Please use this Handle URI to cite this item: http://tdr.lib.ntu.edu.tw/jspui/handle/123456789/102200
Full metadata record
DC Field | Value | Language
dc.contributor.advisor | 王凡 | zh_TW
dc.contributor.advisor | Farn Wang | en
dc.contributor.author | 蔡謦恩 | zh_TW
dc.contributor.author | Ching-En Tsai | en
dc.date.accessioned | 2026-04-08T16:14:37Z | -
dc.date.available | 2026-04-09 | -
dc.date.copyright | 2026-04-08 | -
dc.date.issued | 2026 | -
dc.date.submitted | 2026-03-22 | -
dc.identifier.uri | http://tdr.lib.ntu.edu.tw/jspui/handle/123456789/102200 | -
dc.description.abstract | (value follows) | zh_TW
Although web applications have long been widely adopted, the ever-increasing complexity and scale of modern web systems have renewed attention to Excessive Data Exposure (EDE). Excessive data exposure violates the data minimization principle, which requires a system to process and transmit only the data strictly necessary for its functions. Existing solutions mostly detect superfluous data returned by backend APIs through dynamic analysis; although practical, such methods incur high runtime cost and, because they rely on DOM-based rendering, tend to miss non-visual or implicit uses of data.
To overcome these limitations, this thesis proposes a novel key matching method centered on data minimization. By analyzing the frontend code, the method tracks which API response data is actually used and correlates it with the content returned by the backend, so that excessive data exposure can be detected early at the source-code level without executing the program or rendering the UI. In addition, this thesis combines static and dynamic JavaScript slicing techniques and integrates them into the proposed key matching method to further improve the accuracy of excessive data exposure detection.
The method was tested on 65 real-world websites and four self-deployed test websites, with an average detection time of 6.86 seconds and an accuracy of 93.29%. When combined with static JavaScript slicing, the average detection time rises to 56.32 seconds while the accuracy improves to 95.93%. When dynamic JavaScript slicing is further combined, the average detection time rises to 79.15 seconds while the accuracy improves to 98.33%. The experimental results show that the method can be successfully applied to different test cases and outperforms existing methods, demonstrating its high applicability and its potential for practical and large-scale deployment.
dc.description.abstract | (value follows) | en
While web applications have long been widely adopted, the growing complexity and scale of modern web systems have raised renewed concerns about Excessive Data Exposure (EDE), a violation of the data minimization principle, which requires systems to process and transmit only the data strictly necessary for their functions. Existing solutions use dynamic analysis to detect superfluous data returned by backend APIs. While useful, they suffer from high runtime overhead and from limitations caused by relying on DOM-based rendering, which can miss non-visual or implicit data usage.
To overcome these issues, we propose a novel key matching approach grounded in data minimization. Our approach analyzes frontend code to track actual API response usage and correlates it with backend responses. This enables early, source-level detection of excessive data exposure without requiring runtime execution or UI rendering. Additionally, we integrate our key matching approach with both static and dynamic JavaScript slicing techniques to improve its accuracy in detecting Excessive Data Exposure.
Tested on 65 real-world websites and four self-deployed test websites, our method achieves an average detection time of 6.86 seconds with 93.29% accuracy. When combined with the static JavaScript slicing technique, the average detection time increases to 56.32 seconds while the accuracy improves to 95.93%. When combined with the dynamic JavaScript slicing technique, the average detection time increases to 79.15 seconds while the accuracy improves to 98.33%. It successfully applies to different tested cases and outperforms previous approaches, highlighting its high applicability and strong potential for practical and large-scale deployment.
dc.description.provenance | Submitted by admin ntu (admin@lib.ntu.edu.tw) on 2026-04-08T16:14:37Z. No. of bitstreams: 0 | en
dc.description.provenance | Made available in DSpace on 2026-04-08T16:14:37Z (GMT). No. of bitstreams: 0 | en
dc.description.tableofcontents | (value follows) | -
Acknowledgements iii
摘要 v
Abstract vii
Contents ix
List of Figures xi
List of Tables xiii
Denotation xv
Chapter 1 Introduction 1
Chapter 2 Background 5
2.1 Web Application Interaction 5
2.2 API Testing & Security 6
2.3 OWASP API Risks 7
2.4 Abstract Syntax Tree (AST) 8
Chapter 3 Related Work 9
3.1 Source Code-based Detection 9
3.2 Taint Analysis 10
3.3 DOM-based Dynamic Approach 10
3.4 Data Minimization 11
Chapter 4 Motivation 13
Chapter 5 Approach 19
5.1 Overview 19
5.2 Definition of Terms 20
5.3 Slicing 21
5.4 Parsing 22
5.5 Matching 25
5.6 Refinement 26
5.7 Result 30
Chapter 6 Evaluation 31
6.1 Efficiency 32
6.2 Performance 34
6.3 Applicability 38
Chapter 7 Conclusion 41
References 43
dc.language.iso | en | -
dc.subject | API Security | -
dc.subject | Program Analysis | -
dc.subject | Privacy Protection | -
dc.subject | Data Minimization | -
dc.subject | Excessive Data Exposure | -
dc.subject | API Security | -
dc.subject | Program Analysis | -
dc.subject | Privacy | -
dc.subject | Data Minimization | -
dc.subject | Excessive Data Exposure | -
dc.title | HADE: A Hybrid Analysis Approach for Detecting Excessive Data Exposure Vulnerabilities in Web Applications | zh_TW
dc.title | HADE: A Hybrid Analysis Approach for Detecting Excessive Data Exposure Vulnerabilities in Web Applications | en
dc.type | Thesis | -
dc.date.schoolyear | 114-2 | -
dc.description.degree | Master's | -
dc.contributor.oralexamcommittee | 黃世昆; 李念澤; 梁德容; 陳銘憲 | zh_TW
dc.contributor.oralexamcommittee | Shih-Kun Huang; Nian-Ze Lee; Deron Liang; Ming-Syan Chen | en
dc.subject.keyword | API Security, Program Analysis, Privacy Protection, Data Minimization, Excessive Data Exposure | zh_TW
dc.subject.keyword | API Security, Program Analysis, Privacy, Data Minimization, Excessive Data Exposure | en
dc.relation.page | 47 | -
dc.identifier.doi | 10.6342/NTU202504788 | -
dc.rights.note | Not authorized | -
dc.date.accepted | 2026-03-23 | -
dc.contributor.author-college | College of Electrical Engineering and Computer Science | -
dc.contributor.author-dept | Department of Electrical Engineering | -
dc.date.embargo-lift | N/A | -
Appears in Collections: Department of Electrical Engineering

Files in This Item:
File | Size | Format
ntu-114-2.pdf (not authorized for public access) | 816.33 kB | Adobe PDF