LLMenhanced Static Analysis for Detecting Broken Object Level Authorization Vulnerabilities in Java Web Applications#br#

	#br#

Abstract

Abstract: Broken object level authorization (BOLA) is currently one of the critical security threats to Web applications. As a typical unauthorized access vulnerability, BOLA arises when a system fails to properly validate a user’s access permissions to target objects. The key to static detection of BOLA vulnerabilities lies in: accurately identifying objectlevel sensitive operations and analyzing unprotected access behaviors during path traversal. Since BOLA is an application logiclevel vulnerability, its detection effectiveness directly depends on the precision of understanding the expected objectlevel authorization policies. However, existing detection methods predominantly rely on empirical heuristic rules to identify sensitive and protected operations, making them difficult to adapt to the actual business logic of different applications, resulting in high false positives and false negatives in detection results. To address this limitation, this paper innovatively proposes a large language model (LLM)enhanced static detection method for BOLA vulnerabilities in Web applications, LLM4BOLA. First, leveraging LLM’s advanced code comprehension and semantic reasoning capabilities to infer objectlevel sensitive operations and custom authorization policies in specific business scenarios. Then, identifying diverse permission protection mechanisms. Finally, comprehensively detecting missing objectlevel permission checks along the paths from request entry points to sensitive operations. Experimental results demonstrate that the proposed method not only effectively detects known vulnerabilities but also discovers unknown ones, significantly outperforming traditional rulebased approaches in detection accuracy.

Key words: broken object level authorization, static analysis, vulnerability detection, Web application security, software security

摘要： 对象级授权漏洞(broken object level authorization, BOLA)是当前Web应用面临的严重安全威胁之一.作为典型的越权漏洞，BOLA源于系统未能有效验证用户对目标对象的访问权限.静态检测BOLA漏洞的关键在于：准确识别对象级敏感操作以及分析路径遍历过程中未受保护的访问行为.由于BOLA属于应用逻辑层面的漏洞，其检测效果直接取决于对应用对象级授权预期的理解精度.然而，现有检测方法普遍依赖经验性的启发式规则识别敏感操作和权限保护，难以适配不同应用的实际业务逻辑，导致后续检测结果误报和漏报.为此，创新性地提出基于大语言模型(large language model, LLM)增强的Web应用对象级授权漏洞静态检测方法(LLM4BOLA)：首先利用LLM强大的代码理解与语义推理能力推断特定业务场景下的对象级敏感操作和自定义授权策略；进而识别多样化的权限保护机制；最终检测从请求入口到所有敏感操作路径上的对象级权限缺失情况.实验验证表明，该方法不仅能有效检测已知漏洞，还具备发现未知漏洞的能力，其检测精度显著优于现有基于规则的检测方法.

关键词: 对象级授权漏洞, 静态分析, 漏洞检测, Web应用安全, 软件安全

CLC Number:

TP311

孟海宁, 李炼, . 基于大语言模型增强的Java Web应用对象级授权漏洞静态检测方法[J]. 信息安全研究, 2026, 12(5): 394-.

References

［1］OWASP. API1: 2023 broken object level authorization［EBOL］. 2023［20230718］. https:owasp.orgAPISecurityeditions2023en0xa1brokenobjectlevelauthorization［2］Vithanage N M, Jeyamohan N. WebGuardia—An integrated penetration testing system to detect Web application vulnerabilities［C］ Proc of the 2016 Int Conf on Wireless Communications, Signal Processing and Networking (WiSPNET). Piscataway, NJ: IEEE, 2016: 221227［3］Kumar Shrestha A, Singh Maharjan P, Paudel S. Identification and illustration of insecure direct object references and their countermeasures［J］. International Journal of Computer Applications, 2015, 114(18): 3944［4］Pratama I P A E, Rhusuli A M. Penetration testing on Web application using insecure direct object references (IDOR) method［C］ Proc of the 2022 Int Conf on ICT for Smart Society (ICISS). Piscataway, NJ: IEEE, 2022: 0107［5］Hadavi M A, Bagherdaei A, Ghasemi S. IDOT: Blackbox detection of access control violations in Web applications［J］. The ISC International Journal of Information Security, 2021, 13(2): 117129［6］Huang Y, Shi C, Lu J, et al. Detecting broken objectlevel authorization vulnerabilities in databasebacked applications［C］ Proc of the 2024 ACM SIGSAC Conf on Computer and Communications Security. New York: ACM, 2024: 29342948［7］Monshizadeh M, Naldurg P, Venkatakrishnan V N. MACE: Detecting privilege escalation vulnerabilities in Web applications ［C］ Proc of the 2014 ACM SIGSAC Conf on Computer and Communications Security. New York: ACM, 2014: 690701［8］陈虹, 谢金彤, 金海波, 等. 基于多访问控制的智能合约重入攻击防御方法［J］. 信息安全研究, 2025, 11(4): 333342［9］OWASP. Insecure direct object reference preventionOWASP cheat sheet series［EBOL］. 2023 ［20250614］. https:cheatsheetseries.owasp.orgcheatsheetsInsecure_Direct_Object_Reference_Prevention_Cheat_Sheet.html［10］Spring. Spring security［EBOL］. ［20250614］. https:spring.ioprojectsspringsecurity［11］Wang C, Liu J, Peng X, et al. Boosting static resource leak detection via LLMbased resourceoriented intention inference［C］ Proc of the 47th IEEEACM Int Conf on Software Engineering. Piscataway, NJ: IEEE, 2024: 29052917［12］Du X, Zheng G, Wang K, et al. VulRAG: Enhancing LLMbased vulnerability detection via knowledgelevel RAG［J］. arXiv preprint, arXiv:2406.11147, 2024［13］Wu F, Zhang Q, Bajaj A P, et al. Exploring the limits of ChatGPT in software security applications［J］. arXiv preprint, arXiv:2312.05275, 2023［14］MyBatis Team. MyBatis 3［EBOL］. 2024［20250614］. https:mybatis.orgmybatis3zh_CNindex.html［15］Yang C. DeepSeek v3—Advanced AI & LLM model online［EBOL］. (20241226)［20250614］. https:deepseekv3.org［16］c2nesjavalang: Pure Python Java parser and tools［EBOL］. ［20250614］. https:github.comc2nesjavalang［17］Sridharan M, Chandra S, Dolby J, et al. Alias Analysis for ObjectOriented pPrograms［M］ Aliasing in ObjectOriented Programming. Types, Analysis and Verification. Berlin: Springer, 2013: 196232［18］IBM. WALA［EBOL］. (20231108)［20250614］. https:sourceforge.netprojectswala［19］Andersen L O, Lee P. Program analysis and specialization for the C programming language［D］. Copenhagen: University of Copenhagen, 2005

[1]	. Smart Contract Vulnerabilities Based on Differential Evolutionary Algorithms and Solution Time Prediction Detection#br# [J]. Journal of Information Security Reserach, 2026, 12(1): 24-.
[2]	. A Spectre Vulnerability Detection Method Integrating Fuzzing and #br# Taint Analysis#br# [J]. Journal of Information Security Reserach, 2025, 11(9): 822-.
[3]	. A Binary Modularization Approach Based on Graph Community Detection Method [J]. Journal of Information Security Reserach, 2025, 11(1): 43-.
[4]	. A Web Vulnerability Detection Solution Integrating LSTM for Directory Acquisition [J]. Journal of Information Security Reserach, 2024, 10(9): 824-.
[5]	. Research on Risk Analysis of Opensource Software Supply Chain Security [J]. Journal of Information Security Reserach, 2024, 10(9): 862-.
[6]	. Source Code Vulnerability Detection Based on Fewshot Learning#br# #br# [J]. Journal of Information Security Reserach, 2024, 10(5): 440-.
[7]	. Research on Source Code Vulnerability Detection Based on BERT Model [J]. Journal of Information Security Reserach, 2024, 10(4): 294-.
[8]	. A Review of Fuzz Testing Techniques for Autonomous Driving Systems [J]. Journal of Information Security Reserach, 2024, 10(11): 982-.
[9]	. Reentrancy Vulnerability Detection Method in Smart Contracts #br# Based on Hybrid Model and Attention Mechanism#br# [J]. Journal of Information Security Reserach, 2024, 10(11): 1056-.
[10]	. Router Vulnerability Detection Method Based on Static Analysis and Fuzzing [J]. Journal of Information Security Reserach, 2024, 10(1): 40-.
[11]	. Research on Loop Security Problem in Binary Programs [J]. Journal of Information Security Reserach, 2023, 9(4): 364-.
[12]	. Machine Learning based Code Injection Attack Vulnerability Detection for Android Hybrid Applications [J]. Journal of Information Security Reserach, 2023, 9(10): 940-.
[13]	. A Vulnerability Detecting Approach Based on Sanitizer Identification for Embedded Devices [J]. Journal of Information Security Reserach, 2023, 9(10): 954-.
[14]	. The Detection Method for Token Trading Vulnerability and Authority Transfer Vulnerability Based on Symbolic Execution [J]. Journal of Information Security Reserach, 2022, 8(7): 632-.
[15]	. Survey of Coverage-guided Grey-box Fuzzing [J]. Journal of Information Security Reserach, 2022, 8(7): 643-.