Design and Implementation of an Interface Authorization Scanning Platform
The article presents a systematic, automated platform that captures, replays, and compares API requests using intelligent sampling and vertical/horizontal privilege checks to detect authorization flaws, dramatically reducing manual testing effort, uncovering over twenty issues monthly, and outlining future CI integration and AI‑enhanced detection.
In the context of increasing security incidents such as database leaks and user data exposure, the rapid growth of business functions and user numbers makes security a critical concern. The article describes a systematic approach to detecting API authorization (越权, privilege overreach) issues through automated scanning.
Background: Traditional manual security testing is labor-intensive, especially for a business line that exposes more than 2,000 gateway APIs. Existing open-source tools handle generic vulnerabilities (SQL injection, XSS, etc.) but offer no effective solution for authorization problems, which are tightly coupled to business logic.
Basic Model: The model consists of three stages: (1) capture requests at the external entry points, (2) replay the same request with both an authorized and an unauthorized account, and (3) compare the responses to determine whether an authorization check is present and effective.
Overall Solution Design: The platform operates in a test environment to avoid contaminating production data. Requests are sampled, prioritized (normal responses over error responses; high information volume over low), and then replayed with prepared accounts representing different roles (vertical vs. horizontal privilege scenarios). The results are analyzed to identify vertical and horizontal privilege violations.
Core Algorithm Design:
Intelligent Sampling – batch‑collect requests, group by API name, rank by response quality, and select a configurable number for replay.
Parameter Risk Judgment – classify parameters into system, public, and business objects. Business objects (e.g., orderId, shopId) trigger deeper checks, while pure pagination parameters are ignored.
Vertical Privilege Check – focus on the returned error code. If an authorized account receives a success code while an unauthorized account receives a permission‑denied code, the check passes. Misconfigurations in the permission platform are also detected.
Horizontal Privilege Check – first identify the API behavior (read vs. write) using keyword dictionaries. Example of read keywords: ["query","list","get"]; write keywords: ["create","delete","update","config"]. The interface name youzan.retail.trademanager.get.selffetchpointconfig.1.0.0 matches both "get" and "config"; scoring classifies it as a read request.
Read Request Horizontal Check – compare the responses of authorized and unauthorized calls; identical responses indicate a potential horizontal privilege issue. Special handling for empty or default responses (e.g., {"data":{"total":0,"page_no":1,"page_size":25}}, {"data":[]}, {"data":{"is_bind":false}}) reduces false positives.
Write Request Horizontal Check – if both calls succeed and return the same payload, the issue is flagged for manual verification because the effect of the write may not be observable.
Post‑Check – historical records of confirmed issues are used to auto‑resolve recurring findings; otherwise, manual review is required.
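The read/write classification and the horizontal comparison described above, as an added Python example (not the platform's own code): the keyword dictionaries and the empty/default bodies are the ones quoted above, while the segment-based scoring rule, the tie-break toward "write", and the {"code": 0, "data": ...} response shape are assumptions.

```python
# Keyword dictionaries quoted in the article.
READ_KEYWORDS = ["query", "list", "get"]
WRITE_KEYWORDS = ["create", "delete", "update", "config"]
# Empty/default bodies quoted in the article: an identical default answer is not a leak.
DEFAULT_RESPONSES = [
    {"data": {"total": 0, "page_no": 1, "page_size": 25}},
    {"data": []},
    {"data": {"is_bind": False}},
]
SUCCESS_CODE = 0  # assumed convention: a body {"code": 0, "data": ...} means success


def keyword_score(segments, keywords):
    """Assumed scoring: a keyword that is a whole dot-separated segment of the API
    name scores 2; one that only appears inside a longer segment scores 1."""
    score = 0
    for kw in keywords:
        if kw in segments:
            score += 2
        elif any(kw in seg for seg in segments):
            score += 1
    return score


def classify_api(name):
    """Return 'read' or 'write' for a dotted API name. Ties go to 'write' so the
    finding is routed to manual verification instead of being auto-compared."""
    segments = name.lower().split(".")
    read, write = keyword_score(segments, READ_KEYWORDS), keyword_score(segments, WRITE_KEYWORDS)
    return "read" if read > write else "write"


def is_default_payload(resp):
    """True when the body is one of the known empty/default shapes."""
    return any(resp.get("data") == tpl["data"] for tpl in DEFAULT_RESPONSES)


def horizontal_check(api_name, owner_resp, other_resp):
    """Compare the replay by the object's owner with the replay by another account of
    the same role. Returns 'pass', 'suspect' (a read API returned another user's data)
    or 'manual' (a write API succeeded for both; its effect is not visible here)."""
    if owner_resp != other_resp:
        return "pass"  # the second account got a different answer: scoped correctly
    if is_default_payload(other_resp):
        return "pass"  # identical but empty/default: the usual false-positive source
    if classify_api(api_name) == "read":
        return "suspect"
    return "manual" if other_resp.get("code") == SUCCESS_CODE else "pass"
```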
Platform Architecture: The system provides modules for task management, API management, result visualization, and configuration of privilege rules. Screenshots illustrate coverage dashboards and detailed result inspection.
Practice and Impact: After deployment, the platform discovers more than 20 authorization issues per month, finds them earlier than manual testing would, reduces testing effort, and raises developers' security awareness. The workflow includes daily issue aggregation, triage by the testing team, hand-off to developers, and final closure with archival.
Future Outlook: Plans include integrating the scanner into CI pipelines, refining the privilege model to be more generic across business lines, and applying AI/ML techniques to improve detection accuracy.
Youzan Coder
Official Youzan tech channel, delivering technical insights and occasional daily updates from the Youzan tech team.