Static Detection of Second-Order Vulnerabilities in Web Applications
Johannes Dahse and Thorsten Holz, Ruhr-University Bochum
https://www.usenix.org/conference/usenixsecurity14/technical-sessions/presentation/dahse
USENIX Association, 23rd USENIX Security Symposium (page 989)

Johannes Dahse, Horst Görtz Institute for IT-Security (HGI), Ruhr-University Bochum, Germany, johannes.dahse@rub.de
Thorsten Holz, Horst Görtz Institute for IT-Security (HGI), Ruhr-University Bochum, Germany, thorsten.holz@rub.de

Abstract

Web applications evolved in the last decades from simple scripts to multi-functional applications. Such complex web applications are prone to different types of security vulnerabilities that lead to data leakage or a compromise of the underlying web server. So called second-order vulnerabilities occur when an attack payload is first stored by the application on the web server and then later on used in a security-critical operation.

In this paper, we introduce the first automated static code analysis approach to detect second-order vulnerabilities and related multi-step exploits in web applications. By analyzing reads and writes to memory locations of the web server, we are able to identify unsanitized data flows by connecting input and output points of data in persistent data stores such as databases or session data. As a result, we identified 159 second-order vulnerabilities in six popular web applications such as the conference management systems HotCRP and OpenConf. Moreover, the analysis of web applications evaluated in related work revealed that we are able to detect several critical vulnerabilities previously missed.
1 Introduction

Web applications are the driving force behind the modern Web since they enable all the services with which users interact. Often, such applications handle large amounts of (potentially sensitive) data such as text messages, information about users, or login credentials that need to be stored persistently on the underlying web server. Further, sessions are used to temporarily store data about a user interacting with the web application during multi-step processes. All of this data can potentially be abused by an attacker to cause harm. Many different kinds of attacks against web applications such as Cross-Site Scripting (XSS) or SQL injection (SQLi) attacks are known and common injection flaws are well understood. Such attacks can be prevented by sanitizing user input and many approaches to address this problem were presented in the last few years (e.g., [2, 8, 15, 21, 22, 24, 27, 29]).

One common assumption underlying many detection and prevention approaches is that data that is already stored on the server is safe. However, an adversary might be able to bypass the defenses via so called second-order vulnerabilities if she manages to first abuse the web application to store the attack payload on the web server, and then later on use this payload in a security-critical operation. Such vulnerabilities are often overlooked, but they can have a severe impact in practice. For example, XSS attacks that target the application's users are worse if the payload is stored in a shared resource and distributed to all users. Furthermore, within multi-step exploits a vulnerability can be escalated to a more severe vulnerability. Thus, detecting second-order vulnerabilities is crucial to improve the security of web applications.

Detecting Second-Order Vulnerabilities. To prevent such attacks, the source code of a given web application is assessed before it is deployed on a web server. This can be done either via dynamic or static analysis. There are several dynamic approaches to detect second-order XSS attacks via fuzzing [14, 19]. Generally speaking, such approaches try to inject random strings to all possible POST request parameters in a black-box approach. In a second step, the analysis tools determine if the random string is printed by the application again without another submission, indicating that it was stored on the web server. However, the detection accuracy for second-order vulnerabilities is either unsatisfying or such vulnerabilities are missed completely [4, 7, 13, 23]. Artzi et al. [1] presented a dynamic code analysis tool that considers persistent data in sessions, but their approach misses other frequently used data stores such as databases or files. Furthermore, one general drawback of dynamic approaches is the typically low code coverage.

Static code analysis is a commonly used technique to find security weaknesses in source code. Taint analysis and similar code analysis techniques are used to study the data flow of untrusted (also called tainted) data into critical operations of the application. However, web applications can also store untrusted data to external resources and later on access and reuse it, a problem that is overlooked in existing approaches. Since the data flow is deferred and can be split among different files and functions of the application, second-order vulnerabilities are difficult to detect when analyzing the source code statically. Furthermore, static code analysis has no access to the external resources used by the application and does not know the data that is stored in these.

We are not aware of any plain static code analysis implementation handling second-order vulnerabilities. The main problem is to decide whether data fetched from persistent stores is tainted or not. Assuming all data to be tainted would lead to a high number of false positives, while a conservative analysis might miss vulnerabilities.

Our Approach. In this paper, we introduce a refined type of taint analysis. During our data flow analysis, we collect all locations in persistent stores that are written to and can be controlled (tainted) by an adversary. If data is read from a persistent data store, the decision if the data is tainted or not is delayed to the end of the analysis. Eventually, when all taintable writings to persistent stores are known, the delayed decisions are made to detect second-order vulnerabilities. The intricacies of identifying the exact location within the persistent store the data is written to is approached with string analysis. Furthermore, sanitization through database lookups or checks for existing file names are recognized.

We implemented our approach in a prototype for static PHP code analysis since PHP is the most popular server-side scripting language on the Web with an increasing market share of 81.8% [28]. Note that our approach can be generalized to static code analysis of other languages by applying the techniques introduced in this paper to the data flow analysis of another language. We evaluated our approach by analyzing six popular real-world applications, including OpenConf, HotCRP, and osCommerce. Overall, we detected and reported 159 previously unknown second-order vulnerabilities such as remote command execution vulnerabilities in osCommerce and OpenConf. We also analyzed three web applications that were used during the evaluation of prior work in this area and found that previous work missed several second-order vulnerabilities, indicating that existing approaches do not handle such vulnerabilities correctly.

In summary, we make the following three contributions:

- We are the first to propose an automated approach to statically analyze second-order data flows through databases, file names, and session variables using string analysis. This enables us to detect second-order and multi-step exploitation vulnerabilities in web applications.
- We study the problem of second-order sanitization, a crucial step to lower the number of potential false positives and negatives.
- We built a prototype of the proposed approach and evaluate second-order data flows of six real-world web applications. As a result, we detect 159 previously unknown vulnerabilities ranging from XSS to remote code execution attacks.
2 Technical Background

In this section, we introduce the nature of second-order vulnerabilities and multi-step exploits. First, we examine data flow through persistent data stores and the difficulties of analyzing such flows statically. We then present two second-order vulnerabilities as motivating examples.

2.1 Persistent Data Stores

We define persistent data stores (PDS) as memory locations that are used by an application to store data. This data is available after the incoming request was parsed and can be accessed later on by the same application to reuse the data. The term persistent refers to the fact that data is stored on the web server's hard drive, although it can be frequently deleted or updated. Note that this definition also includes session data since information about a user's session is stored on the server and can be reused by an adversary. We now introduce three PDS commonly used by web applications.

2.1.1 Databases

Databases are the most popular form of PDS found in today's web applications. A database server typically maintains several databases that consist of multiple tables. A table is structured in columns that have a specific data type and length associated with them. Stored data is accessed via SQL queries that allow to filter, sort, or intersect data on retrieval. In PHP, an API for database interaction is bundled as a PHP extension that provides several built-in functions for the database connection, and the query and access of data. In contrast to other PDS, writing and reading to a memory location is performed via the same built-in query function.

SQL has different syntactical forms of writing data to a table. Listing 1 shows three different ways to perform the same query.

    // specified write
    INSERT INTO users (id, name, pass) VALUES (1, 'admin', 'foo')
    INSERT INTO users SET id=1, name='admin', pass='foo'
    // unspecified write
    INSERT INTO users VALUES (1, 'admin', 'foo')

Listing 1: Writing to the database table users in SQL.

While the first two queries explicitly define the column names, the third query does not. We refer to the first type as specified write and to the second type as unspecified write. Both types convey a difficulty for static analysis of the query: a specified write reveals the column names where data is written to, but does not reveal if there are any other columns in the table that are filled with default values. This hinders the reconstruction of table structures when analyzing SQL queries of an application statically. An unspecified write tells us exactly how many columns exist, but does not reveal their names. When the columns are accessed later on by name, it is unclear which column was filled with which value. The same applies for read operations. A specified read reveals the accessed column names in a field list, whereas an unspecified read, indicated by an asterisk character, selects all available columns without naming them.

In PHP, the queried data is stored as a result resource. There are different ways to fetch the data from the result resource with built-in functions, as shown in Listing 2.

    // numeric fetch
    $row = mysql_fetch_row($res); echo $row[1];
    // associative fetch
    $row = mysql_fetch_assoc($res); echo $row["name"];
    $row = mysql_fetch_object($res); echo $row->name;

Listing 2: Fetching data from a database result resource.

Basically, numeric and associative fetch operations exist. The first method stores the data in a numerically indexed array where the index refers to the order of the selected columns. The associative fetch stores the data in an array indexed by column name. It is also possible to store the data in an object where the property names equal the column names. The key difference is that the associative fetch reveals the accessed column names while the numeric fetch does not.

All different combinations of writing, reading, and accessing data can occur within a web application. In certain combinations, it is not clear which columns are accessed without knowledge about the database schema, for example, when data is written unspecified and fetched associatively. In practice, however, we are often able to reconstruct the database schema from the source code (see Section 3.4.1 for details).
2.1.2 Session Data

Sessions are a common way of dealing with the stateless HTTP protocol. In PHP, the $_SESSION array provides an abstract way of handling session data that is stored within files (default) or databases. A session value is associated with an alphanumerical key that represents the memory location. Note that the $_SESSION array needs to be treated like any other superglobal array in PHP and it can be accessed in any context of the application. As any other array, it can be accessed and modified dynamically, inter-procedurally, and it can have multiple key names. Besides the $_SESSION array and the deprecated $HTTP_SESSION_VARS array, the built-in functions session_register() and session_decode() can be used to set session data.

2.1.3 File Names

A common source for vulnerabilities is an unsanitized file name. Developers often overlook that the file name of an uploaded file can contain malicious characters and thus can be used as a PDS for an attack payload. For example, Unix file systems allow any special characters in file names, except for the slash and the null byte [12]. NTFS allows characters such as the single quote that can be used for exploitation [20]. For detecting second-order vulnerabilities, we need to determine paths where files with arbitrary names are located. The analysis of a file upload reveals to which path a file is written and if the file is named as specified by the user. In PHP, a file that is submitted via a multi-part POST request is stored in a temporary directory with a temporary file name. The temporary and original file name is accessible in the superglobal $_FILES array. Furthermore, built-in functions such as rename() and copy() can be used by an application to rename a file on the server. Note that directory names can also be used as PDS, for example when created with the built-in function mkdir().

2.1.4 Excluded PDS

There are less popular PDS that we do not include in our analysis. For example, data can be retrieved from a CGI environment variable, a configuration file, or from an external resource such as an FTP or SMTP server [5]. However, these PDS are used rarely in practice and decisions can only be made with preconfigured whitelists. We only consider PDS that are tainted by the application itself and not through a different channel. Analyzing the data flow through file content will be an interesting addition in the future. Here, the challenge is to determine to what part of a given file data is written and from what part of the file data is read, because the structure of the data within the file is unknown.

Note that data stored via PHP's built-in functions ini_set() or putenv() only exists for the duration of the current request. At the end of the request, the environment is restored to its original state. Thus, they do not fall under our definition of a PDS.
2.2 Second-Order Vulnerabilities

A taint-style vulnerability occurs if data controlled by an attacker is used in a security-critical operation. In the data flow model, this corresponds to tainted data literally flowing into a sensitive sink within one possible data flow of the application. We classify a second-order vulnerability as a taint-style vulnerability where the data flows through one or more PDS. Here, the attack payload is first stored in a PDS and later retrieved and used in a sensitive sink. Thus, two distinct data flows require analysis: (i) source to PDS and (ii) PDS to sink.

In the following, we introduce two motivating examples with a payload stored in a PDS. In general, every combination of a source, sensitive sink, and a PDS is possible. Depending on the application's design, the flow of malicious data occurs within a single or multiple attack requests (e.g., when different requests for writing and reading are necessary). Finally, we introduce multi-step exploits as a subclass of second-order vulnerabilities.
2.2.1 Persistent Cross-Site Scripting

Cross-Site Scripting (XSS) [16] is the most common security vulnerability in web applications [22]. It occurs when user input is reflected to the HTML result of the application in an unsanitized way. It is then possible to inject arbitrary HTML markup into the response page that is rendered by the client's browser. An attacker can abuse this behavior by embedding malicious code into the response that for example locally defaces the website or steals cookie information.

We speak of Persistent Cross-Site Scripting if the attacker's payload is stored in a PDS first, read by the application again, and printed to the response page. In contrast to non-persistent (reflected) XSS, the attacker does not have to craft a suspicious link and send it to a victim. Instead, all users of the application that visit the affected page are attacked automatically, making the vulnerability more severe. Furthermore, a persistent XSS vulnerability can be abused to spread an XSS worm [18, 26].

Listing 3 depicts an example of a persistent XSS vulnerability. The simplified code allows to submit a new comment which is stored in the table comments together with the name of the author. If no new comment is submitted, it lists all previously submitted comments that are fetched from the database. While the comment itself is sanitized in line 7 by the built-in function htmlentities() that encodes HTML control characters, the author's name is not sanitized in line 6 and thus affected by XSS. Note that if the source code is analyzed top-down, it is unknown at the point of the SELECT query if malicious data can be inserted into the table comments by an adversary.

    1  if(empty($_POST['submit'])) {
    2    // list comments
    3    $res = mysql_query("SELECT author, text FROM comments");
    4    while($comment = mysql_fetch_assoc($res)) {
    5      // one row per comment, indexed by column name
    6      echo $comment['author'] . ': ' .
    7           htmlentities($comment['text']) . "";
    8    }
    9  }
    10 else {
    11   // add comment
    12   $author = addslashes($_POST['name']);
    13   $text = addslashes($_POST['comment']);
    14   mysql_query("INSERT INTO comments (author, text)
    15                VALUES ('$author', '$text')");
    16 }

Listing 3: Example for second-order XSS vulnerability.
2.2.2 Second-Order SQL Injection

A SQL injection (SQLi) [9] vulnerability occurs when a web application dynamically generates a SQL query with unsanitized user input. Here, an attacker can potentially inject her own SQL syntax to arbitrarily modify the query. Depending on the environment, the attacker can potentially extract sensitive data from the database, modify data, or compromise the web server.

In Listing 4, user supplied credentials are checked in line 6. If the credentials are valid, the session key loggedIn is set to true and the user-supplied username is saved into the session key user. In case the user-supplied data is invalid, the failed login attempt is logged to the database with the help of the user-defined log() function. Here, a second-order SQLi occurs: if an attacker registers with a malicious username, this name is written to the session key user and on a second failed login attempt used in the logging SQL query.

    1  function log($error) {
    2    $user = $_SESSION['user'];
    3    mysql_query("INSERT INTO logs (error, user)
    4                 VALUES ('$error', '$user')");
    5  }
    6  if(validAuth($_POST['user'], $_POST['pass'])) {
    7    $_SESSION['loggedIn'] = true;
    8    $_SESSION['user'] = $_POST['user'];
    9  }
    10 else {
    11   log('Failed login attempt');
    12 }

Listing 4: Example for second-order SQLi vulnerability.

2.2.3 Multi-Step Exploitation

Within a second-order vulnerability, the first order (e.g., safe writing of user input into the database or a file path) is not a vulnerability by itself. However, unsafe writing can lead to other vulnerabilities. We define a multi-step exploit as the exploitation of a vulnerability in the second order that requires the exploitation of an unsafe writing in the first order. Thus, a multi-step exploit is a subclass of a second-order vulnerability and it can drastically raise the severity of the first vulnerability. Since we only consider databases, sessions, and file names as PDS in our analysis, the following vulnerabilities are relevant:

- SQLi: A SQLi in an INSERT or UPDATE statement leads to a full compromise of all columns in the specified table. Furthermore, a SQLi in a SELECT query allows arbitrary data to be returned.
- Path traversal: A path traversal vulnerability allows to change the current directory of a file operation to another location. Arbitrary file names can be created in arbitrary locations if a path traversal vulnerability affects the renaming or creation of files.
- Arbitrary file write: An arbitrary file write vulnerability can modify or create a new session file, leading to the compromise of all session values.
3 Detecting Second-Order Vulnerabilities

In the following, we describe our approach to automatically detect second-order vulnerabilities via static code analysis. For this purpose, we extended our prototype RIPS [6] that uses block summaries [30]. In this section, we first briefly review the used data flow and taint analysis approach of RIPS (Sections 3.1 and 3.2). Afterwards, we explain our novel additions for detecting second-order vulnerabilities and multi-step exploits (Sections 3.3–3.5).

3.1 Data Flow Analysis

RIPS leverages a context-sensitive, intra- and inter-procedural data flow analysis. We use basic block, function, and file summaries [30] for efficient, backwards-directed data flow analysis [6]. First, for each PHP file's code, a control flow graph (CFG) consisting of connected basic blocks is generated. Definitions of functions, classes, and methods within the code are extracted. Then, every CFG is analyzed top-down by simulating the connected basic blocks one by one. A block edge that links two connected basic blocks is simulated as well to identify data sanitization.

During the simulation of one basic block, all assigned data is transformed into data symbols that we will introduce later. The flow of the data is inferred from these symbols and summarized in a block summary [30] that maps data locations to assigned data. The return results and side-effects (e.g., data assignment or sanitization) of called built-in functions are determined by a precise simulation of over 900 unique functions.

If a user-defined function is called within a basic block, its CFG is generated and all basic blocks are simulated. Based on these blocks' summaries, the data flow within the function is determined by analyzing return statements in a similar way to taint analysis (see Section 3.2). The results are stored in a function summary. This summary is used for each call of the user-defined function, while return values, global variables, and parameters are adjusted to the callee's arguments and environment context-sensitively. When all basic blocks of a file's CFG are simulated, a file summary is generated in a similar way to functions that is used during file inclusion.

Data and its access within the application's code is modeled by so called data symbols [6]:

- Value represents a static "string", integer, float, or a resolved CONSTANT's value. Defined constant values are stored in the environment.
- Variable represents a variable by its name.
- ArrayDimFetch represents the access of an array ($array[$k]) and extends the Variable symbol with a dimension ($k). The dimension lists the fetched array keys in form of data symbols.
- ArrayDimTree represents a newly declared array or the assignment of data to one array key ($array[$k] = $data). It is organized in a tree structure. The array keys are represented by array edges that point to the assigned data symbol. The ArrayDimTree symbol provides methods to add or fetch symbols by a dimension that is compared to the tree's edges.
- ValueConcat represents the concatenation of two or more data symbols ($a . $b). Two consecutive Value symbols are merged to one Value symbol.
- Multiple is a container for several data symbols. It is used, for example, when a function returns different values depending on the control flow or PHP's ternary operator is used ($c ? $a : $b).

During data flow analysis, one or more sanitization tags can be added to a data symbol, for example if sanitization is applied by built-in functions such as addslashes() or htmlentities(). Each sanitization tag represents one context, for example, a single-quoted SQL value or a double-quoted HTML attribute. A symbol can be sanitized against one context, but be vulnerable to another. The tags are removed again when built-in functions such as stripslashes() or html_entity_decode() are called. Furthermore, information about encoding is added to every data symbol.
3.2 Context-Sensitive Taint Analysis

The goal is to create a vulnerability report whenever a tainted data symbol δ flows into a sensitive sink. Our implementation is performed with 355 sensitive built-in functions of PHP. If a call to a sink is encountered during block simulation, its relevant arguments are analyzed. First, the argument is transformed into a data symbol. If the symbol was defined within the same basic block, it is inferred from the block summary. Then, the symbol is looked up in the block summary of every previous basic block that is linked with a block edge to the current basic block. If the lookup in the block summary succeeds, the inferred symbol is fetched. The dimension of an ArrayDimFetch symbol is carried until a mapping ArrayDimTree symbol is found. The backwards-directed symbol lookup continues for each linked basic block and stops if a symbol of type Value is inferred or the beginning of the CFG is reached.

At this point, all resolved symbols are converted to strings in order to perform context-sensitive string analysis [6]. The symbols Value and Boolean are converted to their representative string values. Data symbols of sources are mapped to a Taint ID (TID) that is used as string representation. Next, each string is analyzed. The location of the TIDs within the markup is determined to precisely detect the context. For complex markup languages such as HTML or SQL, a markup parser is used. With the help of the sanitization tags and encoding information of the linked data symbol, we check if the symbol is sanitized correctly according to its context. If a TID is found that belongs to an unsanitized source regarding the current context, a vulnerability report is generated. Unsanitized parameters or global variables are added to the function's summary as sensitive parameter or global. These are analyzed in the context of each function call.
3.3 Array Handling

By manually analyzing the code of the most popular PHP applications [28], we empirically found that a common way to write data into a database is by using arrays. An example is shown in Listing 5. In lines 9 and 10, the array's key defines the table's column and the array's value stores the data to write. The separated array values are joined to a string again by using the built-in function implode() (lines 2/3). Based on this observation, we re-designed the handling of arrays by adding new data symbols. As a side effect, the handling of fetched database results in form of an array and the handling of the superglobal $_SESSION array is significantly improved.

    1  function insert($table, $array) {
    2    $fields = implode(",", array_keys($array));
    3    $values = implode(",", $array);
    4    mysql_query("INSERT INTO {$table}
    5                 (" . $fields . ") VALUES (" . $values . ")");
    6  }
    7
    8  $new_user = array(
    9    "name" => addslashes($_POST['name']),
    10   "pass" => md5($_POST['pass']),
    11 );
    12 insert("users", $new_user);
    13 // INSERT INTO users (name,pass) VALUES (X,123abc...)

Listing 5: Using arrays to write data to a database.

We model the popular built-in function implode() by adding the data symbol ArrayJoin. With the help of this symbol, it is possible to keep track of the delimiter that is used to join strings. If the symbol is inferred to an ArrayDimTree symbol, a ValueConcat symbol is created that joins all symbols of the ArrayDimTree symbol with the stored delimiter symbol.

Furthermore, we introduce the new symbol ArrayKey. It is used when the key of an array is explicitly accessed, such as in the loop foreach($array as $key => $value). It is handled similar to the Variable symbol and is associated with the array's name. If the ArrayKey symbol is inferred into an ArrayDimTree symbol during data flow or taint analysis, a Multiple symbol containing all edges' symbols is returned. Built-in functions, such as array_keys() and array_search(), return all or parts of the available keys in an array and can be modeled more precisely with the ArrayKey symbol.

Figure 1: Data flow model of a conventional (a) and a second-order (b, c) vulnerability.
3.4 PDS-centric Taint Analysis

We now introduce our novel approach to detect second-order vulnerabilities. The data flow is illustrated in Figure 1(b). Contrarily to a conventional taint-style vulnerability as shown in Figure 1(a), a source flows into a PDS before it flows from the PDS into a sensitive sink. We model the data that is read from a PDS by new data symbols δ that hold information about their origin. During code analysis, taintable PDS are identified. They are stored together with the minimum set of applied sanitization and encoding tags of the tainting data symbol δ. If one of the new data symbols δ is encountered unsanitized during the taint analysis of a sensitive sink, a vulnerability report is created if its originating PDS was identified as taintable.

If the PDS is not known as taintable, a temporary vulnerability report is created, as shown in Figure 1(c). The report is connected to the data symbol δ. At the end of the code analysis, we decide if the data symbol originates from a taintable PDS by comparing its origin to all collected taintable PDS.

In the following, we introduce the analysis of writings to different PDS. Furthermore, our new data symbols δ are introduced that model the reading and access of data that is stored in PDS.
3.4.1 Databases

Modeling the data flow through databases is a complex task, mainly due to the large API that is available for databases and the usage of a query language. First, our prototype tries to obtain as much knowledge of the SQL schema as possible. Then we try to reconstruct all SQL queries during SQL injection analysis of 110 built-in query functions. Finally, the type of operation is determined, as well as the targeted table and column names. The access of data is modeled by new data symbols.

Preparation. During the initialization of our tool, we collect all files with a .sql extension. All available CREATE TABLE instructions within these files are parsed so that we can reconstruct the database schema, including all table and column names as well as column types and length. If no schema file is found, each PHP file in the project is searched via regular expression. The knowledge of the database schema improves precision when data is read in an unspecified way, or when data is sanitized by the column type or length.

Writing. A write operation to a database is detected if the SQL parser identifies an INSERT, UPDATE, or REPLACE statement. By tokenizing the SQL query, we determine the targeted table's name, all specified column names, and their corresponding input values. In case of an unspecified write, the parser makes use of the database schema. If an input value of a column contains a TID (see Section 3.2), the affected column and table name is marked as taintable together with the linked source symbol and its sanitization tags.

Reading. If the SQL parser encounters a SELECT statement, we try to determine all selected column and table names. Multiple table names can occur if tables are joined or unioned. Alias names within the query are mapped and resolved. In case of uncertainty, the parser makes use of the database schema. Finally, a new ResourceDB symbol is mapped to the analyzed query function as return value. This symbol holds information about all selected column names in a numerical hashmap and its corresponding table names.

Access. In PHP, database result resources are transformed into arrays by built-in fetch functions (refer to Listing 2). We ignore the mode of access and let 89 configured fetch functions return a Variable symbol with the name of the resource. When an ArrayDimFetch symbol accesses the result of these fetch functions, it is inferred to the corresponding ResourceDB symbol. In this case, the carried dimension of the ArrayDimFetch symbol is evaluated against the available column names in the ResourceDB symbol. If the asterisk character is contained in the column list and the dimension is numerical, the database schema is used to find the correct column name. Otherwise, if the dimension equals a column name in the field list, a new DataDB symbol is returned that states which column of which table is accessed.

Sanitization. Certain implicit sanitization is considered when dealing with SQL. If a column is compared to a static value within a WHERE clause in a SELECT statement, the return value for this column is sanitized. In this case, the static value is saved within the ResourceDB symbol and mapped to the column as return value. Furthermore, a sanitization tag for the used quote type is removed when data is updated or inserted to the database because one level of escaping is lost during writing.
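As an added illustration of the database handling described in Sections 2.1.1 and 3.4.1 (this is not code from the RIPS prototype), the following Python reconstructs a schema from CREATE TABLE statements, classifies writes as specified or unspecified, marks columns written with a Taint ID as taintable, and resolves numeric and associative fetches against a SELECT's field list into DataDB symbols. It assumes sources already appear as TIDn in the reconstructed query strings; the schema file content and the queries are constructed.

```python
import re

# Constructed schema file, standing in for the project's .sql file ("Preparation").
SCHEMA_SQL = """
CREATE TABLE users (id INT, name VARCHAR(32), pass VARCHAR(32));
CREATE TABLE comments (id INT, author VARCHAR(32), text TEXT);
"""

# Assumption: sources were already replaced by Taint IDs of the form TIDn (Section 3.2).
TID = re.compile(r"TID\d+")


def parse_schema(sql):
    """Reconstruct table -> ordered column names from CREATE TABLE statements.
    Column definitions are split on commas, so types like DECIMAL(10,2) are not handled."""
    schema = {}
    for table, body in re.findall(r"CREATE TABLE\s+(\w+)\s*\((.*?)\);", sql, re.I | re.S):
        schema[table] = [col.split()[0] for col in body.split(",")]
    return schema


def split_list(text):
    """Split a comma-separated SQL list while ignoring commas inside single quotes."""
    parts, cur, quoted = [], "", False
    for ch in text:
        if ch == "'":
            quoted = not quoted
        if ch == "," and not quoted:
            parts.append(cur.strip())
            cur = ""
        else:
            cur += ch
    parts.append(cur.strip())
    return parts


def analyze_write(query, schema):
    """Return (table, {column: value}) for a write query.
    A specified write names its columns (VALUES with a column list, or SET); an
    unspecified write (VALUES without a column list) is resolved via the schema."""
    m = re.match(r"\s*(?:INSERT|REPLACE)\s+INTO\s+(\w+)\s*(?:\(([^)]*)\))?\s*VALUES\s*\((.*)\)\s*$",
                 query, re.I | re.S)
    if m:
        table, cols, vals = m.group(1), m.group(2), split_list(m.group(3))
        names = [c.strip() for c in cols.split(",")] if cols else schema[table]
        if len(names) != len(vals):
            raise ValueError("column/value count mismatch: %r" % query)
        return table, dict(zip(names, vals))
    m = re.match(r"\s*(?:INSERT\s+INTO|UPDATE)\s+(\w+)\s+SET\s+(.*?)(?:\s+WHERE\s.*)?$",
                 query, re.I | re.S)
    if m:
        pairs = (p.split("=", 1) for p in split_list(m.group(2)))
        return m.group(1), {k.strip(): v.strip() for k, v in pairs}
    raise ValueError("not a write query: %r" % query)


def taintable_columns(query, schema):
    """Mark every (table, column) whose written value carries a Taint ID as taintable."""
    table, assigned = analyze_write(query, schema)
    return {(table, col) for col, val in assigned.items() if TID.search(val)}


def analyze_read(query, schema):
    """Model a single-table SELECT as a ResourceDB: ordered column list plus table.
    An unspecified read (*) is expanded through the schema so numeric access resolves."""
    m = re.match(r"\s*SELECT\s+(.*?)\s+FROM\s+(\w+)", query, re.I | re.S)
    if not m:
        raise ValueError("not a SELECT: %r" % query)
    fields, table = m.group(1).strip(), m.group(2)
    columns = schema[table] if fields == "*" else [f.strip() for f in fields.split(",")]
    return {"table": table, "columns": columns}


def access(resource, dim):
    """Resolve a numeric (mysql_fetch_row) or associative (mysql_fetch_assoc) dimension
    to a DataDB symbol (table, column)."""
    columns = resource["columns"]
    if isinstance(dim, int):
        return (resource["table"], columns[dim])
    if dim in columns:
        return (resource["table"], dim)
    raise KeyError("column %r not in field list %r" % (dim, columns))


def listing3_author_is_tainted(schema):
    """Listing 3 end to end: the INSERT stores two sources, the SELECT reads them back,
    and the associative access to 'author' yields a DataDB symbol from a taintable column."""
    taintable = taintable_columns(
        "INSERT INTO comments (author, text) VALUES ('TID1', 'TID2')", schema)
    res = analyze_read("SELECT author, text FROM comments", schema)
    return access(res, "author") in taintable
```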
3.4.2 Session Keys

The analysis of session variables does not require a complex markup parser or new data symbol. Instead, session data is handled similar to other global arrays. Taintable session keys are stored during the analysis phase.

Writing. If data is assigned to a Variable or ArrayDimFetch symbol during block simulation and the symbol's name is _SESSION, the assigned data is analyzed via taint analysis. If the assigned data is tainted, its resolved source symbol is stored into an ArrayDimTree symbol in the environment, together with the dimension of the _SESSION symbol. This way, an ArrayDimTree is built with all taintable dimensions of the session array that link to the tainted source symbols and their corresponding sanitization tags.

Reading. The access to session data is modeled by ArrayDimFetch symbols with the name _SESSION and requires no modification. During taint analysis inside a user-defined function, session variables are handled as global variables. They are added to the function summary and they are inspected for each function call in a context-sensitive way. This avoids premature decisions about the taint status inside a function if the session key is overwritten before the function is called. Just as for a DataDB symbol, a temporary vulnerability report is created if a _SESSION variable taints a sensitive sink.
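The delayed decision of Section 3.4 applied to session keys (Section 3.4.2), as an added example that is not the authors' code: a sink that reads a session key before a tainting write has been seen gets only a temporary report, which is decided once all taintable keys are collected, and the minimum set of sanitization tags across all writes to a key is what the decision checks against the sink's context. The order in which the Listing 4 code is simulated is constructed, and the class and method names are assumptions.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Source:
    """A source symbol (e.g. $_POST['user']) plus the sanitization contexts already applied."""
    name: str
    tags: frozenset = frozenset()


@dataclass
class Report:
    sink: str
    context: str        # context the sink interprets its argument in ("sql", "html", ...)
    origin: str         # session key the sink reads from
    resolved: bool = False


class SessionTaintAnalysis:
    """Assumed simplification of the PDS-centric analysis: taintable session keys are
    collected while the code is simulated, and a sink that reads a key not (yet) known
    as taintable only gets a temporary report that is decided at the end."""

    def __init__(self):
        self.taintable = {}    # session key -> minimum set of sanitization tags over all writes
        self.reports = []      # confirmed vulnerability reports
        self.temporary = []    # reports whose PDS was unknown when the sink was analyzed

    def write_session(self, key, data):
        """$_SESSION[key] = data: record the key as taintable when a source is stored."""
        if isinstance(data, Source):
            prev = self.taintable.get(key)
            # Keep only tags common to every write: the weakest sanitization decides.
            self.taintable[key] = data.tags if prev is None else prev & data.tags

    def sink(self, name, context, session_key):
        """A sensitive sink consumes $_SESSION[session_key] in the given context."""
        report = Report(name, context, session_key)
        if session_key in self.taintable:
            self._decide(report)
        else:
            self.temporary.append(report)

    def _decide(self, report):
        tags = self.taintable.get(report.origin)
        if tags is not None and report.context not in tags:
            report.resolved = True
            self.reports.append(report)

    def finish(self):
        """End of the analysis: revisit temporary reports against all collected keys."""
        for report in self.temporary:
            self._decide(report)
        self.temporary = []
        return self.reports


def run_example():
    """Constructed analysis order: the logging helper of Listing 4 is simulated before
    the login code that fills the session key, as happens when it lives in another file."""
    analysis = SessionTaintAnalysis()
    # log(): mysql_query() reads $_SESSION['user'] before any write to it was seen.
    analysis.sink("mysql_query", "sql", "user")            # temporary report only
    # Login handler (Listing 4, line 8): raw user input is stored, no sanitization tags.
    analysis.write_session("user", Source("_POST[user]"))
    # A second key stored through addslashes(): tagged as sanitized for the SQL context.
    analysis.write_session("name", Source("_POST[name]", frozenset({"sql"})))
    analysis.sink("mysql_query", "sql", "name")            # sanitized for SQL: no report
    analysis.sink("echo", "html", "name")                  # not sanitized for HTML: report
    analysis.sink("echo", "html", "visits")                # never written by a source
    return analysis.finish()
```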
3.
4.
3FileNamesTodetecttaintablelenames,wecollectlepathsausercanwriteto.
Forthispurpose,newdatasymbolsmodeldirectoryresourcesandtheiraccesses.
Wheneverapathisreconstructedonlypartially,weusethesameapproachasinleinclusionanalysis.
Here,aregularexpressioniscreatedandmappedtoallavailablepathsthatweredetectedwhenloadingtheapplicationles.
WritingTodetectalenamemanipulationwithuserinput,weanalyze27built-infunctionssuchascopy(),rename(),andfileputcontents().
Additionally,leuploadswithmoveuploadedfile()areanalyzed.
Notethatatthesametimethesebuilt-infunctionsaresensitivesinksandgeneratevulnerabilityreportssuchasanarbitraryleuploadvulnerability.
Thepathargumentisanalyzedbyconventionalcontext-sensitivestringanal-ysis.
Ifthepathistainted,westoreitwithitsprexastaintable.
Whennoprexispresent,thelepathofthecurrentlyanalyzedleistaken.
Additionally,ifthesourceisnotsanitizedagainstpathtraversalattacks,allpathsareassumedastaintableandaagissetduringanalysisaccordingly.
Reading
We handle three different ways of opening a directory with PHP's built-in functions. First, we model the built-in function scandir() that returns an array listing all files and directories within a specified path. Second, we model the built-in function glob() that also returns an array that lists all files and directories specified by a pattern. We transform the pattern into a regular expression by substituting the pattern characters * and ? with their regular expression equivalents. Third, we model the built-in function opendir() which returns a directory handle. For all mentioned built-in functions, we reconstruct the opened path by string analysis and return a ResourceDir symbol that stores the path's name.

Access
The returned result of scandir() and glob() is accessed by an array key. Since we know neither the amount nor the order of files in a directory, we return a DataPath symbol whenever a ResourceDir symbol is inferred from an ArrayDimFetch symbol, regardless of its dimension. For this purpose, we let the built-in function readdir(), which is supposed to read an entry of a directory handle, return an ArrayDimFetch symbol with an arbitrary dimension and the name of the directory handle. It is inferred to a DataPath symbol when the trace of the ArrayDimFetch symbol results in a ResourceDir symbol.

Sanitization
In order to model sanitization that checks if a given string is a valid file name, 11 built-in functions such as file_exists() and is_file() are simulated. We modified the sanitization check in a way that these functions only sanitize if there is no taintable file path found. For this purpose, a flag is set during taint analysis if sanitization of a source by file name is detected. The flag issues only a temporary vulnerability report that is revised at the end of the analysis regarding the ability to taint a file path.
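The file-name bookkeeping of the Writing, Reading, Access and Sanitization paragraphs above, as an added Python example that is not the paper's prototype code; the class FilePathStore, its methods, the helper glob_to_regex() and every path used are assumptions made here, only the symbol names ResourceDir and DataPath come from the text.

```python
"""Toy model of the file-name persistent data store (PDS) described above.
Added example, not the authors' prototype: ResourceDir and DataPath follow the
text; the class, its methods and every path are constructed here."""
import posixpath
import re
from dataclasses import dataclass, field


def glob_to_regex(pattern: str) -> str:
    """glob() pattern to regular expression: '*' and '?' are substituted by
    their regex equivalents, every other character is escaped."""
    out = []
    for ch in pattern:
        if ch == "*":
            out.append("[^/]*")
        elif ch == "?":
            out.append("[^/]")
        else:
            out.append(re.escape(ch))
    return "^" + "".join(out) + "$"


def glob_matches(pattern: str, path: str) -> bool:
    """True if `path` is described by the glob pattern."""
    return re.match(glob_to_regex(pattern), path) is not None


@dataclass
class FilePathStore:
    """Facts about taintable file paths collected during one analysis run."""
    current_file_dir: str                   # directory of the analyzed file
    taintable_dirs: set = field(default_factory=set)
    traversal_possible: bool = False        # tainted write without ../ check

    def record_write(self, prefix: str, tainted: bool,
                     traversal_sanitized: bool = True) -> None:
        """Write sink (copy(), rename(), file_put_contents(),
        move_uploaded_file()): `prefix` is the fixed part of the path argument
        reconstructed by string analysis, the remainder is the file name.
        Only a tainted name makes the directory taintable."""
        if not tainted:
            return
        # no prefix present: the path of the currently analyzed file is taken
        directory = posixpath.normpath(prefix or self.current_file_dir)
        self.taintable_dirs.add(directory)
        if not traversal_sanitized:
            self.traversal_possible = True  # attacker may escape the prefix

    def open_dir(self, path: str, is_glob: bool = False) -> tuple:
        """scandir()/opendir() take a directory, glob() a pattern whose
        directory part is used; all three yield a ResourceDir symbol that
        stores the opened path, kept here as a regular expression."""
        directory = posixpath.dirname(path) if is_glob else path
        return ("ResourceDir", glob_to_regex(posixpath.normpath(directory)))

    def _reachable(self, dir_regex: str) -> bool:
        """Can an attacker-named file end up in a directory matching this?"""
        return self.traversal_possible or any(
            re.match(dir_regex, d) for d in self.taintable_dirs)

    def access(self, symbol: tuple) -> tuple:
        """Array access on a scandir()/glob() result, or readdir() on a
        handle: whatever the dimension, the result is a DataPath symbol whose
        taint follows from the directories written with tainted names."""
        kind, dir_regex = symbol
        if kind != "ResourceDir":
            raise ValueError("expected a ResourceDir symbol")
        return ("DataPath", self._reachable(dir_regex))

    def file_exists_sanitizes(self, prefix: str) -> bool:
        """file_exists()/is_file() on prefix + name sanitize only if no
        taintable file path can exist there; otherwise the temporary report
        is kept and revised at the end of the analysis."""
        return not self._reachable(glob_to_regex(posixpath.normpath(prefix)))


def demo() -> dict:
    """Constructed scenario: an upload feature stores attacker-named files in
    upload/, templates are written under fixed names; later directory reads
    and file_exists() checks are classified."""
    store = FilePathStore(current_file_dir="/var/www/app/admin")
    store.record_write("/var/www/app/upload/", tainted=True)      # upload
    store.record_write("/var/www/app/templates/", tainted=False)  # fixed name
    listing = store.open_dir("/var/www/app/upload")               # scandir()
    tpl = store.open_dir("/var/www/app/templates/*.tpl", is_glob=True)
    return {
        "upload_entry_tainted": store.access(listing)[1],
        "template_entry_tainted": store.access(tpl)[1],
        "file_exists_upload_sanitizes":
            store.file_exists_sanitizes("/var/www/app/upload/"),
        "file_exists_tpl_sanitizes":
            store.file_exists_sanitizes("/var/www/app/templates/"),
    }
```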
3.4.4 Multi-Step Exploits

In order to detect multi-step exploits, we store all table names of all writing SQL queries that are affected by SQLi. Furthermore, we set a flag during the analysis process if an arbitrary file write or arbitrary file rename vulnerability is detected. At the end of the analysis, when the taint decision is made for data that comes from a PDS, multi-step exploit reports are added to the initial vulnerability. This is done for all vulnerabilities that rely on a DataDB symbol that is not tainted through second-order but whose table name is affected by SQLi. Also, a multi-step exploit is reported if a DataDir symbol occurs and the flag for a file rename vulnerability was set. All session data is treated as tainted if an arbitrary file write vulnerability was detected. Additionally, any local file inclusion vulnerability is extended to a remote code execution if a file write or upload feature is detected. Moreover, a SQLi vulnerability within a SELECT query returns a DataDB symbol with a taint flag. This flag indicates that all accessed columns are taintable by modifying the SELECT query during an attack. Thus, all columns of the DataDB symbol are taintable.
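The end-of-analysis taint decision described in this subsection, together with the plain second-order case it extends (a sink reading a column that was written with tainted data), as an added Python example; this is not the prototype's code, and PDSState, DataSession, decide() and all recorded facts are constructed here, with only DataDB and DataDir named after the text.

```python
"""Toy model of the end-of-analysis taint decision for persistent data
stores.  Added example, not the prototype's code: DataDB and DataDir follow
the text, everything else is constructed here.  Writing queries record which
columns receive tainted data and which tables are written by an injectable
query; file-write/rename findings and upload features set flags.  Every
sensitive sink fed from a PDS is then classified."""
from dataclasses import dataclass, field
from typing import List, Set, Tuple


@dataclass
class PDSState:
    """Facts collected while the application is analyzed."""
    tainted_columns: Set[Tuple[str, str]] = field(default_factory=set)
    sqli_write_tables: Set[str] = field(default_factory=set)
    arbitrary_file_write: bool = False
    arbitrary_file_rename: bool = False
    file_upload: bool = False

    def record_write_query(self, table: str, column_taint: dict,
                           sqli: bool) -> None:
        """INSERT/UPDATE seen during analysis: remember the columns that
        receive tainted data and, if the query itself is affected by SQLi,
        its table name (every column of that table becomes writable)."""
        for column, tainted in column_taint.items():
            if tainted:
                self.tainted_columns.add((table, column))
        if sqli:
            self.sqli_write_tables.add(table)


@dataclass(frozen=True)
class DataDB:
    """One column read from the database; select_sqli is the taint flag set
    when the SELECT that produced it is injectable."""
    table: str
    column: str
    select_sqli: bool = False


@dataclass(frozen=True)
class DataDir:
    """A file name obtained from a directory listing."""
    path: str


@dataclass(frozen=True)
class DataSession:
    """A value read from $_SESSION."""
    key: str


def decide(state: PDSState, sink: str, data) -> List[str]:
    """Taint decision for one sensitive sink (e.g. 'XSS', 'LFI', 'code
    execution') that consumes `data` from a PDS; returns the reports."""
    reports: List[str] = []
    if isinstance(data, DataDB):
        if data.select_sqli or (data.table, data.column) in state.tainted_columns:
            reports.append(f"second-order {sink} via {data.table}.{data.column}")
        elif data.table in state.sqli_write_tables:
            reports.append(f"multi-step {sink}: SQLi into table {data.table}")
    elif isinstance(data, DataDir):
        if state.arbitrary_file_rename:
            reports.append(f"multi-step {sink}: file rename controls {data.path}")
    elif isinstance(data, DataSession):
        if state.arbitrary_file_write:
            reports.append(f"multi-step {sink}: session file writable, "
                           f"$_SESSION[{data.key!r}] tainted")
    # a local file inclusion becomes remote code execution once the attacker
    # can place a file on the server
    if sink == "LFI" and reports and (state.arbitrary_file_write
                                      or state.file_upload):
        reports.append("extended to RCE: file write or upload feature present")
    return reports


def demo() -> dict:
    """Constructed scenario shaped after the cases in this paper: a comment
    column stored tainted and echoed, a configuration table filled by an
    injectable INSERT and later used as a callback name, and a header file
    name read from a settings table that a privileged user can change."""
    state = PDSState(file_upload=True)
    state.record_write_query("posts", {"body": True, "author_id": False},
                             sqli=False)                     # tainted comment
    state.record_write_query("configuration",
                             {"configuration_value": False}, sqli=True)
    state.record_write_query("settings", {"value": True}, sqli=False)
    return {
        "echo_body": decide(state, "XSS", DataDB("posts", "body")),
        "echo_author": decide(state, "XSS", DataDB("posts", "author_id")),
        "callback": decide(state, "code execution",
                           DataDB("configuration", "use_function")),
        "header": decide(state, "LFI", DataDB("settings", "value")),
    }
```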
3.5 Inter-procedural PDS Analysis

We optimized the inter-procedural analysis to refine our string analysis results. Function summaries offer a high performance but they are also inflexible for functions with dynamic behavior. Thus, they can weaken the static reconstruction of dynamically created strings.

3.5.1 Multiple Parameter Trace

As we illustrated in Listing 5, modern applications often define wrapper functions for PDS access where more than one parameter is used within one sensitive sink. In this case, the approach of storing each parameter together with its prefixed and postfixed markup, and the corresponding vulnerability type as sensitive parameter in the function summary, is error-prone. When a call to this function occurs, the approach swaps the parameter symbol with the argument of the function call and traces it for user input. While this approach works fine for vulnerability detection, it leads to imprecision when it comes to string reconstruction. Because each argument is traced separately but both are used in the same sink, the result of one trace is missing in the result of the other trace. In Listing 5, for example, the table name is missing in the reconstructed query while the data is reconstructed from the $newuser array. To circumvent this problem, we refined this approach for sinks that execute SQL queries or open file paths within a user-defined function. If multiple parameters or global variables are involved, all symbols are combined to one ValueConcat symbol. Then this symbol is stored in the function summary and analyzed for each function call. This way, each parameter is traced within one analysis and all results are present at the same time.

3.5.2 Mapping Returned Resources

Working with function summaries is very efficient when it comes to performance because each function only requires a single analysis on the first call. For every other call, the function summary is reused. However, a user-defined function might return a resource that has different properties for each call. For example, a SELECT query that embeds the parameter of a user-defined function as the table name returns a different ResourceDB symbol for every call, depending on the function's argument. If the resource is returned by the user-defined function, its symbol's properties change for every different function call. As a solution, we add empty ResourceDB symbols to the function summary's set of return values for user-defined functions with dynamic SQL queries. Once the sensitive parameters are analyzed and the queries are reconstructed, a copy of these symbols is updated with the table and column information and used as returned data.
4 Evaluation

For evaluating our approach, we selected six real-world web applications. We chose the conference management systems OpenConf 5.30 and HotCRP 2.61 for their popularity in the academic field and osCommerce 2.3.3.4 for its large size. Furthermore, we evaluated the follow-up versions of the most prominent software used in related work [3, 11, 30, 31]: NewsPro 1.1.5, MyBloggie 2.1.4, and Scarf 2007-02-27. A second-order vulnerability consists of two data flows: tainting the PDS and tainting the sensitive sink. We evaluated our prototype for both steps and present the true positives (TP) and false positives (FP) in this section. In addition, we discuss the root cause for false negatives (FN) and outline the limitations of our approach.
4.1 PDS Usage and Coverage

To obtain an overview of the usage of PDS in web applications, we manually evaluated the total amount of different memory locations. Note that these numbers do not reflect how often one memory location is used at runtime. Then, we evaluated the ability to taint these memory locations by an application's user and compared it to the detection rate of our prototype. A PDS is defined as taintable if it can contain at least one of the following characters submitted by an application user: \ ' ". In total, we manually identified 841 PDS of which 23% are taintable. Our prototype successfully detected 71% of the taintable PDS with a false discovery rate of 6%.
4.1.1 Databases

Our implementation successfully recovered the database schema for all tested applications during the initialization phase. For evaluation, we categorized all available columns in the application's database schema by declared data type. Only columns with a string type, such as VARCHAR or TEXT, are of interest because they can store tainted data. As shown in Table 1, we found that on average about half of the columns are not taintable due to numeric data types such as INT and DATE.

Table 1: Column types in selected applications.

Software     Tables  Columns  Num   String
osCommerce   50      331      193   138
HotCRP       29      217      142   75
OpenConf     18      129      48    81
NewsPro      8       43       18    25
Scarf        7       37       22    15
MyBloggie    4       24       10    14
Total        116     781      55%   45%

We then carefully fuzzed a local instance of each application manually with common attack payloads in order to determine which columns of type string are taintable. Furthermore, we observed which columns were reported by our prototype implementation as taintable when the schema is available and when not. The results are compared in Table 2. Among the columns with a string type, 53% are taintable. As a result, only 24% of all available columns are not sanitized by the application or the columns' data type.

Table 2: Taintable columns in selected applications.

                        Schema       No schema
Software     Taintable  TP    FP     TP    FP
osCommerce   63         55    4      55    37
HotCRP       43         27    1      27    3
OpenConf     47         16    1      16    4
NewsPro      12         12    0      12    0
Scarf        10         10    1      10    3
MyBloggie    9          9     0      9     0
Total        184        70%   5%     70%   27%

For the rather old and simple applications, all taintable columns were detected by our prototype. The modern and large applications often use loops to construct dynamic SQL queries where reconstruction is error-prone. Overall, we detected 70% of all taintable columns. When the database schema is known, 5% of our reports are FP. The root cause is path-sensitive sanitization of data that is written to the database, a sanitization that our current prototype is not able to detect yet. The false discovery rate is higher if the database schema of an application is not found. In this case, a static analysis tool cannot reason about data types within the database and may flag columns of numeric data type as taintable.
4.1.2 Sessions

To obtain a ground truth for our evaluation, we again manually assessed the applications' code for all accessed keys of the superglobal $_SESSION array. Dynamic keys were reconstructed and keys in multi-dimensional arrays were counted multiple times. Then, we manually examined which session keys are taintable by the application's user and compared this to the analysis result generated by our prototype implementation. As shown in Table 3, we found that only 12% of the 52 identified session keys are taintable within our selected applications. Our prototype correctly detected all taintable session keys. One FP occurred because the sanitized email address of a user is written to the session after it is fetched from the database. This FP is based on the previously introduced FP in identifying taintable columns. A custom session management in osCommerce led to exclusion from our evaluation.

Table 3: Taintable session keys in selected applications.

Software     Keys  Taintable  TP    FP
HotCRP       29    2          2     0
OpenConf     14    2          1     0
NewsPro      2     1          1     0
Scarf        4     0          0     1
MyBloggie    3     1          1     0
Total        52    12%        83%   16%

4.1.3 File Names

To evaluate the features that allow an application's user to alter a file name, we again manually assessed each application for file upload, file creation, and file rename features and counted the different target paths to obtain a ground truth. Next, we counted the collected taintable path names reported by our prototype. The results are shown in Table 4.

Table 4: Taintable paths in selected applications.

Software     Paths  Taintable  TP    FP
osCommerce   2      2          2     0
HotCRP       1      0          0     0
OpenConf     1      0          0     1
NewsPro      1      0          0     0
Scarf        1      1          1     0
MyBloggie    2      2          2     0
Total        8      63%        100%  16%

We found at least one feature in each application's source code to create a new file. However, half of the applications sanitize the name of the file before creating it. Our prototype detected all taintable path names. One FP occurred for OpenConf, where uploaded files are sanitized in a path-sensitive way. Interestingly, a file upload in Scarf is based on a second-order data flow. The name of the uploaded file is specified separately and stored as a configuration value in the database before it is read from the database again and the file is copied. Because no sanitization is applied, an administrator is able to copy any file to any location of the server's file system, which leads to remote code execution. This critical vulnerability was missed in previous work that also used this application for evaluating their approach [3, 31].
4.2 Second-Order Vulnerabilities

We evaluated the ability of our prototype to detect second-order vulnerabilities. Reports of first-order vulnerabilities are ignored for now. Our prototype reported a total of 159 valid second-order vulnerabilities with a false discovery rate of 21% (see Table 5 for details). In summary, 97% of the valid reports are persistent XSS vulnerabilities where the payload is stored in the database. Five persistent XSS vulnerabilities are caused by session data or file names. This is closely related to the fact that 94% of all taintable PDS we identified are columns in database tables (see Section 4.1) and sensitive sinks such as echo are one of PHP's most prominent built-in features [10].

Table 5: Evaluation results for selected applications.

Software     Files  LOC      TP    FP    FN
osCommerce   570    66381    97    29    6
HotCRP       74     40339    1     1     0
OpenConf     121    20404    16    4     0
NewsPro      23     5077     7     1     0
Scarf        19     1686     37    8     3
MyBloggie    58     9485     1     0     0
Total        865    143372   159   43    9
Average      144    23895    79%   21%

Our evaluation revealed that second-order vulnerabilities are highly critical. Next to persistent XSS and file vulnerabilities, we detected various remote code execution vulnerabilities in osCommerce, OpenConf, and NewsPro. In the following, we introduce two selected vulnerabilities to illustrate the complexity and severity of real-world second-order vulnerabilities. It is evident that these vulnerabilities could only be detected with our novel approach of analyzing second-order data flows.
4.2.1 Second-Order LFI to RCE in OpenConf

OpenConf is a well-known conference management software used by many (academic) conferences. Our prototype found a second-order local file inclusion vulnerability in the user-defined printHeader function that leads to remote command execution. The relevant parts of the affected file include.php are shown in Listing 6.

1  function printHeader($what, $function = "0") {
2      require_once $GLOBALS['pfx'] .
3          $GLOBALS['OC_configAR']['OC_headerFile'];
4  }
5
6  $r = mysql_query("SELECT setting, value, parse
7                    FROM " . OCC_TABLE_CONFIG . "");
8  while ($l = mysql_fetch_assoc($r)) {
9      $OC_configAR[$l['setting']] = $l['value'];
10 }
11 printHeader();

Listing 6: Simplified include.php of OpenConf.

When looking at the code, it does not reveal any vulnerability. Whenever the code is included, settings are loaded from the database and the user-defined function printHeader() is called. This function includes a configured header file and prints some HTML.

1  function updateConfigSetting($setting, $value) {
2      $q = "UPDATE " . OCC_TABLE_CONFIG . "
3            SET value = '" . safeSQLstr(trim($value)) . "'
4            WHERE setting = '" . safeSQLstr($setting) . "'";
5      return (ocsql_query($q));
6  }
7
8  foreach (array_keys($_POST) as $p) {
9      if (preg_match("/^OC_[\w-]+/", $p)) {
10         updateConfigSetting($p, $_POST[$p]);
11     }
12 }

Listing 7: Simplified code to change settings in OpenConf.

However, as shown in Listing 7, it is possible for a privileged chair user to change any configuration setting. The configuration page does not specify an input field to change the headerFile setting. Nonetheless, by adding the key OC_headerFile to a manipulated HTTP POST request, the setting is changed. The loop over the submitted keys of the $_POST array in Listing 7, line 8, as well as the loop over the $OC_configAR array in Listing 6, line 9, shows once again how important it is to track the taint status of PHP's array keys precisely. A chair member can now include any local file of the system into the output. Additionally, because the software allows uploading PDF files to the server, our prototype added a multi-step exploit report. Indeed, if a PDF file containing PHP code is uploaded to the server and the headerFile setting is pointed to that PDF, arbitrary PHP code is executed. Moreover, our tool reported a SQL injection vulnerability that is accessible to unprivileged users. This allows any visitor to extract the chair's password hash (salted SHA1) from the database.
4.2.2 Second-Order RCE in NewsPro

Utopia NewsPro is a blogging software and was used in previous work for evaluation [29–31]. Our prototype reported a second-order code execution vulnerability in the administrator interface. Here, a user is able to alter the template files of the blog. The simplified code is shown in Listing 8.

1  $tempid = (int) $_POST['tempid'];
2  $template = mysql_real_escape_string($_POST['template']);
3  $updateTemplate = mysql_query("UPDATE unp_template
4      SET template = '$template' WHERE id = '$tempid'");

Listing 8: Simplified code to change the template in NewsPro.

The template code is read from the database in various places of the source code with help of the user-defined function unp_printTemplate() (see Listing 9). First, this function writes the template's code to a cache array (line 6) and then returns it from this array again. The example demonstrates the importance of inter-procedural analysis and array handling.

1  function unp_printTemplate($template) {
2      global $templatecache, $DB;
3      $getTemplate = mysql_query("SELECT name, template
4          FROM unp_template WHERE name = '$template' LIMIT 1");
5      while ($temp = mysql_fetch_array($getTemplate)) {
6          $templatecache[$template] = $temp['template'];
7      }
8      return addslashes($templatecache[$template]);
9  }
10 eval("\$headlines_displaybit = \"" .
11     unp_printTemplate('headlines_displaybit') . "\";");

Listing 9: Simplified Remote Code Execution vulnerability in NewsPro.

At the call site, the fetched template is evaluated with PHP's eval operator that executes PHP code (line 10). The template's code is escaped (line 8); however, the double-quoted value of the evaluated variable $headlines_displaybit allows executing arbitrary PHP code using curly syntax. By adding the code {${system('id')}} to a template, the system command id is executed. Note that related work failed to detect this vulnerability, which is also present in prior versions.
4.3 Multi-Step Exploits

Our prototype reported two arbitrary file upload vulnerabilities and 14 SQL injection vulnerabilities. Because these vulnerabilities affect a storage operation, the stored data can be manipulated during multi-step exploitation. Our prototype found 14 valid multi-step exploits and a single FP as shown in Table 6.

Table 6: Reported multi-step exploits in selected applications.

             File   SQLi          Multi-Step
Software     TP     TP     FP     TP     FP
osCommerce   1      3      0      3      0
HotCRP       0      1      7      0      1
OpenConf     0      4      1      1      0
NewsPro      0      6      0      9      0
Scarf        1      1      0      1      0
MyBloggie    0      5      0      0      0
Total        2      20     8      14     1
Average      100%   71%    29%    93%    7%

All detected multi-step exploits consist of two steps and no third-order vulnerabilities were detected within our selected applications. In the following, we examine two multi-step exploits in osCommerce that lead to remote command execution to illustrate that these vulnerabilities can only be detected with our novel approach of analyzing multi-step exploits.
4.3.1 Multi-Step RCE in osCommerce

osCommerce is a popular e-commerce software. For one of three reported SQLi vulnerabilities in osCommerce, our prototype additionally reported a multi-step remote code execution exploit. The SQLi is located in the backup tool of the administrator interface and shown in Listing 10. Here, a SQL file is uploaded to restore a database backup. Since the name of the uploaded file is later used unsanitized in a SQL query, an attacker is able to insert any data into the configuration table by uploading a SQL file with a crafted name. This enables another, more severe vulnerability: the table configuration stores a configuration_value and a configuration_title for each setting. Furthermore, a use_function can be specified optionally to deploy the configuration's value.

1  $sql_file = new upload('sql_file');
2  $read_from = $sql_file->filename;
3  tep_db_query("insert into " . TABLE_CONFIGURATION .
4      " values (null, 'Last Database Restore', 'DB_RESTORE', '
5      " . $read_from . "', 'Last database restore file', '6', '6', '0', null, now(

Listing 10: Simplified code of the backup.php file in osCommerce shows a SQLi through a file name.

When the list of configuration values is loaded from the database, the function name specified in the use_function column is called with the configuration_value as argument (see Listing 11, line 5). An attacker can abuse the SQLi to insert an arbitrary PHP function's name, such as system, into the column use_function and an arbitrary argument, such as id, into the column configuration_value. When loading the configuration list, the specified function is fetched and called with the specified argument, which executes the system command id.

1  $conf_query = tep_db_query("select configuration_id, configuration_title,
       configuration_value, use_function from " . TABLE_CONFIGURATION .
       " where configuration_group_id = '" . (int)$gID . "'");
2  while ($configuration = tep_db_fetch_array($conf_query)) {
3      if (tep_not_null($configuration['use_function'])) {
4          $use_function = $configuration['use_function'];
5          $cfgValue = call_user_func($use_function,
6              $configuration['configuration_value']);

Listing 11: Simplified code of the configuration.php file in osCommerce demonstrates a multi-step RCE.
4.3.2 Sanitization Bypass in osCommerce

Another multi-step RCE exploit was reported in osCommerce that involves a sanitization bypass. The previously mentioned backup tool of the administrator interface allows specifying a local ZIP file that is unpacked via the system command unzip. Here, the target file name is specified as an argument in the command line if the specified file name exists on the file system. The simplified code is shown in Listing 12.

1  if (file_exists(DIR_FS_BACKUP . $HTTP_GET_VARS['file'])) {
2      $restore_file = DIR_FS_BACKUP . $HTTP_GET_VARS['file'];
3      exec(LOCAL_EXE_UNZIP . ' ' . $restore_file . ' -d ' . DIR_FS_BACKUP);
4  }

Listing 12: A dynamically constructed system command in osCommerce includes the name of an existing file.

An attacker can bypass this check by abusing one of the file upload functionalities in osCommerce. By uploading a file with the name ;id;.zip and afterwards specifying this file as backup file, the command id is executed. The semicolons within the file name terminate the previous unzip command and introduce a new command.
4.4 False Positives

Our prototype generated 43 false second-order vulnerability reports, leading to a false discovery rate of 21% for our selected applications. All false positives are based on the fact that our prototype is not able to detect path-sensitive sanitization. Thus, persistent XSS was reported in Scarf and HotCRP that is based on email addresses stored in the database. Our prototype erroneously identified these columns as taintable (see Section 4.1.1). The same error applies to a paper format in OpenConf, which leads to four false positives. A user-defined sanitization function using path-sensitive sanitization based on its argument led to 29 false persistent XSS reports in osCommerce. A false multi-step exploit was reported in HotCRP caused by a false SQLi report. By performing a path-sensitive sanitization analysis, these false positives can be addressed in the future.
4.5 False Negatives

Evaluating false negatives is an error-prone task because the actual number of vulnerabilities is unknown. Furthermore, no CVE entries are public regarding second-order vulnerabilities in our selected applications. However, it is possible to test for false negatives that stem from insufficient detection of taintable PDS. By pre-configuring our implementation with the taintable PDS we identified manually, we can compare the amount of detected second-order vulnerabilities with the number of reports when PDS are analyzed automatically. As a result, only six previously missed persistent XSS in osCommerce were reported. Additionally, another taintable session key in OpenConf was reported, although the key does not lead to a vulnerability. Furthermore, we manually inspected the source code of the applications and observed that our SQL parser needs improvement. Three false negatives occurred in Scarf because our parser does not handle SQL string functions such as concat(). More complex SQL instructions might lead to further false negatives but are used rarely.
4.6 Performance

We evaluated our prototype with the implementation of our approach to detect second-order vulnerabilities (+SO) and without it (-SO). Our testing environment was equipped with an Intel i7-2600 CPU with 3.4 GHz and 16 GB of memory. The amount of memory consumption (M, in megabytes), scan time (T, in seconds), and second-order vulnerability reports (R) for our selected applications are given in Table 7.

Table 7: Performance results for selected applications.

             -SO Analysis       +SO Analysis
Software     M [MB]   T [s]     M [MB]   T [s]   R
osCommerce   834      134       846      213     129
HotCRP       752      186       775      345     3
OpenConf     528      33        523      47      21
NewsPro      50       1         50       3       17
Scarf        39       1         40       14      46
MyBloggie    87       7         87       11      1
Total        2290     362       2321     633     217
Average      382      60        387      106     36

While the memory consumption does not increase significantly by adding second-order analysis, the average scan time increases by 40%. Note, however, that this includes 217 processed vulnerability reports the prototype would have missed without the additional second-order analysis. Furthermore, we believe that a total scan time of less than 11 minutes for our selected applications is still reasonable.
5 Related Work

Web applications are widely used in the modern Web and as a result, security analysis of such applications has attracted a considerable amount of research. We now review related work in this area and discuss how our approach differs from previous approaches.

Dynamic Analysis
There are many different dynamic approaches to perform a security analysis of a given web application. For example, Apollo [1] leverages symbolic and concrete execution techniques in combination with explicit-state model checking to perform persistent state analysis for session variables in PHP. Sekar proposes syntax- and taint-aware policies that can accurately detect and/or block most injection attacks [23]. However, such approaches are typically limited to simple types of taint-style vulnerabilities. There are also dynamic approaches to detect second-order vulnerabilities. For example, McAllister et al. present a black box scanner capable of detecting persistent XSS [19]. Ardilla [14] aims at detecting both SQL injection and XSS vulnerabilities by generating sample inputs, symbolically tracking taint information through execution (including through database accesses), and automatically generating concrete exploits. The typical drawbacks of such dynamic approaches are the limited test coverage and the missing ability to crawl a given site "deep" enough. This insight is confirmed by Doupé et al., who tested eleven black-box dynamic vulnerability scanners and found that whole classes of vulnerabilities are not well-understood and cannot be detected by the state-of-the-art scanners [7].
Static Analysis
We perform static analysis of PHP code and use the concept of block summaries as proposed by Xie and Aiken [30] and later on refined by Dahse and Holz [6]. Our analysis tool extends these ideas and we improved the modeling of the language. More precisely, we introduce more data symbols (e.g., to analyze array accesses in a more precise way) and enhance the analysis of built-in functions such that we can perform a taint analysis for persistent data stores. Furthermore, we optimized the inter-procedural analysis to refine our string analysis results. This enables us to analyze the two distinct data flows that lead to second-order vulnerabilities: (i) source to PDS and (ii) PDS to sink. As a result, we are able to detect vulnerabilities missed by these approaches. Pixy [11] and Saner [2] are other static code analysis tools for web applications, but neither recognizes second-order vulnerabilities.

There are static analysis approaches that target other classes of security vulnerabilities. For example, SaferPHP [25] attempts to find semantic attacks (e.g., denial of service attacks due to infinite loops caused by malicious inputs, or unauthorized database operations due to missing security checks) within web applications. RoleCast [24] identifies security-critical variables and applies role-specific variable consistency analysis to identify missing security checks, while Phantm [17] detects type errors in PHP code. Such kinds of software defects are out of scope for our analysis.

Static Second-Order Analysis
The work most closely related to our approach is MiMoSA [3]. It is an extension of Pixy [11] to detect multi-module data flow and workflow vulnerabilities. The data flow through databases is modeled; however, it uses a dynamic approach for the reconstruction of SQL queries. Moreover, it focuses on the detection of the workflow of an application and handles neither other types of PDS nor multi-step exploits. In comparison, only three data flow vulnerabilities were detected in Scarf, whereas our approach detected 37 second-order vulnerabilities and one multi-step exploit.

Zheng and Zhang proposed an approach to detect atomicity violations in web applications regarding external resources [31], which can be seen as closely related to second-order vulnerabilities since such concurrency errors are a pre-condition for second-order exploits. They perform a context- and path-sensitive inter-procedural static analysis to automatically detect atomicity violations on shared external resources. NewsPro and Scarf are included in their evaluation, but the authors did not find any of the second-order vulnerabilities detected by our approach. As such, our approach outperformed prior work on static detection of second-order vulnerabilities.
6 Conclusion and Future Work

In this paper, we demonstrated that it is possible to statically model the data flow through persistent data stores by collecting all storage writings and readings. At the end of the analysis, we can determine if data read from a persistent store can be controlled by an attacker and if this leads to a security vulnerability. Our prototype implementation demonstrated that this is an overlooked problem in practice: we identified more than 150 vulnerabilities in six popular web applications and showed that prior work in this area did not detect these software defects. From a broader perspective, our approach can be broken down to the problem of statically reconstructing all strings that can be generated at runtime by the application and thus, is limited by the halting problem. Future work includes modeling the data flow when prepared statements are used, supporting more SQL features, and analyzing data flow through file content. Also, path-sensitive sanitization and aliasing should be analyzed more precisely [32].
References

[1] Artzi, S., Kiezun, A., Dolby, J., Tip, F., Dig, D., Paradkar, A., and Ernst, M. D. Finding Bugs in Web Applications Using Dynamic Test Generation and Explicit-State Model Checking. IEEE Trans. Softw. Eng. 36, 4 (2010).
[2] Balzarotti, D., Cova, M., Felmetsger, V., Jovanovic, N., Kirda, E., Kruegel, C., and Vigna, G. Saner: Composing Static and Dynamic Analysis to Validate Sanitization in Web Applications. In IEEE Symposium on Security and Privacy (2008).
[3] Balzarotti, D., Cova, M., Felmetsger, V. V., and Vigna, G. Multi-Module Vulnerability Analysis of Web-based Applications. In ACM Conference on Computer and Communications Security (CCS) (2007).
[4] Bau, J., Bursztein, E., Gupta, D., and Mitchell, J. State of the Art: Automated Black-Box Web Application Vulnerability Testing. In IEEE Symposium on Security and Privacy (2010).
[5] Bojinov, H., Bursztein, E., and Boneh, D. XCS: Cross Channel Scripting and Its Impact on Web Applications. In ACM Conference on Computer and Communications Security (CCS) (2009).
[6] Dahse, J., and Holz, T. Simulation of Built-in PHP Features for Precise Static Code Analysis. In Symposium on Network and Distributed System Security (NDSS) (2014).
[7] Doupé, A., Cova, M., and Vigna, G. Why Johnny Can't Pentest: An Analysis of Black-box Web Vulnerability Scanners. In Detection of Intrusions and Malware, and Vulnerability Assessment (DIMVA) (2010).
[8] Gundy, M. V., and Chen, H. Noncespaces: Using Randomization to Enforce Information Flow Tracking and Thwart Cross-Site Scripting Attacks. In Symposium on Network and Distributed System Security (NDSS) (2009).
[9] Halfond, W. G., Viegas, J., and Orso, A. A Classification of SQL Injection Attacks and Countermeasures. In Proceedings of the IEEE International Symposium on Secure Software Engineering (2006).
[10] Hills, M., Klint, P., Vinju, J., and Hills, M. An Empirical Study of PHP Feature Usage. In International Symposium on Software Testing and Analysis (ISSTA) (2013).
[11] Jovanovic, N., Kruegel, C., and Kirda, E. Static Analysis for Detecting Taint-style Vulnerabilities in Web Applications. Journal of Computer Security 18, 5 (08 2010).
[12] Kernighan, B. W., and Pike, R. The Practice of Programming. Addison-Wesley, Inc. (1999).
[13] Khoury, N., Zavarsky, P., Lindskog, D., and Ruhl, R. Testing and Assessing Web Vulnerability Scanners for Persistent SQL Injection Attacks. In Proceedings of the First International Workshop on Security and Privacy Preserving in e-Societies (2011), SeceS '11, pp. 12–18.
[14] Kieyzun, A., Guo, P. J., Jayaraman, K., and Ernst, M. D. Automatic Creation of SQL Injection and Cross-site Scripting Attacks. In International Conference on Software Engineering (ICSE) (2009).
[15] Kirda, E., Kruegel, C., Vigna, G., and Jovanovic, N. Noxes: A Client-side Solution for Mitigating Cross-site Scripting Attacks. In ACM Symposium On Applied Computing (SAC) (2006).
[16] Klein, A. Cross-Site Scripting Explained. Sanctum White Paper (2002).
[17] Kneuss, E., Suter, P., and Kuncak, V. Phantm: PHP Analyzer for Type Mismatch. In ACM SIGSOFT Symposium on the Foundations of Software Engineering (FSE) (2010).
[18] Livshits, B., and Cui, W. Spectator: Detection and Containment of JavaScript Worms. In USENIX Annual Technical Conference (2008).
[19] McAllister, S., Kirda, E., and Kruegel, C. Leveraging User Interactions for In-Depth Testing of Web Applications. In Symposium on Recent Advances in Intrusion Detection (RAID) (2008).
[20] Microsoft Developer Network Library. Naming Files, Paths, and Namespaces. http://msdn.microsoft.com/en-us/library/aa365247(VS.85), as of February 2014.
[21] Nadji, Y., Saxena, P., and Song, D. Document Structure Integrity: A Robust Basis for Cross-site Scripting Defense. In Symposium on Network and Distributed System Security (NDSS) (2009).
[22] Scholte, T., Robertson, W., Balzarotti, D., and Kirda, E. An Empirical Analysis of Input Validation Mechanisms in Web Applications and Languages. In ACM Symposium On Applied Computing (SAC) (2012).
[23] Sekar, R. An Efficient Black-Box Technique for Defeating Web Application Attacks. In Symposium on Network and Distributed System Security (NDSS) (2009).
[24] Son, S., McKinley, K. S., and Shmatikov, V. RoleCast: Finding Missing Security Checks when You Do Not Know What Checks Are. In ACM SIGPLAN Conference on Object-Oriented Programming Systems, Languages, and Applications (OOPSLA) (2011).
[25] Son, S., and Shmatikov, V. SAFERPHP: Finding Semantic Vulnerabilities in PHP Applications. In ACM SIGPLAN Workshop on Programming Languages and Analysis for Security (PLAS) (2011).
[26] Sun, F., Xu, L., and Su, Z. Client-side Detection of XSS Worms by Monitoring Payload Propagation. In European Symposium on Research in Computer Security (ESORICS) (2009).
[27] Vogt, P., Nentwich, F., Jovanovic, N., Kirda, E., Krügel, C., and Vigna, G. Cross Site Scripting Prevention with Dynamic Data Tainting and Static Analysis. In Symposium on Network and Distributed System Security (NDSS) (2007).
[28] W3Techs. World Wide Web Technology Surveys. http://w3techs.com/, as of February 2014.
[29] Wasserman, G., and Su, Z. Static Detection of Cross-Site Scripting Vulnerabilities. In International Conference on Software Engineering (ICSE) (2008).
[30] Xie, Y., and Aiken, A. Static Detection of Security Vulnerabilities in Scripting Languages. In USENIX Security Symposium (2006).
[31] Zheng, Y., and Zhang, X. Static Detection of Resource Contention Problems in Server-side Scripts. In International Conference on Software Engineering (ICSE) (2012), pp. 584–594.
[32] Zheng, Y., Zhang, X., and Ganesh, V. Z3-str: A Z3-based String Solver for Web Application Analysis. In Proceedings of the 2013 9th Joint Meeting on Foundations of Software Engineering (2013), ESEC/FSE 2013, pp. 114–124.