Static Detection of Second-Order Vulnerabilities in Web Applications
Johannes Dahse and Thorsten Holz, Ruhr-University Bochum
Facebook Internet Defense Prize Winner!
Web applications evolved in the last decades from simple scripts to multi-functional applications. Such complex web applications are prone to different types of security vulnerabilities that lead to data leakage or a compromise of the underlying web server. So-called second-order vulnerabilities occur when an attack payload is first stored by the application on the web server and then later on used in a security-critical operation.
In this paper, we introduce the first automated static code analysis approach to detect second-order vulnerabilities and related multi-step exploits in web applications. By analyzing reads and writes to memory locations of the web server, we are able to identify unsanitized data flows by connecting input and output points of data in persistent data stores such as databases or session data. As a result, we identified 159 second-order vulnerabilities in six popular web applications such as the conference management systems HotCRP and OpenConf. Moreover, the analysis of web applications evaluated in related work revealed that we are able to detect several critical vulnerabilities previously missed.
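The write-then-read linkage the abstract describes, as an added toy example that is not the paper's analysis or its implementation: a two-phase taint pass over a constructed mini-language of request handlers (`input`, `sanitize`, `store`, `load`, `sink` tuples) that first collects, to a fixpoint, which persistent locations (database columns, session keys) any handler ever writes tainted data to, then treats every read of such a location as a new tainted source, so that sinks are reported as first- or second-order flows. The statement forms, location names and the sample program are assumptions made up for this illustration.

```python
def _run(program, tainted_locs, findings):
    """One linear pass: record tainted stores and, if findings is a list, tainted sinks."""
    taint = {}  # variable -> set of taint origins ("input:<var>" or "store:<location>")
    for stmt in program:
        op, args = stmt[0], stmt[1:]
        if op == "input":                    # request data is tainted at the source
            taint[args[0]] = {"input:" + args[0]}
        elif op == "sanitize":               # toy model: escaping clears taint completely
            taint[args[0]] = set()
        elif op == "store":                  # write to a persistent location (db column, session key)
            loc, src = args
            if taint.get(src):
                tainted_locs.setdefault(loc, set()).update(taint[src])
        elif op == "load":                   # read back: tainted iff some writer stored tainted data
            dst, loc = args
            taint[dst] = ({"store:" + loc} | tainted_locs[loc]) if loc in tainted_locs else set()
        elif op == "sink":                   # security-critical operation consuming src
            name, src = args
            origins = taint.get(src, set())
            if origins and findings is not None:
                order = "second-order" if any(o.startswith("store:") for o in origins) else "first-order"
                findings.append({"sink": name, "var": src, "order": order, "origins": sorted(origins)})

def analyze(program):
    """Report every sink reached by unsanitized data across all handlers of the program."""
    tainted_locs = {}
    while True:                              # phase 1: writers and readers are unordered handlers,
        before = {k: set(v) for k, v in tainted_locs.items()}  # so iterate until no new store taints
        _run(program, tainted_locs, None)
        if before == tainted_locs:
            break
    findings = []
    _run(program, tainted_locs, findings)    # phase 2: loads from tainted locations are sources
    return findings

# Constructed sample: three request handlers of one application, readers listed before the writer.
SAMPLE = [
    ("load", "display", "db.users.name"),    # /profile/view: read the stored name ...
    ("sink", "sql_query", "display"),        # ... and concatenate it into a query: second-order SQLi
    ("load", "shown", "db.users.name"),      # /profile/page: read it ...
    ("sanitize", "shown_safe", "shown"),
    ("sink", "echo", "shown_safe"),          # ... escape before output: no finding
    ("input", "name"),                       # /profile/save: request data ...
    ("store", "db.users.name", "name"),      # ... persisted via a parameterized INSERT (safe by itself)
    ("input", "q"),
    ("sink", "echo", "q"),                   # reflected first-order flow, for comparison
]

if __name__ == "__main__":
    print(analyze(SAMPLE))
```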
author = {Johannes Dahse and Thorsten Holz},
title = {Static Detection of {Second-Order} Vulnerabilities in Web Applications},
booktitle = {23rd USENIX Security Symposium (USENIX Security 14)},
year = {2014},
isbn = {978-1-931971-15-7},
address = {San Diego, CA},
pages = {989--1003},
url = {https://www.usenix.org/conference/usenixsecurity14/technical-sessions/presentation/dahse},
publisher = {USENIX Association},
month = aug
}