Static Detection of Second-Order Vulnerabilities in Web Applications
Web applications evolved in the last decades from simple scripts to multi-functional applications. Such complex web applications are prone to different types of security vulnerabilities that lead to data leakage or a compromise of the underlying web server. So called secondorder vulnerabilities occur when an attack payload is first stored by the application on the web server and then later on used in a security-critical operation.
In this paper, we introduce the first automated static code analysis approach to detect second-order vulnerabilities and related multi-step exploits in web applications. By analyzing reads and writes to memory locations of the web server, we are able to identify unsanitized data flows by connecting input and output points of data in persistent data stores such as databases or session data. As a result, we identified 159 second-order vulnerabilities in six popular web applications such as the conference management systems HotCRP and Open- Conf. Moreover, the analysis of web applications evaluated in related work revealed that we are able to detect several critical vulnerabilities previously missed.
Friday, August 1, 2014 - 10:45am
Authors:
Johannes Dahse and Thorsten Holz, Ruhr-University Bochum
Papers are restricted to registered attendees until the event begins. Once the event begins, the content becomes free and open to everyone. Journal articles are open to everyone upon publication. If available, video, audio, and/or slides of this presentation will be posted here after the event.
@inproceedings {184419,
author = {Johannes Dahse and Thorsten Holz},
title = {Static Detection of Second-Order Vulnerabilities in Web Applications},
booktitle = {23rd USENIX Security Symposium (USENIX Security 14)},
year = {2014},
month = Aug,
isbn = {978-1-931971-15-7},
address = {San Diego, CA},
pages = {989--1003},
url = {https://www.usenix.org/conference/usenixsecurity14/technical-sessions/presentation/dahse},
publisher = {USENIX Association},
}
<br><a href="/biblio/export/bibtex/184419">Download</a>
Abstract:
Web applications evolved in the last decades from simple scripts to multi-functional applications. Such complex web applications are prone to different types of security vulnerabilities that lead to data leakage or a compromise of the underlying web server. So called secondorder vulnerabilities occur when an attack payload is first stored by the application on the web server and then later on used in a security-critical operation.
In this paper, we introduce the first automated static code analysis approach to detect second-order vulnerabilities and related multi-step exploits in web applications. By analyzing reads and writes to memory locations of the web server, we are able to identify unsanitized data flows by connecting input and output points of data in persistent data stores such as databases or session data. As a result, we identified 159 second-order vulnerabilities in six popular web applications such as the conference management systems HotCRP and Open- Conf. Moreover, the analysis of web applications evaluated in related work revealed that we are able to detect several critical vulnerabilities previously missed.
connect with us