Backporting Security Patches of Web Applications: A Prototype Design and Implementation on Injection Vulnerability Patches

Authors: 

Youkun Shi, Yuan Zhang, Tianhan Luo, and Xiangyu Mao, Fudan University; Yinzhi Cao, Johns Hopkins University; Ziwen Wang, Yudi Zhao, Zongan Huang, and Min Yang, Fudan University

Abstract: 

Web vulnerabilities, especially injection-related ones, are popular among web application frameworks (such as Word-Press and Piwigo), which can lead to severe consequences like user information leak and server-side malware execution. One major practice of fixing web vulnerabilities on real-world websites is to apply security patches from the official developers of web frameworks. However, such a practice is challenging because security patches are developed for the latest version of a web framework, but real-world websites often run an old version due to legacy reasons. A direct application of security patches on the old version often fails because web frameworks, especially the code around the vulnerable location, may change between versions.

In this paper, we design a security patch backporting framework and implement a prototype on injection vulnerability patches, called SKYPORT. SKYPORT first identifies safely-backportable patches of injection vulnerabilities and web framework versions in theory and then backports patches to corresponding old versions. In the evaluation, SKYPORT identifies 98 out of 155 security patches targeting legacy injection vulnerabilities, which can be backported to 750 old versions of web application frameworks. Then, SKYPORT successfully backported all of the aforementioned backportable patches to corresponding old versions to correctly fix vulnerabilities. We believe that this is a first-step towards this important research problem and hope our research can draw further attention from the research community in backporting security patches to fix unpatched vulnerabilities in general beyond injection-related ones.

Open Access Media

USENIX is committed to Open Access to the research presented at our events. Papers and proceedings are freely available to everyone once the event begins. Any video, audio, and/or slides that are posted after the event are also free and open to everyone. Support USENIX and our commitment to Open Access.

BibTeX
@inproceedings {280014,
author = {Youkun Shi and Yuan Zhang and Tianhan Luo and Xiangyu Mao and Yinzhi Cao and Ziwen Wang and Yudi Zhao and Zongan Huang and Min Yang},
title = {Backporting Security Patches of Web Applications: A Prototype Design and Implementation on Injection Vulnerability Patches},
booktitle = {31st USENIX Security Symposium (USENIX Security 22)},
year = {2022},
isbn = {978-1-939133-31-1},
address = {Boston, MA},
pages = {1993--2010},
url = {https://www.usenix.org/conference/usenixsecurity22/presentation/shi},
publisher = {USENIX Association},
month = aug
}

Presentation Video