Neil P Thimmaiah, Yashashvi J Dave, Rigel Gjomemo, and V.N. Venkatakrishnan, University of Illinois Chicago
Comprehensively analyzing modern-day web applications to detect different vulnerabilities and related exploits is challenging and time-consuming. Security researchers spend significant time discovering vulnerabilities and creating vulnerability and exploit disclosures. However, such disclosures are often limited to single vulnerability instances and do not contain information about other instances of the same vulnerability in the application. In this paper, we propose FIXX, a tool that can automatically find multiple similar exploits from taint-style vulnerabilities inside the same PHP application. FIXX aims to help web application developers detect all possible instances of a known exploit within the program's code. To do this, FIXX combines novel notions of path and graph similarity over graph representations of code. We evaluate FIXX on 32 CVE reports containing cross-site scripting and SQL injection vulnerabilities associated with 19 PHP applications and discover 1097 similar exploitable paths leading to 10 new CVE entries.
author = {Neil P Thimmaiah and Yashashvi J Dave and Rigel Gjomemo and V.N. Venkatakrishnan},
title = {{FIXX}: {FInding} {eXploits} from {eXamples}},
booktitle = {34th USENIX Security Symposium (USENIX Security 25)},
year = {2025},
isbn = {978-1-939133-52-6},
address = {Seattle, WA},
pages = {8313--8327},
url = {https://www.usenix.org/conference/usenixsecurity25/presentation/thimmaiah},
publisher = {USENIX Association},
month = aug
}



