Leveraging Flawed Tutorials for Seeding Large-Scale Web Vulnerability Discovery


Tommi Unruh and Bhargava Shastry, TU Berlin; Malte Skoruppa, Saarland University; Federico Maggi, FTR, Trend Micro Inc.; Konrad Rieck, TU Braunschweig; Jean-Pierre Seifert, TU Berlin; Fabian Yamaguchi, TU Braunschweig


The Web is replete with tutorial-style content on how to accomplish programming tasks. Unfortunately, even top-ranked tutorials suffer from severe security vulnerabilities, such as cross-site scripting (XSS), and SQL injection (SQLi). Assuming that these tutorials influence real-world software development, we hypothesize that code snippets from popular tutorials can be used to bootstrap vulnerability discovery at scale. To validate our hypothesis, we propose a semi-automated approach to find recurring vulnerabilities starting from a handful of top-ranked tutorials that contain vulnerable code snippets. We evaluate our approach by performing an analysis of tens of thousands of open-source web applications to check if vulnerabilities originating in the selected tutorials recur. Our analysis framework has been running on a standard PC, analyzed 64,415 PHP codebases hosted on GitHub thus far, and found a total of 117 vulnerabilities that have a strong syntactic similarity to vulnerable code snippets present in popular tutorials. In addition to shedding light on the anecdotal belief that programmers reuse web tutorial code in an ad hoc manner, our study finds disconcerting evidence of insufficiently reviewed tutorials compromising the security of open-source projects. Moreover, our findings testify to the feasibility of large-scale vulnerability discovery using poorly written tutorials as a starting point.

Open Access Media

USENIX is committed to Open Access to the research presented at our events. Papers and proceedings are freely available to everyone once the event begins. Any video, audio, and/or slides that are posted after the event are also free and open to everyone. Support USENIX and our commitment to Open Access.

@inproceedings {206146,
author = {Tommi Unruh and Bhargava Shastry and Malte Skoruppa and Federico Maggi and Konrad Rieck and Jean-Pierre Seifert and Fabian Yamaguchi},
title = {Leveraging Flawed Tutorials for Seeding {Large-Scale} Web Vulnerability Discovery},
booktitle = {11th USENIX Workshop on Offensive Technologies (WOOT 17)},
year = {2017},
address = {Vancouver, BC},
url = {https://www.usenix.org/conference/woot17/workshop-program/presentation/unruh},
publisher = {USENIX Association},
month = aug