Jun Zhu,Bill Chu,Heather Richter Lipford,Tyler Thomas

DOI: https://doi.org/10.1145/2752952.2752976

2015-01-01

Abstract:ABSTRACTAccess control vulnerabilities due to programming errors have consistently ranked amongst top software vulnerabilities. Previous research efforts have concentrated on using automatic program analysis techniques to detect access control vulnerabilities in applications. We report a comparative study of six open source PHP applications, and find that implicit assumptions of previous research techniques can significantly limit their effectiveness. We propose a more effective hybrid approach to mitigate access control vulnerabilities. Developers are reminded in-situ of potential access control vulnerabilities, where self-review of code can help them discover mistakes. Additionally, developers are prompted for application-specific access control knowledge, providing samples of code that could be thought of as static analysis by example. These examples are turned into code patterns that can be used in performing static analysis to detect additional access control vulnerabilities and alert the developer to take corrective actions. Our evaluation of six open source applications detected 20 zero-day access control vulnerabilities in addition to finding all access control vulnerabilities detected in previous works.

Feng Xiao,Jianwei Huang,Yichang Xiong,Guangliang Yang,Hong Hu,Guofei Gu,Wenke Lee

2021-01-01

Abstract:Nowadays, Node.js has been widely used in the development of server-side and desktop programs (e.g., Skype), with its cross-platform and high-performance execution environment of JavaScript. In past years, it has been reported other dynamic programming languages (e.g., PHP and Ruby) are unsafe on sharing objects. However, this security risk is not well studied and understood in JavaScript and Node.js programs. In this paper, we fill the gap by conducting the first systematic study on the communication process between client- and server-side code in Node.js programs. We extensively identify several new vulnerabilities in popular Node.js programs. To demonstrate their security implications, we design and develop a novel feasible attack, named hidden property abusing (HPA). Our further analysis shows HPA attacks are subtly different from existing findings regarding exploitation and attack effects. Through HPA attacks, a remote web attacker may obtain dangerous abilities, such as stealing confidential data, bypassing security checks, and launching DoS (Denial of Service) attacks. To help Node.js developers vet their programs against HPA, we design a novel vulnerability detection and verification tool, named LYNX, that utilizes hybrid program analysis to automatically reveal HPA vulnerabilities and even synthesize exploits. We apply LYNX on a set of widely-used Node.js programs and identify 15 previously unknown vulnerabilities. We have reported all of our findings to the Node.js community. 10 of them have been assigned with CVE, and 8 of them are rated as "Critical" or "High" severity. This indicates HPA attacks can cause serious security threats.

Zhenhua Wang,Wei Xie,Jing Tao,Yong Tang,Enze Wang

DOI: https://doi.org/10.1007/978-3-030-90022-9_2

2021-01-01

Abstract:XXE vulnerability is a severe cybersecurity threat. OWASP listed the 10 most serious web application security risks, and XXE ranked fourth. This vulnerability can lead to sensitive information leakage, DoS attacks, and intranet asset discovery. Little attention has been given to this problem, and manual work is still needed to detect these vulnerabilities. Here, we design a penetration test framework, XHunter, to discover and exploit XXE vulnerabilities automatically. XHunter can find the call chain that triggers a vulnerability and determine the vulnerability's influence scope. Specifically, our work addresses many challenges in the analysis of modern web applications, such as object-oriented structures. In addition to detecting vulnerable sinks, we find the exploit path automatically. We give each vulnerability a risk rating based on the potential impact of the exploits. In this paper, we analyze 22 real-world web frameworks and find 8 unreported vulnerabilities, 2 of which have obtained CVE IDs.

LI Yulin,CHEN Libo,LIU Yujiang,DU Wenlong,XUE Zhi

DOI: https://doi.org/10.11959/j.issn.2096-109x.2024021

2024-01-01

Abstract:The discovery of deserialization vulnerabilities has garnered significant attention from cybersecurity researchers,with an increasing number of vulnerabilities being uncovered,posing severe threats to enterprise network security.The Java language's polymorphism and reflection capabilities render its deserialization vulnerability exploitation chains more varied and intricate,amplifying the challenges in defense and detection efforts.Consequently,developing strategies to counter Java deserialization vulnerability attacks has become a critical aspect of network security.Following an examination of numerous publicly known Java deserialization vulnerabilities,a runtime detection-based defense technology solution for Java deserialization vulnerabilities was proposed.Deserialization vulnerabilities were categorized into four types based on the data formats involved:Java native deserialization vulnerability,JSON deserialization vulnerability,XML deserialization vulnerability,and YAML deserialization vulnerability.For each type,the entry function within the exploitation process was identified and summarized.Utilizing Java's runtime protection technology,the solution monitored sensitive behaviors,such as command execution at the Java level,and captured the current runtime context information of the system.By correlating the deserialization entry function with the context information,the system can determine if the current behavior constitutes an exploitation of a deserialization vulnerability.The solution's efficacy was validated through testing on prevalent Java applications,including WebLogic,JBoss,and Jenkins.The results demonstrate that this approach can effectively protect against Java deserialization vulnerability attacks without inflicting a substantial performance penalty on the targeted system.Furthermore,when compared to other mainstream protection solutions,this method exhibits superior protective efficacy.

Jinfeng Li

DOI: https://doi.org/10.33166/AETiC.2020.03.001

2020-07-04

Abstract:The delivery of a framework in place for secure application development is of real value for application development teams to integrate security into their development life cycle, especially when a mobile or web application moves past the scanning stage and focuses increasingly on the remediation or mitigation phase based on static application security testing (SAST). For the first time, to the author's knowledge, the industry-standard Open Web Application Security Project (OWASP) top 10 vulnerabilities and CWE/SANS top 25 most dangerous software errors are synced up in a matrix with Checkmarx vulnerability queries, producing an application security framework that helps development teams review and address code vulnerabilities, minimise false positives discovered in static scans and penetration tests, targeting an increased accuracy of the findings. A case study is conducted for vulnerabilities scanning of a proof-of-concept mobile malware detection app. Mapping the OWASP/SANS with Checkmarx vulnerabilities queries, flaws and vulnerabilities are demonstrated to be mitigated with improved efficiency.

Cryptography and Security,Software Engineering

Yogesh Handge,

DOI: https://doi.org/10.55041/ijsrem30497

2024-04-10

INTERANTIONAL JOURNAL OF SCIENTIFIC RESEARCH IN ENGINEERING AND MANAGEMENT

Abstract:The increasing dependence on web applications amplifies the importance of protecting them against cyber threats. Vulnerability scanners are of utmost importance in this process, as they periodically detect vulnerabilities within network infras- tructures. This tool automates vulnerability detection, eliminating the need for manual intervention. This paper introduces a vulnerability scanner tool that determines probable threats to a web application by utilizing technologies such as header analysis, port scanning, and comparison against a database of known vulnerabilities(CVEs),thereby providing a robust solution Index Terms—Vulnerability Scanning, Header Analysis, Port Scanning, CVEs, Web Crawling,Socket Programming, Automation

Jun Zhu,Jing Xie,Heather Richter Lipford,Bill Chu

DOI: https://doi.org/10.1016/j.jare.2013.11.006

IF: 12.822

2014-01-01

Journal of Advanced Research

Abstract:Many security incidents are caused by software developers’ failure to adhere to secure programming practices. Static analysis tools have been used to detect software vulnerabilities. However, their wide usage by developers is limited by the special training required to write rules customized to application-specific logic. Our approach is interactive static analysis, to integrate static analysis into Integrated Development Environment (IDE) and provide in-situ secure programming support to help developers prevent vulnerabilities during code construction. No additional training is required nor are there any assumptions on ways programs are built. Our work is motivated in part by the observation that many vulnerabilities are introduced due to failure to practice secure programming by knowledgeable developers. We implemented a prototype interactive static analysis tool as a plug-in for Java in Eclipse. Our technical evaluation of our prototype detected multiple zero-day vulnerabilities in a large open source project. Our evaluations also suggest that false positives may be limited to a very small class of use cases.

Sicong Cao,Biao He,Xiaobing Sun,Yu Ouyang,Chao Zhang,Xiaoxue Wu,Ting Su,Lili Bo,Bin Li,Chuanlei Ma,Jiajia Li,Tao Wei

2023-04-09

Abstract:Java deserialization vulnerability is a severe threat in practice. Researchers have proposed static analysis solutions to locate candidate vulnerabilities and fuzzing solutions to generate proof-of-concept (PoC) serialized objects to trigger them. However, existing solutions have limited effectiveness and efficiency. In this paper, we propose a novel hybrid solution ODDFUZZ to efficiently discover Java deserialization vulnerabilities. First, ODDFUZZ performs lightweight static taint analysis to identify candidate gadget chains that may cause deserialization vulner-abilities. In this step, ODDFUZZ tries to locate all candidates and avoid false negatives. Then, ODDFUZZ performs directed greybox fuzzing (DGF) to explore those candidates and generate PoC testcases to mitigate false positives. Specifically, ODDFUZZ applies a structure-aware seed generation method to guarantee the validity of the testcases, and adopts a novel hybrid feedback and a step-forward strategy to guide the directed fuzzing. We implemented a prototype of ODDFUZZ and evaluated it on the popular Java deserialization repository ysoserial. Results show that, ODDFUZZ could discover 16 out of 34 known gadget chains, while two state-of-the-art baselines only identify three of them. In addition, we evaluated ODDFUZZ on real-world applications including Oracle WebLogic Server, Apache Dubbo, Sonatype Nexus, and protostuff, and found six previously unreported exploitable gadget chains with five CVEs assigned.

Cryptography and Security

Goran Piskachev,Tobias Petrasch,Johannes Späth,Eric Bodden

DOI: https://doi.org/10.1007/978-3-030-54997-8_34

2020-01-01

Abstract:According to security rankings such as the SANS Top 25 and the OWASP Top 10, access-control vulnerabilities are still highly relevant. Even though developers use web frameworks such as Spring and Struts, which handle the entire access-control mechanism, their implementation can still be vulnerable because of misuses, errors, or inconsistent implementation from the design specification. We propose AuthCheck, a static analysis that tracks the program’s state using a finite state machine to report illegal states caused by vulnerable implementation. We implemented AuthCheck for the Spring framework and identified four types of mistakes that developers can make when using Spring Security. With AuthCheck, we analyzed an existing open-source Spring application with inserted vulnerable code and detected the vulnerabilities.

Xiaowei Li,Xujie Si,Yuan Xue

DOI: https://doi.org/10.1145/2557547.2557552

2014-01-01

Abstract:Access control vulnerabilities within web applications pose serious security threats to the sensitive information stored at back-end databases. Existing approaches are limited from several aspects, including the coarse granularity at which the access control is modeled, the incapability of handling complex relationship between data entities and the requirement of source code and the specific application platform. In this paper, we present an automated black-box technique for identifying a broad range of access control vulnerabilities, which can be applied to applications that are developed using different languages and platforms. We model the access control policy based on a novel virtual SQL query concept, which captures both the database access operations (i.e., through SQL queries) and the post-processing filters within the web application. We leverage a crawler to automatically explore the application and collect execution traces. From the traces, we identify the set of database access operations that are allowed for each role (i.e., role-level policy inference) and extract the constraints over the operation parameters to characterize the relationship between the users and the accessed data (i.e., user-level policy inference). Based on the inferred policy, we construct test inputs to exploit the application for potential access control flaws. We implement a prototype system BATMAN and evaluate it over a set of PHP and JSP web applications. The experiment results demonstrate the effectiveness and accuracy of our approach.

Na Meng,Stefan Nagy,Daphne Yao,Wenjie Zhuang,Gustavo Arango Argoty

DOI: https://doi.org/10.48550/arXiv.1709.09970

2017-09-28

Abstract:Java platform and third-party libraries provide various security features to facilitate secure coding. However, misusing these features can cost tremendous time and effort of developers or cause security vulnerabilities in software. Prior research was focused on the misuse of cryptography and SSL APIs, but did not explore the key fundamental research question: what are the biggest challenges and vulnerabilities in secure coding practices? In this paper, we conducted a comprehensive empirical study on StackOverflow posts to understand developers' concerns on Java secure coding, their programming obstacles, and potential vulnerabilities in their code. We observed that developers have shifted their effort to the usage of authentication and authorization features provided by Spring security--a third-party framework designed to secure enterprise applications. Multiple programming challenges are related to APIs or libraries, including the complicated cross-language data handling of cryptography APIs, and the complex Java-based or XML-based approaches to configure Spring security. More interestingly, we identified security vulnerabilities in the suggested code of accepted answers. The vulnerabilities included using insecure hash functions such as MD5, breaking SSL/TLS security through bypassing certificate validation, and insecurely disabling the default protection against Cross Site Request Forgery (CSRF) attacks. Our findings reveal the insufficiency of secure coding assistance and education, and the gap between security theory and coding practices.

Cryptography and Security

Bofei Chen,Lei Zhang,Xinyou Huang,Yinzhi Cao,Keke Lian,Yuan Zhang,Min Yang

DOI: https://doi.org/10.1109/sp54263.2024.00150

2024-01-01

Abstract:Java Object Injection (JOI) is a severe type of vulnerability affecting Java deserialization, which allows adversaries to inject a well-crafted, serialized object, thus triggering a series of chained internal methods (called gadgets) and then achieving attack consequences such as Remote Code Execution (RCE). Prior works studied the problem of detecting and chaining gadgets for JOI vulnerability using static search for possible gadget chains and dynamic construction of payload via fuzzing. However, prior works face two following challenges: (i) path explosion in static gadget search and (ii) a lack of fine-grained object relations connected via object fields in dynamic payload construction.In this paper, we design and implement a novel Java deserialization gadget detection framework, called JDD. On one hand, JDD solves the static path explosion problem by a bottom-up approach, which first looks for gadget fragments and then chains gadget fragments from sinks to sources. The approach reduces maximum static search time from exponential to polynomial, i.e., from O(eM n ) to O(M 2 n 3 + enM), where n is the number of dynamic function calls in a gadget chain, M is the average number of dynamic function call candidates, and e is the number of entry points. On the other hand, JDD constructs a so-called Injection Object Construction Diagram (IOCD), which models the dataflow dependencies between injection objects’ fields to facilitate dynamic fuzzing. Our evaluation of JDD upon six real-world Java applications reveals 127 zero-day, exploitable gadget chains with six Common Vulnerabilities and Exposures (CVE) identifiers assigned. We also responsibly reported these vulnerabilities to application developers and obtained their acknowledgments and confirmations.

Yulun Wu,Zeliang Yu,Ming Wen,Qiang Li,Deqing Zou,Hai Jin

DOI: https://doi.org/10.1109/icse48619.2023.00095

2023-01-01

Abstract:Modern software systems are increasingly relying on dependencies from the ecosystem. A recent estimation shows that around 35% of an open-source project's code come from its depended libraries. Unfortunately, open-source libraries are often threatened by various vulnerability issues, and the number of disclosed vulnerabilities is increasing steadily over the years. Such vulnerabilities can pose significant security threats to the whole ecosystem, not only to the vulnerable libraries themselves, but also to the corresponding downstream projects. Many Software Composition Analysis (SCA) tools have been proposed, aiming to detect vulnerable libraries or components referring to existing vulnerability databases. However, recent studies report that such tools often generate a large number of false alerts. Particularly, up to 73.3% of the projects depending on vulnerable libraries are actually safe. Aiming to devise more precise tools, understanding the threats of vulnerabilities holistically in the ecosystem is significant, as already performed by a number of existing studies. However, previous researches either analyze at a very coarse granularity (e.g., without analyzing the source code) or are limited by the study scales. This study aims to bridge such gaps. In particular, we collect 44,450 instances of < CVE, upstream, downstream > relations and analyze around 50 million invocations made from downstream to upstream projects to understand the potential threats of upstream vulnerabilities to downstream projects in the Maven ecosystem. Our investigation makes interesting yet significant findings with respect to multiple aspects, including the reachability of vulnerabilities, the complexities of the reachable paths as well as how downstream projects and developers perceive upstream vulnerabilities. We believe such findings can not only provide a holistic understanding towards the threats of upstream vulnerabilities in the Maven ecosystem, but also can guide future researches in this field.

Lijiu Zhang,Qing Gu,Shushen Peng,Xiang Chen,Haigang Zhao,Daoxu Chen

DOI: https://doi.org/10.1109/icsea.2010.85

2010-01-01

Abstract:Finding effective approaches to detect vulnerabilities is important to guarantee the security of Web applications. Web application security issues are mostly related to malicious input data and Web forms are the main interface to input these data. According to the above observation, we propose a novel approach to detect Web application vulnerabilities. In our approach, given a URL, we get a target Web form. After analyzing characteristics of this Web form, we assign a set of test values to each field in this form. Then we propose a method to generate test suites taking the weight of each test value into account. Finally, we execute these test suites and analyze corresponding result based on HTTP response code and response HTML. We implement our approach into a tool called D-WAV and choose several Web applications as benchmarks to conduct empirical studies. Final results show that our approach can automatically and effectively discover Web application vulnerabilities such as cross-site scripting and SQL injection.

Baojiang Cui,Tingting Hou,Baolian Long,Lingling Xu

DOI: https://doi.org/10.1007/978-3-662-49017-4_3

2015-01-01

Abstract:Along with the wide use of web application, XSS vulnerability has become one of the most common security problems and caused many serious losses. In this paper, on the basis of database query language technique, we put forward a static analysis method of XSS defect detection of Java web application by analyzing data flow reversely. This method first converts the JSP file to a Servlet file, and then uses the mock test method to generate calls for all Java code automatically for comprehensive analysis. We get the methods where XSS security defect may occur by big data analysis. Originated from the methods where XSS security defect may occur, we analyze the data flow and program semantic reversely to detect XSS defect by judging whether it can be introduced by user input without filter. Moreover, to trace the taint path and to improve the analysis precision, we put forward bidirectional analysis. Originated from the results of the reverse analysis, we analyze the data flow forward to trace the taint path. These two methods have effectively reduced analyzing tasks which are necessary in forward ways. It was proved by experiments on some open source Java web projects, bidirectional and reverse methods not only improved the efficiency of detection, but also improved the detection accuracy for XSS defect.

Qi Wang,Jianjun Chen,Zheyu Jiang,Run Guo,Ximeng Liu,Chao Zhang,Haixin Duan

DOI: https://doi.org/10.1109/sp54263.2024.00129

2024-01-01

Abstract:Web Application Firewalls (WAFs) are a crucial line of defense against web-based attacks. However, an emerging threat comes from protocol-level evasion vulnerabilities, in which adversaries exploit parsing discrepancies between the WAF HTTP parser and those of web applications to circumvent WAFs. Currently, uncovering these vulnerabilities still depends on manual, ad hoc methods. In this paper, we propose WAF Manis, a novel testing methodology to automatically discover protocol-level evasion vulnerabilities in WAFs. We evaluated WAF Manis against 14 popular WAFs including Cloudflare and ModSecurity and 20 popular web frameworks including Laravel and Spring. In total, we discovered 311 protocol-level evasion cases affecting all tested WAFs and applications. Due to the generic nature of protocol-level evasions, these evasion vulnerabilities do not hinge on specific payload patterns and can transmit any malicious payloads - for instance, SQL injection, XSS, or Log4jShell - to the target websites. We further analyzed these vulnerabilities and identified three primary reasons contributing to WAF evasions. We have reported those identified vulnerabilities to the affected providers and received acknowledgments and bug bounty rewards from Cloudflare WAF, Fortinet WAF, Alibaba Cloud WAF, Huawei Cloud WAF, ModSecurity, Go security Team, and the PHP security team.

Jens Dietrich,Shawn Rasheed,Alexander Jordan,Tim White

DOI: https://doi.org/10.48550/arXiv.2306.05534

2023-10-10

Abstract:Modern software heavily relies on the use of components. Those components are usually published in central repositories, and managed by build systems via dependencies. Due to issues around vulnerabilities, licenses and the propagation of bugs, the study of those dependencies is of utmost importance, and numerous software composition analysis tools have emerged for this purpose. A particular challenge are hidden dependencies that are the result of cloning or shading where code from a component is "inlined", and, in the case of shading, moved to different namespaces. We present a novel approach to detect vulnerable clones in the Maven repository. Our approach is lightweight in that it does not require the creation and maintenance of a custom index. Starting with 29 vulnerabilities with assigned CVEs and proof-of-vulnerability projects, we retrieve over 53k potential vulnerable clones from Maven Central. After running our analysis on this set, we detect 727 confirmed vulnerable clones (86 if versions are aggregated) and synthesize a testable proof-of-vulnerability project for each of those. We demonstrate that existing SCA tools often miss those exposures. At the time of submission those results have led to changes to the entries for six CVEs in the GitHub Security Advisory Database (GHSA) via accepted pull requests, with more pending.

Software Engineering

Qian Wang,Jinan Sun,Chen Wang,Shikun Zhang,Sisi Xuanyuan,Bin Zheng

DOI: https://doi.org/10.1109/bigdatasecurity-hpsc-ids49724.2020.00016

2020-01-01

Abstract:In this paper we review the research progress of the mainstream approaches of detecting access control vulnerabilities and classify them based on the key techniques for web application components. And we compare different detection methods, analyze their advantages and flaws. Then we discuss the experimental results of relevant detection tools for realistic usage. Finally, we summarize the general framework of detection method and provide future research directions in this area.

Davide Corradini,Michele Pasqua,Mariano Ceccato

DOI: https://doi.org/10.48550/arXiv.2301.01261

2023-01-04

Abstract:Mass assignment is one of the most prominent vulnerabilities in RESTful APIs. This vulnerability originates from a misconfiguration in common web frameworks, such that naming convention and automatic binding can be exploited by an attacker to craft malicious requests writing confidential resources and (massively) overriding data, that should be read-only and/or confidential. In this paper, we adopt a black-box testing perspective to automatically detect mass assignment vulnerabilities in RESTful APIs. Execution scenarios are generated purely based on the OpenAPI specification, that lists the available operations and their message format. Clustering is used to group similar operations and reveal read-only fields, the latter are candidate for mass assignment. Then, interaction sequences are automatically generated by instantiating abstract testing templates, trying to exploit the potential vulnerabilities. Finally, test cases are run, and their execution is assessed by a specific oracle, in order to reveal whether the vulnerability could be successfully exploited. The proposed novel approach has been implemented and evaluated on a set of case studies written in different programming languages. The evaluation highlights that the approach is quite effective in detecting seeded vulnerabilities, with a remarkably high accuracy.

Cryptography and Security,Software Engineering

WU Yongxing,CHEN Libo,JIANG Kaida

DOI: https://doi.org/10.11959/j.issn.2096-109x.2022009

2022-01-01

Abstract:Java deserialization vulnerabilities have become a common threat to Java application security nowadays.Finding out the gadget chain determines whether this type of vulnerability can be exploited.Due to the large code space of Java applications and dependent libraries and the polymorphism of Java itself, manual analysis of Java deserialization gadget chains consumes a lot of time and effort and it is highly dependent on the experienced knowledge.Therefore, it is crucial to study how to efficiently and accurately automate the discovery of gadget chains.Java deserialization gadget chain discovery method based on hybrid analysis was proposed.Call graph based on the variable declaration type was constructed, and then the deserialization entry functions that may reach the dangerous functions were screened using the call graph analysis.The screened entry functions were used as the entry point of the hybrid information flow analysis.The hybrid information flow analysis was carried out for both pointer and tainted variables.The tainted objects created implicitly were marked.The tainted information and the pointer information were propagated simultaneously to construct the hybrid information flow graph.The reachability of external taint data propagation to the dangerous function was judged based on the hybrid information flow graph.The corresponding deserialization gadget chain was constructed according to the taint propagation path.The hybrid analysis took into account the efficiency of call graph analysis and the accuracy of hybrid information flow analysis.The corresponding static analysis tool, namely GadgetSearch, was implemented based on the proposed hybrid analysis method.In the experimental evaluation, GadgetSearch had lower false positive and lower false negative than the existing tool GadgetInspector on four datasets of Ysoserial, Marshalsec, Jackson historical CVE, and XStream historical CVE.Additionally, GadgetSearch also found multiple undisclosed gadget chains.The experimental results show that the proposed method can efficiently and accurately discover the Java deserialization gadget chain in multiple practical Java applications.