DOI: 10.1145/3589334.3645530
Research article

RecurScan: Detecting Recurring Vulnerabilities in PHP Web Applications

Published: 13 May 2024

Abstract

Detecting recurring vulnerabilities has become a popular means of static vulnerability detection in recent years because it does not require labor-intensive vulnerability modeling. Recently, a body of work, with HiddenCPG as a representative, has recast the problem of statically identifying recurring vulnerabilities as a subgraph isomorphism problem. More specifically, these approaches represent known vulnerable code as graph-based structures (e.g., PDG or CPG) and then identify subgraphs within target applications that match the vulnerable graphs. However, since these methods are highly sensitive to changes in the code graph, they may miss many recurring vulnerabilities whose code differs only slightly from the known vulnerabilities.
In this paper, we propose a novel approach, RecurScan, which accurately detects recurring vulnerabilities while remaining resilient to code differences. To achieve this, RecurScan builds on security patches and symbolic tracking techniques, detecting recurring vulnerabilities by comparing symbolic expressions and selective constraints between the target applications and the known vulnerabilities. Thanks to this design, RecurScan tolerates the code differences that arise from complex data or control flows within the applications. We evaluated RecurScan on 200 popular PHP web applications using 184 known vulnerability patches. The results show that RecurScan discovered 232 previously unknown vulnerabilities, 174 of which were assigned CVE identifiers, outperforming the state-of-the-art approach (HiddenCPG) by 25.98% in precision and 87.09% in recall.
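The abstract contrasts graph matching, which breaks when the code shape changes, with comparing symbolic expressions and path constraints at the sink. As an added illustration (this is not RecurScan's code, and the paper's actual algorithm is not given on this page), the Python sketch below implements that idea over a constructed PHP-like mini-language: variable definitions are substituted forward until only sources such as $_GET[...] and string literals remain, if-conditions are recorded as path constraints, and a signature is the vulnerable sink expression plus the constraints the security patch added. A target with renamed variables, a split query string and an unrelated guard still resolves to the same sink expression and is reported; the same target carrying the patch's guard is not. The sink name mysql_query, the guard is_numeric and all snippets are constructed sample input.

```python
# Added illustration, not RecurScan's own code: a toy symbolic tracker over a
# PHP-like statement subset, showing why comparing resolved sink expressions and
# path constraints tolerates code differences that break graph matching.
# Supported statement forms (constructed mini-language):
#   $var = <expr>;        expr: $vars, $_GET[...] sources, "literals", joined by '.'
#   if (<cond>) {         guard; cond is recorded as a path constraint until '}'
#   }
#   sink(<expr>);         security-sensitive call
import re

ASSIGN = re.compile(r"^\$(\w+)\s*=\s*(.+);$")
GUARD = re.compile(r"^if\s*\((.+)\)\s*\{$")
CALL = re.compile(r"^(\w+)\((.+)\);$")
# A plain $var reference; superglobal sources such as $_GET['id'] are kept as symbols.
VAR = re.compile(r"\$(\w+)\b(?!\[)")


def resolve(expr, env):
    """Substitute every $var with its already-resolved definition (sources stay symbolic)."""
    return VAR.sub(lambda m: env.get(m.group(1), m.group(0)), expr)


def normalize(expr):
    """Canonical form: drop whitespace outside string literals, merge "a"."b" into "ab"."""
    parts = re.split(r'("[^"]*")', expr)
    expr = "".join(p if p.startswith('"') else re.sub(r"\s+", "", p) for p in parts)
    prev = None
    while prev != expr:
        prev, expr = expr, re.sub(r'"([^"]*)"\."([^"]*)"', r'"\1\2"', expr)
    return expr


def summarize(lines):
    """Walk a snippet and return one (sink, symbolic_argument, constraints) record per sink call."""
    env, guards, sinks = {}, [], []
    for raw in lines:
        line = raw.strip()
        if not line:
            continue
        if m := ASSIGN.match(line):
            env[m.group(1)] = normalize(resolve(m.group(2), env))
        elif m := GUARD.match(line):
            guards.append(normalize(resolve(m.group(1), env)))
        elif line == "}":
            guards.pop()
        elif m := CALL.match(line):
            sinks.append((m.group(1), normalize(resolve(m.group(2), env)), frozenset(guards)))
        else:
            raise ValueError("unsupported statement: " + line)
    return sinks


def signature(vuln_lines, patch_lines):
    """Vulnerability signature: the sink record of the known-vulnerable code plus the
    constraints its security patch added (toy assumption: one sink, fixed by new guards)."""
    [(sink, expr, before)] = summarize(vuln_lines)
    [(_, _, after)] = summarize(patch_lines)
    return sink, expr, after - before


def find_recurring(sig, target_lines):
    """Report sink arguments in the target that resolve to the known vulnerable expression
    while none of the patch-added constraints guards them."""
    sink, expr, fix = sig
    return [t_expr for t_sink, t_expr, t_guards in summarize(target_lines)
            if t_sink == sink and t_expr == expr and not (fix & t_guards)]


# Constructed sample snippets (not taken from any real application).
KNOWN_VULN = [
    "$id = $_GET['id'];",
    '$sql = "SELECT * FROM users WHERE id = " . $id;',
    "mysql_query($sql);",
]
KNOWN_PATCH = [
    "$id = $_GET['id'];",
    "if (is_numeric($id)) {",
    '$sql = "SELECT * FROM users WHERE id = " . $id;',
    "mysql_query($sql);",
    "}",
]
# Same flaw, different shape: renamed variables, split concatenation, an unrelated guard.
TARGET_RECURRING = [
    "$uid = $_GET['id'];",
    '$prefix = "SELECT * FROM users ";',
    '$where = "WHERE id = " . $uid;',
    'if ($uid != "") {',
    "$q = $prefix . $where;",
    "mysql_query($q);",
    "}",
]
# Same shape as above, but carrying the constraint the patch introduced.
TARGET_FIXED = [l.replace('if ($uid != "") {', "if (is_numeric($uid)) {") for l in TARGET_RECURRING]

if __name__ == "__main__":
    sig = signature(KNOWN_VULN, KNOWN_PATCH)
    print("signature:", sig)
    print("recurring target:", find_recurring(sig, TARGET_RECURRING))  # one hit
    print("fixed target:    ", find_recurring(sig, TARGET_FIXED))      # no hits
```

A statement-level or graph-level matcher would see three statements against seven, different variable names and an extra guard; the symbolic form of the sink argument is identical in both, and the decision hinges only on whether the patch's constraint is present on the path to the sink. Real PHP needs far more (inter-procedural tracking, built-in function semantics, sanitizer modelling), which is what the abstract's symbolic tracking stands for.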

Supplemental Material

MP4 File: video presentation
MP4 File: supplemental video



    Published In

    WWW '24: Proceedings of the ACM Web Conference 2024
    May 2024
    4826 pages
    ISBN:9798400701719
    DOI:10.1145/3589334

    Publisher

    Association for Computing Machinery

    New York, NY, United States


    Author Tags

    1. OSS security
    2. recurring vulnerability
    3. web vulnerability

    Funding Sources

    • The Shanghai Pilot Program for Basic Research-Fudan University
    • The Funding of Ministry of Industry and Information Technology of the People's Republic of China
    • National Natural Science Foundation of China
    • The National Key Research and Development Program
    • The Shanghai Rising-Star Program

    Conference

WWW '24: The ACM Web Conference 2024
    May 13 - 17, 2024
    Singapore, Singapore

    Acceptance Rates

    Overall Acceptance Rate 1,899 of 8,196 submissions, 23%
