ABSTRACT
In modern websites, stored Cross-Site Scripting (XSS) is the most dangerous form of XSS: the payload is persisted in the web system and is triggered directly when a victim loads the affected page. Since the database (DB) is the most common storage medium for website data, it is also the most common place where stored XSS originates. Because of the modularity of modern programming architectures, the complex underlying database operations are usually encapsulated and abstracted as a Data Access Layer (DAL) that provides unified data access services to the business layer. The heavy use of Object-Oriented (OO) and dynamic language features in this encapsulation makes it increasingly difficult for static taint analysis tools to understand how tainted data flows between the source code and the exact locations (tables and columns) in the database.
In this paper, we propose the first static analysis framework for detecting stored XSS in modern web applications that use a DAL, and implement a prototype, Splendor, for PHP code analysis. The central contribution of the framework is a heuristic but precise token-matching method that locates the flows of tainted data between the database and the source code. The precision of the identified DB read and write (R/W) locations is 91.3% and 82.6%, respectively. With the identified R/W locations, the otherwise disconnected taint paths (source to DB write, DB read to sink) can be statically stitched into a complete taint propagation path for stored XSS. Comparisons with existing work on 5 real-world applications and large-scale experiments on PHP web applications from GitHub show that Splendor significantly outperforms both state-of-the-art static and dynamic approaches in stored-XSS detection, and it detected 17 zero-day vulnerabilities.
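The abstract describes stitching two disconnected taint paths (source to DB write, DB read to sink) by matching the table and column tokens at the DAL call sites. The following is an added illustration of that idea written for this page; it is not code from the Splendor prototype, whose token-matching method is considerably more elaborate. The method-chained DAL syntax (`->table(...)->insert([...])`, `->select(...)`), the PHP fragments, and the helper names are all constructed assumptions for the example.

```python
"""
Toy stitching of a stored-XSS taint path across a database boundary by
matching (table, column) tokens at DAL write and read sites.
Example code for this page, not the Splendor implementation. The DAL
syntax it parses and the PHP fragments below are constructed assumptions.
"""
import re
from dataclasses import dataclass

# Constructed PHP fragments (not taken from any real project).
# Write side: untrusted input persisted through a method-chained DAL call.
WRITE_SIDE = r"""
$content = $_POST['content'];
$db->table('comment')->insert(['author' => $name, 'content' => $content]);
"""
# Read side: the same column is read back and echoed without escaping.
READ_SIDE = r"""
$rows = $db->table('comment')->where('id', $id)->select('content');
echo $rows[0]['content'];
"""

@dataclass(frozen=True)
class DbAccess:
    kind: str          # 'write' or 'read'
    table: str
    columns: frozenset # column tokens seen at this call site
    line: str

TABLE_RE = re.compile(r"->table\('([A-Za-z_]\w*)'\)")
INSERT_RE = re.compile(r"->insert\(\[(.*?)\]\)")
SELECT_RE = re.compile(r"->select\(([^)]*)\)")
KEY_RE = re.compile(r"'(\w+)'\s*=>")
STR_RE = re.compile(r"'(\w+)'")
PAIR_RE = re.compile(r"'(\w+)'\s*=>\s*([^,\]]+)")
SOURCE_RE = re.compile(r"\$(\w+)\s*=\s*\$_(?:POST|GET|REQUEST)\[")
ECHO_RE = re.compile(r"echo\s+\$\w+(?:\[[^\]]*\])*\['(\w+)'\]")

def extract_db_accesses(php: str) -> list:
    """Heuristically pull table and column tokens out of DAL method chains."""
    found = []
    for line in php.splitlines():
        t = TABLE_RE.search(line)
        if not t:
            continue
        table = t.group(1)
        ins = INSERT_RE.search(line)
        if ins:
            found.append(DbAccess('write', table,
                                  frozenset(KEY_RE.findall(ins.group(1))), line.strip()))
        sel = SELECT_RE.search(line)
        if sel:
            found.append(DbAccess('read', table,
                                  frozenset(STR_RE.findall(sel.group(1))), line.strip()))
    return found

def tainted_write_columns(php: str) -> dict:
    """(table, column) -> write line, for columns that receive tainted input."""
    taint = set(SOURCE_RE.findall(php))   # variables assigned from $_POST/$_GET
    out = {}
    for acc in extract_db_accesses(php):
        if acc.kind != 'write':
            continue
        for key, expr in PAIR_RE.findall(INSERT_RE.search(acc.line).group(1)):
            if any(re.search(rf"\${v}\b", expr) for v in taint):
                out[(acc.table, key)] = acc.line
    return out

def echoed_read_columns(php: str) -> dict:
    """(table, column) -> (read line, sink line), for columns read then echoed."""
    reads = [a for a in extract_db_accesses(php) if a.kind == 'read']
    out = {}
    for line in php.splitlines():
        m = ECHO_RE.search(line)
        if not m:
            continue
        for r in reads:
            if m.group(1) in r.columns:
                out[(r.table, m.group(1))] = (r.line, line.strip())
    return out

def stitch(write_php: str, read_php: str) -> list:
    """Join write-side and read-side partial paths on shared (table, column) tokens."""
    writes = tainted_write_columns(write_php)
    reads = echoed_read_columns(read_php)
    paths = []
    for table, col in sorted(set(writes) & set(reads)):
        read_line, sink_line = reads[(table, col)]
        paths.append({'table': table, 'column': col,
                      'write': writes[(table, col)], 'read': read_line, 'sink': sink_line})
    return paths

if __name__ == '__main__':
    for p in stitch(WRITE_SIDE, READ_SIDE):
        print(f"stored XSS via {p['table']}.{p['column']}:\n  {p['write']}\n  {p['read']}\n  {p['sink']}")
```

Only the `content` column is reported: `author` is written from `$name`, which is never assigned from a request parameter in the fragment, so the write-side path for it does not start at a source. Real DALs also reach tables through variables, configuration, ORM model classes and dynamic method names, which is exactly where a purely lexical matcher like this one loses precision.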
Splendor: Static Detection of Stored XSS in Modern Web Applications