ESP: path-sensitive program verification in polynomial time
PLDI '02 Proceedings of the ACM SIGPLAN 2002 Conference on Programming language design and implementation
Improving web application testing with user session data
Proceedings of the 25th International Conference on Software Engineering
Preventing SQL injection attacks using AMNESIA
Proceedings of the 28th international conference on Software engineering
Saturn: A scalable framework for error detection using Boolean satisfiability
ACM Transactions on Programming Languages and Systems (TOPLAS) - Special issue on POPL 2005
Sound and precise analysis of web applications for injection vulnerabilities
Proceedings of the 2007 ACM SIGPLAN conference on Programming language design and implementation
Finding bugs in dynamic web applications
ISSTA '08 Proceedings of the 2008 international symposium on Software testing and analysis
TAJ: effective taint analysis of web applications
Proceedings of the 2009 ACM SIGPLAN conference on Programming language design and implementation
HAMPI: a solver for string constraints
Proceedings of the eighteenth international symposium on Software testing and analysis
Precise interface identification to improve testing and analysis of web applications
Proceedings of the eighteenth international symposium on Software testing and analysis
Automated security testing of web widget interactions
Proceedings of the 7th joint meeting of the European software engineering conference and the ACM SIGSOFT symposium on The foundations of software engineering
Blueprint: Robust Prevention of Cross-site Scripting Attacks for Existing Browsers
SP '09 Proceedings of the 2009 30th IEEE Symposium on Security and Privacy
Regular expressions considered harmful in client-side XSS filters
Proceedings of the 19th international conference on World wide web
A Symbolic Execution Framework for JavaScript
SP '10 Proceedings of the 2010 IEEE Symposium on Security and Privacy
Solving string constraints lazily
Proceedings of the IEEE/ACM international conference on Automated software engineering
Patching vulnerabilities with sanitization synthesis
Proceedings of the 33rd International Conference on Software Engineering
Path- and index-sensitive string analysis based on monadic second-order logic
Proceedings of the 2011 International Symposium on Software Testing and Analysis
Static detection of access control vulnerabilities in web applications
SEC'11 Proceedings of the 20th USENIX conference on Security
String abstractions for string verification
Proceedings of the 18th international SPIN conference on Model checking software
WAPTEC: whitebox analysis of web applications for parameter tampering exploit construction
Proceedings of the 18th ACM conference on Computer and communications security
SCRIPTGARD: automatic context-sensitive sanitization for large-scale legacy web applications
Proceedings of the 18th ACM conference on Computer and communications security
Symbolic finite state transducers: algorithms and applications
POPL '12 Proceedings of the 39th annual ACM SIGPLAN-SIGACT symposium on Principles of programming languages
Proceedings of the 2012 International Symposium on Software Testing and Analysis
Automated repair of HTML generation errors in PHP applications using string constraint solving
Proceedings of the 34th International Conference on Software Engineering
Static detection of resource contention problems in server-side scripts
Proceedings of the 34th International Conference on Software Engineering
Z3-str: a z3-based string solver for web application analysis
Proceedings of the 2013 9th Joint Meeting on Foundations of Software Engineering
Remote code execution (RCE) attacks are one of the most prominent security threats for web applications. RCE is a special kind of cross-site scripting (XSS) attack that allows client inputs to be stored and executed as server-side scripts. RCE attacks often require coordination of multiple requests and manipulation of string and non-string inputs from the client side to nullify the access control protocol and induce unusual execution paths on the server side. We propose a path- and context-sensitive interprocedural analysis to detect RCE vulnerabilities. The analysis features a novel way of analyzing both the string and non-string behavior of a web application in a path-sensitive fashion. It thoroughly handles the practical challenges entailed by modeling RCE attacks. We develop a prototype system and evaluate it on ten real-world PHP applications. We have identified 21 true RCE vulnerabilities, 8 of which were previously unreported.