UFuzzer: Lightweight Detection of PHP-based unrestricted file upload vulnerabilities via static-fuzzing co-analysis

Jin Huang, Junjie Zhang, Jialun Liu, Chuang Li, Rui Dai

Research output: Chapter in Book/Report/Conference proceeding › Conference contribution

Abstract

Unrestricted file upload vulnerabilities enable attackers to upload malicious scripts to a web server for later execution. We have built a system, named UFuzzer, to effectively and automatically detect such vulnerabilities in PHP-based server-side web programs. Unlike existing detection methods that use either static program analysis or fuzzing, UFuzzer integrates both (i.e., static-fuzzing co-analysis). Specifically, it leverages static program analysis to generate executable code templates that compactly and effectively summarize the vulnerability-relevant semantics of a server-side web application. UFuzzer then "fuzzes" these templates in a local, native PHP runtime environment for vulnerability detection. Compared to static-analysis-based methods, UFuzzer preserves the semantics of an analyzed program more effectively, resulting in higher detection performance. Unlike fuzzing-based methods, UFuzzer exercises each generated code template locally, thereby reducing the analysis overhead while eliminating the need to operate web services. Experiments using real-world data have demonstrated that UFuzzer outperforms existing methods in efficiency, accuracy, or both. In addition, it has detected 31 unknown vulnerable PHP scripts, including 5 CVEs.

Original language: English
Title of host publication: RAID '21: Proceedings of the 24th International Symposium on Research in Attacks, Intrusions and Defenses
Publisher: Association for Computing Machinery
Pages: 78-90
Number of pages: 13
ISBN (Electronic): 9781450390583
DOIs
State: Published - Oct 7 2021
Event: 24th International Symposium on Research in Attacks, Intrusions and Defenses - Donostia-San Sebastián, Spain
Duration: Oct 6 2021 to Oct 8 2021
Conference number: 24

Conference

Conference: 24th International Symposium on Research in Attacks, Intrusions and Defenses
Abbreviated title: RAID 2021
Country/Territory: Spain
City: Donostia-San Sebastián
Period: 10/6/21 to 10/8/21
Other: Offered as a hybrid conference.

ASJC Scopus Subject Areas

  • Software
  • Human-Computer Interaction
  • Computer Vision and Pattern Recognition
  • Computer Networks and Communications

Keywords

  • detection
  • fuzzing
  • program analysis
  • vulnerability
  • web security

Disciplines

  • Computer Sciences
  • Engineering
