Abstract
Unrestricted file upload vulnerabilities enable attackers to upload malicious scripts to a web server for later execution. We have built a system, namely UFuzzer, to effectively and automatically detect such vulnerabilities in PHP-based server-side web programs. Different from existing detection methods that use either static program analysis or fuzzing, UFuzzer integrates both (i.e., static-fuzzing co-analysis). Specifically, it leverages static program analysis to generate executable code templates that compactly and effectively summarize the vulnerability-relevant semantics of a server-side web application. UFuzzer then "fuzzes" these templates in a local, native PHP runtime environment for vulnerability detection. Compared to static-analysis-based methods, UFuzzer preserves the semantics of an analyzed program more effectively, resulting in higher detection performance. Different from fuzzing-based methods, UFuzzer exercises each generated code template locally, thereby reducing the analysis overhead and eliminating the need to operate web services. Experiments using real-world data have demonstrated that UFuzzer outperforms existing methods in efficiency, in accuracy, or in both. In addition, it has detected 31 unknown vulnerable PHP scripts, including 5 CVEs.
Original language | English |
---|---|
Title of host publication | RAID '21: Proceedings of the 24th International Symposium on Research in Attacks, Intrusions and Defenses |
Publisher | Association for Computing Machinery |
Pages | 78-90 |
Number of pages | 13 |
ISBN (Electronic) | 9781450390583 |
DOIs | |
State | Published - Oct 7 2021 |
Event | 24th International Symposium on Research in Attacks, Intrusions and Defenses - Donostia-San Sebastián, Spain; Duration: Oct 6 2021 → Oct 8 2021; Conference number: 24 |
Conference
Conference | 24th International Symposium on Research in Attacks, Intrusions and Defenses |
---|---|
Abbreviated title | RAID 2021 |
Country/Territory | Spain |
City | Donostia-San Sebastián |
Period | 10/6/21 → 10/8/21 |
Other | Offered as a hybrid conference. |
ASJC Scopus Subject Areas
- Software
- Human-Computer Interaction
- Computer Vision and Pattern Recognition
- Computer Networks and Communications
Keywords
- detection
- fuzzing
- program analysis
- vulnerability
- web security
Disciplines
- Computer Sciences
- Engineering