The original paper is in English. Non-English content has been machine-translated and may contain typographical errors or mistranslations. ex. Some numerals are expressed as "XNUMX".
Web application second-order vulnerabilities first inject malicious code into the web server's persistent data stores and then execute it during later sensitive operations, causing severe consequences. However, the dynamic features, complex data propagation, and inter-state dependencies pose many challenges for discovering such vulnerabilities. To address these challenges, we propose DISOV, a web application property graph (WAPG) based method for discovering second-order vulnerabilities. Specifically, DISOV first constructs the WAPG to represent the data propagation and inter-state dependencies of the web application, which can be further leveraged to find potential second-order vulnerability paths. It then uses fuzz testing to verify the potential vulnerability paths. To verify the effectiveness of DISOV, we tested it on 13 popular real-world web applications and compared it with Black Widow, the state-of-the-art web vulnerability scanner. DISOV discovered 43 second-order vulnerabilities, including 23 second-order XSS vulnerabilities, 3 second-order SQL injection vulnerabilities, and 17 second-order RCE vulnerabilities, whereas Black Widow discovered only 18 second-order XSS vulnerabilities and no second-order SQL injection or second-order RCE vulnerabilities. In addition, DISOV discovered 12 0-day second-order vulnerabilities, demonstrating its effectiveness in practice.
Yu CHEN
National University of Defense Technology, the Anhui Province Key Laboratory of Cyberspace Security Situation Awareness and Evaluation
Zulie PAN
National University of Defense Technology, the Anhui Province Key Laboratory of Cyberspace Security Situation Awareness and Evaluation
Yuanchao CHEN
National University of Defense Technology, the Anhui Province Key Laboratory of Cyberspace Security Situation Awareness and Evaluation
Yuwei LI
National University of Defense Technology, the Anhui Province Key Laboratory of Cyberspace Security Situation Awareness and Evaluation
The copyright of the original papers published on this site belongs to IEICE. Unauthorized use of the original or translated papers is prohibited. See IEICE Provisions on Copyright for details.
Yu CHEN, Zulie PAN, Yuanchao CHEN, Yuwei LI, "DISOV: Discovering Second-Order Vulnerabilities Based on Web Application Property Graph" in IEICE TRANSACTIONS on Fundamentals,
vol. E106-A, no. 2, pp. 133-145, February 2023, doi: 10.1587/transfun.2022EAP1045.
Abstract: Web application second-order vulnerabilities first inject malicious code into the persistent data stores of the web server and then execute it at later sensitive operations, causing severe impact. Nevertheless, the dynamic features, the complex data propagation, and the inter-state dependencies bring many challenges in discovering such vulnerabilities. To address these challenges, we propose DISOV, a web application property graph (WAPG) based method to discover second-order vulnerabilities. Specifically, DISOV first constructs WAPG to represent data propagation and inter-state dependencies of the web application, which can be further leveraged to find the potential second-order vulnerabilities paths. Then, it leverages fuzz testing to verify the potential vulnerabilities paths. To verify the effectiveness of DISOV, we tested it in 13 popular web applications in real-world and compared with Black Widow, the state-of-the-art web vulnerability scanner. DISOV discovered 43 second-order vulnerabilities, including 23 second-order XSS vulnerabilities, 3 second-order SQL injection vulnerabilities, and 17 second-order RCE vulnerabilities. While Black Widow only discovered 18 second-order XSS vulnerabilities, with none second-order SQL injection vulnerability and second-order RCE vulnerability. In addition, DISOV has found 12 0-day second-order vulnerabilities, demonstrating its effectiveness in practice.
URL: https://global.ieice.org/en_transactions/fundamentals/10.1587/transfun.2022EAP1045/_p
@ARTICLE{e106-a_2_133,
author={Yu CHEN and Zulie PAN and Yuanchao CHEN and Yuwei LI},
journal={IEICE TRANSACTIONS on Fundamentals},
title={DISOV: Discovering Second-Order Vulnerabilities Based on Web Application Property Graph},
year={2023},
volume={E106-A},
number={2},
pages={133-145},
abstract={Web application second-order vulnerabilities first inject malicious code into the persistent data stores of the web server and then execute it at later sensitive operations, causing severe impact. Nevertheless, the dynamic features, the complex data propagation, and the inter-state dependencies bring many challenges in discovering such vulnerabilities. To address these challenges, we propose DISOV, a web application property graph (WAPG) based method to discover second-order vulnerabilities. Specifically, DISOV first constructs WAPG to represent data propagation and inter-state dependencies of the web application, which can be further leveraged to find the potential second-order vulnerabilities paths. Then, it leverages fuzz testing to verify the potential vulnerabilities paths. To verify the effectiveness of DISOV, we tested it in 13 popular web applications in real-world and compared with Black Widow, the state-of-the-art web vulnerability scanner. DISOV discovered 43 second-order vulnerabilities, including 23 second-order XSS vulnerabilities, 3 second-order SQL injection vulnerabilities, and 17 second-order RCE vulnerabilities. While Black Widow only discovered 18 second-order XSS vulnerabilities, with none second-order SQL injection vulnerability and second-order RCE vulnerability. In addition, DISOV has found 12 0-day second-order vulnerabilities, demonstrating its effectiveness in practice.},
keywords={},
doi={10.1587/transfun.2022EAP1045},
ISSN={1745-1337},
month={February},}
TY - JOUR
TI - DISOV: Discovering Second-Order Vulnerabilities Based on Web Application Property Graph
T2 - IEICE TRANSACTIONS on Fundamentals
SP - 133
EP - 145
AU - Yu CHEN
AU - Zulie PAN
AU - Yuanchao CHEN
AU - Yuwei LI
PY - 2023
DO - 10.1587/transfun.2022EAP1045
JO - IEICE TRANSACTIONS on Fundamentals
SN - 1745-1337
VL - E106-A
IS - 2
JA - IEICE TRANSACTIONS on Fundamentals
Y1 - February 2023
AB - Web application second-order vulnerabilities first inject malicious code into the persistent data stores of the web server and then execute it at later sensitive operations, causing severe impact. Nevertheless, the dynamic features, the complex data propagation, and the inter-state dependencies bring many challenges in discovering such vulnerabilities. To address these challenges, we propose DISOV, a web application property graph (WAPG) based method to discover second-order vulnerabilities. Specifically, DISOV first constructs WAPG to represent data propagation and inter-state dependencies of the web application, which can be further leveraged to find the potential second-order vulnerabilities paths. Then, it leverages fuzz testing to verify the potential vulnerabilities paths. To verify the effectiveness of DISOV, we tested it in 13 popular web applications in real-world and compared with Black Widow, the state-of-the-art web vulnerability scanner. DISOV discovered 43 second-order vulnerabilities, including 23 second-order XSS vulnerabilities, 3 second-order SQL injection vulnerabilities, and 17 second-order RCE vulnerabilities. While Black Widow only discovered 18 second-order XSS vulnerabilities, with none second-order SQL injection vulnerability and second-order RCE vulnerability. In addition, DISOV has found 12 0-day second-order vulnerabilities, demonstrating its effectiveness in practice.
ER -