[go: up one dir, main page]
More Web Proxy on the site http://driver.im/
IEICE Transactions on Fundamentals of Electronics, Communications and Computer Sciences
Online ISSN : 1745-1337
Print ISSN : 0916-8508
Regular Section
DISOV: Discovering Second-Order Vulnerabilities Based on Web Application Property Graph
Anhui Province Key Laboratory of Cyberspace Security Situation Awareness and Evaluation">Yu CHEN Anhui Province Key Laboratory of Cyberspace Security Situation Awareness and Evaluation">Zulie PAN Anhui Province Key Laboratory of Cyberspace Security Situation Awareness and Evaluation">Yuanchao CHEN Anhui Province Key Laboratory of Cyberspace Security Situation Awareness and Evaluation">Yuwei LI
Author information
JOURNAL FREE ACCESS

2023 Volume E106.A Issue 2 Pages 133-145

Details
Abstract

Web application second-order vulnerabilities first inject malicious code into the persistent data stores of the web server and then execute it at later sensitive operations, causing severe impact. Nevertheless, the dynamic features, the complex data propagation, and the inter-state dependencies bring many challenges in discovering such vulnerabilities. To address these challenges, we propose DISOV, a web application property graph (WAPG) based method to discover second-order vulnerabilities. Specifically, DISOV first constructs WAPG to represent data propagation and inter-state dependencies of the web application, which can be further leveraged to find the potential second-order vulnerabilities paths. Then, it leverages fuzz testing to verify the potential vulnerabilities paths. To verify the effectiveness of DISOV, we tested it in 13 popular web applications in real-world and compared with Black Widow, the state-of-the-art web vulnerability scanner. DISOV discovered 43 second-order vulnerabilities, including 23 second-order XSS vulnerabilities, 3 second-order SQL injection vulnerabilities, and 17 second-order RCE vulnerabilities. While Black Widow only discovered 18 second-order XSS vulnerabilities, with none second-order SQL injection vulnerability and second-order RCE vulnerability. In addition, DISOV has found 12 0-day second-order vulnerabilities, demonstrating its effectiveness in practice.

Content from these authors
© 2023 The Institute of Electronics, Information and Communication Engineers
Previous article Next article
feedback
Top