UChecker: Automatically Detecting PHP-Based Unrestricted File Upload Vulnerabilities

Unrestricted file upload vulnerabilities enable attackers to upload and execute malicious scripts on web servers. We have built a system, called UChecker, to effectively and automatically detect such vulnerabilities in PHP server-side web applications. To this end, UChecker first interprets abstract syntax trees (ASTs) of program source code to perform symbolic execution. It then models vulnerabilities as SMT constraints and uses an SMT solver to check the satisfiability of these constraints. UChecker features a novel vulnerability-oriented locality analysis algorithm that reduces the workload of symbolic execution, an AST-driven symbolic execution engine with compact data structures, and rules that translate PHP-based constraints into SMT-based constraints by mitigating their semantic gaps. Experiments based on real-world examples demonstrate that UChecker achieves high detection accuracy. In addition, it detected three vulnerable PHP scripts that were previously unknown.
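The idea of modeling an upload vulnerability as a satisfiability question can be sketched as follows. This is an added example, not UChecker's code and not taken from the paper: a bounded enumeration over constructed inputs stands in for the SMT solver, and the handler names, input domains and executable-extension set are all assumptions.

```python
"""Added illustration: is there an input that reaches the upload sink AND
leaves a file with an executable extension on disk? Enumeration replaces SMT."""
from itertools import product

# Constructed domains for the two attacker-controlled (symbolic) inputs.
NAMES = ["photo", "report"]
EXTS = ["jpg", "png", "php"]
MIMES = ["image/jpeg", "image/png", "application/x-php"]
IMAGE_MIMES = ("image/jpeg", "image/png")
EXECUTABLE = {"php"}  # assumption: extensions the server passes to PHP

def ext_of(filename):
    """Simplified model of pathinfo($f, PATHINFO_EXTENSION)."""
    return filename.rsplit(".", 1)[1] if "." in filename else ""

# Each hypothetical handler returns the name written by move_uploaded_file(),
# or None when its branch conditions reject the request.
def mime_only(filename, mime):
    # Trusts $_FILES[...]['type'], which the client sets freely.
    return filename if mime in IMAGE_MIMES else None

def whitelist(filename, mime):
    # Allows only known image extensions, compared case-insensitively.
    return filename if ext_of(filename).lower() in ("jpg", "png") else None

def rename(filename, mime):
    # Discards the client-supplied name; the stored extension is fixed.
    return "upload_0001.jpg" if mime in IMAGE_MIMES else None

HANDLERS = {"mime_only": mime_only, "whitelist": whitelist, "rename": rename}

def find_witness(handler):
    """Return (filename, mime) that satisfies path condition AND vulnerability
    constraint, or None when the conjunction is unsatisfiable on this domain."""
    for name, ext, mime in product(NAMES, EXTS, MIMES):
        filename = f"{name}.{ext}"
        stored = handler(filename, mime)           # path condition
        if stored is not None and ext_of(stored).lower() in EXECUTABLE:
            return filename, mime                  # vulnerability constraint
    return None

def scan():
    """Map each handler name to its witness, or None if no witness exists."""
    return {name: find_witness(h) for name, h in HANDLERS.items()}

if __name__ == "__main__":
    for name, witness in scan().items():
        print(name, f"VULNERABLE, witness={witness}" if witness else "ok (unsat)")
```

A witness plays the role of a satisfying model: it is a concrete request that the handler's checks accept while the stored file remains executable, so only `mime_only` is flagged.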
