DOI: 10.1145/3301417.3312497

Pythia: Identifying Dangerous Data-flows in Django-based Applications

Published: 25 March 2019

Abstract

Web frameworks that allow developers to create applications based on design patterns such as the Model View Controller (MVC) provide a number of security checks by default. Nevertheless, by using specific constructs, developers may disable these checks, thus re-introducing classic application vulnerabilities such as Cross-site Scripting (XSS) and Cross-Site Request Forgery (CSRF). Framework-specific elements, including (1) the complex nature of these applications, (2) the different features they involve (e.g. templates), and (3) the inheritance mechanisms that govern them, make identifying such issues very difficult.
To tackle this problem, we have developed Pythia, a scheme that analyzes applications based on the Django framework. To identify potentially dangerous data flows that can lead to XSS and CSRF defects, Pythia takes all of the aforementioned elements into account and employs ideas from standard data-flow analysis and taint-tracking schemes. To the best of our knowledge, Pythia is the first mechanism to consider framework-specific elements in its analysis. We have evaluated our scheme with positive results. Specifically, we used Pythia to examine five open-source applications that are currently in production and have thousands of users, including an e-voting service and a web-based translation management system. In four cases we identified dangerous paths that in turn led to vulnerabilities. Notably, in many cases the paths involved the particular features of Django-based applications, e.g. templates.
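As an added illustration of the kind of framework-specific data flow the abstract describes (this is not Pythia's code and not from the paper): a toy checker over a constructed Django view module and its templates. It treats values rooted at `request` as tainted and flags the real Django constructs that switch the default protections off, namely `mark_safe()`, the `|safe` filter, `{% autoescape off %}` and `@csrf_exempt`; it only handles the straight-line assignments and `render()` calls shown here, not template inheritance or class-based views.

```python
import ast
import re
# Constructed Django view module and templates (demo input, not from the paper or Pythia).
VIEW_SRC = '''
@csrf_exempt
def comment(request):
    body = request.POST.get("body", "")
    html = mark_safe(body)  # escaping disabled on request-derived data
    return render(request, "comment.html", {"html": html, "body": body})
def profile(request):
    name = request.GET.get("name", "")
    return render(request, "profile.html", {"name": name, "title": "Profile"})
'''
TEMPLATES = {
    "comment.html": "<p>{{ html }}</p><p>{{ body }}</p>",
    "profile.html": "{% autoescape off %}<h1>{{ name }}</h1>{% endautoescape %}{{ title|safe }}",
}
def rooted_at_request(node):
    """True if an expression is derived from `request` (e.g. request.POST.get(...))."""
    while isinstance(node, (ast.Attribute, ast.Subscript, ast.Call)):
        node = node.func if isinstance(node, ast.Call) else node.value
    return isinstance(node, ast.Name) and node.id == "request"

def unescaped_in(template, var):
    """True if the template renders `var` through |safe or inside {% autoescape off %}."""
    safe = re.search(r"\{\{\s*%s\s*\|\s*safe\b" % re.escape(var), template)
    blocks = re.findall(r"\{%\s*autoescape\s+off\s*%\}(.*?)\{%\s*endautoescape\s*%\}", template, re.S)
    return bool(safe) or any(re.search(r"\{\{\s*%s\s*\}\}" % re.escape(var), b) for b in blocks)

def analyze(src, templates):
    """Flag CSRF-exempt views and request-derived values that reach a template unescaped."""
    findings = []
    for fn in (n for n in ast.walk(ast.parse(src)) if isinstance(n, ast.FunctionDef)):
        if any(isinstance(d, ast.Name) and d.id == "csrf_exempt" for d in fn.decorator_list):
            findings.append(("csrf_exempt", fn.name))
        tainted = {}  # variable name -> True if it was also wrapped in mark_safe()
        for st in ast.walk(fn):  # breadth-first: assignments are seen before the return's render()
            if isinstance(st, ast.Assign) and isinstance(st.targets[0], ast.Name):
                target, val = st.targets[0].id, st.value
                marked = isinstance(val, ast.Call) and getattr(val.func, "id", None) == "mark_safe"
                inner = val.args[0] if marked else val
                if rooted_at_request(inner) or getattr(inner, "id", None) in tainted:
                    tainted[target] = marked or tainted.get(getattr(inner, "id", None), False)
            elif isinstance(st, ast.Call) and getattr(st.func, "id", None) == "render":
                tmpl, ctx = templates[st.args[1].value], st.args[2]
                for key, val in zip(ctx.keys, ctx.values):
                    var = getattr(val, "id", None)
                    if var in tainted and (tainted[var] or unescaped_in(tmpl, key.value)):
                        findings.append(("xss", fn.name, key.value))
    return findings
```

Running `analyze(VIEW_SRC, TEMPLATES)` reports the CSRF exemption on `comment`, the `mark_safe` flow into `comment.html`, and `name` rendered inside the `autoescape off` block; the constant `title` passed through `|safe` is not reported because no request data reaches it.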


Published In

EuroSec '19: Proceedings of the 12th European Workshop on Systems Security
March 2019
59 pages
ISBN:9781450362740
DOI:10.1145/3301417

Publisher

Association for Computing Machinery

New York, NY, United States

Author Tags

  1. Application Security
  2. Cross-Site Request Forgery
  3. Cross-site Scripting
  4. Data-flow Analysis
  5. Django
  6. Templates
  7. Unsanitized Output

Qualifiers

  • Research-article
  • Research
  • Refereed limited

Funding Sources

  • European Commission, HORIZON 2020

Conference

EuroSys '19
Sponsor:
EuroSys '19: Fourteenth EuroSys Conference 2019
March 25 - 28, 2019
Dresden, Germany

Acceptance Rates

EuroSec '19 Paper Acceptance Rate 9 of 25 submissions, 36%;
Overall Acceptance Rate 47 of 113 submissions, 42%
