Splendor: Static Detection of Stored XSS in Modern Web Applications
Authors: 
He Su, Feng Li, Lili Xu, Wenbo Hu, Yujie Sun, Qing Sun, Huina Chao, Wei HuoAuthors Info & Claims
He Su, Feng Li, Lili Xu, Wenbo Hu, Yujie Sun, Qing Sun, Huina Chao, Wei HuoAuthors Info & ClaimsPages 1043 - 1054
Abstract
In modern websites, stored Cross-Site Scripting (XSS) is the most dangerous XSS vulnerability, which can store payloads in the web system and be triggered directly by the victim. Database (DB) as the most commonly used storage medium for data on websites is therefore also the most common place where stored XSS occurs. Due to the modularity of modern programming architectures, the complex underlying database operations will often be encapsulated and abstracted as a Data Access Layer (DAL) to provide unified data access services to the business layer. The heavy use of Object-Oriented (OO) and dynamic language features involved in the encapsulation makes it increasingly challenging for static taint analysis tools to understand how tainted data flows between the source code and the exact locations in database.
In this paper, we propose the first static analysis framework for detecting stored XSS in modern web applications using DAL and implement a prototype Splendor for PHP code analysis. The highlight in the framework is the design of a heuristic but precise token-matching method to locate the flows of taint data between database and source code. The precisions of the identified DB read and write (R/W) locations are 91.3% and 82.6%, respectively. With the identified R/W locations, the disconnected taint paths can be statically stitched to obtain a complete taint propagation path of stored XSS. Comparisons with existing works on 5 real-world applications and large-scale experiments on PHP web applications in Github show that Splendor significantly outperforms both the state-of-the-art static and dynamic approaches on stored-XSS detection, and detects 17 zero-day vulnerabilities.
References
[1]
Awesome CMS. https://github.com/postlight/awesome-cms.
[2]
Catfish. https://github.com/xwlrbh/Catfish.
[3]
Data Access Layer. https://en.wikipedia.org/wiki/Data_access_layer.
[4]
Gremlin. https://tinkerpop.apache.org/gremlin.html.
[5]
How to use Method Chaining in PHP. https://programmingdive.com/how-to-use-method-chaining-in-php/.
[6]
MySQL Documentation. https://dev.mysql.com/doc/refman/8.0/en/string-types.html.
[7]
Neo4j. http://www.neo4j.com.
[8]
osCommerce. https://www.oscommerce.com/.
[9]
PHP built-in functions. https://www.php.net/manual/en/indexes.functions.php.
[10]
PunBB. https://punbb.informer.com/.
[11]
SPLENDOR’s data. https://github.com/splendor-pro/data.
[12]
SPLENDOR’s source code. https://github.com/splendor-pro/splendor.
[13]
ThinkPHP. https://github.com/top-think.
[14]
Usage statistics of content management systems. https://w3techs.com/technologies/overview/content_management.
[15]
Usage statistics of server-side programming languages for websites. https://w3techs.com/technologies/overview/programming_language.
[16]
WP Google Review Slider. https://wordpress.org/plugins/wp-google-places-review-slider/.
[17]
Alhuzali, A., Gjomemo, R., Eshete, B., and Venkatakrishnan, V. NAVEX: Precise and scalable exploit generation for dynamic web applications. In 27th USENIX Security Symposium (USENIX Security 18) (2018), pp. 377–392.
[18]
Anagandula, K., and Zavarsky, P. An Analysis of Effectiveness of Black-Box Web Application Scanners in Detection of Stored SQL Injection and Stored XSS Vulnerabilities. In 2020 3rd International Conference on Data Intelligence and Security (ICDIS) (2020), pp. 40–48.
[19]
Avancini, A., and Ceccato, M. Circe: A grammar-based oracle for testing cross-site scripting in web applications. In 20th Working Conference on Reverse Engineering, WCRE 2013, Koblenz, Germany, October 14-17, 2013 (2013), R. Lämmel, R. Oliveto, and R. Robbes, Eds., IEEE Computer Society, pp. 262–271.
[20]
Backes, M., Rieck, K., Skoruppa, M., Stock, B., and Yamaguchi, F. Efficient and flexible discovery of PHP application vulnerabilities. In 2017 IEEE European Symposium on Security and Privacy (2017), pp. 334–349.
[21]
Castro, E., Alcaide, A., Orfila, A., and Alís, J. B. A multi-agent scanner to detect stored-XSS vulnerabilities. 2010 International Conference for Internet Technology and Secured Transactions (2010), 1–6.
[22]
Dahse, J., and Holz, T. Simulation of built-in PHP features for precise static code analysis. In 21st Annual Network and Distributed System Security Symposium, NDSS 2014, San Diego, California, USA, February 23-26, 2014 (2014).
[23]
Dahse, J., and Holz, T. Static Detection of Second-Order Vulnerabilities in Web Applications. In Proceedings of the 23rd USENIX Security Symposium, San Diego, CA, USA, August 20-22, 2014 (2014), K. Fu and J. Jung, Eds., pp. 989–1003.
[24]
Eriksson, B., Pellegrino, G., and Sabelfeld, A. Black Widow: Blackbox Data-driven Web Scanning. pp. 1125–1142.
[25]
Fang, Y., Li, Y., Liu, L., and Huang, C. DeepXSS: Cross Site Scripting Detection Based on Deep Learning. In International Conference on Computing and Artificial Intelligence (2018).
[26]
Gupta, M. K., Govil, M. C., and Singh, G. Text-mining based predictive model to detect XSS vulnerable files in web applications. In 2015 Annual IEEE India Conference (INDICON) (2015), pp. 1–6.
[27]
Hannousse, A., Yahiouche, S., and Nait-Hamoud, M. C. Twenty-two years since revealing cross-site scripting attacks: a systematic mapping and a comprehensive survey. ArXiv abs/2205.08425 (2022).
[28]
Heiderich, M., Schwenk, J., Frosch, T., Magazinius, J., and Yang, E. Z. MXSS Attacks: Attacking Well-Secured Web-Applications by Using InnerHTML Mutations. In Proceedings of the 2013 ACM SIGSAC Conference on Computer Communications Security (New York, NY, USA, 2013), CCS ’13, Association for Computing Machinery, pp. 777–788.
[29]
Jovanovic, N., Krügel, C., and Kirda, E. Pixy: a static analysis tool for detecting web application vulnerabilities. 2006 IEEE Symposium on Security and Privacy (S&P’06) (2006), 6 pp.–263.
[30]
Khazal, I. F., and Hussain, M. A. Server Side Method to Detect and Prevent Stored XSS Attack. vol. 17.
[31]
Li, C., Wang, Y., Miao, C., and Huang, C. Cross-Site Scripting Guardian: A Static XSS Detector Based on Data Stream Input-Output Association Mining. Applied Sciences 10, 14 (2020).
[32]
Li, D., Lyu, Y., Wan, M., and Halfond, W. G. J. String analysis for Java and Android applications. In Proceedings of the 2015 10th Joint Meeting on Foundations of Software Engineering, ESEC/FSE 2015, Bergamo, Italy, August 30 - September 4, 2015 (2015), ACM, pp. 661–672.
[33]
Luo, C., Li, P., and Meng, W. TChecker: Precise Static Inter-Procedural Analysis for Detecting Taint-Style Vulnerabilities in PHP Applications. In Proceedings of the 2022 ACM SIGSAC Conference on Computer and Communications Security (2022), CCS ’22, pp. 2175–2188.
[34]
Lv, C., Zhang, L., Zeng, F., and Zhang, J. Adaptive random testing for XSS vulnerability. In 26th Asia-Pacific Software Engineering Conference, APSEC 2019, Putrajaya, Malaysia, December 2-5, 2019 (2019), IEEE, pp. 63–69.
[35]
McAllister, S., Kirda, E., and Krügel, C. Leveraging user interactions for in-depth testing of web applications. In International Symposium on Recent Advances in Intrusion Detection (2008).
[36]
Mohammadi, M., Chu, B., and Lipford, H. R. Detecting cross-site scripting vulnerabilities through automated unit testing. In 2017 IEEE International Conference on Software Quality, Reliability and Security (QRS) (2017), pp. 364–373.
[37]
Olivo, O., Dillig, I., and Lin, C. Detecting and Exploiting Second Order Denial-of-Service Vulnerabilities in Web Applications. In Proceedings of the 22nd ACM SIGSAC Conference on Computer and Communications Security, Denver, CO, USA, October 12-16, 2015 (2015), I. Ray, N. Li, and C. Kruegel, Eds., ACM, pp. 616–628.
[38]
Shar, L. K., and Tan, H. B. K. Auditing the XSS defence features implemented in web application programs. IET Softw. 6 (2012), 377–390.
[39]
Shar, L. K., and Tan, H. B. K. Predicting SQL injection and cross site scripting vulnerabilities through mining input sanitization patterns. Inf. Softw. Technol. 55, 10 (2013), 1767–1780.
[40]
Su, H., Xu, L., Chao, H., Li, F., Yuan, Z., Zhou, J., and Huo, W. A Sanitizer-centric Analysis to Detect Cross-Site Scripting in PHP Programs. In 2022 IEEE 33rd International Symposium on Software Reliability Engineering (ISSRE) (2022), pp. 355–365.
[41]
Vernotte, A., Dadeau, F., Lebeau, F., Legeard, B., Peureux, F., and Piat, F. Efficient detection of multi-step cross-site scripting vulnerabilities. In International Conferences on Information Science and System (2014).
[42]
Wang, Y., Li, Z., and Guo, T. Program Slicing Stored XSS Bugs in Web Application. In 2011 Fifth International Conference on Theoretical Aspects of Software Engineering (2011), pp. 191–194.
[43]
Yamaguchi, F., Golde, N., Arp, D., and Rieck, K. Modeling and discovering vulnerabilities with code property graphs. In 2014 IEEE Symposium on Security and Privacy (May 2014), pp. 590–604.
Index Terms
- Splendor: Static Detection of Stored XSS in Modern Web Applications
Recommendations
A Survey on XSS Attack Detection and Prevention in Web Applications
ICMLC '20: Proceedings of the 2020 12th International Conference on Machine Learning and ComputingWith the popularity of web technology, web applications become more increasingly vulnerable and are exposed to malicious attacks. Cross Site Scripting(XSS) is a typical attack in web applications. When a vulnerability is exploited, an attacker may ...
Static analysis for detecting taint-style vulnerabilities in web applications
The number and the importance of web applications have increased rapidly over the last years. At the same time, the quantity and impact of security vulnerabilities in such applications have grown as well. Since manual code reviews are time-consuming, ...
Information Theoretic XSS Attack Detection in Web Applications
Cross-Site Scripting (XSS) has been ranked among the top three vulnerabilities over the last few years. XSS vulnerability allows an attacker to inject arbitrary JavaScript code that can be executed in the victim's browser to cause unwanted behaviors and ...
Comments
Information & Contributors
Information
Published In
July 2023
1554 pages
Copyright © 2023 ACM.
Permission to make digital or hard copies of all or part of this work for personal or classroom use is granted without fee provided that copies are not made or distributed for profit or commercial advantage and that copies bear this notice and the full citation on the first page. Copyrights for components of this work owned by others than the author(s) must be honored. Abstracting with credit is permitted. To copy otherwise, or republish, to post on servers or to redistribute to lists, requires prior specific permission and/or a fee. Request permissions from [email protected].
Sponsors
Publisher
Association for Computing Machinery
New York, NY, United States
Publication History
Published: 13 July 2023
Check for updates
Author Tags
Qualifiers
- Research-article
Conference
ISSTA '23
Sponsor:
ISSTA '23: 32nd ACM SIGSOFT International Symposium on Software Testing and Analysis
July 17 - 21, 2023
WA, Seattle, USA
Acceptance Rates
Overall Acceptance Rate 58 of 213 submissions, 27%
Upcoming Conference
ISSTA '25
- Sponsor:
- sigsoft
Contributors
Other Metrics
Bibliometrics & Citations
Bibliometrics
Article Metrics
- 0Total Citations
- 319Total Downloads
- Downloads (Last 12 months)202
- Downloads (Last 6 weeks)23
Reflects downloads up to 25 Dec 2024
Other Metrics
Citations
View Options
Login options
Check if you have access through your login credentials or your institution to get full access on this article.
Sign in