DOI: 10.1145/3597926.3598116

Splendor: Static Detection of Stored XSS in Modern Web Applications

Published: 13 July 2023

Abstract

In modern websites, stored Cross-Site Scripting (XSS) is the most dangerous form of XSS: the payload is persisted inside the web system and executes as soon as a victim loads the affected page, with no crafted link required as in reflected XSS. The database (DB), being the most common storage medium for website data, is therefore also the most common place where stored XSS originates. Because modern programming architectures are modular, the complex underlying database operations are usually encapsulated and abstracted into a Data Access Layer (DAL) that provides unified data access services to the business layer. The heavy use of Object-Oriented (OO) and dynamic language features in that encapsulation makes it increasingly hard for static taint analysis tools to understand how tainted data flows between the source code and the exact locations in the database.
In this paper, we propose the first static analysis framework for detecting stored XSS in modern web applications that use a DAL, and implement a prototype, Splendor, for PHP code analysis. The core of the framework is a heuristic but precise token-matching method that locates where taint data flows between the database and the source code: the identified DB read and write (R/W) locations have precisions of 91.3% and 82.6%, respectively. With the identified R/W locations, the taint path that is otherwise cut at the database boundary (request handler to DB write, DB read to page output) can be statically stitched into a complete taint propagation path for stored XSS. Comparisons with existing work on 5 real-world applications and large-scale experiments on PHP web applications from GitHub show that Splendor significantly outperforms both state-of-the-art static and dynamic approaches at stored-XSS detection, and it detected 17 zero-day vulnerabilities.
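The write-then-read pattern the abstract describes, stitched across files by matching DAL table/column tokens, as an added example in Python. This is not Splendor's code and not from the paper: the PHP sources are constructed samples, the Db::table(...)->insert()/->select() method names are assumed ThinkPHP-style DAL names, the sanitizer list is a placeholder, and the regex "parser" is deliberately minimal where a real tool would work on an AST or code property graph.

```python
"""Toy stitcher for stored-XSS taint paths that cross a Data Access Layer.

Added illustration, not Splendor's code. Locate DB write and read locations
in method-chained DAL calls by matching table/column tokens, then stitch the
request-side path (superglobal -> DAL insert) to the response-side path
(DAL select -> echo). PHP samples are constructed; DAL names are assumed.
"""
from __future__ import annotations

import re
from dataclasses import dataclass

# Constructed sample: a comment form persisted via a DAL and rendered later.
SAMPLE_PHP = {
    "comment_post.php": r"""<?php
$body = $_POST['body'];
$clean = htmlspecialchars($_POST['author']);
Db::table('comments')->insert(['author' => $clean, 'body' => $body]);
""",
    "comment_view.php": r"""<?php
$rows = Db::table('comments')->where('post_id', $id)->select();
foreach ($rows as $row) {
    echo $row['author'];
    echo $row['body'];
}
""",
    # Tainted write to a table nobody echoes: a write location, not a bug.
    "unrelated.php": r"""<?php
Db::table('settings')->insert(['body' => $_GET['b']]);
""",
}

TAINT_SOURCES = ("$_GET", "$_POST", "$_REQUEST", "$_COOKIE")
SANITIZERS = ("htmlspecialchars", "htmlentities")  # assumed sanitizer set

CHAIN = r"(?:->\w+\([^)]*\))*"  # intermediate chained calls such as ->where(...)
WRITE_RE = re.compile(r"Db::table\('(\w+)'\)" + CHAIN + r"->insert\(\[(.*?)\]\)", re.S)
READ_RE = re.compile(r"\$(\w+)\s*=\s*Db::table\('(\w+)'\)" + CHAIN + r"->(?:select|find)\(\)")
ASSIGN_RE = re.compile(r"^\s*\$(\w+)\s*=\s*(.+?);\s*$", re.M)
PAIR_RE = re.compile(r"'(\w+)'\s*=>\s*([^,]+)")  # 'column' => expr inside insert([...])
FOREACH_RE = re.compile(r"foreach\s*\(\s*\$(\w+)\s+as\s+\$(\w+)\s*\)")
ECHO_RE = re.compile(r"echo\s+\$(\w+)\['(\w+)'\]")  # echo of a raw row field


@dataclass(frozen=True)
class TaintPath:
    table: str
    column: str
    write_file: str
    read_file: str


def _expr_is_tainted(expr: str, tainted: set[str]) -> bool:
    expr = expr.strip()
    if any(f + "(" in expr for f in SANITIZERS):
        return False
    if any(s in expr for s in TAINT_SOURCES):
        return True
    return any(expr == "$" + v for v in tainted)


def tainted_vars(php: str) -> set[str]:
    """Flow-insensitive, intra-file: variables assigned straight from a request
    superglobal with no sanitizer call in the expression."""
    return {v for v, e in ASSIGN_RE.findall(php) if _expr_is_tainted(e, set())}


def db_writes(php: str) -> set[tuple[str, str]]:
    """(table, column) pairs that receive tainted data through DAL insert()."""
    tainted = tainted_vars(php)
    return {(table, col)
            for table, pairs in WRITE_RE.findall(php)
            for col, expr in PAIR_RE.findall(pairs)
            if _expr_is_tainted(expr, tainted)}


def echo_sinks(php: str) -> set[tuple[str, str]]:
    """(table, column) pairs echoed raw, resolving foreach aliases from the DAL
    result variable to the per-row variable. Any wrapper around the field
    (e.g. htmlspecialchars($row['body'])) fails ECHO_RE and is not a sink."""
    reads = {var: table for var, table in READ_RE.findall(php)}
    alias = {row: reads[coll] for coll, row in FOREACH_RE.findall(php) if coll in reads}
    alias.update(reads)  # find() returns a single row that is used without foreach
    return {(alias[var], col) for var, col in ECHO_RE.findall(php) if var in alias}


def stitch(files: dict[str, str]) -> list[TaintPath]:
    """Join every tainted write with every raw echo of the same (table, column)
    token pair, across files, into one stored-XSS propagation path."""
    writes = {key: f for f, php in files.items() for key in db_writes(php)}
    paths = [TaintPath(t, c, writes[(t, c)], f)
             for f, php in files.items()
             for (t, c) in sorted(echo_sinks(php)) if (t, c) in writes]
    return sorted(paths, key=lambda p: (p.table, p.column, p.read_file))


if __name__ == "__main__":
    for p in stitch(SAMPLE_PHP):
        print(f"stored XSS: {p.write_file} writes {p.table}.{p.column}, "
              f"{p.read_file} echoes it unescaped")
```

Running it reports the single true path (comments.body, written in comment_post.php and echoed raw in comment_view.php). The author column is not reported because the sanitizer sits on the write side, and settings.body is not reported because nothing reads it back into HTML. The R/W location step is exactly where the abstract's 91.3%/82.6% precision figures apply: a mislocated write or read either breaks a real path or stitches a spurious one, which is why token matching has to be precise before stitching is useful.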


    Published In

    ISSTA 2023: Proceedings of the 32nd ACM SIGSOFT International Symposium on Software Testing and Analysis, July 2023, 1554 pages. ISBN: 9798400702211. DOI: 10.1145/3597926.

    Permission to make digital or hard copies of all or part of this work for personal or classroom use is granted without fee provided that copies are not made or distributed for profit or commercial advantage and that copies bear this notice and the full citation on the first page. Copyrights for components of this work owned by others than the author(s) must be honored. Abstracting with credit is permitted. To copy otherwise, or republish, to post on servers or to redistribute to lists, requires prior specific permission and/or a fee. Request permissions from [email protected].

    Publisher

    Association for Computing Machinery, New York, NY, United States

    Author Tags

    1. Static Taint Analysis
    2. Stored XSS
    3. Vulnerability Detection
    4. Web Application Security

    Qualifiers

    • Research-article

    Conference

    ISSTA '23

    Acceptance Rates

    Overall Acceptance Rate 58 of 213 submissions, 27%
