Publication Date

2021

Document Type

Dissertation/Thesis

Committee Members

Junjie Zhang, Ph.D. (Advisor); Krishnaprasad Thirunarayan, Ph.D. (Committee Member); Michelle Andreen Cheatham, Ph.D. (Committee Member); Phu H. Phung, Ph.D. (Committee Member)

Degree Name

Doctor of Philosophy (PhD)

Abstract

Vulnerable web applications fundamentally undermine website security, since they expose the critical infrastructure and sensitive information behind them to risk. A web application with an unrestricted file upload vulnerability lets an attacker upload a file containing malicious code and later trigger its execution on the server, enabling attacks such as information exfiltration, spamming, phishing, and malware distribution. This dissertation presents our research on building novel frameworks that detect server-side applications vulnerable to unrestricted file upload attacks. We design a model that holistically characterizes both data flow and control flow in a graph-based data structure; this model makes critical program analysis mechanisms, such as static analysis and constraint modeling, straightforward to apply. We build an interpreter that models a web program by symbolically interpreting its abstract syntax tree (AST). Our research has led to three complementary systems that effectively detect unrestricted file upload vulnerabilities. The first, UChecker, uses satisfiability modulo theories (SMT) solving to perform detection, whereas the second, UFuzzer, detects such vulnerabilities by intelligently synthesizing code snippets and fuzzing them. The third, UGraph, mitigates the path explosion that the first two systems suffer from and enables a computationally efficient model generation process for large programs. We have deployed all three systems to scan many server-side applications. They have identified 49 previously unknown vulnerable PHP-based web applications, 11 of which received CVE identifiers.
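The following is an added example, not code from the dissertation or from any of the applications it scanned. It shows the vulnerability class the abstract describes in its most common PHP form: an upload handler that trusts the client-supplied filename (and MIME type), beside a hardened handler that sniffs the content, chooses the stored name and extension itself, and bounds the size. The field name `avatar`, the `uploads` directory, and the size limit are assumptions made for the example.

```php
<?php
// Added example (not from the dissertation). Both functions take one entry of
// $_FILES, e.g. $_FILES['avatar'] (field name is an assumption).

// VULNERABLE: the stored path is built from $file['name'], which the client
// controls. An attacker uploads "shell.php" (optionally with a client-declared
// Content-Type of image/png, which $file['type'] would happily report) and then
// requests /uploads/shell.php, so the web server executes the attacker's code.
function handle_upload_vulnerable(array $file, string $uploadDir): string
{
    $dest = $uploadDir . '/' . $file['name'];
    if (!move_uploaded_file($file['tmp_name'], $dest)) {
        throw new RuntimeException('upload failed');
    }
    return $dest;
}

// HARDENED: nothing client-controlled reaches the filesystem path.
function handle_upload_hardened(array $file, string $uploadDir): string
{
    if (($file['error'] ?? UPLOAD_ERR_NO_FILE) !== UPLOAD_ERR_OK) {
        throw new RuntimeException('upload error ' . $file['error']);
    }
    // Assumed limit of 2 MiB; tune per application.
    if ($file['size'] > 2 * 1024 * 1024) {
        throw new RuntimeException('file too large');
    }
    // Sniff the actual content; $file['type'] is attacker-controlled.
    $finfo = new finfo(FILEINFO_MIME_TYPE);
    $mime  = $finfo->file($file['tmp_name']);
    $allowed = ['image/png' => 'png', 'image/jpeg' => 'jpg', 'image/gif' => 'gif'];
    if (!isset($allowed[$mime])) {
        throw new RuntimeException('disallowed content type: ' . $mime);
    }
    // Require the file to decode as an image, not just carry an image header.
    if (getimagesize($file['tmp_name']) === false) {
        throw new RuntimeException('not a valid image');
    }
    // Server-chosen name: random, with the extension derived from the sniffed
    // type. The client's name, extension and any "../" never reach the path.
    $name = bin2hex(random_bytes(16)) . '.' . $allowed[$mime];
    $dest = $uploadDir . '/' . $name;
    if (!move_uploaded_file($file['tmp_name'], $dest)) {
        throw new RuntimeException('upload failed');
    }
    chmod($dest, 0644); // readable, never executable
    return $dest;
}

// Usage (assumed form field "avatar"; uploads directory is assumed to exist).
if (isset($_FILES['avatar'])) {
    echo handle_upload_hardened($_FILES['avatar'], __DIR__ . '/uploads');
}
```

The hardened handler is still only part of the fix. A polyglot file that is a valid PNG and also contains `<?php ... ?>` passes both the MIME sniff and `getimagesize`, so the extension control is what prevents the web server from handing it to the PHP interpreter. Defense in depth is to store uploads outside the document root, or in a directory where PHP execution is disabled (for Apache, `php_admin_flag engine off` in that directory; for nginx, not routing the upload path to php-fpm), so that a bypass of the filename logic does not by itself yield code execution.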

Page Count

118

Department or Program

Department of Computer Science and Engineering

Year Degree Awarded

2021

Creative Commons License

Creative Commons Attribution-Noncommercial-No Derivative Works 3.0 License

