Publication Date


Document Type


Committee Members

Junjie Zhang, Ph.D. (Advisor); Krishnaprasad Thirunarayan, Ph.D. (Committee Member); Michelle Andreen Cheatham, Ph.D. (Committee Member); Phu H. Phung, Ph.D. (Committee Member)

Degree Name

Doctor of Philosophy (PhD)


Vulnerable web applications fundamentally undermine website security as they often expose critical infrastructures and sensitive information behind them to potential risks and threats. Web applications with unrestricted file upload vulnerabilities allow attackers to upload a file with malicious code, which can be later executed on the server by attackers to enable various attacks such as information exfiltration, spamming, phishing, and spreading malware. This dissertation presents our research in building two novel frameworks to detect server-side applications vulnerable to unrestricted file uploading attacks. We design the innovative model that holistically characterizes both data and control flows using a graphbased data structure. Such a model makes effortless critical program analysis mechanisms, such as static analysis and constraint modeling. We build the interpreter to model a web program by symbolically interpreting its abstract syntax tree (AST). Our research has led to three complementary systems that can effectively detect unrestricted file uploading vulnerabilities. The first system, namely UChecker, leverages satisfiability modulo theory to perform detection, whereas the second system, namely UFuzzer, detects such vulnerability by intelligently synthesizing code snippets and performing fuzzing. We also proposed the third system to mitigate the challenge of path explosion that the previous two systems suffered and enable a computationally efficient model generation process for large programs. We have deployed all of our systems, namely UGraph, to scan many server-side applications. They have identified 49 vulnerable PHP-based web applications that are previously unknown, including 11 CVEs.

Page Count


Department or Program

Department of Computer Science and Engineering

Year Degree Awarded


Creative Commons License

Creative Commons Attribution-Noncommercial-No Derivative Works 3.0 License
This work is licensed under a Creative Commons Attribution-Noncommercial-No Derivative Works 3.0 License.