DISOV: Discovering Second-Order Vulnerabilities Based on Web Application Property Graph

摘要

Web application second-order vulnerabilities first injectmalicious code into the persistent data stores of the web server and thenexecute it at later sensitive operations, causing severe impact. Nevertheless,the dynamic features, the complex data propagation, and the inter-statedependencies bring many challenges in discovering such vulnerabilities.To address these challenges, we propose DISOV, a web application propertygraph (WAPG) based method to discover second-order vulnerabilities.Specifically, DISOV first constructs WAPG to represent data propagationand inter-state dependencies of the web application, which can be furtherleveraged to find the potential second-order vulnerabilities paths. Then, itleverages fuzz testing to verify the potential vulnerabilities paths. To verifythe effectiveness of DISOV, we tested it in 13 popular web applicationsin real-world and compared with Black Widow, the state-of-the-art webvulnerability scanner. DISOV discovered 43 second-order vulnerabilities,including 23 second-order XSS vulnerabilities, 3 second-order SQL injectionvulnerabilities, and 17 second-order RCE vulnerabilities. While BlackWidow only discovered 18 second-order XSS vulnerabilities, with nonesecond-order SQL injection vulnerability and second-order RCE vulnerability.In addition, DISOV has found 12 0-day second-order vulnerabilities,demonstrating its effectiveness in practice.