Authors:
Liu Fengyu; Shi Youkun; Zhang Yuan; Yang Guangliang; Li Enhao; Yang Min
Publication:
This paper is included in the proceedings of the 46th IEEE Symposium on Security and Privacy (S&P 2025)
Abstract:
Java web applications are widely used to host and power high-value commercial websites. Their complexity, however, leaves them susceptible to a critical class of access-control flaw, Missing-Owner-Check (MOC), in which an operation on user-owned data is performed without verifying that the requesting user actually owns that data, exposing websites to unauthorized access and data breaches. Research on identifying and analyzing MOC vulnerabilities has nevertheless remained limited. In this work, we propose a novel end-to-end vulnerability analysis approach, MOCGuard, that effectively vets Java web applications for MOC issues. Unlike related techniques, MOCGuard pinpoints MOC vulnerabilities from a new, database-centric perspective. It first applies database structure analysis to infer the user table and the user-owned data, and then checks for insecure accesses to that data across both the Java and SQL layers. To evaluate MOCGuard thoroughly, we collaborated with a world-leading tech company. In an evaluation of 30 high-profile open-source Java web applications and 7 industrial Java web applications, we show that MOCGuard is automatic and effective: it uncovered 161 confirmed 0-day MOC vulnerabilities, leading to the assignment of 73 CVE identifiers.
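To make the two-step idea in the abstract concrete, the following Python script is an added illustration, not code from the paper or from the MOCGuard tool. Against a constructed SQLite schema it (1) infers the user table from a credential-column heuristic and the user-owned tables from foreign keys into it, and (2) applies a deliberately simple, regex-based owner check to two hypothetical handler queries, one exhibiting the MOC pattern and one with the owner constraint added. The schema, the table and column names, the credential heuristic, the sample queries and the regex check are all assumptions made for this example; MOCGuard's real analysis across the Java and SQL layers is not reproduced here.

```python
import re
import sqlite3

# Constructed sample schema (not from the paper): users, one user-owned table, one unowned table.
SCHEMA = """
CREATE TABLE users (
    id INTEGER PRIMARY KEY,
    username TEXT NOT NULL,
    password_hash TEXT NOT NULL
);
CREATE TABLE orders (
    id INTEGER PRIMARY KEY,
    user_id INTEGER NOT NULL REFERENCES users(id),
    item TEXT NOT NULL
);
CREATE TABLE products (
    id INTEGER PRIMARY KEY,
    name TEXT NOT NULL
);
INSERT INTO users VALUES (1, 'alice', 'h1'), (2, 'bob', 'h2');
INSERT INTO orders VALUES (10, 1, 'laptop'), (11, 2, 'phone');
INSERT INTO products VALUES (100, 'laptop');
"""

# Assumed heuristic for this example: the user table is the one that carries
# at least two login-credential columns.
CREDENTIAL_COLUMNS = {"username", "password", "password_hash", "email"}

# Hypothetical handler statements. The first is the MOC pattern: the row is
# selected by its id alone, so any logged-in user can read any order.
VULNERABLE_SQL = "SELECT id, item FROM orders WHERE id = ?"
FIXED_SQL = "SELECT id, item FROM orders WHERE id = ? AND user_id = ?"


def open_db():
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    return conn


def list_tables(conn):
    return [r[0] for r in conn.execute(
        "SELECT name FROM sqlite_master WHERE type = 'table'")]


def infer_user_table(conn):
    """Step 1a: pick the table whose columns look like login credentials."""
    for table in list_tables(conn):
        cols = {r[1] for r in conn.execute(f"PRAGMA table_info({table})")}
        if len(cols & CREDENTIAL_COLUMNS) >= 2:
            return table
    return None


def infer_user_owned_tables(conn, user_table):
    """Step 1b: every table with a foreign key into the user table holds
    user-owned data; record the column that names the owner."""
    owned = {}
    for table in list_tables(conn):
        for fk in conn.execute(f"PRAGMA foreign_key_list({table})"):
            # Row layout: (id, seq, referenced_table, from_col, to_col, ...)
            if fk[2] == user_table:
                owned[table] = fk[3]
    return owned


def check_query(sql, owned):
    """Step 2 (toy, regex-based): for a single-table statement on user-owned
    data, report a MOC when the WHERE clause never constrains the owner
    column. Returns None for statements that need no owner check."""
    target = re.search(r"\b(?:FROM|UPDATE|INTO)\s+(\w+)", sql, re.IGNORECASE)
    if not target or target.group(1) not in owned:
        return None
    table, owner_col = target.group(1), owned[target.group(1)]
    where = re.search(r"\bWHERE\b(.*)$", sql, re.IGNORECASE | re.DOTALL)
    has_owner_check = bool(where and re.search(
        rf"\b{owner_col}\s*=", where.group(1), re.IGNORECASE))
    return {"table": table, "owner_column": owner_col, "moc": not has_owner_check}


def lookup_order_vulnerable(conn, order_id, current_user):
    # current_user is never used: the owner check is missing.
    return conn.execute(VULNERABLE_SQL, (order_id,)).fetchall()


def lookup_order_fixed(conn, order_id, current_user):
    return conn.execute(FIXED_SQL, (order_id, current_user)).fetchall()


if __name__ == "__main__":
    db = open_db()
    owned_tables = infer_user_owned_tables(db, infer_user_table(db))
    for sql in (VULNERABLE_SQL, FIXED_SQL):
        print(check_query(sql, owned_tables), "<-", sql)
    # bob (id 2) asks for alice's order 10
    print("vulnerable:", lookup_order_vulnerable(db, 10, 2))
    print("fixed:", lookup_order_fixed(db, 10, 2))
```

Running the script flags only the first statement, and the handler built on it returns alice's order to bob while the fixed handler returns nothing. The regex check is intentionally crude: it would be fooled by an `OR user_id = ?` clause or by an owner check performed in Java after the query, which is exactly why an analysis of this class has to follow the data across both the Java and SQL layers rather than inspect SQL strings in isolation.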