[USENIX Security 2025] Towards Automatic Detection and Exploitation of Java Web Application Vulnerabilities via Concolic Execution guided by Cross-thread Object Manipulation

Posted by: 周烩君 | Posted on: 2025-04-09 | Views: 10

Authors:

Huang Xinyou; Zhang Lei; Liu Yongheng; Deng Peng; Cao Yinzhi; Zhang Yuan; Yang Min


Publication:

This paper is included in the Proceedings of the 34th USENIX Security Symposium (USENIX Security 2025).


Abstract:

Java web applications are of great importance to the information systems deployed across critical sectors of our society, as demonstrated by the severe impact of the notorious Log4j vulnerability. One major challenge in detecting Java web application vulnerabilities is cross-thread dataflows, which are caused by shared Java objects and triggered by multiple web requests in the same session. To the best of our knowledge, none of the prior works can handle such cross-thread dataflows in Java web applications. In this paper, we design and implement the first framework, called JAEX, to automatically detect and exploit Java web application vulnerabilities via concolic execution guided by so-called Cross-thread Object Manipulation. Our key insight is that cross-thread dataflows can be triggered by manipulating shared Java objects through different requests, which guides concolic execution to reach the sink and generate exploits. We evaluate JAEX on popular Java applications and discover 35 zero-day vulnerabilities. We responsibly disclosed all of the vulnerabilities to their vendors and received acknowledgments for all of them.