Abstract:
The Cross-Site Scripting (XSS) vulnerability is one of the most prevalent security issues in PHP web applications. To detect XSS vulnerabilities, existing dynamic techniques are commonly hindered by insufficient code exploration capabilities and non-trivial execution environment setup. By comparison, static techniques offer more flexible detection of target code by identifying vulnerable source-sink paths. However, these paths are often guarded by custom sanitizers (i.e., application-specific code implemented to filter malicious inputs). Without reliable techniques for modeling and analyzing such sanitizers, existing work struggles to achieve satisfactory effectiveness.
In light of this, we propose a static, sanitizer-tolerant XSS detector named XSSky. Our key insight is that concrete malicious inputs which evade sanitizers and trigger XSS vulnerabilities serve as strong proof of a vulnerability's existence. Based on this idea, XSSky attempts to deterministically curate malicious inputs for potentially vulnerable source-sink paths using a path-persistent fuzzing strategy. Specifically, XSSky first converts each given source-sink path into a locally executable Program Under Test (PUT). It then uses XSS-oriented exploit primitives and PHP interpreter feedback to generate malicious inputs that efficiently confirm the existence of vulnerabilities. Evaluation results show that XSSky successfully detected 60 previously unknown XSS vulnerabilities (including 31 caused by sanitizer evasion) across 20 popular PHP web applications. Compared with several existing state-of-the-art techniques, XSSky achieved a precision improvement of 11.48% to 642.49% and a recall improvement of 87.51% to 172.70%. Furthermore, XSSky identified 18 unique vulnerabilities that none of the baselines could detect.
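The abstract describes lifting a source-sink path out of its request context into a locally executable Program Under Test and then judging, from interpreter feedback, whether a custom sanitizer on that path is sufficient. The PHP below is an added illustration of that shape and is not XSSky's code: the sanitizer `custom_sanitize`, the path `put_profile_page`, the oracle `sanitizer_is_insufficient` and the inputs are all constructed for this example. The oracle takes a defensive stance: it compares the sanitizer's output against a reference encoder (`htmlspecialchars`) and flags any input whose HTML metacharacters reach the sink unencoded, which marks the path for review rather than proving it exploitable.

```php
<?php
// Added illustration (not XSSky's code): a locally executable "Program Under
// Test" for one hypothetical source-sink path, plus a reference check that
// flags a custom sanitizer whose output still carries unencoded HTML
// metacharacters. Sanitizer, path and inputs are constructed for this example.

declare(strict_types=1);

// Hypothetical custom sanitizer as it might appear in an application:
// removes one fixed tag name and leaves every other character untouched.
function custom_sanitize(string $input): string
{
    return str_ireplace('<script>', '', $input);
}

// Reference sanitizer for an HTML text context: encode every metacharacter.
function reference_sanitize(string $input): string
{
    return htmlspecialchars($input, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
}

// The source-sink path lifted out of its request context: the "source" is a
// function parameter instead of $_GET, and the "sink" returns the HTML that
// would have been echoed, so the path runs offline under the PHP interpreter.
function put_profile_page(string $name): string
{
    $safe = custom_sanitize($name);        // sanitizer guarding the path
    return "<p>Welcome, {$safe}!</p>";      // sink: HTML output
}

// Oracle: strip the fixed template around the dynamic part of the sink output
// and report the sanitizer as insufficient when that part differs from the
// reference encoding AND still contains an HTML metacharacter. This does not
// prove exploitability; it only flags a path that deserves review.
function sanitizer_is_insufficient(string $input): bool
{
    $html    = put_profile_page($input);
    $dynamic = substr($html, strlen('<p>Welcome, '), -strlen('!</p>'));
    return $dynamic !== reference_sanitize($input)
        && preg_match('/[<>"\']/', $dynamic) === 1;
}

// Constructed inputs: plain text, text carrying markup, and text with a quote.
foreach (['Alice', 'A <b>bold</b> name', 'O\'Brien'] as $input) {
    printf("%-22s -> %s\n", var_export($input, true),
        sanitizer_is_insufficient($input) ? 'metacharacters survive' : 'ok');
}
```

Run with `php put_example.php`: the plain name passes, while the inputs containing `<`, `>` or a quote are reported because `custom_sanitize` never encodes them. Replacing the body of `custom_sanitize` with the `htmlspecialchars` call used in `reference_sanitize` makes the oracle report every input as ok, which is the fix a reviewer would expect for an HTML text sink; an attribute or JavaScript sink would need its own context-specific encoder and oracle.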