research-article

Pythia: Identifying Dangerous Data-flows in Django-based Applications

Authors:

Linos Giannopoulos,

Eirini Degkleri,

Panayiotis Tsanakas,

Dimitris MitropoulosAuthors Info & Claims

EuroSec '19: Proceedings of the 12th European Workshop on Systems Security

Article No.: 5, Pages 1 - 6

https://doi.org/10.1145/3301417.3312497

Published: 25 March 2019 Publication History

Abstract

Web frameworks that allow developers to create applications based on design patterns such as the Model View Controller (MVC), provide by default a number of security checks. Nevertheless, by using specific constructs, developers may disable these checks thus re-introducing classic application vulnerabilities such as Cross-site Scripting (XSS) and Cross-Site Request Forgery (CSRF). Framework-specific elements including (1) the complex nature of these applications, (2) the different features that they involve (e.g. templates), and (3) the inheritance mechanisms that governs them, make the identification of such issues very difficult.

To tackle this problem, we have developed Pythia, a scheme that analyzes applications based on the Django framework. To identify potentially dangerous data flows that can lead to XSS and CSRF defects, Pythia takes into account all the aforementioned elements and employs ideas coming from standard data-flow analysis and taint tracking schemes. To the best of our knowledge, Pythia is the first mechanism to consider framework-specific elements in its analysis. We have evaluated our scheme with positive results. Specifically, we used Pythia to examine five open-source applications that are currently in production and have thousands of users including an e-voting service, and a web-based translation management system. In four cases we have identified dangerous paths that in turn led to vulnerabilities. Notably, in many cases the paths involved the particular features of Django-based applications e.g. templates.

References

[1]

{n. d.}. Misago Project Forums. https://misago-project.org/. {Online; accessed 1-January-2019}.

[2]

{n. d.}. phpMyAdmin: Bringing MySQL to the web. https://www.phpmyadmin.net/. {Online; accessed 1-January-2019}.

[3]

{n. d.}. Pylint: Code Analysis for Python. https://www.pylint.org/. {Online; accessed 20-December-2018}.

[4]

{n. d.}. Python AST-based static analyzer from OpenStack Security Group. https://github.com/openstack/bandit. {Online; accessed 20-December-2018}.

[5]

{n. d.}. ~okeanos: The Greek Research and Technology Network Cloud Service. https://okeanos.grnet.gr/home/. {Online; accessed 1-January-2019}.

[6]

{n. d.}. The Debian Administrator's Handbook. https://debian-handbook.info/. {Online; accessed 1-January-2019}.

[7]

{n. d.}. ViMa, Virtual Machines. https://vima.grnet.gr. {Online; accessed 1-January-2019}.

[8]

{n. d.}. Weblate: Improve Engage Page Patch. https://github.com/WeblateOrg/weblate/commit/63218cd4256941f02030b663d7207d69a0f1f173. {Online; accessed 10-February-2019}.

[9]

{n. d.}. Zeus E-voting Service. https://zeus.grnet.gr/zeus/. {Online; accessed 1-January-2019}.

[10]

Ronan Barrett and Sarah Jane Delany. 2004. OpenMVC: A Non-proprietry Component-based Framework for Web Applications. In Proceedings of the 13th International World Wide Web Conference on Alternate Track Papers & Posters (WWW Alt. '04). ACM, New York, NY, USA, 464--465.

Digital Library

[11]

Michal Cihar. {n. d.}. Weblate: Bring translators closer to development. https://weblate.org/en/. {Online; accessed 1-January-2019}.

[12]

Johannes Dahse and Thorsten Holz. 2014. Static Detection of Second-order Vulnerabilities in Web Applications. In Proceedings of the 23rd USENIX Security Symposium. USENIX Association, Berkeley, CA, USA, 989--1003.

Digital Library

[13]

Luo GuangChun, WangYanhua Lu, and Xianliang Hanhong. 2003. A Novel Web Application Frame Developed by MVC. SIGSOFT Softw. Eng. Notes 28, 2 (March 2003), 7--.

Digital Library

[14]

Nenad Jovanovic, Christopher Kruegel, and Engin Kirda. 2006. Pixy: A Static Analysis Tool for Detecting Web Application Vulnerabilities (Short Paper). In Proceedings of the 2006 IEEE Symposium on Security and Privacy. IEEE Computer Society, Washington, DC, USA, 258--263.

Digital Library

[15]

Chris Lamb. {n. d.}. Django-Lint: Static analysis tool for Django projects. https://chris-lamb.co.uk/projects/django-lint. {Online; accessed 20-December-2018}.

[16]

V. Benjamin Livshits and Monica S. Lam. 2005. Finding Security Vulnerabilities in Java Applications with Static Analysis. In Proceedings of the 14th USENIX Security Symposium. USENIX Association, Berkeley, CA, USA, 18--18.

Digital Library

[17]

Panos Louridas, Georgios Tsoukalas, and Dimitris Mitropoulos. {n. d.}. Requirements and User Interface Design. https://panoramix-project.eu/wp-content/uploads/2016/10/D5.1.pdf. {Online; accessed 20-December-2018}.

[18]

Stephen McCamant and Michael D. Ernst. 2007. A Simulation-based Proof Technique for Dynamic Information Flow. In Proceedings of the 2007 Workshop on Programming Languages and Analysis for Security (PLAS '07). ACM, New York, NY, USA, 41--46.

Digital Library

[19]

Stefan Micheelsen and Bruno Thalmann. 2016. PyT - A Static Analysis Tool for Detecting Security Vulnerabilities in Python Web Applications. https://github.com/python-security/pyt

[20]

Dimitris Mitropoulos, Panos Louridas, Michalis Polychronakis, and Angelos D. Keromytis. 2017. Defending against Web application attacks: approaches, challenges and implications. IEEE Transactions on Dependable and Secure Computing PP (2017).

[21]

Susanta Nanda, Lap-Chung Lam, and Tzi-cker Chiueh. 2007. Dynamic Multiprocess Information Flow Tracking for Web Application Security. In Proceedings of the 2007 International Conference on Middleware Companion. ACM, Article 19, 20 pages.

Digital Library

[22]

Frolin S. Ocariza, Jr., Karthik Pattabiraman, and Ali Mesbah. 2015. Detecting Inconsistencies in JavaScript MVC Applications. In Proceedings of the 37th International Conference on Software Engineering (ICSE '15). IEEE Press, Piscataway, NJ, USA, 325--335.

Digital Library

[23]

Ioannis Papagiannis, Matteo Migliavacca, and Peter Pietzuch. 2011. PHP Aspis: Using Partial Taint Tracking to Protect Against Injection Attacks. In Proceedings of the 2Nd USENIX Conference on Web Application Development. 2--2.

Digital Library

[24]

PHP Laravel {n. d.}. Laravel - The PHP Framework For Web Artisans. https://laravel.com/. {Online; accessed 20-December-2018}.

[25]

PyCQA {n. d.}. Flake8: Your Tool For Style Guide Enforcement. PyCQA. {Online; accessed 20-December-2018}.

[26]

Armin Ronacher. {n. d.}. Jinja - Template engine for Python. (2.1 ed.). http://jinja.pocoo.org/ {Online; accessed 20-December-2018}.

[27]

Stack Overflow Django CSRF {n. d.}. How to exempt CSRF Protection on direct_to_template. https://stackoverflow.com/questions/11610306/how-to-exempt-csrf-protection-on-direct-to-template. {Online; accessed 20-December-2018}.

[28]

Ben Stock, Sebastian Lekies, Tobias Mueller, Patrick Spiegel, and Martin Johns. 2014. Precise Client-side Protection against DOM-based Cross-Site Scripting. In 23rd USENIX Security. 655--670.

Digital Library

[29]

Georgios Tsoukalas, Kostas Papadimitriou, Panos Louridas, and Panayiotis Tsanakas. 2013. From Helios to Zeus. In 2013 Electronic Voting Technology Workshop / Workshop on Trustworthy Elections, EVT/WOTE '13, Washington, D.C., USA, August 12--13.

[30]

P. Vogt, F. Nentwich, N. Jovanovic, E. Kirda, C. Kruegel, and G. Vigna. 2007. Cross-Site Scripting Prevention with Dynamic Data Tainting and Static Analysis. In NDSS '07.

Cited By

Frantz MXiao YPias TMeng NYao D(2024)Methods and Benchmark for Detecting Cryptographic API Misuses in PythonIEEE Transactions on Software Engineering10.1109/TSE.2024.337718250:5(1118-1129)Online publication date: May-2024
https://doi.org/10.1109/TSE.2024.3377182
Krohmer DSharma KChen STorres-Arias SMelara MSimon L(2022)Adapting Static Taint Analyzers to Software MarketplacesProceedings of the 2022 ACM Workshop on Software Supply Chain Offensive Research and Ecosystem Defenses10.1145/3560835.3564553(73-82)Online publication date: 11-Nov-2022
https://dl.acm.org/doi/10.1145/3560835.3564553
Rao AGebusion BPorpora J(2022)Developing surveillance applications with Raspberry Pi, Django, and cloud services2022 IEEE Integrated STEM Education Conference (ISEC)10.1109/ISEC54952.2022.10025125(270-277)Online publication date: 26-Mar-2022
https://doi.org/10.1109/ISEC54952.2022.10025125
Show More Cited By

Index Terms

Pythia: Identifying Dangerous Data-flows in Django-based Applications
1. Security and privacy
  1. Software and application security
    1. Web application security
2. Software and its engineering
  1. Software creation and management
    1. Software verification and validation
      1. Software defect analysis

Recommendations

Vulnerability Analysis of Iframe Attacks on Websites
MISNC, SI, DS 2016: Proceedings of the The 3rd Multidisciplinary International Social Networks Conference on SocialInformatics 2016, Data Science 2016

Clickjacking attacks are emerging threats to websites of different sizes and shapes. They are particularly used by threat agents to get more likes and/or followers in Online Social Networks (OSNs). This paper reviews the clickjacking attacks and the ...
Client-Side Detection of Cross-Site Request Forgery Attacks
ISSRE '10: Proceedings of the 2010 IEEE 21st International Symposium on Software Reliability Engineering

Cross Site Request Forgery (CSRF) allows an attacker to perform unauthorized activities without the knowledge of a user. An attack request takes advantage of the fact that a browser appends valid session information for each request. As a result, a ...
Defeating Cross-Site Request Forgery Attacks with Browser-Enforced Authenticity Protection
Financial Cryptography and Data Security

A cross site request forgery (CSRF) attack occurs when a user's web browser is instructed by a malicious webpage to send a request to a vulnerable web site, resulting in the vulnerable web site performing actions not intended by the user. CSRF ...

Comments

Information & Contributors

Information

Published In

cover image ACM Conferences

EuroSec '19: Proceedings of the 12th European Workshop on Systems Security

March 2019

59 pages

ISBN:9781450362740

DOI:10.1145/3301417

Copyright © 2019 ACM.

Permission to make digital or hard copies of all or part of this work for personal or classroom use is granted without fee provided that copies are not made or distributed for profit or commercial advantage and that copies bear this notice and the full citation on the first page. Copyrights for components of this work owned by others than the author(s) must be honored. Abstracting with credit is permitted. To copy otherwise, or republish, to post on servers or to redistribute to lists, requires prior specific permission and/or a fee. Request permissions from [email protected].

Sponsors

SIGOPS: ACM Special Interest Group on Operating Systems

Publisher

Association for Computing Machinery

New York, NY, United States

Publication History

Published: 25 March 2019

Permissions

Request permissions for this article.

Request Permissions

Check for updates

Author Tags

Qualifiers

Research-article
Research
Refereed limited

Funding Sources

European Commission, HORIZON 2020

Conference

EuroSys '19

Sponsor:

SIGOPS

EuroSys '19: Fourteenth EuroSys Conference 2019

March 25 - 28, 2019

Dresden, Germany

Acceptance Rates

EuroSec '19 Paper Acceptance Rate 9 of 25 submissions, 36%;

Overall Acceptance Rate 47 of 113 submissions, 42%

Upcoming Conference

EuroSys '25

Sponsor:
sigops

Twentieth European Conference on Computer Systems

March 30 - April 3, 2025

Rotterdam , Netherlands

Contributors

Other Metrics

View Article Metrics

Bibliometrics & Citations

Bibliometrics

Article Metrics

4
Total Citations
View Citations
275
Total Downloads

Downloads (Last 12 months)27
Downloads (Last 6 weeks)0

Reflects downloads up to 06 Jan 2025

Other Metrics

View Author Metrics

Citations

Cited By

Frantz MXiao YPias TMeng NYao D(2024)Methods and Benchmark for Detecting Cryptographic API Misuses in PythonIEEE Transactions on Software Engineering10.1109/TSE.2024.337718250:5(1118-1129)Online publication date: May-2024
https://doi.org/10.1109/TSE.2024.3377182
Krohmer DSharma KChen STorres-Arias SMelara MSimon L(2022)Adapting Static Taint Analyzers to Software MarketplacesProceedings of the 2022 ACM Workshop on Software Supply Chain Offensive Research and Ecosystem Defenses10.1145/3560835.3564553(73-82)Online publication date: 11-Nov-2022
https://dl.acm.org/doi/10.1145/3560835.3564553
Rao AGebusion BPorpora J(2022)Developing surveillance applications with Raspberry Pi, Django, and cloud services2022 IEEE Integrated STEM Education Conference (ISEC)10.1109/ISEC54952.2022.10025125(270-277)Online publication date: 26-Mar-2022
https://doi.org/10.1109/ISEC54952.2022.10025125
Pham VKim NSeo EHa JChung T(2019)A Method to Enhance the Security Capability of Python IDEFuture Data and Security Engineering10.1007/978-3-030-35653-8_27(399-410)Online publication date: 20-Nov-2019
https://doi.org/10.1007/978-3-030-35653-8_27

View Options

Login options

Check if you have access through your login credentials or your institution to get full access on this article.

Full Access

Get this Publication

View options

PDF

View or Download as a PDF file.

eReader

View online with eReader.

Media

Figures

Other

Tables

View Table of Contents