Poster: Whether We Are Good Enough to Detect Server-Side Request Forgeries in PHP-native Applications?
Pages 4928 - 4930
Abstract
Server-side request forgeries (SSRFs) are inevitable in PHP web applications. Existing static taint analysis tools for PHP suffer from both high false-positive and high false-negative rates when detecting SSRF, because they do not incorporate application-specific sources and sinks, do not account for PHP's dynamic typing, and lack SSRF-specific taint analysis rules, which leads to over-tainting and under-tainting. In this work, we propose a technique to accurately detect SSRF vulnerabilities in PHP web applications. First, we extract both PHP built-in and application-specific functions as candidate source and sink functions. Second, we extract explicit and implicit function calls to construct the applications' call graphs. Third, we perform a taint analysis based on a set of rules that prevent over-tainting and under-tainting. We have implemented a prototype and evaluated it on different types of PHP web applications. Our preliminary experiment detects 24 SSRF vulnerabilities in 13 different types of applications; 20 of the vulnerabilities are known and 4 are new.
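The three steps in the abstract (mixed built-in and application-specific sources/sinks, a call graph that covers explicit and implicit calls, and rules against over- and under-tainting) can be sketched as a small interprocedural taint analysis. The following Python is an added illustration written for this page, not the authors' prototype, and the mini IR, the sink table, the `CURLOPT_URL`-only rule, the `intval` and `url_allowlist` sanitizers and the sample program are all constructed assumptions; `url_allowlist` is a hypothetical application helper, not a PHP built-in. It shows one SSRF path that a tool ignoring PHP variable functions (`$fn($u)`) would miss, and two paths that a tool without SSRF-specific rules would falsely flag.

```python
"""Toy interprocedural taint analysis over a PHP-like mini IR (added example).

Not the authors' prototype: sinks, sanitizers, rules and the sample program
are constructed to illustrate the abstract's three steps.
"""
from dataclasses import dataclass


@dataclass
class Func:
    params: list
    body: list  # statements: ("assign", dst, expr) | ("expr", expr) | ("return", expr)


# Expressions: ("str", s) | ("input", superglobal, key) | ("var", name)
#              | ("concat", e1, e2) | ("call", fname, [args]) | ("dyncall", varname, [args])

# Built-in request-issuing sinks: which argument position carries the URL (assumed table).
SINKS = {"curl_setopt": 2, "file_get_contents": 0, "fopen": 0}
URL_OPTIONS = {"CURLOPT_URL"}            # rule: only URL options make curl_setopt an SSRF sink
SANITIZERS = {"intval", "url_allowlist"}  # intval: built-in cast; url_allowlist: hypothetical helper


class TaintAnalyzer:
    def __init__(self, program, resolve_dynamic=True):
        self.program = program
        self.resolve_dynamic = resolve_dynamic  # False mimics a tool that ignores $fn() calls
        self.findings = []

    def run(self, entry="main"):
        self.findings = []
        self.analyze_function(entry, [], [entry])
        return self.findings

    def analyze_function(self, fname, arg_taints, chain):
        func = self.program[fname]
        env = dict(zip(func.params, arg_taints))  # variable -> tainted?
        consts = {}                                # variable -> string constant (resolves $fn())
        ret = False
        for stmt in func.body:
            if stmt[0] == "assign":
                _, dst, expr = stmt
                env[dst] = self.eval(expr, env, consts, chain)
                if expr[0] == "str":
                    consts[dst] = expr[1]
                else:
                    consts.pop(dst, None)
            elif stmt[0] == "expr":
                self.eval(stmt[1], env, consts, chain)
            elif stmt[0] == "return":
                ret = ret or self.eval(stmt[1], env, consts, chain)
        return ret

    def eval(self, expr, env, consts, chain):
        kind = expr[0]
        if kind == "str":
            return False
        if kind == "input":
            return True  # $_GET / $_POST / ... are attacker-controlled sources
        if kind == "var":
            return env.get(expr[1], False)
        if kind == "concat":
            return self.eval(expr[1], env, consts, chain) or self.eval(expr[2], env, consts, chain)
        args = expr[2]  # explicit or implicit call
        arg_taints = [self.eval(a, env, consts, chain) for a in args]
        if kind == "dyncall":
            target = consts.get(expr[1]) if self.resolve_dynamic else None
            if target is None:
                return any(arg_taints)  # unresolved: taint flows on, but the callee is never inspected
            return self.call(target, args, arg_taints, consts, chain + [f"${expr[1]}()"])
        return self.call(expr[1], args, arg_taints, consts, chain)

    def call(self, fname, args, arg_taints, consts, chain):
        if fname in SANITIZERS:
            return False
        if fname in SINKS:
            pos = SINKS[fname]
            if len(arg_taints) <= pos:
                return False
            if fname == "curl_setopt" and self.constant(args[1], consts) not in URL_OPTIONS:
                return False  # e.g. a tainted CURLOPT_POSTFIELDS is not an SSRF
            if arg_taints[pos]:
                self.findings.append({"sink": fname, "chain": " -> ".join(chain)})
            return False
        if fname in self.program:
            if fname in chain:
                return any(arg_taints)  # recursion guard
            return self.analyze_function(fname, arg_taints, chain + [fname])
        return any(arg_taints)  # unknown built-in (trim, strtolower, ...): taint passes through

    @staticmethod
    def constant(expr, consts):
        if expr[0] == "str":
            return expr[1]
        if expr[0] == "var":
            return consts.get(expr[1])
        return None


# Constructed sample: http_fetch() is an application-specific wrapper around cURL.
PROGRAM = {
    "http_fetch": Func(["url", "body"], [
        ("assign", "ch", ("call", "curl_init", [])),
        ("expr", ("call", "curl_setopt", [("var", "ch"), ("str", "CURLOPT_URL"), ("var", "url")])),
        ("expr", ("call", "curl_setopt", [("var", "ch"), ("str", "CURLOPT_POSTFIELDS"), ("var", "body")])),
        ("return", ("call", "curl_exec", [("var", "ch")])),
    ]),
    "main": Func([], [
        # 1. raw user URL reaches the wrapper via a variable function: $fn($u, '') -> finding
        ("assign", "u", ("input", "_GET", "url")),
        ("assign", "fn", ("str", "http_fetch")),
        ("expr", ("dyncall", "fn", [("var", "u"), ("str", "")])),
        # 2. intval()-cast id appended to a fixed host: sanitised, no finding
        ("assign", "id", ("call", "intval", [("input", "_GET", "id")])),
        ("expr", ("call", "http_fetch", [("concat", ("str", "https://api.example.test/users/"),
                                                     ("var", "id")), ("str", "")])),
        # 3. allow-listed URL with tainted POST body: body is not a URL argument, no finding
        ("assign", "safe", ("call", "url_allowlist", [("var", "u")])),
        ("expr", ("call", "http_fetch", [("var", "safe"), ("input", "_POST", "payload")])),
    ]),
}

if __name__ == "__main__":
    print(TaintAnalyzer(PROGRAM).run())                         # one finding via $fn()
    print(TaintAnalyzer(PROGRAM, resolve_dynamic=False).run())  # [] : under-tainting
```

Running the analyzer with `resolve_dynamic=True` reports exactly one finding, `curl_setopt` reached along `main -> $fn() -> http_fetch`; switching it off resolves nothing for the `$fn()` call and reports no finding at all, which is the under-tainting the abstract attributes to tools that only see explicit calls. Cases 2 and 3 stay silent only because of the sanitizer set and the `CURLOPT_URL` rule; a tool that taints every concatenation and every `curl_setopt` argument would flag both.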
Published In
December 2024
5188 pages
ISBN:9798400706363
DOI:10.1145/3658644
- General Chairs:
- Bo Luo,
- Xiaojing Liao,
- Jun Xu,
- Program Chairs:
- Engin Kirda,
- David Lie
Copyright © 2024 Owner/Author.
Permission to make digital or hard copies of part or all of this work for personal or classroom use is granted without fee provided that copies are not made or distributed for profit or commercial advantage and that copies bear this notice and the full citation on the first page. Copyrights for third-party components of this work must be honored. For all other uses, contact the Owner/Author.
Publisher
Association for Computing Machinery
New York, NY, United States
Publication History
Published: 09 December 2024
Qualifiers
- Poster
Funding Sources
- National Natural Science Foundation of China
- Shanghai Sailing Program
Conference
CCS '24
Sponsor:
CCS '24: ACM SIGSAC Conference on Computer and Communications Security
October 14 - 18, 2024
UT, Salt Lake City, USA
Acceptance Rates
Overall Acceptance Rate 1,261 of 6,999 submissions, 18%