Detecting Server-Side Web Applications with Unrestricted File Upload Vulnerabilities

2021, Doctor of Philosophy (PhD), Wright State University, Computer Science and Engineering PhD.
Vulnerable web applications fundamentally undermine website security, as they often expose the critical infrastructure and sensitive information behind them to risk. Web applications with unrestricted file upload vulnerabilities allow attackers to upload a file containing malicious code, which can later be executed on the server to enable attacks such as information exfiltration, spamming, phishing, and spreading malware. This dissertation presents our research in building two novel frameworks to detect server-side applications vulnerable to unrestricted file upload attacks. We design a novel model that holistically characterizes both data and control flows using a graph-based data structure. Such a model makes critical program analysis mechanisms, such as static analysis and constraint modeling, straightforward to apply. We build an interpreter that models a web program by symbolically interpreting its abstract syntax tree (AST). Our research has led to three complementary systems that can effectively detect unrestricted file upload vulnerabilities. The first system, UChecker, leverages satisfiability modulo theories (SMT) to perform detection, whereas the second system, UFuzzer, detects the vulnerability by intelligently synthesizing code snippets and fuzzing them. We also propose a third system, UGraph, to mitigate the path explosion that the previous two systems suffer from and to enable computationally efficient model generation for large programs. We have deployed all three systems to scan many server-side applications. They have identified 49 previously unknown vulnerable PHP-based web applications, including 11 CVEs.
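To make the vulnerability class concrete, the following is an added illustration, not code from the dissertation or its tools, that places a weak PHP upload handler (the pattern UChecker, UFuzzer and UGraph aim to detect) beside a hardened one. The form field name, directory paths and allowed types are assumptions chosen for the example.

```php
<?php
// Added example: a weak upload handler beside a hardened one.
// $file is one entry of $_FILES (e.g. $_FILES['upload']; the field name is assumed).

// --- Weak handler: the unrestricted-upload pattern ---
function weak_handle_upload(array $file, string $webroot): string
{
    // Trusts the client-supplied filename and never checks the type, so an
    // uploaded .php file lands inside the document root and the server will
    // execute it on the next request to its URL.
    $dest = $webroot . '/uploads/' . basename($file['name']);
    move_uploaded_file($file['tmp_name'], $dest);
    return $dest;
}

// --- Hardened handler ---
function safe_handle_upload(array $file, string $storageDir): string
{
    if ($file['error'] !== UPLOAD_ERR_OK) {
        throw new RuntimeException('upload failed');
    }
    if (!is_uploaded_file($file['tmp_name'])) {
        throw new RuntimeException('not an uploaded file');
    }

    // Allowlist of extensions and the content type each must actually carry.
    $allowed = ['png' => 'image/png', 'jpg' => 'image/jpeg', 'pdf' => 'application/pdf'];
    $ext = strtolower(pathinfo($file['name'], PATHINFO_EXTENSION));
    if (!isset($allowed[$ext])) {
        throw new RuntimeException('extension not allowed');
    }

    // Inspect the bytes on disk; $file['type'] is client-controlled and ignored.
    $finfo = new finfo(FILEINFO_MIME_TYPE);
    $mime  = $finfo->file($file['tmp_name']);
    if ($mime !== $allowed[$ext]) {
        throw new RuntimeException('content does not match extension');
    }

    // Server-chosen random name, written outside the document root with no
    // execute bit, so even a misclassified file is never run by the web server.
    $name = bin2hex(random_bytes(16)) . '.' . $ext;
    $dest = rtrim($storageDir, '/') . '/' . $name;
    if (!move_uploaded_file($file['tmp_name'], $dest)) {
        throw new RuntimeException('could not store file');
    }
    chmod($dest, 0640);
    return $dest;
}
```

The hardened version shows the three checks a static or fuzzing detector would look for on the path from `$_FILES` to `move_uploaded_file`: a server-side allowlist on the extension, a content-based type check rather than the client's header, and a destination outside the executable web root under a name the client does not control.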
Junjie Zhang, Ph.D. (Advisor)
Krishnaprasad Thirunarayan, Ph.D. (Committee Member)
Michelle Andreen Cheatham, Ph.D. (Committee Member)
Phu H. Phung, Ph.D. (Committee Member)
118 p.

Recommended Citations

  • APA Style (7th edition): Huang, J. (2021). Detecting Server-Side Web Applications with Unrestricted File Upload Vulnerabilities [Doctoral dissertation, Wright State University]. OhioLINK Electronic Theses and Dissertations Center. http://rave.ohiolink.edu/etdc/view?acc_num=wright163007760528389

  • MLA Style (8th edition): Huang, Jin. Detecting Server-Side Web Applications with Unrestricted File Upload Vulnerabilities. 2021. Wright State University, Doctoral dissertation. OhioLINK Electronic Theses and Dissertations Center, http://rave.ohiolink.edu/etdc/view?acc_num=wright163007760528389.

  • Chicago Manual of Style (17th edition): Huang, Jin. "Detecting Server-Side Web Applications with Unrestricted File Upload Vulnerabilities." Doctoral dissertation, Wright State University, 2021. http://rave.ohiolink.edu/etdc/view?acc_num=wright163007760528389