
A Formal Approach to Exploiting Multi-stage Attacks Based on File-System Vulnerabilities of Web Applications

Conference paper, published in: Engineering Secure Software and Systems (ESSoS 2017)

Part of the book series: Lecture Notes in Computer Science (LNCS, volume 10379)

Abstract

We propose a formal approach that allows one to (i) reason about file-system vulnerabilities of web applications and (ii) combine file-system vulnerabilities and SQL-Injection vulnerabilities for complex, multi-stage attacks. We have developed an automatic tool that implements our approach and we show its efficiency by discussing four real-world case studies, which are witness to the fact that our tool can generate, and exploit, attacks that, to the best of our knowledge, no other tool for the security of web applications can find.


Notes

  1. The Top 10 compiled by OWASP is a general classification and does not include a specific category named “file-system vulnerability”; however, “Injection”, “Broken Authentication and Session Management” and “Security Misconfiguration” (to name just a few) can all lead to vulnerabilities related to the file-system.

  2. We assume the communication with the file-system to be secure, since the file-system is not a real network node and thus no attacker can place himself between the web application and the file-system, i.e., man-in-the-middle attacks are not possible.

  3. In this paper, we need not distinguish between different kinds of encrypted messages, but we could do so by following standard practice. Here we do not even need to consider encrypted messages explicitly, but we add them for completeness.

  4. We do not need to consider access control policies/models, as they are external to the web app. Hence, we assume that every file in the file-system can always be read and that every write operation will always succeed.

  5. We plan to extend CL-AtSe or replace it with a tool capable of generating multiple attack traces.

References

  1. Akhawe, D., Barth, A., Lam, P., Mitchell, J., Song, D.: Towards a formal foundation of web security. In: CSF. IEEE (2010). doi:10.1109/CSF.2010.27

  2. Armando, A., et al.: The AVANTSSAR platform for the automated validation of trust and security of service-oriented architectures. In: Flanagan, C., König, B. (eds.) TACAS 2012. LNCS, vol. 7214, pp. 267–282. Springer, Heidelberg (2012). doi:10.1007/978-3-642-28756-5_19


  3. ASP documentation: Including Files in ASP Applications. https://msdn.microsoft.com/en-us/library/ms524876(v=vs.90).aspx

  4. Büchler, M., Oudinet, J., Pretschner, A.: Semi-automatic security testing of web applications from a secure model. In: SERE. doi:10.1109/SERE.2012.38

  5. Calvi, A., Viganò, L.: An automated approach for testing the security of web applications against chained attacks. In: 31st ACM/SIGAPP Symposium on Applied Computing (SAC). ACM Press (2016). doi:10.1145/2851613.2851803

  6. Carey, M.: Penetration Testing vs. Vulnerability Scanning - What’s the Difference? https://www.alienvault.com/blogs/security-essentials/penetration-testing-vs-vulnerability-scanning-whats-the-difference

  7. Christey, S.: The 2009 CWE/SANS top 25 most dangerous programming errors. http://cwe.mitre.org/top25

  8. Damele, B., Guimarães, A.: Advanced SQL injection to operating system full control. In: BlackHat EU (2009)


  9. De Meo, F., Rocchetto, M., Viganò, L.: Formal analysis of vulnerabilities of web applications based on SQL injection. In: Barthe, G., Markatos, E., Samarati, P. (eds.) STM 2016. LNCS, vol. 9871, pp. 179–195. Springer, Cham (2016). doi:10.1007/978-3-319-46598-2_13


  10. De Meo, F., Viganò, L.: WAFEx: Web Application Formal Exploiter. http://regis.di.univr.it/wafex/

  11. De Meo, F., Viganò, L.: A Formal Approach to Exploiting Multi-Stage Attacks based on File-System Vulnerabilities of Web Applications (Extended Version) (2017). https://arxiv.org/abs/1705.03658

  12. Dolev, D., Yao, A.C.: On the security of public key protocols. IEEE Trans. Inf. Theory 29, 198–208 (1983). doi:10.1109/TIT.1983.1056650


  13. DotDotPwn - The Directory Traversal Fuzzer. https://github.com/wireghoul/dotdotpwn

  14. Doupé, A., Cova, M., Vigna, G.: Why Johnny can’t pentest: an analysis of black-box web vulnerability scanners. In: Kreibich, C., Jahnke, M. (eds.) DIMVA 2010. LNCS, vol. 6201, pp. 111–131. Springer, Heidelberg (2010). doi:10.1007/978-3-642-14215-4_7


  15. DVWA: Damn Vulnerable Web Application. http://www.dvwa.co.uk/

  16. Glynn, F.: Vulnerability Assessment and Penetration Testing. http://www.veracode.com/security/vulnerability-assessment-and-penetration-testing

  17. Joomla! https://www.joomla.org

  18. The Java EE 5 Tutorial: Reusing Content in JSP Pages. http://docs.oracle.com/javaee/5/tutorial/doc/bnajb.html

  19. OWASP: Top 10 for 2013. https://www.owasp.org/index.php/Category:OWASP_Top_Ten_Project

  20. PHP documentation: include. http://php.net/manual/it/function.include.php

  21. PortSwigger: Burp Proxy (2014). https://portswigger.net/burp/proxy.html

  22. Rocchetto, M., Ochoa, M., Torabi Dashti, M.: Model-based detection of CSRF. In: Cuppens-Boulahia, N., Cuppens, F., Jajodia, S., Abou El Kalam, A., Sans, T. (eds.) SEC 2014. IFIP AICT, vol. 428, pp. 30–43. Springer, Heidelberg (2014). doi:10.1007/978-3-642-55415-5_3


  23. SANS Institute: Penetration Testing: Assessing Your Overall Security Before Attackers Do. https://www.sans.org/reading-room/whitepapers/analyst/penetration-testing-assessing-security-attackers-34635

  24. Trustwave SpiderLabs: Joomla SQL Injection Vulnerability Exploit Results in Full Administrative Access (2015). https://www.trustwave.com/Resources/SpiderLabs-Blog/Joomla-SQL-Injection-Vulnerability-Exploit-Results-in-Full-Administrative-Access

  25. Viganò, L.: The SPaCIoS project: secure provision and consumption in the internet of services. In: Software Testing, Verification and Validation (ICST) (2013). doi:10.1109/ICST.2013.75

  26. Wfuzz: The Web Bruteforcer. https://github.com/xmendez/wfuzz

Corresponding author: Federico De Meo.


Copyright information

© 2017 Springer International Publishing AG


Cite this paper

De Meo, F., Viganò, L. (2017). A Formal Approach to Exploiting Multi-stage Attacks Based on File-System Vulnerabilities of Web Applications. In: Bodden, E., Payer, M., Athanasopoulos, E. (eds) Engineering Secure Software and Systems. ESSoS 2017. Lecture Notes in Computer Science(), vol 10379. Springer, Cham. https://doi.org/10.1007/978-3-319-62105-0_13


  • DOI: https://doi.org/10.1007/978-3-319-62105-0_13


  • Publisher Name: Springer, Cham

  • Print ISBN: 978-3-319-62104-3

  • Online ISBN: 978-3-319-62105-0

