Automatic Exploit Generation for Web Applications

Web applications are valuable targets for security attacks because of their popularity and the sensitive data that they handle (e.g., credit card data, medical records, and personal information). Vulnerabilities that can be exploited in these applications may have potentially catastrophic effects in terms of financial losses to the online enterprise as well as privacy losses to the consumer. Therefore, the security of web applications is critically important for both end users and online enterprises. Several approaches exist for analyzing the security of modern web applications. These approaches use a series of analysis techniques to identify vulnerabilities such as SQL Injection (SQLI) and Cross-Site Scripting (XSS). However, these analysis techniques are susceptible to false alarms, and therefore require manual efforts to check whether each one of the reported vulnerabilities is indeed exploitable. Automatic exploit generation approaches take a further step and try to include methods for automatically verifying that vulnerabilities are real by generating concrete exploits. Here, an exploit is a that a reported vulnerability is indeed exploitable. Identifying exploitable vulnerabilities helps web developers prioritize their efforts on fixing those critical bugs first. The research community is aware of the need for automated techniques that construct exploits for modern web applications. However, prior research works in this area do not scale to find deep vulnerabilities and cannot handle large and complex web applications. Several challenges contribute to this problem. Mainly, these challenges arise from the unique characteristics of modern web applications such as their complex workflows, multi-module nature, interposed user input, and multi-tier architectures. This dissertation presents an effort to secure web applications by automatically generating exploits that validate the existence and exploitability of vulnerabilities. It covers research efforts that contribute to our overall goal of providing an automatic exploit generation solution that scales to large, complex, and dynamic web applications. First, the dissertation describes an approach that automatically generates injection exploits that span several HTTP requests. Our approach develops precise models of application workflows, database schemas, and native functions to achieve the goal of automatic exploit generation. To assess the effectiveness of our approach, we evaluated it on several web applications of different complexities. The experimental results demonstrate that our approach can overcome the challenges of modern web applications by successfully generating first- and second-order exploits for them. Second, we present an exploit construction approach that overcomes the challenges posed by the dynamic nature of web applications. Our approach is based on combining dynamic analysis that is guided by static analysis techniques in order to automatically identify vulnerabilities and build working exploits. We evaluated our system over a codebase of 3.2 million lines of PHP code. Experimental results demonstrate that our system can scale the process of automatic vulnerability analysis and exploit generation to large applications and to multiple classes of vulnerabilities. By presenting the results of both systems, this thesis demonstrates an automated exploit generation approach that scales to large, complex, and dynamic web applications despite the complexities associated with the automated analysis of modern web applications.