Posted on 2021-05-01, 00:00, authored by Niccolo Picca
In the modern era, web applications have become more and more popular:
with the rise of social networks and the industry’s trend towards the
cloud, most of the tasks that used to be done on a local machine can
now be executed inside a browser. Due to the widespread adoption of
this paradigm, even desktop applications are written as web
applications (using frameworks such as Electron). With this new
browser-centric trend, securing the information stored in the browser
becomes more and more crucial; however, this aspect is often
overlooked by web developers, as evidenced by the fact that Cross-Site
Scripting vulnerabilities have appeared in OWASP's well-known Top 10
Web Application Security Risks list since its inception in 2003.
Many security researchers have tried to build automated scanners for
web applications, using both "static" techniques (based on analysis of
the source code) and "dynamic" techniques (based on analysis of the
application at runtime), each with its own set of strengths and
limitations, which are analyzed in the first section of this
document. We have designed a novel hybrid approach that takes
advantage of the strengths of both static and dynamic analysis while
reducing their weaknesses. In real-world experiments, our
implementation, EXP2, analyzed over 10 million lines of source code
across 32 popular PHP applications, identifying 113 XSS
vulnerabilities that resulted in 20 CVE entries.