ISSTA 2024
Mon 16 - Fri 20 September 2024 Vienna, Austria
co-located with ISSTA/ECOOP 2024
Wed 18 Sep 2024 13:30 - 13:50 at EI 3 Sahulka - Vulnerability Detection Chair(s): Cuiyun Gao

Data binding has been widely adopted by popular web frameworks because it conveniently binds web request parameters to the web program's properties automatically. However, its improper implementation in web frameworks exposes sensitive properties, leading to data binding vulnerabilities, which can be exploited to launch severe attacks, such as the Spring4Shell remote code execution. Despite their criticality, these issues are overlooked, and there is no systematic study addressing them.

This paper presents the first automatic analysis of the data binding vulnerabilities in Java web frameworks. We develop an automatic Data bInding Vulnerabilities dEtectoR, named DIVER, to analyze data binding vulnerabilities. DIVER employs three new techniques: the Nested Property Graph-based Extraction to extract nested properties, the Bind-Site Instrumentation-based Identification to identify bindable nested properties, and the Property-aware Fuzzing to trigger and detect data binding vulnerabilities.

We evaluated DIVER on two widely used Java web frameworks, Spring and Grails, and discovered 81 data binding vulnerabilities. These vulnerabilities can be exploited to launch remote code execution, arbitrary file read, and denial of service attacks. We have responsibly reported these vulnerabilities to the corresponding teams and helped to fix them. Three new CVEs with critical and high severity ratings have been assigned to us, including the infamous Spring4Shell.

Wed 18 Sep

Displayed time zone: Amsterdam, Berlin, Bern, Rome, Stockholm, Vienna

13:30 - 14:50
Vulnerability Detection (Technical Papers) at EI 3 Sahulka
Chair(s): Cuiyun Gao Harbin Institute of Technology
13:30
20m
Talk
Automated Data Binding Vulnerability Detection for Java Web Frameworks via Nested Property Graph
Technical Papers
Xiaoyong Yan Zhejiang University, Biao He Ant Group, Wenbo Shen Zhejiang University, Yu Ouyang Ant Group, Kaihang Zhou Zhejiang University, Xingjian Zhang Zhejiang University, Xingyu Wang Zhejiang University, Yukai Cao Zhejiang University, Rui Chang Zhejiang University
13:50
20m
Talk
SCALE: Constructing Structured Natural Language Comment Trees for Software Vulnerability Detection
Technical Papers
Xin-Cheng Wen Harbin Institute of Technology, Cuiyun Gao Harbin Institute of Technology, Shuzheng Gao Chinese University of Hong Kong, Yang Xiao Chinese Academy of Sciences, Michael Lyu Chinese University of Hong Kong
14:10
20m
Talk
CEBin: A Cost-Effective Framework for Large-Scale Binary Code Similarity Detection
Technical Papers
Hao Wang Tsinghua University, Zeyu Gao Tsinghua University, Chao Zhang Tsinghua University, Mingyang Sun University of Electronic Science and Technology of China, Yuchen Zhou Beijing University of Technology, Han Qiu Tsinghua University, Xi Xiao Tsinghua University
14:30
20m
Talk
Graph Neural Networks for Vulnerability Detection: A Counterfactual Explanation
Technical Papers
Zhaoyang Chu Huazhong University of Science and Technology, Yao Wan Huazhong University of Science and Technology, Qian Li Curtin University, Yang Wu Huazhong University of Science and Technology, Hongyu Zhang Chongqing University, Yulei Sui UNSW, Guandong Xu University of Technology, Hai Jin Huazhong University of Science and Technology

Information for Participants
Wed 18 Sep 2024 13:30 - 14:50 at EI 3 Sahulka - Vulnerability Detection Chair(s): Cuiyun Gao
Info for room EI 3 Sahulka:

Map: https://tuw-maps.tuwien.ac.at/?q=CF0205

Room tech: https://raumkatalog.tiss.tuwien.ac.at/room/15663