Argus: All your (PHP) Injection-sinks are belong to us.

Injection-based vulnerabilities in web applications such as cross-site scripting (XSS), insecure deserialization, and command injection have proliferated in recent years, exposing both clients and web applications to security breaches. Current studies in this area focus on detecting injection vulnerabilities in applications. Crucially, existing systems rely on manually curated lists of functions, so-called sinks, to detect such vulnerabilities. However, current studies are oblivious to the internal mechanics of the underlying programming language. In such a case, existing systems rely on an incomplete set of sinks, which results in disregarding security vulnerabilities. Despite numerous studies on injection vulnerabilities, there has been no study that comprehensively identifies the set of functions that an attacker can exploit for injection attacks.

This paper addresses the drawbacks of relying on manually curated lists of sinks to identify such vulnerabilities. We devise a novel generic approach to automatically identify the set of sinks that can lead to injection-style security vulnerabilities. To demonstrate the generality, we focused on three types of injection vulnerabilities: XSS, command injection, and insecure deserialization. We implemented a prototype of our approach in a tool called Argus to identify the set of PHP functions that deserialize user-input, execute operating system (OS) commands, or write user-input to the output buffer. We evaluated our prototype on the three most popular major versions of the PHPinterpreter. Argus detected 284 deserialization functions that allow adversaries to perform deserialization attacks, an order of magnitude more than the most exhaustive manually curated list used in related work. Furthermore, we detected 22 functions that can lead to XSS attacks, which is twice the number of functions used in prior work. To demonstrate thatArgus produces security-relevant findings, we integrated its results with three existing analysis systems– Psalm and RIPS, two static taint analyses, and FUGIO, an exploit generation tool. Themodifiedtoolsdetected 13 previously unknown deserialization and XSS vulnerabilities in WordPress and its plugins, of which 11 have been assigned CVE IDs and designated as high-severity vulnerabilities.