A Formal Approach to Exploiting Multi-stage Attacks Based on File-System Vulnerabilities of Web Applications

Conference paper
Part of the Lecture Notes in Computer Science book series (LNCS, volume 10379)


We propose a formal approach that allows one to (i) reason about file-system vulnerabilities of web applications and (ii) combine file-system vulnerabilities and SQL-Injection vulnerabilities for complex, multi-stage attacks. We have developed an automatic tool that implements our approach and we show its efficiency by discussing four real-world case studies, which are witness to the fact that our tool can generate, and exploit, attacks that, to the best of our knowledge, no other tool for the security of web applications can find.


  1. 1.
    Akhawe, D., Barth, A., Lam, P., Mitchell, J., Song, D.: Towards a formal foundation of web security. In CSF. IEEE (2010). doi: 10.1109/CSF.2010.27
  2. 2.
    Armando, A., et al.: The AVANTSSAR platform for the automated validation of trust and security of service-oriented architectures. In: Flanagan, C., König, B. (eds.) TACAS 2012. LNCS, vol. 7214, pp. 267–282. Springer, Heidelberg (2012). doi: 10.1007/978-3-642-28756-5_19 CrossRefGoogle Scholar
  3. 3.
    ASP documentation: Including Files in ASP Applications.
  4. 4.
    Büchler, M., Oudinet, J., Pretschner, A.: Semi-automatic security testing of web applications from a secure model. In: SERE. doi: 10.1109/SERE.2012.38
  5. 5.
    Calvi, A., Viganò, L.: An automated approach for testing the security of web applications against chained attacks. In: 31st ACM/SIGAPP Symposium on Applied Computing (SAC). ACM Press (2016). doi: 10.1145/2851613.2851803
  6. 6.
    Carey, M.: Penetration Testing vs. Vulnerability Scanning - What’s the Difference?
  7. 7.
    Christey, S.: The 2009 CWE/SANS top 25 most dangerous programming errors.
  8. 8.
    Damele, B., Guimarães, A.: Advanced SQL injection to operating system full control. In: BlackHat EU (2009)Google Scholar
  9. 9.
    De Meo, F., Rocchetto, M., Viganò, L.: Formal analysis of vulnerabilities of web applications based on SQL injection. In: Barthe, G., Markatos, E., Samarati, P. (eds.) STM 2016. LNCS, vol. 9871, pp. 179–195. Springer, Cham (2016). doi: 10.1007/978-3-319-46598-2_13 CrossRefGoogle Scholar
  10. 10.
    De Meo, F., Viganò, L.: WAFEx: Web Application Formal Exploiter.
  11. 11.
    De Meo, F., Viganò, L.: A Formal Approach to Exploiting Multi-Stage Attacks based on File-System Vulnerabilities of Web Applications (Extended Version) (2017).
  12. 12.
    Dolev, D., Yao, A.C.: On the security of public key protocols. IEEE Trans. Inf. Theory 29, 198–208 (1983). doi: 10.1109/TIT.1983.1056650 MathSciNetCrossRefzbMATHGoogle Scholar
  13. 13.
    DotDotPwn - The Directory Traversal Fuzzer.
  14. 14.
    Doupé, A., Cova, M., Vigna, G.: Why johnny can’t pentest: an analysis of black-box web vulnerability scanners. In: Kreibich, C., Jahnke, M. (eds.) DIMVA 2010. LNCS, vol. 6201, pp. 111–131. Springer, Heidelberg (2010). doi: 10.1007/978-3-642-14215-4_7 CrossRefGoogle Scholar
  15. 15.
    DVWA: Damn Vulnerable Web Application.
  16. 16.
    Glynn, F.: Vulnerability Assessment and Penetration Testing.
  17. 17.
  18. 18.
    The Java EE 5 Tutorial: Reusing Content in JSP Pages.
  19. 19.
  20. 20.
  21. 21.
    Postswigger. Burp Proxy (2014).
  22. 22.
    Rocchetto, M., Ochoa, M., Torabi Dashti, M.: Model-based detection of CSRF. In: Cuppens-Boulahia, N., Cuppens, F., Jajodia, S., Abou El Kalam, A., Sans, T. (eds.) SEC 2014. IFIP AICT, vol. 428, pp. 30–43. Springer, Heidelberg (2014). doi: 10.1007/978-3-642-55415-5_3 CrossRefGoogle Scholar
  23. 23.
    SANS Institute. Penetration Testing: Assessing Your Overall Security Before Attackers Do.
  24. 24.
    Trustwave SpiderLabs. Joomla SQL Injection Vulnerability Exploit Results in Full Administrative Access (2015).
  25. 25.
    Viganò, L.: The SPaCIoS project: secure provision and consumption in the internet of services. In: Software Testing, Verification and Validation (ICST) (2013). doi: 10.1109/ICST.2013.75
  26. 26.
    Wfuzz: The Web Bruteforcer.

Copyright information

© Springer International Publishing AG 2017

Authors and Affiliations

  1. 1.Dipartimento di InformaticaUniversità degli Studi di VeronaVeronaItaly
  2. 2.Department of InformaticsKing’s College LondonLondonUK

Personalised recommendations