Artemis: Toward Accurate Detection of Server-Side Request Forgeries through LLM-Assisted Inter-Procedural Path-Sensitive Taint Analysis
Server-side request forgery (SSRF) vulnerabilities are inevitable in PHP web applications. Existing static tools in detecting vulnerabilities in PHP web applications neither contain SSRF-related features to enhance detection accuracy nor consider PHP’s dynamic type features. In this paper, we present Artemis, a static taint analysis tool for detecting SSRF vulnerabilities in PHP web applications. First, Artemis extracts both PHP built-in and application-specific functions as candidate source and sink functions. Second, Artemis constructs both explicit and implicit call graphs to infer functions’ relationships. Third, Artemis performs taint analysis based on a set of rules that prevent over-tainting and pauses when SSRF exploitation is impossible. Fourth, Artemis analyzes the compatibility of path constraints to prune false positives. We have implemented a prototype of Artemis and evaluated it on 250 PHP web applications. Our results show that Artemis reports 207 true vulnerable paths (106 true SSRFs) and 15 false positives. 35 out of the 106 detected SSRFs are newly found and we have reported them to developers. 24 SSRFs have been confirmed with assigned CVE IDs.
Fri 17 OctDisplayed time zone: Perth change
10:30 - 12:15 | Analysis 1OOPSLA at Orchid East Chair(s): Bor-Yuh Evan Chang University of Colorado Boulder & Amazon | ||
10:30 15mTalk | Artemis: Toward Accurate Detection of Server-Side Request Forgeries through LLM-Assisted Inter-Procedural Path-Sensitive Taint Analysis OOPSLA Yuchen Ji ShanghaiTech University, Ting Dai IBM Research, Zhichao Zhou School of Information Science and Technology, ShanghaiTech University, Yutian Tang University of Glasgow, United Kingdom, Jingzhu He ShanghaiTech University | ||
10:45 15mTalk | A Sound Static Analysis Approach to I/O API Migration OOPSLA Shangyu Li The Hong Kong University of Science and Technology, Zhaoyang Zhang The Hong Kong University of Science and Technology, Sizhe Zhong The Hong Kong University of Science and Technology, Diyu Zhou Peking University, Jiasi Shen The Hong Kong University of Science and Technology File Attached | ||
11:00 15mTalk | Automatic Linear Resource Bound Analysis for Rust via Prophecy Potentials OOPSLA Pre-print | ||
11:15 15mTalk | Denotational Foundations for Expected Cost Analysis OOPSLA Pedro Henrique Azevedo de Amorim Cornell University | ||
11:30 15mTalk | IncIDFA: An Efficient and Generic Algorithm for Incremental Iterative Dataflow Analysis OOPSLA | ||
11:45 15mTalk | Revealing Sources of (Memory) Errors via Backward Analysis OOPSLA Flavio Ascari University of Pisa, Roberto Bruni University of Pisa, Roberta Gori Diaprtimento di Informatica, Universita' di Pisa, Italy, Francesco Logozzo Meta | ||
12:00 15mTalk | Two Approaches to Fast Bytecode Frontend for Static Analysis OOPSLA Chenxi Li Nanjing University, China, Haoran Lin Nanjing University, China, Tian Tan Nanjing University, Yue Li Nanjing University | ||