Modern web services utilize complex architectures involving diverse HTTP processing components. These components include CDNs, WAFs, proxies, and web servers (e.g., Nginx, Apache, Cloudflare, and GCP). Independent parsing rules across these components lead to discrepancies in interpreting identical HTTP requests, including the URI. This phenomenon, known as Path Confusion, leads to critical security vulnerabilities, such as authentication bypass and sensitive data exposure. However, existing penetration testing methods fail to identify these vulnerabilities adequately. This limitation stems from limited system-wide visibility and operational risks in live environments. To address these challenges, we present PathFault, an automated methodology leveraging a Predicate Logic-based Surrogate Model. This model systematically abstracts component-specific parsing behaviors, enabling precise vulnerability analysis with minimal invasive testing. Furthermore, PathFault incorporates SMT solving techniques to automatically generate targeted exploit payloads. It combines security researchers’ domain expertise with web service-specific parsing logic. Consequently, our approach significantly improves detection accuracy. It comprehensively assesses dynamic system interactions and addresses limitations of traditional root-cause analysis. Evaluation demonstrates PathFault’s efficacy in identifying previously overlooked Path Confusion vulnerabilities.

错误:搜索内容不能为空,请输入英文关键词
错误:关键词超出字数限制,请精简
高级检索

PathFault: Automated Exploit Generator for Web Services via HTTP Message Parser Discrepancies

  • Juryeok Kim,
  • Youngjoo Shin

摘要

Modern web services utilize complex architectures involving diverse HTTP processing components. These components include CDNs, WAFs, proxies, and web servers (e.g., Nginx, Apache, Cloudflare, and GCP). Independent parsing rules across these components lead to discrepancies in interpreting identical HTTP requests, including the URI. This phenomenon, known as Path Confusion, leads to critical security vulnerabilities, such as authentication bypass and sensitive data exposure. However, existing penetration testing methods fail to identify these vulnerabilities adequately. This limitation stems from limited system-wide visibility and operational risks in live environments. To address these challenges, we present PathFault, an automated methodology leveraging a Predicate Logic-based Surrogate Model. This model systematically abstracts component-specific parsing behaviors, enabling precise vulnerability analysis with minimal invasive testing. Furthermore, PathFault incorporates SMT solving techniques to automatically generate targeted exploit payloads. It combines security researchers’ domain expertise with web service-specific parsing logic. Consequently, our approach significantly improves detection accuracy. It comprehensively assesses dynamic system interactions and addresses limitations of traditional root-cause analysis. Evaluation demonstrates PathFault’s efficacy in identifying previously overlooked Path Confusion vulnerabilities.