PathFault: Automated Exploit Generator for Web Services via HTTP Message Parser Discrepancies
摘要
Modern web services utilize complex architectures involving diverse HTTP processing components. These components include CDNs, WAFs, proxies, and web servers (e.g., Nginx, Apache, Cloudflare, and GCP). Independent parsing rules across these components lead to discrepancies in interpreting identical HTTP requests, including the URI. This phenomenon, known as Path Confusion, leads to critical security vulnerabilities, such as authentication bypass and sensitive data exposure. However, existing penetration testing methods fail to identify these vulnerabilities adequately. This limitation stems from limited system-wide visibility and operational risks in live environments. To address these challenges, we present PathFault, an automated methodology leveraging a Predicate Logic-based Surrogate Model. This model systematically abstracts component-specific parsing behaviors, enabling precise vulnerability analysis with minimal invasive testing. Furthermore, PathFault incorporates SMT solving techniques to automatically generate targeted exploit payloads. It combines security researchers’ domain expertise with web service-specific parsing logic. Consequently, our approach significantly improves detection accuracy. It comprehensively assesses dynamic system interactions and addresses limitations of traditional root-cause analysis. Evaluation demonstrates PathFault’s efficacy in identifying previously overlooked Path Confusion vulnerabilities.