HYDRA: Feedback-driven black-box exploitation of injection vulnerabilities
Information and Software Technology (IF 3.9), Pub Date: 2021-08-08, DOI: 10.1016/j.infsof.2021.106703
Manuel Leithner, Bernhard Garn, Dimitris E. Simos

Context:

Injection vulnerabilities remain an omnipresent threat to web application security. These issues arise when user-supplied input is included in commands constructed by the application without applying adequate validation and filtering, permitting attackers to modify the resulting instructions.

Objective:

Tools used in real-world security assessments commonly employ a static list of malicious input strings to be submitted to the system under test (SUT) to gauge the presence of vulnerabilities. However, sanitizing filters may cause these simulated attacks to fail, even if they only mitigate a subset of potentially harmful values. This may result in a false sense of security. This work introduces HYDRA, a feedback-driven black-box security testing approach for the exploitation of injection vulnerabilities. It is capable of constructing inputs designed to evade such imperfect filters while allowing users to define and rank output contexts, abstract locations in the output of the SUT that are associated with desirable semantics (for instance, allowing the execution of JavaScript code).

Method:

Starting with an innocuous initial input string that is submitted to the SUT and appears anywhere in the output, HYDRA identifies the initial output context. It extends the input string with the goal of reaching contexts that are deemed "better" according to domain knowledge. This process continues until an "ideal" output context is reached, usually corresponding to an exploit that impacts the security of the SUT. In addition to this dynamic approach, we present a static variant based on combinatorial security testing. We instantiate our approach by targeting cross-site scripting (XSS) vulnerabilities, detailing the unique challenges posed by HTML parsing, and implement this application of HYDRA in a prototype tool.
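The output-context identification step that the Objective and Method paragraphs describe, as an added illustration rather than code from the HYDRA prototype: a small locator that parses the SUT's HTML response, reports every context (script, attribute value, text node, comment) in which a reflected probe marker landed, and ranks them against a user-defined ordering. The ranking, the marker string and the sample page are assumptions constructed for this example.

```python
from html.parser import HTMLParser

# Assumed ranking of output contexts for an XSS assessment (lower = more
# desirable to the tester); HYDRA lets users define this ordering themselves.
CONTEXT_RANK = {"script": 0, "attribute": 1, "text": 2, "comment": 3, "none": 4}


class ContextLocator(HTMLParser):
    """Records every HTML output context in which a probe marker is reflected."""

    def __init__(self, marker):
        super().__init__()
        self.marker = marker
        self.contexts = []  # (context, detail) pairs in document order
        self._in_script = False

    def handle_starttag(self, tag, attrs):
        if tag == "script":
            self._in_script = True  # following data is script content
        for name, value in attrs:
            if value is not None and self.marker in value:
                self.contexts.append(("attribute", f"{tag}[{name}]"))

    def handle_endtag(self, tag):
        if tag == "script":
            self._in_script = False

    def handle_data(self, data):
        if self.marker in data:
            self.contexts.append(("script" if self._in_script else "text", None))

    def handle_comment(self, data):
        if self.marker in data:
            self.contexts.append(("comment", None))


def locate_contexts(page_html, marker):
    """Return all contexts the marker landed in, best-ranked first."""
    locator = ContextLocator(marker)
    locator.feed(page_html)
    locator.close()
    return sorted(locator.contexts, key=lambda c: CONTEXT_RANK[c[0]])


def best_context(page_html, marker):
    """The single best-ranked context, or 'none' if the marker was not reflected."""
    found = locate_contexts(page_html, marker)
    return found[0][0] if found else "none"


# Constructed response of a hypothetical SUT that reflects a search term in
# several places; a real run would fetch this from the application under test.
SAMPLE_PAGE = """<html><body>
<!-- debug: q=hYdRa7Q -->
<input type="text" name="q" value="hYdRa7Q">
<p>No results for hYdRa7Q</p>
</body></html>"""
```

The returned list is the feedback signal the text describes: the tester compares the best context reached so far with the ranking and decides whether a further input extension is worth submitting.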

Results:

The evaluation shows that our implementation is able to evade faulty filters and is effective at identifying injection vulnerabilities while remaining more flexible than existing approaches by allowing users to define desirable output contexts.

Conclusion:

Based on the results of our evaluation, we are confident that including the HYDRA approach in security assessments will increase the number of identified XSS vulnerabilities, particularly those that are difficult to exploit. We anticipate that an application to other classes of vulnerabilities such as SQL injections will significantly advance the state of the art.



Updated: 2021-08-11