ICSE2020
Revealing injection vulnerabilities by leveraging existing tests
Katherine Hough, Gebrehiwet B. Welearegai, Christian Hammer, Jonathan Bell
Cited by 7
Abstract
Code injection attacks, like the one used in the high-profile 2017 Equifax breach, have become increasingly common, now ranking #1 on OWASP's list of critical web application vulnerabilities. Static analyses for detecting these vulnerabilities can overwhelm developers with false positive reports. Meanwhile, most dynamic analyses rely on detecting vulnerabilities as they occur in the field, which can introduce a high performance overhead in production code. This paper describes a new approach for detecting injection vulnerabilities in applications by harnessing the combined power of human developers' test suites and automated dynamic analysis. Our new approach, Rivulet, monitors the execution of developer-written functional tests in order to detect information flows that may be vulnerable to attack. Then, Rivulet uses a white-box test generation technique to repurpose those functional tests to check if any vulnerable flow could be exploited. When applied to the version of Apache Struts exploited in the 2017 Equifax attack, Rivulet quickly identifies the vulnerability, leveraging only the tests that existed in Struts at that time. We compared Rivulet to the state-of-the-art static vulnerability detector Julia on benchmarks, finding that Rivulet outperformed Julia in both false positives and false negatives. We also used Rivulet to detect new vulnerabilities.
CCS Concepts: • Security and privacy → Vulnerability management; Web application security; • Software and its engineering → Software testing and debugging.
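The two-phase idea in the abstract (record tainted source-to-sink flows while an existing functional test runs, then rerun that same test with attack payloads at the source and see whether the sink's behaviour changes) can be shown on a toy scale. The Python below is an added illustration written for this page; it is not Rivulet's code (Rivulet targets Java applications) and it simplifies every piece: taint is carried by a str subclass that only survives concatenation, the single sink is an instrumented sqlite3 call, the "functional test" and the two lookup functions are constructed for the example, and "exploited" is approximated as "the payload run returns rows the benign run did not".

```python
"""Toy two-phase injection check: (1) run an existing functional test with a
taint-tagged input and record which sinks the taint reaches, (2) rerun the
same test with attack payloads at that source and compare sink behaviour.
Illustration only; not Rivulet's implementation. All names are hypothetical."""
import sqlite3


class Tainted(str):
    """A str that remembers which test input it came from. Taint is
    propagated only through concatenation, the one operation the toy app uses."""
    def __new__(cls, value, label):
        obj = super().__new__(cls, value)
        obj.label = label
        return obj

    def __add__(self, other):
        return Tainted(str.__add__(self, other), self.label)

    def __radd__(self, other):
        return Tainted(str.__add__(other, self), self.label)


FLOWS = []  # (source label, sink name) pairs observed during a test run


def execute_sql(conn, query, params=()):
    """Instrumented sink: record a flow when tainted text is used as SQL."""
    if isinstance(query, Tainted):
        FLOWS.append((query.label, "execute_sql"))
    return conn.execute(query, params).fetchall()


# Application code under test (constructed for this example).
def lookup_user_vulnerable(conn, name):
    # The input becomes part of the SQL text: a candidate injection flow.
    return execute_sql(conn, "SELECT name FROM users WHERE name = '" + name + "'")


def lookup_user_safe(conn, name):
    # The input is bound as a parameter; the SQL text is an untainted literal.
    return execute_sql(conn, "SELECT name FROM users WHERE name = ?", (name,))


def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users(name TEXT)")
    conn.executemany("INSERT INTO users VALUES (?)", [("alice",), ("bob",)])
    return conn


def functional_test(lookup, name="alice"):
    """The pre-existing developer test, parameterised so its input can be
    replaced by a tainted value or a payload."""
    return lookup(make_db(), name)


PAYLOADS = ["' OR '1'='1", "alice' --"]


def find_injection(lookup):
    """Phase 1: taint the test input, run the test, collect flows.
    Phase 2: for each flow, rerun the test with payloads at that source and
    report any payload that makes the sink return rows the benign run did not."""
    FLOWS.clear()
    benign = functional_test(lookup, Tainted("alice", "test_input:name"))
    flows = list(dict.fromkeys(FLOWS))  # snapshot and dedupe before rerunning
    findings = []
    for label, sink in flows:
        for payload in PAYLOADS:
            try:
                result = functional_test(lookup, Tainted(payload, label))
            except sqlite3.Error:
                continue  # payload broke the query; not exploitable as written
            if set(result) - set(benign):
                findings.append((label, sink, payload))
    return findings


if __name__ == "__main__":
    print("safe:", find_injection(lookup_user_safe))
    print("vulnerable:", find_injection(lookup_user_vulnerable))
```

For the parameterised lookup no flow is recorded in phase 1, so phase 2 never runs and the test is not repurposed at all; for the concatenating lookup the `' OR '1'='1` payload is reported because the rerun leaks the second user, while `alice' --` is not, since it yields the same single row as the benign run. The comparison of result sets stands in for the structural sink checks a real tool would perform.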