Ardilla

Automatic Creation of SQL Injection and
Cross-site Scripting (XSS) Attacks



Ardilla is an automated tool for creating SQL injection and XSS attack vectors in PHP Web applications. SQL injection (SQLI) and cross-site scripting (XSS) are widespread attacks in which the attacker crafts input to the application so that it reaches a sensitive sink unsanitized: in SQLI the input changes the structure of a database query, letting the attacker read or modify data; in XSS the input is echoed into a page, where the victim's browser executes it as script. In the most serious variant (second-order, or persistent, XSS), the attacker's input is first stored in the database and is executed later, when it is served to subsequent users.

Ardilla automatically creates inputs that expose SQLI and XSS vulnerabilities. Ardilla generates sample inputs, symbolically tracks taints through execution (including through database accesses), and mutates the inputs to produce concrete exploits. Ours is the first analysis of which we are aware that precisely addresses second-order XSS attacks.

Ardilla creates real attack vectors, has few false positives, incurs no runtime overhead for the deployed application, works without requiring modification of application code, and handles dynamic programming-language constructs. We evaluated Ardilla on five PHP applications and found 68 previously unknown vulnerabilities (23 SQLI, 33 first-order XSS, and 12 second-order XSS).
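The following is an added example, not Ardilla's own code, that shows the shape of the workflow described above on a toy target. String values carry a taint bit through a simulated PHP-style guestbook, across a simulated database (so taint survives a store-then-read round trip), to an SQL sink and an HTML sink. A run on benign input records which sinks user data reaches; attack patterns are then substituted for that input and a candidate is reported only if it actually changes the sink's structure (the query's shape, or a <script> element in the page), which is what keeps the false-positive count low. The application, the database, the two attack patterns and every name below (Tainted, sql_sink, html_sink, find_attacks) are constructed for this example; the query-shape comparison is a crude stand-in for comparing SQL parse trees.

```python
# Added example for this page, not Ardilla's own code. The guestbook app,
# the in-memory database, the attack patterns and all names are constructed.
from html.parser import HTMLParser
import html
import re

class Tainted:
    """A string that remembers whether any part of it came from user input."""
    def __init__(self, text, tainted=False):
        self.text, self.tainted = text, tainted
    def __add__(self, other):
        o = other if isinstance(other, Tainted) else Tainted(other)
        return Tainted(self.text + o.text, self.tainted or o.tainted)
    def __radd__(self, other):
        return Tainted(other) + self

DB = []  # simulated table: rows are Tainted, so stored data keeps its taint

def sql_sink(query):
    """Return (taint reached the query?, query shape). The shape masks the
    contents of string literals, so it changes only if the input escapes
    its literal; a crude stand-in for comparing SQL parse trees."""
    shape = re.sub(r"'(?:[^'\\]|\\.)*'", "'?'", query.text)
    return query.tainted, shape

def html_sink(page):
    """Return (taint reached the page?, page contains a <script> element?)."""
    class Finder(HTMLParser):
        script = False
        def handle_starttag(self, tag, attrs):
            if tag == "script":
                self.script = True
    finder = Finder()
    finder.feed(page.text)
    return page.tainted, finder.script

# --- the simulated application: vulnerable unless escape=True ---------------
def app_post(name):
    """'Sign the guestbook': concatenates the input into an INSERT, stores it."""
    query = "INSERT INTO guestbook VALUES ('" + name + "')"
    result = sql_sink(query)
    DB.append(name)
    return result

def app_view(escape=False):
    """'Show guestbook': echoes every stored row into the HTML page."""
    page = Tainted("<html><body>")
    for row in DB:
        cell = Tainted(html.escape(row.text), row.tainted) if escape else row
        page = page + "<p>" + cell + "</p>"
    return html_sink(page + "</body></html>")

def app_search(term, escape=False):
    """'Search': echoes the request parameter straight back (first-order path)."""
    shown = Tainted(html.escape(term.text), term.tainted) if escape else term
    return html_sink("<p>Results for " + shown + "</p>")

SQLI_PATTERNS = ["'); DROP TABLE guestbook; --"]
XSS_PATTERNS = ["<script>alert(1)</script>"]

def find_attacks(benign="Bob", escape=False):
    """1) run benign input, 2) see which sinks taint reaches, 3) mutate the
    input with attack patterns and keep only those that change the sink."""
    findings = []
    DB.clear()
    sql_tainted, benign_shape = app_post(Tainted(benign, tainted=True))
    view_tainted, _ = app_view(escape)
    search_tainted, _ = app_search(Tainted(benign, tainted=True), escape)
    if sql_tainted:
        for pat in SQLI_PATTERNS:
            DB.clear()
            _, shape = app_post(Tainted(benign + pat, tainted=True))
            if shape != benign_shape:        # query structure changed: real SQLI
                findings.append(("SQLI", benign + pat))
    if search_tainted:
        for pat in XSS_PATTERNS:
            _, script = app_search(Tainted(pat, tainted=True), escape)
            if script:                       # reflected straight back: XSS1
                findings.append(("XSS1", pat))
    if view_tainted:
        for pat in XSS_PATTERNS:
            DB.clear()
            app_post(Tainted(pat, tainted=True))
            _, script = app_view(escape)
            if script:                       # came back out of the database: XSS2
                findings.append(("XSS2", pat))
    return findings

if __name__ == "__main__":
    print(find_attacks())              # vulnerable app: SQLI, XSS1 and XSS2
    print(find_attacks(escape=True))   # output escaping removes both XSS findings
```

Note the distinction the example makes between the two XSS findings: the XSS1 case never touches the database, while the XSS2 case is only found because the stored row keeps its taint and is checked again when the view page is rendered. With escape=True the taint still reaches the HTML sink, but no attack pattern produces a script element, so nothing is reported; the SQLI finding is unaffected because escaping output does nothing for the query sink.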

Paper

Adam Kieżun, Philip J. Guo, Karthick Jayaraman, and Michael D. Ernst
“Automatic Creation of SQL Injection and Cross-Site Scripting Attacks”

The paper was published in the proceedings of ICSE'09 (31st International Conference on Software Engineering, Vancouver, Canada, May 16-24, 2009).

Availability

We regret that Ardilla's implementation is not available as open source.

Part of Ardilla's implementation depends on modifications to the open-source Zend PHP interpreter, so that it computes extra information at run time. Those modifications were made (for a different purpose) by a student while he was an intern at IBM. We have since made many more modifications, but because the original small diffs are owned by IBM, we cannot release either those original modifications or our later work that builds on them.

It would be valuable for someone to re-implement the original changes, so that we could release our entire system as we would prefer. We have written a description of the changes to guide anyone who would like to help with this task.

Contributors

Adam Kieżun, project leader (Harvard)
Philip J. Guo (Stanford University)
Karthick Jayaraman (Syracuse University)
Shay Artzi (IBM Research)
Michael D. Ernst (professor, University of Washington)

Experimental Results

Vulnerabilities found and false positives reported by Ardilla on the five PHP applications, per attack type (SQLI = SQL injection, XSS1 = first-order XSS, XSS2 = second-order XSS), with the attack checker in lenient mode and in strict mode:

Program      Attack   Lenient mode                    Strict mode
             type     vulnerabilities  false pos.     vulnerabilities  false pos.
schoolmate   SQLI      6                0              6                0
             XSS1     14                6             10                0
             XSS2      4                0              2                0
webchess     SQLI     12                0             12                0
             XSS1     13               18             13                0
             XSS2      0                0              0                0
faqforge     SQLI      1                0              1                0
             XSS1      4                0              4                0
             XSS2      0                0              0                0
EVE          SQLI      2                0              2                0
             XSS1      2                0              2                0
             XSS2      4                0              2                0
geccbblite   SQLI      2                0              2                0
             XSS1      0                0              0                0
             XSS2      5                0              4                0

Attack pattern libraries used by Ardilla: XSS attack patterns, SQLI attack patterns