There are two main scenarios where SATC fails to detect vulnerabilities caused by non-hidden data. First, instead of just using the key alone as an identifier to extract user input, it will also combine the URI and key. For vulnerability CVE-A in motivation, the key SubnetMask are identified in the frontend file SetVirtualServerSettings.xml. However, in the backend program prog.cgi, websGetVarString extracts user input based on the combined keyword of URI and key. Consequently, SATC fails to recognize this keyword, resulting in the inability to detect the vulnerability CVE-A. Second, incomplete predefined rules prevent non-hidden key extraction. For another vulnerability CVE-2022-45997, the URI setPortMirror and key portMirrorMirroredPorts that lead to the vulnerability can both be found in the frontend file portMirror.js. However, SATC fails to detect this vulnerability. Through manual confirmation, we have verified that SATC does not extract the corresponding keywords from portMirror.js, which further demonstrates the incomplete of keyword matching rules using by SATC.

It shows the vulnerability CVE-2023-23270 caused by hidden URI and key detected by LARA. The main process of discovering this vulnerability was as follows: ❶ URI modifyDNSForward and key DNSDomainName were extracted from the frontend file DNSForward.html; ❷ In the backend program httpd, URI modifyDNSForward was used to extract the registration function websDefineAction; ❸ In the backend program httpd, key DNSDomainName were used to extract the key handling function websGetVar; ❹ In the backend program httpd, registration function websDefineAction was used to extract URI setDebugCfg and its corresponding handling function formSetDebugCfg; ❺ In function formSetDebugCfg, key handling function websGetVar was used to to extract key enable, level and module; ❻ In the function formSetDebugCfg, taint analysis was performed on the user inputs represented by key enable, level and module, and then the command injection vulnerability was discovered. When we manually examined the code, we found that the URI and key that caused the vulnerability were not present in the frontend file. Therefore, SATC was unable to detect this vulnerability, while LARA was able to extract hidden URI and key through the backend program handling logic and successfully discover this vulnerability.

It shows the vulnerability CVE-2022-29328 caused by a 3-layer wrapper function checkValidUpgrade detected by LARA. LARA identified wrappers of dangerous functions in the shared library libhnap.so. When the function splite_cookie copies a string pointed to by a1 into buffer v4, it does not check the length of the string, resulting in a potential buffer overflow vulnerability. LARA found that a buffer overflow occurs when the second argument to function checkValidUpgrade is controllable. In program web_cgi.cgi which is linked to library libhnap.so, function main first reads the value of parameter cookie from HTTP request and then passes it to function checkValidUpgrade for processing. If we provide a very long value for parameter cookie, the buffer overflow vulnerability can be triggered.