On Security Analysis of PHP Web Applications

Abstract: Abstract-In recent years, focus of business world has been moved towards the Internet. Web applications provide a generous interface non-stop thus offering to malicious users a wide spectrum of possible attacks. Consequently, the security of web applications has become a crucial issue.The state-of-the-art tools for bug discovery in languages used for web-application development, such as PHP, suffer from a relatively high false-positive rate and low coverage of real errors; this is caused mainly by unprecise mo… Show more

“…Dynamic languages such as PHP contain features that pose significant challenges for static analysis. In our previous position paper [1] we introduced our approach to static analysis of PHP and described particular parts of the Weverca analyzer [2]. In this paper we focused on the data modeling part.…”

“…1 as a running example. $t = $arr [1]; // t can be either undefined or can have value 1 6 $t[2] = 2; // can update also $alias [2] and e.g. $arr […”

“…The statement at line 4 makes variable $alias an alias of a statically unknown index of array $arr. Hence, the statement at line 7 accesses $arr [1] [2] and may also access $alias [2]. Similarly, the statement at line 15 makes $alias2 an alias of $arr [2][1] and may also make it an alias of $alias [1].…”

“…1. At the second level, must 2 set consists of the variable [r(GEN )][arr] [1] and the may 2 set is empty. The must 3 set is empty, while the may 3…”

“…In this paper we present our approach to these challenges. Our contribution includes: (1) value and points-to analysis of associative arrays with an arbitrary depth and accessible using statically unknown values and arbitrary expressions, (2) modeling explicit aliases, and (3) a prototype implementation.…”

Data-flow Analysis of Programs with Associative Arrays

“…Dynamic languages such as PHP contain features that pose significant challenges for static analysis. In our previous position paper [1] we introduced our approach to static analysis of PHP and described particular parts of the Weverca analyzer [2]. In this paper we focused on the data modeling part.…”

“…1 as a running example. $t = $arr [1]; // t can be either undefined or can have value 1 6 $t[2] = 2; // can update also $alias [2] and e.g. $arr […”

“…The statement at line 4 makes variable $alias an alias of a statically unknown index of array $arr. Hence, the statement at line 7 accesses $arr [1] [2] and may also access $alias [2]. Similarly, the statement at line 15 makes $alias2 an alias of $arr [2][1] and may also make it an alias of $alias [1].…”

“…1. At the second level, must 2 set consists of the variable [r(GEN )][arr] [1] and the may 2 set is empty. The must 3 set is empty, while the may 3…”

“…In this paper we present our approach to these challenges. Our contribution includes: (1) value and points-to analysis of associative arrays with an arbitrary depth and accessible using statically unknown values and arbitrary expressions, (2) modeling explicit aliases, and (3) a prototype implementation.…”

Data-flow Analysis of Programs with Associative Arrays

Detecting and Fixing SQL Injection and Cross-Site Scripting Vulnerabilities in Web Applications

Inferring Common Language Infrastructure metadata for an ambiguous dynamic language type