论文信息 - A New Framework of Security Vulnerabilities Detection in PHP Web Application

A New Framework of Security Vulnerabilities Detection in PHP Web Application

Nowadays, Web applications provide us most of the Internet services, but also give birth to more and more new types of Internet applications. While, according to the developers' programming techniques and safety awareness, there are many kinds of Web application security flaws and vulnerabilities hiding in the program. So it is very important to improve their reliability and security. Usually people use code review based on static or dynamic analysis to detect security vulnerabilities, but each method has shortcomings that can't overcome easily which can result in a big number of false positives and omission. To address this issue, this paper proposed a new framework of detecting security vulnerabilities of PHP web application. In this framework, we combine dynamic and static analysis to make full use of the advantages of the two, greatly improve the efficiency of detection. An implementation based on this framework has also been completed and it will also be presented in the paper.

Jingling Zhao | Rulin Gong | Jingling Zhao | Rulin Gong

[1] David Gregg,et al. Static analysis of dynamic scripting languages , 2009 .

[2] Ezequiel Gutesman,et al. A dynamic technique for enhancing the security and privacy of web applications , 2007 .

[3] Fang Yu,et al. Stranger: An Automata-Based String Analysis Tool for PHP , 2010, TACAS.

[4] Marcelo d'Amorim,et al. Tainted Flow Analysis on e-SSA-Form Programs , 2011, CC.

[5] Christopher Krügel,et al. Pixy: a static analysis tool for detecting Web application vulnerabilities , 2006, 2006 IEEE Symposium on Security and Privacy (S&P'06).

[6] Jan Kofron,et al. Data-flow Analysis of Programs with Associative Arrays , 2014, ESSS.

[7] D. T. Lee,et al. Securing web application code by static analysis and runtime protection , 2004, WWW '04.

[8] David Gregg,et al. Static analysis of dynamic scripting languages Draft : Monday 17 , 2009 .

[9] Christopher Krügel,et al. Saner: Composing Static and Dynamic Analysis to Validate Sanitization in Web Applications , 2008, 2008 IEEE Symposium on Security and Privacy (sp 2008).