Publication: Master thesis, 2018

PHPWander: A Static Vulnerability Analysis Tool for PHP

Jurasek, Pavel;
Open Access, English
  • Published: 01 Jan 2018
Abstract
PHP is a leading server-side scripting language for developing dynamic web sites. Given this prevalence, PHP applications have become common targets of attacks. One cannot rely on programmers alone to deliver vulnerability-free code; automated tools can help discover these vulnerabilities. We present PHPWander, a static vulnerability analysis tool for PHP written in PHP. As modern PHP applications are written in an object-oriented manner, the tool is able to process object-oriented code as well.
Subjects
ACM Computing Classification System: InformationSystems_GENERAL
23 references, page 1 of 2

Table of contents

2 Security vulnerabilities
  2.1 Injections
  2.2 Cross-site scripting (XSS)
  2.3 Command injection
  2.4 Code injection
  2.5 Path traversal
  2.6 Other vulnerabilities

3 PHP Language
  3.1 History and description
  3.2 Typing
  3.3 Predefined variables
  3.4 Object-oriented aspects in PHP
  3.5 Class autoloading

4 Static analysis
  4.1 Data flow analysis
  4.2 Taint analysis
    4.2.1 Tainting method
    4.2.2 Control flow graphs
  4.3 Data flow sensitivities
    4.3.1 Flow sensitivity
    4.3.2 Context sensitivity
  4.4 SSA form
  4.5 Static analysis tools for PHP
    4.5.1 Code improvement tools
    4.5.2 Security checking tools

5 Development phase
  5.1 Architecture

6 Evaluation
  6.1 Competing tools
    6.1.1 RIPS scanner
    6.1.2 Phortress
    6.1.3 Progpilot
  6.2 Code snippets analysis results
    6.2.1 Comparison
    6.2.2 Evaluation
  6.3 DVWA analysis results
    6.3.1 Evaluation

7 Conclusion and future work
  7.1 Future work
    7.1.1 Detailed vulnerability report
    7.1.2 Web interface
    7.1.3 Early termination
    7.1.4 Templating engines support
    7.1.5 Reflection without side-effects

