| | |
Summary: Static Detection of Security Vulnerabilities
in Scripting Languages
Yichen Xie Alex Aiken
Computer Science Department
Stanford University
Stanford, CA 94305
{yxie,aiken}@cs.stanford.edu
Abstract
We present a static analysis algorithm for detecting secu-
rity vulnerabilities in PHP, a popular server-side script-
ing language for building web applications. Our analysis
employs a novel three-tier architecture to capture infor-
mation at decreasing levels of granularity at the intra-
block, intraprocedural, and interprocedural level. This
architecture enables us to handle dynamic features of
scripting languages that have not been adequately ad-
dressed by previous techniques.
We demonstrate the effectiveness of our approach on
six popular open source PHP code bases, finding 105 pre-
viously unknown security vulnerabilities, most of which
|
