A New Source Code Auditing Algorithm for Detecting LFI and RFI in PHP Programs

Static analysis of source code is used to audit web applications for vulnerabilities. In this paper, we propose a new algorithm that analyzes PHP source code to detect potential local file inclusion (LFI) and remote file inclusion (RFI) vulnerabilities. In our approach, we first define patterns that locate the functions which can be abused when they receive unhandled user input. More precisely, we use regular expressions as a fast and simple way to define these vulnerability-detection patterns. Because the inclusion functions can also be used safely, matching them alone produces many false positives (FPs). The first cause of these FPs is that the matched function may not take a user-supplied variable as an argument. We therefore extract a list of user-supplied variables and use it to identify the vulnerable lines of code. Since taint can also spread from one variable to another, for example through multi-level assignment, we also extract the hidden user-supplied variables, i.e. those assigned directly or indirectly from user input. The resulting list is used to reduce the false positives of our method. Finally, since there are known ways to prevent the abuse of inclusion functions, we also define patterns that detect these protections and further reduce our false positives.
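The following Python script is an added illustration of the three stages sketched above (pattern-matching the inclusion constructs, extracting direct and hidden user-supplied variables, and suppressing matches that are sanitized or whitelist-guarded). It is not the paper's tool and its regular expressions, sanitizer list and the PHP sample it scans are all assumptions made for this example; the sample is constructed and the analysis is a straight-line, single-pass approximation (no control-flow or compound-assignment handling).

```python
"""Regex-based taint tracking for PHP include/require calls.

Added example, not the paper's implementation: patterns, sanitizer list
and sample input are assumptions chosen to illustrate the approach.
"""
import re
from typing import List, Set, Tuple

# Constructed sample input (not from the paper).  Line numbers start at 1.
SAMPLE_PHP = r'''<?php
$page = $_GET['page'];
$tpl = $page;
$lang = $_COOKIE['lang'];
$theme = 'default';
$safe = basename($_GET['p']);
include($tpl . '.php');
require_once 'lib/' . $lang . '.php';
include('themes/' . $theme . '.php');
include($safe . '.php');
if (in_array($page, array('home', 'about'))) { include($page . '.php'); }
include $_REQUEST['f'];
'''

# Superglobals that carry attacker-controlled input (direct sources).
SOURCE_RE = re.compile(r"\$_(GET|POST|REQUEST|COOKIE|FILES|SERVER)\b")
# `$name = <expr>;` (plain assignment only; `==`, `.=` etc. are not matched).
ASSIGN_RE = re.compile(r"\$(\w+)\s*=(?!=)\s*(.+?);")
# The four inclusion constructs, with or without parentheses.
INCLUDE_RE = re.compile(
    r"\b(include_once|require_once|include|require)\b\s*\(?\s*(.+?)\)?\s*;")
# Variable references inside an expression.
VAR_RE = re.compile(r"\$(\w+)")
# Assumed sanitizers: a value passed through one of these is treated as safe.
SANITIZER_RE = re.compile(r"\b(basename|intval)\s*\(|\(int\)")
# Assumed whitelist guard on the same line as the include: in_array($var, ...).
WHITELIST_RE = re.compile(r"in_array\s*\(\s*\$(\w+)")


def expression_is_tainted(expr: str, tainted: Set[str]) -> bool:
    """True if expr reads a superglobal or a variable already marked tainted."""
    if SOURCE_RE.search(expr):
        return True
    return any(v in tainted for v in VAR_RE.findall(expr))


def analyze(php_source: str) -> Tuple[Set[str], List[Tuple[int, str, str]]]:
    """Single forward pass over straight-line PHP.

    Returns the set of user-supplied variables (direct and hidden, i.e. reached
    through multi-level assignment) and a list of (line, construct, variable)
    findings for inclusion calls whose argument is tainted and neither
    sanitized nor whitelist-guarded.
    """
    tainted: Set[str] = set()
    findings: List[Tuple[int, str, str]] = []
    for no, line in enumerate(php_source.splitlines(), start=1):
        # 1. propagate taint through the assignments on this line
        for name, expr in ASSIGN_RE.findall(line):
            if SANITIZER_RE.search(expr):
                tainted.discard(name)        # sanitized reassignment clears taint
            elif expression_is_tainted(expr, tainted):
                tainted.add(name)            # direct source or hidden (multi-level)
            else:
                tainted.discard(name)        # reassigned from a constant
        # 2. check every inclusion construct on this line
        guarded = set(WHITELIST_RE.findall(line))
        for construct, arg in INCLUDE_RE.findall(line):
            src = SOURCE_RE.search(arg)
            if src:                          # superglobal used directly
                findings.append((no, construct, src.group(0)))
                continue
            for var in VAR_RE.findall(arg):
                if var in tainted and var not in guarded:
                    findings.append((no, construct, "$" + var))
                    break
    return tainted, findings


if __name__ == "__main__":
    user_vars, hits = analyze(SAMPLE_PHP)
    print("user-supplied variables:", sorted(user_vars))
    for no, construct, var in hits:
        print(f"line {no}: {construct} with user-controlled {var}")
```

On the constructed sample the pass reports lines 7, 8 and 12 and stays silent on the constant path (line 9), the basename()-sanitized path (line 10) and the in_array()-guarded path (line 11); the hidden variable $tpl is caught only because the taint of $page was carried across the intermediate assignment.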



