A New Source Code Auditing Algorithm for Detecting LFI and RFI in PHP Programs
Static analysis of source code is used to audit web applications for vulnerabilities. In this paper, we propose a new algorithm that analyzes PHP source code to detect potential local file inclusion (LFI) and remote file inclusion (RFI) vulnerabilities. In our approach, we first define patterns that locate functions which can be abused through unhandled user input; more precisely, we use regular expressions as a fast and simple way to express the vulnerability detection patterns. Because inclusion functions can also be used safely, this step alone produces many false positives (FPs). The first cause of such an FP is that the function's argument is not a user-supplied variable, so we extract a list of user-supplied variables and use it to identify the vulnerable lines of code. Since a vulnerability can also spread between variables, for example through multi-level assignment, we additionally extract the hidden user-supplied variables and use the resulting list to reduce the false positives of our method. Finally, since there are ways to prevent inclusion functions from being exploited, we also define patterns that detect these protections and further reduce our false positives.
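The following is an added illustration of the pipeline the abstract describes, written for this page and not the authors' own tool or regexes: a regex locates the inclusion sinks, a list of user-supplied variables is built from assignments that read PHP superglobals, hidden user-supplied variables are found by iterating the assignment rule to a fixpoint (multi-level assignment), and a second set of patterns marks variables that pass through an assumed mitigation (a whitelist check via in_array/array_key_exists, or basename). The superglobal list, the mitigation patterns and the sample PHP file are assumptions constructed here.

```python
import re

# Inclusion functions: the sinks whose argument decides which file or URL is executed.
INCLUDE_RE = re.compile(
    r'(?<![$\w])(include_once|require_once|include|require)\b\s*\(?\s*(.+?)\s*\)?\s*;')
# Superglobals treated as the sources of user input (assumed list, not the paper's).
SOURCES = {'$_GET', '$_POST', '$_REQUEST', '$_COOKIE', '$_FILES', '$_SERVER'}
# Assignment  $lhs = rhs;  or  $lhs .= rhs;  ((?!=) excludes == comparisons).
ASSIGN_RE = re.compile(r'(\$[A-Za-z_]\w*)\s*\.?=(?!=)\s*([^;]+?);')
VAR_RE = re.compile(r'\$[A-Za-z_]\w*')
# Mitigation patterns (assumed examples): the first variable argument counts as checked.
SANITIZER_RE = re.compile(r'\b(in_array|array_key_exists|basename)\s*\(([^)]*)')
COMMENT_RE = re.compile(r'(?<!:)//.*$')   # drop // comments but keep http:// in strings


def strip_comment(line):
    return COMMENT_RE.sub('', line)


def find_user_supplied(lines):
    """Map variable -> 'source' | 'direct' | 'hidden'.

    'direct' variables are assigned straight from a superglobal; 'hidden' ones
    are reached only through further assignments (multi-level assignment).
    The loop repeats until no new variable becomes tainted (fixpoint)."""
    taint = {s: 'source' for s in SOURCES}
    changed = True
    while changed:
        changed = False
        for line in lines:
            m = ASSIGN_RE.search(line)
            if not m:
                continue
            lhs, rhs = m.group(1), m.group(2)
            if SANITIZER_RE.search(rhs):
                continue          # e.g. $p = basename($_GET['p']); does not propagate taint
            rhs_vars = VAR_RE.findall(rhs)
            if lhs in taint or not any(v in taint for v in rhs_vars):
                continue
            taint[lhs] = 'direct' if any(v in SOURCES for v in rhs_vars) else 'hidden'
            changed = True
    return taint


def find_sanitized(lines):
    """Variables that appear as the first argument of a mitigation pattern anywhere."""
    checked = set()
    for line in lines:
        for _func, args in SANITIZER_RE.findall(line):
            args_vars = VAR_RE.findall(args)
            if args_vars:
                checked.add(args_vars[0])
    return checked


def scan(source):
    """Report inclusion calls whose argument contains a user-supplied variable."""
    lines = [strip_comment(l) for l in source.splitlines()]
    taint = find_user_supplied(lines)
    checked = find_sanitized(lines)
    findings = []
    for no, line in enumerate(lines, 1):
        m = INCLUDE_RE.search(line)
        if not m:
            continue
        func, arg = m.group(1), m.group(2)
        used = [v for v in VAR_RE.findall(arg) if v in taint]
        if not used:
            continue              # constant or non-user-supplied argument: not reported
        status = 'mitigated' if all(v in checked for v in used) else 'vulnerable'
        findings.append({'line': no, 'function': func, 'vars': used,
                         'kinds': {v: taint[v] for v in used}, 'status': status})
    return findings


# Constructed sample input, not code from any real application.
SAMPLE_PHP = """<?php
$page = $_GET['page'];                   // directly user-supplied
$tpl  = $page . '.php';                  // hidden user-supplied (multi-level assignment)
$lang = $_COOKIE['lang'];
$allowed = array('en', 'de');
if (!in_array($lang, $allowed)) { $lang = 'en'; }
$x = 'static';
include 'header.php';                    // constant argument: nothing to report
include($tpl);                           // LFI/RFI candidate via a hidden user-supplied variable
require_once 'lang/' . $lang . '.php';   // user-supplied but whitelist-checked: mitigated
include $x;                              // not user-supplied: no finding
"""

if __name__ == '__main__':
    for f in scan(SAMPLE_PHP):
        print(f"line {f['line']}: {f['function']}({', '.join(f['vars'])}) -> {f['status']} {f['kinds']}")
```

The analysis is line-oriented and flow-insensitive, which is what makes the regex approach fast: a whitelist check counts as a mitigation wherever it appears in the file, even if it is not on every path to the include, and statements split across lines are missed. Those are the trade-offs that leave some false positives and false negatives in such a scanner.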
@article{International Journal of Information, Control and Computer Sciences:54448,
  author   = "Seyed Ali Mir Heydari and Mohsen Sayadiharikandeh",
  title    = "A New Source Code Auditing Algorithm for Detecting LFI and RFI in PHP Programs",
  abstract = "Static analysis of source code is used for auditing web applications to detect the vulnerabilities. In this paper, we propose a new algorithm to analyze the PHP source code for detecting LFI and RFI potential vulnerabilities. In our approach, we first define some patterns for finding some functions which have potential to be abused because of unhandled user inputs. More precisely, we use regular expression as a fast and simple method to define some patterns for detection of vulnerabilities. As inclusion functions could be also used in a safe way, there could occur many false positives (FP). The first cause of these FPs could be that the function does not use a user-supplied variable as an argument. So, we extract a list of user-supplied variables to be used for detecting vulnerable lines of code. On the other side, as vulnerability could spread among the variables like by multi-level assignment, we also try to extract the hidden user-supplied variables. We use the resulting list to decrease the false positives of our method. Finally, as there exist some ways to prevent the vulnerability of inclusion functions, we define also some patterns to detect them and decrease our false positives.",
  keywords = "User-supplied Variables, hidden user-supplied variables, PHP vulnerabilities.",
  volume   = "2",
  number   = "9",
  pages    = "2967-6",
}