DOI: 10.1145/2771783.2771787

Experience report: an empirical study of PHP security mechanism usage

Published: 13 July 2015

ABSTRACT

The World Wide Web mainly consists of web applications written in weakly typed scripting languages, with PHP being the most popular language in practice. Empirical evidence based on the analysis of vulnerabilities suggests that security is often added as an ad-hoc solution rather than planned into a web application during the design phase. Although some best-practice guidelines have emerged, no comprehensive security standards are available for developers. Thus, developers often apply their own favorite security mechanisms for data sanitization or validation to keep malicious input out of a web application. In the context of our development of a new static code analysis tool for vulnerability detection, we studied commonly used input sanitization and validation mechanisms in 25 popular PHP applications. Our analysis of 2.5 million lines of code and over 26 thousand secured data flows provides a comprehensive overview of how developers use security mechanisms in practice across different markup contexts. In this paper, we discuss these security mechanisms in detail and reveal common pitfalls. For example, we found certain markup contexts and security mechanisms to be vulnerable more frequently than others. Our empirical study helps researchers, web developers, and tool developers focus on error-prone markup contexts and security mechanisms in order to detect and mitigate vulnerabilities.
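The pitfall the abstract points at, a sanitizer that is adequate in one markup context and insufficient in another, as an added PHP example. It is not code from the paper or from any of the applications it studied; the payloads, function names and the URL scheme allow-list are constructed for illustration. One attacker-controlled value is rendered into four output contexts, first with htmlspecialchars() alone and then with the encoding that the context actually requires.

```php
<?php
// Added example; not code from the paper or from any of the 25 studied
// applications. Payloads, function names and the URL scheme allow-list are
// constructed for illustration.
declare(strict_types=1);

// Constructed attacker-controlled values.
$attrPayload = "' autofocus onfocus='alert(1)";   // closes a single-quoted attribute
$jsPayload   = "' );alert(1);//";                 // closes a single-quoted JS string
$hrefPayload = "java\tscript:alert(1)";           // tab defeats a naive prefix check

// Context 1: HTML body. Entity-encoding < > & " ' is sufficient here.
function htmlBody(string $v): string {
    return '<p>' . htmlspecialchars($v, ENT_QUOTES | ENT_HTML5, 'UTF-8') . '</p>';
}

// Context 2: single-quoted attribute. ENT_COMPAT (the default before PHP 8.1)
// does not encode the single quote, so the payload ends the attribute value
// and appends its own event-handler attribute.
function attrWeak(string $v): string {
    return "<input value='" . htmlspecialchars($v, ENT_COMPAT, 'UTF-8') . "'>";
}
// Fix: ENT_QUOTES encodes both quote characters, whichever delimiter the
// template happens to use.
function attrFixed(string $v): string {
    return "<input value='" . htmlspecialchars($v, ENT_QUOTES | ENT_HTML5, 'UTF-8') . "'>";
}

// Context 3: URL attribute. Entity encoding leaves "javascript:alert(1)"
// intact and the browser executes it on click; the scheme must be validated.
function hrefWeak(string $url): string {
    return '<a href="' . htmlspecialchars($url, ENT_QUOTES, 'UTF-8') . '">link</a>';
}
function hrefFixed(string $url): string {
    // Browsers ignore ASCII control and whitespace characters inside the
    // scheme, so strip them before inspecting it.
    $probe   = preg_replace('/[\x00-\x20\x7f]+/', '', $url) ?? '';
    $allowed = ['http', 'https'];                 // constructed allow-list
    if (preg_match('/^([a-z][a-z0-9+.\-]*):/i', $probe, $m)
        && !in_array(strtolower($m[1]), $allowed, true)) {
        $url = '#';                               // refuse javascript:, data:, vbscript:, ...
    }
    return '<a href="' . htmlspecialchars($url, ENT_QUOTES, 'UTF-8') . '">link</a>';
}

// Context 4: JS string inside an event-handler attribute. Two parsers run in
// sequence: the HTML parser decodes entities in the attribute value, then the
// JS engine parses the result. htmlspecialchars() turns ' into &#039;, the
// HTML parser turns it back into ', and the JS string literal is terminated.
function handlerWeak(string $v): string {
    return '<button onclick="show(\'' . htmlspecialchars($v, ENT_QUOTES, 'UTF-8') . '\')">go</button>';
}
// Fix: encode for the innermost context first (a JS string literal with the
// HTML-significant characters hex-escaped), then for the outer attribute.
function handlerFixed(string $v): string {
    $js = json_encode($v, JSON_HEX_TAG | JSON_HEX_APOS | JSON_HEX_QUOT | JSON_HEX_AMP | JSON_THROW_ON_ERROR);
    return '<button onclick="show(' . htmlspecialchars($js, ENT_QUOTES, 'UTF-8') . ')">go</button>';
}

// Render each context with the weak and, where one is needed, the corrected sanitizer.
foreach ([
    'body'      => [htmlBody($attrPayload), null],
    'attribute' => [attrWeak($attrPayload), attrFixed($attrPayload)],
    'href'      => [hrefWeak($hrefPayload), hrefFixed($hrefPayload)],
    'handler'   => [handlerWeak($jsPayload), handlerFixed($jsPayload)],
] as $context => [$weak, $fixed]) {
    printf("%-9s weak : %s\n", $context, $weak);
    if ($fixed !== null) {
        printf("%-9s fixed: %s\n", $context, $fixed);
    }
}
```

Run from the command line with the PHP CLI; the script prints the weak and corrected markup for each context side by side. Only the body case is safe with htmlspecialchars() alone: the attribute case depends on a flag, the href case needs scheme validation that no entity encoder provides, and the handler case needs two encodings applied inside-out because two parsers decode the value in turn. That is the sense in which the same sanitizer is "secure" for one data flow and not for another, and why secured data flows are best judged per markup context.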


Published in

ISSTA 2015: Proceedings of the 2015 International Symposium on Software Testing and Analysis
July 2015, 447 pages
ISBN: 9781450336208
DOI: 10.1145/2771783
General Chair: Michal Young
Program Chair: Tao Xie

Copyright © 2015 ACM

Permission to make digital or hard copies of all or part of this work for personal or classroom use is granted without fee provided that copies are not made or distributed for profit or commercial advantage and that copies bear this notice and the full citation on the first page. Copyrights for components of this work owned by others than the author(s) must be honored. Abstracting with credit is permitted. To copy otherwise, or republish, to post on servers or to redistribute to lists, requires prior specific permission and/or a fee. Request permissions from [email protected].

Publisher: Association for Computing Machinery, New York, NY, United States


Qualifiers: research-article

Acceptance Rate: 58 of 213 submissions, 27%
