Effect of Coding Styles in Detection of Web Application Vulnerabilities

Abstract

Web application security has become paramount for the organisation's operation, and therefore, static analysis tools (SAT) for vulnerability detection have been widely researched in the last years. Nevertheless, SATs often generate errors (false positives & negatives), whose cause is recurrently associated with very diverse coding styles, i.e., similar functionality is implemented in distinct manners, and programming practices that create ambiguity, such as the reuse and share of variables. The paper presents an analysis of SAT's behaviour and results when they process various relevant web applications coded with different coding styles. Furthermore, it discusses if the SQL injection vulnerabilities detected by SATs as true positives are really exploitable. Our results demonstrate that SATs are built having in mind how to detect specific vulnerabilities, without considering such forms of programming. They call to action for a new generation of SATs that are highly malleable to be capable of processing the codes observed in the wild.