静态检测PHP应用程序重定向后执行的漏洞

2016 7th IEEE International Conference on Software Engineering and Service Science (ICSESS) Pub Date : 2016-08-01 DOI:10.1109/ICSESS.2016.7883115

Chuansen Chai, Xuexiong Yan, Qingxian Wang, Shukai Liu

{"title":"静态检测PHP应用程序重定向后执行的漏洞","authors":"Chuansen Chai, Xuexiong Yan, Qingxian Wang, Shukai Liu","doi":"10.1109/ICSESS.2016.7883115","DOIUrl":null,"url":null,"abstract":"In recent years, modern web applications are becoming more and more complex and it makes difficult for developers to audit the code. The number of attacks against these applications has increased rapidly. Automated detection techniques for web applications are badly in need. Execution after execution (EAR) vulnerability is a kind of logic flaws for web application. It allows the server-side execution continuing after the intended halting point. This may result in serious consequences such as information leakage. In this paper, we propose a path-sensitive inter-procedural analysis to detect EAR vulnerabilities in PHP web applications. The analysis improves the traditional detection method by verifying the path conditions and considers more details which may influence the false-positive rate. We have shown how our approach can handle situations where other existing tools may fail by some real-world examples.","PeriodicalId":175933,"journal":{"name":"2016 7th IEEE International Conference on Software Engineering and Service Science (ICSESS)","volume":"14 1","pages":"0"},"PeriodicalIF":0.0000,"publicationDate":"2016-08-01","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":"0","resultStr":"{\"title\":\"Static detection of execution after redirect vulnerabilities in PHP applications\",\"authors\":\"Chuansen Chai, Xuexiong Yan, Qingxian Wang, Shukai Liu\",\"doi\":\"10.1109/ICSESS.2016.7883115\",\"DOIUrl\":null,\"url\":null,\"abstract\":\"In recent years, modern web applications are becoming more and more complex and it makes difficult for developers to audit the code. The number of attacks against these applications has increased rapidly. Automated detection techniques for web applications are badly in need. Execution after execution (EAR) vulnerability is a kind of logic flaws for web application. It allows the server-side execution continuing after the intended halting point. This may result in serious consequences such as information leakage. In this paper, we propose a path-sensitive inter-procedural analysis to detect EAR vulnerabilities in PHP web applications. The analysis improves the traditional detection method by verifying the path conditions and considers more details which may influence the false-positive rate. We have shown how our approach can handle situations where other existing tools may fail by some real-world examples.\",\"PeriodicalId\":175933,\"journal\":{\"name\":\"2016 7th IEEE International Conference on Software Engineering and Service Science (ICSESS)\",\"volume\":\"14 1\",\"pages\":\"0\"},\"PeriodicalIF\":0.0000,\"publicationDate\":\"2016-08-01\",\"publicationTypes\":\"Journal Article\",\"fieldsOfStudy\":null,\"isOpenAccess\":false,\"openAccessPdf\":\"\",\"citationCount\":\"0\",\"resultStr\":null,\"platform\":\"Semanticscholar\",\"paperid\":null,\"PeriodicalName\":\"2016 7th IEEE International Conference on Software Engineering and Service Science (ICSESS)\",\"FirstCategoryId\":\"1085\",\"ListUrlMain\":\"https://doi.org/10.1109/ICSESS.2016.7883115\",\"RegionNum\":0,\"RegionCategory\":null,\"ArticlePicture\":[],\"TitleCN\":null,\"AbstractTextCN\":null,\"PMCID\":null,\"EPubDate\":\"\",\"PubModel\":\"\",\"JCR\":\"\",\"JCRName\":\"\",\"Score\":null,\"Total\":0}","platform":"Semanticscholar","paperid":null,"PeriodicalName":"2016 7th IEEE International Conference on Software Engineering and Service Science (ICSESS)","FirstCategoryId":"1085","ListUrlMain":"https://doi.org/10.1109/ICSESS.2016.7883115","RegionNum":0,"RegionCategory":null,"ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":null,"EPubDate":"","PubModel":"","JCR":"","JCRName":"","Score":null,"Total":0}

引用次数: 0

摘要

近年来，现代web应用程序变得越来越复杂，这使得开发人员很难审核代码。针对这些应用程序的攻击数量迅速增加。web应用程序非常需要自动检测技术。执行后执行(EAR)漏洞是web应用程序的一种逻辑缺陷。它允许服务器端执行在预期的停止点之后继续执行。这可能会导致信息泄露等严重后果。在本文中，我们提出了一种路径敏感的过程间分析方法来检测PHP web应用程序中的EAR漏洞。该分析改进了传统的检测方法，通过验证路径条件，并考虑了更多可能影响假阳性率的细节。我们通过一些现实世界的例子展示了我们的方法如何处理其他现有工具可能失败的情况。

本文章由计算机程序翻译，如有差异，请以英文原文为准。

查看原文本刊更多论文

Static detection of execution after redirect vulnerabilities in PHP applications

In recent years, modern web applications are becoming more and more complex and it makes difficult for developers to audit the code. The number of attacks against these applications has increased rapidly. Automated detection techniques for web applications are badly in need. Execution after execution (EAR) vulnerability is a kind of logic flaws for web application. It allows the server-side execution continuing after the intended halting point. This may result in serious consequences such as information leakage. In this paper, we propose a path-sensitive inter-procedural analysis to detect EAR vulnerabilities in PHP web applications. The analysis improves the traditional detection method by verifying the path conditions and considers more details which may influence the false-positive rate. We have shown how our approach can handle situations where other existing tools may fail by some real-world examples.

求助全文

通过发布文献求助，成功后即可免费获取论文全文。去求助

来源期刊

2016 7th IEEE International Conference on Software Engineering and Service Science (ICSESS)

自引率

0.00%

发文量