A New Source Code Auditing Algorithm for Detecting LFI and RFI in PHP Programs
Commenced in January 2007
Frequency: Monthly
Edition: International
Paper Count: 32769
A New Source Code Auditing Algorithm for Detecting LFI and RFI in PHP Programs

Authors: Seyed Ali Mir Heydari, Mohsen Sayadiharikandeh

Abstract:

Static analysis of source code is used for auditing web applications to detect the vulnerabilities. In this paper, we propose a new algorithm to analyze the PHP source code for detecting LFI and RFI potential vulnerabilities. In our approach, we first define some patterns for finding some functions which have potential to be abused because of unhandled user inputs. More precisely, we use regular expression as a fast and simple method to define some patterns for detection of vulnerabilities. As inclusion functions could be also used in a safe way, there could occur many false positives (FP). The first cause of these FP-s could be that the function does not use a usersupplied variable as an argument. So, we extract a list of usersupplied variables to be used for detecting vulnerable lines of code. On the other side, as vulnerability could spread among the variables like by multi-level assignment, we also try to extract the hidden usersupplied variables. We use the resulted list to decrease the false positives of our method. Finally, as there exist some ways to prevent the vulnerability of inclusion functions, we define also some patterns to detect them and decrease our false positives.

Keywords: User-supplied Variables, hidden user-supplied variables, PHP vulnerabilities.

Digital Object Identifier (DOI): doi.org/10.5281/zenodo.1060896

Procedia APA BibTeX Chicago EndNote Harvard JSON MLA RIS XML ISO 690 PDF Downloads 2452

References:


[1] Y.-W. Huang, S.-K. Huang, T.-P. Lin, and C.-H. Tsai. Web application security assessment by fault injection and behavior monitoring. In WWW '03: Proceedings of the 12th International Conference on World Wide Web, 2003.
[2] A. Nguyen-Tuong, S. Guarnieri, D. Greene, J. Shirley, and D. Evans. Automatically hardening web applications using precise tainting. In IFIP Security 2005, 2005.
[3] T. Pietraszek and C. V. Berghe. Defending against injection attacks through context-sensitive string evaluation. In Recent Advances in Intrusion Detection 2005 (RAID), 2005.
[4] Y.-W. Huang, F. Yu, C. Hang, C.-H. Tsai, D. Lee, and S.-Y. Kuo. Securing web application code by static analysis and runtime protection. In Proceedings of the 13th InternationalWorldWideWeb Conference, 2004.
[5] Yao-Wen Huang, Fang Yu, Christian Hang, Chung-Hung Tsai, D. T.Lee, and Sy-Yen Kuo. Verifying web applications using bounded model checking. In DSN, 2004.
[6] V. B. Livshits and M. S. Lam. Finding security errors in Java programs with static analysis. In Proceedings of the 14th Usenix Security Symposium, Aug. 2005.
[7] Y. Minamide. Static approximation of dynamically generated web pages. In WWW '05: Proceedings of the 14th International Conference on World Wide Web, 2005.
[8] FIS. http://www.segfault.gr
[9] Engin Kirda, Christopher Kruegel, Giovanni Vigna, and Nenad Jovanovic. Noxes: A client-side solution for mitigating cross-site scripting attacks. In The 21st ACM Symposium on Applied Computing (SAC 2006), 2006
[10] Yao-Wen Huang, Fang Yu, Christian Hang, Chung-Hung Tsai, Der-Tsai Lee, and Sy-Yen Kuo. Securing web application code by static analysis and runtime protection. In WWW -04: Proceedings of the 13th International Conference on World Wide Web, 2006.
[11] Engin Kirda, Christopher Kruegel, Giovanni Vigna, and Nenad Jovanovic. Noxes: A client-side solution for mitigating cross-site scripting attacks. In The 21st ACM Symposium on Applied Computing (SAC 2006), 2006.
[12] Yichen Xie, Alex Aiken. Static Detection of Security Vulnerabilities in Scripting Languages. In Proceedings of the 15th USENIX Security Symposium, pages 179-192, July 2006.
[13] Nenad Jovanovic, Christopher Kruegel, and Engin Kirda. Pixy: A Static Analysis Tool for Detecting Web Application Vulnerabilities (Short Paper). In IEEE Symposium on Security and Privacy, 2006.
[14] PHP-Sat. http://PHP-SAT.org
[15] DAPHPScan version 1.0. http://www.acid-root.new.fr
[16] http://www.netcraft.com
[17] http://www.securityfocus.com
[18] http://www.milw0rm.com