15th USENIX Security Symposium Abstract
Pp. 179192 of the Proceedings
Static Detection of Security Vulnerabilities in Scripting
Yichen Xie and Alex Aiken,
We present a static analysis algorithm for detecting security
vulnerabilities in PHP, a popular server-side scripting
language for building web applications. Our analysis
employs a novel three-tier architecture to capture information
at decreasing levels of granularity at the intrablock,
intraprocedural, and interprocedural level. This
architecture enables us to handle dynamic features of
scripting languages that have not been adequately addressed
by previous techniques.
We demonstrate the effectiveness of our approach on
six popular open source PHP code bases, finding 105 previously
unknown security vulnerabilities, most of which
we believe are remotely exploitable.
- View the full text of this paper in HTML and PDF. Listen to the presentation and Q & A in MP3 format.
Until August 2007, you will need your USENIX membership identification in order to access the full papers.
The Proceedings are published as a collective work, © 2006 by the USENIX Association. All Rights Reserved. Rights to individual papers remain with the author or the author's employer. Permission is granted for the noncommercial reproduction of the complete work for educational or research purposes. USENIX acknowledges all trademarks within this paper.