Automated Detection of Complex Vulnerabilities with Static Code Analysis
PHP remains the most popular server-side language on the Web and the
favored target language for Web attacks. Although developers have become more aware
of traditional vulnerability types, such as XSS and SQLi, these flaws
still persist due to faulty security mechanisms or intricate language
features. Moreover, more complex vulnerability types, such as
second-order vulnerabilities or PHP object injections, are comparatively
little known, yet they are actively exploited by attackers.
The manual detection of such complex vulnerabilities in modern PHP
applications with hundreds of thousands of lines of code is time-consuming
and expensive. With the help of static code analysis, security
vulnerabilities can be detected in an automated fashion and subsequently
remediated. However, previous research in this area focused only on the
shallow detection of traditional vulnerability types and neglected more
complex occurrences and types of vulnerabilities.
This talk shows how to detect complex vulnerabilities automatically with
state-of-the-art code analysis techniques. These techniques can
precisely detect traditional security vulnerabilities in various markup
contexts, as well as second-order vulnerabilities and gadget chains for
PHP object injections. Further, the open challenges and lessons learned
during the development and evaluation of these techniques are outlined.