Pixy: A Static Analysis Tool for Detecting Web Application Vulnerabilities (Short Paper) Export

@inproceedings{citeulike:4457601, abstract = {The number and the importance of Web applications have increased rapidly over the last years. At the same time, the quantity and impact of security vulnerabilities in such applications have grown as well. Since manual code reviews are time-consuming, error-prone and costly, the need for automated solutions has become evident. In this paper, we address the problem of vulnerable Web applications by means of static source code analysis. More precisely, we use flow-sensitive, interprocedural and context-sensitive data flow analysis to discover vulnerable points in a program. In addition, alias and literal analysis are employed to improve the correctness and precision of the results. The presented concepts are targeted at the general class of taint-style vulnerabilities and can be applied to the detection of vulnerability types such as SQL injection, cross-site scripting, or command injection. Pixy, the open source prototype implementation of our concepts, is targeted at detecting cross-site scripting vulnerabilities in PHP scripts. Using our tool, we discovered and reported 15 previously unknown vulnerabilities in three web applications, and reconstructed 36 known vulnerabilities in three other web applications. The observed false positive rate is at around 50 \% (i.e., one false positive for each vulnerability) and therefore, low enough to permit effective security audits. }, author = {Jovanovic, Nenad and Kruegel, Christopher and Kirda, Engin}, booktitle = {IN 2006 IEEE SYMPOSIUM ON SECURITY AND PRIVACY}, citeulike-article-id = {4457601}, citeulike-linkout-0 = {http://citeseerx.ist.psu.edu/viewdoc/summary?doi=10.1.1.60.6774}, keywords = {information\_flow\_control, joe\_e, security, web\_application\_security, web\_applications}, pages = {258--263}, posted-at = {2009-10-16 22:56:06}, priority = {2}, title = {Pixy: A Static Analysis Tool for Detecting Web Application Vulnerabilities (Short Paper)}, url = {http://citeseerx.ist.psu.edu/viewdoc/summary?doi=10.1.1.60.6774}, year = {2006} }

TY - CONF ID - citeulike:4457601 L3 - citeulike-article-id:4457601 N2 - The number and the importance of Web applications have increased rapidly over the last years. At the same time, the quantity and impact of security vulnerabilities in such applications have grown as well. Since manual code reviews are time-consuming, error-prone and costly, the need for automated solutions has become evident. In this paper, we address the problem of vulnerable Web applications by means of static source code analysis. More precisely, we use flow-sensitive, interprocedural and context-sensitive data flow analysis to discover vulnerable points in a program. In addition, alias and literal analysis are employed to improve the correctness and precision of the results. The presented concepts are targeted at the general class of taint-style vulnerabilities and can be applied to the detection of vulnerability types such as SQL injection, cross-site scripting, or command injection. Pixy, the open source prototype implementation of our concepts, is targeted at detecting cross-site scripting vulnerabilities in PHP scripts. Using our tool, we discovered and reported 15 previously unknown vulnerabilities in three web applications, and reconstructed 36 known vulnerabilities in three other web applications. The observed false positive rate is at around 50 % (i.e., one false positive for each vulnerability) and therefore, low enough to permit effective security audits. EP - 263 TI - Pixy: A Static Analysis Tool for Detecting Web Application Vulnerabilities (Short Paper) T2 - IN 2006 IEEE SYMPOSIUM ON SECURITY AND PRIVACY SP - 258 KW - information_flow_control KW - joe_e KW - security KW - web_application_security KW - web_applications AU - Jovanovic, Nenad AU - Kruegel, Christopher AU - Kirda, Engin PY - 2006/// UR - http://citeseerx.ist.psu.edu/viewdoc/summary?doi=10.1.1.60.6774 ER -