Advertisement

WeVerca: Web Applications Verification for PHP

  • David Hauzar
  • Jan Kofroň
Part of the Lecture Notes in Computer Science book series (LNCS, volume 8702)

Abstract

Static analysis of web applications developed in dynamic languages is a challenging yet very important task. In this paper, we present WeVerca, a framework that allows one to define static analyses of PHP applications. It supports dynamic type system, dynamic method calls, dynamic data structures, etc. These common features of dynamic languages cause implementation of static analyses to be either imprecise or overly complex. Our framework addresses this problem by defining end-user static analyses independently of value and heap analyses necessary just to resolve these features. As our results show, taint analysis defined using the framework found more real problems and reduced the number of false positives comparing to existing state-of-the-art analysis tools for PHP.

Keywords

Program Point Abstract Syntax Tree Static Analysis Tool Benchmark Application Tainted Data 
These keywords were added by machine and not by the authors. This process is experimental and the keywords may be updated as the learning algorithm improves.

Preview

Unable to display preview. Download preview PDF.

Unable to display preview. Download preview PDF.

References

  1. 1.
    Hauzar, D., Kofroň, J., Baštecký, P.: Data-flow analysis of programs with associative arrays. In: ESSS 2014. EPTCS (2014)Google Scholar
  2. 2.
    Jensen, S.H., Møller, A., Thiemann, P.: Type analysis for JavaScript. In: Palsberg, J., Su, Z. (eds.) SAS 2009. LNCS, vol. 5673, pp. 238–255. Springer, Heidelberg (2009)CrossRefGoogle Scholar
  3. 3.
    Jovanovic, N., Kruegel, C., Kirda, E.: Pixy: a static analysis tool for detecting Web application vulnerabilities. In: S&P 2006. IEEE (2006)Google Scholar
  4. 4.
    Kneuss, E., Suter, P., Kuncak, V.: Phantm: PHP Analyzer for Type Mismatch. In: FSE 2010. ACM (2010)Google Scholar

Copyright information

© Springer International Publishing Switzerland 2014

Authors and Affiliations

  • David Hauzar
    • 1
  • Jan Kofroň
    • 1
  1. 1.Department of Distributed and Dependable Systems, Faculty of Mathematics and PhysicsCharles University in PragueCzech Republic

Personalised recommendations