Abstract
In this paper we describe the THAPS vulnerability scanner for PHP web applications. THAPS is based on symbolic execution of PHP with specialised support for scanning extensions and plug-ins of larger application frameworks. We further show how THAPS can integrate the results of dynamic analyses, generated by a customised web crawler, into the static analysis. This enables analysis of frequently used advanced dynamic features such as dynamic code loading and reflection. To the best of our knowledge, THAPS is the first tool to apply this approach and the first tool with specific support for analysis of plug-ins.
In order to verify our approach, we have scanned 375 WordPress plug-ins and a commercial (monolithic) web application, resulting in 68 and 28 confirmed vulnerabilities respectively.
© 2012 Springer-Verlag Berlin Heidelberg
Cite this paper
Jensen, T., Pedersen, H., Olesen, M.C., Hansen, R.R. (2012). THAPS: Automated Vulnerability Scanning of PHP Applications. In: Jøsang, A., Carlsson, B. (eds) Secure IT Systems. NordSec 2012. Lecture Notes in Computer Science, vol 7617. Springer, Berlin, Heidelberg. https://doi.org/10.1007/978-3-642-34210-3_3
DOI: https://doi.org/10.1007/978-3-642-34210-3_3
Publisher Name: Springer, Berlin, Heidelberg
Print ISBN: 978-3-642-34209-7
Online ISBN: 978-3-642-34210-3