Sciweavers

PLDI
2006
ACM

Precise alias analysis for static detection of web application vulnerabilities

14 years 6 months ago
Precise alias analysis for static detection of web application vulnerabilities
The number and the importance of web applications have increased rapidly over the last years. At the same time, the quantity and impact of security vulnerabilities in such applications have grown as well. Since manual code reviews are time-consuming, errorprone and costly, the need for automated solutions has become evident. In this paper, we address the problem of vulnerable web applications by means of static source code analysis. To this end, we present a novel, precise alias analysis targeted at the unique reference semantics commonly found in scripting languages. Moreover, we enhance the quality and quantity of the generated vulnerability reports by employing a novel, iterative two-phase algorithm for fast and precise resolution of file inclusions. We integrated the presented concepts into Pixy [14], a highprecision static analysis tool aimed at detecting cross-site scripting vulnerabilities in PHP scripts. To demonstrate the effectiveness of our techniques, we analyzed three we...
Nenad Jovanovic, Christopher Kruegel, Engin Kirda
Added 14 Jun 2010
Updated 14 Jun 2010
Type Conference
Year 2006
Where PLDI
Authors Nenad Jovanovic, Christopher Kruegel, Engin Kirda
Comments (0)