Chuansen Chai, Xuexiong Yan, Qingxian Wang, Shukai Liu
{"title":"Static detection of execution after redirect vulnerabilities in PHP applications","authors":"Chuansen Chai, Xuexiong Yan, Qingxian Wang, Shukai Liu","doi":"10.1109/ICSESS.2016.7883115","DOIUrl":null,"url":null,"abstract":"In recent years, modern web applications are becoming more and more complex and it makes difficult for developers to audit the code. The number of attacks against these applications has increased rapidly. Automated detection techniques for web applications are badly in need. Execution after execution (EAR) vulnerability is a kind of logic flaws for web application. It allows the server-side execution continuing after the intended halting point. This may result in serious consequences such as information leakage. In this paper, we propose a path-sensitive inter-procedural analysis to detect EAR vulnerabilities in PHP web applications. The analysis improves the traditional detection method by verifying the path conditions and considers more details which may influence the false-positive rate. We have shown how our approach can handle situations where other existing tools may fail by some real-world examples.","PeriodicalId":175933,"journal":{"name":"2016 7th IEEE International Conference on Software Engineering and Service Science (ICSESS)","volume":"14 1","pages":"0"},"PeriodicalIF":0.0000,"publicationDate":"2016-08-01","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":"0","resultStr":null,"platform":"Semanticscholar","paperid":null,"PeriodicalName":"2016 7th IEEE International Conference on Software Engineering and Service Science (ICSESS)","FirstCategoryId":"1085","ListUrlMain":"https://doi.org/10.1109/ICSESS.2016.7883115","RegionNum":0,"RegionCategory":null,"ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":null,"EPubDate":"","PubModel":"","JCR":"","JCRName":"","Score":null,"Total":0}
引用次数: 0
Abstract
In recent years, modern web applications are becoming more and more complex and it makes difficult for developers to audit the code. The number of attacks against these applications has increased rapidly. Automated detection techniques for web applications are badly in need. Execution after execution (EAR) vulnerability is a kind of logic flaws for web application. It allows the server-side execution continuing after the intended halting point. This may result in serious consequences such as information leakage. In this paper, we propose a path-sensitive inter-procedural analysis to detect EAR vulnerabilities in PHP web applications. The analysis improves the traditional detection method by verifying the path conditions and considers more details which may influence the false-positive rate. We have shown how our approach can handle situations where other existing tools may fail by some real-world examples.
京公网安备 11010802042870号
京ICP备2023020795号-1
分享
求助内容:
应助结果提醒方式:
扫码关注我们
