A master thesis from Aalborg University

Eir - Static Vulnerability Detection in PHP Applications

[Danish title: Eir - Statisk Sårbarheds Analyse i PHP Applikationer]

Term

4th term

Publication year

2015

Submitted on

2015-06-03

Pages

70 pages

Abstract

This report presents Eir, a static vulnerability analysis tool for scanning PHP applications for XSS and SQLi vulnerabilities. The tool builds on established static-analysis techniques and detects both reflected and stored vulnerabilities. By using pattern matching to identify storage locations, the prototype shows that stored vulnerabilities can be found statically by matching pairs of incoming (write) and outgoing (read) data sets. The report also examines how to model large frameworks so that their extensions, such as WordPress plugins, can be scanned. Modeling a large amount of framework functionality made it possible to detect many vulnerabilities in WordPress plugins: Eir found 66 new confirmed vulnerabilities in WordPress plugins, 17 of which were stored vulnerabilities.
