PyT - A Static Analysis Tool for Detecting Security Vulnerabilities in Python Web Applications

Studenteropgave: Speciale (inkl. HD afgangsprojekt)

  • Stefan Marstrand Getreuer Micheelsen
  • Bruno Thalmann
4. semester, Software, Kandidat (Kandidatuddannelse)
The amount of vulnerabilities in soft-
ware grows everyday. This report ex-
amines vulnerabilities in Flask web
applications, which is a Python web
framework. Cross site scripting, com-
mand injection, SQL injection and path
traversal attacks are used as example
vulnerabilities. A static analysis of
Python is used to analyse the flow of
information in the given program. The
static analysis consists of constructing
a control flow graph using polyvariant
interprocedural analysis. The fixed-
point theorem is used for analysing
the control flow graph. Using an ex-
tended version of the reaching defi-
nitions it is possible to capture infor-
mation flow through a program. A
tool has been implemented and can be
used on whole projects giving possi-
ble vulnerabilities as output. At last an
evaluation of the tool is presented. All
example vulnerabilities were detected
and real world projects were success-
fully used as input.
SprogEngelsk
Udgivelsesdato31 maj 2016
Antal sider113
EmneordPython, Static analysis, static, flask, web, security, web application, cfg, control flow graph, reaching definitions, liveness, polyvariant interprocedural, command line tool, fixed point algorithm, worklist, fixed point, vulnerabilities, vulnerability, command injection, cross site scripting, xss, path traversal, django, sql injection, injection, lattice, dataflow analysis, dataflow, abstract syntax tree, python programs, ast, python program analysis, program anlysis, test, unittest, integration test, framework, fixed point theorem, flow, analyse project
ID: 234498602