AAU Student Projects - visit Aalborg University's student projects portal
A master's thesis from Aalborg University

PyT - A Static Analysis Tool for Detecting Security Vulnerabilities in Python Web Applications

Author(s)

Term

4. term

Education

Publication year

2016

Submitted on

2016-05-31

Pages

113 pages

Abstract

The amount of vulnerabilities in software grows every day. This report examines vulnerabilities in Flask web applications, which is a Python web framework. Cross site scripting, command injection, SQL injection and path traversal attacks are used as example vulnerabilities. A static analysis of Python is used to analyse the flow of information in the given program. The static analysis consists of constructing a control flow graph using polyvariant interprocedural analysis. The fixed-point theorem is used for analysing the control flow graph. Using an extended version of the reaching definitions it is possible to capture information flow through a program. A tool has been implemented and can be used on whole projects giving possible vulnerabilities as output. At last an evaluation of the tool is presented. All example vulnerabilities were detected and real world projects were successfully used as input.
