PyT - A Static Analysis Tool for Detecting Security Vulnerabilities in Python Web Applications
Term
4. term
Education
Publication year
2016
Submitted on
2016-05-31
Pages
113
Abstract
The number of vulnerabilities in software grows every day. This report examines vulnerabilities in web applications built with Flask, a Python web framework. Cross-site scripting, command injection, SQL injection and path traversal attacks are used as example vulnerabilities. A static analysis of Python is used to analyse the flow of information in the given program. The static analysis consists of constructing a control flow graph using polyvariant interprocedural analysis. The fixed-point theorem is used for analysing the control flow graph. Using an extended version of the reaching definitions analysis, it is possible to capture information flow through a program. A tool has been implemented and can be used on whole projects, giving possible vulnerabilities as output. Finally, an evaluation of the tool is presented. All example vulnerabilities were detected and real-world projects were successfully used as input.
Keywords
Python ; Static analysis ; static ; flask ; web ; security ; web application ; cfg ; control flow graph ; reaching definitions ; liveness ; polyvariant interprocedural ; command line tool ; fixed point algorithm ; worklist ; fixed point ; vulnerabilities ; vulnerability ; command injection ; cross site scripting ; xss ; path traversal ; django ; sql injection ; injection ; lattice ; dataflow analysis ; dataflow ; abstract syntax tree ; python programs ; ast ; python program analysis ; program analysis ; test ; unittest ; integration test ; framework ; fixed point theorem ; flow ; analyse project
