PyT - A Static Analysis Tool for Detecting Security Vulnerabilities in Python Web Applications
Authors
Micheelsen, Stefan Marstrand Getreuer ; Thalmann, Bruno
Term
4. term
Education
Publication year
2016
Submitted on
2016-05-31
Pages
113
Abstract
The number of vulnerabilities in software grows every day. This report examines vulnerabilities in web applications built with Flask, a Python web framework. Cross-site scripting, command injection, SQL injection and path traversal attacks are used as example vulnerabilities. A static analysis of Python is used to analyse the flow of information in the given program. The static analysis consists of constructing a control flow graph using polyvariant interprocedural analysis. The fixed-point theorem is used for analysing the control flow graph. Using an extended version of the reaching definitions analysis, it is possible to capture information flow through a program. A tool has been implemented that can be run on whole projects and gives possible vulnerabilities as output. Finally, an evaluation of the tool is presented. All example vulnerabilities were detected, and real-world projects were successfully used as input.
Keywords
Python ; Static analysis ; static ; flask ; web ; security ; web application ; cfg ; control flow graph ; reaching definitions ; liveness ; polyvariant interprocedural ; command line tool ; fixed point algorithm ; worklist ; fixed point ; vulnerabilities ; vulnerability ; command injection ; cross site scripting ; xss ; path traversal ; django ; sql injection ; injection ; lattice ; dataflow analysis ; dataflow ; abstract syntax tree ; python programs ; ast ; python program analysis ; program analysis ; test ; unittest ; integration test ; framework ; fixed point theorem ; flow ; analyse project