Automated DetectionAutomatisierte of Complex Sicherheitsanalyse Vulnerabilities with Static Code Analysisvon Webapplikationen
Automated Detection of Complex Vulnerabilities with Static Code Analysis
Johannes Dahse, Dortmund, 10 Nov 2016 Automated DetectionAutomatisierte of Complex Sicherheitsanalyse Vulnerabilities with Static Code Analysisvon Webapplikationen
1. Introduction
2. Static Code Analysis
3. First-order Bug Detection
4. Second-order Bug Detection
5. Gadget Chain Detection 1. Introduction Automated DetectionAutomatisierte of Complex Sicherheitsanalyse Vulnerabilities 2. Static Code Analysis 3. First-order Bugs with Static Code Analysisvon Webapplikationen 4. Second-order Bugs 5. Gadget Chains
1.1 About
● Dr. Johannes Dahse
● CEO of RIPS Technologies
● Study/Ph.D. IT-Security, Ruhr-University Bochum
● Security Consultant
● CTF participant
● @FluxReiners, websec.wordpress.com
● Developer of RIPS www.ripstech.com
3 1. Introduction Automated DetectionAutomatisierte of Complex Sicherheitsanalyse Vulnerabilities 2. Static Code Analysis 3. First-order Bugs with Static Code Analysisvon Webapplikationen 4. Second-order Bugs 5. Gadget Chains
1.2 Research Timeline
● 2007 – 2009: PHP Scanner based on Regex used for CTF competitions
● 2009 – 2011: RIPS 1st Generation based on Tokenizer open sourced during MOPS (2nd place)
● 2012: RIPS 2nd Generation based on AST and CFG subject of master thesis
● 2013 – 2015: RIPS 3rd Generation subject of doctor thesis
● 2016: RIPS (Standalone / Cloud)
4 1. Introduction Automated DetectionAutomatisierte of Complex Sicherheitsanalyse Vulnerabilities 2. Static Code Analysis 3. First-order Bugs with Static Code Analysisvon Webapplikationen 4. Second-order Bugs 5. Gadget Chains
1.3 The Role of PHP in Security
● 82.2 % of the websites run PHP as server-side language
● Dynamic language, built-in features, oddities / pitfalls
● 25 % of all reported CVE vulnerabilities are related to PHP
● Sucuri Website Hacked Report: 97 % of hacked websites run PHP CMS
Source: W3Techs Source: MITRE CVE 8000 PHP 7000 ASP 6000 Java 5000 CFM Other 4000 Ruby PHP 3000 Perl 2000 Python 1000 JS 0 0 10 20 30 40 50 60 70 80 90 00 01 02 03 04 05 06 07 08 09 10 11 12 13 14
5 1. Introduction Automated DetectionAutomatisierte of Complex Sicherheitsanalyse Vulnerabilities 2. Static Code Analysis 3. First-order Bugs with Static Code Analysisvon Webapplikationen 4. Second-order Bugs 5. Gadget Chains
1.4 Security Vulnerability Demo
6 1. Introduction Automated DetectionAutomatisierte of Complex Sicherheitsanalyse Vulnerabilities 2. Static Code Analysis 3. First-order Bugs with Static Code Analysisvon Webapplikationen 4. Second-order Bugs 5. Gadget Chains
1.5 Goal
● Automated security analysis of PHP code - Analyze dynamic language - Support variety of language features - Detect common vulnerability types - Detect complex vulnerabilities - Scale to large applications - Non-annotation based
7 1. Introduction Automated DetectionAutomatisierte of Complex Sicherheitsanalyse Vulnerabilities 2. Static Code Analysis 3. First-order Bugs with Static Code Analysisvon Webapplikationen 4. Second-order Bugs 5. Gadget Chains
2. Static Code Analysis
8 1. Introduction Automated DetectionAutomatisierte of Complex Sicherheitsanalyse Vulnerabilities 2. Static Code Analysis 3. First-order Bugs with Static Code Analysisvon Webapplikationen 4. Second-order Bugs 5. Gadget Chains
2.1 Overview ● Transform code into abstract syntax tree (AST) ● Split AST into basic blocks ● Analyze data flow within each basic block ● Summarize data flow in block and function summaries ● Connect basic blocks to a control flow graph (CFG) ● Perform backwards-directed taint analysis for each sensitive sink
Code AST Basic Blocks CFG Report
9 1. Introduction Automated DetectionAutomatisierte of Complex Sicherheitsanalyse Vulnerabilities 2. Static Code Analysis 3. First-order Bugs with Static Code Analysisvon Webapplikationen 4. Second-order Bugs 5. Gadget Chains 3. First-order Bug Detection
10 1. Introduction Automated DetectionAutomatisierte of Complex Sicherheitsanalyse Vulnerabilities 2. Static Code Analysis 3. First-order Bugs with Static Code Analysisvon Webapplikationen 4. Second-order Bugs 5. Gadget Chains
3.1 Traditional Vulnerability Types
✗ Authorization Bypass ✔ File Inclusion ✔ Open Redirect ✗ Cross-Site Request Forgery ✔ File Write ✔ PHP Object Injection ✔ Cross-Site Scripting ✔ File System Manipulation ✔ PHP Object Instantiation ✔ Code Execution ✔ File Upload ✔ Reflection/Autoload Injection ✔ Command Execution ✔ HTTP Response Splitting ✔ Server-Side JavaScript Injection ✔ Connection String Injection ✔ Information Leakage ✔ Server-Side Request Forgery ✔ Denial of Service ✔ LDAP Injection ✔ Session Fixation ✔ Directory Listing ✔ Library Injection ✔ SQL Injection ✔ Environment Manipulation ✔ Log Forge ✔ Variable Manipulation ✔ Execution After Redirect ✔ Mass Assignment ✔ Weak Cryptography ✔ File Create ✔ Memcached Injection ✔ XML/XXE Injection ✔ File Delete ✔ MongoDB Injection ✔ XPath Injection ✔ File Disclosure ✔ NoSQL Injection ✔ Xquery Injection
11 1. Introduction Automated DetectionAutomatisierte of Complex Sicherheitsanalyse Vulnerabilities 2. Static Code Analysis 3. First-order Bugs with Static Code Analysisvon Webapplikationen 4. Second-order Bugs 5. Gadget Chains
3.2 Taint Analysis
user input sensitive sink $_GET print() XSS $_POST mysql_query() SQL Injection $_COOKIE include() File Inclusion + = $_REQUEST eval() Code Execution $_FILES system() Command Execution $_SERVER ......
12 1. Introduction Automated DetectionAutomatisierte of Complex Sicherheitsanalyse Vulnerabilities 2. Static Code Analysis 3. First-order Bugs with Static Code Analysisvon Webapplikationen 4. Second-order Bugs 5. Gadget Chains
3.2 Taint Analysis (Refined)
user input sanitization sensitive sink $_GET htmlentities() print() XSS $_POST addslashes() mysql_query() SQL Injection $_COOKIE basename() include() File Inclusion + + = $_REQUEST (int) eval() Code Exec $_FILES escapeshellarg() system() Cmd Exec $_SERVER ......
13 1. Introduction Automated DetectionAutomatisierte of Complex Sicherheitsanalyse Vulnerabilities 2. Static Code Analysis 3. First-order Bugs with Static Code Analysisvon Webapplikationen 4. Second-order Bugs 5. Gadget Chains
3.3 Security Mechanisms
source 1 $url = htmlentities($_GET['id']); “ → " 2 echo '' . $url . ''; < → < 3 echo “click“; sanitization 4 echo 'click';
sensitive sink
14 1. Introduction Automated DetectionAutomatisierte of Complex Sicherheitsanalyse Vulnerabilities 2. Static Code Analysis 3. First-order Bugs with Static Code Analysisvon Webapplikationen 4. Second-order Bugs 5. Gadget Chains
3.3 Security Mechanisms
source 1 $url = htmlentities($_GET['id']); “ → " 2 echo '' . $url . ''; < → < 3 echo “click“; 'onclick='alert(1) sanitization 4 echo 'click';
javascript:alert(1)
sensitive sink
15 1. Introduction Automated DetectionAutomatisierte of Complex Sicherheitsanalyse Vulnerabilities 2. Static Code Analysis 3. First-order Bugs with Static Code Analysisvon Webapplikationen 4. Second-order Bugs 5. Gadget Chains
3.4 Taint Analysis (Context-Sensitive) user input sanitization markup sensitive sink $_GET htmlentities() HTML print() XSS $_POST addslashes() SQL mysql_query() SQL Injection $_COOKIE basename() File Path include() File Inclusion + + + = $_REQUEST (int) PHP eval() Code Exec $_FILES escapeshellarg() OS Command system() Cmd Exec $_SERVER ......
16 1. Introduction Automated DetectionAutomatisierte of Complex Sicherheitsanalyse Vulnerabilities 2. Static Code Analysis 3. First-order Bugs with Static Code Analysisvon Webapplikationen 4. Second-order Bugs 5. Gadget Chains
3.5 Context-Sensitive Taint Analysis
1 $id = $_POST['id']; $id = $_POST['id']; 2 if(...) { 3 $id = (int)$id; 4 } $id = (int)$id; $id = htmlentities($id); 5 else { 6 $id = htmlentities($id); 7 } 8 echo "
Code AST Basic CFG Report Blocks 17 1. Introduction Automated DetectionAutomatisierte of Complex Sicherheitsanalyse Vulnerabilities 2. Static Code Analysis 3. First-order Bugs with Static Code Analysisvon Webapplikationen 4. Second-order Bugs 5. Gadget Chains
3.5 Context-Sensitive Taint Analysis
$id = $_POST['id'];
$id = (int)$id; $id = htmlentities($id);
Markup Context $id: HTML attribute single-quoted (SQ) echo "
Code AST Basic CFG Report Blocks 18 1. Introduction Automated DetectionAutomatisierte of Complex Sicherheitsanalyse Vulnerabilities 2. Static Code Analysis 3. First-order Bugs with Static Code Analysisvon Webapplikationen 4. Second-order Bugs 5. Gadget Chains
3.5 Context-Sensitive Taint Analysis
$id = $_POST['id']; Sanitized: Integer only
$id = (int)$id; $id = htmlentities($id);
$id Markup Context $id: HTML attribute single-quoted (SQ) echo "
Code AST Basic CFG Report Blocks 19 1. Introduction Automated DetectionAutomatisierte of Complex Sicherheitsanalyse Vulnerabilities 2. Static Code Analysis 3. First-order Bugs with Static Code Analysisvon Webapplikationen 4. Second-order Bugs 5. Gadget Chains
3.5 Context-Sensitive Taint Analysis Vulnerable! User input (no " < >) $_POST $id = $_POST['id']; $id id
XSS <> XSS DQ" $id = htmlentities($id); Element Attribute $id = (int)$id;
Markup Context $id: HTML attribute single-quoted (SQ) echo "
Code AST Basic CFG Report Blocks 20 1. Introduction Automated DetectionAutomatisierte of Complex Sicherheitsanalyse Vulnerabilities 2. Static Code Analysis 3. First-order Bugs with Static Code Analysisvon Webapplikationen 4. Second-order Bugs 5. Gadget Chains
3.6 Examples
Software Version Vulnerability detected by RIPS Wordpress 4.01 Cross-Site Scripting phpBB 2.0.23 SQL Injection phpMyAdmin 4.2.10 Local File Inclusion CMS Made Simple 1.11.11 SQL Injection
21 1. Introduction Automated DetectionAutomatisierte of Complex Sicherheitsanalyse Vulnerabilities 2. Static Code Analysis 3. First-order Bugs with Static Code Analysisvon Webapplikationen 4. Second-order Bugs 5. Gadget Chains 4. Second-order Bug Detection
22 1. Introduction Automated DetectionAutomatisierte of Complex Sicherheitsanalyse Vulnerabilities 2. Static Code Analysis 3. First-order Bugs with Static Code Analysisvon Webapplikationen 4. Second-order Bugs 5. Gadget Chains
4.1 Second-order Vulnerabilities
!“*$()&/'\
write user input read
application database
23 1. Introduction Automated DetectionAutomatisierte of Complex Sicherheitsanalyse Vulnerabilities 2. Static Code Analysis 3. First-order Bugs with Static Code Analysisvon Webapplikationen 4. Second-order Bugs 5. Gadget Chains
4.2 Persistent Data Stores
User input Persistent Data Store (PDS) Sensitive Sink
1. 2.
● $_GET ● Databases ● Cross-Site Scripting ● $_POST ● File Names ● SQL Injection ● $_COOKIE ● $_SESSION (File Content) ● Code Execution ● $_FILES ... ● File Inclusion ● $_SERVER ● File Disclosure ......
24 1. Introduction Automated DetectionAutomatisierte of Complex Sicherheitsanalyse Vulnerabilities 2. Static Code Analysis 3. First-order Bugs with Static Code Analysisvon Webapplikationen 4. Second-order Bugs 5. Gadget Chains
SQLi 4.3 First-order Taint Analysis POST[name]
1 $name = $_POST['name']; 2 if(...) { $name = $_POST['name']; 3 $role = 'admin'; 4 } 5 else { $role = 'admin'; $role = 'user'; 6 $role = 'user'; 7 } 8 mysql_query("INSERT INTO users VALUES('$name', '$role')"); mysql_query("INSERT INTO users VALUES('$name', '$role')");
25 1. Introduction Automated DetectionAutomatisierte of Complex Sicherheitsanalyse Vulnerabilities 2. Static Code Analysis 3. First-order Bugs with Static Code Analysisvon Webapplikationen 4. Second-order Bugs 5. Gadget Chains
4.4 Second-order Taint Analysis
1 $name = addslashes($_POST['name']); 2 if(...) { $name = addslashes($_POST['name']); 3 $role = 'admin'; 4 } 5 else { $role = 'admin'; $role = 'user'; 6 $role = 'user'; 7 } 8 mysql_query("INSERT INTO users VALUES('$name', '$role')"); mysql_query("INSERT INTO users VALUES('$name', '$role')");
users INSERT INTO users VALUES('$_POST[name]', 'admin') INSERT INTO users VALUES('$_POST[name]', 'user') name role
26 1. Introduction Automated DetectionAutomatisierte of Complex Sicherheitsanalyse Vulnerabilities 2. Static Code Analysis 3. First-order Bugs with Static Code Analysisvon Webapplikationen 4. Second-order Bugs 5. Gadget Chains
4.4 Second-order Taint Analysis Temp XSS users[name]
1 $r = mysql_query( 'SELECT name FROM users'); $r = mysql_query( 2 if(...) { 'SELECT name FROM users'); 3 $row = mysql_fetch_assoc($r); 4 } 5 else { $row = mysql_fetch_assoc($r); 6 die('error'); 7 } 8 echo "Hi " . $row['name']; echo "Hi " . $row['name'];
27 1. Introduction Automated DetectionAutomatisierte of Complex Sicherheitsanalyse Vulnerabilities 2. Static Code Analysis 3. First-order Bugs with Static Code Analysisvon Webapplikationen 4. Second-order Bugs 5. Gadget Chains
4.5 Second-order Vulnerability Report
PDS Reads Writes
users id name pass Temp XSS users[name]
*
Second-Order XSS $_POST[name]
PDS'
28 1. Introduction Automated DetectionAutomatisierte of Complex Sicherheitsanalyse Vulnerabilities 2. Static Code Analysis 3. First-order Bugs with Static Code Analysisvon Webapplikationen 4. Second-order Bugs 5. Gadget Chains
4.6 Examples
Software Version Vulnerability detected by RIPS Gallery3 3.0.4 Remote Code Execution OpenConf 5.30 Remote Code Execution osCommerce 2.3.4 Remote Command Execution
29 1. Introduction Automated DetectionAutomatisierte of Complex Sicherheitsanalyse Vulnerabilities 2. Static Code Analysis 3. First-order Bugs with Static Code Analysisvon Webapplikationen 4. Second-order Bugs 5. Gadget Chains 5. Gadget Chain Detection
30 1. Introduction Automated DetectionAutomatisierte of Complex Sicherheitsanalyse Vulnerabilities 2. Static Code Analysis 3. First-order Bugs with Static Code Analysisvon Webapplikationen 4. Second-order Bugs 5. Gadget Chains
5.1 PHP Object Injection + POP Chain
PHP Object Injection Chaining existing code (gadgets)
Object
31 1. Introduction Automated DetectionAutomatisierte of Complex Sicherheitsanalyse Vulnerabilities 2. Static Code Analysis 3. First-order Bugs with Static Code Analysisvon Webapplikationen 4. Second-order Bugs 5. Gadget Chains
5.2 PHP Serialization
class Text { public function __construct($data) { $this->data = $data; } }
$object1 = new Text('Ruhr'); $tmp = serialize($object1);
// O:4:"Text":1:{s:4:"data";s:4:"Ruhr";} Unified string representation of $object1 $object2 = unserialize($tmp); echo $object2->data;
32 1. Introduction Automated DetectionAutomatisierte of Complex Sicherheitsanalyse Vulnerabilities 2. Static Code Analysis 3. First-order Bugs with Static Code Analysisvon Webapplikationen 4. Second-order Bugs 5. Gadget Chains
5.3 PHP Object Injection (POI)
class Text { public function __construct($data) { $this->data = $data; } }
$object1 = new Text('Ruhr'); setcookie('tmp', serialize($object1));
// O:4:"Text":1:{s:4:"data";s:4:"Ruhr";}
$object2 = unserialize($_COOKIE['tmp']); echo $object2->data;
33 1. Introduction Automated DetectionAutomatisierte of Complex Sicherheitsanalyse Vulnerabilities 2. Static Code Analysis 3. First-order Bugs with Static Code Analysisvon Webapplikationen 4. Second-order Bugs 5. Gadget Chains
5.3 PHP Object Injection (POI)
class Text { public function __construct($data) { $this->data = $data; } }
$object1 = new Text('Ruhr'); setcookie('tmp', serialize($object1));
// O:4:"Text":1:{s:4:"data";s:4:"Ruhr";} // O:8:"stdClass":1:{s:4:"data";s:4:"RIPS";}
$object2 = unserialize($_COOKIE['tmp']); echo $object2->data;
34 1. Introduction Automated DetectionAutomatisierte of Complex Sicherheitsanalyse Vulnerabilities 2. Static Code Analysis 3. First-order Bugs with Static Code Analysisvon Webapplikationen 4. Second-order Bugs 5. Gadget Chains
5.4 Magic Methods
class Text { class File { public function __construct($d){ public function __destruct(){ $this->data = $d; unlink($this->filename); } } } }
// O:4:"Text":1:{s:4:"data";s:4:"Ruhr";} // O:4:"File":1:{s:8:"filename";s:10:"config.php";}
$object2 = unserialize($_COOKIE['tmp']); echo $object2->data;
35 1. Introduction Automated DetectionAutomatisierte of Complex Sicherheitsanalyse Vulnerabilities 2. Static Code Analysis 3. First-order Bugs with Static Code Analysisvon Webapplikationen 4. Second-order Bugs 5. Gadget Chains
5.5 Property-oriented Programming (POP)
class File { public function __destruct(){ $this->handler->close(); } } POP
// O:4:"File":1:{s:7:"handler";O:3:"ABC":0:{};}
$object2 = unserialize($_COOKIE['tmp']); echo $object2->data;
36 1. Introduction Automated DetectionAutomatisierte of Complex Sicherheitsanalyse Vulnerabilities 2. Static Code Analysis 3. First-order Bugs with Static Code Analysisvon Webapplikationen 4. Second-order Bugs 5. Gadget Chains
5.5 Property-oriented Programming (POP)
class File { class Process { public function __destruct(){ public function close() { $this->handler->close(); system('kill '.$this->pid); } } } Process }
// O:4:"File":1:{s:7:"handler";O:7:"Process":0:{};}
$object2 = unserialize($_COOKIE['tmp']); echo $object2->data;
37 1. Introduction Automated DetectionAutomatisierte of Complex Sicherheitsanalyse Vulnerabilities 2. Static Code Analysis 3. First-order Bugs with Static Code Analysisvon Webapplikationen 4. Second-order Bugs 5. Gadget Chains
5.5 Property-oriented Programming (POP)
class File { class Process { public function __destruct(){ public function close() { $this->handler->close(); system('kill '.$this->pid); } } } } >kill 0;calc
// O:4:"File":1:{s:7:"handler";O:7:"Process":1: {s:3:"pid";s:6:"0;calc";};}
$object2 = unserialize($_COOKIE['tmp']); echo $object2->data;
38 1. Introduction Automated DetectionAutomatisierte of Complex Sicherheitsanalyse Vulnerabilities 2. Static Code Analysis 3. First-order Bugs with Static Code Analysisvon Webapplikationen 4. Second-order Bugs 5. Gadget Chains
5.5 Property-oriented Programming (POP)
class File { class Process { public function __destruct(){ public function close() { $this->handler->close(); system('kill '.$this->pid); } } } } >kill 0;calc
// O:4:"File":1:{s:7:"handler";O:7:"Process":1: {s:3:"pid";s:6:"0;calc";};}
$object2 = unserialize($_COOKIE['tmp']); echo $object2->data;
39 1. Introduction Automated DetectionAutomatisierte of Complex Sicherheitsanalyse Vulnerabilities 2. Static Code Analysis 3. First-order Bugs with Static Code Analysisvon Webapplikationen 4. Second-order Bugs 5. Gadget Chains
5.6 POI Detection
● Backwards-directed taint analysis for unserialize() $tmp = $_COOKIE['tmp'];
● If argument is resolved to user $obj = unserialize($tmp); input, report POI vulnerability POI ● Vulnerable unserialize() call returns tainted object
40 1. Introduction Automated DetectionAutomatisierte of Complex Sicherheitsanalyse Vulnerabilities 2. Static Code Analysis 3. First-order Bugs with Static Code Analysisvon Webapplikationen 4. Second-order Bugs 5. Gadget Chains
5.6 POI Detection
● Backwards-directed taint analysis for unserialize() $tmp = $_COOKIE['tmp'];
● If argument is resolved to user $obj = unserialize($tmp); input, report POI vulnerability POI ● Vulnerable unserialize() call $obj returns tainted object
● Propagate tainted object forward echo $obj->data;
XSS
41 1. Introduction Automated DetectionAutomatisierte of Complex Sicherheitsanalyse Vulnerabilities 2. Static Code Analysis 3. First-order Bugs with Static Code Analysisvon Webapplikationen 4. Second-order Bugs 5. Gadget Chains
5.7 POP Chain Detection
● class File { Invoke inter-procedural analysis public function __destruct(){ for all magic methods on POI $this->handler->close(); } ● For unknown receivers, combine } analysis results of methods class Process { public function close() { system('kill '.$this->pid); } }
class Database { public function close() { mysql_close($this->db); } }
42 1. Introduction Automated DetectionAutomatisierte of Complex Sicherheitsanalyse Vulnerabilities 2. Static Code Analysis 3. First-order Bugs with Static Code Analysisvon Webapplikationen 4. Second-order Bugs 5. Gadget Chains
5.7 POP Chain Detection
● class File { Invoke inter-procedural analysis public function __destruct(){ for all magic methods on POI $this->handler->close(); } ● For unknown receivers, combine } analysis results of methods class Process { $this->pid public function close() { ● Arguments of a sensitive sink system('kill '.$this->pid); that are resolved to object } properties are stored as the } method's sensitive properties class Database { public function close() { mysql_close($this->db); } }
43 1. Introduction Automated DetectionAutomatisierte of Complex Sicherheitsanalyse Vulnerabilities 2. Static Code Analysis 3. First-order Bugs with Static Code Analysisvon Webapplikationen 4. Second-order Bugs 5. Gadget Chains
5.7 POP Chain Detection
$this->handler->pid ● class File { Invoke inter-procedural analysis public function __destruct(){ for all magic methods on POI $this->handler->close(); } ● For unknown receivers, combine } analysis results of methods class Process { $this->pid
● public function close() { Arguments of a sensitive sink system('kill '.$this->pid); that are resolved to object } properties are stored as the } method's sensitive properties class Database { public function close() { ● Sensitive properties are applied mysql_close($this->db); } to each receiver at call-site }
44 1. Introduction Automated DetectionAutomatisierte of Complex Sicherheitsanalyse Vulnerabilities 2. Static Code Analysis 3. First-order Bugs with Static Code Analysisvon Webapplikationen 4. Second-order Bugs 5. Gadget Chains
5.8 POP Chain Report
● Sensitive properties are applied to the receiving object at call-site $tmp = $_COOKIE['tmp'];
● If receiving object is tainted, $obj = unserialize($tmp); a POP gadget chain is reported and attached to the POI report $this->handler->pid $obj->handler->pid
POP Chain (Remote Command Execution)
45 1. Introduction Automated DetectionAutomatisierte of Complex Sicherheitsanalyse Vulnerabilities 2. Static Code Analysis 3. First-order Bugs with Static Code Analysisvon Webapplikationen 4. Second-order Bugs 5. Gadget Chains
5.9 Examples
Software Version Vulnerability detected by RIPS Joomla 3.3.4 PHP Object Injection Magento 1.9.0.1 PHP Object Injection Drupal 7.34 PHP Object Injection
46 1. Introduction Automated DetectionAutomatisierte of Complex Sicherheitsanalyse Vulnerabilities 2. Static Code Analysis 3. First-order Bugs with Static Code Analysisvon Webapplikationen 4. Second-order Bugs 5. Gadget Chains
6. Conclusion
● Requirements for SCA tools changed ● Diverse language features ● Applied security mechanisms ● Complex vulnerability types ● Growing code size
● SCA can automate bug detection ● Quickly identify traditional vulnerabilities ● Combine multiple bugs to detect complex bugs ● Challenges for frameworks (reflection, template engines)
47 1. Introduction Automated DetectionAutomatisierte of Complex Sicherheitsanalyse Vulnerabilities 2. Static Code Analysis 3. First-order Bugs with Static Code Analysisvon Webapplikationen 4. Second-order Bugs 5. Gadget Chains
We are looking for PHP experts and UI designer
Join us building the superior PHP security analysis tool [email protected]
48