Detecting PHP-based Cross-Site Scripting Vulnerabilities Using Static Program Analysis

With the widespread adoption of dynamic web applications in recent years, a number of threats to the security of these applications have emerged as significant challenges for application developers. The security of developed applications has become a higher priority for both developers and their employers as cyber attacks become increasingly more prevalent and damaging. Some of the most used web application frameworks are written in PHP and have become major targets due to the large number of servers running these applications worldwide. A number of tools exist to evaluate PHP code for issues, however most of these applications are not targeted at vulnerability detection. At the same time, Cross-Site Scripting (XSS) vulnerabilities continue to be identified in existing software threatening the security of client data. Providing tools to software developers which can identify these XSS vulnerabilities in code during the development process could reduce the number of vulnerabilities that make it into production code and thus threaten users. This thesis proposes a solution for the problem of identifying non-persistent XSS vulnerabilities in PHP code by demonstrating a system which is capable of finding these vulnerable code paths. This is achieved through the use of static taint analysis, whereby a number of known sources of untrusted data are defined, along with several sensitive sinks which may present a vulnerability if untrusted data is used at these locations. Any data acquired from these taint sources and subsequent propagation of the data is tracked. Code analysis is performed on an Abstract Syntax Tree (AST), an intermediate representation which permits conversion to and from source code. This allows individual line numbers to be tracked for the purpose of clearly displaying taint flow to the user allowing them to visualize how the information flow could result in an unsafe condition and take appropriate action to remedy the vulnerability. This program is capable of analyzing non-object-oriented PHP code and supports most of the common language constructs. Initial testing has shown the program to be highly successful at identifying non-persistent XSS attacks in the supported subset of the PHP language, with future development efforts targeting expanded support for more elements of the language including object-oriented programming