A hybrid analysis framework for detecting web application vulnerabilities

Increasingly, web applications handle sensitive data and interface with critical back-end components, but are often written by poorly experienced programmers with low security skills. The majority of vulnerabilities that a ect web applications can be ascribed to the lack of proper validation of user's input, before it is used as argument of an output function. Several program analysis techniques were proposed to automatically spot these vulnerabilities. One particularly e ective is dy-namic taint analysis. Unfortunately, this approach in- troduces a signi cant run-time penalty. In this paper, we present a hybrid analysis frame-work that blends together the strengths of static and dynamic approaches for the detection of vulnerabilities in web applications: a static analysis, performed just once, is used to reduce the run-time overhead of the dynamic monitoring phase. We designed and implemented a tool, called Phan, that is able to statically analyze PHP bytecode search-ing for dangerous code statements; then, only these statements are monitored during the dynamic analysis phase