
Research On Vulnerability Detection Methods For PHP Applications

Posted on: 2024-06-08
Degree: Doctor
Type: Dissertation
Country: China
Candidate: C H Zhao
Full Text: PDF
GTID: 1528306944464364
Subject: Computer Science and Technology

Abstract/Summary:
PHP is the most popular server-side language. According to recent research, it is used by approximately 78% of websites. PHP applications are typically deployed on web servers and respond directly to user interactions and requests. This mode of interaction exposes a large attack surface, allowing attackers to exploit vulnerabilities in the application such as SQL injection and cross-site scripting. By exploiting such taint-style vulnerabilities, attackers may extract sensitive data, bypass authorization checks or compromise the web server. Given the high severity and prevalence of taint-style vulnerabilities, it is essential to apply defensive technologies that mitigate these threats and ensure the security of applications.

Taint-based vulnerability detection methods for PHP applications fall into two main categories: static analysis and dynamic analysis. Static analysis is scalable and efficient and can achieve high code coverage. However, the complexity of the PHP language makes precise static analysis difficult: incomplete inter-procedural analysis and implementation issues lead to high false-positive and false-negative rates. Dynamic analysis detects vulnerabilities by injecting attack payloads and checking the corresponding outputs during program execution, which gives high precision, but it cannot reveal vulnerabilities on code paths it never reaches; its code coverage is normally limited, resulting in false negatives. In addition, dynamic analysis typically requires manual application configuration, which limits its scalability and makes it difficult to apply to many applications.

In this thesis, we systematically study existing vulnerability detection solutions for PHP applications and conduct an in-depth study of the issues with existing methods. The main results are as follows.

1. To address the high manual analysis cost and low detection efficiency caused by the lack of sanitization detection in existing static analysis methods, this research proposes SanFinder, a sanitization identification-based approach that improves the efficiency of vulnerability detection. Its effectiveness was assessed by crawling and analyzing PHP application vulnerabilities from public vulnerability database sites and using frequent sequence mining algorithms to extract sanitization samples from many open-source projects. In addition, a classifier for identifying custom sanitizations was implemented based on function samples and machine learning algorithms. Experimental results show that SanFinder reduces the false alarm rate of static analysis tools to 6.4%, reduces manual analysis cost by 29%, improves vulnerability analysis efficiency, and quickly discovers new vulnerabilities by identifying sanitizations.

2. To address the inability of existing static analysis methods to detect vulnerabilities in modern, complex PHP applications, this research presents VulPathsFinder, a vulnerability detection method for modern applications based on an enhanced code property graph. VulPathsFinder extends the PHP security analyzer Joern-PHP, improves the construction of the code property graph and the call graph, and implements vulnerability detection for multi-layer web applications on the improved graph. Ten applications based on the MVC architecture and ten non-MVC applications were selected to evaluate VulPathsFinder. The results show that VulPathsFinder handles framework-based applications more effectively and detects vulnerabilities in framework-based applications that existing tools cannot detect.

3. To address the low accuracy of static analysis results and the extensive manual verification they require, which lowers detection efficiency, this research proposes HybridVulEG, a hybrid approach to PHP application vulnerability detection based on Xdebug parsing. HybridVulEG builds on the Xdebug plugin to associate web requests with the call stack of program execution, identify the types of security-sensitive operations, construct targeted vulnerability exploitation requests, reduce blind spots in dynamic testing, and improve test efficiency. Ten open-source applications were selected as the test set, and HybridVulEG was compared with existing tools in terms of accuracy and time efficiency. The experimental results demonstrate the effectiveness of HybridVulEG: it detects vulnerabilities faster and more accurately than currently available tools.
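As an added illustration (not code from the thesis or from SanFinder, VulPathsFinder or HybridVulEG), the following Python script implements a toy intraprocedural taint analysis over a constructed PHP snippet and shows the effect the SanFinder passage describes: a static analyzer that does not recognize a project-specific sanitizer treats it as a pass-through and raises a false alarm, and recognizing the sanitizer removes that alert. The source, sink and sanitizer tables, the function name `clean_id`, and the PHP sample are all constructed; the sanitizer-inference heuristic (a one-parameter function whose single return value the built-in analysis shows to be clean) is an assumption standing in for the thesis's sample-mining and classifier approach.

```python
"""Toy intraprocedural taint analysis over a small PHP-like subset.

Added illustration only: not SanFinder, VulPathsFinder or HybridVulEG code.
The PHP sample, the source/sink/sanitizer tables and the sanitizer-inference
heuristic are all constructed assumptions.
"""
import re

ALL = frozenset({"SQLi", "XSS"})           # vulnerability classes tracked
SOURCES = ("$_GET", "$_POST", "$_REQUEST", "$_COOKIE")
SINKS = {"mysqli_query": "SQLi", "echo": "XSS", "print": "XSS"}
BUILTIN_SANITIZERS = {                     # sanitizer -> classes it neutralises
    "intval": ALL,
    "htmlspecialchars": frozenset({"XSS"}),
    "mysqli_real_escape_string": frozenset({"SQLi"}),
}

TOKEN_RE = re.compile(r"\$\w+|\w+\s*\(")   # a variable, or the start of a call
ASSIGN_RE = re.compile(r"^\s*(\$\w+)\s*=\s*(.+);\s*$")
ECHO_RE = re.compile(r"^\s*(echo|print)\s+(.+);\s*$")
CALL_RE = re.compile(r"^\s*(\w+)\s*\((.*)\)\s*;\s*$")
FUNC_RE = re.compile(
    r"function\s+(\w+)\s*\(\s*(\$\w+)\s*\)\s*\{\s*return\s+(.+?);\s*\}", re.S)


def matching_paren(s, open_idx):
    """Index of the ')' that closes the '(' at open_idx."""
    depth = 0
    for k in range(open_idx, len(s)):
        depth += {"(": 1, ")": -1}.get(s[k], 0)
        if depth == 0:
            return k
    raise ValueError("unbalanced parentheses in: " + s)


def expr_taint(expr, state, sanitizers):
    """Classes `expr` is still tainted for, given per-variable taint `state`."""
    taint, pos = set(), 0
    while (m := TOKEN_RE.search(expr, pos)):
        tok = m.group(0)
        if tok.startswith("$"):
            taint |= state.get(tok, set())
            pos = m.end()
            continue
        name, open_idx = tok[:-1].strip(), m.end() - 1
        close = matching_paren(expr, open_idx)
        inner = expr_taint(expr[open_idx + 1:close], state, sanitizers)
        # A recognised sanitizer strips what it neutralises; any other call is a
        # conservative pass-through, which is where the false positives come from.
        taint |= inner - sanitizers.get(name, frozenset())
        pos = close + 1
    return taint


def infer_custom_sanitizers(code):
    """Heuristic stand-in for sanitizer identification: a one-parameter function
    whose body is a single return is a sanitizer for every class the built-in
    analysis shows its return value no longer carries."""
    found = {}
    for name, param, body in FUNC_RE.findall(code):
        cleaned = ALL - expr_taint(body, {param: set(ALL)}, BUILTIN_SANITIZERS)
        if cleaned:
            found[name] = cleaned
    return found


def analyze(code, sanitizers):
    """Statement-by-statement taint propagation; returns (line, class, text)."""
    state = {src: set(ALL) for src in SOURCES}
    findings = []
    for lineno, line in enumerate(code.splitlines(), 1):
        m = ASSIGN_RE.match(line)
        if m:
            state[m.group(1)] = expr_taint(m.group(2), state, sanitizers)
            continue
        m = ECHO_RE.match(line) or CALL_RE.match(line)
        if m and m.group(1) in SINKS:
            vuln = SINKS[m.group(1)]
            if vuln in expr_taint(m.group(2), state, sanitizers):
                findings.append((lineno, vuln, line.strip()))
    return findings


# Constructed sample: clean_id() is a project-specific wrapper around intval().
SAMPLE = """\
<?php
function clean_id($raw) {
    return intval($raw);
}
$id = clean_id($_GET['id']);
$name = $_POST['name'];
mysqli_query($conn, "SELECT * FROM users WHERE id = " . $id);
mysqli_query($conn, "SELECT * FROM users WHERE name = '" . $name . "'");
echo "<p>Hello " . htmlspecialchars($name) . "</p>";
echo "<p>Welcome back, " . $name . "</p>";
"""

if __name__ == "__main__":
    print("built-in sanitizers only (line 7 is a false positive):")
    for lineno, vuln, text in analyze(SAMPLE, BUILTIN_SANITIZERS):
        print(f"  line {lineno} {vuln:<4} {text}")
    custom = infer_custom_sanitizers(SAMPLE)
    print(f"with identified custom sanitizers {dict(custom)}:")
    for lineno, vuln, text in analyze(SAMPLE, {**BUILTIN_SANITIZERS, **custom}):
        print(f"  line {lineno} {vuln:<4} {text}")
```

With only the built-in sanitizer table the analysis reports lines 7, 8 and 10; line 7 is the false positive, because `clean_id` is an unknown call and its result keeps the taint of `$_GET`. Once `clean_id` has been identified as a sanitizer (here by re-running the analysis over its body, in the thesis by mining samples and classifying functions), only the two real findings remain. The analysis is deliberately intraprocedural and flow-insensitive across branches, which is the kind of imprecision the VulPathsFinder and HybridVulEG passages aim at from the graph and dynamic sides respectively.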
Keywords/Search Tags: Static Analysis, Dynamic Analysis, Web Vulnerabilities, PHP Applications, Code Property Graph, Taint Analysis