
Research And Implementation Of PHP Code Vulnerability Detection

Posted on: 2019-03-07
Degree: Master
Type: Thesis
Country: China
Candidate: Y Pei
Full Text: PDF
GTID: 2348330542498201
Subject: Computer technology
Abstract/Summary:
Web technology is an important part of today's rapidly developing Internet. With the advent of dynamic web application requirements, scripting languages have gradually come to dominate web application development. As an easy-to-use and flexible scripting language, PHP has developed rapidly in recent years and has become the most widely used web development language in the world. However, because some PHP developers lack security knowledge and the PHP language itself was designed with few security measures, PHP web applications are prone to security flaws. To address these problems, web applications need security testing before formal deployment, but purely manual code review is costly and inefficient, so automated vulnerability detection methods need to be researched.

Based on a study of PHP code vulnerability detection techniques and open-source tools, and on the problems encountered in actual code vulnerability detection, this thesis designs a vulnerability detection scheme based on static analysis. It selects PHP-Parser, which supports the mainstream PHP versions, as the basis of the compilation front end, and implements the code compilation and control flow graph generation that dataflow analysis requires. In view of the features of MVC frameworks, it uses a redefined entry set to solve the problem of covering the branches of the code. The thesis uses flow-sensitive, context-sensitive, inter-procedural dataflow analysis to analyze taint propagation paths and detects flaws based on vulnerability rules. Because it is difficult to determine whether data along a taint propagation path has been effectively sanitized, the thesis also proposes a dynamic detection method based on taint propagation records.
Keywords/Search Tags:PHP, static analysis, dataflow analysis, vulnerability analysis