A hybrid analysis framework for detecting web application vulnerabilities

机译：用于检测Web应用程序漏洞的混合分析框架

获取原文

页面导航

摘要
著录项
相似文献
相关主题

摘要

Increasingly, web applications handle sensitive data and interface with critical back-end components, but are often written by poorly experienced programmers with low security skills. The majority of vulnerabilities that affect web applications can be ascribed to the lack of proper validation of user's input, before it is used as argument of an output function. Several program analysis techniques were proposed to automatically spot these vulnerabilities. One particularly effective is dynamic taint analysis. Unfortunately, this approach introduces a significant run-time penalty. In this paper, we present a hybrid analysis framework that blends together the strengths of static and dynamic approaches for the detection of vulnerabilities in web applications: a static analysis, performed just once, is used to reduce the run-time overhead of the dynamic monitoring phase. We designed and implemented a tool, called Phan, that is able to statically analyze PHP bytecode searching for dangerous code statements; then, only these statements are monitored during the dynamic analysis phase.

机译：Web应用程序越来越多地处理敏感数据并与关键的后端组件进行接口，但是通常由经验不足且安全技能较低的程序员编写。影响Web应用程序的大多数漏洞都可以归因于在用作输出函数的参数之前，对用户输入的正确验证不足。提出了几种程序分析技术来自动发现这些漏洞。一种特别有效的方法是动态污染分析。不幸的是，这种方法引入了显着的运行时间损失。在本文中，我们提供了一个混合分析框架，该框架将静态和动态方法的优势融合在一起，可用于检测Web应用程序中的漏洞：仅执行一次静态分析即可减少动态监控的运行时开销相。我们设计并实现了一个名为Phan的工具，该工具能够静态分析PHP字节码搜索危险代码语句。然后，在动态分析阶段仅监视这些语句。

著录项

来源
《Software Engineering for Secure Systems, 2009. SESS '09》|2009年|25-32|共8页
会议地点 Vancouver(CA);Vancouver(CA)
作者
Monga M.; Paleari R.; Passerini E.;
展开▼
作者单位

Univ. degli Studi di Milano, Milan;

展开▼
会议组织
原文格式 PDF
正文语种
中图分类
关键词
Internet; object-oriented programming; program diagnostics; security of data; Web application vulnerability; back-end components; dynamic taint analysis; poorly experienced programmers; run-time penalty; security skills;

机译：互联网;面向对象程序设计;程序诊断;数据安全性; Web应用程序漏洞;后端组件;动态污点分析;经验不足的程序员;运行时间损失;安全技能;

相似文献

外文文献
中文文献
专利

1. Benchmarking Approach to Compare Web Applications Static Analysis Tools Detecting OWASP Top Ten Security Vulnerabilities [J] . Juan R. Bermejo Higuera, Javier Bermejo Higuera, Juan A. Sicilia Montalvo, Computers, Materials & Continua . 2020,第3期

机译：基准测试方法以比较Web应用程序静态分析工具检测OWASP十大安全漏洞
2. An Integrated Approach for Effective Injection Vulnerability Analysis of Web Applications Through Security Slicing and Hybrid Constraint Solving [J] . IEEE Transactions on Software Engineering . 2020,第2期

机译：通过安全切片和混合约束解决方案对Web应用程序进行有效注入漏洞分析的集成方法
3. Detecting and Removing Web Application Vulnerabilities with Static Analysis and Data Mining [J] . Ibéria Medeiros, Nuno Neves, Miguel Correia IEEE Transactions on Reliability . 2016,第1期

机译：通过静态分析和数据挖掘检测和消除Web应用程序漏洞
4. A hybrid analysis framework for detecting web application vulnerabilities [C] . Mattia Monga, Roberto Paleari, Emanuele Passerini ICSE Workshop on Software Engineering for Secure Systems . 2009

机译：用于检测Web应用程序漏洞的混合分析框架
5. Automatic Unit Testing to Detect Security Vulnerabilities in Web Applications [D] . Mohammadi, Mahmoud. 2018

机译：自动单元测试以检测Web应用程序中的安全漏洞
6. Breaking and Fixing Origin-Based Access Control in Hybrid Web/Mobile Application Frameworks [O] . Martin Georgiev, Suman Jana, Vitaly Shmatikov -1

机译：在混合Web /移动应用程序框架中破坏和修复基于源的访问控制
7. Self assessment framework for detecting vulnerability in web applications [O] . Abdul Manaf Azizah, Awang Nor Fatimah 2013

机译：用于评估Web应用程序中漏洞的自我评估框架

A hybrid analysis framework for detecting web application vulnerabilities

摘要

著录项

相似文献

相关主题

期刊订阅