Virtual Static Security Analyzer for Web Applications

Cited by: 0
Authors
Brinza, Mihail [1]
Correia, Miguel [1]
Pereira, Joao [1]
Affiliations
[1] Univ Lisbon, Inst Super Tecn, INESC ID, Lisbon, Portugal
Keywords
DOI
10.1109/TrustCom53373.2021.00119
CLC classification number
TP18 [Artificial intelligence theory];
Discipline classification codes
081104 ; 0812 ; 0835 ; 1405 ;
Abstract
Web applications are popular victims of injection attacks such as SQL injection and cross-site scripting. Vulnerability detection tools help prevent these attacks, but they are often bound to a single language and hard to port to new languages. We propose a new approach that supports adding new languages with little effort. Rather than analyzing the source code AST directly, our solution traverses the source code AST and builds a generic AST (GAST) from it; the tool then analyzes the GAST to find vulnerabilities. This decouples the analysis from the source code parsing. To add support for a new language, one only needs to generate a parser and write a converter for that language's AST, which is usually less than 110 lines of code. We implemented a tool called GT with this approach. The tool currently supports four languages: Java, PHP, Python and JavaScript. It was tested against several web applications written in those languages.
Pages: 840 - 848
Page count: 9