Virtual Static Security Analyzer for Web Applications

Web applications are popular victims of injection attacks such as SQL injection and cross-site scripting. Vulnerability detection tools allow preventing these attacks but are often bound to a single language and hard to port to new languages. We propose a new approach to support the addition of new languages without much effort. In order to achieve this, our solution does not analyze the source code AST directly, instead, it traverses the source code AST and builds a generic AST (GAST) from it. Then, the tool analyzes the GAST to find vulnerabilities. This way we decouple the analysis and the source code parsing. To add support for a new language we just need to generate a parser and write a converter for that AST, which is usually less than 110 lines of code. We implemented a tool called GT with this approach. The tool currently supports four languages: Java, PHP, Python and JavaScript. It was tested against several web applications written in the same languages.