taint analysis at the core of our engine, we
employ a precise alias analysis targeted at the unique reference semantics commonly found in scripting
languages. Moreover, we enhance the quality and quantity of the generated vulnerability reports by employing
an iterative two-phase algorithm for fast and precise resolution of file inclusions. The presented
concepts are targeted at the general class of taint-style vulnerabilities and can be easily applied to the detection
of vulnerability types such as SQL injection, cross-site scripting (XSS), and command injection.
We implemented the presented concepts in Pixy, a high-precision static analysis tool aimed at detecting
cross-site scripting and SQL injection vulnerabilities in PHP programs. To demonstrate the effectiveness
of our techniques, we analyzed a number of popular, open-source web applications and discovered hundreds
of previously unknown vulnerabilities. Both the high analysis speed as well as the low number of
generated false positives show that our techniques can be used for conducting effective security audits.
The number and the importance of web applications have increased rapidly over the last years. At the
same time, the quantity and impact of security vulnerabilities in such applications have grown as well.
Since manual code reviews are time-consuming, error-prone and costly, the need for automated solutions
has become evident.
In this paper, we address the problem of vulnerable web applications by means of static source code
analysis. More precisely, we use flow-sensitive, interprocedural and context-sensitive data flow analysis
to discover vulnerable points in a program. In addition to the