Static analysis for detecting taint-style vulnerabilities in web applications

Jovanovic, Nenad; Kruegel, Christopher; Kirda, Engin
Journal of Computer Security, Vol 18, N°5, August 2010





taint analysis at the core of our engine, we


employ a precise alias analysis targeted at the unique reference semantics commonly found in scripting


languages. Moreover, we enhance the quality and quantity of the generated vulnerability reports by employing


an iterative two-phase algorithm for fast and precise resolution of file inclusions. The presented


concepts are targeted at the general class of taint-style vulnerabilities and can be easily applied to the detection


of vulnerability types such as SQL injection, cross-site scripting (XSS), and command injection.


We implemented the presented concepts in Pixy, a high-precision static analysis tool aimed at detecting


cross-site scripting and SQL injection vulnerabilities in PHP programs. To demonstrate the effectiveness


of our techniques, we analyzed a number of popular, open-source web applications and discovered hundreds


of previously unknown vulnerabilities. Both the high analysis speed as well as the low number of


generated false positives show that our techniques can be used for conducting effective security audits.




The number and the importance of web applications have increased rapidly over the last years. At the


same time, the quantity and impact of security vulnerabilities in such applications have grown as well.


Since manual code reviews are time-consuming, error-prone and costly, the need for automated solutions


has become evident.


In this paper, we address the problem of vulnerable web applications by means of static source code


analysis. More precisely, we use flow-sensitive, interprocedural and context-sensitive data flow analysis


to discover vulnerable points in a program. In addition to the

Digital Security
Eurecom Ref:
© IOS Press. Personal use of this material is permitted. The definitive version of this paper was published in Journal of Computer Security, Vol 18, N°5, August 2010 and is available at :