Static Code Analysis of Complex PHP Application Vulnerabilities - PowerPoint PPT Presentation



SLIDE 1

Automated Security Analysis of Web Applications (Automatisierte Sicherheitsanalyse von Webapplikationen)

Static Code Analysis of Complex PHP Application Vulnerabilities

Johannes Dahse

SLIDE 2

  • 1. Introduction
  • 2. Static Code Analysis
  • 3. First-order Bug Detection
  • 4. Second-order Bug Detection
  • 5. Gadget Chain Detection

SLIDE 3

1.1 About

  • Johannes Dahse
  • @FluxReiners
  • websec.wordpress.com
  • Ph.D. IT-Security, Ruhr-University Bochum
  • Security Consultant / CTF Player
  • Developer of RIPS
  • CEO of RIPS Technologies

SLIDE 4

1.2 Research Timeline

  • 2007 – 2009: PHP scanner based on regular expressions, used for CTF competitions
  • 2009 – 2011: RIPS 0.1 – 0.5 based on the tokenizer; open sourced during MOPS
  • 2012: RIPS 1.0 based on AST and CFG, subject of master thesis
  • 2013 – 2015: RIPS 1.0 – 2.0 subject of doctoral thesis
  • 2016: RIPS 2.0 standalone / cloud product

www.ripstech.com

SLIDE 5

1.3 The Role of PHP

  • 82.2 % of the websites run PHP as server-side language
  • Dynamic language, built-in features, oddities / pitfalls
  • 25 % of all reported CVE vulnerabilities are related to PHP
  • Sucuri Website Hacked Report: 97 % of hacked websites run a PHP CMS

[Chart: server-side language usage in %: PHP, ASP, Java, CFM, Ruby, Perl, Python, JS; Source: W3Techs]
[Chart: reported CVE vulnerabilities per year, 2000–2014, PHP vs. Other; Source: MITRE CVE]

SLIDE 6

1.4 Problem

  • Detect and eliminate security vulnerabilities in PHP applications
  • Hundreds of thousands of lines of code
  • Complex and hard-to-spot vulnerabilities
  • Manual code reviews become ineffective

[Figure: Callgraph for WordPress index page]

SLIDE 7

1.5 Approach

  • Automated security analysis of PHP code
  • Static code analysis

                  Static                            Dynamic
                  analyze code without execution    analyze code during execution
  Code coverage   full                              single execution path
  Data coverage   compile-time data                 runtime data (valid for environment)
  Decidability    halting problem                   real data

SLIDE 8

1.6 Challenges

  • Dynamic PHP language
  • Support variety of language features
  • Detect common vulnerability types
  • Detect complex vulnerabilities
  • Scale to large applications
  • Non-annotation based

SLIDE 9

2. Static Code Analysis

SLIDE 10

2.1 Overview

  • Transform code into abstract syntax tree (AST)

Pipeline: Code → AST → Basic Blocks → CFG → Report

Example statement and its AST:

  $cookie = $_COOKIE['text'];

  Assign
  ├─ var:  Variable $cookie
  └─ expr: Dim (array access)
           ├─ variable: Variable $_COOKIE
           └─ dim:      String 'text'

SLIDES 11–16

2.1 Overview

  • Transform code into abstract syntax tree (AST)
  • Split AST into basic blocks
  • Analyze data flow within each basic block
  • Summarize data flow in block and function summaries
  • Connect basic blocks to a control flow graph (CFG)
  • Perform backwards-directed taint analysis for each sensitive sink

SLIDES 17–22

2.2 Refinement

Precise Simulation of PHP Built-in Features

  • Sources + sinks
  • Input sanitization + encoding
  • Built-in functions (data flow)

Efficient Data Flow Analysis

  • Block and function summaries
  • Inter-procedural
  • Object- and field-sensitive
  • Backwards-directed data flow & forwards-directed object analysis

  Software     KLOC
  Drupal        933
  Magento       909
  Typo3         646
  Joomla        444
  WordPress     282

Detection of New Vulnerability Types

  • 36 types supported
  • Context-sensitive taint analysis
  • Second-order vulnerabilities
  • POP gadget chain generation

SLIDE 23

3. First-order Bug Detection

SLIDE 24

3.1 Traditional Vulnerability Types

  ✗ Authorization Bypass
  ✗ Cross-Site Request Forgery
  ✔ Cross-Site Scripting
  ✔ Code Execution
  ✔ Command Execution
  ✔ Connection String Injection
  ✔ Denial of Service
  ✔ Directory Listing
  ✔ Execution After Redirect
  ✔ File Delete
  ✔ File Disclosure
  ✔ File Inclusion
  ✔ File Overwrite
  ✔ File System Manipulation
  ✔ File Upload
  ✔ HTTP Response Splitting
  ✔ Information Leakage
  ✔ LDAP Injection
  ✔ Log Forgery
  ✔ Mass Assignment
  ✔ Memcached Injection
  ✔ Open Redirect
  ✔ PHP Object Injection
  ✔ Reflection/Autoload Injection
  ✗ Resource Contention
  ✔ Server-Side JavaScript Injection
  ✔ Server-Side Request Forgery
  ✔ Session Fixation
  ✔ SQL Injection
  ✔ Variable Manipulation
  ✗ Weak Cryptography
  ✔ XML/XXE Injection
  ✔ XPath Injection

SLIDE 25

3.2 Security Mechanisms

  Converting:
    $url = htmlentities($_GET['id']);            // " → &quot;   < → &lt;
    echo '<a href="">' . $url . '</a>';
    echo "<a href='$url'>click</a>";
    echo '<a href="' . $url . '">click</a>';

  Escaping:
    $id = mysql_real_escape_string($_GET['id']); // ' → \'
    mysql_query("SELECT * FROM t WHERE id = '$id'");
    mysql_query('SELECT * FROM t WHERE id = ' . $id);

Legend (color-coded on the slide): source, sensitive sink, sanitization

SLIDE 26

3.2 Security Mechanisms

  Converting:
    $url = htmlentities($_GET['id']);            // " → &quot;   < → &lt;
    echo '<a href="">' . $url . '</a>';
    echo "<a href='$url'>click</a>";             // bypassed by: 'onclick='alert(1)
    echo '<a href="' . $url . '">click</a>';     // bypassed by: javascript:alert(1)

  Escaping:
    $id = mysql_real_escape_string($_GET['id']); // ' → \'
    mysql_query("SELECT * FROM t WHERE id = '$id'");
    mysql_query('SELECT * FROM t WHERE id = ' . $id);  // bypassed by: 1 or 1=1

Legend (color-coded on the slide): source, sensitive sink, sanitization

SLIDE 27

3.3 Taint Analysis

  User input:       $_GET $_POST $_COOKIE $_REQUEST $_FILES $_SERVER ...
  Sensitive sinks:  print() mysql_query() include() eval() system() ...
  Vulnerabilities:  XSS, SQL Injection, File Inclusion, Code Execution, Command Execution ...

  user input + sensitive sink = vulnerability

SLIDE 28

3.3 Taint Analysis (Refined)

  User input:       $_GET $_POST $_COOKIE $_REQUEST $_FILES $_SERVER ...
  Sanitization:     htmlentities() addslashes() basename() (int) escapeshellarg() ...
  Sensitive sinks:  print() mysql_query() include() eval() system() ...
  Vulnerabilities:  XSS, SQL Injection, File Inclusion, Code Exec, Cmd Exec ...

  user input + sanitization + sensitive sink = vulnerability

SLIDE 29

3.3 Taint Analysis (Context-Sensitive)

  User input:       $_GET $_POST $_COOKIE $_REQUEST $_FILES $_SERVER ...
  Sanitization:     htmlentities() addslashes() basename() (int) escapeshellarg() ...
  Markup:           HTML, SQL, File Path, PHP, OS Command ...
  Sensitive sinks:  print() mysql_query() include() eval() system() ...
  Vulnerabilities:  XSS, SQL Injection, File Inclusion, Code Exec, Cmd Exec ...

  user input + sanitization + markup + sensitive sink = vulnerability

SLIDE 30

3.4 Context-Sensitive Taint Analysis

  $id = $_POST['id'];
  if(...) {
      $id = (int)$id;
  }
  else {
      $id = htmlentities($id);
  }
  echo "<div id='$id'>";

SLIDES 31–37

3.4 Context-Sensitive Taint Analysis

CFG of the code above, walked backwards from the sink:

  echo "<div id='$id'>";                 ← sensitive sink
    ├─ $id = (int)$id;                   ← then-branch
    └─ $id = htmlentities($id);          ← else-branch
         $id = $_POST['id'];             ← source, reached on both branches

  1. Markup context of $id at the sink: HTML attribute, single-quoted (SQ)
  2. Path through (int)$id: sanitized, integer only
  3. Path through htmlentities($id): sanitizes " < > (prevents XSS in a double-quoted (DQ) attribute and in element context)
  4. Source $_POST['id']: user input reaches the sink with " < > removed; the single quote that closes an SQ attribute is not encoded by htmlentities() with its default flags
  5. Result: Vulnerable!

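Added example (Python, not RIPS code): a toy version of the backward, context-sensitive taint analysis from sections 2.1 and 3.4, run over the $id code above and over the escaping example from 3.2. The statement IR, the BREAKOUT and SANITIZES tables and the block numbering are simplified assumptions of this example, not the tool's internals.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set

# Assumed model: what an attacker must inject to break out of each sink context.
# Real analyzers track many more contexts and encodings; this is deliberately small.
BREAKOUT: Dict[str, Set[str]] = {
    "html_element": {"<", ">"},      # echo "<b>$x</b>"
    "html_attr_dq": {'"'},           # echo "<div id=\"$x\">"
    "html_attr_sq": {"'"},           # echo "<div id='$x'>"
    "sql_quoted": {"'"},             # "... WHERE id = '$x'"
    "sql_unquoted": {"non-digit"},   # "... WHERE id = $x": anything but digits breaks out
}

# Assumed sanitizer model: what each built-in neutralises; None = only integers survive.
SANITIZES: Dict[str, Optional[Set[str]]] = {
    "htmlentities": {'"', "<", ">"},                 # default ENT_COMPAT leaves ' alone
    "htmlentities_ENT_QUOTES": {'"', "<", ">", "'"},
    "mysql_real_escape_string": {"'", '"', "\\"},    # escapes quotes, cannot add a missing quote
    "(int)": None,
}

@dataclass
class Stmt:
    var: str        # variable assigned, e.g. "$id"
    op: str         # "source" | "sanitize" | "copy"
    arg: str = ""   # source name, sanitizer name or copied variable

@dataclass
class Block:
    stmts: List[Stmt]
    preds: List[int] = field(default_factory=list)  # CFG predecessors; block 0 is the entry

@dataclass
class Sink:
    block: int      # block whose statements all run before the sink
    var: str
    context: str

def backward_paths(cfg: Dict[int, Block], block: int) -> List[List[int]]:
    """All acyclic paths from the sink block back to the entry block 0."""
    def walk(b, seen):
        if b == 0:
            yield [0]
            return
        for p in cfg[b].preds:
            if p not in seen:
                for rest in walk(p, seen | {p}):
                    yield [b] + rest
    return list(walk(block, {block}))

def taint_on_path(cfg: Dict[int, Block], path: List[int], sink: Sink) -> Optional[Set[str]]:
    """Walk one path backwards from the sink. Returns the breakout characters that
    survive every sanitizer on the way, or None if the value is constant or typecast."""
    tracked, sanitized = sink.var, set()
    for b in path:
        for st in reversed(cfg[b].stmts):
            if st.var != tracked:
                continue
            if st.op == "sanitize":
                neutralised = SANITIZES[st.arg]
                if neutralised is None:
                    return None                      # integer typecast: nothing survives
                sanitized |= neutralised
            elif st.op == "copy":
                tracked = st.arg                     # follow $a = $b backwards into $b
            elif st.op == "source":
                return BREAKOUT[sink.context] - sanitized
    return None                                      # no user-input source on this path

def find_vulnerable_paths(cfg: Dict[int, Block], sink: Sink):
    """One finding per CFG path on which breakout characters reach the sink."""
    findings = []
    for path in backward_paths(cfg, sink.block):
        left = taint_on_path(cfg, path, sink)
        if left:
            findings.append((path[::-1], sorted(left)))
    return findings

def slide_30_example(sanitizer="htmlentities", context="html_attr_sq"):
    """$id = $_POST['id']; if(...) { $id = (int)$id; } else { $id = htmlentities($id); }
    echo "<div id='$id'>";  -- only the else-path is reported, and only for the SQ context."""
    cfg = {
        0: Block([Stmt("$id", "source", "$_POST['id']")]),
        1: Block([Stmt("$id", "sanitize", "(int)")], preds=[0]),
        2: Block([Stmt("$id", "sanitize", sanitizer)], preds=[0]),
        3: Block([], preds=[1, 2]),                  # echo "<div id='$id'>"
    }
    return find_vulnerable_paths(cfg, Sink(3, "$id", context))

def slide_25_example(quoted: bool):
    """$id = mysql_real_escape_string($_GET['id']); safe in "... id = '$id'",
    still reported for '... id = ' . $id: escaping does not match an unquoted context."""
    cfg = {0: Block([Stmt("$id", "source", "$_GET['id']"),
                     Stmt("$id", "sanitize", "mysql_real_escape_string")])}
    return find_vulnerable_paths(cfg, Sink(0, "$id", "sql_quoted" if quoted else "sql_unquoted"))
```

Swapping the sanitizer for the ENT_QUOTES variant, or the sink context for a double-quoted attribute, makes the htmlentities() path disappear from the report, which is exactly the context match the slides argue for.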
SLIDE 38

3.5 Markup Contexts (for 25 Apps, 2.5 MLOC)

[Charts: per application (1–25), lines of code (LOC) and the number of HTML, SQL and JS markup contexts]

SLIDE 39

3.6.1 HTML Markup Security

[Chart: sanitization mechanisms per HTML context (Element, DQ, SQ): Replace, Regex Validate, Explicit Typecast, Comparing, Type Validation, Converting, Other]
[Chart: mechanisms per context (Converting, Comparing, Regex Replace, Escaping, Regex Validate, Replace, Other); legend: mechanisms correctly applied vs. wrongly applied; shares shown: 52 %, 41 %, 5 %]

SLIDE 40

3.6.2 SQL Markup Security

[Chart: sanitization mechanisms per SQL context (SQ, NQ, DQ): Prepare, Replace, Regex Validate, Comparing, Type Validation, Escape, Explicit Typecast, Other]
[Chart: mechanisms per context (Regex Replace, Prepare, Truncate, Comparing, Replace, Regex Validate, Escaping, Other); legend: mechanisms correctly applied vs. wrongly applied; shares shown: 67 %, 31 %, 2 %]

SLIDE 41

3.6.3 Markup Security

Pitfall density (bars) versus markup frequency (line)

25 Applications, 2.5 MLOC, 26K Dataflows

SLIDE 43

3.7 Example

Authenticated Remote Code Execution
phpMyAdmin < 4.6.3 CVE-2016-5734

SLIDE 44

4. Second-order Bug Detection

SLIDE 45

4.1 Second-order Vulnerabilities

  1. write:  user input  !"*$()&/'\  →  application  →  database
  2. read:   database  →  application  →  !"*$()&/'\  (the stored characters come back unchanged)

SLIDE 46

4.2 Persistent Data Stores

  User input:                   $_GET, $_POST, $_COOKIE, $_FILES, $_SERVER, ...
      ↓ 1. write
  Persistent Data Store (PDS):  Databases, File Names, $_SESSION (File Content), ...
      ↓ 2. read
  Sensitive Sink:               Cross-Site Scripting, SQL Injection, Code Execution, File Inclusion, File Disclosure, ...

SLIDES 47–51

4.3 First-order Taint Analysis

  $name = $_POST['name'];
  if(...) {
      $role = 'admin';
  }
  else {
      $role = 'user';
  }
  mysql_query("INSERT INTO users VALUES('$name', '$role')");

CFG, walked backwards from the mysql_query() sink:

  mysql_query("INSERT INTO users VALUES('$name', '$role')");   ← sensitive sink
    ├─ $role = 'admin';                                        ← then-branch (constant)
    └─ $role = 'user';                                         ← else-branch (constant)
         $name = $_POST['name'];                               ← source, unsanitized

Result: SQLi via POST[name]

SLIDES 52–55

4.4 Second-order Taint Analysis

  $name = addslashes($_POST['name']);
  if(...) {
      $role = 'admin';
  }
  else {
      $role = 'user';
  }
  mysql_query("INSERT INTO users VALUES('$name', '$role')");

The backward analysis resolves the query string on both CFG paths:

  INSERT INTO users VALUES('$_POST[name]', 'admin')
  INSERT INTO users VALUES('$_POST[name]', 'user')

and records a write of user input into the persistent data store: table users, columns name and role.

Without the addslashes() call (slide 55) the same analysis additionally reports SQLi via POST[name]; the write of POST[name] into users[name] is recorded in both variants.

SLIDES 56–57

4.4 Second-order Taint Analysis

  $r = mysql_query('SELECT name FROM users');
  if(...) {
      $row = mysql_fetch_assoc($r);
  }
  else {
      die('error');
  }
  echo "Hi " . $row['name'];

CFG, walked backwards from the echo sink:

  echo "Hi " . $row['name'];                      ← sensitive sink
    $row = mysql_fetch_assoc($r);
    $r = mysql_query('SELECT name FROM users');    ← read from the persistent data store

Result: temporary finding "Temp XSS" with source users[name]

slide-58
SLIDE 58

58

Automatisierte Sicherheitsanalyse von Webapplikationen

Static Code Analysis

  • f Complex PHP Application Vulnerabilities

4.5 Second-order Vulnerability Report

PDS *

Temp XSS users[name]

id name pass

PDS'

users

Reads Writes

  • 1. Introduction
  • 2. Static Code Analysis
  • 3. First-order Bugs
  • 4. Second-order Bugs
  • 5. Gadget Chains
slide-59
SLIDE 59

59

Automatisierte Sicherheitsanalyse von Webapplikationen

Static Code Analysis

  • f Complex PHP Application Vulnerabilities

4.5 Second-order Vulnerability Report

PDS *

Temp XSS users[name]

id name pass

PDS'

users

Reads Writes

tainted?

  • 1. Introduction
  • 2. Static Code Analysis
  • 3. First-order Bugs
  • 4. Second-order Bugs
  • 5. Gadget Chains
slide-60
SLIDE 60

60

Automatisierte Sicherheitsanalyse von Webapplikationen

Static Code Analysis

  • f Complex PHP Application Vulnerabilities

4.5 Second-order Vulnerability Report

PDS *

Temp XSS users[name]

id name pass

PDS'

users

Reads Writes

sanitized?

SLIDE 61

4.5 Second-order Vulnerability Report

[Diagram: PDS Reads/Writes for table users (id, name, pass). The write to users[name] comes from $_POST[name]; combined with Temp XSS users[name] it is reported as Second-Order XSS $_POST[name].]
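A miniature version of the read/write matching in 4.4 and 4.5, added here as an example (it is not the slides' code or the RIPS implementation): the sink is traced backwards to the PDS read, the temporary vulnerability is joined with the recorded PDS writes, and each matching write is checked for taint and for a sanitizer that fits the vulnerability type. The IR tuples, the PDS_WRITES records and the SANITIZERS table are constructed assumptions.

```python
# Simplified IR of the script on the slides (constructed, not RIPS's IR):
#   ("db_read", var, table, columns)  var = mysql_query('SELECT ... FROM table')
#   ("assign", target, source)        target = f(source), taint is copied
#   ("sink", vuln_type, var)          e.g. echo ... $var[...]
READ_SCRIPT = [
    ("db_read", "$r", "users", ["name"]),
    ("assign", "$row", "$r"),            # $row = mysql_fetch_assoc($r)
    ("sink", "XSS", "$row"),             # echo "Hi " . $row['name']
]
# PDS writes seen elsewhere in the application (constructed):
# (table, column, value source, sanitizers applied to the value)
PDS_WRITES = [
    ("users", "name", "$_POST[name]", set()),
    ("users", "pass", "$_POST[pass]", {"htmlspecialchars"}),
    ("users", "id", "const", set()),
]
USER_INPUT = ("$_GET", "$_POST", "$_COOKIE")
SANITIZERS = {"XSS": {"htmlspecialchars", "htmlentities"}, "SQLi": {"mysql_real_escape_string"}}

def backward_trace(script, sink_index):
    """Follow the sink argument back through assignments to a PDS read."""
    var = script[sink_index][2]
    for kind, target, source, *extra in reversed(script[:sink_index]):
        if target != var:
            continue
        if kind == "db_read":
            return source, extra[0]          # (table, columns)
        var = source                          # keep tracing the right-hand side
    return None

def temp_vulns(script):
    """Read side: report temporary vulnerabilities as (type, table, column)."""
    found = []
    for i, stmt in enumerate(script):
        hit = backward_trace(script, i) if stmt[0] == "sink" else None
        if hit:
            found += [(stmt[1], hit[0], c) for c in hit[1]]
    return found

def second_order(temp, writes):
    """Write side: a temp vuln becomes real if a write to the same column is
    tainted and not sanitized for that vulnerability type."""
    reports = []
    for vtype, table, col in temp:
        for wtable, wcol, src, sans in writes:
            if (wtable, wcol) != (table, col) or not src.startswith(USER_INPUT):
                continue                                   # wrong column / not tainted
            if sans & SANITIZERS[vtype]:
                continue                                   # sanitized for this type
            reports.append(("Second-Order " + vtype, src, f"{table}[{col}]"))
    return reports
```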

SLIDE 62

4.6 Example Multi-step Remote Code Execution

OpenConf <= 5.30

SLIDE 63

4.6 Example


[Diagram: multi-step chain in OpenConf]
  • 1. upload: /data/papers/1.pdf
  • 2. escalate
  • 3. reconfigure: OC_headerFile
  • 4. included
Vulnerability types on the diagram: File Upload, SQLi or XSS, Second-Order LFI; result: Remote Code Execution.

All issues are fixed in versions 5.31 and 6.01.

SLIDE 64

4.6 Example

SLIDE 65
5. Gadget Chain Detection

SLIDE 66

5.1 PHP Object Injection + POP Chain

[Diagram: PHP Object Injection → Object → chaining existing code (gadgets)]

SLIDE 67

5.2 PHP Serialization

class Text {
    public function __construct($data) {
        $this->data = $data;
    }
}
$object1 = new Text('Syssec');
$tmp = serialize($object1);
// O:4:"Text":1:{s:4:"data";s:6:"Syssec";}
$object2 = unserialize($tmp);
echo $object2->data;

Unified string representation of $object1
SLIDE 68

5.3 PHP Object Injection (POI)

class Text {
    public function __construct($data) {
        $this->data = $data;
    }
}
$object1 = new Text('Syssec');
setcookie('tmp', serialize($object1));
// O:4:"Text":1:{s:4:"data";s:6:"Syssec";}
$object2 = unserialize($_COOKIE['tmp']);
echo $object2->data;

SLIDE 69

5.3 PHP Object Injection (POI)

class Text {
    public function __construct($data) {
        $this->data = $data;
    }
}
$object1 = new Text('Syssec');
setcookie('tmp', serialize($object1));
// cookie value as written by the application:
// O:4:"Text":1:{s:4:"data";s:6:"Syssec";}
// cookie value as replaced by the client:
// O:8:"stdClass":1:{s:4:"data";s:3:"NDS";}
$object2 = unserialize($_COOKIE['tmp']);
echo $object2->data;
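A parser for the serialize() format shown in 5.2 and 5.3, added here as an example (not the slides' code or PHP's own parser): it lists the classes an untrusted string such as the tmp cookie would instantiate, so the value can be checked against an allow-list before unserialize() ever runs. It handles the N, i, s, a and O types (b and d are omitted), expects the input decoded as latin-1 so that lengths count bytes, and the COOKIE_* inputs are constructed.

```python
def _parse(s, i):
    t = s[i]
    if t in "Ni":                                  # N;  i:42;
        end = s.index(";", i)
        return (None if t == "N" else int(s[i + 2:end])), end + 1
    if t == "s":                                   # s:6:"Syssec";  length in bytes
        colon = s.index(":", i + 2)
        n, start = int(s[i + 2:colon]), colon + 2
        if s[start - 1] != '"' or s[start + n:start + n + 2] != '";':
            raise ValueError("bad string length at %d" % i)
        return s[start:start + n], start + n + 2
    if t in "aO":                                  # a:1:{k;v}  O:4:"Text":1:{k;v}
        j, cls = i + 2, None
        if t == "O":
            colon = s.index(":", j)
            n = int(s[j:colon])
            cls, j = s[colon + 2:colon + 2 + n], colon + n + 4
        colon = s.index(":", j)
        count, j, items = int(s[j:colon]), colon + 2, {}
        for _ in range(count):
            key, j = _parse(s, j)
            items[key], j = _parse(s, j)
        if s[j] != "}":
            raise ValueError("unterminated container at %d" % j)
        return ((cls, items) if cls is not None else items), j + 1   # object -> (class, props)
    raise ValueError("unsupported type %r at %d" % (t, i))

def php_unserialize(s):
    value, end = _parse(s, 0)
    if end != len(s):
        raise ValueError("trailing bytes after value")
    return value

def class_names(value, out=None):                 # classes unserialize() would instantiate
    out = [] if out is None else out
    if isinstance(value, tuple):                   # (class, props)
        out.append(value[0])
        value = value[1]
    for v in (value.values() if isinstance(value, dict) else ()):
        class_names(v, out)
    return out

def safe_to_unserialize(s, allowed):               # allow-list, like PHP 7's allowed_classes
    try:
        return set(class_names(php_unserialize(s))) <= set(allowed)
    except ValueError:
        return False
# Constructed inputs: the tmp cookie from the slides and a nested File/Process object
COOKIE_OK = 'O:4:"Text":1:{s:4:"data";s:6:"Syssec";}'
COOKIE_CHAIN = 'O:4:"File":1:{s:7:"handler";O:7:"Process":1:{s:3:"pid";i:42;}}'
```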

SLIDE 70

5.4 Magic Methods

class Text {
    public function __construct($d) {
        $this->data = $d;
    }
}
class File {
    public function __destruct() {
        unlink($this->filename);
    }
}
// O:4:"Text":1:{s:4:"data";s:6:"Syssec";}
// O:4:"File":1:{s:8:"filename";s:10:"config.php";}
$object2 = unserialize($_COOKIE['tmp']);
echo $object2->data;

SLIDE 71

5.5 Property-oriented Programming (POP)

class File {
    public function __destruct() {
        $this->handler->close();
    }
}
// O:4:"File":1:{s:7:"handler";O:3:"ABC":0:{}}
$object2 = unserialize($_COOKIE['tmp']);
echo $object2->data;

POP

SLIDE 72

5.5 Property-oriented Programming (POP)

class File {
    public function __destruct() {
        $this->handler->close();
    }
}
class Process {
    public function close() {
        system('kill ' . $this->pid);
    }
}
// O:4:"File":1:{s:7:"handler";O:7:"Process":0:{}}
$object2 = unserialize($_COOKIE['tmp']);
echo $object2->data;


SLIDE 74

5.5 Property-oriented Programming (POP)

[Diagram: PHP Object Injection → Object → chaining existing code (gadgets)]

SLIDE 75

5.5 Property-oriented Programming (POP)

class File {
    public function __destruct() {
        $this->handler->close();
    }
}
class Process {
    public function close() {
        system('kill ' . $this->pid);
    }
}
// O:4:"File":1:{s:7:"handler";O:7:"Process":1:{s:3:"pid";s:6:"0;calc";}}
$object2 = unserialize($_COOKIE['tmp']);
echo $object2->data;

Executed command: > kill 0;calc


SLIDE 77

5.6 POI Detection

  • Backwards-directed taint analysis for unserialize()

$tmp = $_COOKIE['tmp'];
$obj = unserialize($tmp);

SLIDE 78

5.6 POI Detection

  • Backwards-directed taint analysis for unserialize()
  • If the argument is resolved to user input, report a POI vulnerability

$tmp = $_COOKIE['tmp'];
$obj = unserialize($tmp);   // POI

SLIDE 79

5.6 POI Detection

  • Backwards-directed taint analysis for unserialize()
  • If the argument is resolved to user input, report a POI vulnerability
  • A vulnerable unserialize() call returns a tainted object

$tmp = $_COOKIE['tmp'];
$obj = unserialize($tmp);   // POI

SLIDE 80

5.6 POI Detection

  • Backwards-directed taint analysis for unserialize()
  • If the argument is resolved to user input, report a POI vulnerability
  • A vulnerable unserialize() call returns a tainted object
  • Propagate the tainted object forward

$tmp = $_COOKIE['tmp'];
$obj = unserialize($tmp);   // POI: $obj is tainted

SLIDE 81

5.6 POI Detection

  • Backwards-directed taint analysis for unserialize()
  • If the argument is resolved to user input, report a POI vulnerability
  • A vulnerable unserialize() call returns a tainted object
  • Propagate the tainted object forward

$tmp = $_COOKIE['tmp'];
$obj = unserialize($tmp);   // POI: $obj is tainted
echo $obj->data;            // XSS

SLIDE 82

5.7 POP Chain Detection

class File {
    public function __destruct() {
        $this->handler->close();
    }
}
class Process {
    public function close() {
        system('kill ' . $this->pid);
    }
}
class Database {
    public function close() {
        mysql_close($this->db);
    }
}

  • Invoke inter-procedural analysis for all magic methods on POI

SLIDE 83

5.7 POP Chain Detection

class File {
    public function __destruct() {
        $this->handler->close();
    }
}
class Process {
    public function close() {
        system('kill ' . $this->pid);
    }
}
class Database {
    public function close() {
        mysql_close($this->db);
    }
}

  • Invoke inter-procedural analysis for all magic methods on POI
  • For unknown receivers, combine the analysis results of the methods

SLIDE 84

5.7 POP Chain Detection

class File {
    public function __destruct() {
        $this->handler->close();
    }
}
class Process {
    public function close() {
        system('kill ' . $this->pid);
    }
}
class Database {
    public function close() {
        mysql_close($this->db);
    }
}

  • Invoke inter-procedural analysis for all magic methods on POI
  • For unknown receivers, combine the analysis results of the methods
  • Arguments of a sensitive sink that are resolved to object properties are stored as the method's sensitive properties

Sensitive property of Process::close(): $this->pid

SLIDE 85

5.7 POP Chain Detection

  • Invoke inter-procedural analysis for all magic methods on POI
  • For unknown receivers, combine the analysis results of the methods
  • Arguments of a sensitive sink that are resolved to object properties are stored as the method's sensitive properties
  • Sensitive properties are applied to each receiver at the call-site

class File {
    public function __destruct() {
        $this->handler->close();
    }
}
class Process {
    public function close() {
        system('kill ' . $this->pid);
    }
}
class Database {
    public function close() {
        mysql_close($this->db);
    }
}

Sensitive property of Process::close(): $this->pid
Applied at the call-site in File::__destruct(): $this->handler->pid

SLIDE 86

5.8 POP Chain Report

  • Sensitive properties are applied to the receiving object at the call-site

$tmp = $_COOKIE['tmp'];
$obj = unserialize($tmp);   // sensitive property: $obj->handler->pid

File::__destruct(): $this->handler->pid

SLIDE 87

5.8 POP Chain Report

  • Sensitive properties are applied to the receiving object at the call-site
  • If the receiving object is tainted, a POP gadget chain is reported and attached to the POI report

POP Chain (Remote Command Execution)
$tmp = $_COOKIE['tmp'];
$obj = unserialize($tmp);   // sensitive property: $obj->handler->pid

File::__destruct(): $this->handler->pid
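A toy implementation of the POI and POP chain detection described in 5.6 to 5.8, added here as an example (not the RIPS implementation): unserialize()'s argument is resolved backwards to user input, sensitive properties are collected per method, combined for unknown receivers and prefixed with the receiver property at each call-site, and the resulting chain is attached to the POI report. The CLASSES IR, the MAGIC_METHODS list and the SCRIPT statements are constructed assumptions.

```python
# IR of the three classes on the slides (constructed by hand, not RIPS's IR):
#   ("sink", prop)           $this->prop flows into a sensitive sink
#   ("call", prop, method)   $this->prop->method() on an unknown receiver
CLASSES = {
    "File":     {"__destruct": [("call", "handler", "close")]},
    "Process":  {"close":      [("sink", "pid")]},                # system('kill '.$this->pid)
    "Database": {"close":      [("other", "db", "mysql_close")]}, # not a sensitive sink
}
MAGIC_METHODS = ("__destruct", "__wakeup", "__toString")
USER_INPUT = ("$_GET", "$_POST", "$_COOKIE")

def sensitive_props(cls, method, stack=()):
    """Property paths of `cls` that reach a sensitive sink when `method` runs."""
    if (cls, method) in stack:                     # guard against recursive gadgets
        return set()
    paths = set()
    for stmt in CLASSES.get(cls, {}).get(method, []):
        if stmt[0] == "sink":
            paths.add(stmt[1])
        elif stmt[0] == "call":
            _, receiver, callee = stmt
            # Unknown receiver: combine every class that has the method, prefixed by the receiver
            for other, methods in CLASSES.items():
                if callee in methods:
                    for p in sensitive_props(other, callee, stack + ((cls, method),)):
                        paths.add(receiver + "->" + p)
    return paths

def pop_chains(poi_var):
    """Chains a tainted object can trigger: {class: {magic method: [paths]}}."""
    report = {}
    for cls, methods in CLASSES.items():
        for m in methods:
            paths = sensitive_props(cls, m) if m in MAGIC_METHODS else set()
            if paths:
                report.setdefault(cls, {})[m] = sorted(poi_var + "->" + p for p in paths)
    return report

# The script from 5.6 as (kind, target, source) statements (constructed IR).
SCRIPT = [("assign", "$tmp", "$_COOKIE[tmp]"), ("unserialize", "$obj", "$tmp")]

def poi_report(script):
    """Resolve unserialize()'s argument backwards; on user input report the POI
    together with the POP chains the tainted object can reach."""
    origin = {}
    for kind, target, source in script:
        origin[target] = origin.get(source, source)
        if kind == "unserialize" and origin[target].startswith(USER_INPUT):
            return {"POI": target, "source": origin[target], "chains": pop_chains(target)}
    return None
```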

SLIDE 88

5.9 Example


POI to Remote Code Execution

Joomla < 3.3.4 CVE-2014-7228

SLIDE 89
6. Conclusion

  • Requirements for SCA tools changed
      • Diverse language features
      • Applied security mechanisms
      • Complex vulnerability types
      • Growing code size
  • SCA can automate bug detection
      • Quickly identify traditional vulnerabilities
      • Combine multiple bugs to detect complex bugs
  • Challenges for frameworks (reflection, template engines)