• DocumentCode
    3657099
  • Title

    phpSAFE: A Security Analysis Tool for OOP Web Application Plugins

  • Author

    Paulo Jorge Costa Nunes;José ;Marco Vieira

  • Author_Institution
    Polytech. Inst. of Guarda, Univ. of Coimbra, Guarda, Portugal
  • fYear
    2015
  • fDate
    6/1/2015 12:00:00 AM
  • Firstpage
    299
  • Lastpage
    306
  • Abstract
    There is nowadays an increasing pressure to develop complex Web applications at a fast pace. The vast majority is built using frameworks based on third-party server-side plugins that allow developers to easily add new features. However, as many plugin developers have limited programming skills, there is a spread of security vulnerabilities related to their use. Best practices advise the use of systematic code review for assure security, but free tools do not support OOP, which is how most Web applications are currently developed. To address this problem we propose phpSAFE, a static code analyzer that identifies vulnerabilities in PHP plugins developed using OOP. We evaluate phpSAFE against two well-known tools using 35 plugins for a widely used CMS. Results show that phpSAFE clearly outperforms other tools, and that plugins are being shipped with a considerable number of vulnerabilities, which tends to increase over time.
  • Keywords
    "Security","Software","Databases","Arrays","Filtering","Context","Measurement"
  • Publisher
    ieee
  • Conference_Titel
    Dependable Systems and Networks (DSN), 2015 45th Annual IEEE/IFIP International Conference on
  • Type

    conf

  • DOI
    10.1109/DSN.2015.16
  • Filename
    7266859