For over two decades, the web has been evolving from a simple set of hypermedia documents to a complex ecosystem of web applications that are supported by various frameworks. This paradigm shift has been promoting a series of practices that lead to an
increasing number of vulnerabilities, which can compromise the security of web applications. One of the main contributing factors lies in vulnerable source code, written in unsafe languages such as PHP.
In order to mitigate the problem, a large research effort on web application security has occurred over the past years. Source code static analysis tools perform the task of finding program vulnerabilities in an automated fashion. These tools offer superior code
coverage, easier integration into the application development cycle, and do not require the actual code to be executed. They instead perform source code analysis, looking for potential bugs while inspecting the program code. However, the analysis performed by these tools depends on their knowledge of the classes of vulnerabilities and the implementation of analysis techniques, such as taint analysis. This means that, on one hand, the tools only search for vulnerabilities in the source code that they hold knowledge of, being unable to find other kinds of problems. On the other hand, the tools may generate false positives and false negatives, due to the limitations and incompleteness of implemented analysis techniques.
One such tool is the Web Application Protection (WAP) tool. The main objective of this dissertation is to identify problems with WAP and improve its vulnerability detection capabilities when processing open source PHP code. Four static analysis tools - WAP, Pixy, phpSAFE and RIPS - are evaluated against a set of WordPress plugins that are known to be vulnerable, in order to collect examples of incorrect processing by the tools that leads, for instance, to false negatives. Additionally, we define and evaluate several use cases for a commonly found limitation: the identification and circumvention of circular dependencies (i.e., recursive inclusion of code) in the source code. If circular dependencies are not handled correctly, they may lead to unexpected tool behaviors and incorrect analyses. These assessments help in reflecting upon new solutions to address WAP’s shortcomings. A new version of WAP is implemented and evaluated with the same original WordPress plugins.
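To make the circular-dependency problem concrete, the following is an added example (not WAP's code, nor any of the evaluated tools') of how a static analyzer can resolve PHP `include`/`require` statements without looping on recursive inclusion. It uses three constructed PHP files held in a dictionary (`a.php` includes `b.php`, which includes `a.php` again and `c.php`), walks the include graph depth-first with an explicit "on stack" set so that a file already being processed is reported as a cycle rather than re-entered, and then runs a deliberately minimal, flow-insensitive taint check (request superglobal to `echo`, with `htmlspecialchars()` as the only recognised sanitizer) once per file in dependency order. The regexes and the sanitizer list are simplifications assumed for the example; a real tool parses the code into an AST.

```python
import re
from typing import Dict, List, Set, Tuple

# Constructed sample "plugin": a.php -> b.php -> a.php is a circular include.
# A resolver that naively follows every include statement recurses forever here.
SAMPLE_FILES: Dict[str, str] = {
    "a.php": """<?php
require_once 'b.php';
$name = $_GET['name'];
echo $name;
""",
    "b.php": """<?php
include 'a.php';
include 'c.php';
function helper($n) { return strtoupper($n); }
""",
    "c.php": """<?php
$safe = htmlspecialchars($_GET['q']);
echo $safe;
""",
}

# Assumed, simplified patterns: string-literal includes, request superglobals
# as taint sources, htmlspecialchars() as the only sanitizer, echo as the sink.
INCLUDE_RE = re.compile(r"""\b(?:include|require)(?:_once)?\s*\(?\s*['"]([^'"]+)['"]""")
SOURCE_RE = re.compile(r"\$(\w+)\s*=\s*\$_(?:GET|POST|REQUEST|COOKIE)\b")
SANITIZED_RE = re.compile(r"\$(\w+)\s*=\s*htmlspecialchars\(")
SINK_RE = re.compile(r"\becho\s+\$(\w+)")


def includes_of(files: Dict[str, str], name: str) -> List[str]:
    """File names referenced by include/require statements in one file."""
    return INCLUDE_RE.findall(files.get(name, ""))


def include_order(files: Dict[str, str], entry: str) -> Tuple[List[str], List[Tuple[str, ...]]]:
    """Depth-first resolution of the include graph starting at `entry`.

    Returns (order, cycles): `order` lists every reachable file exactly once,
    dependencies first; `cycles` lists each include path that returned to a
    file still being processed, instead of re-entering it."""
    order: List[str] = []
    cycles: List[Tuple[str, ...]] = []
    done: Set[str] = set()
    on_stack: List[str] = []

    def visit(name: str) -> None:
        if name in on_stack:  # recursive inclusion: record and stop
            cycles.append(tuple(on_stack[on_stack.index(name):]) + (name,))
            return
        if name in done:  # already analyzed via another path
            return
        on_stack.append(name)
        for dep in includes_of(files, name):
            visit(dep)
        on_stack.pop()
        done.add(name)
        order.append(name)

    visit(entry)
    return order, cycles


def find_tainted_echo(files: Dict[str, str], name: str) -> List[Tuple[str, str]]:
    """Flow-insensitive single-file check: a variable assigned from a request
    superglobal and echoed in the same file without htmlspecialchars()."""
    src = files.get(name, "")
    tainted = set(SOURCE_RE.findall(src)) - set(SANITIZED_RE.findall(src))
    return sorted((name, v) for v in SINK_RE.findall(src) if v in tainted)


def analyze(files: Dict[str, str], entry: str) -> dict:
    """Resolve includes once, then run the taint check on each file once."""
    order, cycles = include_order(files, entry)
    findings: List[Tuple[str, str]] = []
    for f in order:
        findings.extend(find_tainted_echo(files, f))
    return {"order": order, "cycles": cycles, "findings": findings}


if __name__ == "__main__":
    result = analyze(SAMPLE_FILES, "a.php")
    print("analysis order:", result["order"])
    print("circular includes:", result["cycles"])
    print("tainted echo:", result["findings"])
```

The point of the `on_stack` check is that the cycle is reported as data (`('a.php', 'b.php', 'a.php')`) and the analysis of `a.php` still completes and is performed exactly once; a resolver that only tracked a `done` set after finishing a file would still recurse indefinitely, because `a.php` is not done when `b.php` includes it.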
This dissertation offers the following contributions. A list of vulnerabilities is compiled through manual analysis of the plugins, in a format that allows comparison between the chosen tools and the identification of common false negatives. An enhanced version of WAP is implemented, with improved detection capabilities that reduce both false positives and false negatives. Two evaluations of WAP against the set of WordPress plugins are presented, comparing the results before and after the enhancements, respectively.