AppSec Europe 2016 has ended
Back To Schedule
Friday, July 1 • 16:15 - 17:00
Static Code Analysis of Complex PHP Application Vulnerabilities

Sign up or log in to save this to your schedule, view media, leave feedback and see who's attending!

PHP remains the most popular server-side language on the Web and the
favored language for Web attacks. Although developers become more aware
of traditional vulnerabilities types, such as XSS and SQLi, these flaws
still persist due to faulty security mechanisms or intricate language
features. Besides, more complex vulnerability types, such as
second-order vulnerabilities or PHP object injections, are comparatively
unknown and actively exploited by attackers.

The manual detection of such complex vulnerabilities in modern PHP
applications with hundreds of thousands lines of code is time-consuming
and expensive. With the help of static code analysis, security
vulnerabilities can be detected in an automated fashion and subsequently
remediated. However, previous research in this area focused only on the
shallow detection of traditional vulnerability types and dismissed more
complex occurrences or types of vulnerabilities.

This talk shows how to detect complex vulnerabilities automatically with
state-of-the-art code analysis techniques. The techniques are able to
precisely detect traditional security vulnerabilities in various markup
contexts, as well as second-order vulnerabilities and gadget chains for
PHP object injections. Further, open challenges and lessons learned
during the development and evaluation of the techniques are outlined.

avatar for Johannes Dahse

Johannes Dahse

CEO, RIPS Technologies
Dr. Johannes Dahse recently finished his Ph.D. in IT security at the Ruhr-University Bochum, Germany. In the past four years, he explored new static code analysis techniques in order to assist his work as a security consultant. Since then, he is co-founder and the CEO of RIPS Technologies... Read More →

Friday July 1, 2016 16:15 - 17:00 CEST
Room B (Tiziano Ballroom Sec. 1)