Friday, July 1 • 16:15 - 17:00
Static Code Analysis of Complex PHP Application Vulnerabilities


PHP remains the most popular server-side language on the Web and the
favored target of Web attacks. Although developers have become more aware
of traditional vulnerability types such as XSS and SQLi, these flaws
still persist because of faulty security mechanisms or intricate language
features. More complex vulnerability types, such as second-order
vulnerabilities or PHP object injection, are comparatively unknown and
are actively exploited by attackers.

The manual detection of such complex vulnerabilities in modern PHP
applications with hundreds of thousands of lines of code is time-consuming
and expensive. With the help of static code analysis, security
vulnerabilities can be detected automatically and subsequently
remediated. However, previous research in this area focused only on the
shallow detection of traditional vulnerability types and dismissed more
complex occurrences and types of vulnerabilities.

This talk shows how to detect complex vulnerabilities automatically with
state-of-the-art code analysis techniques. The techniques are able to
precisely detect traditional security vulnerabilities in various markup
contexts, as well as second-order vulnerabilities and gadget chains for
PHP object injections. Further, open challenges and lessons learned
during the development and evaluation of the techniques are outlined.
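To make the two "complex" classes named in the abstract concrete, here is a constructed PHP illustration (added here; not code from the talk or from RIPS): a second-order SQL injection, where the value is escaped on the way into the database but trusted on the way back out, and a PHP object injection with a one-class gadget chain reachable from unserialize(). The table layout, the FileLogger class, the cookie format and the temp-file path are all assumptions chosen for the demo. Each vulnerable function is followed by its hardened form.

```php
<?php
// Constructed demo, not from the talk: second-order SQLi and PHP object
// injection (POI), each beside a hardened variant. Runs with plain PHP CLI
// and the bundled pdo_sqlite driver, no network or files needed except one
// temp file written by the gadget.

// ---------- 1. Second-order SQL injection ----------------------------------
// The attacker's string is stored through a parameterised query (first-order
// sink looks safe), then read back and concatenated into a second query.
// A taint analysis that stops tracking at the database write misses this.

$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec("CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT)");
$db->exec("CREATE TABLE notes (owner TEXT, body TEXT)");
$db->exec("INSERT INTO notes VALUES ('alice', 'alice private note')");
$db->exec("INSERT INTO notes VALUES ('bob',   'bob private note')");

function register(PDO $db, string $name): void {
    // Parameterised: the first-order sink is fine on its own.
    $db->prepare("INSERT INTO users (name) VALUES (?)")->execute([$name]);
}

function notesForUser(PDO $db, int $id): array {
    $stmt = $db->prepare("SELECT name FROM users WHERE id = ?");
    $stmt->execute([$id]);
    $name = $stmt->fetchColumn();
    // Second-order sink: $name came from the database, but it originally
    // came from the registration form. Concatenation here is SQLi.
    return $db->query("SELECT body FROM notes WHERE owner = '$name'")
              ->fetchAll(PDO::FETCH_COLUMN);
}

function notesForUserSafe(PDO $db, int $id): array {
    $stmt = $db->prepare("SELECT name FROM users WHERE id = ?");
    $stmt->execute([$id]);
    $name = $stmt->fetchColumn();
    // Hardened: data read back from storage is still untrusted input.
    $stmt = $db->prepare("SELECT body FROM notes WHERE owner = ?");
    $stmt->execute([$name]);
    return $stmt->fetchAll(PDO::FETCH_COLUMN);
}

register($db, "x' OR '1'='1");              // constructed attacker name
print_r(notesForUser($db, 1));              // both users' notes leak
print_r(notesForUserSafe($db, 1));          // empty: no user named x' OR ...

// ---------- 2. PHP object injection with a gadget chain --------------------
// Any class loaded at unserialize() time whose magic method has a useful
// side effect is a gadget. Here a single __destruct() writes a file.

class FileLogger {
    public $path;
    public $buffer = '';
    public function __destruct() {
        // Gadget: flushes the buffer to $path when the object dies.
        file_put_contents($this->path, $this->buffer);
    }
}

function loadSession(string $cookie) {
    return unserialize(base64_decode($cookie));          // POI sink
}

function loadSessionSafe(string $cookie): array {
    // Hardened: never instantiate attacker-chosen classes. Objects become
    // __PHP_Incomplete_Class, whose magic methods are not the gadget's.
    $v = unserialize(base64_decode($cookie), ['allowed_classes' => false]);
    return is_array($v) ? $v : [];
}

// The attacker does not need the class locally: the payload is just text.
$path = sys_get_temp_dir() . '/poi_demo.txt';
$msg  = "written by a deserialization gadget\n";
$payload = sprintf(
    'O:10:"FileLogger":2:{s:4:"path";s:%d:"%s";s:6:"buffer";s:%d:"%s";}',
    strlen($path), $path, strlen($msg), $msg
);
$cookie = base64_encode($payload);

$obj = loadSession($cookie);
unset($obj);                                // __destruct runs, file written
echo file_get_contents($path);

$safe = loadSessionSafe($cookie);           // [] ; nothing is executed
var_dump(file_exists($path) && unlink($path));
```

The second-order case is what makes "shallow" taint tracking insufficient: the analysis has to carry taint through the INSERT into the users table and back out of the SELECT before it reaches the concatenated query. The POI case shows why gadget-chain detection is a whole-program problem: the sink is unserialize(), but the dangerous code is in an unrelated class that merely happens to be autoloadable.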

Speakers
Johannes Dahse

CEO, RIPS Technologies
Dr. Johannes Dahse recently finished his Ph.D. in IT security at the Ruhr-University Bochum, Germany. Over the past four years he explored new static code analysis techniques to support his work as a security consultant. He is now co-founder and CEO of RIPS Technologies, a Bochum-based IT security company focused on code analysis solutions for web applications.


Friday July 1, 2016 16:15 - 17:00
Room B (Tiziano Ballroom Sec. 1)
