International Journal of Engineering Trends and Technology (IJETT) – Volume 21 Number 9 – March 2015

Improving RIPS for Dynamic Web Application Security Assessment

Swapnil R Vaidya#1, Shweta K Bandekar*2, Swapnil S Khandekar#3
Department of Computer Engineering, Rajendra Mane College of Engineering and Technology, Ambav, Devrukh, India

Abstract— PHP is one of the most widely used scripting languages on the World Wide Web today, and an application that does not handle user-supplied data carefully therefore exposes a correspondingly large attack surface. RIPS is a tool that reduces testing time by automating the identification of potential security flaws in PHP source code through static source code analysis. Static analysis has limitations, however. Large PHP projects in particular rely on the interaction of several PHP scripts, and a security flaw may span several files before it can be exercised or detected correctly. Recent work in this area has focused on a limited number of vulnerability types, such as Cross-Site Scripting (XSS) and SQL injection (SQLi). Our main aim is to add dynamicity to the current version of RIPS so that it can scan static as well as dynamic web applications. RIPS can only find security vulnerabilities that are bugs; it cannot find intentionally obfuscated backdoors, which are easily hidden behind dynamic function names. It also cannot determine in every scenario whether a securing action taken by the developer is actually safe, which leads to false positives and false negatives. The proposed RIPS is to fully support object-oriented programming, including the handling of variable variables and of potentially vulnerable functions (PVFs) detected in class files.

Keywords— RIPS; vulnerabilities; static web page; dynamic web page; security; threats

I. INTRODUCTION

PHP is one of the most widely used scripting languages on the web.
Consequently, a large share of the vulnerabilities found on the web are in PHP code. Finding them can be automated, which reduces the time and cost of vulnerability detection. There are many free black-box scanners available, but very few open source white-box scanners for PHP, and fewer still that cope with dynamically generated pages. RIPS is an open source white-box scanner that finds vulnerabilities in PHP source code by static analysis; however, it cannot handle dynamic web pages. We therefore improve RIPS so that it can find sinks in static as well as dynamic web pages.

A. Web Threat

A web threat is any threat that uses the World Wide Web to facilitate cybercrime. Web threats use various types of malware as well as fraud, all of which are carried over HTTP or HTTPS.

SQL Injection: SQL injection is a code injection technique used to attack database-driven applications, in which maliciously crafted SQL statements are inserted into an entry field for execution. SQL injection is mostly known as an attack vector against websites, but it can be used against any application that builds SQL queries from untrusted input.

Cross-site scripting: Cross-site scripting (XSS) is a type of computer security vulnerability typically found in web applications. XSS enables attackers to inject client-side script into web pages viewed by other users.

B. Vulnerability Detection Tools

Although the purpose of a vulnerability injection tool is the opposite of that of a vulnerability detection tool, the two have many characteristics in common: both rely on static analysis of the source code, and both need a model of each vulnerability, either to detect an instance of it or to detect a location where it could be injected. It is therefore important to have analysis tools that perform vulnerability detection on PHP.

II. PROBLEM DEFINITION

A. Problem Statement

Over the last decade, ever more applications with dynamic content have appeared as a result of user-friendly scripting languages. PHP is one of the most popular scripting languages on the World Wide Web today, and it therefore also carries a large share of the security risk. There is a need for a tool that takes the dynamic nature of web pages into account and reduces the effort of the penetration tester.

B. Proposed System

The proposed system is an improved version of RIPS that overcomes two major shortcomings of the current version: it cannot scan dynamic web pages, and it does not recognise object-oriented code. The new system will also help make the web application more secure by suggesting functions that can reduce the attacks on the application.

Providing a Dynamic RIPS: The main limitation of static source code analysis is the evaluation of dynamic strings. In PHP, the name of an included file can be generated at runtime. Currently, RIPS can only reconstruct dynamic file names composed of string literals and variables that hold strings; if the file name is produced by a function call, it cannot be reconstructed. Large PHP projects in particular rely on the interaction of several PHP scripts, and a security flaw may depend on several files to work and to be detected correctly. Our work addresses this problem. One option is to combine dynamic and static source code analysis to evaluate dynamic file names.

An Object-Oriented Approach with RIPS: The main drawback of the current RIPS is that it cannot handle constructs such as classes, file inclusion, and variable variables, which are defined as follows.

The include() function takes all the text in the specified file and copies it into the file that calls include(). The require() function does the same, but if the file cannot be loaded, require() generates a fatal error and halts execution, whereas include() only emits a warning and continues.

A class is a collection of variables and the functions that work on those variables. A basic class definition begins with the keyword class, followed by the class name and a pair of curly braces enclosing the definitions of the properties and methods belonging to the class.

A variable variable takes the value of a variable and treats it as the name of another variable.

III. METHODOLOGY AND ANALYSIS

A. Methodology

1) The Tokenizer: In order to analyse a PHP script correctly, the code is first split into tokens using the PHP function token_get_all(). Each token is an array consisting of a token identifier, which can be turned into a token name by calling token_name(), the token text, and the line number. A single character that carries meaning on its own (such as = or ;) appears in the token list as a plain string. For the script <?php $a = 'a'; ?> the token list begins as follows (the remaining whitespace tokens are omitted):

    T_OPEN_TAG                  value: <?php
    T_VARIABLE                  value: $a
    T_WHITESPACE                value: ' '
    =                           (single character, plain string)
    T_CONSTANT_ENCAPSED_STRING  value: 'a'
    ;                           (single character, plain string)
    T_CLOSE_TAG                 value: ?>

Once the token list of a PHP script is obtained, several adjustments are made so that the tokens can be analysed correctly. Some special characters are replaced by function names, and all whitespace, inline HTML, and comments are deleted from the token list to reduce overhead and to identify connected tokens correctly. The source code is then analysed token by token. To keep the analysis fast, RIPS aims to analyse the token list of each file only once: it loops through the token list, identifies important tokens by their name, and takes the following actions for each of them.
T_INCLUDE: If a file inclusion is found, the tokens of the included file are inserted into the current token list. If the file name consists of string literals and variables, the file name can be reconstructed dynamically.

T_FUNCTION: If a new function definition is detected, its name and parameters are analysed.

T_RETURN: If a user-defined function returns a variable, this variable is traced backwards to its source and checked for securing actions. If the return value is tainted by user input, the function is added to a list of functions that taint any variable their result is assigned to.

T_VARIABLE: When a variable declaration is identified, the current scope is checked and the declaration is added either to the list of local variables or to the list of global variables, together with the corresponding line of source code.

2) User Taint: Source code audits repeated over and over show that the same procedure for finding security flaws is followed every time. First, potentially vulnerable functions (PVFs) that can lead to certain vulnerabilities are identified; then the variables in their parameters are traced back to their origin. If a parameter of the function with which the PVF is called can be specified or modified by a user, the parameter is marked as tainted and the PVF call is treated as a potential security vulnerability. The sources of user input in PHP are the superglobals $_GET, $_POST, $_COOKIE and $_FILES, as well as some $_SERVER and $_ENV entries. Several functions that read from databases, files, or environment variables can also return user input and taint other variables. To automate the process of finding security flaws, a large list of PVFs is built, consisting of PHP functions that can lead to a security flaw when called with unsanitised user input; the list also includes less well-known PVFs. Once a PVF is detected, the next step is to identify its parameters.
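The tokenizer of 1) and the backward taint trace of 2) are easier to follow in running code. The following Python program is an added example written for this page; it is not RIPS code and not part of the original paper. It re-implements a small token_get_all()-style tokenizer for a straight-line PHP subset (no control flow, user functions, classes, or includes), deletes whitespace and comments from the token list as RIPS does, and then performs a RIPS-style backward trace from each PVF parameter to its source, honouring a per-sink list of securing functions, a global list of eliminating functions, and typecasts. The PVF list, the securing lists, the set of sources, and the PHP sample script are all constructed for this example and are much smaller than the lists RIPS itself carries.

```python
import re
# token_get_all()-style tokenizer for a PHP subset; single characters such as '=' stay bare strings.
TOKEN_SPEC = [("T_OPEN_TAG", r"<\?php\b"), ("T_CLOSE_TAG", r"\?>"),
              ("T_COMMENT", r"//[^\n]*|/\*.*?\*/"), ("T_WHITESPACE", r"\s+"),
              ("T_INT_CAST", r"\(\s*int(?:eger)?\s*\)"), ("T_VARIABLE", r"\$[A-Za-z_]\w*"),
              ("T_CONSTANT_ENCAPSED_STRING", r"'(?:[^'\\]|\\.)*'|\"(?:[^\"\\]|\\.)*\""),
              ("T_STRING", r"[A-Za-z_]\w*"), ("CHAR", r".")]
TOKEN_RE = re.compile("|".join(f"(?P<{n}>{p})" for n, p in TOKEN_SPEC), re.S)
NOISE = {"T_WHITESPACE", "T_COMMENT", "T_OPEN_TAG", "T_CLOSE_TAG"}  # deleted before analysis

def tokenize(src):
    """Return (name, text, line) triples in the shape token_get_all() produces."""
    tokens, line = [], 1
    for m in TOKEN_RE.finditer(src):
        kind, value = m.lastgroup, m.group()
        kind = "T_ECHO" if value == "echo" else kind  # language construct, not an identifier
        tokens.append(value if kind == "CHAR" else (kind, value, line))
        line += value.count("\n")
    return tokens

def statements(tokens):
    """Drop the noise tokens (as RIPS does), then split the rest into statements at ';'."""
    kept = [t for t in tokens if isinstance(t, str) or t[0] not in NOISE]
    cuts = [-1] + [i for i, t in enumerate(kept) if t == ";"] + [len(kept)]
    return [kept[a + 1:b] for a, b in zip(cuts, cuts[1:]) if b > a + 1]

def name(t): return t if isinstance(t, str) else t[0]
def text(t): return t if isinstance(t, str) else t[1]

def call_args(toks, i):
    """For the '(' at toks[i]: index of its matching ')' and the argument token lists."""
    args, depth = [[]], 1
    for j in range(i + 1, len(toks)):
        depth += (toks[j] == "(") - (toks[j] == ")")
        if depth == 0:
            return j, [a for a in args if a]
        if toks[j] == "," and depth == 1:
            args.append([])
        else:
            args[-1].append(toks[j])
    raise SyntaxError("unbalanced parentheses")

SOURCES = {"$_GET", "$_POST", "$_COOKIE", "$_REQUEST", "$_FILES"}
# PVF -> (traced parameter positions, securing functions); exec()'s 2nd parameter only receives output.
PVF = {"echo": ((0,), {"htmlspecialchars", "htmlentities"}),
       "exec": ((0,), {"escapeshellarg", "escapeshellcmd"})}
ELIMINATING = {"intval", "floatval"}  # global list: neutralise every sink, like a typecast

def trace(expr, securing, assigns, before_idx):
    """Follow an expression back to user input: the [(line, text), ...] hops, or None if safe."""
    i = 0
    while i < len(expr):
        t, i = expr[i], i + 1
        if name(t) == "T_INT_CAST":  # (int) $x: the cast operand cannot carry a payload
            i = call_args(expr, i)[0] + 1 if expr[i:i + 1] == ["("] else i + 1
        elif name(t) == "T_STRING" and expr[i:i + 1] == ["("]:
            end, args = call_args(expr, i)
            i = end + 1
            if text(t) not in securing:  # taint flows through ordinary function calls
                for arg in args:
                    hop = trace(arg, securing, assigns, before_idx)
                    if hop:
                        return hop
        elif name(t) == "T_VARIABLE" and text(t) in SOURCES:  # reached user input
            end = expr.index("]", i) + 1 if expr[i:i + 1] == ["["] else i
            return [(t[2], "".join(map(text, expr[i - 1:end])))]  # e.g. "$_POST['name']"
        elif name(t) == "T_VARIABLE":  # latest assignment before the current statement
            for idx, line, rhs in reversed(assigns.get(text(t), [])):
                if idx < before_idx:
                    hop = trace(rhs, securing, assigns, idx)
                    if hop:
                        return [(line, f"{text(t)} = ...")] + hop
                    break
    return None

def analyze(src):
    """Report PVF calls whose traced parameters originate from user input."""
    assigns, findings = {}, []
    for idx, stmt in enumerate(statements(tokenize(src))):
        head, kind = text(stmt[0]), name(stmt[0])
        if kind == "T_VARIABLE" and stmt[1:2] == ["="]:  # remember var -> (stmt index, line, rhs)
            assigns.setdefault(head, []).append((idx, stmt[0][2], stmt[2:]))
        elif kind == "T_ECHO" or (kind == "T_STRING" and head in PVF and stmt[1:2] == ["("]):
            sink = "echo" if kind == "T_ECHO" else head
            args = [stmt[1:]] if kind == "T_ECHO" else call_args(stmt, 1)[1]
            for pos in (p for p in PVF[sink][0] if p < len(args)):
                hop = trace(args[pos], PVF[sink][1] | ELIMINATING, assigns, idx)
                if hop:
                    findings.append({"sink": sink, "line": stmt[0][2], "param": pos, "trace": hop})
    return findings

# Constructed sample script for this example (not taken from the paper or from RIPS).
PHP_SOURCE = r"""<?php
$id = (int) $_GET['id'];                    // typecast eliminates the taint
echo "id=" . $id;                           // safe: traced back to the cast
$name = $_POST['name'];
echo "Hello " . $name;                      // XSS: $name comes from $_POST
echo htmlspecialchars($name);               // safe: securing function for echo
$out = $_GET['debug'];
exec("ls " . escapeshellarg($name), $out);  // safe; $out is only an output parameter
exec("ls " . strtoupper($name), $out);      // injection: taint survives strtoupper()
"""
```

Calling analyze(PHP_SOURCE) yields two findings: the echo on line 5 and the exec() on line 9, each traced back through the assignment to $name on line 4 to $_POST['name']. The cast on line 2, htmlspecialchars() on line 6 and escapeshellarg() on line 8 are recognised as securing actions, and exec()'s second parameter is never traced, so the user input assigned to $out on line 7 does not produce a false positive. Taint is followed only through assignments with a smaller statement index, so the trace always terminates.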
The variables in those parameters are compared with previously declared variables. If a parameter originates from user input, the PVF call is treated as a potential vulnerability. The tree of traced parameters is then shown to the user in reverse order, and the user decides whether it is a real vulnerability or a false positive.

To reduce false positives it is important to trace only significant parameters. A parameter that merely receives the result of a command execution (the variable into which the output is written) should not be traced, because an earlier assignment of user input to that variable would otherwise produce a false positive. Another source of false positives is securing actions taken by the developer. Certain functions prevent an attacker from injecting arbitrary commands into a system call, and a typecast of a variable before it is assigned to another also eliminates a command execution vulnerability. Therefore, a list of securing functions is assigned to each element of the PVF list, and a global list of securing or eliminating functions and actions is defined in addition. Because a securing action may be implemented incorrectly, the user must keep the option to review all potential vulnerabilities found, including those considered secured.

B. Analysis

This software tracks the vulnerabilities in a dynamic web application. The major functions and tasks it performs are the following.

Get aware of Potentially Vulnerable Functions: Tracks the potentially vulnerable functions in an application using its large library of PVFs.

Identify a Sanitizing Function: Shows the sanitizing functions, i.e. the safe functions that sanitize data before it is inserted into the database.

Mapping of the functionality: After scanning the program, RIPS maps the links between the functions in order to identify the source of the user input that may lead to a vulnerability in the application.

List of all functions in the program: The list of all functions used in the application is presented, so that the user can identify the functions along with their use.

Solutions to overcome vulnerable functions: After identifying the potentially vulnerable functions, RIPS dynamically generates a solution for each of them. A list of replacement or improved functions is displayed to the user.

IV. DESIGN DETAILS

Fig. 1 Functional Diagram for Improved RIPS

V. CONCLUSION AND FUTURE WORK

RIPS is currently a preferred open source source code scanner for PHP. After the completion of our project it is expected to be more dynamic than the current version. Our main aim is therefore to give dynamicity to the current version of RIPS, so that it can scan static as well as dynamic web applications. RIPS can only find security vulnerabilities that are bugs; it cannot find intentionally obfuscated backdoors, which are easily hidden behind dynamic function names. Additionally, it is planned to consider automatic typecasts. Our project will fully support object-oriented programming. In future, the application can be further improved to scan for hidden malicious code such as backdoors, Trojans, and worms. The application could also be fully automated so that it replaces vulnerable functions on its own rather than only suggesting replacements to the user.

ACKNOWLEDGMENT

It is an opportunity of immense pleasure for us to present the project “Improving RIPS for Dynamic Web Applications Security Assessment” and to express our heartfelt gratitude to all those who have generously offered their valuable suggestions towards the completion of the project. It is rightly said that we are built on the shoulders of others for all our achievements. The credit goes to our project guide and coordinator Prof. V. V. Parkar and to the Head of the Computer Engineering Department, Prof. L. S. Naik, whose positive attitude, moral support, and encouragement led to the success of the project. We are also thankful to our Principal, Dr. G. V. Mulgund, for being very generous with his advice and encouragement.

REFERENCES

[1] Johannes Dahse, “RIPS – A static source code analyser for vulnerabilities in PHP scripts”.
[2] Francisco José Marques Vieira, “Realistic Vulnerability Injections in PHP Web Applications”.
[3] Johannes Dahse, Thorsten Holz, “Simulation of Built-in PHP Features for Precise Static Code Analysis”.
[4] Antti Juhani Lantto, “Java Vs PHP: A Security Approach”.
[5] W. Jason Gilmore, “Beginning PHP and MySQL, 4th Edition”.
[6] Behrouz A. Forouzan, “Cryptography and Network Security”.
[7] Kevin Yank, “PHP and MySQL made simple, 3rd Edition”.