Uquery: Static Security Analysis of PHP-Based Web Programs Using Graph Models
Document Type
Article
Publication Date
10-31-2024
Identifier/URL
41980656 (Pure)
Abstract
This paper introduces UQuery, a novel framework designed for agile security analysis of server-side web applications. UQuery employs a dependency graph, an innovative program representation that concurrently models data and control dependencies. This graph model facilitates efficient data- and control-flow analyses by converting them into intuitive graph queries. Currently, UQuery includes two security applications: one for detecting unrestricted file upload vulnerabilities and another for identifying information leakage through exploitable race conditions. It has detected vulnerabilities in 16 applications, resulting in the discovery of 6 previously unreported CVEs.
Repository Citation
Huang, J., Zhang, J., Liu, J., Li, C., & Dai, R. (2024). Uquery: Static Security Analysis of PHP-Based Web Programs Using Graph Models. 2024 IEEE Conference on Communications and Network Security, CNS 2024.
https://corescholar.libraries.wright.edu/cse/664
DOI
10.1109/CNS62487.2024.10735619
Comments
Publisher Copyright: © 2024 IEEE.