Skip to content

php漏洞挖掘相关论文调研 #4

Open
Open
php漏洞挖掘相关论文调研#4
@iohehe

Description

@iohehe
iohehe
opened on Nov 4, 2019

the empire of an area can find from a paper's relate work.

Discover of Vulnerabilities in PHP Code

2004(进入PHP5)

(这个人应该是最早研究动态网页漏洞自动化的,他的文章参考里很多文章可以看看,他是如何过渡过来的。)

  • Y.Huang et al - Securing web application code by static analysis and runtime protection.
  • Y.Huang et al - Verifying web applications using bounded model checking.

2005(引入PDO)

2006

(出现了两个工具,经常被提到, 尤其是Pixy)

  • Xie and Aiken - Static detection of security vulnerabilities in scripting languages.
  • Jovanovic et al - Pixy: A static analysis tool for detecting web application vulnerabilities.(Pixy)

2007

  • Wasserman and Z. Su - Sound and precise analysis of web applications for injection vulnerabilities.

2008(PHP5成熟)

  • Wassermann and Z.Su - Static detection of cross-site script in vulnerabilities.
  • D.Balzarotti et al - Saner: Composing static and dynamic analysis to validate sanitization in web applications.

2009

  • Fang Yu - Generating Vulnerability Signatures for String Manipulating Programs Using Automata-based Forward and Backward Symbolic Analyses

2010

  • F.Yu - STRANGER: An automata-based string analysis tool for PHP.
  • Jovanovic et al - Static analysis for detecting taint-style vulnerabilities in web applications.

2014

(Dash和他的RIPS出现了,这个时间点也是PHP5的出现)

  • Dash and Holz - Simulation of built-in PHP features for precise static code analysis.(RIPS)
  • Hauzar, D., & Kofron, J. (2014). WeVerca: Web Applications Verification for PHP. SEFM.

2015

  • Dash and Holz - Static detection of second-order vulnerabilities in web applications.(RIPS2)
  • O.Olivo et al - Detecting and exploiting second-order denial-of-service vulnerabilities in web applications.
  • Nunes, Paulo Jorge Costa et al. - phpSAFE: A Security Analysis Tool for OOP Web Application Plugins.(支持OOP)

2016

  • Fang Yu - Optimal Sanitization Synthesis for Web Application Vulnerability Repair

2017

  • Backes, M., Rieck, K., Skoruppa, M., Stock, B., & Yamaguchi, F. (2017). Efficient and Flexible Discovery of PHP Application Vulnerabilities. 2017 IEEE European Symposium on Security and Privacy (EuroS&P), 334-349.

2018

  • Alhuzali, Abeer et al. “NAVEX: Precise and Scalable Exploit Generation for Dynamic Web Applications.” USENIX Security Symposium (2018).

Metadata

Metadata

Assignees

No one assigned

    Labels

    No labels
    No labels

    Projects

    No projects

    Milestone

    No milestone

    Relationships

    None yet

    Development

    No branches or pull requests

    Issue actions