Using Semgrep OSS to Find OWASP Top 10 Weaknesses in PHP Applications: A Case Study

  • Conference paper
  • Detection of Intrusions and Malware, and Vulnerability Assessment (DIMVA 2024)

Abstract

Given PHP’s continuous success, ensuring the security of its applications remains an important task. While code reviews are a common measure to catch bugs during development, they lack scalability and are error-prone and time-consuming [2, 38, 41]. Static analysis tools like Semgrep therefore emerged to provide programmatic feedback on code. However, static analyses often show low precision, which can jeopardize their utility.

In this case study, we investigate precision rates for Semgrep OSS for common web weaknesses from the OWASP Top 10 [35]. We explore method and tool limitations in weakness detection, OWASP classes, and Semgrep’s public PHP rule set. We apply the latter to 300 open source applications, invest 34 h in manual sample validation, and derive precision rates for each OWASP class.

Our validation shows that the rules correctly detected weaknesses for seven OWASP classes with 86% precision, demonstrating the tool’s utility. Yet, we estimate that most findings are not exploitable (81%), so users still face considerable assessment overhead. Our work further highlights that only a subset of weaknesses is detectable, as dimensions such as runtime context and insecure design remain hidden. Finally, we advise practitioners not to rely exclusively on public rules: translating application-specific business logic and design choices into their own rules may detect weaknesses the public rules leave uncovered.
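The measurement the abstract describes, running public rules over a corpus, manually validating a sample of findings and deriving precision (and the share of non-exploitable true positives) per OWASP class, is shown below as an added example. It is not code from the paper or from Semgrep. It assumes the `semgrep --json` report exposes `results[]` entries with `check_id`, `path`, `start.line` and `extra.metadata.owasp` (my understanding of the report format, not taken from the page); the rule ids, file paths and verdicts are constructed sample data, and the Wilson confidence interval is my own addition to flag how little a precision rate from a handful of validated findings actually tells you.

```python
"""Per-OWASP-class precision from a manually validated sample of Semgrep findings.

Added example, not the paper's or Semgrep's code. Assumptions: the JSON shape
below mirrors the `semgrep --json` fields used here (results[].check_id, .path,
.start.line, .extra.metadata.owasp); rule ids, paths and verdicts are constructed.
"""
import json
from collections import defaultdict
from math import sqrt

# Constructed sample of a Semgrep JSON report (rule ids are placeholders, not real rules).
SEMGREP_JSON = json.dumps({"results": [
    {"check_id": "php.example.sqli", "path": "app/UserController.php",
     "start": {"line": 42}, "extra": {"metadata": {"owasp": ["A03:2021 - Injection"]}}},
    {"check_id": "php.example.sqli", "path": "app/ReportController.php",
     "start": {"line": 17}, "extra": {"metadata": {"owasp": ["A03:2021 - Injection"]}}},
    {"check_id": "php.example.xss", "path": "views/profile.php",
     "start": {"line": 9}, "extra": {"metadata": {"owasp": ["A03:2021 - Injection"]}}},
    {"check_id": "php.example.unserialize", "path": "lib/Session.php",
     "start": {"line": 55}, "extra": {"metadata": {"owasp": ["A08:2021 - Software and Data Integrity Failures"]}}},
    {"check_id": "php.example.md5-password", "path": "lib/Auth.php",
     "start": {"line": 23}, "extra": {"metadata": {"owasp": ["A02:2021 - Cryptographic Failures"]}}},
    {"check_id": "php.example.weak-rand", "path": "lib/Token.php",
     "start": {"line": 8}, "extra": {"metadata": {"owasp": ["A02:2021 - Cryptographic Failures"]}}},
    {"check_id": "php.example.no-owasp-tag", "path": "lib/Util.php",
     "start": {"line": 3}, "extra": {"metadata": {}}},
    {"check_id": "php.example.sqli", "path": "app/Legacy.php",
     "start": {"line": 101}, "extra": {"metadata": {"owasp": ["A03:2021 - Injection"]}}},
]})

# Constructed manual verdicts for the validated sample, keyed by "path:line".
# ("tp", exploitable?) = the rule fired on a real weakness; ("fp", False) = false positive.
# Findings missing from this dict were not sampled and must not enter the precision rate.
VERDICTS = {
    "app/UserController.php:42": ("tp", True),
    "app/ReportController.php:17": ("tp", False),
    "views/profile.php:9": ("fp", False),
    "lib/Session.php:55": ("tp", False),
    "lib/Auth.php:23": ("tp", False),
    "lib/Token.php:8": ("fp", False),
    "lib/Util.php:3": ("tp", True),
}


def owasp_class(result):
    """Return the 'A0x:2021' id of a finding, or 'unclassified' if the rule carries no tag."""
    tags = result.get("extra", {}).get("metadata", {}).get("owasp") or []
    if isinstance(tags, str):
        tags = [tags]
    return tags[0].split(" - ")[0] if tags else "unclassified"


def wilson_interval(successes, n, z=1.96):
    """95% Wilson score interval for a proportion; wide for small n, which is the point."""
    if n == 0:
        return (0.0, 0.0)
    p = successes / n
    denom = 1 + z * z / n
    centre = (p + z * z / (2 * n)) / denom
    margin = z * sqrt(p * (1 - p) / n + z * z / (4 * n * n)) / denom
    return (max(0.0, centre - margin), min(1.0, centre + margin))


def precision_by_class(report_json, verdicts):
    """Group findings by OWASP class and compute precision over the validated subset only."""
    counts = defaultdict(lambda: {"validated": 0, "tp": 0, "exploitable": 0, "unvalidated": 0})
    for r in json.loads(report_json)["results"]:
        c = counts[owasp_class(r)]
        verdict = verdicts.get(f"{r['path']}:{r['start']['line']}")
        if verdict is None:
            c["unvalidated"] += 1          # sampled-out finding: counted, never scored
            continue
        kind, exploitable = verdict
        c["validated"] += 1
        if kind == "tp":
            c["tp"] += 1
            c["exploitable"] += int(exploitable)
    summary = {}
    for cls, c in counts.items():
        n, tp = c["validated"], c["tp"]
        summary[cls] = {
            "findings": n + c["unvalidated"],
            "validated": n,
            "true_positives": tp,
            "exploitable": c["exploitable"],
            "precision": tp / n if n else None,
            "precision_ci95": wilson_interval(tp, n),
            "not_exploitable_share": (tp - c["exploitable"]) / tp if tp else None,
        }
    return summary


def overall(summary):
    """Pool the per-class counts into corpus-wide precision and non-exploitable share."""
    n = sum(s["validated"] for s in summary.values())
    tp = sum(s["true_positives"] for s in summary.values())
    ex = sum(s["exploitable"] for s in summary.values())
    return {"validated": n, "true_positives": tp,
            "precision": tp / n if n else None,
            "precision_ci95": wilson_interval(tp, n),
            "not_exploitable_share": (tp - ex) / tp if tp else None}


if __name__ == "__main__":
    table = precision_by_class(SEMGREP_JSON, VERDICTS)
    for cls, s in sorted(table.items()):
        lo, hi = s["precision_ci95"]
        print(f"{cls:<14} n={s['validated']:<2} precision={s['precision']:.2f} "
              f"ci95=[{lo:.2f},{hi:.2f}] not_exploitable={s['not_exploitable_share']}")
    print("overall:", overall(table))
```

To use it on a real corpus, replace `SEMGREP_JSON` with the contents of a `semgrep --json` run and fill `VERDICTS` from the manual review; findings outside the reviewed sample stay in the `findings` count but never influence precision, which is the distinction the paper's sampling design relies on. The interval output is the practitioner's sanity check: a class with three validated findings and a 0.67 precision has a 95% interval spanning most of [0, 1], so per-class rates only become meaningful with sample sizes like those the authors invested 34 h to obtain.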


Notes

  1. https://semgrep.dev/docs/semgrep-code/overview/#oss-versus-pro-engine.
  2. https://cwe.mitre.org/data/definitions/1344.html, Accessed: 2024-04-15.
  3. https://github.com/fkie-cad/2024-paper-owasp-weaknesses-in-php.
  4. https://github.com/semgrep/semgrep-rules.
  5. https://www.php.net/manual/de/function.unlink.php.
  6. https://github.com/laravel/laravel/blob/10.x/config/session.php.
  7. https://www.php.net/manual/en/function.unserialize.php.

References

  1. Algaith, A., Nunes, P., Jose, F., Gashi, I., Vieira, M.: Finding SQL injection and cross site scripting vulnerabilities with diverse static analysis tools. In: Proceedings of the 2018 14th European Dependable Computing Conference (EDCC), pp. 57–64. IEEE (2018)
  2. Bacchelli, A., Bird, C.: Expectations, outcomes, and challenges of modern code review. In: 2013 35th International Conference on Software Engineering (ICSE), pp. 712–721 (2013)
  3. Backes, M., Rieck, K., Skoruppa, M., Stock, B., Yamaguchi, F.: Efficient and flexible discovery of PHP application vulnerabilities. In: Proceedings of the 2017 IEEE European Symposium on Security and Privacy (Euro S&P), pp. 334–349. IEEE (2017)
  4. Bandara, V., et al.: Fix that fix commit: a real-world remediation analysis of Javascript projects. In: 2020 IEEE 20th International Working Conference on Source Code Analysis and Manipulation (SCAM), pp. 198–202 (2020)
  5. Borges, H., Tulio Valente, M.: What’s in a GitHub star? Understanding repository starring practices in a social coding platform. J. Syst. Softw. 146, 112–129 (2018)
  6. Coelho, J., Valente, M.T., Milen, L., Silva, L.L.: Is this GitHub project maintained? Measuring the level of maintenance activity of open-source projects. Inf. Softw. Technol. 122, 106274 (2020)
  7. Dahse, J., Holz, T.: Simulation of built-in PHP features for precise static code analysis. In: NDSS, vol. 14, pp. 23–26 (2014)
  8. Dahse, J., Holz, T.: Static detection of second-order vulnerabilities in web applications. In: Proceedings of the 23rd USENIX Security Symposium (USENIX Security 2014), pp. 989–1003 (2014)
  9. Dahse, J., Krein, N., Holz, T.: Code reuse attacks in PHP: automated pop chain generation. In: Proceedings of the 2014 ACM SIGSAC Conference on Computer and Communications Security, pp. 42–53 (2014)
  10. Deepa, G., Thilagam, P.S.: Securing web applications from injection and logic vulnerabilities: approaches and challenges. Inf. Softw. Technol. 74, 160–180 (2016)
  11. Etemadi, K., et al.: Sorald: automatic patch suggestions for sonarqube static analysis violations. IEEE Trans. Dependable Secure Comput. 20(4), 2794–2810 (2023)
  12. Ferrara, P., Mandal, A.K., Cortesi, A., Spoto, F.: Static analysis for discovering IoT vulnerabilities. Int. J. Softw. Tools Technol. Transf. 23, 71–88 (2021)
  13. Florin, I.L., Bălan, T.: Vulnerability remediation in ICS infrastructure based on source code analysis. In: 2020 19th RoEduNet Conference: Networking in Education and Research (RoEduNet), pp. 1–6 (2020)
  14. GitHub: CodeQL (2023). https://codeql.github.com
  15. Google: The vulnerable code database (vulncode-db) (2019). https://www.vulncode-db.com/
  16. Hauzar, D., Kofron, J.: Framework for static analysis of PHP applications. In: Boyland, J.T. (ed.) 29th European Conference on Object-Oriented Programming (ECOOP 2015). Leibniz Int. Proc. in Informatics (LIPIcs), vol. 37, pp. 689–711. Schloss Dagstuhl–Leibniz-Zentrum fuer Informatik, Dagstuhl (2015)
  17. Hazimeh, A., Herrera, A., Payer, M.: Magma: a ground-truth fuzzing benchmark. Proc. ACM Meas. Anal. Comput. Syst. 4(3), 1–29 (2020)
  18. Hu, Y., Zhang, J., Bai, X., Yu, S., Yang, Z.: Influence analysis of GitHub repositories. SpringerPlus 5(1), 1268 (2016)
  19. Johnson, B., Song, Y., Murphy-Hill, E., Bowdidge, R.: Why don’t software developers use static analysis tools to find bugs? In: 2013 35th International Conference on Software Engineering (ICSE), pp. 672–681 (2013)
  20. Kluban, M., Mannan, M., Youssef, A.: On measuring vulnerable Javascript functions in the wild. In: 2022 ACM Asia Conference on Computer and Communications Security (ASIA CCS 2022), pp. 917–930. Association for Computing Machinery, New York (2022). https://doi.org/10.1145/3488932.3497769
  21. Lenarduzzi, V., Lomio, F., Huttunen, H., Taibi, D.: Are sonarqube rules inducing bugs? In: 2020 IEEE 27th International Conference on Software Analysis, Evolution and Reengineering (SANER), pp. 501–511 (2020)
  22. Lerdorf, R., Morrison, A.: Phan. https://github.com/phan/phan
  23. Li, J.: Vulnerabilities mapping based on OWASP-SANS: a survey for static application security testing (SAST). Ann. Emerg. Technol. Comput. 4 (2020)
  24. Li, P., Meng, W.: LChecker: detecting loose comparison bugs in PHP. In: Proceedings of the 30th International Conference on World Wide Web (WWW 2021), pp. 2721–2732 (2021)
  25. Li, X., Wei, Q., Wu, Z., Guo, W.: Finding taint-style vulnerabilities in lua application of iot firmware with progressive static analysis. Appl. Sci. 13(17) (2023)
  26. Lipp, S., Banescu, S., Pretschner, A.: An empirical study on the effectiveness of static C code analyzers for vulnerability detection. In: Proceedings of the 31st ACM SIGSOFT International Symposium on Software Testing and Analysis, ISSTA 2022, pp. 544–555. Association for Computing Machinery, New York (2022)
  27. Luo, C., Li, P., Meng, W.: TChecker: precise static inter-procedural analysis for detecting taint-style vulnerabilities in PHP applications. In: Proceedings of the 2022 ACM SIGSAC Conference on Computer and Communications Security, pp. 2175–2188 (2022)
  28. Marcilio, D., Bonifácio, R., Monteiro, E., Canedo, E., Luz, W., Pinto, G.: Are static analysis violations really fixed? A closer look at realistic usage of sonarqube. In: 2019 IEEE/ACM 27th Int. Conference on Program Comprehension (ICPC), pp. 209–219 (2019). https://doi.org/10.1109/ICPC.2019.00040
  29. Medeiros, I., Neves, N.F., Correia, M.: Automatic detection and correction of web application vulnerabilities using data mining to predict false positives. In: Proceedings of the 23rd International Conference on World Wide Web (WWW 2014), pp. 63–74 (2014)
  30. Medeiros, I., Neves, N., Correia, M.: Detecting and removing web application vulnerabilities with static analysis and data mining. IEEE Trans. Reliab. 65(1), 54–69 (2016)
  31. Mirtes, O.: PHPStan. https://phpstan.org/
  32. NIST: Software assurance and reference dataset. https://samate.nist.gov/SARD/
  33. Nunes, P.J.C., Fonseca, J., Vieira, M.: phpSAFE: a security analysis tool for OOP web application plugins. In: Proceedings of the 45th IEEE/IFIP International Conference on Dependable Systems and Networks, pp. 299–306. IEEE (2015)
  34. Olivo, O., Dillig, I., Lin, C.: Detecting and exploiting second-order denial-of-service vulnerabilities in web applications. In: Proceedings of the 22nd ACM SIGSAC Conference on Computer and Communications Security, pp. 616–628 (2015)
  35. OWASP Foundation: OWASP top 10 2021 (2021). https://owasp.org/www-project-top-ten/
  36. OWASP Foundation: OWASP top 10 2021: A04:2021 - insecure design (2021). https://owasp.org/Top10/A04_2021-Insecure_Design/
  37. OWASP Foundation: How to use the OWASP top 10 as a standard (2023). https://owasp.org/Top10/A00_2021_How_to_use_the_OWASP_Top_10_as_a_standard/
  38. Paul, R., Turzo, A.K., Bosu, A.: Why security defects go unnoticed during code reviews? A case-control study of the chromium OS project. In: Proceedings of the 43rd International Conference on Software Engineering, ICSE 2021, pp. 1373–1385. IEEE Press (2021)
  39. Pearce, H., Ahmad, B., Tan, B., Dolan-Gavitt, B., Karri, R.: Asleep at the keyboard? Assessing the security of GitHub copilot’s code contributions. In: 2022 IEEE Symposium on Security and Privacy (SP), pp. 754–768 (2022)
  40. Dewhurst, R.: Static code analysis (2023). https://owasp.org/www-community/controls/Static_Code_Analysis
  41. dos Santos, E.W., Nunes, I.: Investigating the effectiveness of peer code review in distributed software development. In: Proceedings of the XXXI Brazilian Symposium on Software Engineering, SBES 2017, pp. 84–93. Association for Computing Machinery, New York (2017)
  42. Seixas, N., Fonseca, J., Vieira, M., Madeira, H.: Looking at web security vulnerabilities from the programming language perspective: a field study. In: 2009 20th International Symposium on Software Reliability Engineering, pp. 129–135 (2009)
  43. Semgrep: Project page (2023). https://semgrep.dev
  44. Shahriar, H., Zulkernine, M.: Mitigating program security vulnerabilities: approaches and challenges. ACM Comput. Surv. 44(3) (2012)
  45. Snyk.io: Snyk Vulnerability DB. https://security.snyk.io/
  46. Sonar: Sonarqube (2023). https://www.sonarsource.com/products/sonarqube
  47. Statista: Most used web frameworks among developers worldwide, as of 2022 (2023). https://www.statista.com/statistics/1124699/worldwide-developer-survey-most-used-frameworks-web/
  48. Vimeo: Psalm. https://psalm.dev/
  49. W3Techs: Usage statistics of server-side programming languages for websites (2023). https://w3techs.com/technologies/overview/programming_language

Author information

Correspondence to Lukas Kree.


Copyright information

© 2024 The Author(s), under exclusive license to Springer Nature Switzerland AG

About this paper


Cite this paper

Kree, L., Helmke, R., Winter, E. (2024). Using Semgrep OSS to Find OWASP Top 10 Weaknesses in PHP Applications: A Case Study. In: Maggi, F., Egele, M., Payer, M., Carminati, M. (eds) Detection of Intrusions and Malware, and Vulnerability Assessment. DIMVA 2024. Lecture Notes in Computer Science, vol 14828. Springer, Cham. https://doi.org/10.1007/978-3-031-64171-8_4

  • DOI: https://doi.org/10.1007/978-3-031-64171-8_4
  • Publisher Name: Springer, Cham
  • Print ISBN: 978-3-031-64170-1
  • Online ISBN: 978-3-031-64171-8