Abstract
Given PHP’s continued prevalence, securing PHP applications remains an important task. Code reviews are a common measure to catch bugs during development, but they do not scale, are error-prone, and are time-consuming [2, 38, 41]. Static analysis tools like Semgrep therefore emerged to give programmatic feedback on code. Yet static analyses often show low precision, which can jeopardize their utility.
In this case study, we investigate the precision of Semgrep OSS for common web weaknesses from the OWASP Top 10 [35]. We examine the limitations of the method and the tool in weakness detection, the OWASP classes, and Semgrep’s public PHP rule set. We apply the latter to 300 open source applications, invest 34 hours in manual sample validation, and derive precision rates for each OWASP class.
Our validation shows that the rules correctly detect weaknesses for seven OWASP classes with 86% precision, demonstrating the tool’s utility. Yet we estimate that most findings (81%) are not exploitable, so users still face considerable assessment overhead. Our work further highlights that only a subset of weaknesses is detectable at all, since dimensions such as runtime context and insecure design remain hidden from the analysis. Finally, we advise practitioners not to rely exclusively on public rules: translating application-specific business logic and design choices into custom rules can uncover weaknesses that the public rules miss.
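To make the setup described in the abstract concrete, the following is an added example, not a rule from the paper and not one of Semgrep’s public registry rules, of the kind of taint-mode rule that a public PHP rule set is built from, here targeting SQL injection (OWASP A03:2021, CWE-89). The rule id, the chosen sources, sanitizers and sinks, and the `metadata` layout are the editor’s assumptions for illustration; the comments mark what a rule of this shape can and cannot see, which is where the abstract’s "correct but not exploitable" findings come from.

```yaml
rules:
  - id: php-sqli-taint-example   # hypothetical rule id, not from the Semgrep registry
    languages: [php]
    severity: ERROR
    mode: taint
    message: >-
      User-controlled data from a PHP superglobal reaches a SQL query
      without passing a known sanitizer. Use prepared statements with
      bound parameters instead of string concatenation.
    metadata:
      # Assumed metadata layout: the OWASP class is the field a user
      # would group findings on, as the study does per class.
      category: security
      cwe: "CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')"
      owasp: "A03:2021 - Injection"

    # Sources: anything an HTTP client controls. Framework request
    # objects (e.g. a Laravel Request) would need their own entries,
    # which is one reason public rules miss application-specific flows.
    pattern-sources:
      - pattern: $_GET
      - pattern: $_POST
      - pattern: $_REQUEST
      - pattern: $_COOKIE

    # Sanitizers: taint stops here. mysqli_real_escape_string() is only
    # safe when the caller quotes the value in the SQL string; the rule
    # cannot tell, so a suppressed finding may still be exploitable and
    # a reported one may not be. Runtime context (a rewrite rule that
    # only routes administrators to this script) and design-level
    # issues (A04:2021) leave no pattern in the source and stay hidden.
    pattern-sanitizers:
      - pattern: intval(...)
      - pattern: (int) $X
      - pattern: mysqli_real_escape_string(...)

    # Sinks: the SQL-string argument of the common query entry points.
    # Prepared statements ($db->prepare("... WHERE id = ?")->execute([$id]))
    # never match, because the tainted value goes to execute(), not the SQL.
    pattern-sinks:
      - patterns:
          - pattern-either:
              - pattern: mysqli_query($CONN, $SQL, ...)
              - pattern: $CONN->query($SQL, ...)
              - pattern: mysql_query($SQL, ...)
          - focus-metavariable: $SQL
```

Save the rule as `php-sqli-taint-example.yaml` and run `semgrep --config php-sqli-taint-example.yaml path/to/app`. To test it the way Semgrep expects, place a `php-sqli-taint-example.php` beside it containing a vulnerable line preceded by `// ruleid: php-sqli-taint-example` (for instance `mysqli_query($db, "SELECT * FROM users WHERE id=" . $_GET['id']);`) and a sanitized line preceded by `// ok: php-sqli-taint-example` (for instance the same call with `intval($_GET['id'])`), then run `semgrep --test` on that directory; the test passes only if the first line is reported and the second is not.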
Notes
2. https://cwe.mitre.org/data/definitions/1344.html, Accessed: 2024-04-15.
References
Algaith, A., Nunes, P., Jose, F., Gashi, I., Vieira, M.: Finding SQL injection and cross site scripting vulnerabilities with diverse static analysis tools. In: Proceedings of the 2018 14th European Dependable Computing Conference (EDCC), pp. 57–64. IEEE (2018)
Bacchelli, A., Bird, C.: Expectations, outcomes, and challenges of modern code review. In: 2013 35th International Conference on Software Engineering (ICSE), pp. 712–721 (2013)
Backes, M., Rieck, K., Skoruppa, M., Stock, B., Yamaguchi, F.: Efficient and flexible discovery of PHP application vulnerabilities. In: Proceedings of the 2017 IEEE European Symposium on Security and Privacy (Euro S&P), pp. 334–349. IEEE (2017)
Bandara, V., et al.: Fix that fix commit: a real-world remediation analysis of JavaScript projects. In: 2020 IEEE 20th International Working Conference on Source Code Analysis and Manipulation (SCAM), pp. 198–202 (2020)
Borges, H., Tulio Valente, M.: What’s in a GitHub star? Understanding repository starring practices in a social coding platform. J. Syst. Softw. 146, 112–129 (2018)
Coelho, J., Valente, M.T., Milen, L., Silva, L.L.: Is this GitHub project maintained? Measuring the level of maintenance activity of open-source projects. Inf. Softw. Technol. 122, 106274 (2020)
Dahse, J., Holz, T.: Simulation of built-in PHP features for precise static code analysis. In: NDSS, vol. 14, pp. 23–26 (2014)
Dahse, J., Holz, T.: Static detection of second-order vulnerabilities in web applications. In: Proceedings of the 23rd USENIX Security Symposium (USENIX Security 2014), pp. 989–1003 (2014)
Dahse, J., Krein, N., Holz, T.: Code reuse attacks in PHP: automated pop chain generation. In: Proceedings of the 2014 ACM SIGSAC Conference on Computer and Communications Security, pp. 42–53 (2014)
Deepa, G., Thilagam, P.S.: Securing web applications from injection and logic vulnerabilities: approaches and challenges. Inf. Softw. Technol. 74, 160–180 (2016)
Etemadi, K., et al.: Sorald: automatic patch suggestions for SonarQube static analysis violations. IEEE Trans. Dependable Secure Comput. 20(4), 2794–2810 (2023)
Ferrara, P., Mandal, A.K., Cortesi, A., Spoto, F.: Static analysis for discovering IoT vulnerabilities. Int. J. Softw. Tools Technol. Transf. 23, 71–88 (2021)
Florin, I.L., Bălan, T.: Vulnerability remediation in ICS infrastructure based on source code analysis. In: 2020 19th RoEduNet Conference: Networking in Education and Research (RoEduNet), pp. 1–6 (2020)
GitHub: CodeQL (2023). https://codeql.github.com
Google: The vulnerable code database (vulncode-db) (2019). https://www.vulncode-db.com/
Hauzar, D., Kofron, J.: Framework for static analysis of PHP applications. In: Boyland, J.T. (ed.) 29th European Conference on Object-Oriented Programming (ECOOP 2015). Leibniz Int. Proc. in Informatics (LIPIcs), vol. 37, pp. 689–711. Schloss Dagstuhl–Leibniz-Zentrum fuer Informatik, Dagstuhl (2015)
Hazimeh, A., Herrera, A., Payer, M.: Magma: a ground-truth fuzzing benchmark. Proc. ACM Meas. Anal. Comput. Syst. 4(3), 1–29 (2020)
Hu, Y., Zhang, J., Bai, X., Yu, S., Yang, Z.: Influence analysis of GitHub repositories. SpringerPlus 5(1), 1268 (2016)
Johnson, B., Song, Y., Murphy-Hill, E., Bowdidge, R.: Why don’t software developers use static analysis tools to find bugs? In: 2013 35th International Conference on Software Engineering (ICSE), pp. 672–681 (2013)
Kluban, M., Mannan, M., Youssef, A.: On measuring vulnerable JavaScript functions in the wild. In: 2022 ACM Asia Conference on Computer and Communications Security (ASIA CCS 2022), pp. 917–930. Association for Computing Machinery, New York (2022). https://doi.org/10.1145/3488932.3497769
Lenarduzzi, V., Lomio, F., Huttunen, H., Taibi, D.: Are SonarQube rules inducing bugs? In: 2020 IEEE 27th International Conference on Software Analysis, Evolution and Reengineering (SANER), pp. 501–511 (2020)
Lerdorf, R., Morrison, A.: Phan. https://github.com/phan/phan
Li, J.: Vulnerabilities mapping based on OWASP-SANS: a survey for static application security testing (SAST). Ann. Emerg. Technol. Comput. 4 (2020)
Li, P., Meng, W.: LChecker: detecting loose comparison bugs in PHP. In: Proceedings of the 30th International Conference on World Wide Web (WWW 2021), pp. 2721–2732 (2021)
Li, X., Wei, Q., Wu, Z., Guo, W.: Finding taint-style vulnerabilities in Lua application of IoT firmware with progressive static analysis. Appl. Sci. 13(17) (2023)
Lipp, S., Banescu, S., Pretschner, A.: An empirical study on the effectiveness of static C code analyzers for vulnerability detection. In: Proceedings of the 31st ACM SIGSOFT International Symposium on Software Testing and Analysis, ISSTA 2022, pp. 544–555. Association for Computing Machinery, New York (2022)
Luo, C., Li, P., Meng, W.: TChecker: precise static inter-procedural analysis for detecting taint-style vulnerabilities in PHP applications. In: Proceedings of the 2022 ACM SIGSAC Conference on Computer and Communications Security, pp. 2175–2188 (2022)
Marcilio, D., Bonifácio, R., Monteiro, E., Canedo, E., Luz, W., Pinto, G.: Are static analysis violations really fixed? A closer look at realistic usage of SonarQube. In: 2019 IEEE/ACM 27th International Conference on Program Comprehension (ICPC), pp. 209–219 (2019). https://doi.org/10.1109/ICPC.2019.00040
Medeiros, I., Neves, N.F., Correia, M.: Automatic detection and correction of web application vulnerabilities using data mining to predict false positives. In: Proceedings of the 23rd International Conference on World Wide Web (WWW 2014), pp. 63–74 (2014)
Medeiros, I., Neves, N., Correia, M.: Detecting and removing web application vulnerabilities with static analysis and data mining. IEEE Trans. Reliab. 65(1), 54–69 (2016)
Mirtes, O.: PHPStan. https://phpstan.org/
NIST: Software assurance and reference dataset. https://samate.nist.gov/SARD/
Nunes, P.J.C., Fonseca, J., Vieira, M.: phpSAFE: a security analysis tool for OOP web application plugins. In: Proceedings of the 45th IEEE/IFIP International Conference on Dependable Systems and Networks, pp. 299–306. IEEE (2015)
Olivo, O., Dillig, I., Lin, C.: Detecting and exploiting second-order denial-of-service vulnerabilities in web applications. In: Proceedings of the 22nd ACM SIGSAC Conference on Computer and Communications Security, pp. 616–628 (2015)
OWASP Foundation: OWASP top 10 2021 (2021). https://owasp.org/www-project-top-ten/
OWASP Foundation: OWASP top 10 2021: A04:2021 - insecure design (2021). https://owasp.org/Top10/A04_2021-Insecure_Design/
OWASP Foundation: How to use the OWASP top 10 as a standard (2023). https://owasp.org/Top10/A00_2021_How_to_use_the_OWASP_Top_10_as_a_standard/
Paul, R., Turzo, A.K., Bosu, A.: Why security defects go unnoticed during code reviews? A case-control study of the Chromium OS project. In: Proceedings of the 43rd International Conference on Software Engineering, ICSE 2021, pp. 1373–1385. IEEE Press (2021)
Pearce, H., Ahmad, B., Tan, B., Dolan-Gavitt, B., Karri, R.: Asleep at the keyboard? Assessing the security of GitHub Copilot’s code contributions. In: 2022 IEEE Symposium on Security and Privacy (SP), pp. 754–768 (2022)
Dewhurst, R.: Static code analysis (2023). https://owasp.org/www-community/controls/Static_Code_Analysis
dos Santos, E.W., Nunes, I.: Investigating the effectiveness of peer code review in distributed software development. In: Proceedings of the XXXI Brazilian Symposium on Software Engineering, SBES 2017, pp. 84–93. Association for Computing Machinery, New York (2017)
Seixas, N., Fonseca, J., Vieira, M., Madeira, H.: Looking at web security vulnerabilities from the programming language perspective: a field study. In: 2009 20th International Symposium on Software Reliability Engineering, pp. 129–135 (2009)
Semgrep: Project page (2023). https://semgrep.dev
Shahriar, H., Zulkernine, M.: Mitigating program security vulnerabilities: approaches and challenges. ACM Comput. Surv. 44(3) (2012)
Snyk.io: Snyk Vulnerability DB. https://security.snyk.io/
Sonar: SonarQube (2023). https://www.sonarsource.com/products/sonarqube
Statista: Most used web frameworks among developers worldwide, as of 2022 (2023). https://www.statista.com/statistics/1124699/worldwide-developer-survey-most-used-frameworks-web/
Vimeo: Psalm. https://psalm.dev/
W3Techs: Usage statistics of server-side programming languages for websites (2023). https://w3techs.com/technologies/overview/programming_language
Copyright information
© 2024 The Author(s), under exclusive license to Springer Nature Switzerland AG
About this paper
Cite this paper
Kree, L., Helmke, R., Winter, E. (2024). Using Semgrep OSS to Find OWASP Top 10 Weaknesses in PHP Applications: A Case Study. In: Maggi, F., Egele, M., Payer, M., Carminati, M. (eds) Detection of Intrusions and Malware, and Vulnerability Assessment. DIMVA 2024. Lecture Notes in Computer Science, vol 14828. Springer, Cham. https://doi.org/10.1007/978-3-031-64171-8_4
DOI: https://doi.org/10.1007/978-3-031-64171-8_4
Publisher Name: Springer, Cham
Print ISBN: 978-3-031-64170-1
Online ISBN: 978-3-031-64171-8