IEEE Access (Jan 2025)

Blending Static and Dynamic Analysis for Web Application Vulnerability Detection: Methodology and Case Study

  • Paulo Nunes,
  • Jose Fonseca,
  • Marco Vieira

DOI
https://doi.org/10.1109/ACCESS.2024.3522094
Journal volume & issue
Vol. 13
pp. 3139 – 3153

Abstract


Static Analysis (SA) and Dynamic Analysis (DA) are complementary techniques for finding web application vulnerabilities. Typically, SA detects more vulnerabilities but reports a higher number of false positives, whereas DA finds fewer but with better precision. In this paper, we blend SA and DA to simultaneously improve detection and decrease false alarms. Our approach starts with SA to identify an initial set of potential vulnerabilities. Then, the target application is executed to obtain specific runtime information. These data are used to automatically configure the DA, improving its ability to confirm whether the vulnerabilities reported by the SA are indeed exploitable. We evaluated the proposed approach using 49 WordPress plugins with more than 450 SQLi vulnerabilities. Our approach was able to confirm 76.7% of the results reported by the SA as either a vulnerability or a false alarm, tremendously decreasing the usual need for manual work, which is a huge improvement for security practitioners.
