上海科技大学知识管理系统

Server-side request forgeries (SSRFs) are inevitable in PHP web applications. Existing static taint analysis tools for PHP suffer from both high rates of false positives and false negatives in detecting SSRF because they do not incorporate application-specific sources and sinks, account for PHP's dynamic type characteristics, and include SSRF-specific taint analysis rules, leading to over-tainting and under-tainting. In this work, we propose a technique to accurately detect SSRF vulnerabilities in PHP web applications. First, we extract both PHP built-in and application-specific functions as candidate source and sink functions. Second, we extract explicit and implicit function calls to construct applications' call graphs. Third, we perform a taint analysis based on a set of rules that prevent over-tainting and under-tainting. We have implemented a prototype and evaluated it with different types of PHP web applications. Our preliminary experiment shows that we detect 24 SSRF vulnerabilities in 13 different types of applications. 20 of the vulnerabilities are known and 4 of the vulnerabilities are new.