Abstract
Aiming at detecting various vulnerabilities in Web application system based on PHP language, a semi-automatic code auditing system based on knowledge graph is proposed. Firstly, the abstract syntax tree of each file in the Web application system is constructed to extract the taint variables and function information from the abstract syntax tree and construct the global variable information. Secondly, the data flow information of each taint variable is analyzed accurately. Finally, the knowledge graph and code auditing technology are combined to construct and display the vulnerability information of the Web application system in the form of graph. Experiments and analysis results show that this detection method can well construct and display the data flow information of each taint variable and help auditors find common vulnerabilities in Web application systems more quickly.
This is a preview of subscription content, log in via an institution to check access.
Access this chapter
Tax calculation will be finalised at checkout
Purchases are for personal use only
References
W3Techs: Usage of server-side programming languages for websites. https://w3techs.com/technologies/overview/programming_language/all
OWASP: OWASP Top 10 Most Critical Web Application Security Risks. https://www.owasp.org/index.php/Category:OWASP_Top_Ten_Project
Huo, Z.P.: PHP Code Vulnerabilities Detection Based on Static Analysis. Beijing University of Posts and Telecommunications (2015)
Backes, M., Rieck, K., Skoruppa, M., Stock, B., Yamaguchi, F.: Efficient and flexible discovery of PHP application vulnerabilities. In: IEEE European Symposium on Security & Privacy (2017)
Yan, X.X., Ma, H.T., Wang, Q.A.: A static backward taint data analysis method for detecting web application vulnerabilities. In: ICCSN 2017 (2017)
Alhuzali, A., Eshete, B., Gjomemo, R., Venkatakrishnan, V.N.: Chainsaw: chained automated workflow-based exploit generation. In: 2016 ACM SIGSAC Conference (2016)
Gong, R.L.: Research and implementation of PHP Web Application Code Defect Detection. Beijing University of Posts and Telecommunications (2016)
PHP-Parser: A PHP parser written in PHP. https://github.com/nikic/PHP-Parser
Lin, Z.Q., Xie, B., Zou, Y.Z., Zhao, J.F., Li, X.D., Wei, J.: Intelligent development environment and software knowledge graph. J. Comput. Sci. Technol. 32(2), 242–249 (2017)
Liu, Q., Li, Y., Duan, H.: Knowledge graph construction techniques. J. Comput. Res. Dev. 32(2), 242–249 (2017)
Zhang, X., Liu, X.: MMKG: an approach to generate metallic materials knowledge graph based on DBpedia and Wikipedia. Comput. Phys. Commun. 211(February), 98–112 (2016)
Sun, X.B., Wang, L., Wang, J.W., et al.: Construct knowledge graph for exploratory bug issue searching. Acta Electron. Sin. 46(7), 1578–1583 (2018)
Lin, X., Liang, Y., Giunchiglia, F., et al.: Relation path embedding in knowledge graphs. Neural Comput. Appl. 31(9), 5629–5639 (2018)
DVWA: A PHP/MySQL web application that is damn vulnerable. http://www.dvwa.co.uk
Neo4j: A graph database platform. https://neo4j.com
Flask: A Python Micro-framework. http://flask.pocoo.org
Author information
Authors and Affiliations
Corresponding authors
Editor information
Editors and Affiliations
Rights and permissions
Copyright information
© 2019 Springer Nature Switzerland AG
About this paper
Cite this paper
Hongji, Y., Wei, C. (2019). Knowledge Graph Based Semi-automatic Code Auditing System. In: Liu, F., Xu, J., Xu, S., Yung, M. (eds) Science of Cyber Security. SciSec 2019. Lecture Notes in Computer Science(), vol 11933. Springer, Cham. https://doi.org/10.1007/978-3-030-34637-9_17
Download citation
DOI: https://doi.org/10.1007/978-3-030-34637-9_17
Published:
Publisher Name: Springer, Cham
Print ISBN: 978-3-030-34636-2
Online ISBN: 978-3-030-34637-9
eBook Packages: Computer ScienceComputer Science (R0)