Feras Al Kassar (SAP Security Research), Giulia Clerici (SAP Security Research), Luca Compagna (SAP Security Research), Davide Balzarotti (EURECOM), Fabian Yamaguchi (ShiftLeft Inc)

While static application security testing tools (SAST) have many known limitations, the impact of coding style on their ability to discover vulnerabilities remained largely unexplored. To fill this gap, in this study we experimented with a combination of commercial and open source security scanners, and compiled a list of over 270 different code patterns that, when present, impede the ability of state-of-the-art tools to analyze PHP and JavaScript code. By discovering the presence of these patterns during the software development lifecycle, our approach can provide important feedback to developers about the **testability** of their code. It can also help them to better assess the residual risk that the code could still contain vulnerabilities even when static analyzers report no findings. Finally, our approach can also point to alternative ways to transform the code to increase its testability for SAST.

Our experiments show that testability tarpits are very common. For instance, an average PHP application contains over 21 of them and even the best state of art static analysis tools fail to analyze more than 20 consecutive instructions before encountering one of them. To assess the impact of pattern transformations over static analysis findings, we experimented with both manual and automated code transformations designed to replace a subset of patterns with equivalent, but more testable, code. These transformations allowed existing tools to better understand and analyze the applications, and lead to the detection of 440 new potential vulnerabilities in 48 projects. We responsibly disclosed all these issues: 31 projects already answered confirming 182 vulnerabilities. Out of these confirmed issues-- that remained previously unknown due to the poor testability of the applications code-- there are 38 impacting popular Github projects (>1k stars), such as PHP Dzzoffice (3.3k), JS Docsify (19k), and JS Apexcharts (11k). 25 CVEs have been already published and we have others in-process.

View More Papers

Towards a TEE-based V2V Protocol for Connected and Autonomous...

Mohit Kumar Jangid (Ohio State University) and Zhiqiang Lin (Ohio State University)

Read More

Log4shell: Redefining the Web Attack Surface

Douglas Everson (Clemson University), Long Cheng (Clemson University), and Zhenkai Zhang (Clemson University)

Read More

V-Range: Enabling Secure Ranging in 5G Wireless Networks

Mridula Singh (CISPA - Helmholtz Center for Information Security), Marc Roeschlin (ETH Zurich), Aanjhan Ranganathan (Northeastern University), Srdjan Capkun (ETH Zurich)

Read More

Usability of Cryptocurrency Wallets Providing CoinJoin Transactions

Simin Ghesmati (Uni Wien, SBA Research), Walid Fdhila (Uni Wien, SBA Research), Edgar Weippl (Uni Wien, SBA Research)

Read More