What is Stranger?

Stranger is an Automata-Based Symbolic String Analysis Library. It can be used to solve string constraints and to compute pre- and post-images of string manipulation operations such as concatenation and replacement. It handles complex regular-expression-based replace operations such as PHP's preg_replace, and it approximates these operations in the presence of unbounded loops with high precision and smooth performance. It can also be used for automatic repair of validation and sanitization bugs. Stranger stands for STRing AutomatoN GEneratoR.

Things Built on Top of Stranger Library
  • Detect security vulnerability in PHP.

    We built a tool based on Stranger to detect validation and sanitization bugs that may result in security vulnerabilities in PHP web applications. The tool takes a PHP program as input along with a policy (an attack pattern) specified as a PHP regular expression, analyzes the program automatically, and outputs possible bugs. We successfully used the tool to detect XSS, SQL Injection and MFE vulnerabilities in a number of PHP web programs (OWASP Top 10).

  • Automatically Fix validation and sanitization problems in your code.

    SemRep is a Semantic Differential Repair tool for input validation and sanitization code. The tool analyzes and repairs validation and sanitization functions against each other, and it needs no manual specification or intervention. It takes two functions as Dependency Graphs and then looks for differences in the validation and sanitization operations applied to string variables. If a difference is found, the tool suggests a set of three patch functions that can be used to fix the difference.
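The analysis described above (computing the post-image of a sanitizer over all untrusted inputs, then intersecting it with an attack pattern) can be sketched in a few dozen lines. The following Python is an added illustration, not Stranger's own code: Stranger is implemented in C on top of MONA's BDD-based automata, whereas this toy uses plain NFAs with epsilon moves and a breadth-first product search. The alphabet, the attack pattern (any string containing `<`) and the two sanitizers are constructed for the example; `replace_char` models the post-image of a single-character `str_replace`.

```python
from collections import deque
from itertools import count

_fresh = count()  # global supply of unique state ids, so automata can be merged freely


class NFA:
    """Nondeterministic finite automaton; epsilon moves use the symbol None."""

    def __init__(self, start, accept, trans):
        self.start, self.accept, self.trans = start, set(accept), trans

    def closure(self, states):
        """All states reachable from `states` through epsilon moves only."""
        stack, seen = list(states), set(states)
        while stack:
            q = stack.pop()
            for r in self.trans.get((q, None), ()):
                if r not in seen:
                    seen.add(r)
                    stack.append(r)
        return frozenset(seen)

    def step(self, states, sym):
        """Epsilon-closed set of states reached from `states` on one symbol."""
        nxt = set()
        for q in states:
            nxt |= self.trans.get((q, sym), set())
        return self.closure(nxt)


def literal(s):
    """Automaton accepting exactly the string s."""
    q = start = next(_fresh)
    trans = {}
    for ch in s:
        r = next(_fresh)
        trans[(q, ch)] = {r}
        q = r
    return NFA(start, {q}, trans)


def sigma_star(alphabet):
    """Automaton accepting every string over the alphabet (the untrusted-input language)."""
    q = next(_fresh)
    return NFA(q, {q}, {(q, ch): {q} for ch in alphabet})


def concat(a, b):
    """Language concatenation: epsilon moves from a's accepting states into b."""
    trans = {k: set(v) for k, v in [*a.trans.items(), *b.trans.items()]}
    for f in a.accept:
        trans.setdefault((f, None), set()).add(b.start)
    return NFA(a.start, b.accept, trans)


def replace_char(a, ch, repl):
    """Post-image of str_replace(ch, repl, x) over all x in L(a):
    every transition on `ch` is rerouted through fresh states that read `repl`."""
    trans = {}
    for (q, sym), targets in a.trans.items():
        if sym != ch:
            trans.setdefault((q, sym), set()).update(targets)
            continue
        for t in targets:
            cur = q
            for c in repl:
                r = next(_fresh)
                trans.setdefault((cur, c), set()).add(r)
                cur = r
            trans.setdefault((cur, None), set()).add(t)  # empty repl = deletion
    return NFA(a.start, a.accept, trans)


def witness(a, b, alphabet):
    """Shortest string in L(a) ∩ L(b), or None if the intersection is empty.
    Breadth-first search over the product of epsilon-closed state sets."""
    start = (a.closure({a.start}), b.closure({b.start}))
    seen, queue = {start}, deque([(start, "")])
    while queue:
        (sa, sb), word = queue.popleft()
        if sa & a.accept and sb & b.accept:
            return word
        for ch in sorted(alphabet):
            nxt = (a.step(sa, ch), b.step(sb, ch))
            if nxt[0] and nxt[1] and nxt not in seen:  # prune dead product states
                seen.add(nxt)
                queue.append((nxt, word + ch))
    return None


ALPHABET = set("ab<>&lt;g")  # constructed: a tiny alphabet keeps the product small


def check_sanitizer(sanitize):
    """Return an attack string that survives the sanitizer, or None if none exists."""
    untrusted = sigma_star(ALPHABET)                # any user-controlled string
    sanitized = sanitize(untrusted)                 # post-image of the sanitizer
    attack = concat(concat(sigma_star(ALPHABET), literal("<")), sigma_star(ALPHABET))
    return witness(sanitized, attack, ALPHABET)


def good_sanitizer(x):  # models str_replace('<', '&lt;', $x)
    return replace_char(x, "<", "&lt;")


def bad_sanitizer(x):   # models str_replace('>', '&gt;', $x), which forgets '<'
    return replace_char(x, ">", "&gt;")


if __name__ == "__main__":
    print("good sanitizer:", check_sanitizer(good_sanitizer))  # None: no attack string survives
    print("bad sanitizer: ", check_sanitizer(bad_sanitizer))   # '<': a witness of the bug
```

The returned witness plays the role of the counter-example a string analyzer reports for a failing policy: an input that passes the sanitizer and still matches the attack pattern. A real analyzer also has to handle loops (by widening on the automata) and regular-expression replacements rather than single characters, which is exactly what Stranger adds on top of this basic construction.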

Download
  • Download Stranger Library's source code from here.
  • Download SemRep source code from here.
  • Download PHP vulnerability detector from here.
Documentation
  • Learn how to detect security vulnerabilities in PHP by reading the documentation, and give us your valuable feedback.
  • Learn how to automatically fix validation and sanitization bugs in web applications from here.
  • Understand the theory behind stranger by reading the publications.
Acknowledgement
This material is based upon work supported by the National Science Foundation under Grant No. CCF-0916112. Any opinions, findings and conclusions or recommendations expressed in this material are those of the author(s) and do not necessarily reflect the views of the National Science Foundation (NSF).