Stranger is an Automata-Based Symbolic String Analysis Library. You can use
stranger to solve string constraints and/or compute pre and post-images of string
manipulation operations such as concatenation and replacement. It can handle
complex regular-expression based replace operations such as PHP's
preg_replace and approximate these operations in the presence of unbounded loops
with high precision and smooth performance.
It can also be used to do automatic repair for such bugs.
Stranger stands for STRing AutomatoN GEneratoR.
- Detect security vulnerability in PHP.
We built a tool based on Stranger to detect validation and sanitization bugs
that may result in security vulnerabilities in PHP web applications.
The tool takes a PHP program as input along with a policy (an attack
pattern), specified as a PHP regular expression, and automatically analyzes it
and outputs possible bugs. We successfully tested the tool
to detect XSS
, SQL Injection
and MFE vulnerabilities in
a number PHP web programs (OWASP
- Automatically Fix validation and sanitization problems in your code.
is Semantic Differential Repair tool for input validation and
sanitization code. The tool analyzes and repairs validation and sanitization
functions against each other. The tool does not need any manual specification or
intervention. It takes two functions as Dependency Graphs then it looks for
differences in validation and sanitization operations for string variables.
If a difference is found, the tool suggests a set of three patch functions that
can be used to fix the difference.
- Download Stranger Library's source code from here.
- Download SemRep source code from here.
- Download PHP vulnerability detector from here.
- Know how to detect security vulnerabilities in PHP by reading the documentation and give us your valuable feed
- Learn how to automatically fix validation and sanitization bugs in
web applications from here.
- Understand the theory behind stranger by reading the publications.
This material is based upon work supported by the National Science
Foundation under Grant No. CCF-0916112. Any opinions, findings and
conclusions or recomendations expressed in this material are those of
the author(s) and do not necessarily reflect the views of the National
Science Foundation (NSF).