PHP Vulnerability Detection using Forward Taint Data Analysis Method

  • Shyffa Ilmallia Noer Fhadillah Telkom University
  • Parman Sukarno Telkom University
  • Aulia Arif Wardana Telkom University


This research builds the detection of php scripts using the Forward Taint data analysis method. Research has been carried out to test this attack. However, the accuracy that has been inferred is still very low. This is getting higher because of the false positive generated. So in solving this problem, the forward taint data analysis method performs double checks that will reduce the positive false value generated. Accuracy resulting from this research reached 90%. These results outperform other existing methods.


[1] W3techs, " Usage statistics and market share of PHP for websites," 2019. [Online]. Available: [Diakses 29 Maret 2019].

[2] Risk Based Security, "lnerability QuickView 2016 Year End, " January 2017. [Online]. Available: nulnquickview. [Diakses 29 Maret 2019]

[3] Dimastrogiovanni, C., & Laranjeiro, N. (2016). Towards Understanding the Value of False Positives in Static Code Analysis. 2016 Seventh Latin- American Symposium on Dependable Computing (LADC).

[4] Nashaat, M., Ali, K., & Miller, J. (2017). Detecting Security Vulnerabilities in Object-Oriented PHP Programs. 2017 IEEE 17th International Working Conference on Source Code Analysis and Manipulation (SCAM).

[5] Cao, K., He, J., Fan, W., Huang, W., Chen, L., & Pan, Y. (2017). PHP
vulnerability detection based on taint analysis. 2017 6th International Conference on Reliability, Infocom Technologies and Optimization (Trends and Future Directions) (ICRITO).

[6] Yan, X., Ma, H., & Wang, Q. (2017). A static backward taint data analysis method for detecting web application vulnerabilities. 2017 IEEE 9th International Conference on Communication Software and Networks (ICCSN).
[7] Mohosina, A., & Zulkernine, M. (2012). DESERVE: A Framework for Detecting Program Security Vulnerability Exploitations. 2012 IEEE Sixth International Conference on Software Security and Reliability.

[8] Smith, M., & Dehlinger, J. (2014). Enabling static security vulnerability analysis in PHP applications for novice developers withSSVChecker. Proceedings of the 2014 Conference on Research in Adaptive and Convergent Systems - RACS 14.

[9] Damn Vulnerable Web Application (DVWA) [Online]. Available: (OWSP, 2018) [Accessed 20 September 2019].

[10] V. B. Livshits and M. S. Lam. Finding security errors in Java
programs with static analysis. In Proceedings of the 14th Usenix Security Symposium, 2005.

[11] N.Jovanovic, C.Kruegel, E.Kirda. Pixy: A Static Analysis Tool for Detecting Web Application Vulnerabilities(short paper). In Proceeding of IEEE Symposium on Security and Privacy, 2006.

[12] Y.W.Huang, F.Yu, C.Hang, C.H.Tsai, D.T.Lee, S,Y,Kuo. Securing Web Application Code by Static Analysis and Runtime Protection. In Proceedings of the 13th International World Wide Web Conference, 2004.

[13] Zheng, Yunhui, and X. Zhang. "Path sensitive static analysis of web applications for remote code execution vulnerability detection." International Conference on Software Engineering IEEE, 2013:652-661.

[14] Medeiros, Ibéria, N. Neves, and M. Correia. "Detecting and Removing Web Application Vulnerabilities with Static Analysis and Data Mining." IEEE Transactions on Reliability 65.1(2016):54-69.

[15] Jovanovic, N., C. Kruegel, and E. Kirda. "Pixy: a static analysis tool for detecting Web application vulnerabilities." IEEE, 2006:6pp.-263.