Jämförelse av statiska kodanalysverktyg : En fallstudie om statiska kodanalysverktygs förmåga att hitta sårbarheter i kod / Comparison of static code analysis tools: A case study of static code analysis tools ability to find code vulnerabilities

Holmberg, Anna

January 2020

Security deficiencies that occur in web applications can have major consequences. PHP is a language that is often used for web applications and it places high demands on how the language is used to ensure it is safe. There are several features in PHP that should be handled with care to avoid security flaws. Static code analysis can help find vulnerabilities in code, but there are some drawbacks that can occur with static code analysis tools. One disadvantage is false positives which means that the tool reports vulnerabilities that do not exist. There are also false negatives which means the tool cannot find the vulnerability at all which can lead to a false sense of security for the user of the tool. With the help of completed test cases, three tools have been investigated in a case study to find out if the tools differ in their ability to avoid false positives and false negatives. The study also examines whether the tools' rules consider the PHP language's vulnerable functions. To answer the research question, a document collection was conducted to obtain information about the tools and various vulnerabilities. The purpose of this study is to compare the ability of static code analysis tools to find PHP code vulnerabilities. The tools that were investigated were SonarQube, Visual Code Grepper (VCG) and Exakat. The study's analysis shows that VCG found the most vulnerabilities but failed to avoid false positive vulnerabilities. Exakat had zero false positives but could not avoid false negatives to the same extent as VCG. SonarQube avoided all false positives but did not find any of the vulnerabilities tested in the test cases. According to the rules of the tools, VCG had more consideration for the risky functions found in PHP. The study's results show that the tools' ability to avoid false positives and false negatives differed and their adaptation to the PHP language's vulnerable functions. / Säkerhetsbrister som förekommer i webbapplikationer kan leda till stora konsekvenser. PHP är ett språk som ofta används för webbapplikationer och det ställer höga krav på hur språket används för att det ska vara säkert. Det finns flera funktioner i PHP som bör hanteras varsamt för att inte säkerhetsbrister ska uppstå. Statisk kodanalys kan hjälpa till med att hitta sårbarheter i kod men det finns vissa nackdelar som kan uppkomma med statiska kodanalysverktyg. En nackdel är falska positiva vilket betyder att verktyget rapporterar in sårbarheter som inte finns. Det finns också falska negativa som betyder att verktyget inte hittar sårbarheten alls vilket kan leda till en falsk trygghetskänsla för användaren av verktyget. Med hjälp av färdiga testfall så har tre verktyg utretts i en fallstudie för att ta reda på om verktygen skiljer sig i sin förmåga till att undvika falska positiva och falska negativa. Studien undersöker också om verktygens regler tar PHP-språkets sårbara funktioner i beaktning. För att kunna besvara forskningsfrågan har en dokumentsinsamling genomförts för att få information om verktygen och olika sårbarheter. Studiens syfte är att jämföra statiska kodanalysverktygs förmåga att hitta sårbarheter i PHP-kod. De verktyg som utreddes var SonarQube, Visual Code Grepper (VCG) och Exakat. Studiens analys visar att VCG hittade mest sårbarheter men lyckades inte undvika falska positiva sårbarheter. Exakat hade noll falska positiva men kunde inte undvika falska negativa i lika stor utsträckning som VCG. SonarQube undvek alla falska positiva men hittade inte någon av de sårbarheter som testades i testfallen. Enligt verktygens regler visade sig VCG ta mest hänsyn till de riskfyllda funktioner som finns i PHP. Studiens resultat visar att verktygens förmåga att undvika falska positiva och falska negativa och deras anpassning för PHP språkets sårbara funktioner skiljde sig åt.

static code analysis

software tools

software vulnerabilities

PHP

false positives

false negatives

Statisk kodanalys

mjukvaruverktyg

programvarusårbarheter

PHP

falska positiva

falska negativa

Social Sciences Interdisciplinary

Webbaserat bokningssystem för grupprum : Utveckling av en prototyp

Nowak, Jesper, Ström Liljengård, Emma

January 2015

Open-plan offices are widely used by companies today. There is also secluded rooms in the form of group and meeting rooms, although these are often limited in numbers. Not being able to book these rooms when needed leads to problems planning for example customer meetings. Which is also a problem for students in the school world. Today there is a number of studie rooms at Royal Institute of Technology in Kista, school for information and communication technology, where none of them are bookable. Earlier there where bookable studie rooms in the library and in other parts of the school, but such a system is no longer available because of the new facilities. The result of this is that students at the school are not able to plan their studies in an effective way because they do not know if they have a suitable place to study at between lectures or exercises. Because of this there is a need for a system that can provide students the opportunity to book a studie room. The thesis documents the development of a booking system prototype for study rooms. The prototype have been developed with HTML, PHP, PostgreSQL, JavaScript och Ajax. The thesis contains a literature studie of the current booking systems available. An analysis and an evaluation of these systems have been used as a foundation for the development. Interviews of students have been used as a data collection method. Summarizing the students opinion gave an indication of what is required by the system in terms of functionality and the user interface. The project also describes the working methods that have been used. The project resulted in a prototype for the booking system, where users can see all the available study rooms, make a booking, confirm the booking and remove their bookings. The prototype uses a database that is fully modified. The result from an evaluation of the prototype indicates what aspects that needs to be improved in future work. / I dagsläget är öppna kontorslandskap vanligt förekommande hos företag. Det finns avskilda platser i form av grupp- och mötesrum, dessa är dock allt som oftast begränsade till antal. Att inte kunna boka dessa rum vid behov leder till svårigheter att planera till exempel kundmöten. Problemet att kunna boka ett avskilt rum vid behov finns även inom skolvärlden. På Kungliga Tekniska Högskolan (KTH) i Kista, skolan för information och kommuniktionsteknik, finns det ett antal grupprum där inga av dem är bokningsbara. Det har tidigare funnits bokningsbara grupprum i biblioteket och i andra delar av skolan men idag saknas ett sådant system på grund av nya lokaler. Detta resulterar i att studenter inte kan planera sina studier på ett effektivt sätt då de inte vet om de har en lämplig studieplats mellan föreläsningar. Därför finns det ett stort behov av ett system där studenterna kan boka grupprummen. Uppsatsen dokumenterar utvecklingen av en prototyp ett bokningssystem för grupprum som gjorts med hjälp av HTML, PHP, PostgreSQL, JavaScript och Ajax. Arbetet beskriver även de arbetsmetoder som använts under arbetets gång. Uppsatsen inkluderar en undersökning av bokningssystem som finns idag. Som datainsamlingsmetod har även intervjuer av studenter använts. Utvärderingen av bokningssystemen som finns idag tillsammans med resultatet av intervjuerna gav en indikation om vad som krävs av bokningssystemets användargränssnitt och funktionalitet. Arbetet resulterade i en prototyp av bokningssystemet där användaren kan se vilka grupprum som är lediga, boka grupprum, kvittera bokningar och ta bort bokningar. Prototypen använder en databas som modellerats och implementerats. En evaluering av prototypen resulterade i vad som kan förbättras i ett framtida arbete.

booking system

system development

study rooms

students

HTML

PHP

PostgreSQL

bokningssystem

systemutveckling

grupprum

student

HTML

PHP

PostgreSQL

Computer and Information Sciences

Data- och informationsvetenskap

Utveckling av ett online verktyg för beräkning av träkonstruktioner / Development of an online tool for the design of timber structures

Balladares, Yandra, Gomez, Matitas, Mehmeti, Melis

January 2019

I Sverige har byggsektorn en stor påverkan på miljön och nya metoder samt materialen behöver tas fram för att förbättra situationen. Ett online-verktyg kan användas som ett hjälpmedel vid inlärning och även öka kunskapen. Arbetet gick ut på att skapa ett online-verktyg men även att kontrollera hur andra befintliga verktyg fungerar och hur de är utformade.Syftet och målet med arbetet var att skapa ett online-verktyg för träkonstruktioner som kan användas i kursen Stål- och träkonstruktioner samt som kan hjälpa studenter vid inlärning och kontroller av beräkningar.Online-verktyget som tagits fram erbjuder möjligheten att beräkna bärförmågan hos träkonstruktioner i form av balkar, pelare och förband. Online-verktyget befinner sig i ett tidigt stadie och kräver mer utveckling, enkätundersökningar och intervjuer gav inblick till vad som behöver implementeras i framtiden. / The building sector in Sweden has a big impact on the environment and new methods as well as new technology need to be developed in order to improve the situation. An online tool can be used as an aid in learning and to improve the knowledge. The thesis work comprises the development of an online tool and furthermore an investigation of how other online tools work and how they are designed.The goal and the purpose of the thesis was to create an online tool that can be implemented in the course Steel and Timber Structural Engineering at Linnaeus University. In order to help students with learning and to check calculations.The program that has been developed offers the ability to calculate the load bearing capacity of beams, pillars and connections with metal fasteners. The online tool is in an early stage and needs further. The surveys and interviews gave an insight to what functions need to be implemented in the future.

online tool

learning

design of timber structures

PHP

online-verktyg

inlärning

dimensionering av träkonstruktioner

PHP

Other Civil Engineering

Annan samhällsbyggnadsteknik

Building Technologies

Husbyggnad

Balíček modulů pro tvorbu webových aplikací pomocí PHP / Module Package for Building Internet Applications in PHP

Rybák, Aleš

Unknown Date

Package of modules for development with PHP is project aimed on simplification and efficiency of programmer's work when developing web based applications in scripting language PHP. This project is continuation of PHP Modular Object framework and wants to extend its connectivity to new modules. Next goal is implementation of modules which allow programmers to use the development system.

Laravel CMS Starter Template : En blockeditor för Laravel

Wall Andersson, Björn

January 2024

The following degree report includes the theoretical information needed to understand the retelling of a project where this report's author had the goal of building a CMS-system in the form of a block editor using the framework Laravel. This was done on-site for the company Mina Bästa Polare AB, who found a need for a CMS-system to use within their Laravel projects. This need was found through their customers' administrators needing to contact the developers for changes that otherwise could be made by the administrators if they had a CMSsystem available. The work done that is retold in this report was done in the framework Laravel, a block editor was built to be used as a CMS-system for the developers at Mina Bästa Polare to implement within their Laravel-projects. Before the development of the block editor could start the work needed to be planned, with a Gantt scheme-alike document a time estimate was made for every step in the process. The block editor was visually designed with wireframes and the database architecture was designed with an ER-diagram. The development of this block editor was done within the frameworks Laravel, Inertia, Vue and Tailwind. These techniques were used to create a full stack website that can be shown as a first example of how this CMS-system can be used within Laravel-projects. With this system available to them both the developers and customers of Mina Bästa Polare will experience a smoother running workday / Föreliggande rapport presenterar den teoretiska information som behövs för att förstå efterkommande återberättande av ett projektarbete där målet var att rapportens författare skulle bygga ett CMS-system i form av en blockeditor inom ramverket Laravel. Projektarbetet utfördes på plats hos företaget Mina Bästa Polare AB, en webbyrå baserad i Östersund som upptäckt ett behov av ett CMS-system i form av en blockeditor till sina Laravel-projekt. tillgång till ett sådant CMS-system. Ett mål är att editorn skall bli så “decoupled“ som möjligt, vilket betyder att i högsta möjliga mån skall kunna implementeras i vilket Laravel-projekt som helst. Innan utvecklingen av blockeditorn påbörjades så strukturerades arbetet upp genom att det tidsplanerades med hjälp av en tidplan som liknar ett Gantt-schema vilket estimerar en tidsaspekt för varje steg i processen. Sedan påbörjades blockeditorns visuella design vilket gjordes med wireframes följt av att databasen arkitektur designades genom ett ER-diagram. Utvecklingen utfördes i ramverken Laravel, Inertia, Vue och Tailwind. Dessa tekniker användes för att i slutändan resultera i en fullstack webbplats som kan visas upp som ett första exempel på hur denna CMS-system kan användas inom Laravel-projekt. Med detta system tillgängligt kan nu inte bara Mina Bästa Polares utvecklare utan även deras kunder få en smidigare vardag när de använder detta system.

Laravel

PHP

Gutenbergblock

WordPress

HTML

CSS

Vue

Inertia

Tailwind

JSON.

Laravel

PHP

Gutenbergblock

WordPress

HTML

CSS

Vue

Inertia

Tailwind

JSON

Computer Engineering

Datorteknik

Database metadata requirements for automated web development : a case study using PHP

Mgheder, Mohamed Ahmed

January 2009

The Web has come a long way. It started as a distributed document repository and quickly became the spring board for a new type of application. Propped on top of the original HTML+HTTP architecture, this new application platform shifted the way the architecture was used so that commands and functionality were embedded in the form data of Web requests rather than in the HTTP command conveying the request. This approach enabled Web requests to convey any type of data, not just document operations. This is occurring because the Web provides such a powerful platform on which to create applications. This is occurring because web development methods are still evolving toward the structure and stability required taking on this enormous new role. As the needs of developers change, certain themes that arise more frequently than others become embedded into new environments to support those needs. Until recently, Web application programming has largely been done with a set of keywords and metaphors developed long before the Web became a popular place to program. APIs have been developed to support Web specific features, but they are no replacement for fundamental changes in the programming environment itself. The growth of Web applications requires a new type of programming designed specifically for the needs of the Web. This thesis aims to contribute towards the development of an abstract framework to generate abstract and dynamic Web user interfaces that are not developed to a specific platform. To meet this aim, this thesis suggests a general implementation of a prototype system that uses the information in database metadata in conjunction with PHP. Database metadata is richer in providing the information needed to build dynamic user interfaces. This thesis uses PHP and the abstract library ADOdb to provide us with a generalised database metadata based prototype. PHP does not have any restrictions on accessing and extracting database metadata from numerous database management systems. As a result, PHP and relational database were used to build the proposed framework. Additionally, ADOdb was used to link the two mentioned technologies. The implemented framework in this thesis demonstrates that it is possible to generate different automatic Web entry forms that are not specific at any platform.

004

LMSEngine API : Utveckling av en plattform för e-learning

Johansson, Fredrik

January 2010

<p>Arbetet handlar om utveckling av ett e-learningsystem och hur man kan säkra koden förframtiden. Dessutom handlar det om att undersöka en möjlig implementation av standardenSCORM samt att ta fram en ny databasmodell.Efter förundersökning togs beslutet att genomföra projektet som ett API i grunden medtestdriven utveckling och tillhörande dokumentation. De tekniker som användes var; HTML,CSS, XML, PHP, MySQL, Javascript, och Codeigniter.Resultatet blev som förväntat förutom att det inte gick att återanvända koden i den utsträckningsom först uppskattades utan istället återanvändes idéer och problemlösning.</p> / <p>This thesis is about an e-learning system and how to secure the code for future development. Inaddition, it is about a conceivable implemention of the SCORM standard and to develop a newdatabase model.After preliminary investigation it was decided to proceed with the project as an API and to usetest-driven development and also to write documentation. The techniques used were: HTML,CSS, XML, PHP, MySQL, Javascript, Codeigniter.The result was as expected except that it was not possible to reuse the code in the extent whichwas first estimated, but instead re-use ideas and how to solve problems.</p>

api

e-learning

scorm

databasmodell

php

ajax

javascript

mysql

codeigniter

xml

html

Computer science

Datavetenskap

Implementace rezoluce řízení toku v dynamickém jazyce / Implementing control flow resolution in dynamic language

Šindelář, Štěpán

January 2014

Dynamic programming languages allow us to write code without type information and types of variables can change during execution. Although easier to use and suitable for fast prototyping, dynamic typing can lead to error prone code and is challenging for the compilers or interpreters. Programmers often use documentation comments to provide the type information, but the correspondence of the documentation and the actual code is usually not checked by the tools. In this thesis, we focus on one of the most popular dynamic programming languages: PHP. We have developed a framework for static analysis of PHP code as a part of the Phalanger project -- the PHP to .NET compiler. The framework supports any kind of analysis, but in particular, we implemented type inference analysis with emphasis on discovery of possible type related errors and mismatches between documentation and the actual code. The implementation was evaluated on real PHP applications and discovered several real errors and documentation mismatches with a good ratio of false positives. Powered by TCPDF (www.tcpdf.org)

Securely Consume Web Services Using PHP

Vo, Sonny Tran-Hai

19 December 2008

The PHP: Hypertext Preprocessor language (PHP) has evolved to a sophisticated mainstream programming language for rapid development of significant Web applications at major sites including Facebook.com, Wikipedia.org and Yahoo.com. Leading software vendors such as Oracle and IBM are rushing in providing tools that bridge their products to PHP. However, we have observed a gap in facilitating PHP to utilize Web services efficiently. This thesis reports our efforts in design and implementation of PHP applications that consume Web services. In doing so, I have proposed a framework facilitating PHP programs to utilize Web services with high performance capability. In addition, a number of Web service standards including WS-Addressing and those in WS-Security are integrated into my PHP implementation. Examples of using various Amazon Web Services are provided with details.

PHP

SOA

SOAP

Web Services

XML

XPath

WSDL

UDDI

WS-Addressing

WS-Security

Amazon Web Services

Automation of the Client Side of Web Services Using PHP

Medjkane, Menad

20 December 2009

Web Services have been the dominant technology in business integration and implementation of service oriented architectures. PHP is a server-side language popular for development of applications. A significant advantage of PHP is its light weight development for feature-rich web applications. Typically, PHP is used for making good-looking front end user interfaces; Java or other programming languages are used to develop the back end application. A secure and robust way for PHP programs to call back-end services is by Web Services. However, when the Web Service operations have complex interfaces, writing PHP client code can be difficult and error-prone. This thesis research seeks to develop a Web service-PHP program middleware that automatically handles the client-side Web Service calls. Two Web Services are developed, as well as two Web applications that consume the two Web Services, and experiments that demonstrate the usage of the WS-PHP middleware component are conducted.

Web Services

PHP

DOM

XPATH

WSDL

SOAP

Ajax

Client Program

Automation