WHIP: Improving static vulnerability detection in web application by forcing tools to collaborate

Al-Kassar, Feras; Compagna, Luca; Balzarotti, Davide
USENIX Security 2023, 32nd USENIX Security Symposium, 9-11 August 2023, Anaheim, CA, USA

Improving the accuracy of static application security testing (SAST) is key to fighting critical vulnerabilities and increasing the security of the Web. However, even state-of-the-art commercial tools have many blind spots that limit their ability to properly analyze modern code and therefore to discover complex inter-procedural vulnerabilities.
In this paper, we present WHIP, the first approach that enables SAST tools to ‘collaborate’ by sharing information that can help them overcome each other’s limitations. Our technique operates only on the application source code, using different tools as oracles to search for signs of interrupted data flows. When we discover such obstacles, we inject alternative paths that circumvent the piece of code that the SAST tools were not able to handle correctly. We conducted extensive experiments by analyzing over 100 popular PHP projects with more than 1,000 stars on GitHub. Our experiments show that our approach enables two popular SAST tools to increase their coverage of the applications’ source code, resulting in an increase of up to 25% in the number of high-severity alerts. We manually inspected 30% of the 9,226 new alerts obtained by WHIP and responsibly disclosed 35 zero-day injection vulnerabilities across 14 applications.

Type:
Conference
City:
Anaheim
Date:
2023-08-09
Department:
Digital Security
Eurecom Ref:
7505
Copyright:
Copyright USENIX. Personal use of this material is permitted. The definitive version of this paper was published in USENIX Security 2023, 32nd USENIX Security Symposium, 9-11 August 2023, Anaheim, CA, USA and is available at:

PERMALINK: https://www.eurecom.fr/publication/7505