Weakly typed languages such as PHP support loosely comparing two values. This language feature is widely used but can also pose severe security threats, because operand values can be implicitly converted into a different type or value. Under certain conditions, buggy loose comparisons can cause unexpected results, leading to authentication bypass and other functionality problems. In this paper, we present the first in-depth study of such loose comparison bugs. We develop LChecker, a system to detect PHP loose comparison bugs. It employs a context-sensitive inter-procedural data-flow analysis together with several new techniques to precisely detect loose comparison bugs. We also enhance the execution engine to help validate loose comparison bugs dynamically. Our evaluation shows that LChecker can both effectively and efficiently detect bugs with a reasonably low false-positive rate. LChecker has successfully detected all previously known bugs in our evaluation dataset with no false negatives. Using LChecker, we have confirmed 50 loose comparison bugs, of which 42 are new bugs.
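The bug class the abstract describes, shown as an added example that is not code from the paper or from LChecker: a digest check written with `==` accepts a different string because both operands are converted to numbers, while `hash_equals()` rejects it. The digest values and the function names `loose_check` and `strict_check` are constructed for illustration.

```php
<?php
// Added illustration; values and function names are constructed,
// not taken from the paper or from LChecker.

// Two different 32-character strings. Both are numeric strings in
// exponent notation, so each converts to the float 0.0.
const STORED_DIGEST   = '0e123456789012345678901234567890';
const SUPPLIED_DIGEST = '0e987654321098765432109876543210';

// Buggy check: when both operands are numeric strings, == compares
// the numbers they convert to, not the characters.
function loose_check(string $stored, string $supplied): bool
{
    return $stored == $supplied;
}

// Hardened check: hash_equals() compares the strings themselves,
// with no type conversion, and is safe against timing attacks.
function strict_check(string $stored, string $supplied): bool
{
    return hash_equals($stored, $supplied);
}

printf("loose  (==):          %s\n",
    var_export(loose_check(STORED_DIGEST, SUPPLIED_DIGEST), true));
printf("strict (hash_equals): %s\n",
    var_export(strict_check(STORED_DIGEST, SUPPLIED_DIGEST), true));

// Other operand pairs where == converts before comparing;
// === is printed beside each result for contrast.
$pairs = [
    ['1e3', '1000'],
    ['10', '10.0'],
    ['0', false],
    [null, ''],
    ['abc', 'ABC'],
];
foreach ($pairs as [$a, $b]) {
    printf("%-8s vs %-8s  ==: %-5s  ===: %s\n",
        var_export($a, true), var_export($b, true),
        var_export($a == $b, true), var_export($a === $b, true));
}
```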
