ASE2025
STaint: Detecting Second-Order Vulnerabilities in PHP Applications with LLM-Assisted Bi-Directional Static Taint Analysis
Yuchen Ji, Hongchen Cao, Jingzhu He
Cited by 1
Abstract
Second-order vulnerabilities, such as second-order cross-site scripting (XSS) and server-side request forgery (SSRF), occur when user-controlled input is stored in a database and later retrieved in a different execution context, which complicates static detection. Existing static analysis approaches struggle with two challenges in particular. First, they fail to accurately identify database-accessing functions defined by third-party libraries or custom data access layers, so taint propagation paths through the database are often missed. Second, they may fail to model database operations in context when queries are constructed dynamically and depend on runtime parameters. To address these limitations, we propose STaint, a novel bi-directional static analysis method that integrates taint analysis with large language models (LLMs). Using the LLM's semantic reasoning, STaint identifies and models custom database reads and writes, reconstructing the taint data flows that pass through the database. A preliminary evaluation on ten real-world PHP applications shows that STaint detects 56 second-order vulnerability paths, including 7 previously unknown cases, outperforming existing techniques.
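The following toy analyzer is an added illustration of the bi-directional idea described in the abstract; it is not STaint's code and does not use an LLM. A forward pass follows taint from request input to writes made through a custom data-access layer, a backward pass walks from each sink back to the read that produced the sunk value, and the two meet on the table name, so the database itself carries the taint between two request handlers. The `DB_MODEL` table is written by hand here and stands in for the classification of wrapper functions that STaint obtains from the LLM. The handler names (`post.php`, `view.php`), the wrappers (`Store::save`, `Store::fetch`), the tables and the tiny PHP-like IR are all constructed for this example; they do not come from the paper.

```python
"""Toy bi-directional second-order taint analysis over a PHP-like IR.
Added example, not STaint's implementation. DB_MODEL is hand-written and
stands in for the LLM-derived classification of data-access functions.
All handler, function and table names below are constructed."""

# Model of the custom data-access layer: which argument names the table and
# which carries the stored value. (STaint gets this from the LLM; hand-written here.)
DB_MODEL = {
    "Store::save":  {"role": "write", "table_arg": 0, "data_arg": 1},
    "Store::fetch": {"role": "read",  "table_arg": 0},
}
SINKS = {"echo": "second-order XSS", "curl_exec": "second-order SSRF"}

# Two request handlers, i.e. two execution contexts. Ops and the PHP they stand for:
#   source  $x = $_POST[...]    const  $x = 'literal'    assign  $x = $y
#   sanitize  $x = htmlspecialchars($y)    call  $x = f(args)    sink  f($x)
# Arguments are either "'literal'" or "$var".
PROGRAM = {
    "post.php": [
        {"op": "source", "dst": "$c"},
        {"op": "const", "dst": "$t", "value": "comments"},
        {"op": "call", "dst": None, "func": "Store::save", "args": ["$t", "$c"]},
        {"op": "source", "dst": "$n"},
        {"op": "sanitize", "dst": "$safe", "src": "$n"},
        {"op": "call", "dst": None, "func": "Store::save", "args": ["'names'", "$safe"]},
        {"op": "const", "dst": "$v", "value": "1.0"},
        {"op": "call", "dst": None, "func": "Store::save", "args": ["'meta'", "$v"]},
        {"op": "source", "dst": "$which"},  # table name chosen by the request at runtime
        {"op": "source", "dst": "$u"},
        {"op": "call", "dst": None, "func": "Store::save", "args": ["$which", "$u"]},
    ],
    "view.php": [
        {"op": "call", "dst": "$rows", "func": "Store::fetch", "args": ["'comments'"]},
        {"op": "assign", "dst": "$body", "src": "$rows"},
        {"op": "sink", "func": "echo", "src": "$body"},
        {"op": "call", "dst": "$names", "func": "Store::fetch", "args": ["'names'"]},
        {"op": "sink", "func": "echo", "src": "$names"},
        {"op": "call", "dst": "$m", "func": "Store::fetch", "args": ["'meta'"]},
        {"op": "sink", "func": "curl_exec", "src": "$m"},
    ],
}


def resolve_table(arg, consts):
    """Table operand -> table name, or '*' when it is only known at runtime."""
    if arg.startswith("'"):
        return arg.strip("'")
    return consts.get(arg, "*")


def forward(program):
    """Source -> DB write. Returns {table: [(handler, stmt_index)]} of tainted writes."""
    writes = {}
    for handler, stmts in program.items():
        tainted, consts = set(), {}
        for i, s in enumerate(stmts):
            if s["op"] == "source":
                tainted.add(s["dst"])
            elif s["op"] == "const":
                consts[s["dst"]] = s["value"]
            elif s["op"] == "assign":
                (tainted.add if s["src"] in tainted else tainted.discard)(s["dst"])
            elif s["op"] == "sanitize":
                tainted.discard(s["dst"])  # htmlspecialchars() clears the taint for XSS
            elif s["op"] == "call":
                model = DB_MODEL.get(s["func"])
                if model and model["role"] == "write" and s["args"][model["data_arg"]] in tainted:
                    table = resolve_table(s["args"][model["table_arg"]], consts)
                    writes.setdefault(table, []).append((handler, i))
                if s["dst"] is not None:  # other calls: result tainted if any argument is
                    (tainted.add if any(a in tainted for a in s["args"]) else tainted.discard)(s["dst"])
    return writes


def definition(stmts, var, before):
    """Walk back through assignments to the statement that produced `var`."""
    for i in range(before - 1, -1, -1):
        s = stmts[i]
        if s.get("dst") == var:
            return definition(stmts, s["src"], i) if s["op"] == "assign" else s
    return None


def backward(program, writes):
    """Sink -> DB read, then join with the forward result on the table name."""
    findings = []
    for handler, stmts in program.items():
        consts = {s["dst"]: s["value"] for s in stmts if s["op"] == "const"}
        for i, s in enumerate(stmts):
            if s["op"] != "sink":
                continue
            d = definition(stmts, s["src"], i)
            model = DB_MODEL.get(d["func"]) if d and d["op"] == "call" else None
            if not model or model["role"] != "read":
                continue
            table = resolve_table(d["args"][model["table_arg"]], consts)
            # Exact table match = confirmed path; a '*' write (unresolved table) may hit any table.
            for key in dict.fromkeys((table, "*")):
                for w in writes.get(key, []):
                    findings.append({"kind": SINKS[s["func"]], "table": table, "write": w,
                                     "sink": (handler, i), "resolved": key != "*"})
    return findings


def analyze(program=PROGRAM):
    return backward(program, forward(program))
```

Running `analyze()` on the constructed program yields one resolved path (comment body stored by `post.php`, echoed by `view.php`) and three unresolved ones: the write whose table name comes from the request cannot be bound to a table, so it is conservatively matched against every read, including the sanitized `names` flow and the `curl_exec` sink. That over-approximation is exactly the cost of not modelling dynamically constructed queries, the second challenge the abstract names; STaint addresses it with LLM reasoning over the query construction, which this toy does not attempt.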