  • You need Java 1.6 to run Stranger.
  • Stranger has been tested under Linux Ubuntu 8.04.
  • Currently it only supports PHP4.

The best way to run Stranger is with one of the two Python scripts, test-php-script.py and test-php-app.py. By default, the scripts run string analysis to detect XSS, SQLI and MFE vulnerabilities against predefined attack patterns. The two scripts provide the same analysis functionality; they differ only in the way they conduct the analysis.

  • If you want to analyze a single PHP script, run test-php-script.py as follows:

    ./test-php-script.py    [output-directory]    name-of-php-script-file

    The result of the analysis is written to standard output. If there is any vulnerability, all automata related to it are written in dot format to standard output. You can refer to the dependency graphs in the output directory (created in the current directory by default) to understand the vulnerability.

  • If you want to analyze a whole PHP web application, run test-php-app.py as follows:

    ./test-php-app.py    [output-directory]    name-of-php-app-directory

    This script recursively iterates over the application directory and analyzes each PHP script (following the same methodology as test-php-script.py). As with test-php-script.py, the result of the analysis is written to standard output. If a vulnerability is found in one of the files, you can refer to the application output directory for more details. For each PHP script, a directory named after it is created, and all the vulnerability analysis dependency graphs are written to this directory.

Here we quickly walk through a sample run on vuln01.php, the first PHP script in the benchmarks, and briefly explain the output.

Here is the code for this PHP script:

<?php

/* simplified version of the vulnerability:
program: MyEasyMarket-4.1
file: buy.php:138, trans.php:218
*/


$www = $_GET["www"];
$limit = (int)$_GET["limit"];
$l_otherinfo = "URL";

$www = preg_replace("/[^A-Za-z0-9 .-@://]/","",$www);

echo "<td>" . $l_otherinfo . ": " . $www . "</td>";

?>

To run Stranger on vuln01.php, type:

./test-php-script.py        vuln01.php

You will get the following output:

File: ../../benchmarks/vuln01.php

*** resolving literal includes ***



*** performing type analysis ***


inclusion iterations: 1
resolved literal includes: 0
resolved non-literal includes: 0
cyclic includes: 0
not found includes: 0
unresolved non-literal includes: 0



*** performing taint analysis ***


Finished.

Time: 0 seconds

*** detecting vulnerabilities ***


*****************
SQL Taint Analysis BEGIN
*****************


SQL Taint Analysis RESULT:
--------------------------
Number of analyzed sinks: 0
Number of tainted sinks: 0

*****************
SQL Stranger Sanit Analysis BEGIN
*****************

----------------------------
Total Vuln Count: 0
----------------------------

*****************
SQL Stranger Sanit Analysis END
*****************

============================================================================
Performance information
============================================================================
Time elapsed in seconds = 0.0
Forward analysis time in seconds = 0.0
Backward analysis time in seconds = 0.0
String length = 10
Number of concat = 2
Time of concat in seconds = 0.0040
Number of union = 2
Time of union in seconds = 0.0030
Number of replace = 0
Time of replace in seconds = 0.0
Number of preconcat = 0
Time of preconcat in seconds = 0.0
Number of constPreconcat = 0
Time of constPreconcat in seconds = 0.0
Total number of preConcat = 0
Total time of preconcat in seconds = 0.0
Number of prereplace = 0
Time of prereplace in seconds = 0.0

Memory consumption = 2437128 bytes
From MONA: total allocated memory = 1895672

------------- GRAPHS INFO -----------
============================================================================

*****************
XSS Taint Analysis BEGIN
*****************


XSS Taint Analysis RESULT:
--------------------------
Number of analyzed sinks: 1
Number of tainted sinks: 1

*****************
XSS Stranger Sanit Analysis BEGIN
*****************

-----------------------------------------------------------------------------------------------------------------
Starting analysis for SINK: _main._t0_0 (15)\n**/vuln01.php
-----------------------------------------------------------------------------------------------------------------


!!! A vulnerability has been found in SINK: !!!
_main._t0_0 (15) **/vuln01.php


*** XSS Stranger Sanit Backward Analysis BEGIN ***


Backward analysis automaton result for input node ==> _superglobals.$_GET[www] (9)\n**/vuln01.php ID=19 :
----------------------------
----------------------------

*** XSS Stranger Sanit Backward Analysis End ***


----------------------------
Total Vuln Count: 1
----------------------------

*****************
XSS Stranger Sanit Analysis END
*****************

============================================================================
Performance information
============================================================================
Time elapsed in seconds = 0.622
Forward analysis time in seconds = 0.088
Backward analysis time in seconds = 0.531
String length = 9
Number of concat = 4
Time of concat in seconds = 0.0070
Number of union = 3
Time of union in seconds = 0.0050
Number of replace = 0
Time of replace in seconds = 0.0
Number of preconcat = 0
Time of preconcat in seconds = 0.0
Number of constPreconcat = 0
Time of constPreconcat in seconds = 0.0
Total number of preConcat = 0
Total time of preconcat in seconds = 0.0
Number of prereplace = 0
Time of prereplace in seconds = 0.0

Memory consumption = 3103352 bytes
From MONA: total allocated memory = 3854656

------------- GRAPHS INFO -----------
Sink: _main._t0_0 (15)\n**/vuln01.php
Number of nodes = 21, Number of edges = 20
------------------------
============================================================================

*****************
MFE Taint Analysis BEGIN
*****************


MFE Taint Analysis RESULT:
--------------------------
Number of analyzed sinks: 0
Number of tainted sinks: 0

*****************
MFE Stranger Sanit Analysis BEGIN
*****************

----------------------------
Total Vuln Count: 0
----------------------------

*****************
MFE Stranger Sanit Analysis END
*****************

============================================================================
Performance information
============================================================================
Time elapsed in seconds = 0.0
Forward analysis time in seconds = 0.0
Backward analysis time in seconds = 0.0
String length = 48
Number of concat = 6
Time of concat in seconds = 0.011
Number of union = 16
Time of union in seconds = 0.019
Number of replace = 1
Time of replace in seconds = 0.0040
Number of preconcat = 1
Time of preconcat in seconds = 0.348
Number of constPreconcat = 1
Time of constPreconcat in seconds = 0.058
Total number of preConcat = 2
Total time of preconcat in seconds = 0.406
Number of prereplace = 1
Time of prereplace in seconds = 0.0040

Memory consumption = 3103352 bytes
From MONA: total allocated memory = 3854656

------------- GRAPHS INFO -----------
============================================================================
Total Time: 0 seconds


The first part of the output is the result of the preliminary analysis, which tells you that all included files have been found:

not found includes: 0
unresolved non-literal includes: 0

Then there is the result of taint analysis for SQLI. It tells you that there are no tainted SQL sinks.

SQL Taint Analysis RESULT:
--------------------------
Number of analyzed sinks: 0
Number of tainted sinks: 0

Because the taint analysis result was negative, there is no need for string analysis here.

*****************
SQL Stranger Sanit Analysis BEGIN
*****************

----------------------------
Total Vuln Count: 0
----------------------------

*****************
SQL Stranger Sanit Analysis END
*****************

On the other hand, taint analysis for XSS shows that there is one tainted sink.

XSS Taint Analysis RESULT:
--------------------------
Number of analyzed sinks: 1
Number of tainted sinks: 1

This means that we need string analysis for a further, more precise investigation. Here the forward string analysis shows that the tainted sink is actually vulnerable to the specified attack pattern. It also outputs two automata. The first one represents all possible strings that may reach the tainted sink. The second one is the result of intersecting the first one with the attack pattern automaton.

Here is the result of the forward analysis (we omitted the automata here).


-----------------------------------------------------------------------------------------------------------------
Starting analysis for SINK: _main._t0_0 (15)\n**/vuln01.php
-----------------------------------------------------------------------------------------------------------------


!!! A vulnerability has been found in SINK: !!!
_main._t0_0 (15) **/vuln01.php
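
A small added example of the forward-analysis idea described above (not Stranger's code, and not from the original page): it models the strings reaching the echo sink in vuln01.php as `<td>URL: ` + sanitized value + `</td>`, intersects that language with an attack pattern, and returns a witness string when the intersection is non-empty. The attack pattern `<script`, the variant character class `FIXED_CLASS` and all function names are assumptions made for illustration; Python's `re` stands in for PHP's preg_replace, and both read `.-@` inside a character class as a range.

```python
import re
from collections import deque

PREFIX, SUFFIX = "<td>URL: ", "</td>"  # constants concatenated around $www at the sink
ATTACK = "<script"                     # assumed attack pattern (.*<script.*)

# Character class from vuln01.php, and a constructed variant with "-" escaped
# (an assumption about the intent: ".", "-" and "@" as literal characters).
VULN_CLASS = r"[^A-Za-z0-9 .-@://]"
FIXED_CLASS = r"[^A-Za-z0-9 .\-@:/]"


def allowed_chars(char_class):
    """Printable ASCII characters that survive replacing char_class with ''."""
    rx = re.compile(char_class)
    return {chr(c) for c in range(0x20, 0x7F) if rx.sub("", chr(c))}


def sink_step(state, ch, allowed):
    """NFA for PREFIX . allowed* . SUFFIX; returns the set of successor states."""
    n, m = len(PREFIX), len(SUFFIX)
    nxt = set()
    if state < n:
        if ch == PREFIX[state]:
            nxt.add(state + 1)
    else:
        if state == n and ch in allowed:
            nxt.add(n)                 # still inside the sanitized value
        j = state - n
        if j < m and ch == SUFFIX[j]:
            nxt.add(state + 1)         # consuming the constant suffix
    return nxt


def attack_step(k, ch):
    """DFA for 'contains ATTACK'; k is the length of the matched prefix."""
    if k == len(ATTACK):
        return k                       # accepting state is absorbing
    s = ATTACK[:k] + ch
    while s and not ATTACK.startswith(s):
        s = s[1:]                      # fall back to the longest matching suffix
    return len(s)


def forward_check(char_class):
    """Shortest string in (sink language AND attack pattern), or None if empty."""
    allowed = allowed_chars(char_class)
    alphabet = sorted(allowed | set(PREFIX) | set(SUFFIX))
    accept = len(PREFIX) + len(SUFFIX)
    start = (0, 0)
    seen, queue = {start}, deque([(start, "")])
    while queue:                       # breadth-first search of the product automaton
        (s, k), word = queue.popleft()
        if s == accept and k == len(ATTACK):
            return word
        for ch in alphabet:
            for s2 in sink_step(s, ch, allowed):
                node = (s2, attack_step(k, ch))
                if node not in seen:
                    seen.add(node)
                    queue.append((node, word + ch))
    return None


if __name__ == "__main__":
    extra = sorted(allowed_chars(VULN_CLASS) - allowed_chars(FIXED_CLASS))
    print("characters admitted only by the range .-@ :", extra)
    print("witness with vuln01.php class:", forward_check(VULN_CLASS))
    print("witness with escaped '-':    ", forward_check(FIXED_CLASS))
```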

String backward analysis gives us an automaton in a dot format as shown here.

*** XSS Stranger Sanit Backward Analysis BEGIN ***


Backward analysis automaton result for input node ==> _superglobals.$_GET[www] (9)\n**/vuln01.php ID=19 :
----------------------------
digraph MONA_DFA {
rankdir = LR;
center = true;
size = "7.5,10.5";
edge [fontname = Courier];
node [height = .5, width = .5];
node [shape = doublecircle]; 9;
node [shape = circle]; 0; 1; 2; 3; 4; 5; 6; 7; 8;
node [shape = box];
init [shape = plaintext, label = ""];
init -> 0;
0 -> 0 [label="0 0 0 0 0 0 0 1 1 1 1 1 1\n0 0 0 0 0 0 1 0 1 1 1 1 1\n0 1 1 1 1 1 X X 0 1 1 1 1\nX 0 1 1 1 1 X X X 0 1 1 1\nX X 0 1 1 1 X X X X 0 1 1\nX X X 0 1 1 X X X X X 0 1\nX X X X 0 1 X X X X X X 0\nX,X,X,X,1,X,X,X,X,X,X,X,X"];
0 -> 1 [label="0\n0\n1\n1\n1\n1\n0\n0"];
0 -> 2 [label="1\n1\n1\n1\n1\n1\n1\nX"];
1 -> 0 [label="0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0\n0 0 0 0 0 0 1 1 1 1 1 1 1 1 1 1 1 1 1\n1 1 1 1 1 1 0 0 0 0 0 0 1 1 1 1 1 1 1\n0 0 1 1 1 1 0 1 1 1 1 1 0 0 0 0 1 1 1\n0 1 0 1 1 1 X 0 0 0 1 1 0 0 0 1 0 1 1\n0 1 X 0 1 1 X 0 0 1 0 0 0 0 1 X X 0 0\n0 1 X X 0 1 X 0 1 X 0 1 0 1 X X X 0 1\n0,X,X,X,1,X,X,X,0,X,X,0,1,X,X,X,X,X,0"];
1 -> 1 [label="0 0 0 0 0 0 0 0 0 0 0 0 1 1 1 1 1 1\n0 0 0 0 0 0 0 1 1 1 1 1 0 1 1 1 1 1\n0 1 1 1 1 1 1 0 0 1 1 1 X 0 1 1 1 1\nX 0 0 0 0 0 1 1 1 0 1 1 X X 0 1 1 1\nX 0 0 0 1 1 1 1 1 0 1 1 X X X 0 1 1\nX 0 0 1 0 1 1 0 1 0 0 1 X X X X 0 1\nX 0 1 X X 0 0 1 X 0 1 X X X X X X 0\nX,1,X,X,X,X,0,1,X,0,1,X,X,X,X,X,X,X"];
1 -> 2 [label="1\n1\n1\n1\n1\n1\n1\nX"];
1 -> 3 [label="0\n1\n0\n1\n0\n0\n1\n1"];
2 -> 2 [label="X\nX\nX\nX\nX\nX\nX\nX"];
3 -> 0 [label="0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0\n0 0 0 0 0 0 1 1 1 1 1 1 1 1 1 1 1 1 1 1\n1 1 1 1 1 1 0 0 0 0 0 0 0 1 1 1 1 1 1 1\n0 0 1 1 1 1 0 0 0 0 1 1 1 0 0 0 0 1 1 1\n0 1 0 1 1 1 0 0 0 1 0 1 1 0 0 0 1 0 1 1\n0 1 X 0 1 1 0 0 1 X X 0 0 0 0 1 X X 0 0\n0 1 X X 0 1 0 1 X X X 0 1 0 1 X X X 0 1\n0,X,X,X,1,X,X,0,X,X,X,X,0,1,X,X,X,X,X,0"];
3 -> 1 [label="0\n0\n1\n1\n1\n1\n0\n0"];
3 -> 2 [label="1\n1\n1\n1\n1\n1\n1\nX"];
3 -> 3 [label="0 0 0 0 0 0 0 0 0 0 0 1 1 1 1 1 1\n0 0 0 0 0 0 1 1 1 1 1 0 1 1 1 1 1\n0 1 1 1 1 1 0 0 1 1 1 X 0 1 1 1 1\nX 0 0 0 0 0 1 1 0 1 1 X X 0 1 1 1\nX 0 0 0 1 1 1 1 0 1 1 X X X 0 1 1\nX 0 0 1 0 1 0 1 0 0 1 X X X X 0 1\nX 0 1 X X 0 1 X 0 1 X X X X X X 0\nX,1,X,X,X,X,1,X,0,1,X,X,X,X,X,X,X"];
3 -> 4 [label="0\n1\n0\n0\n0\n0\n1\n1"];
4 -> 0 [label="0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0\n0 0 0 0 0 0 1 1 1 1 1 1 1 1 1 1 1 1 1\n1 1 1 1 1 1 0 0 0 0 0 0 1 1 1 1 1 1 1\n0 0 1 1 1 1 0 1 1 1 1 1 0 0 0 0 1 1 1\n0 1 0 1 1 1 X 0 0 0 1 1 0 0 0 1 0 1 1\n0 1 X 0 1 1 X 0 0 1 0 0 0 0 1 X X 0 0\n0 1 X X 0 1 X 0 1 X 0 1 0 1 X X X 0 1\n0,X,X,X,1,X,X,X,1,X,X,0,1,X,X,X,X,X,0"];
4 -> 1 [label="0\n0\n1\n1\n1\n1\n0\n0"];
4 -> 2 [label="1\n1\n1\n1\n1\n1\n1\nX"];
4 -> 4 [label="0 0 0 0 0 0 0 0 0 0 0 1 1 1 1 1 1\n0 0 0 0 0 0 1 1 1 1 1 0 1 1 1 1 1\n0 1 1 1 1 1 0 0 1 1 1 X 0 1 1 1 1\nX 0 0 0 0 0 1 1 0 1 1 X X 0 1 1 1\nX 0 0 0 1 1 1 1 0 1 1 X X X 0 1 1\nX 0 0 1 0 1 0 1 0 0 1 X X X X 0 1\nX 0 1 X X 0 1 X 0 1 X X X X X X 0\nX,1,X,X,X,X,1,X,0,1,X,X,X,X,X,X,X"];
4 -> 5 [label="0\n1\n0\n1\n0\n0\n1\n0"];
5 -> 0 [label="0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0\n0 0 0 0 0 0 1 1 1 1 1 1 1 1 1 1 1 1 1 1\n1 1 1 1 1 1 0 0 0 0 0 0 0 1 1 1 1 1 1 1\n0 0 1 1 1 1 0 0 0 0 1 1 1 0 0 0 0 1 1 1\n0 1 0 1 1 1 0 1 1 1 0 1 1 0 0 0 1 0 1 1\n0 1 X 0 1 1 X 0 0 1 X 0 0 0 0 1 X X 0 0\n0 1 X X 0 1 X 0 1 X X 0 1 0 1 X X X 0 1\n0,X,X,X,1,X,X,0,X,X,X,X,0,1,X,X,X,X,X,0"];
5 -> 1 [label="0\n0\n1\n1\n1\n1\n0\n0"];
5 -> 2 [label="1\n1\n1\n1\n1\n1\n1\nX"];
5 -> 5 [label="0 0 0 0 0 0 0 0 0 0 0 1 1 1 1 1 1\n0 0 0 0 0 0 1 1 1 1 1 0 1 1 1 1 1\n0 1 1 1 1 1 0 0 1 1 1 X 0 1 1 1 1\nX 0 0 0 0 0 1 1 0 1 1 X X 0 1 1 1\nX 0 0 0 1 1 1 1 0 1 1 X X X 0 1 1\nX 0 0 1 0 1 0 1 0 0 1 X X X X 0 1\nX 0 1 X X 0 1 X 0 1 X X X X X X 0\nX,1,X,X,X,X,1,X,0,1,X,X,X,X,X,X,X"];
5 -> 6 [label="0\n1\n0\n0\n1\n0\n0\n1"];
6 -> 0 [label="0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0\n0 0 0 0 0 0 1 1 1 1 1 1 1 1 1 1 1 1 1\n1 1 1 1 1 1 0 0 0 0 0 0 1 1 1 1 1 1 1\n0 0 1 1 1 1 0 1 1 1 1 1 0 0 0 0 1 1 1\n0 1 0 1 1 1 X 0 0 0 1 1 0 0 0 1 0 1 1\n0 1 X 0 1 1 X 0 0 1 0 0 0 0 1 X X 0 0\n0 1 X X 0 1 X 0 1 X 0 1 0 1 X X X 0 1\n0,X,X,X,1,X,X,1,X,X,X,0,1,X,X,X,X,X,0"];
6 -> 1 [label="0\n0\n1\n1\n1\n1\n0\n0"];
6 -> 2 [label="1\n1\n1\n1\n1\n1\n1\nX"];
6 -> 6 [label="0 0 0 0 0 0 0 0 0 0 0 1 1 1 1 1 1\n0 0 0 0 0 0 1 1 1 1 1 0 1 1 1 1 1\n0 1 1 1 1 1 0 0 1 1 1 X 0 1 1 1 1\nX 0 0 0 0 0 1 1 0 1 1 X X 0 1 1 1\nX 0 0 0 1 1 1 1 0 1 1 X X X 0 1 1\nX 0 0 1 0 1 0 1 0 0 1 X X X X 0 1\nX 0 1 X X 0 1 X 0 1 X X X X X X 0\nX,1,X,X,X,X,1,X,0,1,X,X,X,X,X,X,X"];
6 -> 7 [label="0\n1\n0\n1\n0\n0\n0\n0"];
7 -> 0 [label="0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0\n0 0 0 0 0 0 1 1 1 1 1 1 1 1 1 1 1 1 1\n1 1 1 1 1 1 0 0 0 0 0 0 1 1 1 1 1 1 1\n0 0 1 1 1 1 0 1 1 1 1 1 0 0 0 0 1 1 1\n0 1 0 1 1 1 X 0 0 0 1 1 0 0 0 1 0 1 1\n0 1 X 0 1 1 X 0 1 1 0 0 0 0 1 X X 0 0\n0 1 X X 0 1 X X 0 1 0 1 0 1 X X X 0 1\n0,X,X,X,1,X,X,X,1,X,X,0,1,X,X,X,X,X,0"];
7 -> 1 [label="0\n0\n1\n1\n1\n1\n0\n0"];
7 -> 2 [label="1\n1\n1\n1\n1\n1\n1\nX"];
7 -> 7 [label="0 0 0 0 0 0 0 0 0 0 0 1 1 1 1 1 1\n0 0 0 0 0 0 1 1 1 1 1 0 1 1 1 1 1\n0 1 1 1 1 1 0 0 1 1 1 X 0 1 1 1 1\nX 0 0 0 0 0 1 1 0 1 1 X X 0 1 1 1\nX 0 0 0 1 1 1 1 0 1 1 X X X 0 1 1\nX 0 0 1 0 1 0 1 0 0 1 X X X X 0 1\nX 0 1 X X 0 1 X 0 1 X X X X X X 0\nX,1,X,X,X,X,1,X,0,1,X,X,X,X,X,X,X"];
7 -> 8 [label="0\n1\n0\n1\n0\n1\n0\n0"];
8 -> 0 [label="0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0\n0 0 0 0 0 1 1 1 1 1 1 1 1 1 1 1\n1 1 1 1 1 0 0 0 0 1 1 1 1 1 1 1\n0 1 1 1 1 0 1 1 1 0 0 0 0 1 1 1\n1 0 1 1 1 X 0 1 1 0 0 0 1 0 1 1\n1 X 0 1 1 X X 0 0 0 0 1 X X 0 0\n1 X X 0 1 X X 0 1 0 1 X X X 0 1\nX,X,X,1,X,X,X,X,0,1,X,X,X,X,X,0"];
8 -> 1 [label="0\n0\n1\n1\n1\n1\n0\n0"];
8 -> 2 [label="1\n1\n1\n1\n1\n1\n1\nX"];
8 -> 8 [label="0 0 0 0 0 0 0 0 0 0 0 1 1 1 1 1 1\n0 0 0 0 0 0 1 1 1 1 1 0 1 1 1 1 1\n0 1 1 1 1 1 0 0 1 1 1 X 0 1 1 1 1\nX 0 0 0 0 0 1 1 0 1 1 X X 0 1 1 1\nX 0 0 0 1 1 1 1 0 1 1 X X X 0 1 1\nX 0 0 1 0 1 0 1 0 0 1 X X X X 0 1\nX 0 1 X X 0 1 X 0 1 X X X X X X 0\nX,1,X,X,X,X,1,X,0,1,X,X,X,X,X,X,X"];
8 -> 9 [label="0\n0\n1\n0\n0\n0\n0\n0"];
9 -> 2 [label="1\n1\n1\n1\n1\n1\n1\nX"];
9 -> 9 [label="0 1 1 1 1 1 1\nX 0 1 1 1 1 1\nX X 0 1 1 1 1\nX X X 0 1 1 1\nX X X X 0 1 1\nX X X X X 0 1\nX X X X X X 0\nX,X,X,X,X,X,X"];
}
----------------------------

*** XSS Stranger Sanit Backward Analysis End ***

This automaton represents a characterization of all possible attack strings that may exploit the discovered vulnerability.

A dependency graph is output (to the output directory) which shows you how string values flow from various input program points (such as $_GET here) to the tainted sink. This should help you to identify the cause of the vulnerability.

In this section we will give an overview of stranger and its architecture. Then we will give a detailed explanation of how to analyze a PHP script using stranger and how to understand the output. The PHP script is called vuln01.php, which is one of a number of benchmarks that have been used to test Stranger.

Stranger is a string analysis tool for PHP web applications. You can use it to detect XSS, SQLI and MFE vulnerabilities (OWASP Top 10). It takes a PHP program as input and automatically analyzes it and outputs the possible XSS, SQLI and MFE vulnerabilities in the program. In addition to that, for each input that leads to a vulnerability, it outputs an automaton in a dot format that characterizes all possible string values for this input which may exploit the vulnerability, i.e., it outputs the vulnerability signature.

Stranger performs two types of static code analyses to detect vulnerabilities:

  • Taint analysis

    Taint analysis is a static code analysis performed to detect tainted sinks. A tainted sink is a program point that represents an instance of a sensitive PHP function argument which unsanitized malicious user input can reach through some execution path, and where that flow may compromise the security of the web application by exploiting a certain type of web vulnerability such as XSS or SQLI. For example, if user input from the $_POST superglobal reaches an echo statement in a PHP script, then echo may represent a tainted sink.

  • String analysis

    String analysis performs further investigation to decide, for every sensitive sink that taint analysis found to be tainted, whether it is vulnerable or not. It does so by computing all possible string values that may reach the sink and checking (against a specific attack pattern) whether any of these string values represents a possible attack string. Stranger uses a symbolic automaton (an automaton that is stored in a BDD) to represent all possible string values for a string variable at a specific program point.

The following figure shows the architecture of stranger and its different components.


Here we will analyze the first benchmark vuln01.php which is a simple PHP script taken from MyEasyMarket-4.1 (a shopping cart program) and contains an XSS vulnerability.

Here is the code for this PHP script:

<?php

/* simplified version of the vulnerability:
program: MyEasyMarket-4.1
file: buy.php:138, trans.php:218
*/


$www = $_GET["www"];
$limit = (int)$_GET["limit"];
$l_otherinfo = "URL";

$www = preg_replace("/[^A-Za-z0-9 .-@://]/","",$www);

echo "<td>" . $l_otherinfo . ": " . $www . "</td>";

?>

In this run we will try all three vulnerability analyses provided by stranger and stick with the default attack patterns provided for each one. (You can refer to fine tuning stranger for more information on how to change default analysis behaviour such as specifying different attack patterns). The first benchmark consists of two files: vuln01.php, which is the vulnerable PHP script, and vuln01-sanit.php, which is the sanitized secure version. To analyze vuln01.php, type:

./test-php-script.py    vuln01.php

This will analyze vuln01.php looking (by default) for XSS, SQLI and MFE vulnerabilities. It will use the following default attack patterns:
  • For XSS: /.*<SCRIPT .*>.*/
  • For SQLI: /.*' or 1=1 '.*/
  • For MFE: /.*/evil.*/
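
Added example (not part of Stranger or its documentation): a small explicit-state Python sketch of the check that string analysis performs on vuln01.php, intersecting the strings that can reach the echo sink with the default XSS attack pattern listed above. The explicit DFA stands in for Stranger's symbolic automata, and FIXED_CLASS is a hypothetical correction of the character class, not the project's vuln01-sanit.php.

```python
import re
from collections import deque

# Character class copied from vuln01.php. Inside [...] the sequence ".-@" is a
# range (0x2E-0x40), so the sanitizer keeps ; < = > ? in addition to . and @.
VULN_CLASS = r"[^A-Za-z0-9 .-@://]"
# Hypothetical correction (assumption, not the project's vuln01-sanit.php):
# escape the hyphen so that it is a literal character instead of a range.
FIXED_CLASS = r"[^A-Za-z0-9 .\-@:/]"

PREFIX, SUFFIX = "<td>URL: ", "</td>"  # constant parts of the echo statement
NEEDLE = "<SCRIPT "                    # literal part of /.*<SCRIPT .*>.*/


def surviving_chars(char_class):
    """Printable ASCII characters that the sanitizer leaves in the input."""
    chars = (chr(i) for i in range(32, 127))
    return {c for c in chars if re.sub(char_class, "", c) == c}


def attack_step(state, ch):
    """One step of a DFA for .*<SCRIPT .*>.* (states 0..len(NEEDLE)+1)."""
    n = len(NEEDLE)
    if state == n + 1:                 # accepting state is absorbing
        return state
    if state == n:                     # "<SCRIPT " seen, waiting for ">"
        return n + 1 if ch == ">" else n
    seen = NEEDLE[:state] + ch         # KMP-style fallback on a mismatch
    for k in range(len(seen), 0, -1):
        if seen.endswith(NEEDLE[:k]):
            return k
    return 0


def find_attack_input(char_class):
    """Shortest value of $www whose echoed string matches the attack pattern.

    Breadth-first search over the product of the sink automaton
    (PREFIX . allowed* . SUFFIX) and the attack DFA. Returns None when the
    intersection is empty, i.e. the sink is safe for this pattern.
    """
    allowed = sorted(surviving_chars(char_class))
    p, end = len(PREFIX), len(PREFIX) + len(SUFFIX)
    accept = len(NEEDLE) + 1
    queue = deque([(0, 0, "")])        # (sink state, attack state, input so far)
    seen = {(0, 0)}
    while queue:
        s, a, w = queue.popleft()
        if s == end and a == accept:
            return w
        if s < p:                      # still emitting the constant prefix
            moves = [(s + 1, PREFIX[s], w)]
        elif s == p:                   # inside the sanitized user input
            moves = [(p, c, w + c) for c in allowed]
            moves.append((p + 1, SUFFIX[0], w))
        elif s < end:                  # emitting the constant suffix
            moves = [(s + 1, SUFFIX[s - p], w)]
        else:
            moves = []
        for s2, ch, w2 in moves:
            key = (s2, attack_step(a, ch))
            if key not in seen:
                seen.add(key)
                queue.append((*key, w2))
    return None


if __name__ == "__main__":
    extra = surviving_chars(VULN_CLASS) - surviving_chars(FIXED_CLASS)
    print("kept only by the vulnerable class:", "".join(sorted(extra)))
    print("witness (vulnerable):", repr(find_attack_input(VULN_CLASS)))
    print("witness (corrected): ", repr(find_attack_input(FIXED_CLASS)))
```

The witness is the input-side counterpart of what the backward analysis automaton characterizes: a value for $_GET["www"] that survives sanitization and makes the sink match the attack pattern.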
When you run vuln01.php you should get the following output:

File: ../../benchmarks/vuln01.php

*** resolving literal includes ***



*** performing type analysis ***


inclusion iterations: 1
resolved literal includes: 0
resolved non-literal includes: 0
cyclic includes: 0
not found includes: 0
unresolved non-literal includes: 0



*** performing taint analysis ***


Finished.

Time: 0 seconds

*** detecting vulnerabilities ***


*****************
SQL Taint Analysis BEGIN
*****************


SQL Taint Analysis RESULT:
--------------------------
Number of analyzed sinks: 0
Number of tainted sinks: 0

*****************
SQL Stranger Sanit Analysis BEGIN
*****************

----------------------------
Total Vuln Count: 0
----------------------------

*****************
SQL Stranger Sanit Analysis END
*****************

============================================================================
Performance information
============================================================================
Time elapsed in seconds = 0.0
Forward analysis time in seconds = 0.0
Backward analysis time in seconds = 0.0
String length = 10
Number of concat = 2
Time of concat in seconds = 0.0040
Number of union = 2
Time of union in seconds = 0.0030
Number of replace = 0
Time of replace in seconds = 0.0
Number of preconcat = 0
Time of preconcat in seconds = 0.0
Number of constPreconcat = 0
Time of constPreconcat in seconds = 0.0
Total number of preConcat = 0
Total time of preconcat in seconds = 0.0
Number of prereplace = 0
Time of prereplace in seconds = 0.0

Memory consumption = 2437128 bytes
From MONA: total allocated memory = 1895672

------------- GRAPHS INFO -----------
============================================================================

*****************
XSS Taint Analysis BEGIN
*****************


XSS Taint Analysis RESULT:
--------------------------
Number of analyzed sinks: 1
Number of tainted sinks: 1

*****************
XSS Stranger Sanit Analysis BEGIN
*****************

-----------------------------------------------------------------------------------------------------------------
Starting analysis for SINK: _main._t0_0 (15)\n**/vuln01.php
-----------------------------------------------------------------------------------------------------------------


!!! A vulnerability has been found in SINK: !!!
_main._t0_0 (15) **/vuln01.php

digraph MONA_DFA {
rankdir = LR;
center = true;
size = "7.5,10.5";
edge [fontname = Courier];
node [height = .5, width = .5];
node [shape = doublecircle]; 15;
node [shape = circle]; 0; 1; 2; 3; 4; 5; 6; 7; 8; 9; 10; 11; 12; 13; 14;
node [shape = box];
init [shape = plaintext, label = ""];
init -> 0;
0 -> 1 [label="0 0 0 0 0 0 0 1\n0 0 0 0 0 0 1 X\n0 1 1 1 1 1 X X\nX 0 1 1 1 1 X X\nX X 0 1 1 1 X X\nX X X 0 1 1 X X\nX X X X 0 1 X X\nX,X,X,X,1,X,X,X"];
0 -> 2 [label="0\n0\n1\n1\n1\n1\n0\n0"];
1 -> 1 [label="X\nX\nX\nX\nX\nX\nX\nX"];
2 -> 1 [label="0 0 0 0 0 0 0 1\n0 1 1 1 1 1 1 X\nX 0 1 1 1 1 1 X\nX X 0 1 1 1 1 X\nX X X 0 0 0 1 X\nX X X 0 1 1 X X\nX X X X 0 1 X X\nX,X,X,X,1,X,X,X"];
2 -> 3 [label="0\n1\n1\n1\n0\n1\n0\n0"];
3 -> 1 [label="0 0 0 0 0 0 0 1\n0 1 1 1 1 1 1 X\nX 0 1 1 1 1 1 X\nX X 0 0 0 0 1 X\nX X 0 0 0 1 X X\nX X 0 1 1 X X X\nX X X 0 1 X X X\nX,X,X,1,X,X,X,X"];
3 -> 4 [label="0\n1\n1\n0\n0\n1\n0\n0"];
4 -> 1 [label="0 0 0 0 0 0 0 1\n0 0 0 0 0 0 1 X\n0 1 1 1 1 1 X X\nX 0 1 1 1 1 X X\nX X 0 1 1 1 X X\nX X X 0 1 1 X X\nX X X X 0 1 X X\nX,X,X,X,X,1,X,X"];
4 -> 5 [label="0\n0\n1\n1\n1\n1\n1\n0"];
5 -> 1 [label="0 0 0 0 0 0 0 1\n0 1 1 1 1 1 1 X\nX 0 0 0 0 0 1 X\nX 0 1 1 1 1 X X\nX X 0 0 0 1 X X\nX X 0 1 1 X X X\nX X X 0 1 X X X\nX,X,X,0,X,X,X,X"];
5 -> 6 [label="0\n1\n0\n1\n0\n1\n0\n1"];
6 -> 1 [label="0 0 0 0 0 0 0 1\n0 1 1 1 1 1 1 X\nX 0 0 0 0 0 1 X\nX 0 1 1 1 1 X X\nX X 0 0 0 1 X X\nX X 0 0 1 X X X\nX X 0 1 X X X X\nX,X,X,1,X,X,X,X"];
6 -> 7 [label="0\n1\n0\n1\n0\n0\n1\n0"];
7 -> 1 [label="0 0 0 0 0 0 0 1\n0 1 1 1 1 1 1 X\nX 0 0 0 0 0 1 X\nX 0 0 0 0 1 X X\nX 0 1 1 1 X X X\nX X 0 1 1 X X X\nX X X 0 1 X X X\nX,X,X,1,X,X,X,X"];
7 -> 8 [label="0\n1\n0\n0\n1\n1\n0\n0"];
8 -> 1 [label="0 0 0 0 0 0 0 1\n0 0 0 0 0 0 1 X\n0 1 1 1 1 1 X X\nX 0 1 1 1 1 X X\nX X 0 1 1 1 X X\nX X X 0 0 1 X X\nX X X 0 1 X X X\nX,X,X,X,1,X,X,X"];
8 -> 9 [label="0\n0\n1\n1\n1\n0\n1\n0"];
9 -> 1 [label="0 0 0 0 0 0 0 1\n0 0 0 0 0 0 1 X\n0 1 1 1 1 1 X X\nX 0 0 0 0 1 X X\nX 0 0 0 1 X X X\nX 0 0 1 X X X X\nX 0 1 X X X X X\nX,1,X,X,X,X,X,X"];
9 -> 10 [label="0\n0\n1\n0\n0\n0\n0\n0"];
10 -> 1 [label="0 0 0 0 0 0 0 0 0 0 0 1\n0 0 0 0 0 0 1 1 1 1 1 X\n0 1 1 1 1 1 0 0 1 1 1 X\nX 0 0 0 0 0 1 1 0 1 1 X\nX 0 0 0 1 1 1 1 0 1 1 X\nX 0 0 1 0 1 0 1 0 0 1 X\nX 0 1 X X 0 1 X 0 1 X X\nX,1,X,X,X,X,1,X,0,1,X,X"];
10 -> 10 [label="0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0\n0 0 0 0 0 0 1 1 1 1 1 1 1 1 1 1 1\n1 1 1 1 1 1 0 0 0 0 1 1 1 1 1 1 1\n0 0 1 1 1 1 0 1 1 1 0 0 0 0 1 1 1\n0 1 0 1 1 1 X 0 1 1 0 0 0 1 0 1 1\n0 1 X 0 1 1 X X 0 0 0 0 1 X X 0 0\n0 1 X X 0 1 X X 0 1 0 1 X X X 0 1\n0,X,X,X,1,X,X,X,X,0,1,X,X,X,X,X,0"];
10 -> 11 [label="0\n0\n1\n1\n1\n1\n0\n0"];
11 -> 1 [label="0 0 0 0 0 0 0 0 0 0 0 1\n0 0 0 0 0 0 1 1 1 1 1 X\n0 1 1 1 1 1 0 0 1 1 1 X\nX 0 0 0 0 0 1 1 0 1 1 X\nX 0 0 0 1 1 1 1 0 1 1 X\nX 0 0 1 0 1 0 1 0 0 1 X\nX 0 1 X X 0 1 X 0 1 X X\nX,1,X,X,X,X,1,X,0,1,X,X"];
11 -> 10 [label="0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0\n0 0 0 0 0 0 1 1 1 1 1 1 1 1 1 1 1\n1 1 1 1 1 1 0 0 0 0 1 1 1 1 1 1 1\n0 0 1 1 1 1 0 1 1 1 0 0 0 0 1 1 1\n0 1 0 1 1 1 X 0 1 1 0 0 0 1 0 1 1\n0 1 X 0 1 1 X X 0 0 0 0 1 X X 0 0\n0 1 X X 0 1 X X 0 1 0 1 X X X 0 1\n0,0,X,X,1,X,X,X,X,0,1,X,X,X,X,X,0"];
11 -> 11 [label="0\n0\n1\n1\n1\n1\n0\n0"];
11 -> 12 [label="0\n0\n1\n0\n1\n1\n1\n1"];
12 -> 1 [label="0 0 0 0 0 0 0 0 0 0 0 1\n0 0 0 0 0 0 1 1 1 1 1 X\n0 1 1 1 1 1 0 0 1 1 1 X\nX 0 0 0 0 0 1 1 0 1 1 X\nX 0 0 0 1 1 1 1 0 1 1 X\nX 0 0 1 0 1 0 1 0 0 1 X\nX 0 1 X X 0 1 X 0 1 X X\nX,1,X,X,X,X,1,X,0,1,X,X"];
12 -> 10 [label="0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0\n0 0 0 0 0 0 1 1 1 1 1 1 1 1 1 1 1 1 1\n1 1 1 1 1 1 0 0 0 0 1 1 1 1 1 1 1 1 1\n0 0 1 1 1 1 0 1 1 1 0 0 0 0 1 1 1 1 1\n0 1 0 1 1 1 X 0 1 1 0 0 0 1 0 0 0 1 1\n0 1 X 0 1 1 X X 0 0 0 0 1 X 0 1 1 0 0\n0 1 X X 0 1 X X 0 1 0 1 X X X 0 1 0 1\n0,X,X,X,1,X,X,X,X,0,1,X,X,X,X,1,X,X,0"];
12 -> 11 [label="0\n0\n1\n1\n1\n1\n0\n0"];
12 -> 13 [label="0\n1\n1\n1\n0\n1\n0\n0"];
13 -> 1 [label="0 0 0 0 0 0 0 0 0 0 0 1\n0 0 0 0 0 0 1 1 1 1 1 X\n0 1 1 1 1 1 0 0 1 1 1 X\nX 0 0 0 0 0 1 1 0 1 1 X\nX 0 0 0 1 1 1 1 0 1 1 X\nX 0 0 1 0 1 0 1 0 0 1 X\nX 0 1 X X 0 1 X 0 1 X X\nX,1,X,X,X,X,1,X,0,1,X,X"];
13 -> 10 [label="0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0\n0 0 0 0 0 0 1 1 1 1 1 1 1 1 1 1 1 1\n1 1 1 1 1 1 0 0 0 0 1 1 1 1 1 1 1 1\n0 0 1 1 1 1 0 1 1 1 0 0 0 0 0 1 1 1\n0 1 0 1 1 1 X 0 1 1 0 0 0 0 1 0 1 1\n0 1 X 0 1 1 X X 0 0 0 0 1 1 X X 0 0\n0 1 X X 0 1 X X 0 1 0 1 0 1 X X 0 1\n0,X,X,X,1,X,X,X,X,0,1,X,1,X,X,X,X,0"];
13 -> 11 [label="0\n0\n1\n1\n1\n1\n0\n0"];
13 -> 14 [label="0\n1\n1\n0\n0\n1\n0\n0"];
14 -> 1 [label="0 0 0 0 0 0 0 0 0 0 0 1\n0 0 0 0 0 0 1 1 1 1 1 X\n0 1 1 1 1 1 0 0 1 1 1 X\nX 0 0 0 0 0 1 1 0 1 1 X\nX 0 0 0 1 1 1 1 0 1 1 X\nX 0 0 1 0 1 0 1 0 0 1 X\nX 0 1 X X 0 1 X 0 1 X X\nX,1,X,X,X,X,1,X,0,1,X,X"];
14 -> 10 [label="0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0\n0 0 0 0 0 0 1 1 1 1 1 1 1 1 1 1 1\n1 1 1 1 1 1 0 0 0 0 1 1 1 1 1 1 1\n0 0 1 1 1 1 0 1 1 1 0 0 0 0 1 1 1\n0 1 0 1 1 1 X 0 1 1 0 0 0 1 0 1 1\n0 1 X 0 1 1 X X 0 0 0 0 1 X X 0 0\n0 1 X X 0 1 X X 0 1 0 1 X X X 0 1\n0,X,X,X,1,1,X,X,X,0,1,X,X,X,X,X,0"];
14 -> 11 [label="0\n0\n1\n1\n1\n1\n0\n0"];
14 -> 15 [label="0\n0\n1\n1\n1\n1\n1\n0"];
15 -> 1 [label="0 0 0 0 0 0 0 0 0 0 0 1\n0 0 0 0 0 0 1 1 1 1 1 X\n0 1 1 1 1 1 0 0 1 1 1 X\nX 0 0 0 0 0 1 1 0 1 1 X\nX 0 0 0 1 1 1 1 0 1 1 X\nX 0 0 1 0 1 0 1 0 0 1 X\nX 0 1 X X 0 1 X 0 1 X X\nX,1,X,X,X,X,1,X,0,1,X,X"];
15 -> 10 [label="0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0\n0 0 0 0 0 0 1 1 1 1 1 1 1 1 1 1 1\n1 1 1 1 1 1 0 0 0 0 1 1 1 1 1 1 1\n0 0 1 1 1 1 0 1 1 1 0 0 0 0 1 1 1\n0 1 0 1 1 1 X 0 1 1 0 0 0 1 0 1 1\n0 1 X 0 1 1 X X 0 0 0 0 1 X X 0 0\n0 1 X X 0 1 X X 0 1 0 1 X X X 0 1\n0,X,X,X,1,X,X,X,X,0,1,X,X,X,X,X,0"];
15 -> 11 [label="0\n0\n1\n1\n1\n1\n0\n0"];
}
digraph MONA_DFA {
rankdir = LR;
center = true;
size = "7.5,10.5";
edge [fontname = Courier];
node [height = .5, width = .5];
node [shape = doublecircle]; 23;
node [shape = circle]; 0; 1; 2; 3; 4; 5; 6; 7; 8; 9; 10; 11; 12; 13; 14; 15; 16; 17; 18; 19; 20; 21; 22;
node [shape = box];
init [shape = plaintext, label = ""];
init -> 0;
0 -> 1 [label="0 0 0 0 0 0 0 1\n0 0 0 0 0 0 1 X\n0 1 1 1 1 1 X X\nX 0 1 1 1 1 X X\nX X 0 1 1 1 X X\nX X X 0 1 1 X X\nX X X X 0 1 X X\nX,X,X,X,1,X,X,X"];
0 -> 2 [label="0\n0\n1\n1\n1\n1\n0\n0"];
1 -> 1 [label="X\nX\nX\nX\nX\nX\nX\nX"];
2 -> 1 [label="0 0 0 0 0 0 0 1\n0 1 1 1 1 1 1 X\nX 0 1 1 1 1 1 X\nX X 0 1 1 1 1 X\nX X X 0 0 0 1 X\nX X X 0 1 1 X X\nX X X X 0 1 X X\nX,X,X,X,1,X,X,X"];
2 -> 3 [label="0\n1\n1\n1\n0\n1\n0\n0"];
3 -> 1 [label="0 0 0 0 0 0 0 1\n0 1 1 1 1 1 1 X\nX 0 1 1 1 1 1 X\nX X 0 0 0 0 1 X\nX X 0 0 0 1 X X\nX X 0 1 1 X X X\nX X X 0 1 X X X\nX,X,X,1,X,X,X,X"];
3 -> 4 [label="0\n1\n1\n0\n0\n1\n0\n0"];
4 -> 1 [label="0 0 0 0 0 0 0 1\n0 0 0 0 0 0 1 X\n0 1 1 1 1 1 X X\nX 0 1 1 1 1 X X\nX X 0 1 1 1 X X\nX X X 0 1 1 X X\nX X X X 0 1 X X\nX,X,X,X,X,1,X,X"];
4 -> 5 [label="0\n0\n1\n1\n1\n1\n1\n0"];
5 -> 1 [label="0 0 0 0 0 0 0 1\n0 1 1 1 1 1 1 X\nX 0 0 0 0 0 1 X\nX 0 1 1 1 1 X X\nX X 0 0 0 1 X X\nX X 0 1 1 X X X\nX X X 0 1 X X X\nX,X,X,0,X,X,X,X"];
5 -> 6 [label="0\n1\n0\n1\n0\n1\n0\n1"];
6 -> 1 [label="0 0 0 0 0 0 0 1\n0 1 1 1 1 1 1 X\nX 0 0 0 0 0 1 X\nX 0 1 1 1 1 X X\nX X 0 0 0 1 X X\nX X 0 0 1 X X X\nX X 0 1 X X X X\nX,X,X,1,X,X,X,X"];
6 -> 7 [label="0\n1\n0\n1\n0\n0\n1\n0"];
7 -> 1 [label="0 0 0 0 0 0 0 1\n0 1 1 1 1 1 1 X\nX 0 0 0 0 0 1 X\nX 0 0 0 0 1 X X\nX 0 1 1 1 X X X\nX X 0 1 1 X X X\nX X X 0 1 X X X\nX,X,X,1,X,X,X,X"];
7 -> 8 [label="0\n1\n0\n0\n1\n1\n0\n0"];
8 -> 1 [label="0 0 0 0 0 0 0 1\n0 0 0 0 0 0 1 X\n0 1 1 1 1 1 X X\nX 0 1 1 1 1 X X\nX X 0 1 1 1 X X\nX X X 0 0 1 X X\nX X X 0 1 X X X\nX,X,X,X,1,X,X,X"];
8 -> 9 [label="0\n0\n1\n1\n1\n0\n1\n0"];
9 -> 1 [label="0 0 0 0 0 0 0 1\n0 0 0 0 0 0 1 X\n0 1 1 1 1 1 X X\nX 0 0 0 0 1 X X\nX 0 0 0 1 X X X\nX 0 0 1 X X X X\nX 0 1 X X X X X\nX,1,X,X,X,X,X,X"];
9 -> 10 [label="0\n0\n1\n0\n0\n0\n0\n0"];
10 -> 1 [label="0 0 0 0 0 0 0 0 0 0 0 1\n0 0 0 0 0 0 1 1 1 1 1 X\n0 1 1 1 1 1 0 0 1 1 1 X\nX 0 0 0 0 0 1 1 0 1 1 X\nX 0 0 0 1 1 1 1 0 1 1 X\nX 0 0 1 0 1 0 1 0 0 1 X\nX 0 1 X X 0 1 X 0 1 X X\nX,1,X,X,X,X,1,X,0,1,X,X"];
10 -> 10 [label="0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0\n0 0 0 0 0 0 1 1 1 1 1 1 1 1 1 1 1\n1 1 1 1 1 1 0 0 0 0 1 1 1 1 1 1 1\n0 0 1 1 1 1 0 1 1 1 0 0 0 0 1 1 1\n0 1 0 1 1 1 X 0 1 1 0 0 0 1 0 1 1\n0 1 X 0 1 1 X X 0 0 0 0 1 X X 0 0\n0 1 X X 0 1 X X 0 1 0 1 X X X 0 1\n0,X,X,X,1,X,X,X,X,0,1,X,X,X,X,X,0"];
10 -> 11 [label="0\n0\n1\n1\n1\n1\n0\n0"];
11 -> 1 [label="0 0 0 0 0 0 0 0 0 0 0 1\n0 0 0 0 0 0 1 1 1 1 1 X\n0 1 1 1 1 1 0 0 1 1 1 X\nX 0 0 0 0 0 1 1 0 1 1 X\nX 0 0 0 1 1 1 1 0 1 1 X\nX 0 0 1 0 1 0 1 0 0 1 X\nX 0 1 X X 0 1 X 0 1 X X\nX,1,X,X,X,X,1,X,0,1,X,X"];
11 -> 10 [label="0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0\n0 0 0 0 0 0 1 1 1 1 1 1 1 1 1 1 1 1 1\n1 1 1 1 1 1 0 0 0 0 0 0 1 1 1 1 1 1 1\n0 0 1 1 1 1 0 1 1 1 1 1 0 0 0 0 1 1 1\n0 1 0 1 1 1 X 0 0 0 1 1 0 0 0 1 0 1 1\n0 1 X 0 1 1 X 0 0 1 0 0 0 0 1 X X 0 0\n0 1 X X 0 1 X 0 1 X 0 1 0 1 X X X 0 1\n0,X,X,X,1,X,X,X,0,X,X,0,1,X,X,X,X,X,0"];
11 -> 11 [label="0\n0\n1\n1\n1\n1\n0\n0"];
11 -> 12 [label="0\n1\n0\n1\n0\n0\n1\n1"];
12 -> 1 [label="0 0 0 0 0 0 0 0 0 0 0 1\n0 0 0 0 0 0 1 1 1 1 1 X\n0 1 1 1 1 1 0 0 1 1 1 X\nX 0 0 0 0 0 1 1 0 1 1 X\nX 0 0 0 1 1 1 1 0 1 1 X\nX 0 0 1 0 1 0 1 0 0 1 X\nX 0 1 X X 0 1 X 0 1 X X\nX,1,X,X,X,X,1,X,0,1,X,X"];
12 -> 10 [label="0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0\n0 0 0 0 0 0 1 1 1 1 1 1 1 1 1 1 1 1 1 1\n1 1 1 1 1 1 0 0 0 0 0 0 0 1 1 1 1 1 1 1\n0 0 1 1 1 1 0 0 0 0 1 1 1 0 0 0 0 1 1 1\n0 1 0 1 1 1 0 0 0 1 0 1 1 0 0 0 1 0 1 1\n0 1 X 0 1 1 0 0 1 X X 0 0 0 0 1 X X 0 0\n0 1 X X 0 1 0 1 X X X 0 1 0 1 X X X 0 1\n0,X,X,X,1,X,X,0,X,X,X,X,0,1,X,X,X,X,X,0"];
12 -> 11 [label="0\n0\n1\n1\n1\n1\n0\n0"];
12 -> 13 [label="0\n1\n0\n0\n0\n0\n1\n1"];
13 -> 1 [label="0 0 0 0 0 0 0 0 0 0 0 1\n0 0 0 0 0 0 1 1 1 1 1 X\n0 1 1 1 1 1 0 0 1 1 1 X\nX 0 0 0 0 0 1 1 0 1 1 X\nX 0 0 0 1 1 1 1 0 1 1 X\nX 0 0 1 0 1 0 1 0 0 1 X\nX 0 1 X X 0 1 X 0 1 X X\nX,1,X,X,X,X,1,X,0,1,X,X"];
13 -> 10 [label="0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0\n0 0 0 0 0 0 1 1 1 1 1 1 1 1 1 1 1 1 1\n1 1 1 1 1 1 0 0 0 0 0 0 1 1 1 1 1 1 1\n0 0 1 1 1 1 0 1 1 1 1 1 0 0 0 0 1 1 1\n0 1 0 1 1 1 X 0 0 0 1 1 0 0 0 1 0 1 1\n0 1 X 0 1 1 X 0 0 1 0 0 0 0 1 X X 0 0\n0 1 X X 0 1 X 0 1 X 0 1 0 1 X X X 0 1\n0,X,X,X,1,X,X,X,1,X,X,0,1,X,X,X,X,X,0"];
13 -> 11 [label="0\n0\n1\n1\n1\n1\n0\n0"];
13 -> 14 [label="0\n1\n0\n1\n0\n0\n1\n0"];
14 -> 1 [label="0 0 0 0 0 0 0 0 0 0 0 1\n0 0 0 0 0 0 1 1 1 1 1 X\n0 1 1 1 1 1 0 0 1 1 1 X\nX 0 0 0 0 0 1 1 0 1 1 X\nX 0 0 0 1 1 1 1 0 1 1 X\nX 0 0 1 0 1 0 1 0 0 1 X\nX 0 1 X X 0 1 X 0 1 X X\nX,1,X,X,X,X,1,X,0,1,X,X"];
14 -> 10 [label="0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0\n0 0 0 0 0 0 1 1 1 1 1 1 1 1 1 1 1 1 1 1\n1 1 1 1 1 1 0 0 0 0 0 0 0 1 1 1 1 1 1 1\n0 0 1 1 1 1 0 0 0 0 1 1 1 0 0 0 0 1 1 1\n0 1 0 1 1 1 0 1 1 1 0 1 1 0 0 0 1 0 1 1\n0 1 X 0 1 1 X 0 0 1 X 0 0 0 0 1 X X 0 0\n0 1 X X 0 1 X 0 1 X X 0 1 0 1 X X X 0 1\n0,X,X,X,1,X,X,0,X,X,X,X,0,1,X,X,X,X,X,0"];
14 -> 11 [label="0\n0\n1\n1\n1\n1\n0\n0"];
14 -> 15 [label="0\n1\n0\n0\n1\n0\n0\n1"];
15 -> 1 [label="0 0 0 0 0 0 0 0 0 0 0 1\n0 0 0 0 0 0 1 1 1 1 1 X\n0 1 1 1 1 1 0 0 1 1 1 X\nX 0 0 0 0 0 1 1 0 1 1 X\nX 0 0 0 1 1 1 1 0 1 1 X\nX 0 0 1 0 1 0 1 0 0 1 X\nX 0 1 X X 0 1 X 0 1 X X\nX,1,X,X,X,X,1,X,0,1,X,X"];
15 -> 10 [label="0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0\n0 0 0 0 0 0 1 1 1 1 1 1 1 1 1 1 1 1 1\n1 1 1 1 1 1 0 0 0 0 0 0 1 1 1 1 1 1 1\n0 0 1 1 1 1 0 1 1 1 1 1 0 0 0 0 1 1 1\n0 1 0 1 1 1 X 0 0 0 1 1 0 0 0 1 0 1 1\n0 1 X 0 1 1 X 0 0 1 0 0 0 0 1 X X 0 0\n0 1 X X 0 1 X 0 1 X 0 1 0 1 X X X 0 1\n0,X,X,X,1,X,X,1,X,X,X,0,1,X,X,X,X,X,0"];
15 -> 11 [label="0\n0\n1\n1\n1\n1\n0\n0"];
15 -> 16 [label="0\n1\n0\n1\n0\n0\n0\n0"];
16 -> 1 [label="0 0 0 0 0 0 0 0 0 0 0 1\n0 0 0 0 0 0 1 1 1 1 1 X\n0 1 1 1 1 1 0 0 1 1 1 X\nX 0 0 0 0 0 1 1 0 1 1 X\nX 0 0 0 1 1 1 1 0 1 1 X\nX 0 0 1 0 1 0 1 0 0 1 X\nX 0 1 X X 0 1 X 0 1 X X\nX,1,X,X,X,X,1,X,0,1,X,X"];
16 -> 10 [label="0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0\n0 0 0 0 0 0 1 1 1 1 1 1 1 1 1 1 1 1 1\n1 1 1 1 1 1 0 0 0 0 0 0 1 1 1 1 1 1 1\n0 0 1 1 1 1 0 1 1 1 1 1 0 0 0 0 1 1 1\n0 1 0 1 1 1 X 0 0 0 1 1 0 0 0 1 0 1 1\n0 1 X 0 1 1 X 0 1 1 0 0 0 0 1 X X 0 0\n0 1 X X 0 1 X X 0 1 0 1 0 1 X X X 0 1\n0,X,X,X,1,X,X,X,1,X,X,0,1,X,X,X,X,X,0"];
16 -> 11 [label="0\n0\n1\n1\n1\n1\n0\n0"];
16 -> 17 [label="0\n1\n0\n1\n0\n1\n0\n0"];
17 -> 1 [label="0 0 0 0 0 0 0 0 0 0 0 1\n0 0 0 0 0 0 1 1 1 1 1 X\n0 1 1 1 1 1 0 0 1 1 1 X\nX 0 0 0 0 0 1 1 0 1 1 X\nX 0 0 0 1 1 1 1 0 1 1 X\nX 0 0 1 0 1 0 1 0 0 1 X\nX 0 1 X X 0 1 X 0 1 X X\nX,1,X,X,X,X,1,X,0,1,X,X"];
17 -> 10 [label="0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0\n0 0 0 0 0 1 1 1 1 1 1 1 1 1 1 1\n1 1 1 1 1 0 0 0 0 1 1 1 1 1 1 1\n0 1 1 1 1 0 1 1 1 0 0 0 0 1 1 1\n1 0 1 1 1 X 0 1 1 0 0 0 1 0 1 1\n1 X 0 1 1 X X 0 0 0 0 1 X X 0 0\n1 X X 0 1 X X 0 1 0 1 X X X 0 1\nX,X,X,1,X,X,X,X,0,1,X,X,X,X,X,0"];
17 -> 11 [label="0\n0\n1\n1\n1\n1\n0\n0"];
17 -> 18 [label="0\n0\n1\n0\n0\n0\n0\n0"];
18 -> 1 [label="0 0 0 0 0 0 0 0 0 0 0 1\n0 0 0 0 0 0 1 1 1 1 1 X\n0 1 1 1 1 1 0 0 1 1 1 X\nX 0 0 0 0 0 1 1 0 1 1 X\nX 0 0 0 1 1 1 1 0 1 1 X\nX 0 0 1 0 1 0 1 0 0 1 X\nX 0 1 X X 0 1 X 0 1 X X\nX,1,X,X,X,X,1,X,0,1,X,X"];
18 -> 18 [label="0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0\n0 0 0 0 0 0 1 1 1 1 1 1 1 1 1 1 1\n1 1 1 1 1 1 0 0 0 0 1 1 1 1 1 1 1\n0 0 1 1 1 1 0 1 1 1 0 0 0 0 1 1 1\n0 1 0 1 1 1 X 0 1 1 0 0 0 1 0 1 1\n0 1 X 0 1 1 X X 0 0 0 0 1 X X 0 0\n0 1 X X 0 1 X X 0 1 0 1 X X X 0 1\n0,X,X,X,1,X,X,X,X,0,1,X,X,X,X,X,0"];
18 -> 19 [label="0\n0\n1\n1\n1\n1\n0\n0"];
19 -> 1 [label="0 0 0 0 0 0 0 0 0 0 0 1\n0 0 0 0 0 0 1 1 1 1 1 X\n0 1 1 1 1 1 0 0 1 1 1 X\nX 0 0 0 0 0 1 1 0 1 1 X\nX 0 0 0 1 1 1 1 0 1 1 X\nX 0 0 1 0 1 0 1 0 0 1 X\nX 0 1 X X 0 1 X 0 1 X X\nX,1,X,X,X,X,1,X,0,1,X,X"];
19 -> 18 [label="0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0\n0 0 0 0 0 0 1 1 1 1 1 1 1 1 1 1 1\n1 1 1 1 1 1 0 0 0 0 1 1 1 1 1 1 1\n0 0 1 1 1 1 0 1 1 1 0 0 0 0 1 1 1\n0 1 0 1 1 1 X 0 1 1 0 0 0 1 0 1 1\n0 1 X 0 1 1 X X 0 0 0 0 1 X X 0 0\n0 1 X X 0 1 X X 0 1 0 1 X X X 0 1\n0,0,X,X,1,X,X,X,X,0,1,X,X,X,X,X,0"];
19 -> 19 [label="0\n0\n1\n1\n1\n1\n0\n0"];
19 -> 20 [label="0\n0\n1\n0\n1\n1\n1\n1"];
20 -> 1 [label="0 0 0 0 0 0 0 0 0 0 0 1\n0 0 0 0 0 0 1 1 1 1 1 X\n0 1 1 1 1 1 0 0 1 1 1 X\nX 0 0 0 0 0 1 1 0 1 1 X\nX 0 0 0 1 1 1 1 0 1 1 X\nX 0 0 1 0 1 0 1 0 0 1 X\nX 0 1 X X 0 1 X 0 1 X X\nX,1,X,X,X,X,1,X,0,1,X,X"];
20 -> 18 [label="0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0\n0 0 0 0 0 0 1 1 1 1 1 1 1 1 1 1 1 1 1\n1 1 1 1 1 1 0 0 0 0 1 1 1 1 1 1 1 1 1\n0 0 1 1 1 1 0 1 1 1 0 0 0 0 1 1 1 1 1\n0 1 0 1 1 1 X 0 1 1 0 0 0 1 0 0 0 1 1\n0 1 X 0 1 1 X X 0 0 0 0 1 X 0 1 1 0 0\n0 1 X X 0 1 X X 0 1 0 1 X X X 0 1 0 1\n0,X,X,X,1,X,X,X,X,0,1,X,X,X,X,1,X,X,0"];
20 -> 19 [label="0\n0\n1\n1\n1\n1\n0\n0"];
20 -> 21 [label="0\n1\n1\n1\n0\n1\n0\n0"];
21 -> 1 [label="0 0 0 0 0 0 0 0 0 0 0 1\n0 0 0 0 0 0 1 1 1 1 1 X\n0 1 1 1 1 1 0 0 1 1 1 X\nX 0 0 0 0 0 1 1 0 1 1 X\nX 0 0 0 1 1 1 1 0 1 1 X\nX 0 0 1 0 1 0 1 0 0 1 X\nX 0 1 X X 0 1 X 0 1 X X\nX,1,X,X,X,X,1,X,0,1,X,X"];
21 -> 18 [label="0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0\n0 0 0 0 0 0 1 1 1 1 1 1 1 1 1 1 1 1\n1 1 1 1 1 1 0 0 0 0 1 1 1 1 1 1 1 1\n0 0 1 1 1 1 0 1 1 1 0 0 0 0 0 1 1 1\n0 1 0 1 1 1 X 0 1 1 0 0 0 0 1 0 1 1\n0 1 X 0 1 1 X X 0 0 0 0 1 1 X X 0 0\n0 1 X X 0 1 X X 0 1 0 1 0 1 X X 0 1\n0,X,X,X,1,X,X,X,X,0,1,X,1,X,X,X,X,0"];
21 -> 19 [label="0\n0\n1\n1\n1\n1\n0\n0"];
21 -> 22 [label="0\n1\n1\n0\n0\n1\n0\n0"];
22 -> 1 [label="0 0 0 0 0 0 0 0 0 0 0 1\n0 0 0 0 0 0 1 1 1 1 1 X\n0 1 1 1 1 1 0 0 1 1 1 X\nX 0 0 0 0 0 1 1 0 1 1 X\nX 0 0 0 1 1 1 1 0 1 1 X\nX 0 0 1 0 1 0 1 0 0 1 X\nX 0 1 X X 0 1 X 0 1 X X\nX,1,X,X,X,X,1,X,0,1,X,X"];
22 -> 18 [label="0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0\n0 0 0 0 0 0 1 1 1 1 1 1 1 1 1 1 1\n1 1 1 1 1 1 0 0 0 0 1 1 1 1 1 1 1\n0 0 1 1 1 1 0 1 1 1 0 0 0 0 1 1 1\n0 1 0 1 1 1 X 0 1 1 0 0 0 1 0 1 1\n0 1 X 0 1 1 X X 0 0 0 0 1 X X 0 0\n0 1 X X 0 1 X X 0 1 0 1 X X X 0 1\n0,X,X,X,1,1,X,X,X,0,1,X,X,X,X,X,0"];
22 -> 19 [label="0\n0\n1\n1\n1\n1\n0\n0"];
22 -> 23 [label="0\n0\n1\n1\n1\n1\n1\n0"];
23 -> 1 [label="0 0 0 0 0 0 0 0 0 0 0 1\n0 0 0 0 0 0 1 1 1 1 1 X\n0 1 1 1 1 1 0 0 1 1 1 X\nX 0 0 0 0 0 1 1 0 1 1 X\nX 0 0 0 1 1 1 1 0 1 1 X\nX 0 0 1 0 1 0 1 0 0 1 X\nX 0 1 X X 0 1 X 0 1 X X\nX,1,X,X,X,X,1,X,0,1,X,X"];
23 -> 18 [label="0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0\n0 0 0 0 0 0 1 1 1 1 1 1 1 1 1 1 1\n1 1 1 1 1 1 0 0 0 0 1 1 1 1 1 1 1\n0 0 1 1 1 1 0 1 1 1 0 0 0 0 1 1 1\n0 1 0 1 1 1 X 0 1 1 0 0 0 1 0 1 1\n0 1 X 0 1 1 X X 0 0 0 0 1 X X 0 0\n0 1 X X 0 1 X X 0 1 0 1 X X X 0 1\n0,X,X,X,1,X,X,X,X,0,1,X,X,X,X,X,0"];
23 -> 19 [label="0\n0\n1\n1\n1\n1\n0\n0"];
}

*** XSS Stranger Sanit Backward Analysis BEGIN ***


Backward analysis automaton result for input node ==> _superglobals.$_GET[www] (9)\n**/vuln01.php ID=19 :
----------------------------
digraph MONA_DFA {
rankdir = LR;
center = true;
size = "7.5,10.5";
edge [fontname = Courier];
node [height = .5, width = .5];
node [shape = doublecircle]; 9;
node [shape = circle]; 0; 1; 2; 3; 4; 5; 6; 7; 8;
node [shape = box];
init [shape = plaintext, label = ""];
init -> 0;
0 -> 0 [label="0 0 0 0 0 0 0 1 1 1 1 1 1\n0 0 0 0 0 0 1 0 1 1 1 1 1\n0 1 1 1 1 1 X X 0 1 1 1 1\nX 0 1 1 1 1 X X X 0 1 1 1\nX X 0 1 1 1 X X X X 0 1 1\nX X X 0 1 1 X X X X X 0 1\nX X X X 0 1 X X X X X X 0\nX,X,X,X,1,X,X,X,X,X,X,X,X"];
0 -> 1 [label="0\n0\n1\n1\n1\n1\n0\n0"];
0 -> 2 [label="1\n1\n1\n1\n1\n1\n1\nX"];
1 -> 0 [label="0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0\n0 0 0 0 0 0 1 1 1 1 1 1 1 1 1 1 1 1 1\n1 1 1 1 1 1 0 0 0 0 0 0 1 1 1 1 1 1 1\n0 0 1 1 1 1 0 1 1 1 1 1 0 0 0 0 1 1 1\n0 1 0 1 1 1 X 0 0 0 1 1 0 0 0 1 0 1 1\n0 1 X 0 1 1 X 0 0 1 0 0 0 0 1 X X 0 0\n0 1 X X 0 1 X 0 1 X 0 1 0 1 X X X 0 1\n0,X,X,X,1,X,X,X,0,X,X,0,1,X,X,X,X,X,0"];
1 -> 1 [label="0 0 0 0 0 0 0 0 0 0 0 0 1 1 1 1 1 1\n0 0 0 0 0 0 0 1 1 1 1 1 0 1 1 1 1 1\n0 1 1 1 1 1 1 0 0 1 1 1 X 0 1 1 1 1\nX 0 0 0 0 0 1 1 1 0 1 1 X X 0 1 1 1\nX 0 0 0 1 1 1 1 1 0 1 1 X X X 0 1 1\nX 0 0 1 0 1 1 0 1 0 0 1 X X X X 0 1\nX 0 1 X X 0 0 1 X 0 1 X X X X X X 0\nX,1,X,X,X,X,0,1,X,0,1,X,X,X,X,X,X,X"];
1 -> 2 [label="1\n1\n1\n1\n1\n1\n1\nX"];
1 -> 3 [label="0\n1\n0\n1\n0\n0\n1\n1"];
2 -> 2 [label="X\nX\nX\nX\nX\nX\nX\nX"];
3 -> 0 [label="0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0\n0 0 0 0 0 0 1 1 1 1 1 1 1 1 1 1 1 1 1 1\n1 1 1 1 1 1 0 0 0 0 0 0 0 1 1 1 1 1 1 1\n0 0 1 1 1 1 0 0 0 0 1 1 1 0 0 0 0 1 1 1\n0 1 0 1 1 1 0 0 0 1 0 1 1 0 0 0 1 0 1 1\n0 1 X 0 1 1 0 0 1 X X 0 0 0 0 1 X X 0 0\n0 1 X X 0 1 0 1 X X X 0 1 0 1 X X X 0 1\n0,X,X,X,1,X,X,0,X,X,X,X,0,1,X,X,X,X,X,0"];
3 -> 1 [label="0\n0\n1\n1\n1\n1\n0\n0"];
3 -> 2 [label="1\n1\n1\n1\n1\n1\n1\nX"];
3 -> 3 [label="0 0 0 0 0 0 0 0 0 0 0 1 1 1 1 1 1\n0 0 0 0 0 0 1 1 1 1 1 0 1 1 1 1 1\n0 1 1 1 1 1 0 0 1 1 1 X 0 1 1 1 1\nX 0 0 0 0 0 1 1 0 1 1 X X 0 1 1 1\nX 0 0 0 1 1 1 1 0 1 1 X X X 0 1 1\nX 0 0 1 0 1 0 1 0 0 1 X X X X 0 1\nX 0 1 X X 0 1 X 0 1 X X X X X X 0\nX,1,X,X,X,X,1,X,0,1,X,X,X,X,X,X,X"];
3 -> 4 [label="0\n1\n0\n0\n0\n0\n1\n1"];
4 -> 0 [label="0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0\n0 0 0 0 0 0 1 1 1 1 1 1 1 1 1 1 1 1 1\n1 1 1 1 1 1 0 0 0 0 0 0 1 1 1 1 1 1 1\n0 0 1 1 1 1 0 1 1 1 1 1 0 0 0 0 1 1 1\n0 1 0 1 1 1 X 0 0 0 1 1 0 0 0 1 0 1 1\n0 1 X 0 1 1 X 0 0 1 0 0 0 0 1 X X 0 0\n0 1 X X 0 1 X 0 1 X 0 1 0 1 X X X 0 1\n0,X,X,X,1,X,X,X,1,X,X,0,1,X,X,X,X,X,0"];
4 -> 1 [label="0\n0\n1\n1\n1\n1\n0\n0"];
4 -> 2 [label="1\n1\n1\n1\n1\n1\n1\nX"];
4 -> 4 [label="0 0 0 0 0 0 0 0 0 0 0 1 1 1 1 1 1\n0 0 0 0 0 0 1 1 1 1 1 0 1 1 1 1 1\n0 1 1 1 1 1 0 0 1 1 1 X 0 1 1 1 1\nX 0 0 0 0 0 1 1 0 1 1 X X 0 1 1 1\nX 0 0 0 1 1 1 1 0 1 1 X X X 0 1 1\nX 0 0 1 0 1 0 1 0 0 1 X X X X 0 1\nX 0 1 X X 0 1 X 0 1 X X X X X X 0\nX,1,X,X,X,X,1,X,0,1,X,X,X,X,X,X,X"];
4 -> 5 [label="0\n1\n0\n1\n0\n0\n1\n0"];
5 -> 0 [label="0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0\n0 0 0 0 0 0 1 1 1 1 1 1 1 1 1 1 1 1 1 1\n1 1 1 1 1 1 0 0 0 0 0 0 0 1 1 1 1 1 1 1\n0 0 1 1 1 1 0 0 0 0 1 1 1 0 0 0 0 1 1 1\n0 1 0 1 1 1 0 1 1 1 0 1 1 0 0 0 1 0 1 1\n0 1 X 0 1 1 X 0 0 1 X 0 0 0 0 1 X X 0 0\n0 1 X X 0 1 X 0 1 X X 0 1 0 1 X X X 0 1\n0,X,X,X,1,X,X,0,X,X,X,X,0,1,X,X,X,X,X,0"];
5 -> 1 [label="0\n0\n1\n1\n1\n1\n0\n0"];
5 -> 2 [label="1\n1\n1\n1\n1\n1\n1\nX"];
5 -> 5 [label="0 0 0 0 0 0 0 0 0 0 0 1 1 1 1 1 1\n0 0 0 0 0 0 1 1 1 1 1 0 1 1 1 1 1\n0 1 1 1 1 1 0 0 1 1 1 X 0 1 1 1 1\nX 0 0 0 0 0 1 1 0 1 1 X X 0 1 1 1\nX 0 0 0 1 1 1 1 0 1 1 X X X 0 1 1\nX 0 0 1 0 1 0 1 0 0 1 X X X X 0 1\nX 0 1 X X 0 1 X 0 1 X X X X X X 0\nX,1,X,X,X,X,1,X,0,1,X,X,X,X,X,X,X"];
5 -> 6 [label="0\n1\n0\n0\n1\n0\n0\n1"];
6 -> 0 [label="0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0\n0 0 0 0 0 0 1 1 1 1 1 1 1 1 1 1 1 1 1\n1 1 1 1 1 1 0 0 0 0 0 0 1 1 1 1 1 1 1\n0 0 1 1 1 1 0 1 1 1 1 1 0 0 0 0 1 1 1\n0 1 0 1 1 1 X 0 0 0 1 1 0 0 0 1 0 1 1\n0 1 X 0 1 1 X 0 0 1 0 0 0 0 1 X X 0 0\n0 1 X X 0 1 X 0 1 X 0 1 0 1 X X X 0 1\n0,X,X,X,1,X,X,1,X,X,X,0,1,X,X,X,X,X,0"];
6 -> 1 [label="0\n0\n1\n1\n1\n1\n0\n0"];
6 -> 2 [label="1\n1\n1\n1\n1\n1\n1\nX"];
6 -> 6 [label="0 0 0 0 0 0 0 0 0 0 0 1 1 1 1 1 1\n0 0 0 0 0 0 1 1 1 1 1 0 1 1 1 1 1\n0 1 1 1 1 1 0 0 1 1 1 X 0 1 1 1 1\nX 0 0 0 0 0 1 1 0 1 1 X X 0 1 1 1\nX 0 0 0 1 1 1 1 0 1 1 X X X 0 1 1\nX 0 0 1 0 1 0 1 0 0 1 X X X X 0 1\nX 0 1 X X 0 1 X 0 1 X X X X X X 0\nX,1,X,X,X,X,1,X,0,1,X,X,X,X,X,X,X"];
6 -> 7 [label="0\n1\n0\n1\n0\n0\n0\n0"];
7 -> 0 [label="0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0\n0 0 0 0 0 0 1 1 1 1 1 1 1 1 1 1 1 1 1\n1 1 1 1 1 1 0 0 0 0 0 0 1 1 1 1 1 1 1\n0 0 1 1 1 1 0 1 1 1 1 1 0 0 0 0 1 1 1\n0 1 0 1 1 1 X 0 0 0 1 1 0 0 0 1 0 1 1\n0 1 X 0 1 1 X 0 1 1 0 0 0 0 1 X X 0 0\n0 1 X X 0 1 X X 0 1 0 1 0 1 X X X 0 1\n0,X,X,X,1,X,X,X,1,X,X,0,1,X,X,X,X,X,0"];
7 -> 1 [label="0\n0\n1\n1\n1\n1\n0\n0"];
7 -> 2 [label="1\n1\n1\n1\n1\n1\n1\nX"];
7 -> 7 [label="0 0 0 0 0 0 0 0 0 0 0 1 1 1 1 1 1\n0 0 0 0 0 0 1 1 1 1 1 0 1 1 1 1 1\n0 1 1 1 1 1 0 0 1 1 1 X 0 1 1 1 1\nX 0 0 0 0 0 1 1 0 1 1 X X 0 1 1 1\nX 0 0 0 1 1 1 1 0 1 1 X X X 0 1 1\nX 0 0 1 0 1 0 1 0 0 1 X X X X 0 1\nX 0 1 X X 0 1 X 0 1 X X X X X X 0\nX,1,X,X,X,X,1,X,0,1,X,X,X,X,X,X,X"];
7 -> 8 [label="0\n1\n0\n1\n0\n1\n0\n0"];
8 -> 0 [label="0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0\n0 0 0 0 0 1 1 1 1 1 1 1 1 1 1 1\n1 1 1 1 1 0 0 0 0 1 1 1 1 1 1 1\n0 1 1 1 1 0 1 1 1 0 0 0 0 1 1 1\n1 0 1 1 1 X 0 1 1 0 0 0 1 0 1 1\n1 X 0 1 1 X X 0 0 0 0 1 X X 0 0\n1 X X 0 1 X X 0 1 0 1 X X X 0 1\nX,X,X,1,X,X,X,X,0,1,X,X,X,X,X,0"];
8 -> 1 [label="0\n0\n1\n1\n1\n1\n0\n0"];
8 -> 2 [label="1\n1\n1\n1\n1\n1\n1\nX"];
8 -> 8 [label="0 0 0 0 0 0 0 0 0 0 0 1 1 1 1 1 1\n0 0 0 0 0 0 1 1 1 1 1 0 1 1 1 1 1\n0 1 1 1 1 1 0 0 1 1 1 X 0 1 1 1 1\nX 0 0 0 0 0 1 1 0 1 1 X X 0 1 1 1\nX 0 0 0 1 1 1 1 0 1 1 X X X 0 1 1\nX 0 0 1 0 1 0 1 0 0 1 X X X X 0 1\nX 0 1 X X 0 1 X 0 1 X X X X X X 0\nX,1,X,X,X,X,1,X,0,1,X,X,X,X,X,X,X"];
8 -> 9 [label="0\n0\n1\n0\n0\n0\n0\n0"];
9 -> 2 [label="1\n1\n1\n1\n1\n1\n1\nX"];
9 -> 9 [label="0 1 1 1 1 1 1\nX 0 1 1 1 1 1\nX X 0 1 1 1 1\nX X X 0 1 1 1\nX X X X 0 1 1\nX X X X X 0 1\nX X X X X X 0\nX,X,X,X,X,X,X"];
}
----------------------------

*** XSS Stranger Sanit Backward Analysis End ***


----------------------------
Total Vuln Count: 1
----------------------------

*****************
XSS Stranger Sanit Analysis END
*****************

============================================================================
Performance information
============================================================================
Time elapsed in seconds = 0.622
Forward analysis time in seconds = 0.088
Backward analysis time in seconds = 0.531
String length = 9
Number of concat = 4
Time of concat in seconds = 0.0070
Number of union = 3
Time of union in seconds = 0.0050
Number of replace = 0
Time of replace in seconds = 0.0
Number of preconcat = 0
Time of preconcat in seconds = 0.0
Number of constPreconcat = 0
Time of constPreconcat in seconds = 0.0
Total number of preConcat = 0
Total time of preconcat in seconds = 0.0
Number of prereplace = 0
Time of prereplace in seconds = 0.0

Memory consumption = 3103352 bytes
From MONA: total allocated memory = 3854656

------------- GRAPHS INFO -----------
Sink: _main._t0_0 (15)\n**/vuln01.php
Number of nodes = 21, Number of edges = 20
------------------------
============================================================================

*****************
MFE Taint Analysis BEGIN
*****************


MFE Taint Analysis RESULT:
--------------------------
Number of analyzed sinks: 0
Number of tainted sinks: 0

*****************
MFE Stranger Sanit Analysis BEGIN
*****************

----------------------------
Total Vuln Count: 0
----------------------------

*****************
MFE Stranger Sanit Analysis END
*****************

============================================================================
Performance information
============================================================================
Time elapsed in seconds = 0.0
Forward analysis time in seconds = 0.0
Backward analysis time in seconds = 0.0
String length = 48
Number of concat = 6
Time of concat in seconds = 0.011
Number of union = 16
Time of union in seconds = 0.019
Number of replace = 1
Time of replace in seconds = 0.0040
Number of preconcat = 1
Time of preconcat in seconds = 0.348
Number of constPreconcat = 1
Time of constPreconcat in seconds = 0.058
Total number of preConcat = 2
Total time of preconcat in seconds = 0.406
Number of prereplace = 1
Time of prereplace in seconds = 0.0040

Memory consumption = 3103352 bytes
From MONA: total allocated memory = 3854656

------------- GRAPHS INFO -----------
============================================================================
Total Time: 0 seconds



The output consists of two parts, corresponding to the two main components of the stranger architecture: Taint Analyzer and String Analyzer. We give a quick overview of each component and explain its output.

  • Taint Analyzer: this part shows the results of a number of data flow analyses performed by stranger (Note: this part is inherited from Pixy with some modifications).

    • This part shows the result of the preliminary data flow analyses, including literal analysis, type analysis, etc. The important output here is the number of unresolved includes (i.e. include statements where the included file cannot be resolved to a file name) and the values of the parameters of these include statements. This matters because stranger, before analysing a PHP script, needs to build a full Control Flow Graph that contains the script itself along with all included files. If one of the include statements cannot be resolved to a file, the analysis will be less precise. In vuln01.php there are no unresolved includes, as shown by

      not found includes: 0
      unresolved non-literal includes: 0.


    • This shows you the number of sinks found in the script and the number of tainted sinks. A sink (formally referred to as a sensitive sink) is a program point that represents an instance of a sensitive function argument. A sensitive function is a PHP function for which the flow of unsanitized malicious user input, through any execution path, may compromise the security of the web application by exploiting a certain type of web vulnerability such as XSS or SQLI. An example of a function that is sensitive to XSS attacks is the echo function: if a malicious input can be "echoed" without proper sanitization, the PHP script is considered vulnerable to XSS attacks. A tainted sink is a sink that user input can reach without proper sanitization routines being applied. In the previous example, we can see that there are 0 sinks and (consequently) 0 tainted sinks for both SQLI and MFE analysis.

      SQL Taint Analysis RESULT:
      --------------------------
      Number of analyzed sinks: 0
      Number of tainted sinks: 0

      MFE Taint Analysis RESULT:
      --------------------------
      Number of analyzed sinks: 0
      Number of tainted sinks: 0

      On the other hand, we find that there is one sink for XSS analysis (the string parameter to the echo statement), and that this sink is tainted and needs to be passed to String Analyzer.

      XSS Taint Analysis RESULT:
      --------------------------
      Number of analyzed sinks: 1
      Number of tainted sinks: 1

      (Note that if user input is sanitized before reaching a sink but the sanitization function is considered weak, the sink will still be considered a tainted sink.)
      If a sink is found to be tainted by taint analysis, its Dependency Graph is passed to String Analyzer. The Dependency Graph for a sink shows all program points for inputs that the sink value depends on, and how data flows through the program CFG from these program points towards the sink. To see these dependency graphs, refer to the output folder named vuln01.php_09-19-09_09:41:14 (the name contains the date and time when the experiment was conducted, so it will change). The dependency graphs are output in dot format. The ones that result from taint analysis have their names prefixed with type_of_analysissink. In our example, there should be one dependency graph output from taint analysis, called xsssink_vuln01.php_1_depgraph.dot. The file name means that this is the dependency graph for the first sink found to be tainted by taint analysis in PHP script vuln01.php. The recommended method to view this file is using Graphviz (available only on mac). You can also use the dot utility on Linux to convert this dot file into a PNG image as follows:

      dot -Tpng -o xsssink_vuln01.php_1_depgraph.png xsssink_vuln01.php_1_depgraph.dot

      The previous command will result in a dependency graph for our example similar to the following:



      (Note: this is done automatically if you use the script test-php-script.py to run stranger, as in our case here. It is also available in test-php-app.py but commented out, as it consumes a lot of execution time for large graphs.)

  • String Analyzer: if some sinks are found to be vulnerable, String Analysis investigates further to find out whether these sinks are really vulnerable. The output of this phase appears between Stranger Sanit Analysis BEGIN and Stranger Sanit Analysis END. As you can see in our example above, SQLI and MFE do not have any tainted sinks, so there is no need for string analysis in this case; it only outputs Total Vuln Count: 0. Here is the output from MFE analysis:

    *****************
    MFE Stranger Sanit Analysis BEGIN
    *****************

    ----------------------------
    Total Vuln Count: 0
    ----------------------------

    *****************
    MFE Stranger Sanit Analysis END
    *****************

    On the other hand, XSS analysis has one tainted sink, which needs more investigation by the string analyzer. The string analyzer runs two types of analysis on the tainted sink:

    • This analysis calculates all possible string values that may reach the tainted sink node in its dependency graph. It starts from the input nodes in the sink's dependency graph, calculates all possible string values for each node (depending on its child nodes) and propagates these values until it reaches the sink node. The string values for input nodes are approximated as Σ*. The possible string values at each node in the dependency graph are represented by an automaton using a symbolic representation with BDDs. The automaton that represents all possible values that may reach the sink node is printed in dot format to the standard output. Here is the automaton that represents all possible values that may reach the echo sink in vuln01.php, from the previous output.

      digraph MONA_DFA {
      rankdir = LR;
      center = true;
      size = "7.5,10.5";
      edge [fontname = Courier];
      node [height = .5, width = .5];
      node [shape = doublecircle]; 15;
      node [shape = circle]; 0; 1; 2; 3; 4; 5; 6; 7; 8; 9; 10; 11; 12; 13; 14;
      node [shape = box];
      init [shape = plaintext, label = ""];
      init -> 0;
      0 -> 1 [label="0 0 0 0 0 0 0 1\n0 0 0 0 0 0 1 X\n0 1 1 1 1 1 X X\nX 0 1 1 1 1 X X\nX X 0 1 1 1 X X\nX X X 0 1 1 X X\nX X X X 0 1 X X\nX,X,X,X,1,X,X,X"];
      0 -> 2 [label="0\n0\n1\n1\n1\n1\n0\n0"];
      1 -> 1 [label="X\nX\nX\nX\nX\nX\nX\nX"];
      2 -> 1 [label="0 0 0 0 0 0 0 1\n0 1 1 1 1 1 1 X\nX 0 1 1 1 1 1 X\nX X 0 1 1 1 1 X\nX X X 0 0 0 1 X\nX X X 0 1 1 X X\nX X X X 0 1 X X\nX,X,X,X,1,X,X,X"];
      2 -> 3 [label="0\n1\n1\n1\n0\n1\n0\n0"];
      3 -> 1 [label="0 0 0 0 0 0 0 1\n0 1 1 1 1 1 1 X\nX 0 1 1 1 1 1 X\nX X 0 0 0 0 1 X\nX X 0 0 0 1 X X\nX X 0 1 1 X X X\nX X X 0 1 X X X\nX,X,X,1,X,X,X,X"];
      3 -> 4 [label="0\n1\n1\n0\n0\n1\n0\n0"];
      4 -> 1 [label="0 0 0 0 0 0 0 1\n0 0 0 0 0 0 1 X\n0 1 1 1 1 1 X X\nX 0 1 1 1 1 X X\nX X 0 1 1 1 X X\nX X X 0 1 1 X X\nX X X X 0 1 X X\nX,X,X,X,X,1,X,X"];
      4 -> 5 [label="0\n0\n1\n1\n1\n1\n1\n0"];
      5 -> 1 [label="0 0 0 0 0 0 0 1\n0 1 1 1 1 1 1 X\nX 0 0 0 0 0 1 X\nX 0 1 1 1 1 X X\nX X 0 0 0 1 X X\nX X 0 1 1 X X X\nX X X 0 1 X X X\nX,X,X,0,X,X,X,X"];
      5 -> 6 [label="0\n1\n0\n1\n0\n1\n0\n1"];
      6 -> 1 [label="0 0 0 0 0 0 0 1\n0 1 1 1 1 1 1 X\nX 0 0 0 0 0 1 X\nX 0 1 1 1 1 X X\nX X 0 0 0 1 X X\nX X 0 0 1 X X X\nX X 0 1 X X X X\nX,X,X,1,X,X,X,X"];
      6 -> 7 [label="0\n1\n0\n1\n0\n0\n1\n0"];
      7 -> 1 [label="0 0 0 0 0 0 0 1\n0 1 1 1 1 1 1 X\nX 0 0 0 0 0 1 X\nX 0 0 0 0 1 X X\nX 0 1 1 1 X X X\nX X 0 1 1 X X X\nX X X 0 1 X X X\nX,X,X,1,X,X,X,X"];
      7 -> 8 [label="0\n1\n0\n0\n1\n1\n0\n0"];
      8 -> 1 [label="0 0 0 0 0 0 0 1\n0 0 0 0 0 0 1 X\n0 1 1 1 1 1 X X\nX 0 1 1 1 1 X X\nX X 0 1 1 1 X X\nX X X 0 0 1 X X\nX X X 0 1 X X X\nX,X,X,X,1,X,X,X"];
      8 -> 9 [label="0\n0\n1\n1\n1\n0\n1\n0"];
      9 -> 1 [label="0 0 0 0 0 0 0 1\n0 0 0 0 0 0 1 X\n0 1 1 1 1 1 X X\nX 0 0 0 0 1 X X\nX 0 0 0 1 X X X\nX 0 0 1 X X X X\nX 0 1 X X X X X\nX,1,X,X,X,X,X,X"];
      9 -> 10 [label="0\n0\n1\n0\n0\n0\n0\n0"];
      10 -> 1 [label="0 0 0 0 0 0 0 0 0 0 0 1\n0 0 0 0 0 0 1 1 1 1 1 X\n0 1 1 1 1 1 0 0 1 1 1 X\nX 0 0 0 0 0 1 1 0 1 1 X\nX 0 0 0 1 1 1 1 0 1 1 X\nX 0 0 1 0 1 0 1 0 0 1 X\nX 0 1 X X 0 1 X 0 1 X X \nX,1,X,X,X,X,1,X,0,1,X,X"];
      10 -> 10 [label="0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0\n0 0 0 0 0 0 1 1 1 1 1 1 1 1 1 1 1\n1 1 1 1 1 1 0 0 0 0 1 1 1 1 1 1 1\n0 0 1 1 1 1 0 1 1 1 0 0 0 0 1 1 1\n0 1 0 1 1 1 X 0 1 1 0 0 0 1 0 1 1\n0 1 X 0 1 1 X X 0 0 0 0 1 X X 0 0\n0 1 X X 0 1 X X 0 1 0 1 X X X 0 1\n0,X,X,X,1,X,X,X,X,0,1,X,X,X,X,X,0"];
      10 -> 11 [label="0\n0\n1\n1\n1\n1\n0\n0"];
      11 -> 1 [label="0 0 0 0 0 0 0 0 0 0 0 1\n0 0 0 0 0 0 1 1 1 1 1 X\n0 1 1 1 1 1 0 0 1 1 1 X\nX 0 0 0 0 0 1 1 0 1 1 X\nX 0 0 0 1 1 1 1 0 1 1 X\nX 0 0 1 0 1 0 1 0 0 1 X\nX 0 1 X X 0 1 X 0 1 X X\nX,1,X,X,X,X,1,X,0,1,X,X"];
      11 -> 10 [label="0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0\n0 0 0 0 0 0 1 1 1 1 1 1 1 1 1 1 1\n1 1 1 1 1 1 0 0 0 0 1 1 1 1 1 1 1\n0 0 1 1 1 1 0 1 1 1 0 0 0 0 1 1 1\n0 1 0 1 1 1 X 0 1 1 0 0 0 1 0 1 1\n0 1 X 0 1 1 X X 0 0 0 0 1 X X 0 0\n0 1 X X 0 1 X X 0 1 0 1 X X X 0 1\n0,0,X,X,1,X,X,X,X,0,1,X,X,X,X,X,0"];
      11 -> 11 [label="0\n0\n1\n1\n1\n1\n0\n0"];
      11 -> 12 [label="0\n0\n1\n0\n1\n1\n1\n1"];
      12 -> 1 [label="0 0 0 0 0 0 0 0 0 0 0 1\n0 0 0 0 0 0 1 1 1 1 1 X\n0 1 1 1 1 1 0 0 1 1 1 X\nX 0 0 0 0 0 1 1 0 1 1 X\nX 0 0 0 1 1 1 1 0 1 1 X\nX 0 0 1 0 1 0 1 0 0 1 X\nX 0 1 X X 0 1 X 0 1 X X\nX,1,X,X,X,X,1,X,0,1,X,X"];
      12 -> 10 [label="0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0\n0 0 0 0 0 0 1 1 1 1 1 1 1 1 1 1 1 1 1\n1 1 1 1 1 1 0 0 0 0 1 1 1 1 1 1 1 1 1\n0 0 1 1 1 1 0 1 1 1 0 0 0 0 1 1 1 1 1\n0 1 0 1 1 1 X 0 1 1 0 0 0 1 0 0 0 1 1\n0 1 X 0 1 1 X X 0 0 0 0 1 X 0 1 1 0 0\n0 1 X X 0 1 X X 0 1 0 1 X X X 0 1 0 1\n0,X,X,X,1,X,X,X,X,0,1,X,X,X,X,1,X,X,0"];
      12 -> 11 [label="0\n0\n1\n1\n1\n1\n0\n0"];
      12 -> 13 [label="0\n1\n1\n1\n0\n1\n0\n0"];
      13 -> 1 [label="0 0 0 0 0 0 0 0 0 0 0 1\n0 0 0 0 0 0 1 1 1 1 1 X\n0 1 1 1 1 1 0 0 1 1 1 X\nX 0 0 0 0 0 1 1 0 1 1 X\nX 0 0 0 1 1 1 1 0 1 1 X\nX 0 0 1 0 1 0 1 0 0 1 X\nX 0 1 X X 0 1 X 0 1 X X\nX,1,X,X,X,X,1,X,0,1,X,X"];
      13 -> 10 [label="0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0\n0 0 0 0 0 0 1 1 1 1 1 1 1 1 1 1 1 1\n1 1 1 1 1 1 0 0 0 0 1 1 1 1 1 1 1 1\n0 0 1 1 1 1 0 1 1 1 0 0 0 0 0 1 1 1\n0 1 0 1 1 1 X 0 1 1 0 0 0 0 1 0 1 1\n0 1 X 0 1 1 X X 0 0 0 0 1 1 X X 0 0\n0 1 X X 0 1 X X 0 1 0 1 0 1 X X 0 1\n0,X,X,X,1,X,X,X,X,0,1,X,1,X,X,X,X,0"];
      13 -> 11 [label="0\n0\n1\n1\n1\n1\n0\n0"];
      13 -> 14 [label="0\n1\n1\n0\n0\n1\n0\n0"];
      14 -> 1 [label="0 0 0 0 0 0 0 0 0 0 0 1\n0 0 0 0 0 0 1 1 1 1 1 X\n0 1 1 1 1 1 0 0 1 1 1 X\nX 0 0 0 0 0 1 1 0 1 1 X\nX 0 0 0 1 1 1 1 0 1 1 X\nX 0 0 1 0 1 0 1 0 0 1 X\nX 0 1 X X 0 1 X 0 1 X X\nX,1,X,X,X,X,1,X,0,1,X,X"];
      14 -> 10 [label="0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0\n0 0 0 0 0 0 1 1 1 1 1 1 1 1 1 1 1\n1 1 1 1 1 1 0 0 0 0 1 1 1 1 1 1 1\n0 0 1 1 1 1 0 1 1 1 0 0 0 0 1 1 1\n0 1 0 1 1 1 X 0 1 1 0 0 0 1 0 1 1\n0 1 X 0 1 1 X X 0 0 0 0 1 X X 0 0\n0 1 X X 0 1 X X 0 1 0 1 X X X 0 1\n0,X,X,X,1,1,X,X,X,0,1,X,X,X,X,X,0"];
      14 -> 11 [label="0\n0\n1\n1\n1\n1\n0\n0"];
      14 -> 15 [label="0\n0\n1\n1\n1\n1\n1\n0"];
      15 -> 1 [label="0 0 0 0 0 0 0 0 0 0 0 1\n0 0 0 0 0 0 1 1 1 1 1 X\n0 1 1 1 1 1 0 0 1 1 1 X\nX 0 0 0 0 0 1 1 0 1 1 X\nX 0 0 0 1 1 1 1 0 1 1 X\nX 0 0 1 0 1 0 1 0 0 1 X\nX 0 1 X X 0 1 X 0 1 X X\nX,1,X,X,X,X,1,X,0,1,X,X"];
      15 -> 10 [label="0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0\n0 0 0 0 0 0 1 1 1 1 1 1 1 1 1 1 1\n1 1 1 1 1 1 0 0 0 0 1 1 1 1 1 1 1\n0 0 1 1 1 1 0 1 1 1 0 0 0 0 1 1 1\n0 1 0 1 1 1 X 0 1 1 0 0 0 1 0 1 1\n0 1 X 0 1 1 X X 0 0 0 0 1 X X 0 0\n0 1 X X 0 1 X X 0 1 0 1 X X X 0 1\n0,X,X,X,1,X,X,X,X,0,1,X,X,X,X,X,0"];
      15 -> 11 [label="0\n0\n1\n1\n1\n1\n0\n0"];
      }

      Here is the graph for the previous automaton (Note: the graph below came from a dot file with altered size property).



      You can also refer to the eps version for more details.
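
To read the edge labels in the automaton above, the following added example (not part of stranger or of the original page) decodes them in Python. It assumes each label column is one 8-bit character code read top to bottom, most significant bit first, with X as a don't-care bit; SAMPLE_DOT is an excerpt of the sink automaton above, and all function names are hypothetical.

```python
import re
from collections import defaultdict

# Excerpt of the sink automaton printed above. The edges from states 2-9
# into state 1 are left out to keep the sample short.
SAMPLE_DOT = r'''
node [shape = doublecircle]; 15;
init -> 0;
0 -> 1 [label="0 0 0 0 0 0 0 1\n0 0 0 0 0 0 1 X\n0 1 1 1 1 1 X X\nX 0 1 1 1 1 X X\nX X 0 1 1 1 X X\nX X X 0 1 1 X X\nX X X X 0 1 X X\nX,X,X,X,1,X,X,X"];
0 -> 2 [label="0\n0\n1\n1\n1\n1\n0\n0"];
1 -> 1 [label="X\nX\nX\nX\nX\nX\nX\nX"];
2 -> 3 [label="0\n1\n1\n1\n0\n1\n0\n0"];
3 -> 4 [label="0\n1\n1\n0\n0\n1\n0\n0"];
4 -> 5 [label="0\n0\n1\n1\n1\n1\n1\n0"];
5 -> 6 [label="0\n1\n0\n1\n0\n1\n0\n1"];
6 -> 7 [label="0\n1\n0\n1\n0\n0\n1\n0"];
7 -> 8 [label="0\n1\n0\n0\n1\n1\n0\n0"];
8 -> 9 [label="0\n0\n1\n1\n1\n0\n1\n0"];
9 -> 10 [label="0\n0\n1\n0\n0\n0\n0\n0"];
10 -> 10 [label="0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0\n0 0 0 0 0 0 1 1 1 1 1 1 1 1 1 1 1\n1 1 1 1 1 1 0 0 0 0 1 1 1 1 1 1 1\n0 0 1 1 1 1 0 1 1 1 0 0 0 0 1 1 1\n0 1 0 1 1 1 X 0 1 1 0 0 0 1 0 1 1\n0 1 X 0 1 1 X X 0 0 0 0 1 X X 0 0\n0 1 X X 0 1 X X 0 1 0 1 X X X 0 1\n0,X,X,X,1,X,X,X,X,0,1,X,X,X,X,X,0"];
10 -> 11 [label="0\n0\n1\n1\n1\n1\n0\n0"];
'''

EDGE_RE = re.compile(r'^\s*(\d+) -> (\d+) \[label="([^"]*)"\];', re.M)


def parse_edges(dot):
    """Return {src: [(dst, columns)]}; a column is an 8-char string over 0/1/X."""
    edges = defaultdict(list)
    for src, dst, label in EDGE_RE.findall(dot):
        # Rows are separated by a literal backslash-n; cells by spaces or commas.
        rows = [re.split(r'[ ,]+', row.strip()) for row in label.split(r'\n')]
        if len(rows) != 8 or len({len(row) for row in rows}) != 1:
            raise ValueError(f"unexpected label shape on edge {src} -> {dst}")
        edges[int(src)].append((int(dst), [''.join(col) for col in zip(*rows)]))
    return edges


def accepting_states(dot):
    """States listed on the 'doublecircle' line."""
    match = re.search(r'doublecircle\];([^\n]*)', dot)
    return {int(n) for n in re.findall(r'\d+', match.group(1))} if match else set()


def expand(column):
    """All byte values matched by one column (assumed MSB first, X = either bit)."""
    values = [0]
    for bit in column:
        bits = (0, 1) if bit == 'X' else (int(bit),)
        values = [(v << 1) | b for v in values for b in bits]
    return set(values)


def label_chars(columns):
    """Union of the byte values matched by every column of one edge label."""
    chars = set()
    for column in columns:
        chars |= expand(column)
    return chars


def literal_prefix(edges, accepting, start=0):
    """Follow states whose only live edge is a single character; return (text, state)."""
    # A non-accepting state that only loops on itself can never reach acceptance.
    dead = {s for s, out in edges.items()
            if s not in accepting and all(dst == s for dst, _ in out)}
    text, state, seen = [], start, set()
    while state not in seen:
        seen.add(state)
        live = [(dst, cols) for dst, cols in edges.get(state, []) if dst not in dead]
        if len(live) != 1:
            break
        dst, cols = live[0]
        chars = label_chars(cols)
        if len(chars) != 1:
            break
        text.append(chr(next(iter(chars))))
        state = dst
    return ''.join(text), state


if __name__ == "__main__":
    parsed = parse_edges(SAMPLE_DOT)
    print(literal_prefix(parsed, accepting_states(SAMPLE_DOT)))
    loop = label_chars(dict(parsed[10])[10])
    print(''.join(sorted(map(chr, loop))))
```

Under the stated bit-order assumption, the excerpt's edge 0 -> 1 covers every byte except `<`, and state 1 is a reject state that only loops on itself.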

      The previous automaton for the tainted sink is intersected with the automaton that represents the attack pattern. If the intersection is empty, the sink is guaranteed to be secure with respect to the specified attack pattern. If the intersection is not empty, the sink is considered vulnerable and a vulnerability is reported. In our example output above, the intersection was found to be non-empty: a vulnerability is reported and the automaton resulting from the intersection is printed in dot format.

      !!! A vulnerability has been found in SINK: !!!
      _main._t0_0 (15) **/vuln01.php

      This shows that a vulnerability has been found in sink _t0_0 in line 15 of script **/vuln01.php (** depends on the directory where the file is located). The automaton that represents this intersection is shown below:

      digraph MONA_DFA {
      rankdir = LR;
      center = true;
      size = "7.5,10.5";
      edge [fontname = Courier];
      node [height = .5, width = .5];
      node [shape = doublecircle]; 23;
      node [shape = circle]; 0; 1; 2; 3; 4; 5; 6; 7; 8; 9; 10; 11; 12; 13; 14; 15; 16; 17; 18; 19; 20; 21; 22;
      node [shape = box];
      init [shape = plaintext, label = ""];
      init -> 0;
      0 -> 1 [label="0 0 0 0 0 0 0 1\n0 0 0 0 0 0 1 X\n0 1 1 1 1 1 X X\nX 0 1 1 1 1 X X\nX X 0 1 1 1 X X\nX X X 0 1 1 X X\nX X X X 0 1 X X\nX,X,X,X,1,X,X,X"];
      0 -> 2 [label="0\n0\n1\n1\n1\n1\n0\n0"];
      1 -> 1 [label="X\nX\nX\nX\nX\nX\nX\nX"];
      2 -> 1 [label="0 0 0 0 0 0 0 1\n0 1 1 1 1 1 1 X\nX 0 1 1 1 1 1 X\nX X 0 1 1 1 1 X\nX X X 0 0 0 1 X\nX X X 0 1 1 X X\nX X X X 0 1 X X\nX,X,X,X,1,X,X,X"];
      2 -> 3 [label="0\n1\n1\n1\n0\n1\n0\n0"];
      3 -> 1 [label="0 0 0 0 0 0 0 1\n0 1 1 1 1 1 1 X\nX 0 1 1 1 1 1 X\nX X 0 0 0 0 1 X\nX X 0 0 0 1 X X\nX X 0 1 1 X X X\nX X X 0 1 X X X\nX,X,X,1,X,X,X,X"];
      3 -> 4 [label="0\n1\n1\n0\n0\n1\n0\n0"];
      4 -> 1 [label="0 0 0 0 0 0 0 1\n0 0 0 0 0 0 1 X\n0 1 1 1 1 1 X X\nX 0 1 1 1 1 X X\nX X 0 1 1 1 X X\nX X X 0 1 1 X X\nX X X X 0 1 X X\nX,X,X,X,X,1,X,X"];
      4 -> 5 [label="0\n0\n1\n1\n1\n1\n1\n0"];
      5 -> 1 [label="0 0 0 0 0 0 0 1\n0 1 1 1 1 1 1 X\nX 0 0 0 0 0 1 X\nX 0 1 1 1 1 X X\nX X 0 0 0 1 X X\nX X 0 1 1 X X X\nX X X 0 1 X X X\nX,X,X,0,X,X,X,X"];
      5 -> 6 [label="0\n1\n0\n1\n0\n1\n0\n1"];
      6 -> 1 [label="0 0 0 0 0 0 0 1\n0 1 1 1 1 1 1 X\nX 0 0 0 0 0 1 X\nX 0 1 1 1 1 X X\nX X 0 0 0 1 X X\nX X 0 0 1 X X X\nX X 0 1 X X X X\nX,X,X,1,X,X,X,X"];
      6 -> 7 [label="0\n1\n0\n1\n0\n0\n1\n0"];
      7 -> 1 [label="0 0 0 0 0 0 0 1\n0 1 1 1 1 1 1 X\nX 0 0 0 0 0 1 X\nX 0 0 0 0 1 X X\nX 0 1 1 1 X X X\nX X 0 1 1 X X X\nX X X 0 1 X X X\nX,X,X,1,X,X,X,X"];
      7 -> 8 [label="0\n1\n0\n0\n1\n1\n0\n0"];
      8 -> 1 [label="0 0 0 0 0 0 0 1\n0 0 0 0 0 0 1 X\n0 1 1 1 1 1 X X\nX 0 1 1 1 1 X X\nX X 0 1 1 1 X X\nX X X 0 0 1 X X\nX X X 0 1 X X X\nX,X,X,X,1,X,X,X"];
      8 -> 9 [label="0\n0\n1\n1\n1\n0\n1\n0"];
      9 -> 1 [label="0 0 0 0 0 0 0 1\n0 0 0 0 0 0 1 X\n0 1 1 1 1 1 X X\nX 0 0 0 0 1 X X\nX 0 0 0 1 X X X\nX 0 0 1 X X X X\nX 0 1 X X X X X\nX,1,X,X,X,X,X,X"];
      9 -> 10 [label="0\n0\n1\n0\n0\n0\n0\n0"];
      10 -> 1 [label="0 0 0 0 0 0 0 0 0 0 0 1\n0 0 0 0 0 0 1 1 1 1 1 X\n0 1 1 1 1 1 0 0 1 1 1 X\nX 0 0 0 0 0 1 1 0 1 1 X\nX 0 0 0 1 1 1 1 0 1 1 X\nX 0 0 1 0 1 0 1 0 0 1 X\nX 0 1 X X 0 1 X 0 1 X X\nX,1,X,X,X,X,1,X,0,1,X,X"];
      10 -> 10 [label="0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0\n0 0 0 0 0 0 1 1 1 1 1 1 1 1 1 1 1\n1 1 1 1 1 1 0 0 0 0 1 1 1 1 1 1 1\n0 0 1 1 1 1 0 1 1 1 0 0 0 0 1 1 1\n0 1 0 1 1 1 X 0 1 1 0 0 0 1 0 1 1\n0 1 X 0 1 1 X X 0 0 0 0 1 X X 0 0\n0 1 X X 0 1 X X 0 1 0 1 X X X 0 1\n0,X,X,X,1,X,X,X,X,0,1,X,X,X,X,X,0"];
      10 -> 11 [label="0\n0\n1\n1\n1\n1\n0\n0"];
      11 -> 1 [label="0 0 0 0 0 0 0 0 0 0 0 1\n0 0 0 0 0 0 1 1 1 1 1 X\n0 1 1 1 1 1 0 0 1 1 1 X\nX 0 0 0 0 0 1 1 0 1 1 X\nX 0 0 0 1 1 1 1 0 1 1 X\nX 0 0 1 0 1 0 1 0 0 1 X\nX 0 1 X X 0 1 X 0 1 X X\nX,1,X,X,X,X,1,X,0,1,X,X"];
      11 -> 10 [label="0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0\n0 0 0 0 0 0 1 1 1 1 1 1 1 1 1 1 1 1 1\n1 1 1 1 1 1 0 0 0 0 0 0 1 1 1 1 1 1 1\n0 0 1 1 1 1 0 1 1 1 1 1 0 0 0 0 1 1 1\n0 1 0 1 1 1 X 0 0 0 1 1 0 0 0 1 0 1 1\n0 1 X 0 1 1 X 0 0 1 0 0 0 0 1 X X 0 0\n0 1 X X 0 1 X 0 1 X 0 1 0 1 X X X 0 1\n0,X,X,X,1,X,X,X,0,X,X,0,1,X,X,X,X,X,0"];
      11 -> 11 [label="0\n0\n1\n1\n1\n1\n0\n0"];
      11 -> 12 [label="0\n1\n0\n1\n0\n0\n1\n1"];
      12 -> 1 [label="0 0 0 0 0 0 0 0 0 0 0 1\n0 0 0 0 0 0 1 1 1 1 1 X\n0 1 1 1 1 1 0 0 1 1 1 X\nX 0 0 0 0 0 1 1 0 1 1 X\nX 0 0 0 1 1 1 1 0 1 1 X\nX 0 0 1 0 1 0 1 0 0 1 X\nX 0 1 X X 0 1 X 0 1 X X\nX,1,X,X,X,X,1,X,0,1,X,X"];
      12 -> 10 [label="0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0\n0 0 0 0 0 0 1 1 1 1 1 1 1 1 1 1 1 1 1 1\n1 1 1 1 1 1 0 0 0 0 0 0 0 1 1 1 1 1 1 1\n0 0 1 1 1 1 0 0 0 0 1 1 1 0 0 0 0 1 1 1\n0 1 0 1 1 1 0 0 0 1 0 1 1 0 0 0 1 0 1 1\n0 1 X 0 1 1 0 0 1 X X 0 0 0 0 1 X X 0 0\n0 1 X X 0 1 0 1 X X X 0 1 0 1 X X X 0 1\n0,X,X,X,1,X,X,0,X,X,X,X,0,1,X,X,X,X,X,0"];
      12 -> 11 [label="0\n0\n1\n1\n1\n1\n0\n0"];
      12 -> 13 [label="0\n1\n0\n0\n0\n0\n1\n1"];
      13 -> 1 [label="0 0 0 0 0 0 0 0 0 0 0 1\n0 0 0 0 0 0 1 1 1 1 1 X\n0 1 1 1 1 1 0 0 1 1 1 X\nX 0 0 0 0 0 1 1 0 1 1 X\nX 0 0 0 1 1 1 1 0 1 1 X\nX 0 0 1 0 1 0 1 0 0 1 X\nX 0 1 X X 0 1 X 0 1 X X\nX,1,X,X,X,X,1,X,0,1,X,X"];
      13 -> 10 [label="0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0\n0 0 0 0 0 0 1 1 1 1 1 1 1 1 1 1 1 1 1\n1 1 1 1 1 1 0 0 0 0 0 0 1 1 1 1 1 1 1\n0 0 1 1 1 1 0 1 1 1 1 1 0 0 0 0 1 1 1\n0 1 0 1 1 1 X 0 0 0 1 1 0 0 0 1 0 1 1\n0 1 X 0 1 1 X 0 0 1 0 0 0 0 1 X X 0 0\n0 1 X X 0 1 X 0 1 X 0 1 0 1 X X X 0 1\n0,X,X,X,1,X,X,X,1,X,X,0,1,X,X,X,X,X,0"];
      13 -> 11 [label="0\n0\n1\n1\n1\n1\n0\n0"];
      13 -> 14 [label="0\n1\n0\n1\n0\n0\n1\n0"];
      14 -> 1 [label="0 0 0 0 0 0 0 0 0 0 0 1\n0 0 0 0 0 0 1 1 1 1 1 X\n0 1 1 1 1 1 0 0 1 1 1 X\nX 0 0 0 0 0 1 1 0 1 1 X\nX 0 0 0 1 1 1 1 0 1 1 X\nX 0 0 1 0 1 0 1 0 0 1 X\nX 0 1 X X 0 1 X 0 1 X X\nX,1,X,X,X,X,1,X,0,1,X,X"];
      14 -> 10 [label="0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0\n0 0 0 0 0 0 1 1 1 1 1 1 1 1 1 1 1 1 1 1\n1 1 1 1 1 1 0 0 0 0 0 0 0 1 1 1 1 1 1 1\n0 0 1 1 1 1 0 0 0 0 1 1 1 0 0 0 0 1 1 1\n0 1 0 1 1 1 0 1 1 1 0 1 1 0 0 0 1 0 1 1\n0 1 X 0 1 1 X 0 0 1 X 0 0 0 0 1 X X 0 0\n0 1 X X 0 1 X 0 1 X X 0 1 0 1 X X X 0 1\n0,X,X,X,1,X,X,0,X,X,X,X,0,1,X,X,X,X,X,0"];
      14 -> 11 [label="0\n0\n1\n1\n1\n1\n0\n0"];
      14 -> 15 [label="0\n1\n0\n0\n1\n0\n0\n1"];
      15 -> 1 [label="0 0 0 0 0 0 0 0 0 0 0 1\n0 0 0 0 0 0 1 1 1 1 1 X\n0 1 1 1 1 1 0 0 1 1 1 X\nX 0 0 0 0 0 1 1 0 1 1 X\nX 0 0 0 1 1 1 1 0 1 1 X\nX 0 0 1 0 1 0 1 0 0 1 X\nX 0 1 X X 0 1 X 0 1 X X\nX,1,X,X,X,X,1,X,0,1,X,X"];
      15 -> 10 [label="0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0\n0 0 0 0 0 0 1 1 1 1 1 1 1 1 1 1 1 1 1\n1 1 1 1 1 1 0 0 0 0 0 0 1 1 1 1 1 1 1\n0 0 1 1 1 1 0 1 1 1 1 1 0 0 0 0 1 1 1\n0 1 0 1 1 1 X 0 0 0 1 1 0 0 0 1 0 1 1\n0 1 X 0 1 1 X 0 0 1 0 0 0 0 1 X X 0 0\n0 1 X X 0 1 X 0 1 X 0 1 0 1 X X X 0 1\n0,X,X,X,1,X,X,1,X,X,X,0,1,X,X,X,X,X,0"];
      15 -> 11 [label="0\n0\n1\n1\n1\n1\n0\n0"];
      15 -> 16 [label="0\n1\n0\n1\n0\n0\n0\n0"];
      16 -> 1 [label="0 0 0 0 0 0 0 0 0 0 0 1\n0 0 0 0 0 0 1 1 1 1 1 X\n0 1 1 1 1 1 0 0 1 1 1 X\nX 0 0 0 0 0 1 1 0 1 1 X\nX 0 0 0 1 1 1 1 0 1 1 X\nX 0 0 1 0 1 0 1 0 0 1 X\nX 0 1 X X 0 1 X 0 1 X X\nX,1,X,X,X,X,1,X,0,1,X,X"];
      16 -> 10 [label="0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0\n0 0 0 0 0 0 1 1 1 1 1 1 1 1 1 1 1 1 1\n1 1 1 1 1 1 0 0 0 0 0 0 1 1 1 1 1 1 1\n0 0 1 1 1 1 0 1 1 1 1 1 0 0 0 0 1 1 1\n0 1 0 1 1 1 X 0 0 0 1 1 0 0 0 1 0 1 1\n0 1 X 0 1 1 X 0 1 1 0 0 0 0 1 X X 0 0\n0 1 X X 0 1 X X 0 1 0 1 0 1 X X X 0 1\n0,X,X,X,1,X,X,X,1,X,X,0,1,X,X,X,X,X,0"];
      16 -> 11 [label="0\n0\n1\n1\n1\n1\n0\n0"];
      16 -> 17 [label="0\n1\n0\n1\n0\n1\n0\n0"];
      17 -> 1 [label="0 0 0 0 0 0 0 0 0 0 0 1\n0 0 0 0 0 0 1 1 1 1 1 X\n0 1 1 1 1 1 0 0 1 1 1 X\nX 0 0 0 0 0 1 1 0 1 1 X\nX 0 0 0 1 1 1 1 0 1 1 X\nX 0 0 1 0 1 0 1 0 0 1 X\nX 0 1 X X 0 1 X 0 1 X X\nX,1,X,X,X,X,1,X,0,1,X,X"];
      17 -> 10 [label="0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0\n0 0 0 0 0 1 1 1 1 1 1 1 1 1 1 1\n1 1 1 1 1 0 0 0 0 1 1 1 1 1 1 1\n0 1 1 1 1 0 1 1 1 0 0 0 0 1 1 1\n1 0 1 1 1 X 0 1 1 0 0 0 1 0 1 1\n1 X 0 1 1 X X 0 0 0 0 1 X X 0 0\n1 X X 0 1 X X 0 1 0 1 X X X 0 1\nX,X,X,1,X,X,X,X,0,1,X,X,X,X,X,0"];
      17 -> 11 [label="0\n0\n1\n1\n1\n1\n0\n0"];
      17 -> 18 [label="0\n0\n1\n0\n0\n0\n0\n0"];
      18 -> 1 [label="0 0 0 0 0 0 0 0 0 0 0 1\n0 0 0 0 0 0 1 1 1 1 1 X\n0 1 1 1 1 1 0 0 1 1 1 X\nX 0 0 0 0 0 1 1 0 1 1 X\nX 0 0 0 1 1 1 1 0 1 1 X\nX 0 0 1 0 1 0 1 0 0 1 X\nX 0 1 X X 0 1 X 0 1 X X\nX,1,X,X,X,X,1,X,0,1,X,X"];
      18 -> 18 [label="0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0\n0 0 0 0 0 0 1 1 1 1 1 1 1 1 1 1 1\n1 1 1 1 1 1 0 0 0 0 1 1 1 1 1 1 1\n0 0 1 1 1 1 0 1 1 1 0 0 0 0 1 1 1\n0 1 0 1 1 1 X 0 1 1 0 0 0 1 0 1 1\n0 1 X 0 1 1 X X 0 0 0 0 1 X X 0 0\n0 1 X X 0 1 X X 0 1 0 1 X X X 0 1\n0,X,X,X,1,X,X,X,X,0,1,X,X,X,X,X,0"];
      18 -> 19 [label="0\n0\n1\n1\n1\n1\n0\n0"];
      19 -> 1 [label="0 0 0 0 0 0 0 0 0 0 0 1\n0 0 0 0 0 0 1 1 1 1 1 X\n0 1 1 1 1 1 0 0 1 1 1 X\nX 0 0 0 0 0 1 1 0 1 1 X\nX 0 0 0 1 1 1 1 0 1 1 X\nX 0 0 1 0 1 0 1 0 0 1 X\nX 0 1 X X 0 1 X 0 1 X X\nX,1,X,X,X,X,1,X,0,1,X,X"];
      19 -> 18 [label="0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0\n0 0 0 0 0 0 1 1 1 1 1 1 1 1 1 1 1\n1 1 1 1 1 1 0 0 0 0 1 1 1 1 1 1 1\n0 0 1 1 1 1 0 1 1 1 0 0 0 0 1 1 1\n0 1 0 1 1 1 X 0 1 1 0 0 0 1 0 1 1\n0 1 X 0 1 1 X X 0 0 0 0 1 X X 0 0\n0 1 X X 0 1 X X 0 1 0 1 X X X 0 1\n0,0,X,X,1,X,X,X,X,0,1,X,X,X,X,X,0"];
      19 -> 19 [label="0\n0\n1\n1\n1\n1\n0\n0"];
      19 -> 20 [label="0\n0\n1\n0\n1\n1\n1\n1"];
      20 -> 1 [label="0 0 0 0 0 0 0 0 0 0 0 1\n0 0 0 0 0 0 1 1 1 1 1 X\n0 1 1 1 1 1 0 0 1 1 1 X\nX 0 0 0 0 0 1 1 0 1 1 X\nX 0 0 0 1 1 1 1 0 1 1 X\nX 0 0 1 0 1 0 1 0 0 1 X\nX 0 1 X X 0 1 X 0 1 X X\nX,1,X,X,X,X,1,X,0,1,X,X"];
      20 -> 18 [label="0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0\n0 0 0 0 0 0 1 1 1 1 1 1 1 1 1 1 1 1 1\n1 1 1 1 1 1 0 0 0 0 1 1 1 1 1 1 1 1 1\n0 0 1 1 1 1 0 1 1 1 0 0 0 0 1 1 1 1 1\n0 1 0 1 1 1 X 0 1 1 0 0 0 1 0 0 0 1 1\n0 1 X 0 1 1 X X 0 0 0 0 1 X 0 1 1 0 0\n0 1 X X 0 1 X X 0 1 0 1 X X X 0 1 0 1\n0,X,X,X,1,X,X,X,X,0,1,X,X,X,X,1,X,X,0"];
      20 -> 19 [label="0\n0\n1\n1\n1\n1\n0\n0"];
      20 -> 21 [label="0\n1\n1\n1\n0\n1\n0\n0"];
      21 -> 1 [label="0 0 0 0 0 0 0 0 0 0 0 1\n0 0 0 0 0 0 1 1 1 1 1 X\n0 1 1 1 1 1 0 0 1 1 1 X\nX 0 0 0 0 0 1 1 0 1 1 X\nX 0 0 0 1 1 1 1 0 1 1 X\nX 0 0 1 0 1 0 1 0 0 1 X\nX 0 1 X X 0 1 X 0 1 X X\nX,1,X,X,X,X,1,X,0,1,X,X"];
      21 -> 18 [label="0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0\n0 0 0 0 0 0 1 1 1 1 1 1 1 1 1 1 1 1\n1 1 1 1 1 1 0 0 0 0 1 1 1 1 1 1 1 1\n0 0 1 1 1 1 0 1 1 1 0 0 0 0 0 1 1 1\n0 1 0 1 1 1 X 0 1 1 0 0 0 0 1 0 1 1\n0 1 X 0 1 1 X X 0 0 0 0 1 1 X X 0 0\n0 1 X X 0 1 X X 0 1 0 1 0 1 X X 0 1\n0,X,X,X,1,X,X,X,X,0,1,X,1,X,X,X,X,0"];
      21 -> 19 [label="0\n0\n1\n1\n1\n1\n0\n0"];
      21 -> 22 [label="0\n1\n1\n0\n0\n1\n0\n0"];
      22 -> 1 [label="0 0 0 0 0 0 0 0 0 0 0 1\n0 0 0 0 0 0 1 1 1 1 1 X\n0 1 1 1 1 1 0 0 1 1 1 X\nX 0 0 0 0 0 1 1 0 1 1 X\nX 0 0 0 1 1 1 1 0 1 1 X\nX 0 0 1 0 1 0 1 0 0 1 X\nX 0 1 X X 0 1 X 0 1 X X\nX,1,X,X,X,X,1,X,0,1,X,X"];
      22 -> 18 [label="0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0\n0 0 0 0 0 0 1 1 1 1 1 1 1 1 1 1 1\n1 1 1 1 1 1 0 0 0 0 1 1 1 1 1 1 1\n0 0 1 1 1 1 0 1 1 1 0 0 0 0 1 1 1\n0 1 0 1 1 1 X 0 1 1 0 0 0 1 0 1 1\n0 1 X 0 1 1 X X 0 0 0 0 1 X X 0 0\n0 1 X X 0 1 X X 0 1 0 1 X X X 0 1\n0,X,X,X,1,1,X,X,X,0,1,X,X,X,X,X,0"];
      22 -> 19 [label="0\n0\n1\n1\n1\n1\n0\n0"];
      22 -> 23 [label="0\n0\n1\n1\n1\n1\n1\n0"];
      23 -> 1 [label="0 0 0 0 0 0 0 0 0 0 0 1\n0 0 0 0 0 0 1 1 1 1 1 X\n0 1 1 1 1 1 0 0 1 1 1 X\nX 0 0 0 0 0 1 1 0 1 1 X\nX 0 0 0 1 1 1 1 0 1 1 X\nX 0 0 1 0 1 0 1 0 0 1 X\nX 0 1 X X 0 1 X 0 1 X X\nX,1,X,X,X,X,1,X,0,1,X,X"];
      23 -> 18 [label="0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0\n0 0 0 0 0 0 1 1 1 1 1 1 1 1 1 1 1\n1 1 1 1 1 1 0 0 0 0 1 1 1 1 1 1 1\n0 0 1 1 1 1 0 1 1 1 0 0 0 0 1 1 1\n0 1 0 1 1 1 X 0 1 1 0 0 0 1 0 1 1\n0 1 X 0 1 1 X X 0 0 0 0 1 X X 0 0\n0 1 X X 0 1 X X 0 1 0 1 X X X 0 1\n0,X,X,X,1,X,X,X,X,0,1,X,X,X,X,X,0"];
      23 -> 19 [label="0\n0\n1\n1\n1\n1\n0\n0"];
      }

      Here is the graph for the previous automaton (Note: the graph below came from a dot file with altered size property).



      You can also refer to the eps version for more details.
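
The intersection check described above, as an added Python example (not stranger's implementation, which uses BDD-based automata). The sink language `<td>URL: ` + input + `</td>`, the attack pattern Σ*`<SCRIPT`Σ*, and the restriction of Σ to printable ASCII are simplifying assumptions made for this example; all names are hypothetical.

```python
from collections import deque

# Assumption: the alphabet is restricted to printable ASCII to keep sets small.
SIGMA = frozenset(map(chr, range(32, 127)))


def linear_nfa(pieces):
    """Build an NFA for a concatenation of pieces.

    A piece is a literal string, or ('*', chars) for zero or more characters
    drawn from chars. State 0 is the start state and the last state accepts.
    Two '*' pieces in a row are not supported.
    """
    trans, state = [], 0
    for piece in pieces:
        if isinstance(piece, tuple):
            trans.append((state, frozenset(piece[1]), state))    # self-loop
        else:
            for ch in piece:
                trans.append((state, frozenset(ch), state + 1))  # one literal char
                state += 1
    return {"trans": trans, "accept": state}


def intersect_witness(a, b):
    """Shortest string accepted by both NFAs, or None if the intersection is empty.

    Breadth-first search over pairs of states (the product automaton); a pair
    is linked to its successor when both NFAs can move on a common character.
    """
    start, goal = (0, 0), (a["accept"], b["accept"])
    parent = {start: None}
    queue = deque([start])
    while queue:
        pair = queue.popleft()
        if pair == goal:
            chars = []
            while parent[pair] is not None:
                pair, ch = parent[pair]
                chars.append(ch)
            return "".join(reversed(chars))
        p, q = pair
        for src_a, set_a, dst_a in a["trans"]:
            if src_a != p:
                continue
            for src_b, set_b, dst_b in b["trans"]:
                if src_b != q:
                    continue
                common = set_a & set_b
                nxt = (dst_a, dst_b)
                if common and nxt not in parent:
                    parent[nxt] = (pair, min(common))
                    queue.append(nxt)
    return None


def sink_language(input_chars):
    """Assumed model of the echo sink: fixed markup around the user input."""
    return linear_nfa(["<td>URL: ", ("*", input_chars), "</td>"])


# Assumed attack pattern: any string that contains "<SCRIPT".
ATTACK_PATTERN = linear_nfa([("*", SIGMA), "<SCRIPT", ("*", SIGMA)])


def analyze(input_chars):
    """Return a string that reaches the sink and matches the pattern, or None."""
    return intersect_witness(sink_language(input_chars), ATTACK_PATTERN)


if __name__ == "__main__":
    # Input approximated as Σ*: the intersection is non-empty, so a finding is reported.
    print("unsanitized input:", analyze(SIGMA))
    # Input that can never contain '<': the intersection is empty.
    print("'<' removed from input:", analyze(SIGMA - {"<"}))
    # Removing only '>' does not make the intersection empty.
    print("'>' removed from input:", analyze(SIGMA - {">"}))
```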


    • After stranger discovers a vulnerability, it runs an (optional) backward analysis to characterize all possible input values that may result in this vulnerability. The result is an automaton for each input node in the dependency graph that represents (an over-approximation of) all possible values that can be used at this input node to exploit the vulnerability in the vulnerable sink. This automaton is output to the standard output in dot format.
      For our example above, we see that backward analysis has been run for the vulnerable sink, and one automaton is given for the only input that we have, $_GET["www"] at line 9.

      *** XSS Stranger Sanit Backward Analysis BEGIN ***


      Backward analysis automaton result for input node ==> _superglobals.$_GET[www] (9)\n**/vuln01.php ID=19 :
      ----------------------------
      digraph MONA_DFA {
      rankdir = LR;
      center = true;
      size = "7.5,10.5";
      edge [fontname = Courier];
      node [height = .5, width = .5];
      node [shape = doublecircle]; 9;
      node [shape = circle]; 0; 1; 2; 3; 4; 5; 6; 7; 8;
      node [shape = box];
      init [shape = plaintext, label = ""];
      init -> 0;
      0 -> 0 [label="0 0 0 0 0 0 0 1 1 1 1 1 1\n0 0 0 0 0 0 1 0 1 1 1 1 1\n0 1 1 1 1 1 X X 0 1 1 1 1\nX 0 1 1 1 1 X X X 0 1 1 1\nX X 0 1 1 1 X X X X 0 1 1\nX X X 0 1 1 X X X X X 0 1\nX X X X 0 1 X X X X X X 0\nX,X,X,X,1,X,X,X,X,X,X,X,X"];
      0 -> 1 [label="0\n0\n1\n1\n1\n1\n0\n0"];
      0 -> 2 [label="1\n1\n1\n1\n1\n1\n1\nX"];
      1 -> 0 [label="0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0\n0 0 0 0 0 0 1 1 1 1 1 1 1 1 1 1 1 1 1\n1 1 1 1 1 1 0 0 0 0 0 0 1 1 1 1 1 1 1\n0 0 1 1 1 1 0 1 1 1 1 1 0 0 0 0 1 1 1\n0 1 0 1 1 1 X 0 0 0 1 1 0 0 0 1 0 1 1\n0 1 X 0 1 1 X 0 0 1 0 0 0 0 1 X X 0 0\n0 1 X X 0 1 X 0 1 X 0 1 0 1 X X X 0 1\n0,X,X,X,1,X,X,X,0,X,X,0,1,X,X,X,X,X,0"];
      1 -> 1 [label="0 0 0 0 0 0 0 0 0 0 0 0 1 1 1 1 1 1\n0 0 0 0 0 0 0 1 1 1 1 1 0 1 1 1 1 1\n0 1 1 1 1 1 1 0 0 1 1 1 X 0 1 1 1 1\nX 0 0 0 0 0 1 1 1 0 1 1 X X 0 1 1 1\nX 0 0 0 1 1 1 1 1 0 1 1 X X X 0 1 1\nX 0 0 1 0 1 1 0 1 0 0 1 X X X X 0 1\nX 0 1 X X 0 0 1 X 0 1 X X X X X X 0\nX,1,X,X,X,X,0,1,X,0,1,X,X,X,X,X,X,X"];
      1 -> 2 [label="1\n1\n1\n1\n1\n1\n1\nX"];
      1 -> 3 [label="0\n1\n0\n1\n0\n0\n1\n1"];
      2 -> 2 [label="X\nX\nX\nX\nX\nX\nX\nX"];
      3 -> 0 [label="0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0\n0 0 0 0 0 0 1 1 1 1 1 1 1 1 1 1 1 1 1 1\n1 1 1 1 1 1 0 0 0 0 0 0 0 1 1 1 1 1 1 1\n0 0 1 1 1 1 0 0 0 0 1 1 1 0 0 0 0 1 1 1\n0 1 0 1 1 1 0 0 0 1 0 1 1 0 0 0 1 0 1 1\n0 1 X 0 1 1 0 0 1 X X 0 0 0 0 1 X X 0 0\n0 1 X X 0 1 0 1 X X X 0 1 0 1 X X X 0 1\n0,X,X,X,1,X,X,0,X,X,X,X,0,1,X,X,X,X,X,0"];
      3 -> 1 [label="0\n0\n1\n1\n1\n1\n0\n0"];
      3 -> 2 [label="1\n1\n1\n1\n1\n1\n1\nX"];
      3 -> 3 [label="0 0 0 0 0 0 0 0 0 0 0 1 1 1 1 1 1\n0 0 0 0 0 0 1 1 1 1 1 0 1 1 1 1 1\n0 1 1 1 1 1 0 0 1 1 1 X 0 1 1 1 1\nX 0 0 0 0 0 1 1 0 1 1 X X 0 1 1 1\nX 0 0 0 1 1 1 1 0 1 1 X X X 0 1 1\nX 0 0 1 0 1 0 1 0 0 1 X X X X 0 1\nX 0 1 X X 0 1 X 0 1 X X X X X X 0\nX,1,X,X,X,X,1,X,0,1,X,X,X,X,X,X,X"];
      3 -> 4 [label="0\n1\n0\n0\n0\n0\n1\n1"];
      4 -> 0 [label="0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0\n0 0 0 0 0 0 1 1 1 1 1 1 1 1 1 1 1 1 1\n1 1 1 1 1 1 0 0 0 0 0 0 1 1 1 1 1 1 1\n0 0 1 1 1 1 0 1 1 1 1 1 0 0 0 0 1 1 1\n0 1 0 1 1 1 X 0 0 0 1 1 0 0 0 1 0 1 1\n0 1 X 0 1 1 X 0 0 1 0 0 0 0 1 X X 0 0\n0 1 X X 0 1 X 0 1 X 0 1 0 1 X X X 0 1\n0,X,X,X,1,X,X,X,1,X,X,0,1,X,X,X,X,X,0"];
      4 -> 1 [label="0\n0\n1\n1\n1\n1\n0\n0"];
      4 -> 2 [label="1\n1\n1\n1\n1\n1\n1\nX"];
      4 -> 4 [label="0 0 0 0 0 0 0 0 0 0 0 1 1 1 1 1 1\n0 0 0 0 0 0 1 1 1 1 1 0 1 1 1 1 1\n0 1 1 1 1 1 0 0 1 1 1 X 0 1 1 1 1\nX 0 0 0 0 0 1 1 0 1 1 X X 0 1 1 1\nX 0 0 0 1 1 1 1 0 1 1 X X X 0 1 1\nX 0 0 1 0 1 0 1 0 0 1 X X X X 0 1\nX 0 1 X X 0 1 X 0 1 X X X X X X 0\nX,1,X,X,X,X,1,X,0,1,X,X,X,X,X,X,X"];
      4 -> 5 [label="0\n1\n0\n1\n0\n0\n1\n0"];
      5 -> 0 [label="0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0\n0 0 0 0 0 0 1 1 1 1 1 1 1 1 1 1 1 1 1 1\n1 1 1 1 1 1 0 0 0 0 0 0 0 1 1 1 1 1 1 1\n0 0 1 1 1 1 0 0 0 0 1 1 1 0 0 0 0 1 1 1\n0 1 0 1 1 1 0 1 1 1 0 1 1 0 0 0 1 0 1 1\n0 1 X 0 1 1 X 0 0 1 X 0 0 0 0 1 X X 0 0\n0 1 X X 0 1 X 0 1 X X 0 1 0 1 X X X 0 1\n0,X,X,X,1,X,X,0,X,X,X,X,0,1,X,X,X,X,X,0"];
      5 -> 1 [label="0\n0\n1\n1\n1\n1\n0\n0"];
      5 -> 2 [label="1\n1\n1\n1\n1\n1\n1\nX"];
      5 -> 5 [label="0 0 0 0 0 0 0 0 0 0 0 1 1 1 1 1 1\n0 0 0 0 0 0 1 1 1 1 1 0 1 1 1 1 1\n0 1 1 1 1 1 0 0 1 1 1 X 0 1 1 1 1\nX 0 0 0 0 0 1 1 0 1 1 X X 0 1 1 1\nX 0 0 0 1 1 1 1 0 1 1 X X X 0 1 1\nX 0 0 1 0 1 0 1 0 0 1 X X X X 0 1\nX 0 1 X X 0 1 X 0 1 X X X X X X 0\nX,1,X,X,X,X,1,X,0,1,X,X,X,X,X,X,X"];
      5 -> 6 [label="0\n1\n0\n0\n1\n0\n0\n1"];
      6 -> 0 [label="0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0\n0 0 0 0 0 0 1 1 1 1 1 1 1 1 1 1 1 1 1\n1 1 1 1 1 1 0 0 0 0 0 0 1 1 1 1 1 1 1\n0 0 1 1 1 1 0 1 1 1 1 1 0 0 0 0 1 1 1\n0 1 0 1 1 1 X 0 0 0 1 1 0 0 0 1 0 1 1\n0 1 X 0 1 1 X 0 0 1 0 0 0 0 1 X X 0 0\n0 1 X X 0 1 X 0 1 X 0 1 0 1 X X X 0 1\n0,X,X,X,1,X,X,1,X,X,X,0,1,X,X,X,X,X,0"];
      6 -> 1 [label="0\n0\n1\n1\n1\n1\n0\n0"];
      6 -> 2 [label="1\n1\n1\n1\n1\n1\n1\nX"];
      6 -> 6 [label="0 0 0 0 0 0 0 0 0 0 0 1 1 1 1 1 1\n0 0 0 0 0 0 1 1 1 1 1 0 1 1 1 1 1\n0 1 1 1 1 1 0 0 1 1 1 X 0 1 1 1 1\nX 0 0 0 0 0 1 1 0 1 1 X X 0 1 1 1\nX 0 0 0 1 1 1 1 0 1 1 X X X 0 1 1\nX 0 0 1 0 1 0 1 0 0 1 X X X X 0 1\nX 0 1 X X 0 1 X 0 1 X X X X X X 0\nX,1,X,X,X,X,1,X,0,1,X,X,X,X,X,X,X"];
      6 -> 7 [label="0\n1\n0\n1\n0\n0\n0\n0"];
      7 -> 0 [label="0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0\n0 0 0 0 0 0 1 1 1 1 1 1 1 1 1 1 1 1 1\n1 1 1 1 1 1 0 0 0 0 0 0 1 1 1 1 1 1 1\n0 0 1 1 1 1 0 1 1 1 1 1 0 0 0 0 1 1 1\n0 1 0 1 1 1 X 0 0 0 1 1 0 0 0 1 0 1 1\n0 1 X 0 1 1 X 0 1 1 0 0 0 0 1 X X 0 0\n0 1 X X 0 1 X X 0 1 0 1 0 1 X X X 0 1\n0,X,X,X,1,X,X,X,1,X,X,0,1,X,X,X,X,X,0"];
      7 -> 1 [label="0\n0\n1\n1\n1\n1\n0\n0"];
      7 -> 2 [label="1\n1\n1\n1\n1\n1\n1\nX"];
      7 -> 7 [label="0 0 0 0 0 0 0 0 0 0 0 1 1 1 1 1 1\n0 0 0 0 0 0 1 1 1 1 1 0 1 1 1 1 1\n0 1 1 1 1 1 0 0 1 1 1 X 0 1 1 1 1\nX 0 0 0 0 0 1 1 0 1 1 X X 0 1 1 1\nX 0 0 0 1 1 1 1 0 1 1 X X X 0 1 1\nX 0 0 1 0 1 0 1 0 0 1 X X X X 0 1\nX 0 1 X X 0 1 X 0 1 X X X X X X 0\nX,1,X,X,X,X,1,X,0,1,X,X,X,X,X,X,X"];
      7 -> 8 [label="0\n1\n0\n1\n0\n1\n0\n0"];
      8 -> 0 [label="0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0\n0 0 0 0 0 1 1 1 1 1 1 1 1 1 1 1\n1 1 1 1 1 0 0 0 0 1 1 1 1 1 1 1\n0 1 1 1 1 0 1 1 1 0 0 0 0 1 1 1\n1 0 1 1 1 X 0 1 1 0 0 0 1 0 1 1\n1 X 0 1 1 X X 0 0 0 0 1 X X 0 0\n1 X X 0 1 X X 0 1 0 1 X X X 0 1\nX,X,X,1,X,X,X,X,0,1,X,X,X,X,X,0"];
      8 -> 1 [label="0\n0\n1\n1\n1\n1\n0\n0"];
      8 -> 2 [label="1\n1\n1\n1\n1\n1\n1\nX"];
      8 -> 8 [label="0 0 0 0 0 0 0 0 0 0 0 1 1 1 1 1 1\n0 0 0 0 0 0 1 1 1 1 1 0 1 1 1 1 1\n0 1 1 1 1 1 0 0 1 1 1 X 0 1 1 1 1\nX 0 0 0 0 0 1 1 0 1 1 X X 0 1 1 1\nX 0 0 0 1 1 1 1 0 1 1 X X X 0 1 1\nX 0 0 1 0 1 0 1 0 0 1 X X X X 0 1\nX 0 1 X X 0 1 X 0 1 X X X X X X 0\nX,1,X,X,X,X,1,X,0,1,X,X,X,X,X,X,X"];
      8 -> 9 [label="0\n0\n1\n0\n0\n0\n0\n0"];
      9 -> 2 [label="1\n1\n1\n1\n1\n1\n1\nX"];
      9 -> 9 [label="0 1 1 1 1 1 1\nX 0 1 1 1 1 1\nX X 0 1 1 1 1\nX X X 0 1 1 1\nX X X X 0 1 1\nX X X X X 0 1\nX X X X X X 0\nX,X,X,X,X,X,X"];
      }
      ----------------------------

      *** XSS Stranger Sanit Backward Analysis End ***

      Here is the graph for the previous automaton (Note: the graph below came from a dot file with altered size property).



      You can also refer to the eps version for more details.

      This automaton is equivalent to the following regular expression: Σ******* * where Σ is the ASCII alphabet and α is any character that is in the set accepted by the regular expression [A-Za-z .-@:/] e.g. !. This tells you that if you pass an input such as <!SCR@IPT> to vuln01.php then it will reach the echo sink as <SCRIPT>.


There are many options that can be used to fine tune the analysis performed by stranger. The best way to change these options is by editing the two provided python scripts. There are four important parameters that you can edit:

  • You can edit the value of the script variable analyses to decide which analyses to run. analyses is a string variable that takes a list of names separated by colons. This list includes xssstranger for XSS analysis, sqlstranger for SQLI analysis and mfestranger for MFE analysis. For example, the default value for this variable in the provided script is xssstranger:sqlstranger:mfestranger and it is specified as follows:

    analyses = 'xssstranger:sqlstranger:mfestranger'

    This runs all three types of analysis supported by stranger. If the user wants to run only XSS analysis then she can change this variable to:

    analyses = 'xssstranger'

    If on the other hand she wants to run SQLI and MFE only then:

    analyses = 'sqlstranger:mfestranger'

    The value of this variable will be passed to stranger by the script through the command line option -y.

  • An attack pattern is a regular expression that specifies all problematic strings - those that may result in a vulnerability - to check against. You can use the string variable attackptrn to specify the attack patterns for the analyses you want to run. The regular expression has to be delimited at the beginning and the end by a forward slash /. It should also follow the syntax specified here. YOU MUST PROVIDE AN ATTACK PATTERN FOR EACH TYPE OF ANALYSIS SPECIFIED IN THE analyses VARIABLE MENTIONED PREVIOUSLY. These attack patterns should be specified in a colon-separated list IN THE SAME ORDER AS THEIR CORRESPONDING ANALYSIS TYPES SPECIFIED IN analyses. An empty attack pattern (just the delimiters //) may be specified if the user does not have one. Here is an example that specifies three attack patterns corresponding to the analyses xssstranger:sqlstranger:mfestranger specified by default in the script:

    attackptrn = "/.*\\<SCRIPT .*\\>.*/:/.*' or 1=1 '.*/:/.*/evil.*/"

    Note that < is a special character in our regular expression syntax, so it needs to be escaped by a backslash \. Another backslash \ is needed to escape the first one in a Python string. Also note how every attack pattern is specified between two forward slashes /.

  • There are two parts of stranger that consume memory. libstranger.so is the biggest consumer; it uses memory to store and manipulate strings through symbolic automata. The taint analyzer, on the other hand, consumes memory from the JVM heap to run the preliminary analyses. Therefore, the user should balance the amount of memory given to each of the two parts by controlling the amount of memory provided to the JVM (the remainder should be left to libstranger.so along with the other programs running on the machine). You can change this by editing the following line in the provided python scripts:

    os.system('java -Xms32m -Xmx256m -Dpixy.home="'+mypath+'" -Djna.library.path="'+strangerPath+'" -jar stranger.jar -o '+outputdir+' -a -g -W 5 -C 40 -B -y '+ analyses + ' -k "' + attackptrn + '" ' + scriptName)

    In the previous code, two parameters are passed to the JVM to control its heap memory:
    • -Xms: the least amount of memory given to the JVM heap. Here we give it at least 32 MB.
    • -Xmx: the largest amount of memory that can be consumed by the JVM heap. Here we give it at most 256 MB.
    Note that the amount of memory given here to the Java part of stranger is small. That is because libstranger.so (the stranger C library) is by far the biggest consumer of memory in stranger. This memory is used to manipulate the automata that represent string values in the analyzed PHP script. Only the pointers to these automata are exchanged back and forth between the Java part and libstranger.so through JNA.

  • Two widening operators are used by stranger to guarantee and accelerate the convergence of the fixed-point computation for loops while analyzing PHP scripts.
    • Precise widening operator
      This operator helps accelerate the convergence of the fixed-point computation. The user can control the number of fixed-point iterations that run before this operator is first applied through the stranger option -W. (Note that before using widening, we only apply union.)
    • Coarse widening operator
      This operator guarantees the convergence of the fixed-point computation. The user can control the number of fixed-point iterations that run before this operator is first applied through the stranger option -C.
    The user can change the default values for these two options by editing the following line in the python scripts:

    os.system('java -Xms32m -Xmx256m -Dpixy.home="'+mypath+'" -Djna.library.path="'+strangerPath+'" -jar stranger.jar -o '+outputdir+' -a -g -W 5 -C 40 -B -y '+ analyses + ' -k "' + attackptrn + '" ' + scriptName)

    The default values used above are 5 iterations before applying the precise widening and 40 iterations before applying the coarse widening.
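
The following is an added example, not code from stranger or its scripts: it checks that analyses and attackptrn agree in count, order and delimiters before anything is launched, and builds the same java command as an argument list so the pattern's quotes and backslashes never pass through a shell. The function names are hypothetical, and splitting the pattern list at a colon that sits between two slashes is an assumption about how the list is meant to be read.

```python
import re

KNOWN = ("xssstranger", "sqlstranger", "mfestranger")   # analysis names from this page
DEFAULT_ANALYSES = "xssstranger:sqlstranger:mfestranger"
DEFAULT_PTRN = "/.*\\<SCRIPT .*\\>.*/:/.*' or 1=1 '.*/:/.*/evil.*/"


def pair_patterns(analyses, attackptrn):
    """Return [(analysis, pattern), ...] or raise ValueError on a bad configuration."""
    names = analyses.split(":")
    unknown = [n for n in names if n not in KNOWN]
    if unknown:
        raise ValueError("unknown analysis name(s): %s" % ", ".join(unknown))
    # Assumption: a colon separates two patterns only when it sits between the
    # closing '/' of one pattern and the opening '/' of the next.
    patterns = re.split(r"(?<=/):(?=/)", attackptrn)
    if len(patterns) != len(names):
        raise ValueError("%d analyses but %d attack patterns" % (len(names), len(patterns)))
    for name, ptrn in zip(names, patterns):
        if len(ptrn) < 2 or not (ptrn.startswith("/") and ptrn.endswith("/")):
            raise ValueError("pattern for %s is not delimited by '/': %r" % (name, ptrn))
    return list(zip(names, patterns))


def build_argv(analyses, attackptrn, script_name, outputdir, mypath, stranger_path,
               xms="32m", xmx="256m", precise=5, coarse=40):
    """Build the java command as an argument list (no shell involved)."""
    pair_patterns(analyses, attackptrn)          # refuse to run a mismatched config
    return ["java", "-Xms" + xms, "-Xmx" + xmx,
            "-Dpixy.home=" + mypath, "-Djna.library.path=" + stranger_path,
            "-jar", "stranger.jar", "-o", outputdir, "-a", "-g",
            "-W", str(precise), "-C", str(coarse), "-B",
            "-y", analyses, "-k", attackptrn, script_name]


if __name__ == "__main__":
    for name, ptrn in pair_patterns(DEFAULT_ANALYSES, DEFAULT_PTRN):
        print("%-12s %s" % (name, ptrn))
    # Paths below are placeholders; pass the list to subprocess.run(argv) to launch.
    print(build_argv("xssstranger", "/.*\\<SCRIPT .*\\>.*/", "vuln01.php",
                     "output", "/path/to/stranger", "/path/to/stranger/lib"))
```

A pattern that itself contains the sequence /:/ would be split in the wrong place by this check, so keep such a pattern out of the list or adjust the split rule.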