How to create a call graph for a PHP web application

The web has evolved into a full-fledged software delivery platform where users increasingly rely on web applications instead of traditional local applications[1]. The constant improvement of programming languages such as PHP and Javascript allows developers to provide a wide range of complicated applications for users. PHP web applications such as WordPress has been used on over 39% of all the servers around the world[2].

The increase in the features requires a more complicated source code for a web application. As a result, the expansion of the source code can lead to security vulnerabilities that need our attention. Debugging the code base of a web application can be time-consuming and tiresome. This is the place where the debugging tools help us by providing more information regarding the functionality of each section of the code in the web application. In the next few posts, I want to explain how we can implement our own simple static analysis to create the call graph of a web application.

A call graph represents a directed graph where each node indicates a function or a method in our program. The edges in a call graph are drawn between two nodes when the first node calls the second node in our graph. I am going to show this by example. Consider the following snippet of code:

A simple PHP script

In the above example, our script invokes the function “b” and function “b” calls the function “a”. Both function “a” and “b” invoke the PHP built-in function echo. The call graph for our example looks like this:

Call graph

To create a call graph of a PHP web application statically, we need to parse each script in the source code. By parsing the scripts, we will be able to differentiate between various statements written in each script. To do so, I am going to use php-parser which is written in the Go programming language. php-parser will generate an abstract syntax tree(AST) of each script which allows us to traverse this tree and identify function/method calls. The php-parser library will make our life easier to generate the call graph statically. In the next post, I am going to explain the first part of our static analysis which is identifying implemented functions, methods, and classes in a web application.


[1]Azad, Babak Amin, Pierre Laperdrix, and Nick Nikiforakis. “Less is more: quantifying the security benefits of debloating web applications.” 28th USENIX Security Symposium 2019.




Get the Medium app

A button that says 'Download on the App Store', and if clicked it will lead you to the iOS App store
A button that says 'Get it on, Google Play', and if clicked it will lead you to the Google Play store