Static security analysis using a hybrid representation of string values

What is claimed is: 1. A method for creating a hybrid string representation, comprising: receiving string information as input; parsing the string information to produce one or more string components using a processor; determining string components that may be represented concretely by comparing the one or more components to a set of known concretizations, wherein the set of known concretizations includes string configurations that cannot be interfered with by an attacker; abstracting all string components that could not be represented concretely; and creating a hybrid string representation that includes at least one concrete string component and at least one abstracted string component. 2. The method of claim 1 , wherein the set of known concretizations includes strings that refer to a page's uniform resource location. 3. The method of claim 2 , wherein the set of known concretizations includes strings that include the JavaScript® object “document.location”. 4. The method of claim 1 , further comprising binding between an external configuration file and string variables to automatically concretize a string component. 5. The method of claim 4 , wherein said binding comprises monitoring framework interfaces used to retrieve string values from the configuration files. 6. The method of claim 1 , wherein abstracting string components comprises replacing a string component with one or more regular expressions. 7. The method of claim 1 , wherein creating a hybrid string representation comprises concatenating said at least one concrete string component and said at least one abstracted string component. 8. The method of claim 1 , wherein the string information comprises a combination of program code and markup code. 9. A method for static analysis, comprising: receiving string information comprising program code as input; parsing the string information to produce one or more string components using a processor; determining string components that may be represented concretely by comparing the one or more components to a set of known concretizations, wherein the set of known concretizations includes string configurations that cannot be interfered with by an attacker; abstracting all string components that could not be represented concretely; creating a hybrid string representation that includes at least one concrete string component and at least one abstracted string component; and performing a taint analysis on the hybrid string representation to locate potential vulnerabilities. 10. The method of claim 9 , wherein the set of known concretizations includes strings that refer to a page's uniform resource location. 11. The method of claim 10 , wherein the set of known concretizations includes strings that include the JavaScript® object “document.location”. 12. The method of claim 9 , further comprising binding between an external configuration file and string variables to automatically concretize a string component. 13. The method of claim 12 , wherein said binding comprises monitoring framework interfaces used to retrieve string values from the configuration files. 14. The method of claim 9 , wherein abstracting string components comprises replacing a string component with one or more regular expressions. 15. The method of claim 9 , wherein creating a hybrid string representation comprises concatenating said at least one concrete string component and said at least one abstracted string component. 16. The method of claim 9 , wherein the string information comprises a combination of program code and markup code. 17. A non-transitory computer readable storage medium comprising a computer readable program for creating a hybrid string representation, wherein the computer readable program when executed on a computer causes the computer to perform the steps of: receiving string information as input; parsing the string information to produce one or more string components using a processor; determining string components that may be represented concretely by comparing the one or more components to a set of known concretizations, wherein the set of known concretizations includes string configurations that cannot be interfered with by an attacker; abstracting all string components that could not be represented concretely; creating a hybrid string representation that includes at least one concrete string component and at least one abstracted string component. 18. A non-transitory computer readable storage medium comprising a computer readable program for static analysis, wherein the computer readable program when executed on a computer causes the computer to perform the steps of: receiving string information comprising program code as input; parsing the string information to produce one or more string components using a processor; determining string components that may be represented concretely by comparing the one or more components to a set of known concretizations, wherein the set of known concretizations includes string configurations that cannot be interfered with by an attacker; abstracting all string components that could not be represented concretely; creating a hybrid string representation that includes at least one concrete string component and at least one abstracted string component; performing a taint analysis on the hybrid string representation to locate potential vulnerabilities.