This is default featured slide 1 title

Go to Blogger edit html and find these sentences.Now replace these sentences with your own descriptions.

This is default featured slide 2 title

Go to Blogger edit html and find these sentences.Now replace these sentences with your own descriptions.

This is default featured slide 3 title

Go to Blogger edit html and find these sentences.Now replace these sentences with your own descriptions.

This is default featured slide 4 title

Go to Blogger edit html and find these sentences.Now replace these sentences with your own descriptions.

This is default featured slide 5 title

Go to Blogger edit html and find these sentences.Now replace these sentences with your own descriptions.

Showing posts with label PHP security testing. Show all posts
Showing posts with label PHP security testing. Show all posts

Web Application Protection - Tool to detect and correct vulnerabilities in PHP web applications

November 10, 2014  , , , , , , , , , ,  


WAP 2.0 is a source code static analysis and data mining tool to detect and correct input validation vulnerabilities in web applications written in PHP (version 4.0 or higher) and with a low rate of false positives. WAP detects and corrects the following vulnerabilities:
  • SQL Injection (SQLI)
  • Cross-site scripting (XSS)
  • Remote File Inclusion (RFI)
  • Local File Inclusion (LFI)
  • Directory Traversal or Path Traversal (DT/PT)
  • Source Code Disclosure (SCD)
  • OS Command Injection (OSCI)
  • PHP Code Injection

This tool semantically analyses the source code. More precisely, it does taint analysis (data-flow analysis) to detect the input validation vulnerabilities. The aim of the taint analysis is to track malicious inputs inserted by entry points ($_GET, $_POST arrays) and to verify if they reaches some sensitive sink (PHP functions that can be exploited by malicious input). After the detection, the tool uses data mining to confirm if the vulnerabilities are real or false positives. At the end, the real vulnerabilities are corrected with the insertion of the fixes (small pieces of code) in the source code. WAP is written in Java language and is constituted by three modules:
  • Code Analyzer: composed by tree generator and taint analyser. The tool has integrated a lexer and a parser generated by ANTLR, and based in a grammar and a tree grammar written to PHP language. The tree generator uses the lexer and the parser to build the AST (Abstract Sintatic Tree) to each PHP file. The taint analyzer performs the taint analysis navigating through the AST to detect potentials vulnerabilities.

  • False Positives Predictor: composed by a supervised trained data set with instances classified as being vulnerabilities and false positives and by the Logistic Regression machine learning algorithm. For each potential vulnerability detected by code analyser, this module collects the presence of the attributes that define a false positive. Then, the Logistic Regression algorithm receives them and classifies the instance as being a false positive or not (real vulnerability).

  • Code Corrector: Each real vulnerability is removed by correction of its source code. This module for the type of vulnerability selects the fix that removes the vulnerability and signalizes the places in the source code where the fix will be inserted. Then, the code is corrected with the insertion of the fixes and new files are created.     

Read More

PHP Secure Configuration Checker - Check current PHP configuration for potential security flaws

September 08, 2014  , , , , ,  


Among the most tedious tasks of PHP security testing is the check for insecure PHP configuration. As a successor of our PHP Security Poster, we have created a script to help system administrators as well as security professionals to assess the state of php.ini and related topics as quickly and as thoroughly as possible. For later reference, the script is called "PHP Secure Configuration Checker" , or pcc.

Inspiration and previous work

  • phpinfo(): Just like phpinfo() the pcc is supposed to give a brief overview of security related configuration issues.
  • phpsecinfo: This is an alternative project that appears to have been discontinued in 2007.
  • SektionEins PHP Security Poster (2009-2011): Some text snippets and recommendations of our own work we put into the popular poster have been reused.


Ideas, Features and Software Design

  • One single file for easy distribution: In respect to an update process and access restrictions, a single file can be handled easier than a whole web application monster.
  • Simple tests for each security related ini entry: Testing php.ini on a live system is the main aspect of this project. Each entry is supposed to be checked or otherwise actively ignored.
  • A few other tests: pcc is not restricted to php.ini checks. Other ideas can be implemented as well.
  • Compatibility: PHP 5.4 is supposed to work. Older PHP versions are not supposed to be used in the wild anyway.
  • NO complicated/overengineered code, e.g. no classes/interfaces, test-frameworks, libraries, ...: In most cases, a recommendation is based on a simple boolean decision, e.g. is it 1 or is it 0. The corresponding code is supposed to reflect this simplicity. Also, simple code leads to fewer programming errors.
  • Novice factor: The result is supposed to help secure the PHP environment. There is no need to obfuscate, encrypt or hide the code. Even unexperienced developers or system administrators may take a glance at the code - free of charge.
  • NO (or very few) dependencies: pcc is supposed to run in the most simplistic (yet still realistically sane) PHP environment. Writing files and loading bloated library code should be avoided.
  • Safeguards: In order to prevent information disclosure, IP restrictions are implemented, as well as a lock-out mechanism based on the script's modification time.
  • Suhosin: pcc checks the correct configuration of the Suhosin extension.

Read More
Subscribe to: Posts (Atom)