Monday, July 09, 2007

PHP Code Scanners

Investigating source code for possible security flaws is an important part of a security assessment. Common source code flaws include trusting untrustworthy input, allowing executable strings in data input, buffer overflows, and timing flaws.

There are code scanners for C, Java and other common languages.

The growth in Web-based applications means that the focus of code flaws has shifted to common Web programming languages.

I've found two tools specifically designed for analyzing PHP code:

- PHP security scanner from http://securityscanner.lostfiles.de/

- Pixy from http://pixybox.seclab.tuwien.ac.at/pixy/

These tools can both provide some useful information. Unfortunately, both lack certain key functionality, and both look like fully-functioning prototypes that are no longer actively maintained.

The PHP Security Scanner tool requires that you install it under your Apache server's document root. It requires a pre-existing MySQL service. In addition, two PHP packages, Smarty and PEAR, are required; both should be installed in the same directory as the tool. Ideally, PHP Security Scanner would include these as part of the install process.

The PHP Security Scanner tool will automatically search for PHP source files, starting at a given document root. I like this feature - it allows reviewing an entire Web site in one execution. It also has the ability to force the inclusion or exclusion of specific files via a black/white list filter. I did not review this feature (maybe in the future).

Flaws are found via a regex match - no parsing of PHP code is performed. It looks for "dangerous" operations with a variable (any variable) as an operand, regardless of where that variable's value came from.

Results from PHP Security Scanner are displayed as a Web page. While very visually attractive, I question the sanity of displaying your Web server's vulnerabilities using that very same server. Advertising your vulnerabilities on a Web page is not very smart.

Some of the messages shown in the results are a bit generic. The regex patterns and the error messages are stored in a MySQL database, and thus are easily editable.

Pixy actually attempts to parse the PHP syntax, to determine the severity of a code flaw based on its role. Pixy attempts to track the flow of "tainted" (untrustworthy) values through the program using data flow analysis. A paper presented at the IEEE Security and Privacy conference describes the approach in more detail.
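To illustrate the difference between the two approaches, here is an added example (not code from either tool) that scans a constructed PHP fragment first with a regex-only rule like PHP Security Scanner's, then with a crude line-level taint analysis in the spirit of Pixy's. The sink, source and sanitizer lists are assumptions for the toy; real data flow analysis works on a parsed program, not on lines.

```python
import re

# Constructed sample PHP file (not from the post); one statement per line.
PHP_SAMPLE = """<?php
$name = $_GET['name'];
$safe = htmlspecialchars($name);
echo $safe;
echo $name;
$id = 42;
mysql_query("SELECT * FROM t WHERE id = $id");
$q = "SELECT * FROM t WHERE id = " . $_GET['id'];
mysql_query($q);
"""

SINKS = re.compile(r'\b(echo|print|eval|system|mysql_query)\b')   # assumed sink list
VAR = re.compile(r'\$[A-Za-z_]\w*')
SOURCES = re.compile(r'\$_(GET|POST|COOKIE|REQUEST)\b')             # user-controlled input
SANITIZERS = re.compile(r'\s*(htmlspecialchars|intval|mysql_real_escape_string)\s*\(')
ASSIGN = re.compile(r'^\s*(\$[A-Za-z_]\w*)\s*=(?!=)\s*(.*);\s*$')

def regex_scan(src):
    """Pattern-only approach: any sink with any variable operand is flagged."""
    return [no for no, line in enumerate(src.splitlines(), 1)
            if SINKS.search(line) and VAR.search(line)]

def taint_scan(src):
    """Line-level taint tracking: a sink is flagged only if a tainted value reaches it."""
    tainted = set()   # variables currently holding user-controlled data
    hits = []

    def is_tainted(expr):
        if SANITIZERS.match(expr):
            return False  # whole expression is wrapped in a sanitizer
        return bool(SOURCES.search(expr)) or any(v in tainted for v in VAR.findall(expr))

    for no, line in enumerate(src.splitlines(), 1):
        m = ASSIGN.match(line)
        if m:                       # assignment: propagate or clear taint on the LHS
            lhs, rhs = m.groups()
            if is_tainted(rhs):
                tainted.add(lhs)
            else:
                tainted.discard(lhs)
            continue
        s = SINKS.search(line)      # sink: look only at its operand
        if s and is_tainted(line[s.end():].strip().lstrip('(')):
            hits.append(no)
    return hits
```

On the sample, the regex scan reports lines 4, 5, 7 and 9 (two of them false positives: an escaped string and an integer literal), while the taint scan reports only lines 5 and 9.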

Pixy is written in Java, and specifically requires JRE 1.5 or more recent from Sun (it will NOT work with the GNU version of Java). Installing Sun Java on my Ubuntu test system was more of a pain than I first realized.

The output from Pixy is plain text, not as visually stunning as the HTML from PHP Security Scanner. Interpreting the output seems challenging as well. I consider myself fairly well versed in security and had a tough time figuring out what the messages meant.