 Wednesday, 07 January 2009
BostonPHP Forum  


phpsecscan - 2005/09/11 14:48

PHP Security reminds me of a quote attributed to Winston Churchill who,
when asked if he thought the British Generals were a match for the German
Generals, replied, "I don't know about the enemy, but they scare the hell
out of me!" PHP Security (or rather the lack thereof) scares the hell out
of me; I'm always afraid I'm going to miss one small little thing and
WHAM! major implications. To that end I've been thinking of writing some
tools to perform formal analysis of PHP scripts *including* the
environment that they're running on. Some of this stuff is easy enough to
automate. For instance, by checking php.ini and scanning the Document Root
of the PHP scripts to analyze, one should be able to infer if proper
escaping, etc., is performed explicitly or via 'magic_quotes', etc. Both
reports and tools for analyzing SQL Injection Attacks. Determination of
include files contained within the Document Root Directory, etc. Simple
stuff, but packaged into one tool for a newbie or for a more experienced
developer, blah, blah, blah.

I have done some cursory searches for a tool like this on Google and
SourceForge and so far have seen nothing. I'm interested in heading up a
project (phpsecscan) to tackle this if anyone else in the group is
interested as well. I'm a C/C++ hacker, but I think any decent language
would be welcomed (Java, Perl, etc.).

Wren
wren [at] hunt [dot] org
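Editor's note: the post sketches the two halves of such a scanner (inspect php.ini for the environment, then walk the scripts for unescaped input reaching SQL and include sinks). The Python below is an added illustration of that sketch, not code from the proposed phpsecscan project or from the poster. The php.ini fragment and the PHP script it scans are constructed sample inputs, and the regex-based, line-by-line taint propagation is a deliberately simple heuristic (it ignores control flow and treats any escaping call on an assignment as sanitising the whole expression); a real tool would work on a token stream or AST.

```python
import re

# Constructed php.ini fragment (not from any real deployment).
SAMPLE_INI = """
; constructed fragment: magic_quotes on, remote fopen on
magic_quotes_gpc = On
register_globals = Off
allow_url_fopen = On
"""

# Constructed PHP script: two injectable queries, one escaped query,
# one attacker-controlled include path and one static include.
SAMPLE_PHP = r"""<?php
// constructed sample script
$id = $_GET['id'];
$r = mysql_query("SELECT * FROM users WHERE id = $id");
$name = mysql_real_escape_string($_POST['name']);
$r2 = mysql_query("SELECT * FROM users WHERE name = '$name'");
include($_GET['page'] . '.php');
include 'lib/db.php';
$q = "DELETE FROM t WHERE id=" . $_POST['id'];
mysql_query($q);
"""

ON_VALUES = ("on", "1", "true", "yes")
SUPERGLOBAL_RE = re.compile(r"\$(?:_GET|_POST|_REQUEST|_COOKIE)\[")
ASSIGN_RE = re.compile(r"^\s*\$(\w+)\s*=(?!=)\s*(.*?);\s*$")
VAR_RE = re.compile(r"\$(\w+)")
QUERY_RE = re.compile(r"\b(?:mysql_query|mysqli_query|pg_query)\s*\((.*)\)")
INCLUDE_RE = re.compile(r"\b(?:include|require)(?:_once)?\b\s*\(?\s*(.*?)\)?\s*;")
ESCAPE_RE = re.compile(r"\b(?:mysql_real_escape_string|mysqli_real_escape_string|intval|addslashes)\s*\(")


def parse_ini(text):
    """Parse 'key = value' lines; ';' starts a comment. Keys and values are lowercased."""
    settings = {}
    for raw in text.splitlines():
        line = raw.split(";", 1)[0].strip()
        if "=" not in line:
            continue
        key, value = line.split("=", 1)
        settings[key.strip().lower()] = value.strip().strip('"').lower()
    return settings


def check_ini(settings):
    """Flag php.ini settings that weaken the environment the scripts run in."""
    on = lambda key: settings.get(key, "off") in ON_VALUES
    findings = []
    if on("magic_quotes_gpc"):
        findings.append("magic_quotes_gpc=On: escaping is implicit and incomplete; code relying on it breaks when it is off")
    if on("register_globals"):
        findings.append("register_globals=On: request parameters become variables; uninitialised variables are attacker-controlled")
    if on("allow_url_fopen"):
        findings.append("allow_url_fopen=On: an include of attacker-controlled text can load remote code")
    return findings


def is_tainted(expr, tainted):
    """True if expr reads a request superglobal or a variable already marked tainted."""
    if SUPERGLOBAL_RE.search(expr):
        return True
    return any(v in tainted for v in VAR_RE.findall(expr))


def scan_php(source):
    """Line-by-line taint propagation: superglobal -> variable -> query/include sink.
    Returns (line number, kind, source line) tuples."""
    tainted = set()
    findings = []
    for lineno, line in enumerate(source.splitlines(), 1):
        code = line.strip()
        if code.startswith(("//", "#")):
            continue
        m = ASSIGN_RE.match(line)
        if m:
            var, rhs = m.group(1), m.group(2)
            if ESCAPE_RE.search(rhs):       # heuristic: escaping call sanitises the assignment
                tainted.discard(var)
            elif is_tainted(rhs, tainted):
                tainted.add(var)
            else:
                tainted.discard(var)        # reassigned from a clean expression
        qm = QUERY_RE.search(line)
        if qm and is_tainted(qm.group(1), tainted):
            findings.append((lineno, "sqli", code))
        im = INCLUDE_RE.search(line)
        if im and is_tainted(im.group(1), tainted):
            findings.append((lineno, "dynamic-include", code))
    return findings


def report(ini_text, php_text):
    """Combine environment and code findings into one list of report lines."""
    settings = parse_ini(ini_text)
    lines = ["php.ini: " + f for f in check_ini(settings)]
    findings = scan_php(php_text)
    lines += ["line %d: %s: %s" % f for f in findings]
    sqli = [f for f in findings if f[1] == "sqli"]
    if sqli and settings.get("magic_quotes_gpc", "off") in ON_VALUES:
        lines.append("%d query site(s) depend on magic_quotes_gpc alone; it only adds backslashes, "
                     "so unquoted numeric contexts such as WHERE id = $id stay injectable" % len(sqli))
    return lines


if __name__ == "__main__":
    print("\n".join(report(SAMPLE_INI, SAMPLE_PHP)))
```

On the sample input the scanner reports the two unescaped query sites (lines 4 and 10 of the script), the include whose path comes from `$_GET`, and the php.ini settings, while the query built from `mysql_real_escape_string()` output is not flagged. The closing note ties the two halves together: with `magic_quotes_gpc` on, the string-context injection is partly masked, but the `WHERE id = $id` site is not, which is exactly the "explicit escaping vs. magic_quotes" distinction the post wants the tool to make.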