[Owasp-orizon] Php parser and Mirage per language skeleton brainstorm...
Stephen Craig Evans
stephencraig.evans at gmail.com
Mon Feb 16 02:16:17 EST 2009
Hey Paolo,
FINALLY, I have some time. I spent the weekend upgrading my Ubuntu &
Kubuntu 7.10 VMs to 8.10. Of course, it never works the first time
(KDE 4.2 is awesome, though).
I played around with your v.0.2 for a couple of hours. I got it to
build and run. Super-congrats!
I only had to modify freecc.home in build.xml; I used freecc 0.9.3,
and the other versions of software I put in the attached text file.
A couple of glitches; some might be easy for me to fix, but I
haven't yet mastered Ant:
- I couldn't do "ant rebuild". The 'parser' action wasn't being done,
so I did 'ant clean', 'ant parser', then 'ant build'.
- the path for 'dangerous_php_call.txt' is hard-coded to '~/lib' (no
big deal; I only had to create the directory); and I had to rename it
from 'dangerous_call.txt'.
The attached text file also has a small Mirage session that I ran.
What's next? I'm going to look at your source and see what you have done.
Have you heard the OWASP podcast with Andrew van der Stock? He is
doing some very cool stuff; e.g. with the code guide and making an
ESAPI version for PHP.
I haven't coded a lot in PHP and it really interests me since Java &
.NET already have a lot of coverage vis-a-vis software security and
I've coded a lot in those languages.
Cheers,
Stephen
On Thu, Jan 29, 2009 at 5:03 PM, Paolo Perego <thesp0nge at owasp.org> wrote:
> Guys... in these days I'm code reviewing a huge PHP application. In
> order to help my tasks I started writing some code around the Mirage
> subsystem.
> I took the php.jj grammar from javacc project and with the help of the
> freecc author I made some minor changes in order to have a very basic
> parser build (thanks Stephen for pointing me to this fabulous project,
> freecc is amazing).
>
> The ant build file will create the parser in the
> org.owasp.orizon.mirage.php.parser package, meanwhile the php modeler
> engine is located in org.owasp.orizon.php package.
> I just uploaded some stuff over sourceforge. It's far from being
> useful by now but it's a starting point. I think that could be used as
> skeleton for Mirage "modelers".
>
> orizon_php_modeler v0.1:
> http://downloads.sourceforge.net/orizon/orizon_php_modeler_0.1.tar.gz?use_mirror=heanet
>
> It's really a work in progress so I'll modify it every day. If you want
> to take a look at what Mirage can become, any feedback will be useful
> :)
>
> Cheers
> thesp0nge
> --
> "stay hungry, stay foolish"
>
> OWASP Orizon project, http://orizon.sourceforge.net
> "enjoy your code review experience"
> _______________________________________________
> Owasp-orizon mailing list
> Owasp-orizon at lists.owasp.org
> https://lists.owasp.org/mailman/listinfo/owasp-orizon
>
--
http://www.linkedin.com/in/stephencraigevans
-------------- next part --------------
steve at symartec:~/orizon/february_2009$ cat /etc/issue
Ubuntu 8.10 \n \l
steve at symartec:~/orizon/february_2009$ ant -version
Apache Ant version 1.7.0 compiled on August 29 2007
steve at symartec:~/orizon/february_2009$ java -version
java version "1.6.0_10"
Java(TM) SE Runtime Environment (build 1.6.0_10-b33)
Java HotSpot(TM) Client VM (build 11.0-b15, mixed mode, sharing)
################################################################
steve at symartec:~/lib$ mv dangerous_call.txt dangerous_php_call.txt
steve at symartec:~/lib$ pwd
/home/steve/lib
#######################################
steve at symartec:~/orizon/february_2009/orizon_php_modeler_0.2/test$ java -jar ../lib/orizon-php-modeler.jar
(mirage) $ help
(mirage) $ ^[[A^[[A
invalid command (Encountered " <FILENAME> " "" at line 1, column 1 in .
Was expecting one of:
"inspect" ...
"spider" ...
"blind" ...
"dump" ...
"find" ...
"open" ...
"quit" ...
"help" ...
"info" ...
"list" ...
"show" ...
"load" ...
"crawl" ...
"\n" ...
)
(mirage) $ open foo.php
(mirage: foo.php) $ list
hello_world.php
comment_sample.php
empty.php
foo.php
upload.php
(mirage: foo.php) $ info
Mirage v0.2 (C) 2009 - Owasp Orizon <thesp0nge at owasp.org>
(mirage: foo.php) $ crawl
No keyword database is loaded. Please use the "load" command.
(mirage: foo.php) $ load
using /home/steve/lib/dangerous_php_call.txt... something went wrong (/home/steve/lib/dangerous_php_call.txt (No such file or directory))
failed
(mirage: foo.php) $ load
using /home/steve/lib/dangerous_php_call.txt... something went wrong (/home/steve/lib/dangerous_php_call.txt (No such file or directory))
failed
(mirage: foo.php) $ load
using /home/steve/lib/dangerous_php_call.txt... done
(mirage: foo.php) $ crawl
Crawling: foo.php... failed
- END -