[OWASP_PHPSEC] Start work on scanner

rahul chaudhary rahul300chaudhary400 at gmail.com
Mon Aug 19 13:51:30 UTC 2013


aaahhhh.....I was pulling my hair out wondering what this file is..... ;)

1) anyways...I see that you have divided things into different types:
"warning", "error" etc...so does the scanner need to categorize them ??

2) multi-line statements...(the last statement).....that is now already
being detected....

3) for vprintf line...if we just add "vprintf" to the blacklist, this whole
line is still detected....so this does not need any change..

4) if I use echof("this one {$x} is error"); then is this an error ????


On Mon, Aug 19, 2013 at 7:16 PM, Abbas Naderi <abiusx at owasp.org> wrote:

> Ok this is an example to detect:
>
> $x="<p>yo</p>";
> echo "this should be just warning"; //safe stuff
> echo "this one {$x} is error";
> print "this is ".$x." unsafe too.";
> printf("warning here");
> vprintf("warn %s",array($x));
> vprintf("not ok ".$x." %s",array($x));
> echo "you
> cant detect this.";
>
> ______________________________________________________________
> Notice: This message is digitally signed, its source and integrity are
> verifiable.
> If your mail client does not support S/MIME verification, it will display a
> file (smime.p7s), which includes the X.509 certificate and the signature
> body. Read more at Certified E-Mail with Comodo and Thunderbird
> <http://abiusx.com/certified-e-mail-with-comodo-and-thunderbird/> in AbiusX.com
>
> On Mordad 28, 1392, at 6:15 PM, rahul chaudhary <
> rahul300chaudhary400 at gmail.com> wrote:
>
>
> https://github.com/OWASP/phpsec/commit/f0d6cc3e175eea232444e596c672f4a743102ea4
>
>
>
> On Mon, Aug 19, 2013 at 7:15 PM, rahul chaudhary <
> rahul300chaudhary400 at gmail.com> wrote:
>
>> I did that the day you told me to do so....I also pushed my code back
>> then only and then I informed you..
>>
>>
>> On Mon, Aug 19, 2013 at 7:13 PM, Abbas Naderi <abiusx at owasp.org> wrote:
>>
>>> Have you finished determining a whole statement? Please push the code
>>> and I will push my part.
>>> -A
>>>
>>> On Mordad 28, 1392, at 6:10 PM, rahul chaudhary <
>>> rahul300chaudhary400 at gmail.com> wrote:
>>>
>>> Hello All,
>>>
>>> Abbas, you mentioned earlier that for the scanner, once we have created
>>> support for multi-line statements....we will start work on "concatenated
>>> statements"...should I start working on it ???
>>>
>>> if yes, then can you give some examples of what kind of statements we
>>> are looking for ???
>>>
>>> --
>>> Regards,
>>> Rahul Chaudhary
>>> Ph - 412-519-9634
>>>  _______________________________________________
>>> OWASP_PHP_Security_Project mailing list
>>> OWASP_PHP_Security_Project at lists.owasp.org
>>> https://lists.owasp.org/mailman/listinfo/owasp_php_security_project
>>>
>>>
>>>
>>
>


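The classification Abbas's sample exercises, as an added example that is not the phpsec scanner's own code (Python rather than PHP so it runs stand-alone): an output statement that carries a variable is labelled "error", one that prints only literals "warning", and anything else is ignored. That rule is my reading of the thread, not a rule the project states; the ";"-based statement joining and the trailing-comment stripping are deliberate simplifications, and the whole-word match is what keeps a lookalike such as echof() out of the blacklist hit.

```python
import re

# Output functions whose arguments reach the HTTP response (the thread's "blacklist").
OUTPUT_FUNCS = ("echo", "print", "printf", "vprintf")
# \b after the name: "printf(" matches, but a lookalike such as "echof(" does not.
OUTPUT_RE = re.compile(r"^\s*(?:%s)\b" % "|".join(OUTPUT_FUNCS))
# Any PHP variable reaching the statement: $x, {$x} inside a string, or ".$x." concatenation.
VAR_RE = re.compile(r"\$[A-Za-z_]\w*")
# Trailing "// comment" with no quote after it (so "http://..." inside a string survives).
COMMENT_RE = re.compile(r"\s*//[^\"']*$")


def split_statements(src):
    """Join physical lines into ';'-terminated statements (handles a multi-line echo).
    Simplification: a ';' inside a string literal is treated as a terminator."""
    stmts, buf = [], []
    for line in src.splitlines():
        line = COMMENT_RE.sub("", line).strip()
        buf.append(line)
        if line.endswith(";"):
            stmts.append(" ".join(buf))
            buf = []
    if buf:  # unterminated trailing statement
        stmts.append(" ".join(buf))
    return stmts


def classify(stmt):
    """'error' if an output statement carries a variable, 'warning' if it prints
    only literals, None if it is not an output statement at all."""
    if not OUTPUT_RE.match(stmt):
        return None
    return "error" if VAR_RE.search(stmt) else "warning"


def scan(src):
    """Return (statement, label) for every flagged statement in a PHP snippet."""
    return [(s, classify(s)) for s in split_statements(src) if classify(s)]


# Sample input: the statements from the quoted message, embedded here for a run.
SAMPLE = '''$x="<p>yo</p>";
echo "this should be just warning"; //safe stuff
echo "this one {$x} is error";
print "this is ".$x." unsafe too.";
printf("warning here");
vprintf("warn %s",array($x));
vprintf("not ok ".$x." %s",array($x));
echo "you
cant detect this.";
'''
```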