[OWASP_PHPSEC] Start work on scanner

Abbas Naderi abiusx at owasp.org
Mon Aug 19 13:53:13 UTC 2013


1. Indeed. It should act like a security compiler.
2. k
3. We need to detect concatenations.
4. Yes, it is insecure.

echof ("%s",$x) is secure, but the constant string (format string) is not safeguarded.
-A
______________________________________________________________
Notice: This message is digitally signed, its source and integrity are verifiable.
If your mail client does not support S/MIME verification, it will display a file (smime.p7s), which includes the X.509 certificate and the signature body.  Read more at Certified E-Mail with Comodo and Thunderbird in AbiusX.com

On Mordad 28, 1392, at 6:21 PM, rahul chaudhary <rahul300chaudhary400 at gmail.com> wrote:

> Aaahhhh.....I was pulling my hair out wondering what this file was..... ;)
> 
> 1) Anyways...I see that you have divided things into different types: "warning", "error" etc...so does the scanner need to categorize them?
> 
> 2) Multi-line statements...(the last statement).....that is now already being detected....
> 
> 3) For the vprintf line...if we just add "vprintf" to the blacklist, this whole line is still detected....so this does not need any change..
> 
> 4) If I use echof("this one {$x} is error");      then is this an error?
> 
> 
> On Mon, Aug 19, 2013 at 7:16 PM, Abbas Naderi <abiusx at owasp.org> wrote:
> Ok this is an example to detect:
> 
> 		$x="<p>yo</p>";
> 		echo "this should be just warning"; //safe stuff
> 		echo "this one {$x} is error";
> 		print "this is ".$x." unsafe too.";
> 		printf("warning here");
> 		vprintf("warn %s",array($x));
> 		vprintf("not ok ".$x." %s",array($x));
> 		echo "you
> 				cant detect this.";
> 
> 
> On Mordad 28, 1392, at 6:15 PM, rahul chaudhary <rahul300chaudhary400 at gmail.com> wrote:
> 
>> https://github.com/OWASP/phpsec/commit/f0d6cc3e175eea232444e596c672f4a743102ea4
>> 
>> 
>> 
>> On Mon, Aug 19, 2013 at 7:15 PM, rahul chaudhary <rahul300chaudhary400 at gmail.com> wrote:
>> I did that the day you told me to do so....I also pushed my code back then only and then I informed you..
>> 
>> 
>> On Mon, Aug 19, 2013 at 7:13 PM, Abbas Naderi <abiusx at owasp.org> wrote:
>> Have you finished determining a whole statement? Please push the code and I will push my part.
>> -A
>> 
>> On Mordad 28, 1392, at 6:10 PM, rahul chaudhary <rahul300chaudhary400 at gmail.com> wrote:
>> 
>>> Hello All,
>>> 
>>> Abbas, you mentioned earlier that for the scanner, once we have created support for multi-line statements....we will start work on "concatenated statements"...should I start working on it?
>>> 
>>> If yes, then can you give some examples of what kind of statements we are looking for?
>>> 
>>> -- 
>>> Regards,
>>> Rahul Chaudhary
>>> Ph - 412-519-9634
>>> _______________________________________________
>>> OWASP_PHP_Security_Project mailing list
>>> OWASP_PHP_Security_Project at lists.owasp.org
>>> https://lists.owasp.org/mailman/listinfo/owasp_php_security_project
>> 
> 
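The detection rules the thread settles on (a constant string or constant format string is a warning; `{$x}` interpolation or `.` concatenation is an error; a multi-line statement is kept whole), as an added Python example that is not part of the phpsec scanner's own code. It assumes the four output functions named in the thread as the blacklist and, following Abbas's note that only the format string is not safeguarded, checks just the first argument of printf/vprintf; nested calls inside that argument are not handled.

```python
import re

def split_statements(src):
    """Split on ';' outside string literals, dropping // comments; src must end in a newline."""
    stmts, buf, quote, i = [], [], None, 0
    while i < len(src):
        c = src[i]
        if quote:                                          # inside a string literal
            buf.append(c)
            if c == "\\": buf.append(src[i + 1]); i += 1   # keep the escape verbatim
            elif c == quote: quote = None
        elif src.startswith("//", i):                      # line comment: skip to EOL
            i = src.index("\n", i); continue
        elif c == ";":
            stmts.append("".join(buf).strip()); buf = []
        else:
            if c in "\"'": quote = c
            buf.append(c)
        i += 1
    return stmts

def classify(stmt):
    """'warning' if the (format) string is constant, 'error' if a variable is mixed into it."""
    m = re.match(r"(echo|print|printf|vprintf)\b\s*\(?", stmt)   # the thread's blacklist
    if not m: return None                                        # not an output statement
    expr, quote, tainted, i = stmt[m.end():], None, False, 0
    while i < len(expr):
        c = expr[i]
        if quote:
            if c == "\\": i += 1                           # skip escaped char, e.g. \$
            elif c == quote: quote = None
            elif quote == '"' and c == "$": tainted = True  # "$x" or "{$x}" interpolation
        elif c in "\"'": quote = c
        elif c == ",": break                               # only the format string is checked
        elif c in ".$": tainted = True                     # '.' concatenation or bare $var
        i += 1
    return "error" if tainted else "warning"

def scan(src):  # (severity, statement) for each flagged output statement
    return [(classify(s), " ".join(s.split())) for s in split_statements(src) if classify(s)]

# Constructed input: the statements Abbas posted in the thread, one per line
SAMPLE = '''echo "this should be just warning"; //safe stuff
echo "this one {$x} is error";
print "this is ".$x." unsafe too.";
vprintf("warn %s",array($x));
vprintf("not ok ".$x." %s",array($x));
echo "you
    cant detect this.";
'''
```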
