[OWASP_PHPSEC] Start work on scanner

rahul chaudhary rahul300chaudhary400 at gmail.com
Mon Aug 19 14:00:04 UTC 2013


Let's first keep aside the categorization...that I will do...

For the other problem we can do this....we also check each token for
strings...basically T_STRING...then in that string, we check for
concatenation...concatenation starts from "." and replacement starts from
"{"...whatever the case...it is followed by the character "$"...this would
tell us that a variable has been concatenated...suppose we detect that $x
is the variable...now in the whole document we can again search for $x and
check the nature of this code...e.g. numeric strings such as "45" are no harm
I guess....if it contains some "JS code...or some other bad code"...then we
can flag a warning...


On Mon, Aug 19, 2013 at 7:23 PM, Abbas Naderi <abiusx at owasp.org> wrote:

> 1. indeed. it should act like a security compiler
> 2. k
> 3. we need to detect concatenations
> 4. yes it is insecure.
>
> echof ("%s",$x) is secure, but the constant string (format string) is not
> safeguarded.
> -A
> ______________________________________________________________
> Notice: This message is digitally signed, its source and integrity are
> verifiable.
> If your mail client does not support S/MIME verification, it will display a
> file (smime.p7s), which includes the X.509 certificate and the signature
> body. Read more at Certified E-Mail with Comodo and Thunderbird
> <http://abiusx.com/certified-e-mail-with-comodo-and-thunderbird/> in
> AbiusX.com
>
> On Mordad 28, 1392, at 6:21 PM, rahul chaudhary <
> rahul300chaudhary400 at gmail.com> wrote:
>
> aaahhhh.....I was pulling my hair out wondering what this file is..... ;)
>
> 1) anyways...I see that you have divided things into different types:
> "warning", "error" etc...so does the scanner need to categorize them ??
>
> 2) multi-line statements...(the last statement).....that is now already
> being detected....
>
> 3) for the vprintf line...if we just add "vprintf" to the blacklist, this
> whole line is still detected....so this does not need any change..
>
> 4) if I use echof("this one {$x} is error");      then is this an error ????
>
>
> On Mon, Aug 19, 2013 at 7:16 PM, Abbas Naderi <abiusx at owasp.org> wrote:
>
>> Ok this is an example to detect:
>>
>>  $x="<p>yo</p>";
>>  echo "this should be just warning"; //safe stuff
>>  echo "this one {$x} is error";
>>  print "this is ".$x." unsafe too.";
>>  printf("warning here");
>>  vprintf("warn %s",array($x));
>>  vprintf("not ok ".$x." %s",array($x));
>>  echo "you
>> cant detect this.";
>>
>>
>> On Mordad 28, 1392, at 6:15 PM, rahul chaudhary <
>> rahul300chaudhary400 at gmail.com> wrote:
>>
>>
>> https://github.com/OWASP/phpsec/commit/f0d6cc3e175eea232444e596c672f4a743102ea4
>>
>>
>>
>> On Mon, Aug 19, 2013 at 7:15 PM, rahul chaudhary <
>> rahul300chaudhary400 at gmail.com> wrote:
>>
>>> I did that the day you told me to do so....I also pushed my code back
>>> then only and then I informed you..
>>>
>>>
>>> On Mon, Aug 19, 2013 at 7:13 PM, Abbas Naderi <abiusx at owasp.org> wrote:
>>>
>>>> Have you finished determining a whole statement? Please push the code
>>>> and I will push my part.
>>>> -A
>>>>
>>>> On Mordad 28, 1392, at 6:10 PM, rahul chaudhary <
>>>> rahul300chaudhary400 at gmail.com> wrote:
>>>>
>>>> Hello All,
>>>>
>>>> Abbas, you mentioned earlier that for the scanner, once we have created
>>>> support for multi-line statements....we will start work on "concatenated
>>>> statements"...should I start working on it ???
>>>>
>>>> If yes, then can you give some examples of what kind of statements we
>>>> are looking for ???
>>>>
>>>> --
>>>> Regards,
>>>> Rahul Chaudhary
>>>> Ph - 412-519-9634
>>>>  _______________________________________________
>>>> OWASP_PHP_Security_Project mailing list
>>>> OWASP_PHP_Security_Project at lists.owasp.org
>>>> https://lists.owasp.org/mailman/listinfo/owasp_php_security_project
>>>>
>>>>
>>>>
>>>
>>>
>>>
>>
>>
>>
>>
>>
>>
>
>
>
>
>


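One way to implement the concatenation/interpolation detection discussed in this thread, as an added example that is neither a participant's code nor the phpsec project's own: it uses PHP's token_get_all() so that ".$x" concatenation, "{$x}" interpolation and the multi-line echo are all seen as tokens rather than raw text. The sinks it knows (echo/print, and the first argument of printf/vprintf as the format string) and the error-vs-warning rule are my reading of Abbas's sample, not the project's classification.

```php
<?php
function classify_output_statements(string $code): array
{
    $tokens = token_get_all($code);
    $findings = [];
    for ($i = 0, $n = count($tokens); $i < $n; $i++) {
        if (!is_array($tokens[$i])) continue;
        [$id, $text, $line] = $tokens[$i];
        $isFunc = $id === T_STRING && in_array(strtolower($text), ['printf', 'vprintf'], true);
        if ($id !== T_ECHO && $id !== T_PRINT && !$isFunc) continue;
        $stmt = []; $depth = 0; // statement tokens up to the ';' at paren depth 0
        for ($j = $i + 1; $j < $n; $j++) {
            $tok = $tokens[$j];
            if ($tok === '(') $depth++;
            elseif ($tok === ')') $depth--;
            elseif ($tok === ';' && $depth === 0) break;
            $stmt[] = $tok;
        }
        $i = $j;
        $expr = $stmt;
        if ($isFunc) { // keep only the first argument of printf/vprintf (the format string)
            $expr = []; $depth = 0;
            foreach ($stmt as $tok) {
                if ($tok === '(' && ++$depth === 1) continue;
                if ($tok === ')') $depth--;
                if ($tok === ',' && $depth === 1) break;
                if ($depth >= 1) $expr[] = $tok;
            }
        }
        // T_VARIABLE appears for ".$x" concatenation and "{$x}" / "$x" interpolation alike
        $vars = [T_VARIABLE, T_CURLY_OPEN, T_DOLLAR_OPEN_CURLY_BRACES];
        $tainted = (bool) array_filter($expr, fn($k) => is_array($k) && in_array($k[0], $vars, true));
        $findings[] = ['line' => $line, 'level' => $tainted ? 'error' : 'warning'];
    }
    return $findings;
}
// Constructed input: Abbas's sample statements from the thread.
$sample = <<<'PHP'
<?php
$x="<p>yo</p>";
echo "this should be just warning";
echo "this one {$x} is error";
print "this is ".$x." unsafe too.";
vprintf("warn %s",array($x));
vprintf("not ok ".$x." %s",array($x));
echo "you
cant detect this.";
PHP;
foreach (classify_output_statements($sample) as $f) {
    echo "line {$f['line']}: {$f['level']}\n";
}
```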