[OWASP_PHPSEC] Start work on scanner

Abbas Naderi abiusx at owasp.org
Mon Aug 19 14:01:42 UTC 2013


Almost right,
you don't need to track the taint of the variable. Concatenation in the format string and in unsafe functions is not allowed, as simple as that.
-A
______________________________________________________________
Notice: This message is digitally signed, its source and integrity are verifiable.
If your mail client does not support S/MIME verification, it will display a file (smime.p7s), which includes the X.509 certificate and the signature body.  Read more at Certified E-Mail with Comodo and Thunderbird in AbiusX.com

On Mordad 28, 1392, at 6:30 PM, rahul chaudhary <rahul300chaudhary400 at gmail.com> wrote:

> let's first keep aside the categorization... that I will do...
> 
> for the other problem we can do this... we also check each token for strings... basically T_STRING... then in that string, we check for concatenation... concatenation starts from "." and replacement starts from "{"... whatever the case, it is followed by the character "$"... this would tell us that a variable has been concatenated... suppose we detect that $x is the variable... now in the whole document we can again search for $x and check the nature of this code... e.g. numeric strings such as "45" are no harm I guess... if it contains some "JS code... or some other bad code"... then we can flag a warning...
> 
> 
> On Mon, Aug 19, 2013 at 7:23 PM, Abbas Naderi <abiusx at owasp.org> wrote:
> 1. indeed. it should act like a security compiler
> 2. k
> 3. we need to detect concatenations
> 4. yes it is insecure.
> 
> echof ("%s",$x) is secure, but the constant string (format string) is not safeguarded.
> -A
> 
> On Mordad 28, 1392, at 6:21 PM, rahul chaudhary <rahul300chaudhary400 at gmail.com> wrote:
> 
>> aaahhhh..... I was pulling my hair out wondering what this file is..... ;)
>> 
>> 1) anyways... I see that you have divided things into different types: "warning", "error" etc... so does the scanner need to categorize them??
>> 
>> 2) multi-line statements... (the last statement)... that is now already being detected...
>> 
>> 3) for the vprintf line... if we just add "vprintf" to the blacklist, this whole line is still detected... so this does not need any change.
>> 
>> 4) if I use echof("this one {$x} is error");      then is this an error????
>> 
>> 
>> On Mon, Aug 19, 2013 at 7:16 PM, Abbas Naderi <abiusx at owasp.org> wrote:
>> Ok this is an example to detect:
>> 
>> 		$x="<p>yo</p>";
>> 		echo "this should be just warning"; //safe stuff
>> 		echo "this one {$x} is error";
>> 		print "this is ".$x." unsafe too.";
>> 		printf("warning here");
>> 		vprintf("warn %s",array($x));
>> 		vprintf("not ok ".$x." %s",array($x));
>> 		echo "you
>> 				cant detect this.";
>> 
>> 
>> On Mordad 28, 1392, at 6:15 PM, rahul chaudhary <rahul300chaudhary400 at gmail.com> wrote:
>> 
>>> https://github.com/OWASP/phpsec/commit/f0d6cc3e175eea232444e596c672f4a743102ea4
>>> 
>>> 
>>> 
>>> On Mon, Aug 19, 2013 at 7:15 PM, rahul chaudhary <rahul300chaudhary400 at gmail.com> wrote:
>>> I did that the day you told me to do so... I also pushed my code back then and then I informed you.
>>> 
>>> 
>>> On Mon, Aug 19, 2013 at 7:13 PM, Abbas Naderi <abiusx at owasp.org> wrote:
>>> Have you finished determining a whole statement? Please push the code and I will push my part.
>>> -A
>>> 
>>> On Mordad 28, 1392, at 6:10 PM, rahul chaudhary <rahul300chaudhary400 at gmail.com> wrote:
>>> 
>>>> Hello All,
>>>> 
>>>> Abbas, you mentioned earlier that for the scanner, once we have created support for multi-line statements... we will start work on "concatenated statements"... should I start working on it???
>>>> 
>>>> if yes, then can you give some examples of what kind of statements we are looking for???
>>>> 
>>>> -- 
>>>> Regards,
>>>> Rahul Chaudhary
>>>> Ph - 412-519-9634
>>>> _______________________________________________
>>>> OWASP_PHP_Security_Project mailing list
>>>> OWASP_PHP_Security_Project at lists.owasp.org
>>>> https://lists.owasp.org/mailman/listinfo/owasp_php_security_project
>>> 
>> 
>> 
> 
> 
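The rule Abbas states at the top of this thread (no taint tracking; any concatenation or interpolation in an echo/print argument or in a format string is an error, a bare constant string a warning) can be checked directly on PHP's token stream. The following is an added example written for this page, not code from the OWASP phpsec scanner: it runs token_get_all over Abbas's sample from the thread and labels each output statement. The sink list (printf, vprintf and the thread's echof) and the "warning"/"error" labels come from the messages above; the function names and the treatment of method calls are my own assumptions.

```php
<?php
// Added example for this page, not the OWASP phpsec scanner's code.
// Sink names and the warning/error labels follow the thread; everything
// else (function names, method-call handling) is assumed.

// Functions whose FIRST argument is a format string (echof is the thread's name).
const FORMAT_SINKS = ['printf', 'vprintf', 'echof'];

/**
 * Returns [line, severity, sink] triples. The rule is purely syntactic, as
 * Abbas says: a constant string passed to echo/print or used as a format
 * string is a "warning"; any concatenation (.) or interpolation ({$x}, $x,
 * ${x}) in that position is an "error".
 */
function scan_output_statements(string $code): array
{
    $tokens = token_get_all($code);
    $n = count($tokens);
    $findings = [];

    for ($i = 0; $i < $n; $i++) {
        $t = $tokens[$i];
        if (!is_array($t)) continue;
        [$id, $text, $line] = $t;

        if ($id === T_ECHO || $id === T_PRINT) {
            $formatOnly = false;                 // every argument matters
        } elseif ($id === T_STRING
                  && in_array(strtolower($text), FORMAT_SINKS, true)
                  && is_function_call($tokens, $i)) {
            $formatOnly = true;                  // only the first argument matters
        } else {
            continue;
        }

        // Collect the statement up to its ';'. A multi-line string literal is a
        // single token, so the "you\n cant detect this." case needs no special code.
        $stmt = [];
        for ($j = $i + 1; $j < $n && $tokens[$j] !== ';'; $j++) {
            $stmt[] = $tokens[$j];
        }
        $findings[] = [$line, classify($stmt, $formatOnly), $text];
        $i = $j;
    }
    return $findings;
}

function classify(array $stmt, bool $formatOnly): string
{
    $depth = 0;          // parenthesis depth, to find the first top-level comma
    $inString = false;   // inside an interpolated "..." literal
    foreach ($stmt as $tok) {
        if (!is_array($tok)) {
            if ($tok === '(') { $depth++; continue; }
            if ($tok === ')') { $depth--; continue; }
            if ($tok === '"') { $inString = !$inString; continue; }
            if ($tok === '.') return 'error';                       // concatenation
            if ($tok === ',' && $formatOnly && $depth === 1) break; // past the format string
            continue;
        }
        if ($inString && in_array($tok[0], [T_VARIABLE, T_CURLY_OPEN, T_DOLLAR_OPEN_CURLY_BRACES], true)) {
            return 'error';                                         // interpolation
        }
    }
    return 'warning';
}

// A T_STRING is treated as a sink only when it is a plain function call, not a
// method call, static call or function declaration that happens to share the name.
function is_function_call(array $tokens, int $i): bool
{
    $n = count($tokens);
    for ($j = $i + 1; $j < $n && is_array($tokens[$j]) && $tokens[$j][0] === T_WHITESPACE; $j++);
    if ($j >= $n || $tokens[$j] !== '(') return false;
    for ($k = $i - 1; $k >= 0 && is_array($tokens[$k]) && $tokens[$k][0] === T_WHITESPACE; $k--);
    return !($k >= 0 && is_array($tokens[$k])
             && in_array($tokens[$k][0], [T_OBJECT_OPERATOR, T_DOUBLE_COLON, T_FUNCTION], true));
}

// Abbas's sample from the thread, used as the input.
$sample = <<<'PHP'
<?php
$x="<p>yo</p>";
echo "this should be just warning"; //safe stuff
echo "this one {$x} is error";
print "this is ".$x." unsafe too.";
printf("warning here");
vprintf("warn %s",array($x));
vprintf("not ok ".$x." %s",array($x));
echo "you
        cant detect this.";
PHP;

foreach (scan_output_statements($sample) as [$line, $severity, $sink]) {
    printf("line %d: %-7s (%s)\n", $line, $severity, $sink);
}
```

Run it with `php scan.php`. The three statements that contain `.` or `{$x}` in the echo/print argument or the format string come out as error, the others as warning, and the vprintf whose only variable sits in the `array($x)` argument stays a warning because classify stops at the first top-level comma for format-string sinks. Two caveats a practitioner would want: the check is deliberately syntactic, so a bare `echo $x;` passes it unless a further rule is added, and `echof` is tokenized as an ordinary T_STRING, so it is flagged purely by name.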


