[OWASP_PHPSEC] Start work on scanner

rahul chaudhary rahul300chaudhary400 at gmail.com
Mon Aug 19 14:04:55 UTC 2013


So is concatenation bad in general, or bad only in unsafe functions such as
"echo"??? Because we have used concatenation in several places in our
library too....


On Mon, Aug 19, 2013 at 7:31 PM, Abbas Naderi <abiusx at owasp.org> wrote:

> Almost right,
> you don't need to track the taint of the variable. Concatenation in the
> format string and in unsafe functions is not allowed, as simple as that.
> -A
> ______________________________________________________________
> Notice: This message is digitally signed; its source and integrity are
> verifiable. If your mail client does not support S/MIME verification, it
> will display a file (smime.p7s), which includes the X.509 certificate and
> the signature body. Read more at Certified E-Mail with Comodo and
> Thunderbird <http://abiusx.com/certified-e-mail-with-comodo-and-thunderbird/>
> on AbiusX.com
>
> On Mordad 28, 1392, at 6:30 PM, rahul chaudhary <
> rahul300chaudhary400 at gmail.com> wrote:
>
> let's first keep aside the categorization...that I will do...
>
> for the other problem we can do this....we also check each token for
> strings...basically T_STRING...then in that string, we check for
> concatenation...concatenation start from "." and replacement starts from
> "{"...whatever the case,,,it is followed by the character "$"...this would
> tell us that a variable has been concatenated...suppose we detect that $x
> is the variable...now in the whole document we can again search for $x and
> check the nature of this code...e.g. numeric strings such as "45" are no harm
> I guess....if it contains some "JS code...or some other bad code"...then we
> can flag a warning...
>
>
> On Mon, Aug 19, 2013 at 7:23 PM, Abbas Naderi <abiusx at owasp.org> wrote:
>
>> 1. indeed. it should act like a security compiler
>> 2. k
>> 3. we need to detect concatenations
>> 4. yes it is insecure.
>>
>> echof ("%s",$x) is secure, but the constant string (format string) is not
>> safeguarded.
>> -A
>>
>> On Mordad 28, 1392, at 6:21 PM, rahul chaudhary <
>> rahul300chaudhary400 at gmail.com> wrote:
>>
>> aaahhhh.....I was pulling my hair out wondering what this file is..... ;)
>>
>> 1) anyways...I see that you have divided things into different types:
>> "warning", "error" etc...so does the scanner need to categorize them ??
>>
>> 2) multi-line statements...(the last statement).....that is now already
>> being detected....
>>
>> 3) for vprintf line...if we just add "vprintf" to the blacklist, this
>> whole line is still detected....so this does not need any change..
>>
>> 4) if I use echof("this one {$x} is error");      then is this an error ????
>>
>>
>> On Mon, Aug 19, 2013 at 7:16 PM, Abbas Naderi <abiusx at owasp.org> wrote:
>>
>>> Ok this is an example to detect:
>>>
>>>  $x="<p>yo</p>";
>>>  echo "this should be just warning"; //safe stuff
>>>  echo "this one {$x} is error";
>>>  print "this is ".$x." unsafe too.";
>>>  printf("warning here");
>>>  vprintf("warn %s",array($x));
>>>  vprintf("not ok ".$x." %s",array($x));
>>>  echo "you
>>> cant detect this.";
>>>
>>>
>>> On Mordad 28, 1392, at 6:15 PM, rahul chaudhary <
>>> rahul300chaudhary400 at gmail.com> wrote:
>>>
>>>
>>> https://github.com/OWASP/phpsec/commit/f0d6cc3e175eea232444e596c672f4a743102ea4
>>>
>>>
>>>
>>> On Mon, Aug 19, 2013 at 7:15 PM, rahul chaudhary <
>>> rahul300chaudhary400 at gmail.com> wrote:
>>>
>>>> I did that the day you told me to do so....I also pushed my codes back
>>>> then only and then I informed you..
>>>>
>>>>
>>>> On Mon, Aug 19, 2013 at 7:13 PM, Abbas Naderi <abiusx at owasp.org> wrote:
>>>>
>>>>> Have you finished determining a whole statement? Please push the code
>>>>> and I will push my part.
>>>>> -A
>>>>>
>>>>> On Mordad 28, 1392, at 6:10 PM, rahul chaudhary <
>>>>> rahul300chaudhary400 at gmail.com> wrote:
>>>>>
>>>>> Hello All,
>>>>>
>>>>> Abbas, you mentioned earlier that for scanner, once we have created
>>>>> support for multi-line statements....we will start work on "concatenated
>>>>> statements"...should I start working on it ???
>>>>>
>>>>> if yes, then can you give some examples of what kind of statements we
>>>>> are looking for ???
>>>>>
>>>>> --
>>>>> Regards,
>>>>> Rahul Chaudhary
>>>>> Ph - 412-519-9634
>>>>>  _______________________________________________
>>>>> OWASP_PHP_Security_Project mailing list
>>>>> OWASP_PHP_Security_Project at lists.owasp.org
>>>>> https://lists.owasp.org/mailman/listinfo/owasp_php_security_project
>>>>>
>>>
>>
>


-- 
Regards,
Rahul Chaudhary
Ph - 412-519-9634
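As an added illustration (not the phpsec scanner's own code, and not from anyone in this thread), here is a small token-based checker that applies the rule Abbas states above to his own example statements: no taint tracking of the variable; any "." concatenation or any variable (plain or interpolated with "{$x}") in an echo/print expression, or in the first (format-string) argument of a printf-style function, is an error, and a purely constant string is a warning because the constant is not safeguarded. The list of format-string functions (printf, vprintf, sprintf, echof) and the error/warning wording are assumptions; the sample source is a constructed copy of the statements from the earlier message.

```php
<?php
// Added example (not the phpsec scanner's code): token-based check for the
// "no concatenation in unsafe functions / format strings" rule.
// Assumed list of functions whose first argument is a format string.
const FORMAT_FUNCTIONS = ['printf', 'vprintf', 'sprintf', 'echof'];

// Collect tokens from $start until one of $terminators appears at nesting
// depth 0. Returns [collected tokens, index of the terminator].
function collectArgument(array $tokens, int $start, array $terminators): array
{
    $depth = 0;
    $out = [];
    $n = count($tokens);
    for ($i = $start; $i < $n; $i++) {
        $t = $tokens[$i];
        if (!is_array($t)) {                      // single-character tokens
            if ($depth === 0 && in_array($t, $terminators, true)) {
                return [$out, $i];
            }
            if ($t === '(' || $t === '[') {
                $depth++;
            } elseif ($t === ')' || $t === ']') {
                $depth--;
            }
        }
        $out[] = $t;
    }
    return [$out, $n - 1];
}

// Thread rule: a '.' operator or any variable token (T_VARIABLE, or the
// "{$x}" / "${x}" interpolation openers) in the checked expression is an
// error; a constant-only expression is a warning.
function classify(string $func, array $args, int $line): array
{
    $concat = false;
    $variable = false;
    foreach ($args as $t) {
        if (!is_array($t)) {
            if ($t === '.') {
                $concat = true;
            }
        } elseif (in_array($t[0], [T_VARIABLE, T_CURLY_OPEN, T_DOLLAR_OPEN_CURLY_BRACES], true)) {
            $variable = true;
        }
    }
    if ($concat || $variable) {
        return ['line' => $line, 'function' => $func, 'level' => 'error',
                'reason' => $concat ? 'concatenation in unsafe output' : 'variable in unsafe output'];
    }
    return ['line' => $line, 'function' => $func, 'level' => 'warning',
            'reason' => 'constant string is not safeguarded'];
}

function scanSource(string $source): array
{
    $tokens = token_get_all($source);
    $n = count($tokens);
    $findings = [];
    for ($i = 0; $i < $n; $i++) {
        $tok = $tokens[$i];
        if (!is_array($tok)) {
            continue;
        }
        [$id, $text, $line] = $tok;
        if ($id === T_ECHO || $id === T_PRINT) {
            // echo/print: the whole statement up to ';' is the output expression.
            [$args, $i] = collectArgument($tokens, $i + 1, [';']);
            $findings[] = classify($text, $args, $line);
        } elseif ($id === T_STRING && in_array(strtolower($text), FORMAT_FUNCTIONS, true)) {
            $j = $i + 1;
            while ($j < $n && is_array($tokens[$j]) && $tokens[$j][0] === T_WHITESPACE) {
                $j++;
            }
            if ($j >= $n || $tokens[$j] !== '(') {
                continue;                         // a name, not a call
            }
            // Only the first argument (the format string) is subject to the rule.
            [$args, $i] = collectArgument($tokens, $j + 1, [',', ')']);
            $findings[] = classify($text, $args, $line);
        }
    }
    return $findings;
}

// Constructed sample: the statements from the earlier message in this thread.
$sample = <<<'PHP'
<?php
$x="<p>yo</p>";
echo "this should be just warning"; //safe stuff
echo "this one {$x} is error";
print "this is ".$x." unsafe too.";
printf("warning here");
vprintf("warn %s",array($x));
vprintf("not ok ".$x." %s",array($x));
echo "you
cant detect this.";
PHP;

foreach (scanSource($sample) as $f) {
    printf("line %d: %-8s %-7s %s\n", $f['line'], $f['function'], $f['level'], $f['reason']);
}
```

Run with `php scan.php`; it reports the echo on line 3, the printf on line 6, the vprintf on line 7 and the multi-line echo on line 9 as warnings, and the interpolated echo (line 4), the concatenated print (line 5) and the concatenated vprintf format string (line 8) as errors. The multi-line string needs no special handling because token_get_all returns the whole literal as one T_CONSTANT_ENCAPSED_STRING token, which is the same reason a statement-level scanner is preferable to a line-based regex. Because the rule ignores taint, a bare `echo $x;` is also reported as an error, which goes slightly beyond the statements in the example.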