[OWASP_PHPSEC] Start work on scanner

Abbas Naderi abiusx at owasp.org
Mon Aug 19 14:06:07 UTC 2013


Only in unsafe functions which are blacklisted. Keep in mind that phpsec\printf for example, is blacklisted and does not allow concatenation, but allows other parameters.

Also make sure that the first argument to any of these functions is a string literal, and not a variable.
-A
______________________________________________________________
Notice: This message is digitally signed, its source and integrity are verifiable.
If your mail client does not support S/MIME verification, it will display a file (smime.p7s), which includes the X.509 certificate and the signature body. Read more at Certified E-Mail with Comodo and Thunderbird in AbiusX.com

On Mordad 28, 1392, at 6:34 PM, rahul chaudhary <rahul300chaudhary400 at gmail.com> wrote:

> so concatenation is bad in general or bad only in unsafe functions such as "echo"??? Because we have used concatenation in several places in our library too....
> 
> 
> On Mon, Aug 19, 2013 at 7:31 PM, Abbas Naderi <abiusx at owasp.org> wrote:
> Almost right,
> you don't need to track the taint of the variable. Concatenation in the format string and in unsafe functions is not allowed, as simple as that.
> -A
> 
> On Mordad 28, 1392, at 6:30 PM, rahul chaudhary <rahul300chaudhary400 at gmail.com> wrote:
> 
>> let's first keep aside the categorization...that I will do...
>> 
>> for the other problem we can do this....we also check each token for strings...basically T_STRING...then in that string, we check for concatenation...concatenation start from "." and replacement starts from "{"...whatever the case,,,it is followed by the character "$"...this would tell us that a variable has been concatenated...suppose we detect that $x is the variable...now in the whole document we can again search for $x and check the nature of this code...e.g numeric strings such as "45" is no harm I guess....if it contains some "JS code...or some other bad code"...then we can flag a warning...
>> 
>> 
>> On Mon, Aug 19, 2013 at 7:23 PM, Abbas Naderi <abiusx at owasp.org> wrote:
>> 1. indeed. it should act like a security compiler
>> 2. k
>> 3. we need to detect concatenations
>> 4. yes it is insecure.
>> 
>> echof ("%s",$x) is secure, but the constant string (format string) is not safeguarded.
>> -A
>> 
>> On Mordad 28, 1392, at 6:21 PM, rahul chaudhary <rahul300chaudhary400 at gmail.com> wrote:
>> 
>>> aaahhhh.....I was pulling my hairs out that what is this file..... ;)
>>> 
>>> 1) anyways...I see that you have divided things into different types: "warning", "error" etc...so does the scanner need to categorize them ??
>>> 
>>> 2) multi-line statements...(the last statement).....that is now already being detected....
>>> 
>>> 3) for vprintf line...if we just add "vprintf" to the blacklist, this whole line is still detected....so this does not need any change..
>>> 
>>> 4) if I use echof("this one {$x} is error"); then is this error ????
>>> 
>>> 
>>> On Mon, Aug 19, 2013 at 7:16 PM, Abbas Naderi <abiusx at owasp.org> wrote:
>>> Ok this is an example to detect:
>>> 
>>> 		$x="<p>yo</p>";
>>> 		echo "this should be just warning"; //safe stuff
>>> 		echo "this one {$x} is error";
>>> 		print "this is ".$x." unsafe too.";
>>> 		printf("warning here");
>>> 		vprintf("warn %s",array($x));
>>> 		vprintf("not ok ".$x." %s",array($x));
>>> 		echo "you
>>> 				cant detect this.";
>>> 
>>> 
>>> On Mordad 28, 1392, at 6:15 PM, rahul chaudhary <rahul300chaudhary400 at gmail.com> wrote:
>>> 
>>>> https://github.com/OWASP/phpsec/commit/f0d6cc3e175eea232444e596c672f4a743102ea4
>>>> 
>>>> 
>>>> 
>>>> On Mon, Aug 19, 2013 at 7:15 PM, rahul chaudhary <rahul300chaudhary400 at gmail.com> wrote:
>>>> I did that the day you told me to do so....I also pushed my codes back then only and then I informed you..
>>>> 
>>>> 
>>>> On Mon, Aug 19, 2013 at 7:13 PM, Abbas Naderi <abiusx at owasp.org> wrote:
>>>> Have you finished determining a whole statement? Please push the code and I will push my part.
>>>> -A
>>>> 
>>>> On Mordad 28, 1392, at 6:10 PM, rahul chaudhary <rahul300chaudhary400 at gmail.com> wrote:
>>>> 
>>>>> Hello All,
>>>>> 
>>>>> Abbas, you mentioned earlier that for scanner, once we have created support for multi-line statements....we will start work on "concatenated statements"...should I start working on it ???
>>>>> 
>>>>> if yes, then can you give some examples of what kind of statements we are looking for ???
>>>>> 
>>>>> -- 
>>>>> Regards,
>>>>> Rahul Chaudhary
>>>>> Ph - 412-519-9634
>>>>> _______________________________________________
>>>>> OWASP_PHP_Security_Project mailing list
>>>>> OWASP_PHP_Security_Project at lists.owasp.org
>>>>> https://lists.owasp.org/mailman/listinfo/owasp_php_security_project
>>> 
>> 
> 
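As an added worked example (not the phpsec project's scanner and not code from anyone in this thread), the rule Abbas states above turned into a token-based check and run over his sample listing; echof is assumed to be phpsec's own output function, and the warning/error split follows his classification:

```php
<?php
// Added example, not phpsec's own scanner code. It checks the rule from this thread:
// in a blacklisted output function the first argument must be one string literal;
// "." concatenation or variable interpolation there is an error, a bare literal is
// only a warning (its format string is not safeguarded). echof is assumed to be
// phpsec's own function; a namespace prefix like phpsec\ is dropped before matching.
function scan_output_calls(string $src, array $blacklist): array
{
    $findings = [];
    $tok = token_get_all($src);
    $qualified = defined('T_NAME_QUALIFIED') ? T_NAME_QUALIFIED : T_STRING; // PHP 8: "ns\f" is one token
    for ($i = 0, $n = count($tok); $i < $n; $i++) {
        if (!is_array($tok[$i])) continue;
        [$id, $text, $line] = $tok[$i];
        $name = strtolower(substr(strrchr('\\' . $text, '\\'), 1));   // "ns\f" -> "f"
        if ($id === T_ECHO || $id === T_PRINT) $base = 0;          // construct: no "(" around args
        elseif (($id === T_STRING || $id === $qualified) && in_array($name, $blacklist, true)) $base = 1;
        else continue;
        // Walk only the first argument; stop at its terminating ',', ')' or ';'.
        $depth = 0; $literal = false; $tainted = false;
        for ($j = $i + 1; $j < $n; $j++) {
            $u = $tok[$j];
            if (is_string($u)) {                                   // one-char tokens
                if ($u === '(') { $depth++; continue; }
                if ($u === ')' && --$depth < $base) break;
                if ($u === ';' || ($u === ',' && $depth === $base)) break;
                if ($u === '.' || $u === '"') $tainted = true;     // concat / "{$x}" string
            } elseif ($u[0] === T_CONSTANT_ENCAPSED_STRING) $literal = true;
            elseif ($u[0] === T_VARIABLE || $u[0] === T_CURLY_OPEN) $tainted = true;
        }
        if ($tainted) $findings[] = [$line, 'error', "$name: first argument is not a plain string literal"];
        elseif ($literal) $findings[] = [$line, 'warning', "$name: constant string is not safeguarded"];
    }
    return $findings;
}
// Abbas' sample from the thread, run through the checker (multi-line echo included).
$sample = <<<'PHP'
<?php
$x="<p>yo</p>";
echo "this should be just warning"; //safe stuff
echo "this one {$x} is error";
print "this is ".$x." unsafe too.";
printf("warning here");
vprintf("warn %s",array($x));
vprintf("not ok ".$x." %s",array($x));
echo "you
        cant detect this.";
PHP;
foreach (scan_output_calls($sample, ['echo', 'print', 'printf', 'vprintf', 'echof']) as [$line, $level, $msg])
    printf("line %d: %s: %s\n", $line, $level, $msg);
```

Lines 3, 6, 7 and 9 of the sample come out as warnings and lines 4, 5 and 8 as errors, matching the listing's comments; the multi-line echo is reported because token_get_all returns the whole string as one token.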
