[OWASP_PHPSEC] Start work on scanner

rahul chaudhary rahul300chaudhary400 at gmail.com
Mon Aug 19 14:08:46 UTC 2013


ok...starting to work on this...will inform you of my
progress/doubts..thanks...


On Mon, Aug 19, 2013 at 7:36 PM, Abbas Naderi <abiusx at owasp.org> wrote:

> Only in unsafe functions which are blacklisted. Keep in mind that
> phpsec\printf for example, is blacklisted and does not allow concatenation,
> but allows other parameters.
>
> Also make sure that the first argument to any of these functions is a
> string literal, and not a variable.
> -A
> ______________________________________________________________
> *Notice:* This message is *digitally signed*, its *source* and
> *integrity* are verifiable.
> If your mail client does not support S/MIME verification, it will display a
> file (smime.p7s), which includes the X.509 certificate and the signature
> body.  Read more at Certified E-Mail with Comodo and Thunderbird
> <http://abiusx.com/certified-e-mail-with-comodo-and-thunderbird/> in
> AbiusX.com
>
> On Mordad 28, 1392, at 6:34 PM, rahul chaudhary <
> rahul300chaudhary400 at gmail.com> wrote:
>
> so concatenation is bad in general or bad only in unsafe functions such as
> "echo"??? Because we have used concatenation in several places in our
> library too....
>
>
> On Mon, Aug 19, 2013 at 7:31 PM, Abbas Naderi <abiusx at owasp.org> wrote:
>
>> Almost right,
>> you don't need to track the taint of the variable. Concatenation in the
>> format string and in unsafe functions is not allowed, as simple as that.
>> -A
>>
>> On Mordad 28, 1392, at 6:30 PM, rahul chaudhary <
>> rahul300chaudhary400 at gmail.com> wrote:
>>
>> let's first keep aside the categorization...that I will do...
>>
>> for the other problem we can do this....we also check each token for
>> strings...basically T_STRING...then in that string, we check for
>> concatenation...concatenation start from "." and replacement starts from
>> "{"...whatever the case,,,it is followed by the character "$"...this would
>> tell us that a variable has been concatenated...suppose we detect that $x
>> is the variable...now in the whole document we can again search for $x and
>> check the nature of this code...e.g numeric strings such as "45" is no harm
>> I guess....if it contains some "JS code...or some other bad code"...then we
>> can flag a warning...
>>
>>
>> On Mon, Aug 19, 2013 at 7:23 PM, Abbas Naderi <abiusx at owasp.org> wrote:
>>
>>> 1. indeed. it should act like a security compiler
>>> 2. k
>>> 3. we need to detect concatenations
>>> 4. yes it is insecure.
>>>
>>> echof ("%s",$x) is secure, but the constant string (format string) is
>>> not safeguarded.
>>> -A
>>>
>>> On Mordad 28, 1392, at 6:21 PM, rahul chaudhary <
>>> rahul300chaudhary400 at gmail.com> wrote:
>>>
>>> aaahhhh.....I was pulling my hair out over what this file is..... ;)
>>>
>>> 1) anyways...I see that you have divided things into different types:
>>> "warning", "error" etc...so does the scanner need to categorize them ??
>>>
>>> 2) multi-line statements...(the last statement).....that is now already
>>> being detected....
>>>
>>> 3) for vprintf line...if we just add "vprintf" to the blacklist, this
>>> whole line is still detected....so this does not need any change..
>>>
>>> 4) if I use echof("this one {$x} is error");      then is this an error
>>> ????
>>>
>>>
>>> On Mon, Aug 19, 2013 at 7:16 PM, Abbas Naderi <abiusx at owasp.org> wrote:
>>>
>>>> Ok this is an example to detect:
>>>>
>>>>  $x="<p>yo</p>";
>>>>  echo "this should be just warning"; //safe stuff
>>>>  echo "this one {$x} is error";
>>>>  print "this is ".$x." unsafe too.";
>>>>  printf("warning here");
>>>>  vprintf("warn %s",array($x));
>>>>  vprintf("not ok ".$x." %s",array($x));
>>>>  echo "you
>>>> cant detect this.";
>>>>
>>>>
>>>> On Mordad 28, 1392, at 6:15 PM, rahul chaudhary <
>>>> rahul300chaudhary400 at gmail.com> wrote:
>>>>
>>>>
>>>> https://github.com/OWASP/phpsec/commit/f0d6cc3e175eea232444e596c672f4a743102ea4
>>>>
>>>>
>>>>
>>>> On Mon, Aug 19, 2013 at 7:15 PM, rahul chaudhary <
>>>> rahul300chaudhary400 at gmail.com> wrote:
>>>>
>>>>> I did that the day you told me to do so....I also pushed my codes back
>>>>> then only and then I informed you..
>>>>>
>>>>>
>>>>> On Mon, Aug 19, 2013 at 7:13 PM, Abbas Naderi <abiusx at owasp.org> wrote:
>>>>>
>>>>>> Have you finished determining a whole statement? Please push the code
>>>>>> and I will push my part.
>>>>>> -A
>>>>>>
>>>>>> On Mordad 28, 1392, at 6:10 PM, rahul chaudhary <
>>>>>> rahul300chaudhary400 at gmail.com> wrote:
>>>>>>
>>>>>> Hello All,
>>>>>>
>>>>>> Abbas, you mentioned earlier that for scanner, once we have created
>>>>>> support for multi-line statements....we will start work on "concatenated
>>>>>> statements"...should I start working on it ???
>>>>>>
>>>>>> if yes, then can you give some examples of what kind of statements we
>>>>>> are looking for ???
>>>>>>
>>>>>> --
>>>>>> Regards,
>>>>>> Rahul Chaudhary
>>>>>> Ph - 412-519-9634
>>>>>>  _______________________________________________
>>>>>> OWASP_PHP_Security_Project mailing list
>>>>>> OWASP_PHP_Security_Project at lists.owasp.org
>>>>>> https://lists.owasp.org/mailman/listinfo/owasp_php_security_project


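The rules agreed in the thread above (blacklisted output functions; a constant
string only gets a warning; concatenation or an interpolated variable in the
output/format string is an error; the first argument must be a string literal)
can be demonstrated with a small token-based scanner. The following Python
program is an added example and is not code from the phpsec project or from
anyone on the list. It assumes a simplified PHP tokenizer written here with a
regular expression (not PHP's own token_get_all), a blacklist made up of the
functions named in the thread (echo, print, printf, vprintf and phpsec's echof),
and the warning/error levels as Abbas describes them. It goes slightly beyond
the sample by also handling the function-call form printf(...) and the
"first argument is a variable, not a literal" case. The sample source is the
snippet from Abbas's mail, with a <?php line added.

```python
"""Added example: token-based scan for unsafe output calls in PHP source."""
import re
from collections import namedtuple

Token = namedtuple("Token", "kind text line")

# Output sinks treated as blacklisted in the thread. echof is phpsec's own
# function; the others are PHP built-ins. (Assumed list for this example.)
BLACKLIST = {"echo", "print", "printf", "vprintf", "echof"}

# Simplified PHP tokenizer: enough for strings, variables, names and the
# punctuation that matters here. Not PHP's token_get_all.
TOKEN_RE = re.compile(r'''
    (?P<ws>\s+)
  | (?P<comment>//[^\n]*)
  | (?P<tag><\?php|\?>)
  | (?P<dq>"(?:\\.|[^"\\])*")
  | (?P<sq>'(?:\\.|[^'\\])*')
  | (?P<var>\$[A-Za-z_]\w*)
  | (?P<name>[A-Za-z_]\w*)
  | (?P<op>[.;(),=])
''', re.VERBOSE | re.DOTALL)

# "$x" or "{$x}" inside a double-quoted literal, unless the $ is escaped.
INTERP_RE = re.compile(r'(?<!\\)(\$[A-Za-z_]|\{\$)')


def tokenize(source):
    """Turn PHP source into tokens, dropping whitespace, comments and tags."""
    tokens, pos, line = [], 0, 1
    while pos < len(source):
        m = TOKEN_RE.match(source, pos)
        if not m:
            raise ValueError("unrecognised input at line %d: %r"
                             % (line, source[pos:pos + 20]))
        kind, text = m.lastgroup, m.group()
        if kind not in ("ws", "comment", "tag"):
            tokens.append(Token(kind, text, line))
        line += text.count("\n")   # string literals may span lines
        pos = m.end()
    return tokens


def statements(tokens):
    """Split the token stream on ';' so multi-line statements stay together."""
    current = []
    for tok in tokens:
        if tok.kind == "op" and tok.text == ";":
            if current:
                yield current
            current = []
        else:
            current.append(tok)
    if current:
        yield current


def first_argument(stmt):
    """Tokens of the first argument: after 'echo'/'print', or inside 'printf('."""
    rest = stmt[1:]
    if rest and rest[0].kind == "op" and rest[0].text == "(":
        rest = rest[1:]            # function-call form: drop the opening paren
    arg, depth = [], 0
    for tok in rest:
        if tok.kind == "op":
            if tok.text == "(":
                depth += 1
            elif tok.text == ")":
                if depth == 0:     # closing paren of the call itself
                    break
                depth -= 1
            elif tok.text == "," and depth == 0:
                break              # end of the first argument
        arg.append(tok)
    return arg


def classify(stmt):
    """Return (line, level, function, reason) for a blacklisted call, else None."""
    head = stmt[0]
    if head.kind != "name" or head.text not in BLACKLIST:
        return None
    arg = first_argument(stmt)
    if any(t.kind == "op" and t.text == "." for t in arg):
        return (head.line, "error", head.text, "concatenation in output/format string")
    if len(arg) == 1 and arg[0].kind in ("dq", "sq"):
        if arg[0].kind == "dq" and INTERP_RE.search(arg[0].text):
            return (head.line, "error", head.text, "variable interpolated into string literal")
        return (head.line, "warning", head.text, "unsafe function, constant string only")
    return (head.line, "error", head.text, "first argument is not a string literal")


def scan(source):
    """Scan PHP source and return all findings in source order."""
    return [f for f in (classify(s) for s in statements(tokenize(source))) if f]


# Constructed sample: the detection example from the thread, plus an open tag.
SAMPLE = r'''<?php
$x="<p>yo</p>";
echo "this should be just warning"; //safe stuff
echo "this one {$x} is error";
print "this is ".$x." unsafe too.";
printf("warning here");
vprintf("warn %s",array($x));
vprintf("not ok ".$x." %s",array($x));
echo "you
cant detect this.";
'''

if __name__ == "__main__":
    for line, level, func, reason in scan(SAMPLE):
        print("line %d: %s in %s: %s" % (line, level, func, reason))
```

Run as-is and it reports a warning for lines 3, 6, 7 and 9 (constant strings,
including the multi-line echo) and an error for lines 4, 5 and 8. Splitting on
";" before classifying is what keeps the "you\ncant detect this." statement
whole; the per-line approach the thread started from would miss it.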