SoftwareSecurity2012/Group 8/Code Scanning


RIPS

RIPS is a relatively quick to install and easy to use program. The RIPS files are simply uploaded to the webserver running the application you want to test. You can then go to http://website.com/rips/, enter the root folder of the application you want to test and configure the verbosity of the output. You can choose to either scan only a certain file, or to scan all the subdirectories as well, giving RIPS a better overview of the application. Even if the subdirectory option is omitted, RIPS still automatically resolves includes relative to the top-level directory of the application.

The code analysis isn't very fast, but it is very thorough. For instance: analysis for all server-side vulnerabilities using verbosity level 4 and topdown settings including subdirs gives:

Results:

  • Scanned files: 149
  • Code Execution: 127
  • Command Execution: 1
  • Header Injection: 2
  • File Disclosure: 34
  • File Inclusion: 313
  • File Manipulation: 33
  • SQL Injection: 26
  • Possible Flow Control: 205
  • Unserialize: 18
  • Total: 759

Actual output sample here: [1]

RATS

RATS is an extremely quick command line program for source code analysis. It gives a good high-level overview of some possible problems with the code. It's great for a rough estimate of where to look, but this tool only statically checks for potentially dangerous functions. It is like an automatic grep script that searches the source code for 'dangerous' functions, without following where the arguments come from.

Example HTML-formatted output here: [2]

YASCA

We only used the core YASCA installation, since we already tested some of the plugins separately. The core version is very fast when performing a scan and provides a report in the form of an HTML file.

Yasca provided the following results:

{| class="wikitable"
! Type !! Amount !! Severity !! Description
|-
| W3 Core || 2 || Critical || Possible browser compatibility issue
|-
| Cross-Site Scripting || 14 || Critical || Possible vulnerabilities
|-
| W3 Core || 2 || High || Possible browser compatibility issue
|-
| Bug: Script Tag in JavaScript file || 2 || High || -
|-
| W3 Core || 2 || Warning || Possible browser compatibility issue
|-
| Performance: function within loop declaration || 4 || Low || Could improve the performance when fixed
|-
| W3 Core || 4 || Informational || Possible browser compatibility issue
|-
| Possible Licensing Restrictions || 47 || Informational || -
|-
| Performance: Post-Increment of simple variable || 27 || Informational || Could improve the performance when fixed
|}

CodeSecure

We ran into several problems and were limited by the license (see Code Scanning Reflection). We might still try CodeSecure on a different system to hopefully reduce, or at least confirm, the amount of false positives.

For our second attempt with CodeSecure we minified the source code of FluxBB by removing almost all the line breaks in the code. This resulted in going from approximately 43924 lines of code to only 5619. We were then able to zip the source code and upload it to the CodeSecure interface. The minified source is available here: [3] as it might also be useful for other groups.

CodeSecure was capable of scanning the complete source code when run on Linux, and it identified 35 suspected vulnerabilities, of which 34 were rated High Severity and 1 Low Severity. We uploaded the webpage with the results here: [4] and an example of one such error's description here: [5]. As you can see, the findings are almost all SQL injections or XSS, and the actual vulnerability report is not really helpful: because the source code was unformatted, it is almost impossible to find the error CodeSecure is referring to.

PHPLint

Unfortunately PHPLint is only able to scan a single file at a time, so we started with index.php. PHPLint issues two types of alerts, warnings and errors, totaling 132 for this particular PHP file.

{| class="wikitable"
! Type !! Amount !! Causes
|-
| Warning || 82 || Undefined functions, comparisons of unknown types, functions and operators applied to unknown or mixed types
|-
| Error || 50 || Function calls with unexpected or wrong value types, invalid assignments
|}

Augmenting the PHP file with the following comment made it aware of the standard PHP functions and as such it helped reduce the number of warnings and errors significantly. Many of the undefined function warnings disappeared.

<source lang="php">
/*. require_module 'standard'; .*/
</source>

{| class="wikitable"
! Type !! Amount
|-
| Warning || 50
|-
| Error || 37
|}

For some PHP files, login.php for example, PHPLint issued a fatal error as it was unable to handle a new style of notation. The scanning results can be found at Bestand:PHPLint.pdf, Bestand:PHPLint augmented.pdf and Bestand:PHPLint fatal.pdf.

Pixy

Pixy is only able to scan a single file at a time too, so we started with index.php again. This resulted in a 24 second scan which found 53 alerts.

{| class="wikitable"
! Type !! Amount
|-
| XSS || 53
|-
| SQL || 0
|}

Most of the XSS vulnerabilities were conditional on register_globals being enabled though. The scanning results can be found at Bestand:Pixy.pdf.
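The register_globals caveat is worth seeing in code. Below is an added example (not Pixy's implementation, and the PHP snippet is constructed rather than taken from FluxBB) of a small line-oriented taint check that separates unconditional XSS findings from ones that only exist when register_globals is on: a variable that is echoed without ever being assigned in the file would, under register_globals, be initialised straight from the request. The recognised sources, the single sanitizer (`htmlspecialchars`) and the `(int)` cast rule are assumptions made to keep the example short.

```python
"""Added example (not Pixy's code): a tiny taint check for PHP that reports
echo statements of request-derived data, and marks echoes of never-assigned
variables as findings that only hold when register_globals is enabled.

Assumptions: one assignment or echo per line, the request superglobals are the
only sources, htmlspecialchars() and an (int) cast are the only sanitizers."""
import re

SOURCES = ("$_GET", "$_POST", "$_COOKIE", "$_REQUEST")
ASSIGN_RE = re.compile(r"^\s*\$(\w+)\s*=\s*(.+?);\s*$")
ECHO_RE = re.compile(r"^\s*echo\s+(.+?);\s*$")
VAR_RE = re.compile(r"\$(\w+)")
SANITIZER_RE = re.compile(r"htmlspecialchars\s*\(")
INT_CAST_RE = re.compile(r"\(\s*int\s*\)")

CONDITIONAL = "XSS (only if register_globals is on)"

# Constructed sample input; it is not FluxBB code.
SAMPLE_PHP = """<?php
$name = $_GET['name'];
$safe = htmlspecialchars($_GET['name']);
$count = (int) $_POST['count'];
echo "Hello " . $name;
echo $safe;
echo $count;
echo $lang;
echo htmlspecialchars($lang);
"""


def expression_status(expr, env):
    """Classify an expression as 'clean', 'tainted' or 'unknown'.

    'unknown' means it reads a variable that this file never assigns, which is
    exactly the case register_globals turns into an attacker-controlled value."""
    if SANITIZER_RE.search(expr) or INT_CAST_RE.search(expr):
        return "clean"
    if any(source in expr for source in SOURCES):
        return "tainted"
    status = "clean"
    for var in VAR_RE.findall(expr):
        if var.startswith("_"):
            # Other superglobals such as $_SERVER are out of scope here.
            continue
        if var not in env or env[var] == "unknown":
            status = "unknown"
        elif env[var] == "tainted":
            return "tainted"
    return status


def scan_xss(src):
    """Walk the file once, tracking each variable's status, and return
    (line_no, finding) tuples for echo statements that emit tainted data."""
    env = {}
    findings = []
    for line_no, line in enumerate(src.splitlines(), start=1):
        assignment = ASSIGN_RE.match(line)
        if assignment:
            env[assignment.group(1)] = expression_status(assignment.group(2), env)
            continue
        echo = ECHO_RE.match(line)
        if echo:
            status = expression_status(echo.group(1), env)
            if status == "tainted":
                findings.append((line_no, "XSS"))
            elif status == "unknown":
                findings.append((line_no, CONDITIONAL))
    return findings


if __name__ == "__main__":
    for line_no, finding in scan_xss(SAMPLE_PHP):
        print(f"line {line_no}: {finding}")
```

On the sample this yields one unconditional finding (line 5, the unescaped `$name` from `$_GET`) and one conditional finding (line 8, `$lang`, never assigned in the file); the sanitized and integer-cast echoes produce nothing. When triaging a Pixy report against a deployment with register_globals off, the second kind is the one to deprioritise.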