Re: PHP security analysis

["Nikhil Wagholikar" <visitnikhil () gmail com>]

Hi Umut Arus,

There are many tools out in market for security analysis of PHP codes.
Some of them are mentioned below:

1. PHP Security Scanner:

Desc: PHP Security Scanner is a tool written in PHP intended to search
PHP code for vulnarabilities. MySQL DB stores patterns to search for
as well as the results from the search. The tool can scan any
directory on the file system.

License: GPL

More Information: http://securityscanner.lostfiles.de/

2. Pixy

Desc: Pixy is a Java program that performs automatic scans of PHP 4
source code, aimed at the detection of XSS and SQL injection
vulnerabilities. Pixy takes a PHP program as input, and creates a
report that lists possible vulnerable points in the program, together
with additional information for understanding the vulnerability.

License: Open Source (not sure!!)

More Information: http://pixybox.seclab.tuwien.ac.at/pixy/documentation.php

3. PHP-Stat

Desc: PHP-Sat is a Static Analysis Tool which can perform several
static checks on PHP source code. Each check is described by a
bug-pattern which explains why the pattern is recognized and what one
can do to fix it. There are checks for correctness, style and
security.

License: LGPL (GNU Lesser General Public License)

More Information: http://www.program-transformation.org/PHP/PhpSat

4. PHP String Analyzer

Desc: PHP string analyzer is a static program analyzer that
approximates the string output of a PHP program with a context-free
grammar. The analyzer can be used to check properties of a PHP
program. For example, it can be used to validate dynamically generated
Web pages by a PHP program.

License: Open Source (not sure!!)

More Information: http://www.score.is.tsukuba.ac.jp/~minamide/phpsa/

----
Nikhil Wagholikar
Practice Lead | Security Assessment Team
NII Consulting
Web: http://www.niiconsulting.com/
Security Products: http://www.niiconsulting.com/products.html


On Fri, May 9, 2008 at 1:05 AM, Umut Arus <umuta () sabanciuniv edu> wrote:
> Hi,
>
> I'm looking for the best web application analysis which is the tool especially PHP. I want to analyse the written PHP 
> codes for security holes. It is not important the way of scanning. It may be a command tool or URL scanning. It 
> should be a free or one time tool.
>
> Which tool gives the most detailed information?
>
> Regards,
>
> ------------------------------------------------------------------------
> This list is sponsored by: Cenzic
>
> Need to secure your web apps NOW?
> Cenzic finds more, "real" vulnerabilities fast.
> Click to try it, buy it or download a solution FREE today!
>
> http://www.cenzic.com/downloads
> ------------------------------------------------------------------------

------------------------------------------------------------------------
This list is sponsored by: Cenzic

Need to secure your web apps NOW?
Cenzic finds more, "real" vulnerabilities fast.
Click to try it, buy it or download a solution FREE today!

http://www.cenzic.com/downloads
------------------------------------------------------------------------