During the past month I spend a lot of time improving RIPS – my static analysis tool for PHP vulnerabilities. You can download the new version 0.40 here. In this post I will give a short project status report.
Whats new
There has been a couple of bugfixes and improving especially regarding file inclusions which are vital for correct analysis. Also RIPS now tries to analyse SQL queries on quotes before a decision on correct securing is made. However this feature is still not 100% working correctly in all cases.
// safe
$name = mysql_real_escape_string($_GET['name']);
mysql_query("SELECT * FROM users WHERE name = '$name'");
// vulnerable
$id = mysql_real_escape_string($_GET['id']);
mysql_query("SELECT * FROM users WHERE id = $id");
The main new visible features are graphs. Besides the list of all scanned files RIPS now gives a nice overview on how files are connected to eachother, what files accept sources (userinput) and what files have sensitive sinks or vulnerabilities. It also splits the scanned files in main files (blue) and included files (red) so that entry points can be spotted easily.
Also all function calls are visible in a connected graph. Red lines are highlighting the code flow of each vulnerability. With these features it is very easy to spot in which file a vulnerability exists and which functions have to be called to reach the sensitive sink before you actually look at the code.
Another important feature is that code snippets that belong to the same vulnerability are now grouped and titled with the vulnerability category. In earlier versions they were unconnected and one had to jump between several snippets. With this it is now possible to look at specific vulnerability categories and to hide unimportant ones. This can be done by clicking on the categories name in the statistics window that also has been improved with a pie chart (HTML5 for the win ;)).
Also a new vulnerability type “Unserialize / POP” has been added that allows you to search for unserialize() sinks and interesting POP gadget functions (more info here). For more changes have a look at the changelog.
Whats missing
The main drawback of RIPS is still the missing support of Object-Oriented Programming (OOP). That means that almost all large code projects can not be scanned sufficiently and vulnerabilities will not be detected correctly. RIPS also still has problems with large non-OOP projects with complicated include structures. The new version improves the include strategie a lot, however if the filename is fetched from a database or build over several userdefined functions it is hard to reconstruct a string with static analysis. Also, a big block on my todo-list includes several bugs with the detection of proper and inproper securing that is also hard to detect with static analysis. So RIPS 0.40 remains being a good tool for small to bigger non-OOP apps but fails if you seriously want to scan WordPress or phpBB.
Whats coming
Scanning large OOP apps is still the main goal. After fixing currently known bugs (which are decreasing but finally increasing again every day ;)) it will be time for implementing basic OOP features. At the same time a complete rewrite is planned to improve development and contain new bugs. Also some basic behavior of RIPS needs to be changed to detect vulnerabilities more correctly. This includes the line-by-line reading which should be replaced by codeblocks and the handling of different data types, especially arrays. There has been some interests lately for a joint development so I am looking forward to how RIPS will evolve.
If you are aware of a bug in the new version or have a feature request please leave a comment or issue a request at sourceforge.
Reiners' Weblog 
It seems a delicious project but when i run with a given recursive path to scan, after some minutes it prints this error message:
Network error (500) Could not access main.php. Make sure you copied all files and your webserver is running.
But i have extracted the zip and my apache is running π
hi,
your webserver returned a HTTP 500 (Internal server error). Because it took “some minutes” I guess you started with a large code base, maybe even OOP code? Check if it works with smaller code (PoC: <?php system($_GET[‘a’]); ?> ). If you have a large project causing that error a minimal reproducable code would be nice to have to fix the problem.
If you still have problems let me know. Thank you for your feedback!
You are right, the project was too big. If i scan to smaller directory it works like a charm. Thank you π
ok perfect π if you want to scan more code at once you can change the set_time_limit() setting in config/general.php but I highly recommend to only select on entry point file at once for really large applications.
thanks very much… nice sharing.. I like it..
Thanks for doing this project – I like it a lot and I’m really looking forward to OOP-analysis being implemented. Good job so far!
I get error:
Fatal error: Maximum function nesting level of ‘100’ reached, aborting! in C:\wamp\www\rips\functions\scan.php on line 558
when I scan a folder with several PHP files. I guess it’s because the include tree structure is big?
the error is in the getmultiline() function that tries to detect and catch all tokens belonging to one instruction, when written over several lines. this function (and concept) is buggy and has been removed in the new version that does not handle php scripts line by line but instruction by instruction. However the version is not public available yet.
Thank you for your feedback π
Hi , nice updated , I’ve been continually followed your blog since two years ago …
I’m php programmer and very interested to your blog and your RIP project ….
thank you ;D
Hi Reiners,
Been playing with RIPS for a while. I am thinking about rewriting the front-end part to use as a cli application with out continuous integration server. One thing I stumbled upon is that php threw 300s timeout errors even though the script was run from terminal. Looking at the source it appeared the error was appearing when you are using array_merge(array_slice(), array_slice(), …) constructions.
While I’m still a bit puzzled about the 300 second timeout, rewriting it this way solved the problem:
$slice1 = array_slice(…);
$slice2 = array_slice(…);
array_merge($slice1, $slice2);
Errors are triggered in functions/scan.php
hi,
thank you for your hint. which php version did you use? I have seen several cli implementations, however a lot of work is and will be put in the auditing interface so I see no reason why one should use RIPS as cli π however this can easily be done by just calling the main.php, modify the output() function as whished and call it at the end of the main.php.
cheers
Reiners
Running it on Debian with php 5.3.3-7+squeeze3 with suhosin patch v0.9.32.1.
The idea behind the cli app is to integrate it with the development process and automate the task of code analysis. That would create i.e. nightly build, analyze the code and send an email alert in case something has been found.
Hi,
I just wanted to know how many files can RIPS handle at a time, because i keep getting the error when i try to generate a graph “Graphs have been disable for high file amount”.
Thanks.
Hi Mayur,
the amount of files RIPS can handle is not limited at all. however, because the graphs are very basic (not planar) it doesn’t make sense to display graphs for 50 files or more because they are very confusing and take a lot of time to render in your browser (all javascript). thats why I disabled them for a large file amount. however, you can go to /config/general.php and set the WARNFILES value to whatever you want to enable graphs for larger file amounts. I am planning to work on the graphs btw, so they should become planar one day similar to IDA Pro or something.
Best regards,
Reiners