New RIPS brings an Advent full of PHP Application Vulnerabilities

The year is coming to an end and many things have changed. In the past three years, I have researched new static code analysis techniques and finished the development of a complete new generation of RIPS. The new generation is a state-of-the-art SAST tool for the automated detection of security issues in PHP code and it’s based on a fundamentally different engine than the previous versions. With its strong focus on all subtlenesses and security pitfalls of the PHP language and with new code analysis techniques it clearly outperforms any other solution for PHP security analysis I have seen. Together with a passionate team of experts, we founded the RIPS Technologies company and released the next generation of RIPS as a standalone product and also as a cloud service. Although personally it was a difficult decision to commercialize a project I have been working on since 7 years, it is a great opportunity to continue working full-time on RIPS and to advance it together (join us!).

Due to all these changes there was little time left for research and new blog posts. Nonetheless, our team and customers have been using the next generation of RIPS daily throughout the year and as a result have discovered many interesting security bugs in PHP applications. In order to sweeten your Christmas time, we will publish a technical description for some of these bugs in form of an advent calendar at the RIPS Technologies Blog. Each day until Christmas, a new post will uncover a new security vulnerability or provide insights into the new RIPS engine and its cool features. I hope you will enjoy the posts and I wish you all a Merry Christmas!

Open the Advent of PHP Application Vulnerabilities (APAV) calendar

Project RIPS v0.54 – Status

I just updated RIPS and fixed some JavaScript errors that came up due to the latest browser updates (thank you for the reports). You can download it here. Now the code viewer and other window features should work again. At the same time I am announcing that the current version of RIPS will not be enhanced. The current engine does not allow further enhancement and suffers from bad language parsing. This leads to an inacceptable rate of false positives. Further, the current engine can not be extended to support OOP.

The good news is that I have rewritten RIPS completely during the past 6 month during my final master thesis at the Ruhr-University Bochum. RIPS 1.0 now uses Abstract Syntax Trees, Control Flow Graphs, and Context-Sensitive String Analysis doing it the academic way ;). The result looks very promising, but its worthless to share any results/numbers without sharing the tool. It is still under development and a release date is unknown, but already in its current state it is way better than RIPS 0.5. In the end, full OOP support is planned. Any updates will be released here or via twitter.

The project continues … =)

Project RIPS v0.50 – Status

I just released a new version of RIPS, my static analysis tool for vulnerabilities in PHP applications. You can find it at www.phpscan.net or www.phpscanner.net. A lot of things have changed and got improved but still a lot of things have to be done. Anyway, the new version is a huge step towards scanning large PHP projects.

Whats new

A major change is that RIPS now parses PHP code by instructions and not by lines anymore. This is much much more effective and accurate. Parsing code line by line worked out well for the most projects but also introduced a lot of bugs that are now fixed. RIPS is now even able to parse obfuscated PHP code and PHP backdoors.
Also I put a lot of work into the handling of arrays. In detail: [indexes] behind a variable are now removed and added to the variable token seperatly which allows much more accurate semantic parsing of connected tokens. The index value can now be reconstructed recursively and compared to other index values.
Finally RIPS is able to scan large open source projects (non-OOP). A new feature showing the current scan status and the current file that is scanned as well as a approximated timeleft supports this.
A new feature called leakscan is added that is able to detect if the output of a sensitive sink is returned to the user. In example this helps to detect where the result of your SQL Injection is printed or embedded to a header or if you have to use blind SQL Injection techniques.

Whats coming

A new release will ship a lot more documentation what RIPS has actually found and why this is a vulnerability. By now RIPS helps to understand the vulnerability type but a lot of vulnerabilities are very special so that a description for every single sensitive sink makes sense.
The next big step is to implement a initial preparsing phase where functions and their properties are indexed. After this phase all function calls can be interpreted correctly. By now, RIPS still scans top down and misses functions that are called before they are actually declared in the code. With this new structure several bugs regarding securing and quote analysis can be fixed. Then the support of object oriented programming (OOP) code can be added. Also the graphs have to be improved a lot.

Again, if you have any feedback, feature requests, false positives/negatives or code that will make RIPS struggle/hang please contact me.

Happy new year everyone !!! 🙂

Project RIPS – Status

During the past month I spend a lot of time improving RIPS – my static analysis tool for PHP vulnerabilities. You can download the new version 0.40 here. In this post I will give a short project status report.

Whats new

There has been a couple of bugfixes and improving especially regarding file inclusions which are vital for correct analysis. Also RIPS now tries to analyse SQL queries on quotes before a decision on correct securing is made. However this feature is still not 100% working correctly in all cases.

// safe
$name = mysql_real_escape_string($_GET['name']);
mysql_query("SELECT * FROM users WHERE name = '$name'");

// vulnerable
$id = mysql_real_escape_string($_GET['id']);
mysql_query("SELECT * FROM users WHERE id = $id");

The main new visible features are graphs. Besides the list of all scanned files RIPS now gives a nice overview on how files are connected to eachother, what files accept sources (userinput) and what files have sensitive sinks or vulnerabilities. It also splits the scanned files in main files (blue) and included files (red) so that entry points can be spotted easily.

Also all function calls are visible in a connected graph. Red lines are highlighting the code flow of each vulnerability. With these features it is very easy to spot in which file a vulnerability exists and which functions have to be called to reach the sensitive sink before you actually look at the code.

Another important feature is that code snippets that belong to the same vulnerability are now grouped and titled with the vulnerability category. In earlier versions they were unconnected and one had to jump between several snippets. With this it is now possible to look at specific vulnerability categories and to hide unimportant ones. This can be done by clicking on the categories name in the statistics window that also has been improved with a pie chart (HTML5 for the win ;)).

Also a new vulnerability type “Unserialize / POP” has been added that allows you to search for unserialize() sinks and interesting POP gadget functions (more info here). For more changes have a look at the changelog.

Whats missing

The main drawback of RIPS is still the missing support of Object-Oriented Programming (OOP). That means that almost all large code projects can not be scanned sufficiently and vulnerabilities will not be detected correctly. RIPS also still has problems with large non-OOP projects with complicated include structures. The new version improves the include strategie a lot, however if the filename is fetched from a database or build over several userdefined functions it is hard to reconstruct a string with static analysis. Also, a big block on my todo-list includes several bugs with the detection of proper and inproper securing that is also hard to detect with static analysis. So RIPS 0.40 remains being a good tool for small to bigger non-OOP apps but fails if you seriously want to scan WordPress or phpBB.

Whats coming

Scanning large OOP apps is still the main goal. After fixing currently known bugs (which are decreasing but finally increasing again every day ;)) it will be time for implementing basic OOP features. At the same time a complete rewrite is planned to improve development and contain new bugs. Also some basic behavior of RIPS needs to be changed to detect vulnerabilities more correctly. This includes the line-by-line reading which should be replaced by codeblocks and the handling of different data types, especially arrays. There has been some interests lately for a joint development so I am looking forward to how RIPS will evolve.

If you are aware of a bug in the new version or have a feature request please leave a comment or issue a request at sourceforge.

RIPS – A static source code analyser for vulnerabilities in PHP scripts

In the last years I have been working on my PHP Scanner (now called RIPS) which has been released recently during the Month Of PHP Security and was awarded as the 2nd best external submission.
RIPS is a tool written in PHP itself and designed to easily detect, review and exploit PHP vulnerabilities by static source code and taint analysis. It is open source and freely available at SourceForge (yey!).

Before using it I recommend reading the paper (HTML, PDF) I submitted to be aware of the limitations RIPS has, either due to static source code analysis or because of my implementation of it.
In short: RIPS is not ready yet for firing it on big code trees like wordpress, but I think it does a good job for home-made or smaller open source apps and in assisting code reviews. I hope I will find time in the future to improve RIPS and I am honestly thankful for any feedback, bugreports, code improvements or feature requests.

[download RIPS]

Update 04.07.10: A new version 0.31 has been released.
Update 13.08.10: A new version 0.32 has been released.
Update 11.09.10: A new version 0.33 has been released.

Book recommendation

I know its hard to find the right gifts for christmas, so here is my recommendation. This book by Mario Heiderich, Christian Matthies, fukami and myself covers everything you ever wanted to know about securing webapplications.

The book is in german and guides you through writing secure webapplications (including flash) giving plenty examples for common problems, how to solve them and how to maintain your webapp. You will also learn everything about encoding and other basics, as well as the german law situation regarding webappsec. In the second part of the book we describe all common vulnerabilites in detail, including XSS, CSRF, SQLi, RCE, LFI and much more.
I can honestly recommend this book for beginners as well as for advanced developers and I’m sure even experts will learn some new tricks. It’s available in the next few days and should not be missing on your wish list ! 😉

Interview on PHP-IDS

Since I’m too lazy to write something on my about page atm, you can get some info about me at the PHP-IDS website, a webapplication IDS project I really like and supported with some SQLi vectors.