December 31, 2011
I just released a new version of RIPS, my static analysis tool for vulnerabilities in PHP applications. You can find it at www.phpscan.net or www.phpscanner.net. A lot of things have changed and been improved, but a lot still has to be done. Anyway, the new version is a huge step towards scanning large PHP projects.
A major change is that RIPS now parses PHP code by instructions and not by lines anymore. This is much more effective and accurate. Parsing code line by line worked out well for most projects but also introduced a lot of bugs that are now fixed. RIPS is now even able to parse obfuscated PHP code and PHP backdoors.
I also put a lot of work into the handling of arrays. In detail: [indexes] behind a variable are now removed and added to the variable token separately, which allows much more accurate semantic parsing of connected tokens. The index value can now be reconstructed recursively and compared to other index values.
Finally, RIPS is able to scan large open source projects (non-OOP). A new feature showing the current scan status, the file currently being scanned and an approximate time left supports this.
A new feature called leakscan has been added that detects whether the output of a sensitive sink is returned to the user. For example, this helps to determine where the result of your SQL injection is printed or embedded in a header, or whether you have to use blind SQL injection techniques.
A new release will ship a lot more documentation on what RIPS has actually found and why it is a vulnerability. Currently RIPS helps to understand the vulnerability type, but many vulnerabilities are very specific, so a description for every single sensitive sink makes sense.
The next big step is to implement an initial preparsing phase in which functions and their properties are indexed. After this phase, all function calls can be interpreted correctly. Currently, RIPS still scans top down and misses functions that are called before they are declared in the code. With this new structure, several bugs regarding securing and quote analysis can be fixed. Then support for object-oriented programming (OOP) code can be added. The graphs also have to be improved a lot.
Again, if you have any feedback, feature requests, false positives/negatives or code that makes RIPS struggle/hang, please contact me.
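To make the index handling concrete, here is an added example (not RIPS code and not from the original post) of how a variable token can be split into its base variable and a bracket-matched list of index expressions, how index values can then be resolved recursively to constants, and how two tokens can be compared to decide whether they name the same array element. The `ASSIGNMENTS` map and the sample tokens are constructed for the illustration; a real analyser would gather the assignments from the scanned code.

```python
def split_indexes(token):
    """Split a PHP variable token such as $a['x'][$b['y']] into its base variable
    and a list of index expressions. Brackets are matched so nested indexes stay whole."""
    base_end = token.find('[')
    if base_end == -1:
        return token, []
    indexes, depth, start = [], 0, None
    for i in range(base_end, len(token)):
        ch = token[i]
        if ch == '[':
            if depth == 0:
                start = i + 1
            depth += 1
        elif ch == ']':
            depth -= 1
            if depth == 0:
                indexes.append(token[start:i])
    return token[:base_end], indexes


def resolve_index(expr, assignments):
    """Reduce an index expression to a constant string when possible.
    Quoted strings and integer literals resolve directly; a variable is
    normalised (its own indexes resolved recursively) and looked up in
    `assignments`. Returns None when the value is not statically known."""
    expr = expr.strip()
    if len(expr) >= 2 and expr[0] in "'\"" and expr[-1] == expr[0]:
        return expr[1:-1]
    if expr.isdigit():
        return expr
    if expr.startswith('$'):
        return assignments.get(normalize(expr, assignments))
    return None


def normalize(token, assignments):
    """Canonical form with every resolvable index folded to its value, e.g.
    $_GET[$k] with $k = 'name' becomes $_GET[name]; unknown indexes become [?]."""
    base, indexes = split_indexes(token)
    folded = []
    for idx in indexes:
        value = resolve_index(idx, assignments)
        folded.append('[' + ('?' if value is None else value) + ']')
    return base + ''.join(folded)


def same_element(token_a, token_b, assignments):
    """True only when both tokens provably name the same array element;
    any unresolved index makes the comparison fail closed."""
    a, b = normalize(token_a, assignments), normalize(token_b, assignments)
    return '?' not in a and a == b


# Constructed assignments for the illustration: $k = 'name'; $keys[0] = 'id'.
ASSIGNMENTS = {'$k': 'name', '$keys[0]': 'id'}

if __name__ == '__main__':
    print(split_indexes("$a[$b['x']][1]"))                          # ('$a', ["$b['x']", '1'])
    print(normalize("$_GET[$keys[0]]", ASSIGNMENTS))                # $_GET[id]
    print(same_element("$_GET['name']", "$_GET[$k]", ASSIGNMENTS))  # True
```

The fail-closed rule in `same_element` matters for taint tracking: treating `$_GET[$unknown]` as equal to `$_GET['name']` would let a sanitised element stand in for an unsanitised one.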
Happy new year everyone !!! 🙂
4 Comments | PHP, Projects, Web Security | Tagged: PHP Analyser, PHP Scanner, RIPS, static analysis | Permalink
Posted by Reiners
June 4, 2011
During the past month I spent a lot of time improving RIPS – my static analysis tool for PHP vulnerabilities. You can download the new version 0.40 here. In this post I will give a short project status report.
There have been a couple of bugfixes and improvements, especially regarding file inclusions, which are vital for correct analysis. Also, RIPS now tries to analyse SQL queries for quotes before a decision on correct securing is made. However, this feature still does not work correctly in all cases.
$name = mysql_real_escape_string($_GET['name']);
mysql_query("SELECT * FROM users WHERE name = '$name'"); // escaped value sits inside quotes: correctly secured
$id = mysql_real_escape_string($_GET['id']);
mysql_query("SELECT * FROM users WHERE id = $id"); // escaped value in an unquoted numeric context: escaping does not prevent injection
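As an added illustration (example code, not part of RIPS or of this post), the following Python snippet performs the kind of quote check described above on the two queries: it records which variables were assigned from mysql_real_escape_string(), extracts the double-quoted string literal handed to mysql_query(), and tracks single-quote state while scanning that literal for interpolated variables. The PHP sample (the two queries above plus one that interpolates a never-escaped value) and the verdict labels are constructed for the example.

```python
import re

# Constructed PHP sample for the illustration (not from the post's project).
SAMPLE_PHP = r'''
$name = mysql_real_escape_string($_GET['name']);
mysql_query("SELECT * FROM users WHERE name = '$name'");
$id = mysql_real_escape_string($_GET['id']);
mysql_query("SELECT * FROM users WHERE id = $id");
$order = $_GET['sort'];
mysql_query("SELECT * FROM users ORDER BY $order");
'''

ESCAPE_ASSIGN = re.compile(r'\$(\w+)\s*=\s*mysql_real_escape_string\(')
QUERY_LITERAL = re.compile(r'mysql_query\(\s*"((?:[^"\\]|\\.)*)"')
VAR_REF = re.compile(r'\$(\w+)')


def escaped_vars(php_src):
    """Names of variables assigned directly from mysql_real_escape_string()."""
    return set(ESCAPE_ASSIGN.findall(php_src))


def query_literals(php_src):
    """Double-quoted string literals passed straight to mysql_query()."""
    return QUERY_LITERAL.findall(php_src)


def var_contexts(sql):
    """Return [(variable, inside_single_quotes)] for every $var interpolated in a
    double-quoted SQL string, tracking single-quote state character by character
    and skipping backslash-escaped characters."""
    contexts, in_quotes, i = [], False, 0
    while i < len(sql):
        ch = sql[i]
        if ch == '\\':
            i += 2
            continue
        if ch == "'":
            in_quotes = not in_quotes
        elif ch == '$':
            m = VAR_REF.match(sql, i)
            if m:
                contexts.append((m.group(1), in_quotes))
                i = m.end()
                continue
        i += 1
    return contexts


def classify(php_src):
    """Verdict per interpolated variable: 'secured' (escaped and quoted),
    'escaped but unquoted' (escaping is useless in a numeric context) or
    'unescaped'."""
    escaped = escaped_vars(php_src)
    verdicts = {}
    for sql in query_literals(php_src):
        for name, quoted in var_contexts(sql):
            if name not in escaped:
                verdicts[name] = 'unescaped'
            elif quoted:
                verdicts[name] = 'secured'
            else:
                verdicts[name] = 'escaped but unquoted'
    return verdicts


if __name__ == '__main__':
    for var, verdict in classify(SAMPLE_PHP).items():
        print(f'${var}: {verdict}')
```

The check looks at a single double-quoted literal per call; queries built by concatenation or across several statements, and the mysqli/PDO APIs, are out of scope for this example.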
The main new visible features are graphs. Besides the list of all scanned files, RIPS now gives a nice overview of how files are connected to each other, which files accept sources (user input) and which files have sensitive sinks or vulnerabilities. It also splits the scanned files into main files (blue) and included files (red) so that entry points can be spotted easily.
All function calls are also visible in a connected graph. Red lines highlight the code flow of each vulnerability. With these features it is very easy to spot in which file a vulnerability exists and which functions have to be called to reach the sensitive sink, before you actually look at the code.
Another important feature is that code snippets that belong to the same vulnerability are now grouped and titled with the vulnerability category. In earlier versions they were unconnected and one had to jump between several snippets. It is now possible to look at specific vulnerability categories and to hide unimportant ones. This can be done by clicking on the category's name in the statistics window, which has also been improved with a pie chart (HTML5 for the win ;)).
A new vulnerability type “Unserialize / POP” has also been added that allows you to search for unserialize() sinks and interesting POP gadget functions (more info here). For more changes, have a look at the changelog.
The main drawback of RIPS is still the missing support for Object-Oriented Programming (OOP). That means that almost all large code projects cannot be scanned sufficiently and vulnerabilities will not be detected correctly. RIPS also still has problems with large non-OOP projects with complicated include structures. The new version improves the include strategy a lot; however, if the filename is fetched from a database or built across several user-defined functions, it is hard to reconstruct the string with static analysis. Also, a big block on my todo list is several bugs in the detection of proper and improper securing, which is also hard with static analysis. So RIPS 0.40 remains a good tool for small to larger non-OOP apps but fails if you seriously want to scan WordPress or phpBB.
Scanning large OOP apps is still the main goal. After fixing the currently known bugs (which are decreasing but finally increasing again every day ;)) it will be time for implementing basic OOP features. At the same time a complete rewrite is planned to improve development and contain new bugs. Also, some basic behaviour of RIPS needs to be changed to detect vulnerabilities more correctly. This includes the line-by-line reading, which should be replaced by code blocks, and the handling of different data types, especially arrays. There has been some interest lately in a joint development, so I am looking forward to how RIPS will evolve.
If you are aware of a bug in the new version or have a feature request, please leave a comment or issue a request at SourceForge.
14 Comments | PHP, Projects, Web Security | Tagged: PHP Analyser, PHP Scanner, RIPS, static analysis
Posted by Reiners
June 11, 2010
Over the last years I have been working on my PHP Scanner (now called RIPS), which was released recently during the Month Of PHP Security and was awarded 2nd best external submission.
RIPS is a tool written in PHP itself and designed to easily detect, review and exploit PHP vulnerabilities by static source code and taint analysis. It is open source and freely available at SourceForge (yey!).
Before using it I recommend reading the paper (HTML, PDF) I submitted to be aware of the limitations RIPS has, either due to static source code analysis or because of my implementation of it.
In short: RIPS is not ready yet to be fired at big code trees like WordPress, but I think it does a good job for home-made or smaller open source apps and in assisting code reviews. I hope I will find time in the future to improve RIPS and I am honestly thankful for any feedback, bug reports, code improvements or feature requests.
Update 04.07.10: A new version 0.31 has been released.
Update 13.08.10: A new version 0.32 has been released.
Update 11.09.10: A new version 0.33 has been released.
26 Comments | PHP, Projects, Web Security | Tagged: PHP Analyser, PHP Scanner, RIPS
Posted by Reiners