[nycphp-talk] Web app security scanners

max max at neuropunks.org
Wed Apr 19 11:49:43 EDT 2006


Well, I personally use switch() to filter main input (like index.php?section=about)
and then everything that's GET or POST goes into addslashes and either has html/script things stripped, or converted to htmlentities.
If you look at preg_replace on the php.net manual, you'll find some examples on how to strip html/script tags easily.
This audit was still useful in my opinion. It's good to be able to see what someone who charges, and apparently successfully, for their scanning software would do to simulate real attacks.
Obviously, I can google for XSS, and I have, but another set of eyes is always great.


2c...


On Wed, Apr 19, 2006 at 09:29:35AM +0530, Anirudh Zala wrote:
> I have 1 small comment on this issue. Instead of using any other software  
> to scan all these, can't we scan all our get and post variable for  
> validity of data using regular expressions?
> 
> For example, we can have 3 numeric variables that we receive via GET method.  
> Before using them for further operations in our script, we can design a  
> function that can check data associated with those 3 variables. If data of  
> any of those variables seems invalid you can throw a 400 error (Bad request).
> 
> I assume we can control 90% of our data by scanning it ourselves since  
> we most of the time know what data is going to arrive with those variables.  
> Similarly we can do for POST variables as well.
> 
> <?php
> 
> include_once 'some_function.inc';
> 
> scanGetVars($_GET);
> 
> ...
> ...
> rest of code.
> rest of code.
> ...
> ...
> 
> ?>
> 
> Thanks
> Anirudh Zala
> 
> On Wed, 19 Apr 2006 07:39:27 +0530, <max at neuropunks.org> wrote:
> 
> >
> > Yup, it was this http://www.acunetix.com/vulnerability-scanner/audit.aspx
> > They do verify if your email address matches the site though.
> > In my case, the IP block the dev site was on is owned by our company, so  
> > I emailed them from my work email, and they queued it up. The email  
> > about verification did come from a real human too.
> > If you'd like, I can email you off list the logfiles from the webserver  
> > so you can see the queries they make.
> >
> >
> >
> >
> >
> > --- Original Message ---
> > From: inforequest <1j0lkq002 at sneakemail.com>
> > Sent: Tue, 18 Apr 2006 10:41:14 -0700
> > To: talk at lists.nyphp.org
> > Subject: Re: [nycphp-talk] Web app security scanners
> >
> >>
> >> Thanks Max. Did you go for the "free website audit" because I dl'ed  
> >> the
> >> free scanner and it says it only runs against their test sites, not your
> >> own sites. Thanks.
> >>
> >> -=john andrews
> >> http://www.seo-fun.com
> >>
> >>
> >> max max-at-neuropunks.org |nyphp dev/internal group use| wrote:
> >>
> >> >Well, here's a short followup on this.
> >> >I used the acunetix free web based scanner, and it seems to be pretty  
> >> thorough.
> >> >The free report of course has no details in it, only the number of  
> >> potential problems.
> >> >However, looking at the webserver logs, you can see what they were  
> >> checking for, and it looks serious.
> >> >They try 13 different XSS attacks, 3 sql injections, cookie rewriter,  
> >> all kinds of dir traversal, and
> >> >trace/track/connect http request issues.
> >> >I still don't think I'm going to dish out 3 something K for the full  
> >> version, but at least from their brief report you can check the logs  
> >> for their requests, and see your server's response, and try it  
> >> yourself.
> >> >Pretty educational overall actually.
> >> >
> >> >
> >> >On Sat, Apr 15, 2006 at 01:09:38PM -0500, Max Gribov wrote:
> >> >
> >> >
> >> >>Hello all,
> >> >>does anyone know of any opensource/free web app security scanner?
> >> >>Basically, I just want something (else besides me) to go through all  
> >> the
> >> >>GET's and POST's on my PHP site and see if XSS/sql injection/etc is
> >> >>possible.
> >> >>I certainly did an audit of my own code, but another pair of eyes,
> >> >>especially automated, would never hurt.
> >> >>Something down the lines of Nessus only for web apps basically.
> >> >>I've seen this: www.acunetix.com, and signed up for a trial audit,  
> >> but
> >> >>am wondering if there is something I can actually download.
> >> >>I haven't seen anything on freshmeat or even google, most things are
> >> >>either tutorials or non-free.
> >> >>
> >> >>thanks!
> >> >>
> >> >>max
> >> >>_______________
> >> >>
> >>
> >> _______________________________________________
> >> New York PHP Community Talk Mailing List
> >> http://lists.nyphp.org/mailman/listinfo/talk
> >> New York PHP Conference and Expo 2006
> >> http://www.nyphpcon.com
> >> Show Your Participation in New York PHP
> >> http://www.nyphp.org/show_participation.php
> >>
> >>
> 
> 
> 
> -- 
> -----------------------------------------------
> Anirudh Zala (Project Manager)
> ASPL, http://www.aspl.in
> Ph: +91 281 245 1894
> arzala at gmail.com
> -----------------------------------------------
> 
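
Added example, not code from anyone in this thread: one way to implement the GET scanning Anirudh describes (a fixed set of expected variables, each checked against a regular expression, 400 on anything unexpected) together with the section whitelist and htmlentities-style output encoding Max mentions. The function name scanGetVars is borrowed from Anirudh's sketch; the $rules table, parameter names and patterns are assumptions for illustration.

```php
<?php
// Added example (not from the thread). Every expected GET parameter is listed
// with the pattern it must match; anything else is treated as a bad request.
// Parameter names and patterns below are assumed for illustration.
$rules = [
    'section' => '/^(about|news|contact)$/', // fixed page names, like a switch()
    'id'      => '/^[1-9][0-9]{0,8}$/',      // positive integer, bounded length
    'page'    => '/^[0-9]{1,3}$/',           // small non-negative integer
    'per'     => '/^(10|25|50)$/',           // one of a few allowed page sizes
];

/**
 * Return the validated parameters as strings, or null when any parameter is
 * unknown, missing, not a plain string (e.g. ?id[]=1) or fails its pattern.
 * Rejecting unknown keys keeps unexpected input out of the rest of the script.
 */
function scanGetVars(array $get, array $rules): ?array
{
    foreach (array_keys($get) as $key) {
        if (!isset($rules[$key])) {
            return null; // parameter not in the whitelist
        }
    }
    $clean = [];
    foreach ($rules as $key => $pattern) {
        if (!isset($get[$key]) || !is_string($get[$key])) {
            return null; // required parameter missing or not a scalar
        }
        // preg_match returns 1 on match, 0 on no match, false on error;
        // only an exact 1 is accepted.
        if (preg_match($pattern, $get[$key]) !== 1) {
            return null;
        }
        $clean[$key] = $get[$key];
    }
    return $clean;
}

$params = scanGetVars($_GET, $rules);
if ($params === null) {
    header('HTTP/1.0 400 Bad Request');
    exit('Bad request');
}

// Validated values are still encoded before being echoed back into HTML,
// so a value that passed the pattern cannot break out of the markup.
$section = htmlspecialchars($params['section'], ENT_QUOTES, 'UTF-8');
echo '<h1>' . $section . '</h1>';
```

With the patterns above, a request such as index.php?section=about&id=42&page=1&per=25 passes, while an extra parameter, a non-numeric id or an array-valued parameter gets a 400 before any further code runs.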


