I've been looking for some time now and have come up short. The most promising I found was Spike PHP, which seems to no longer work. I'm looking to scan my code for potential risks of SQL Injection, XSS, etc. I've gone through most of my code manually, but with a few hundred thousand lines of code, I'm sure I missed things. If possible, are there any tools that can be downloaded and analyze code on my local machine rather than installing to the live server (this isn't a requirement if not)?
- Take a look at skipfish from Google. It doesn't focus on PHP but it will attack your code. – Mar 12 '11 at 23:59
- From what I was reading it would run on the server and could disrupt service, which isn't an option since this isn't something that is in development, it is on a live site. – Mar 13 '11 at 00:09
- Voted to close as duplicate. Really, there are a lot of similar items here: http://security.stackexchange.com/questions/10/how-to-perform-a-security-audit-for-a-php-application, http://security.stackexchange.com/questions/1088/scripting-a-search-through-php-files-for-dangerous-calls-for-manual-review, http://security.stackexchange.com/questions/32/what-tools-are-available-to-assess-the-security-of-a-web-application – Mar 13 '11 at 10:03
- I do think this is a duplicate, however as it has been migrated across I think leaving it open for a while but moving @Ams comment to an answer might help the original poster see the other questions. – Rory Alsop Mar 13 '11 at 12:15
- Sorry, I didn't realize one had been opened for security until this question got moved from Server Fault. – James Simpson Mar 15 '11 at 05:43
- Skipfish can destroy your server. It can be run from any command line against any command line. You can also throttle it so that it doesn't beat up your server. I still think you should try skipfish – Stewart Robinson Mar 15 '11 at 20:23
6 Answers
There's a static code analysis tool for PHP called RIPS. I've not had the chance to use it as yet, but it sounds like it's in the right kind of area for what you're looking to do.
On the commercial tool side of things, Fortify SCA has support for PHP, as far as I know.
Check out YASCA. From their own site: it's a "glorified grep script" plus an aggregator of other open-source tools. I've had some success with this discovering security issues in the past, although I'd have to agree with the previous post that the commercial alternatives I've tried really are a couple of moves ahead.
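A minimal illustration of the "glorified grep" approach this answer describes, added here as example code (it is not YASCA's code nor part of any answer): it scans a constructed PHP snippet for request superglobals reaching SQL and output sinks, tracking taint through direct assignments within one file, and its docstring spells out what such a heuristic misses, which is why the answers here say these tools have limited coverage.

```python
import re

# Constructed PHP sample (not from the original post): two findings, two clean lines.
SAMPLE_PHP = r'''<?php
$id = $_GET['id'];
$res = mysql_query("SELECT * FROM users WHERE id = " . $id);
echo "<p>" . $_POST['name'] . "</p>";
echo htmlspecialchars($_GET['q'], ENT_QUOTES, 'UTF-8');
$stmt = $pdo->prepare("SELECT * FROM users WHERE id = ?");
'''

SOURCE = re.compile(r'\$_(?:GET|POST|REQUEST|COOKIE)\b')
ASSIGN = re.compile(r'^\s*(\$\w+)\s*=(?!=)')  # "$var = ..." at statement start
SINKS = {
    'SQLi': re.compile(r'\b(?:mysql_query|mysqli_query|pg_query)\s*\(|->(?:query|exec)\s*\('),
    'XSS': re.compile(r'^\s*(?:echo|print)\b'),
}
SANITIZER = re.compile(r'\b(?:htmlspecialchars|htmlentities|intval|mysqli_real_escape_string)\s*\(')


def scan_php(src):
    """Return [(line_no, category, stripped_line)] where request input reaches a sink.
    Taint is tracked only through direct '$var = <tainted>' assignments in file order;
    flows through functions, arrays, includes or string interpolation are missed, and
    a single sanitizer call anywhere on a line suppresses the whole line. Those gaps
    are exactly what a grep-style scanner cannot close without real data-flow analysis."""
    tainted = set()
    findings = []
    for no, line in enumerate(src.splitlines(), start=1):
        uses_taint = bool(SOURCE.search(line)) or any(
            re.search(re.escape(v) + r'\b', line) for v in tainted)
        m = ASSIGN.match(line)
        if m and uses_taint:
            tainted.add(m.group(1))  # propagate taint to the assigned variable
        if not uses_taint or SANITIZER.search(line):
            continue
        for cat, sink in SINKS.items():
            if sink.search(line):
                findings.append((no, cat, line.strip()))
    return findings


if __name__ == '__main__':
    for no, cat, text in scan_php(SAMPLE_PHP):
        print(f'line {no}: possible {cat}: {text}')
```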
Unfortunately, the free tools aren't that great; they're pretty limited, not so easy to use for a security novice, and/or have only limited coverage of potential security issues.
You could look at free web pentesting tools, e.g., Burp Suite. For more recommendations, see, e.g., the following questions on this site: security assessment, pen testing tools. However, realize that they have limited coverage and will miss many vulnerabilities.
AppScan Source, a commercial tool from IBM, also has support for PHP.
Since the general consensus had covered the free PHP analysis tools as not being great, and another commenter had mentioned commercial tools, I though I would throw it in for completeness. I'm happy to delete it, though. – Aaron Mar 21 '11 at 18:28
The Spike PHP Security Audit Tool is another static analysis tool to scan for security problems in PHP code.
- Acunetix
- Nikto
- Nessus
- Wapiti
- QualysGuard WAS
- w3af
These will scan and audit your server/website and return insecurities. They are very useful.