SitePoint PHP Blog:
How to Scan Fingerprints with Async PHP and React Native
Jun 07, 2017 @ 11:52:09

The SitePoint PHP blog has posted a tutorial from Christopher Pitt with another interesting use of PHP: using it and React to scan fingerprints to aid in multi-factor authentication.

We live in interesting times. A short while ago, a company called OfferZen announced a new, programmable credit card. It’s been a long time since I was this excited to get my hands on a piece of tech. My mind has been brimming with ideas ever since.

So, I decided to write about one of them!

I’m going to describe the process of building custom multi-factor authentication for all transactions. I don’t want to do the usual (and boring on its own) SMS or push notification one-time-password stuff. I want to build a fingerprint scanner right into my phone. [...] In this tutorial, we’re going to look at how to set up a simple iOS app using React Native. We will also set up an asynchronous HTTP server, with a web socket connection to the app.

He starts by taking some time to introduce React Native for those not familiar with it and what it brings to the table. He then walks through the installation of React Native and how to install the TouchID package using yarn. He also includes some simple JS code you can use to ensure it's all working. Next up he uses PHP to create an asynchronous server with the amphp/aerys package (this code). He creates the server with a "scan" endpoint and handlers for opening the connection, performing the handshake and reacting to incoming data. Then he brings them together, connecting React and PHP, and sets up a script to wait for fingerprints. Code is included to perform the validation of the fingerprint, and the end result should look something like this.

tagged: react reactnative fingerprint scanner mobile asynchronous tutorial

Link: https://www.sitepoint.com/scan-fingerprints-async-php-react-native/

Exakat Blog:
Up and running exakat in 15 mins
Jun 01, 2017 @ 11:32:41

On the Exakat blog they've written up a post showing you how to get the scanner up and running quickly on your system and start performing scans of your code based on their ruleset.

Exakat is a smart static analysis engine for PHP. It reviews the code fast and produces reports tailored for every need: issues and code smells for programmers, inventories and maps for architects; compilation and configuration lists for sysadmins; dashboards for team leaders. Including over 320 analyses and spanning versions from 5.2 to the currently WIP 7.2, it helps you audit your code and keep it under control. Let’s see how to get up and running with exakat in 15 mins.

The post then walks you through the installation process and defines some prerequisites you'll need before getting started. The Exakat installation is basically just grabbing a phar archive from the exakat.io server. Once it's installed they show you how to run your first scans and view the resulting output. The guide also shows you how to add additional options to the reporting, and gives the command to update Exakat itself.

tagged: exakat scanner tool setup configuration quickstart tutorial

Link: https://www.exakat.io/up-and-running-with-exakat/

Community News:
Exakat - Static analysis tools for PHP
Feb 27, 2017 @ 14:25:25

On the Exakat GitHub account Damien Seguy has put together a pretty complete list of static analyzers you can use for your PHP applications.

The list is broken down into the types of scanners:

  • Bugs finders
  • Coding standards
  • DIY
  • Fixers
  • Metrics
  • SaaS
  • Misc

Each section includes a good list of tools and links to each of them (usually just to other GitHub repositories but some go to actual project pages). There's a lot of them to look through but be careful to evaluate the current state of the project. Just because it's linked here doesn't mean it's a complete tool.

tagged: static scanner tool language bug standard metrics saas list

Link: https://github.com/exakat/php-static-analysis-tools

Viva64.com:
Analysis of PHP7
Apr 29, 2016 @ 12:15:56

On the Viva64.com site they've posted the results of their own evaluation of PHP 7, covering both the source of the language interpreter itself and the third-party libraries it makes use of.

Sometimes checking a project one more time can be quite amusing. It helps to see which errors were fixed, and which ones got into the code since the time it was last checked. My colleague has already written an article about PHP analysis. As there was a new version released, I decided to check the source code of the interpreter once again, and I wasn't disappointed - the project had a lot of interesting fragments to look at.

They start with a brief look at PHP 7 including when it was released, some of the features/functionality included and the tool they used to do the analysis. They talk about some of the difficulties in the analysis process and how the widespread use of macros tripped it up a bit. They include some code examples from PHP's source and the warnings that their PVS-Studio tool returned. The post ends with a brief look at the third-party libraries PHP uses and the responsibility the project takes on by including them.

tagged: php7 analysis language source scanner pvsstudio results

Link: http://www.viva64.com/en/b/0392/#ID0EWECK

Infosec Institute:
SQL Injection through HTTP Headers
Apr 04, 2012 @ 10:17:08

While not specific to PHP, security is something that all developers need to think about in their applications. To that end, the Infosec Institute has published this guide to helping you prevent SQL injection attacks that could come in via the HTTP headers of requests to your site.

During vulnerability assessment or penetration testing, identifying the input vectors of the target application is a primordial step. Sometimes, when dealing with Web application testing, verification routines related to SQL injection flaws discovery are restricted to the GET and POST variables as the unique inputs vectors ever. What about other HTTP header parameters? Aren’t they potential input vectors for SQL injection attacks? How can one test all these HTTP parameters and which vulnerability scanners to use in order to avoid leaving vulnerabilities undiscovered in parts of the application?

They start by describing the different kinds of inputs the attacks could come in on - GET, POST, cookies and the other HTTP headers. According to some results, the HTTP headers option is the least protected in most common applications. The author includes some good examples of headers that might contain malicious data such as:

  • X-Forwarded-For
  • User-agent
  • Referer

Techniques are also included showing you tools and methods to help test your own applications, including some in-browser tools and external applications (like Sqlmap, Nessus, WebInspect, SkipFish and Wapiti), along with some average coverage scores from running them.

tagged: sql injection http headers security prevention scanner

Link:

Greg Beaver's Blog:
Quick review of Pixy vulnerability scanner for PEAR users
Jun 25, 2007 @ 07:30:27

Greg Beaver has a (very) quick post about his experiences with the Pixy XSS and SQLI Scanner running against PEAR files.

I tried out the Pixy XSS and SQLI Scanner (http://pixybox.seclab.tuwien.ac.at/pixy/index.php) on a few simple PEAR files. On the first, I got a Java exception; on the second it was unable to resolve the simplest of includes (no ability to resolve include_path). In short, the thing is useless for anything written using PEAR. Fun!

The Pixy XSS and SQLI Scanner is made to find SQL and XSS injection issues in scripts. It runs as a Java application and scans PHP4 source code to try to find problems. For more information on the scanner or to try it out for yourself, check out the project's homepage for documentation and downloads.

tagged: review pixy vulnerability scanner pear xss sqlinjection

Link:

ThinkPHP Blog:
SQL injections for dummies - and how to fix them
Sep 15, 2006 @ 07:38:15

On the ThinkPHP Blog, there's a look at how to handle SQL injections, including a video showing how their product, Chorizo, handles their discovery in your application.

Well, database operations are bread-and-butter work for most PHP applications. PHP and MySQL, for example, have been like brother and sister for many years. You may have heard about "SQL injections", a bad taste from the outside world of $_GET, $_POST, $_COOKIE and the like.

They mention the obvious - not accepting unfiltered input from users - and how the Chorizo and Morcilla software work to identify and combat them in an application. You can even check out a Flash video of the process you'd need to take.

tagged: sql injection chorizo morcilla scanner security input filter

Link:

Think-PHP Blog:
Detect and fix security vulnerabilities on server side within seconds
Sep 07, 2006 @ 07:12:27

From the group that brings you Chorizo! and Morcilla, the latest in PHP security tools, comes a video showing how to find and correct the issues that your script might have on the server side (with the help of Morcilla).

This video shows you how Morcilla, our brand new PHP extension, lets Chorizo! have a look inside your application on the server.

We are able to hook into every PHP function and trace the payloads of Chorizo!. By default, Morcilla hooks into the whole MySQL function family, fopen, mail, include/require/include_once/require_once, preg_* and others. With a ZendEngine patch, we are able to trace unset variables and a lot more.

The video (basically a screen capture of the process) is a bit hard to read in the smaller version, so it's recommended to view the larger size if you want to see the options. It's interesting, though, to see how it picks out the errors, tells you what they are and points you to where you can go to fix them (like the file inclusion issue they demonstrate).

tagged: chorizo security scanner morcilla serverside video example

Link: