RIPS - static code analyzer for vulnerabilities in PHP


  1. RIPS - Sorina-Georgiana CHIRILĂ, Software Security - 2013
  2. General Information
     ● PHP static source code analyzer, based on PIXY
     ● Author: Johannes Dahse
     ● Released: 24 May 2010; last version: 0.54
     ● Open source: http://sourceforge.net/projects/rips-scanner/
     ● Requires a web server and a browser (Firefox)
     ● Languages: PHP (partial support for object-oriented code)
     ● Vulnerabilities: SQL Injection, Cross-Site Scripting, File Inclusion and more
  3. Web application security
     ● "A web application security vulnerability can occur when data supplied by the user (e.g. GET, POST parameters) is not sanitized correctly and used in critical operations of the dynamic script. Then an attacker might be able to inject code that changes the behaviour and result of the operation during the script execution in an unexpected way." (Johannes Dahse - RIPS: A static source code analyser for vulnerabilities in PHP scripts)
  4. RIPS context (1)
     ● Taint-style vulnerabilities = tainted data + sensitive sinks
     ● Tainted data - untrusted sources such as user-supplied data: GET or POST parameters, cookie values, user agent, database entries or files
     ● Sensitive sinks - vulnerable parts of the program: potentially vulnerable functions (PVFs) that execute critical operations and should be called only with trusted or sanitized data
     ● An attacker may influence the data that is passed to a PVF and read, modify or delete data, or attack the web server or a client
  5. RIPS context (2) - Johannes Dahse - RIPS: A static source code analyser for vulnerabilities in PHP scripts
  6. Technical details
     ● Tokens - the code is split into tokens (e.g. opening tag, closing tag, string) which are analyzed
     ● PVFs - functions through which vulnerabilities can be introduced; currently 287
     ● RIPS traces back whether the relevant parameters of the PVFs could be tainted by the user
     ● Verbosity levels - 5 levels (the default is 1):
       1 - traces tainted PVFs without any securing actions applied
       2 - files and local DBs treated as potentially malicious
       3 - shows PVFs even if securing actions have been applied
       4 - displays additional information about code structure
       5 - shows all PVF calls and associated traces
  7. Usage
     ● Easy to understand, with a simple web interface
     ● Mechanism: prepare a local web site and run RIPS in a web server
  8. Case studies
     1. Cross-site scripting
     2. SQL injection
     3. Deprecated function
     4. Remote File Inclusion
     5. Remote Command Execution
     6. File Inclusion
  9. Demo
  10. Future work
     ● full object-oriented programming support
     ● all PHP code semantics such as variable aliases
     ● evaluation of dynamic strings at runtime (e.g. name of the included files)
  11. Resources
     ● https://www.owasp.org/index.php/Static_Code_Analysis
     ● https://www.owasp.org/index.php/Source_Code_Analysis_Tools
     ● http://www.php-security.org/2010/05/24/mops-submission-09-rips-a-static-source-code-analyser-for-vulnerabilities-in-phpscripts/index.html
     ● http://holisticinfosec.org/toolsmith/pdf/july2011.pdf
     ● http://sourceforge.net/projects/rips-scanner
     ● https://websec.wordpress.com/category/projects/
     ● http://rips-scanner.sourceforge.net
     ● http://www.phpfreaks.com/tutorial/php-security/page6
     ● http://www.php-security.org/downloads/rips.pdf
     ● Secure coding training - Review of source code analyzers - Gerard Frankowski, Tomasz Nowak
     ● RIPS - A static source code analyser for vulnerabilities in PHP scripts - Johannes Dahse
  12. Questions? THANK YOU!
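To make slides 4 and 6 concrete, here is a toy taint tracer written for these notes (not RIPS code and not from the original slides) that follows the same model: untrusted sources, sensitive sinks (PVFs) and securing functions, with verbosity 1 reporting only unsecured taint and verbosity 3 also reporting sinks whose input was secured. The source/sink/securing tables and the PHP sample are constructed for the example; real RIPS works on PHP tokens and knows 287 PVFs, whereas this uses line-based regexes and a handful of functions.

```python
import re

# Constructed miniature of RIPS's model: untrusted sources, sensitive sinks
# (PVFs) mapped to a vulnerability class, and securing functions (assumed set).
SOURCES = {"$_GET", "$_POST", "$_COOKIE", "$_REQUEST"}
SINKS = {"mysql_query": "SQL Injection", "echo": "Cross-Site Scripting",
         "include": "File Inclusion", "system": "Remote Command Execution"}
SECURING = {"intval", "mysql_real_escape_string", "htmlspecialchars", "basename"}
ASSIGN = re.compile(r"^\s*(\$\w+)\s*=\s*(.+);")   # $var = <expr>;
VAR = re.compile(r"\$\w+")                        # every $variable reference
CALL = re.compile(r"^\s*(\w+)\s*\(?(.*)")         # func(args) or echo args

def analyze(php_source, verbosity=1):
    """Return (line, vuln_type, variable, secured) findings; verbosity 1 reports
    only unsecured taint reaching a sink, verbosity 3 also secured taint."""
    state = {}  # variable -> "tainted" or "secured"
    findings = []
    for no, line in enumerate(php_source.splitlines(), 1):
        m = ASSIGN.match(line)
        if m:  # propagate taint from sources/tainted vars on the right-hand side
            lhs, rhs, refs = m.group(1), m.group(2), VAR.findall(m.group(2))
            if any(r in SOURCES or state.get(r) == "tainted" for r in refs):
                secured = any(f + "(" in rhs for f in SECURING)
                state[lhs] = "secured" if secured else "tainted"
            elif any(state.get(r) == "secured" for r in refs):
                state[lhs] = "secured"
            else:
                state.pop(lhs, None)  # overwritten with untainted data
            continue
        c = CALL.match(line)
        if c and c.group(1) in SINKS:  # a PVF call: trace each argument back
            args = c.group(2)
            for r in VAR.findall(args):
                status = "tainted" if r in SOURCES else state.get(r)
                if status == "tainted" and any(f + "(" in args for f in SECURING):
                    status = "secured"  # securing function applied inline
                if status == "tainted" or (status and verbosity >= 3):
                    findings.append((no, SINKS[c.group(1)], r, status == "secured"))
    return findings

# Constructed PHP sample (not from the slides) covering the interesting cases.
SAMPLE = """<?php
$id = $_GET['id'];
$safe = intval($id);
$sql = "SELECT * FROM users WHERE id=" . $id;
mysql_query($sql);
mysql_query("SELECT * FROM users WHERE id=" . $safe);
echo $_POST['name'];
echo htmlspecialchars($_POST['name']);
"""
```

Calling `analyze(SAMPLE)` reports only lines 5 and 7; `analyze(SAMPLE, 3)` additionally lists lines 6 and 8, where intval() and htmlspecialchars() secured the taint, mirroring what verbosity levels 1 and 3 show in RIPS.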
