A group of researchers from MIT, Stanford and Syracuse have developed a new program, named “Ardilla”, which can analyze PHP code for Cross-Site Scripting (XSS) and SQL injection attack vulnerabilities.
Rather than relying on static analysis alone, the tool traces untrusted data through the running program to determine whether it actually reaches a vulnerable sink. This reduces false positives significantly compared with static analysis by itself.
Here’s the technical paper for all of us serious geeks…
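To make the difference between a static warning and a confirmed flow concrete, here is a toy dynamic taint tracker written for this post. It is not Ardilla’s code (Ardilla instruments the Zend interpreter itself and also generates the inputs it runs); it only models the idea in plain Python. Untrusted request data is labelled at its source, the label propagates through string concatenation, sanitizers drop it, and the two sinks (a SQL query and an HTML echo) report only data that arrives still carrying a label. The request value, the page handlers and the in-memory table are all constructed for the example.

```python
# Added example, not part of the original post or of Ardilla.
# A toy dynamic taint tracker: untrusted data is labelled, labels propagate
# through concatenation, sanitizers clear them, and sinks report taint that
# actually reaches them at run time.
from dataclasses import dataclass
import html
import sqlite3


@dataclass(frozen=True)
class Taint:
    """A string value plus the set of untrusted sources it was derived from."""
    value: str
    sources: frozenset = frozenset()

    @property
    def tainted(self) -> bool:
        return bool(self.sources)

    def concat(self, other):
        """String concatenation propagates taint from both operands."""
        other = other if isinstance(other, Taint) else Taint(other)
        return Taint(self.value + other.value, self.sources | other.sources)


def untrusted(source: str, value: str) -> Taint:
    """Label request data with the source it came from (e.g. a GET parameter)."""
    return Taint(value, frozenset({source}))


class Sinks:
    """Security-sensitive operations; each checks the taint of what it receives."""

    def __init__(self):
        self.findings = []  # (sink kind, sources) for tainted data reaching a sink
        self.db = sqlite3.connect(":memory:")  # constructed sample table
        self.db.execute("CREATE TABLE users (name TEXT)")
        self.db.execute("INSERT INTO users VALUES ('alice')")

    def sql_query(self, query: Taint, params=()):
        if query.tainted:
            self.findings.append(("SQLI", tuple(sorted(query.sources))))
        return self.db.execute(query.value, params).fetchall()

    def html_echo(self, fragment: Taint) -> str:
        if fragment.tainted:
            self.findings.append(("XSS", tuple(sorted(fragment.sources))))
        return fragment.value


# Sanitizers: the result is trusted for its target sink, so the taint is dropped.
def int_param(t: Taint) -> Taint:
    """Like PHP's intval(): the result is a known-safe integer literal."""
    return Taint(str(int(t.value)))


def html_escape(t: Taint) -> Taint:
    """Like PHP's htmlspecialchars(): safe to echo as HTML text content."""
    return Taint(html.escape(t.value, quote=True))


def vulnerable_page(req: dict, sinks: Sinks) -> str:
    """Models PHP that builds SQL by concatenation and echoes input unescaped."""
    name = untrusted("GET[name]", req["name"])
    query = Taint("SELECT name FROM users WHERE name = '").concat(name).concat("'")
    sinks.sql_query(query)
    return sinks.html_echo(Taint("<p>Hello, ").concat(name).concat("</p>"))


def hardened_page(req: dict, sinks: Sinks) -> str:
    """Same page with a bound SQL parameter and escaping before HTML output."""
    name = untrusted("GET[name]", req["name"])
    query = Taint("SELECT name FROM users WHERE name = ?")  # constant, untainted
    sinks.sql_query(query, (name.value,))
    return sinks.html_echo(Taint("<p>Hello, ").concat(html_escape(name)).concat("</p>"))


def analyze(page, req: dict):
    """Run the page on one concrete request; return the sinks reached by taint."""
    sinks = Sinks()
    page(req, sinks)
    return sinks.findings


# Constructed request. The value is harmless on purpose: taint tracking reports
# the data flow, not a payload.
REQUEST = {"name": "alice"}

if __name__ == "__main__":
    print(analyze(vulnerable_page, REQUEST))  # [('SQLI', ('GET[name]',)), ('XSS', ('GET[name]',))]
    print(analyze(hardened_page, REQUEST))    # []
```

A purely static checker would flag `name` in both handlers because it reaches a query and an echo in each; the run-time tracker reports the first handler only, because in the second the labelled value never enters the query text and has passed through an escaper before the echo. That is the false-positive reduction the post refers to, in miniature.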
Automatic Creation of SQL Injection and Cross Site Scripting Attacks
A summary of the results is available here, along with the specifications for the XSS and SQL Injection attacks they used in the tests:
The tool was built from a modified version of the Zend Interpreter, based on licensed work done at IBM. Unfortunately, due to the license issues, it cannot be released as open source. This would be a great tool in the arsenal of professional developers (especially those who inherit and refactor code from other developers). Hopefully it, or an open-source version of it, will find its way into the wild somehow.
The team is looking for help making the changes to the Zend Interpreter code so that the program can be released as Open Source. Interested? Talk to Michael Ernst.
(Via DarkReading)
PHP Security Checker…
We did a post on ten security checks for PHP, and pointed to a PHP security guide as well. On a more recent, related note, you might want to take a look at Rkrishardy.com regarding researchers from MIT, Stanford and Syracuse having developed “Ardilla…
Trackback by Digital Media Minute — June 20, 2009 @ 2:04 am
[...] MIT/Stanford/Syracuse Team Develop New PHP Interpreter-Based XSS and SQL Security Tester [...]
Pingback by Wayne State Web Communications Blog » Blog Archive » [Friday Links] The Summer Edition — June 21, 2009 @ 8:15 am
Pretty nice post. I just found your blog and wanted to say that I have really liked reading your blog posts. Anyway, I’ll be subscribing to your feed and I hope you write again soon!
Comment by Katy — June 23, 2009 @ 10:43 pm
Loved your latest post, by the way.
Comment by How I Make $5000 a Month Posting Links on Google — June 25, 2009 @ 7:43 pm
Wow, really smart idea.
Any updates on whether this will be released? I’ve got some large codebases that I would love to try it on.
Comment by Breck — August 17, 2009 @ 6:13 pm
I’ve talked with the guys at Washington about this, and they are interested in making it Open Source, but it doesn’t look like it has moved forward yet. I’m keeping an eye on this, and may have a go on my own, because I would love to use it too.
Comment by Kris — August 18, 2009 @ 11:29 am
Hi, I’m interested too. Are there any known alternatives? This would be very useful.
Comment by Nicolae Nmaolovan — September 28, 2009 @ 1:29 pm
A quick update… Acunetix WVS can do this, so it doesn’t look like Ardilla is the only way. However, Acunetix is very expensive (close to $10,000 a license, last time I checked). This may be a project for my Java Certified Developer certification.
I talked to the guys at Acunetix about how their query taint tracking works, and they were a little tight-lipped. I haven’t had a chance to look at the code, although a reputable source tells me that it needs some work…
I found this link to a list of web vulnerability scanners. I’m working through them when I get the time.
http://sectools.org/web-scanners.html
Comment by Kris — November 16, 2009 @ 1:54 pm