R. Kris Hardy » sql injection http://www.rkrishardy.com Software Development, Web Applications and Business Analytics Tue, 19 Jul 2011 17:58:57 +0000 en hourly 1 http://wordpress.org/?v=3.2.1 MIT/Stanford/Syracuse Team Develop New PHP Intepreter-Based XSS and SQL Security Tester http://www.rkrishardy.com/2009/06/new-php-interpreter-based-xss-and-sql-security-tester/ http://www.rkrishardy.com/2009/06/new-php-interpreter-based-xss-and-sql-security-tester/#comments Fri, 19 Jun 2009 10:55:18 +0000 Kris http://www.rkrishardy.com/?p=181 Ardilla PaperA group of researchers from MIT, Stanford and Syracuse have developed a new program, named “Ardilla”, which can analyze PHP code for Cross-Site Scripting (XSS) and SQL injection attack vulnerabilities.

Rather than just static analysis, this program actually traces the data through the software to determine whether the threat is real. This decreases false-positives significantly, compared to simple static analysis.

Here’s the technical paper for all us serious geeks…

Automatic Creation of SQL Injection and Cross Site Scripting Attacks

A summary of the results is available here, along with the specifications for the XSS and SQL Injection attacks they used in the tests:

Ardilla Results

The tool was built from a modified version of the Zend Interpreter, based on licensed work done at IBM.  Unfortuantely, due to the license issues, it cannot be released as open source.  This would be a great tool in the arsenal of professional developers (especially those that inherit and refactor code from other developers).  Hopefully it  or an open-source version will find its way into the wild somehow.

The team is looking for help making the changes to the Zend Interpreter code so that the program can be released as Open Source.  Interested?  Talk to Michael Earnst.

(Via DarkReading)

Technorati Tags: , , , ,

]]> http://www.rkrishardy.com/2009/06/new-php-interpreter-based-xss-and-sql-security-tester/feed/ 8