PHP Source Code Security Scanners basic test
By Romain Thursday, May 24 2007 - 06:04 UTC - Tools - Permalink
For quite a long time now, I've been playing with lots of different black-box tools, commercial or not, mine or not. Months ago, I developed Crystal, a plugin for Grabber which links the black-box engine in Grabber to a PHP Source Code Security Analyzer, PHP-SAT. At the time, it was the only advanced PHP SCSA I could find on the web, so I used it without really testing it, I admit.
So much for the story. A few days ago, on #webappsec (irc.freenode.org), Larholm told me about SWAAT, a PHP SCSA (and not only PHP, actually) that was new, at least to me. I didn't have time to try it then, but today I took the time to compare PHP-SAT and SWAAT on a test which can be seen as a quite exhaustive basic flaw checker (it contains maybe 6 different vulnerabilities, with variants and false positive/true positive check implementations).
You can see the PHP test file here: tests.php
The results of the two runs can be found here: php-sat-test-output.phps and swaat-output.html
How to read the reports:
I will not spend time explaining the differences between the tools, as they don't really have the same goal (even if we can use them for the same purpose). Well, with the default configuration of both tools, SWAAT is really better! But as with many Source Code Security Analyzers, the configuration matters a lot, so I would temper my conclusion on these tools: I really need to dive into the configuration of these two tools and redo the tests.
Comments
Automated static source analysis still has a long way to go.
I did a test of PHP-Sat, SWAAT and Pixy (http://pixybox.seclab.tuwien.ac.at/...)
The target was a php forum called Bitboard, which has many XSS holes, at least one arbitrary file upload and one php code inclusion vulnerability.
PHP-Sat won't work on Windows at all due to faulty Stratego libs (the devs are aware).
I like the way it works with bug patterns, but not the way it outputs results.
SWAAT detected no vulnerabilities but had *lots* of warnings about text 'that may indicate security sensitive functionality'. In its current state it doesn't do much more than run some regexes against your source.
Pixy found every hole I could find, indicating whether register_globals=on was a prerequisite for them, and plotted function call graphs. (It marked the file and PHP inclusion holes as XSS though.)
However, the output .dot files require external tools to view them.
You're absolutely right; even in general (Java/C++), source code security scanners are not that good: it's really easy to make them fail some tests...
So for PHP, where we are starting to see the first ones, they still have a long journey ahead to become mature projects.
Your testing looks really interesting to me; do you have the results public somewhere? Did you cross-reference with the known vulnerabilities in that forum?
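The post's tests.php and the scanner outputs are not reproduced on this page. The following is an added example, not the author's test file and not PHP-SAT, SWAAT or Pixy, that shows in Python what the "false positive/true positive check" pairs in such a test file look like, and why a scanner that only pattern-matches lines (the behaviour the comment above attributes to SWAAT) reports the sanitised variants and misses the variable-indirected one, while even a minimal taint tracker separates them. The PHP sample, the sanitiser list and the sink list are constructed assumptions for illustration, not a model of any of the tools.

```python
"""Added example: a constructed PHP test file with true-positive and
false-positive variants of three flaws, scanned two ways. This is not
the post's tests.php and not PHP-SAT, SWAAT or Pixy; the sample, the
sanitiser list and the sink list are assumptions made for illustration."""
import re

# Constructed sample. Each sink appears once with raw user input (a real
# flaw) and once sanitised (a false-positive check); the last pair
# routes the input through a variable before it reaches the sink.
PHP_SAMPLE = r"""<?php
echo $_GET['name'];                                         // XSS, raw
echo htmlspecialchars($_GET['name']);                       // XSS, sanitised
mysql_query("SELECT * FROM users WHERE id=" . $_GET['id']); // SQLi, raw
mysql_query("SELECT * FROM users WHERE id=" . intval($_GET['id'])); // SQLi, sanitised
$page = $_GET['page'];
include($page . '.php');                                    // inclusion via variable
$safe = basename($_GET['page']);
include($safe . '.php');                                    // sanitised variant
"""

# Lines the constructed file intends as real flaws (1-based; line 1 is <?php).
EXPECTED = {2, 4, 7}

SOURCES = re.compile(r"\$_(?:GET|POST|REQUEST|COOKIE)\b")
# Sanitiser calls wrapping a source or variable. Treating basename() as
# sufficient for include() is a modelling shortcut for this toy, not advice.
SANITISER = re.compile(
    r"\b(?:htmlspecialchars|intval|basename|mysql_real_escape_string)\(\$[^()]*\)")
SINK_KIND = {"echo": "XSS", "mysql_query": "SQL injection",
             "include": "file inclusion", "require": "file inclusion"}
ASSIGN = re.compile(r"^\$(\w+)\s*=\s*(.+);$")
ECHO_STMT = re.compile(r"^echo\s+(.*);$")
CALL_STMT = re.compile(r"^(mysql_query|include|require)\s*\((.*)\);$")
SINK_WORDS = re.compile(r"\b(?:echo|mysql_query|include|require)\b")


def statements(php):
    """Yield (line number, statement) with PHP // comments removed."""
    for lineno, raw in enumerate(php.splitlines(), 1):
        stmt = re.sub(r"//.*$", "", raw).strip()
        if stmt and not stmt.startswith("<?php"):
            yield lineno, stmt


def expr_is_tainted(expr, tainted_vars):
    """True if user input reaches expr without passing through a sanitiser."""
    stripped = SANITISER.sub("", expr)
    if SOURCES.search(stripped):
        return True
    return any(re.search(r"\$" + re.escape(v) + r"\b", stripped)
               for v in tainted_vars)


def find_sink(stmt):
    """Return (sink name, argument expression) for a sink statement, else None."""
    m = ECHO_STMT.match(stmt)
    if m:
        return "echo", m.group(1)
    m = CALL_STMT.match(stmt)
    if m:
        return m.group(1), m.group(2)
    return None


def taint_scan(php):
    """Crude intra-file taint tracking: propagate taint through assignments,
    honour sanitisers, and report only sinks actually reached by tainted data."""
    findings, tainted = [], set()
    for lineno, stmt in statements(php):
        m = ASSIGN.match(stmt)
        if m:
            name, rhs = m.groups()
            if expr_is_tainted(rhs, tainted):
                tainted.add(name)
            else:
                tainted.discard(name)
            continue
        sink = find_sink(stmt)
        if sink and expr_is_tainted(sink[1], tainted):
            findings.append((lineno, SINK_KIND[sink[0]]))
    return findings


def regex_scan(php):
    """Pattern-only scan: flag any line holding a sink keyword and a superglobal."""
    return [lineno for lineno, raw in enumerate(php.splitlines(), 1)
            if SINK_WORDS.search(raw) and SOURCES.search(raw)]


def score(reported_lines, expected=EXPECTED):
    """Return (true positives, false positives, false negatives) by line."""
    reported = set(reported_lines)
    return (len(reported & expected), len(reported - expected),
            len(expected - reported))


if __name__ == "__main__":
    taint = taint_scan(PHP_SAMPLE)
    print("taint:", taint, score(l for l, _ in taint))
    print("regex:", regex_scan(PHP_SAMPLE), score(regex_scan(PHP_SAMPLE)))
```

On this sample the pattern scan reports lines 2, 3, 4 and 5 (two real flaws, two sanitised decoys) and misses line 7, where the tainted value arrives through `$page`; the taint scan reports exactly lines 2, 4 and 7. That is the shape of the "false positive/true positive check" a test file like tests.php is built around: each sink in a raw form and a sanitised form, plus at least one indirection, so a scanner's true-positive, false-positive and false-negative counts can be read off directly.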