Description
Some days ago, I really started thinking about hybridizing web application scanners.
I'm pretty sure this is the key, since this kind of tool should be used not only by security experts but also by web developers.
So, to the question "how can a developer really test his code?" there are lots of possible answers, from classical testing to source code analysis and application analysis. Because I'm a developer, I really want a tool that does what I want and doesn't give me that many errors like "this page is susceptible to XSS in the parameter..." when there can be lots of instances of this parameter in the code... So I decided to add a feature that tests the code first, then uses those results to test the application itself. This is a crystal-box tester/scanner.
The only real interest of this kind of tool is to decrease the number of false positives.
I mean, you cannot say at all that a website is secure... but you can report some real vulnerabilities.
The creation process was the following (hum.. too much work in a day because people - me - write idiotic descriptions).
Crystal Module Cookbook
Make-ahead Tip: Prepare lots of coffee before starting...
Preparation: 24 hours
Ingredients:
- PHP-Sat
- Any Grabber modules
Tools:
- Context editor
- Python 2.4
- Nice music (Opera is not needed, but you should listen to this)
Directions:
0/ Read the configuration file (patterns may be combined with boolean operators)
1/ Scan the PHP sources with the PHP-Sat handler (which copies everything into the '/local/crystal/' directory).
2/ Make a kind of diff, then:
   If the diff gives results, check for the patterns (given in the configuration file)
   Parse the PHP line just below the end of the pattern
   Try to get a variable value
   <after-hypothetical-stuff-toussa>
   If there is no direct variable... backtrack sequentially or in the AST
   </after-hypothetical-stuff-toussa>
3/ Generate the XML report of the "crystal-static-analysis" module
4/ Build a database of:
   transformed_into_URL(hypothetical flawed files) = [list of "flawed" params]
5/ Run the classical tools against only the parameters given by the SwA tool
The results?
Because I use Grabber for the black-box testing and PHP-Sat for the white-box testing, the limitations come from both sides.
First Grabber, because of the vectors, the detection techniques and all the flavors of web application scanners; then PHP-Sat, which is not finished yet and seems to only report possible Cross-Site Scripting.
The configuration file
I'm quite proud of this; a good configuration file can make people happy :) to see that they can plug in/do whatever they want with it. Let's see:
<?xml version="1.0"?>
<!-- Grabber configuration file -->
<crystal version="0.1">
    <!-- Give some information, distant/local files -->
    <url>http://192.168.1.2/bank</url>
    <files>\\192.168.1.2\htdocs\bank</files>
    <!-- Analyzer information, here PHP-Sat -->
    <analyzer>
        <path input="-i" output="-o">C:\msys\1.0\bin\php-sat.exe</path>
        <extension>php</extension>
        <!--
        Typical pattern block:
        11: not flagged php line
        12: /**
        13: pattern content...
        14: */
        15: php line with the flaw +- FLAGGED!
        -->
        <patterns start="/**" end="*/">
            <!-- Analyze with the pattern -->
            <pattern module="xss">
                PHP-SAT check (Malicious Code CodeVulnerability) __OR__ Pattern ID: MCV000
            </pattern>
            <pattern module="sql,bsql">
                PHP-SAT check (Malicious Code CodeVulnerability) __AND__ Pattern ID: MCV001
            </pattern>
        </patterns>
    </analyzer>
</crystal>
The configuration will support binary operators for combining some patterns, and later regular expressions in the XML.
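The directions above (steps 2 to 4) and this configuration, walked through as an added example written for this page (it is not Grabber's or PHP-Sat's code): the pattern block layout follows the comment in the config, while the rest of PHP-Sat's output format, the reading of __OR__/__AND__ as substring clauses matched against the block text, the superglobal regex and the login.php path are assumptions.

```python
import re, xml.etree.ElementTree as ET
# Constructed copy of the page's crystal configuration (file paths left out).
CONFIG = """<crystal version="0.1"><url>http://192.168.1.2/bank</url>
<analyzer><patterns start="/**" end="*/">
<pattern module="xss">PHP-SAT check (Malicious Code CodeVulnerability) __OR__ Pattern ID: MCV000</pattern>
<pattern module="sql,bsql">PHP-SAT check (Malicious Code CodeVulnerability) __AND__ Pattern ID: MCV001</pattern>
</patterns></analyzer></crystal>"""
# Constructed PHP-Sat-style annotated source (block layout as in the config comment, the rest is assumed).
ANNOTATED = """<?php
$user = $_GET['user'];
/**
 * PHP-SAT check (Malicious Code CodeVulnerability)
 * Pattern ID: MCV000
 */
echo "Hello " . $user;
/**
 * PHP-SAT check (Malicious Code CodeVulnerability)
 * Pattern ID: MCV001
 */
$r = mysql_query("SELECT * FROM t WHERE id=" . $_POST['id']);
"""
SUPERGLOBAL = re.compile(r"\$_(?:GET|POST|REQUEST|COOKIE)\[\s*['\"](\w+)['\"]\s*\]")  # -> param name
ASSIGN = re.compile(r"^\s*(\$\w+)\s*=\s*(.*);", re.M)  # "$var = expr;" lines, used for backtracking

def pattern_matches(expr, block):
    """Evaluate one configured pattern (clauses joined by __OR__ or __AND__) against a block's text."""
    if "__OR__" in expr:
        return any(c.strip() in block for c in expr.split("__OR__"))
    return all(c.strip() in block for c in expr.split("__AND__"))

def flawed_params(config_xml, php_src, relpath):
    """Step 4 of the recipe for one file: {url: {module: [flawed param, ...]}}. The PHP line right under a start..end block is the flagged one."""
    root = ET.fromstring(config_xml)
    pats = root.find("analyzer/patterns")
    rules = [(p.get("module").split(","), p.text.strip()) for p in pats.findall("pattern")]
    url = root.findtext("url").rstrip("/") + "/" + relpath
    blocks = re.compile(re.escape(pats.get("start")) + r"(.*?)" + re.escape(pats.get("end")) + r"[^\n]*\n([^\n]*)", re.S)
    result = {}
    for m in blocks.finditer(php_src):
        block, flagged = m.group(1), m.group(2)
        params = SUPERGLOBAL.findall(flagged)
        if not params:  # no direct superglobal: backtrack sequentially over earlier assignments
            assigned = dict(ASSIGN.findall(php_src[:m.start()]))
            for var in re.findall(r"\$\w+", flagged):
                params += SUPERGLOBAL.findall(assigned.get(var, ""))
        for modules, expr in rules:
            if pattern_matches(expr, block):
                for mod in modules:
                    result.setdefault(mod, []).extend(params)
    return {url: result}
```

With the page's own patterns, the xss rule is satisfied by any block that contains the generic "PHP-SAT check" clause, so the second block is reported for xss as well as for sql and bsql; the sql rule, being an __AND__, rejects the first block because MCV001 is absent there.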
Last comments