RIPS - static code analyzer for vulnerabilities in PHP
2 likes5,761 views
RIPS is a PHP static source code analyzer based on PIXY that detects vulnerabilities like SQL injection and cross-site scripting. It works by splitting code into tokens and tracing whether user-supplied data reaches sensitive sinks like vulnerable functions. RIPS has a simple web interface and detects vulnerabilities through case studies by preparing a local web site and running analysis. Future work includes improving support for object-oriented code and dynamic runtime analysis.
RIPS - static code analyzer for vulnerabilities in PHP
- 2. General Information ● ● ● ● ● ● ● ● ● ● PHP static source code analyzer, Based on PIXY, Author: Johannes Dahse, Released: 24 May 2010, Last version: 0.54, Open source, http://sourceforge.net/projects/rips-scanner/, Requires a Web server and a browser(Firefox), Languages: PHP(partial support for object oriented), Vulnerabilities: SQL Injection, Cross-Site Scripting, File Inclusion and more.
- 3. Web application security ● “A web application security vulnerability can occur when data supplied by the user (e.g. GET, POST parameters) is not sanitized correctly and used in critical operations of the dynamic script. Then an attacker might be able to inject code that changes the behaviour and result of the operation during the script execution in an unexpected way.” Johannes Dahse - RIPS A static source code analyser for vulnerabilities in PHP scripts
- 4. RIPS context(1) ● ● ● Taint-style vulnerabilities = tainted data + sensitive sinks, Tainted data - untrusted sources such as user supplied data: GET or POST parameters, cookie values, user agent, database entries or files. Sensitive sinks - vulnerable parts of the program, - potential vulnerable functions(PVF), - should be called with trusted or sanitized data, - executes critical operations. ● An attacker may influence the data that is passed to the PVF and read, modify, delete data or attack web server or a client.
- 5. RIPS context (2) Johannes Dahse - RIPS A static source code analyser for vulnerabilities in PHP scripts
- 6. Technical details ● Tokens - the code is split into tokens(e.g. opening tag, closing tag, string) which are analyzed, ● PVF - Functions where can be introduced vulnerabilities, current 287, ● RIPS traces back, whether the suitable parameters of the PVFs could be tainted by the user, ● Verbosity levels - 5 levels( the default is 1) 1 - traces tainted PVFs without any securing actions applied, 2 - files and local DBs treated as potentially malicious, 3 - shows PVFs even if securing actions have been applied , 4 - displays additional information about code structure, 5 - shows all PFVs calls and associated traces.
- 7. Usage ● ● Easy to understand with a great simple web interface, Mechanism : prepare a local web site and run in a web server.
- 8. Case studies 1. Cross-site scripting, 2. SQL injection, 3. Deprecated function, 4. Remote File Inclusion, 5. Remote Command Execution, 6. File Inclusion.
- 9. Demo
- 10. Future work ● ● ● full object-oriented programming support, all PHP code semantics such as variable aliases, evaluation of dynamic strings at runtime (e.g. name of the included files).
- 11. Resources ● ● ● ● ● ● ● ● ● ● ● , https://www.owasp.org/index.php/Static_Code_Analysis https://www.owasp.org/index.php/Source_Code_Analysis_Tools, http://www.php-security.org/2010/05/24/mops-submission-09-rips-a-static-source-code-analyser-for-vulnerabilities-in-phpscripts/index.html, http://holisticinfosec.org/toolsmith/pdf/july2011.pdf, http://sourceforge.net/projects/rips-scanner, https://websec.wordpress.com/category/projects/, http://rips-scanner.sourceforge.net, http://www.phpfreaks.com/tutorial/php-security/page6, http://www.php-security.org/downloads/rips.pdf, Secure coding training - Review of source code analyzers - Gerard Frankowski,Tomasz Nowak, RIPS - A static source code analyser for vulnerabilities in PHP scripts - Johannes Dahse.