Current performance:
2022/05/28 12:41:35 Scanned 4981 files Found 428 vulns In time 25.159522618s
Input is filenames or URLs of PHP files.
Output is the PHP representation of the vertex of the assignment or sink and it's line:char position, along with the traced stack for each step in the path.
To do:
- HTML context awareness
- Don't traverse tree multiple times (and dont traverse dead code)
- Scan whole repos instead of files (this will require more WP research)
Example:
$ echo test.php | php-analyzer -yaml
file: test.php
type: xss
path:
- stack: '[assign] $user_input <- [taint] $_GET'
code: $user_input = $_GET['input'] 11:194
- stack: '[assign] $improperly_filtered <- [filter] MAGICQUOTES <- [taint] $user_input'
code: $improperly_filtered = "$user_input" 12:224
- stack: '[sink] echo <- [taint] $improperly_filtered'
code: |-
// this does alert because magic quotes dont stop xss
echo $improperly_filtered; 20:444
file: test.php
type: sqli
path:
- stack: '[assign] $t <- [assign] $param <- [taint] $_GET'
code: $d->dangerous($_GET) 14:282
- stack: '[assign] $temp <- [filter] unknown_filter_func <- [taint] $param'
code: $temp = unknown_filter_func($param) 4:51
- stack: '[assign] dangerous <- [taint] $temp'
code: return $temp; 7:174
- stack: '[assign] $t <- [taint] dangerous'
code: $t = $d->dangerous($_GET) 14:277
- stack: '[sink] query <- [taint] $t'
code: |-
// alerts because taint follows through method call into $t
query($t) 23:532
2022/06/01 18:42:23 Scanned 1 files Found 2 vulns In time 4.785042ms
Help:
$ ./php-analyzer -h
Usage of ./php-analyzer:
-d int
Number of times to traverse the tree (Tracing through function calls requires multiple passes) (default 10)
-f string
Specify a data file of sources, sinks, and filters (default "data.yaml")
-t int
Number of goroutines to use (default 100)
-yaml
Output as YAML, (JSON by default)