[Debian-audit] Simple PHP scanning ..

From: Steve Kemp <steve_at_shellcode.org>
Date: Sat, 19 Mar 2005 21:48:17 +0000

  There are three types of attack that come up often
 in the PHP world:

        * File inclusion errors.
        * XSS attacks.
        * SQL Injection attacks.

  The first and the last should be simple to detect
 via a simple script, just by looking for patterns
 such as:

        include( $ );

  and :

        mysql_query( $ .. );

  I've not seen anything like this around so far, but
 I've made a simple attempt at it with the attached Perl
 script.

  Ideally a real parser would be nice, but I've not found
 an appropriate grammar for the language - any pointers would
 be appreciated.

  Sample output, searching within the package 'svnweb'
 (all false positives)

skx_at_lappy:~/tmp$ perl scan-php.pl
./websvn-1.61/wsvn.php ["$locwebsvnreal/form.php"] include("$locwebsvnreal/form.php");
./websvn-1.61/wsvn.php ["$locwebsvnreal/index.php"] include("$locwebsvnreal/index.php");
./websvn-1.61/wsvn.php ["$locwebsvnreal/$file"] include("$locwebsvnreal/$file");

   Format is 'filename' [what's included] 'complete matching line'

Steve

--
# The Debian Security Audit Project.
http://www.debian.org/security/audit

Received on Sat Mar 19 2005 - 21:48:18 GMT
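
The line-based pattern scan described in the post, as an added Python example; it is not the attached Perl script, which is not reproduced on this page. It goes slightly beyond the post: the require/_once variants, the single-quote handling and the "request-data" triage tag are assumptions of this example, as are the names scan_source, live_part and SAMPLE (constructed input).

```python
import re

# include()/mysql_query() are the calls named in the post; the require and
# *_once variants are an assumption added by this example.
CALL = re.compile(
    r"(?<![$\w>])\b(include_once|include|require_once|require|mysql_query)\b"
    r"\s*\(?\s*(.*?)\s*\)?\s*;",
    re.IGNORECASE,
)
VARIABLE = re.compile(r"\$[A-Za-z_]\w*")
SUPERGLOBAL = re.compile(r"\$_(GET|POST|REQUEST|COOKIE|SERVER|FILES)\b")
STRING = re.compile(r'"[^"]*"|\'[^\']*\'')

# Constructed sample input, not taken from any real package.
SAMPLE = r"""<?php
include("header.php");
include("$locwebsvnreal/$file");
require_once $_GET['page'] . ".php";
// include($old);
$r = mysql_query("SELECT * FROM users WHERE id=" . $_POST['id']);
$r = mysql_query('SELECT * FROM t WHERE name = "$name"');
"""

def live_part(arg):
    # Drop top-level '...' literals (PHP never interpolates them); keep "...".
    return STRING.sub(lambda m: m.group(0) if m.group(0)[0] == '"' else "", arg)

def scan_source(filename, text):
    """Return (filename, kind, risk, argument, line) for each flagged call."""
    findings = []
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith(("//", "#", "*", "/*")):
            continue  # crude comment skip; a line scanner cannot do better
        for m in CALL.finditer(line):
            func, arg = m.group(1).lower(), m.group(2)
            live = live_part(arg)
            if not VARIABLE.search(live):
                continue  # constant argument, nothing to review
            kind = "sql" if func == "mysql_query" else "include"
            risk = "request-data" if SUPERGLOBAL.search(live) else "review"
            findings.append((filename, kind, risk, arg, line))
    return findings

if __name__ == "__main__":
    # Same layout as the post's output, with a kind:risk tag appended.
    for f in scan_source("sample.php", SAMPLE):
        print(f"{f[0]} [{f[3]}] {f[4]} <{f[1]}:{f[2]}>")
```

A "review" result is the same class of hit as the websvn lines above: a variable reaches the call, but whether it is attacker-controlled still has to be traced by hand.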
