[nycphp-talk] Web app security scanners

Anirudh Zala arzala at gmail.com
Tue Apr 18 23:59:35 EDT 2006


I have one small comment on this issue. Instead of using any other software
to scan all these, can't we scan all our GET and POST variables for
validity of data using regular expressions?

For example, say we have 3 numeric variables that we receive via the GET method.
Before using them for further operations in our script, we can design a
function that checks the data associated with those 3 variables. If the data of
any of those variables seems invalid, you can throw a 400 error (Bad Request).

I assume we can control 90% of our data by scanning it ourselves, since
most of the time we know what data is going to arrive in those variables.
Similarly, we can do this for POST variables as well.

<?php

include_once 'some_function.inc';

// Validate every GET parameter before the rest of the script touches it.
scanGetVars($_GET);

// ... rest of code ...

?>

Thanks
Anirudh Zala

On Wed, 19 Apr 2006 07:39:27 +0530, <max at neuropunks.org> wrote:

>
> Yup, it was this http://www.acunetix.com/vulnerability-scanner/audit.aspx
> They do verify if your email address matches the site though.
> In my case, the IP block the dev site was on is owned by our company, so  
> I emailed them from my work email, and they queued it up. The email  
> about verification did come from a real human too.
> If you'd like, I can email you off list the logfiles from the webserver
> so you can see the queries they make.
>
> --- Original Message ---
> From: inforequest <1j0lkq002 at sneakemail.com>
> Sent: Tue, 18 Apr 2006 10:41:14 -0700
> To: talk at lists.nyphp.org
> Subject: Re: [nycphp-talk] Web app security scanners
>
>>
>> Thanks Max. Did you go for the "free website audit" because I dl'ed the
>> free scanner and it says it only runs against their test sites, not your
>> own sites. Thanks.
>>
>> -=john andrews
>> http://www.seo-fun.com
>>
>>
>> max max-at-neuropunks.org |nyphp dev/internal group use| wrote:
>>
>> >Well, here's a short followup on this.
>> >I used the acunetix free web based scanner, and it seems to be pretty
>> >thorough.
>> >The free report of course has no details in it, only number of
>> >potential problems.
>> >However, looking at the webserver logs, you can see what they were
>> >checking for, and it looks serious.
>> >They try 13 different XSS attacks, 3 sql injections, cookie rewriter,
>> >all kinds of dir traversal, and
>> >trace/track/connect http request issues.
>> >I still don't think I'm going to dish out 3 something K for the full
>> >version, but at least from their brief report you can check the logs
>> >for their requests, and see your server's response, and try it
>> >yourself.
>> >Pretty educational overall actually.
>> >
>> >
>> >On Sat, Apr 15, 2006 at 01:09:38PM -0500, Max Gribov wrote:
>> >
>> >
>> >>Hello all,
>> >>does anyone know of any opensource/free web app security scanner?
>> >>Basically, I just want something (else besides me) to go through all
>> >>the GET's and POST's on my PHP site and see if XSS/sql injection/etc is
>> >>possible.
>> >>I certainly did an audit of my own code, but another pair of eyes,
>> >>especially automated, would never hurt.
>> >>Something down the lines of Nessus only for web apps basically.
>> >>I've seen this: www.acunetix.com, and signed up for a trial audit,
>> >>but am wondering if there is something I can actually download.
>> >>I haven't seen anything on freshmeat or even google, most things are
>> >>either tutorials or non-free.
>> >>
>> >>thanks!
>> >>
>> >>max
>>
>> _______________________________________________
>> New York PHP Community Talk Mailing List
>> http://lists.nyphp.org/mailman/listinfo/talk
>> New York PHP Conference and Expo 2006
>> http://www.nyphpcon.com
>> Show Your Participation in New York PHP
>> http://www.nyphp.org/show_participation.php
>>
>>



-- 
-----------------------------------------------
Anirudh Zala (Project Manager)
ASPL, http://www.aspl.in
Ph: +91 281 245 1894
arzala at gmail.com
-----------------------------------------------
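An added example of the allow-list check the post sketches (this is not code from the original post; names such as validateVars() and $rules are hypothetical, and http_response_code() assumes PHP 5.4 or later):

```php
<?php
// Validate request parameters against per-parameter regexes. Returns a list
// of error messages; an empty list means every parameter passed.
function validateVars(array $vars, array $rules): array
{
    $errors = [];
    foreach ($rules as $name => $pattern) {
        // Arrays (e.g. ?id[]=1) and missing keys are rejected, not coerced.
        if (!isset($vars[$name]) || !is_string($vars[$name])) {
            $errors[] = "missing parameter: $name";
            continue;
        }
        // preg_match() returns 1 on match, 0 on no match, false on error;
        // only an exact 1 is accepted so a broken pattern fails closed.
        if (preg_match($pattern, $vars[$name]) !== 1) {
            $errors[] = "invalid value for parameter: $name";
        }
    }
    // Parameters the script never asked for are rejected as well.
    foreach (array_keys($vars) as $name) {
        if (!array_key_exists($name, $rules)) {
            $errors[] = "unexpected parameter: $name";
        }
    }
    return $errors;
}

// Three numeric GET variables, as in the post's example. The D modifier
// makes $ match only at the very end, so "123\n" is rejected too.
$rules = [
    'id'    => '/^[1-9][0-9]{0,9}$/D',
    'page'  => '/^[0-9]{1,4}$/D',
    'limit' => '/^[1-9][0-9]?$/D',
];

$errors = validateVars($_GET, $rules);
if ($errors !== []) {
    // Bad Request, as the post suggests; log $errors server-side if wanted.
    http_response_code(400);
    header('Content-Type: text/plain');
    echo "Bad request\n";
    exit;
}

// A value that matched its regex still has to be used safely: prepared
// statements for SQL and output escaping for HTML remain necessary.
$id = (int) $_GET['id'];
```

The same function covers the POST case from the post by passing $_POST with its own $rules.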
