rips - static code analyzer for vulnerabilities in php

RIPS
Sorina-Georgiana CHIRILĂ
Software Security - 2013

Upload: sorina-chirila

Post on 26-May-2015


General Information
● PHP static source code analyzer
● Based on PIXY
● Author: Johannes Dahse
● Released: 24 May 2010
● Last version: 0.54
● Open source: http://sourceforge.net/projects/rips-scanner/
● Requires a web server and a browser (Firefox)
● Languages: PHP (partial support for object-oriented code)
● Vulnerabilities: SQL Injection, Cross-Site Scripting, File Inclusion and more

Web application security
● “A web application security vulnerability can occur when data supplied by the user (e.g. GET, POST parameters) is not sanitized correctly and used in critical operations of the dynamic script. Then an attacker might be able to inject code that changes the behaviour and result of the operation during the script execution in an unexpected way.”

Johannes Dahse - RIPS: A static source code analyser for vulnerabilities in PHP scripts

RIPS context (1)
● Taint-style vulnerabilities = tainted data + sensitive sinks
● Tainted data - data from untrusted sources such as user-supplied input: GET or POST parameters, cookie values, the user agent, database entries or files
● Sensitive sinks - the vulnerable parts of the program:
  - potentially vulnerable functions (PVF),
  - should be called only with trusted or sanitized data,
  - execute critical operations.
● An attacker who can influence the data passed to a PVF may read, modify or delete data, or attack the web server or a client.

RIPS context (2)

Johannes Dahse - RIPS A static source code analyser for vulnerabilities in PHP scripts

Technical details
● Tokens - the code is split into tokens (e.g. opening tag, closing tag, string) which are then analyzed
● PVF - functions through which vulnerabilities can be introduced (currently 287)
● RIPS traces back whether the relevant parameters of the PVFs could be tainted by the user
● Verbosity levels - 5 levels (the default is 1):
  1 - traces tainted PVFs without any securing actions applied,
  2 - files and local DBs treated as potentially malicious,
  3 - shows PVFs even if securing actions have been applied,
  4 - displays additional information about code structure,
  5 - shows all PVF calls and associated traces.

Usage
● Easy to understand, with a simple web interface
● Mechanism: prepare a local web site and run it in a web server

Case studies
1. Cross-site scripting
2. SQL injection
3. Deprecated function
4. Remote File Inclusion
5. Remote Command Execution
6. File Inclusion
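As an added illustration (not code from RIPS or from this presentation), the Python script below models the taint-style analysis described on the "RIPS context" and "Technical details" slides and runs it over a constructed PHP sample that touches the cross-site scripting, SQL injection, file inclusion and command execution case studies. It assumes a small PHP subset with one statement per line; the source, sink and sanitizer tables are deliberately short constructed subsets (RIPS itself knows 287 PVFs), the function names in them are real PHP functions, and only verbosity levels 1 to 3 are modelled: level 1 reports sinks reached by unsanitized data, level 2 additionally treats file and database reads as untrusted, level 3 also lists sinks that were reached through a securing function.

```python
import re

# Constructed, illustrative subsets of what RIPS knows (real PHP names, tiny tables).
SOURCES = {"$_GET", "$_POST", "$_COOKIE", "$_REQUEST", "$_SERVER"}
# Verbosity level 2: data read from files or the local database counts as untrusted too.
LEVEL2_SOURCES = {"file_get_contents", "fgets", "mysql_fetch_assoc", "mysql_fetch_array"}
SINKS = {  # PVF name -> vulnerability class it can introduce
    "echo": "Cross-Site Scripting", "print": "Cross-Site Scripting",
    "mysql_query": "SQL Injection", "mysqli_query": "SQL Injection",
    "include": "File Inclusion", "require": "File Inclusion",
    "system": "Command Execution", "exec": "Command Execution",
}
SANITIZERS = {  # securing functions that neutralise each vulnerability class
    "Cross-Site Scripting": {"htmlspecialchars", "htmlentities", "intval"},
    "SQL Injection": {"mysql_real_escape_string", "mysqli_real_escape_string", "intval"},
    "File Inclusion": {"basename", "intval"},
    "Command Execution": {"escapeshellarg", "escapeshellcmd", "intval"},
}
ALL_SANITIZERS = set().union(*SANITIZERS.values())

# Tokens: $variables, quoted strings, identifiers, single punctuation characters
TOKEN_RE = re.compile(r'\$\w+|"(?:[^"\\]|\\.)*"|\'(?:[^\'\\]|\\.)*\'|\w+|\S')


def tokenize(stmt):
    """Split one statement into tokens. A $var interpolated inside a double-quoted
    string is emitted as an extra token, so "... $id ..." counts as a use of $id."""
    tokens = []
    for tok in TOKEN_RE.findall(stmt):
        tokens.append(tok)
        if tok.startswith('"'):
            tokens.extend(re.findall(r'\$\w+', tok))
    return tokens


def called_functions(tokens):
    """Identifiers immediately followed by '(' -- the function calls in a statement."""
    return {t for i, t in enumerate(tokens[:-1])
            if re.fullmatch(r'\w+', t) and tokens[i + 1] == '('}


def analyze(php, verbosity=1):
    """Propagate taint statement by statement (assumes one statement per line) and
    record, for every PVF call that receives tainted data, the backtrace RIPS would
    display and whether a securing function for that vulnerability class was applied."""
    tainted = {}    # "$var" -> {"trace": [...], "sanitizers": {...}}
    findings = []
    for lineno, raw in enumerate(php.splitlines(), 1):
        stmt = raw.strip()
        if not stmt or stmt.startswith(("<?php", "?>", "//", "#")):
            continue
        tokens = tokenize(stmt)
        calls = called_functions(tokens)
        is_assign = (len(tokens) > 2 and tokens[0].startswith("$")
                     and tokens[1] == "=" and tokens[2] != "=")
        rhs = tokens[2:] if is_assign else tokens
        # Tainted inputs: user sources, already-tainted variables and, at level >= 2,
        # values returned from files or the database.
        flows = [t for t in rhs if t in SOURCES or t in tainted]
        if verbosity >= 2:
            flows += sorted(calls & LEVEL2_SOURCES)
        if not flows:
            if is_assign:
                tainted.pop(tokens[0], None)    # variable overwritten with clean data
            continue
        # Backtrace: this statement first, then the statements that tainted its inputs
        trace = [f"{lineno}: {stmt}"]
        sanitizers = calls & ALL_SANITIZERS
        for t in flows:
            if t in tainted:
                trace += [s for s in tainted[t]["trace"] if s not in trace]
                sanitizers |= tainted[t]["sanitizers"]
        if is_assign:
            tainted[tokens[0]] = {"trace": trace, "sanitizers": sanitizers}
        # echo/print/include/require take no parentheses, so check the leading keyword too
        for sink in calls | {tokens[0]}:
            if sink in SINKS:
                vuln = SINKS[sink]
                findings.append({"line": lineno, "sink": sink, "type": vuln,
                                 "secured": bool(sanitizers & SANITIZERS[vuln]),
                                 "trace": trace})
    return findings


def report(findings, verbosity=1):
    """Levels 1 and 2 list only unsecured sinks; level 3 and above also show sinks
    that were reached through a securing function."""
    return [f for f in findings if verbosity >= 3 or not f["secured"]]


# Constructed sample (not from the presentation) covering the case-study classes.
SAMPLE_PHP = """<?php
$name = $_GET['name'];
echo "Hello " . $name;
$safe = htmlspecialchars($name);
echo $safe;
$id = intval($_POST['id']);
$q = "SELECT * FROM users WHERE id = $id";
$r = mysql_query($q);
$page = $_COOKIE['page'];
include $page . '.php';
$dir = file_get_contents('config.txt');
system("ls " . $dir);
"""

if __name__ == "__main__":
    for level in (1, 2, 3):
        print(f"--- verbosity {level} ---")
        for f in report(analyze(SAMPLE_PHP, level), level):
            print(f"{f['type']} via {f['sink']} [{'secured' if f['secured'] else 'VULNERABLE'}]")
            print("    " + "\n    ".join(f["trace"]))
```

Running the script at verbosity 1 reports the echo on line 3 and the include on line 10; level 2 adds the system() call fed from file_get_contents(); level 3 additionally lists the echo of the htmlspecialchars() result and the query built from an intval() value, marked as secured. The design choice to carry the set of sanitizers along with the taint, rather than a single tainted/clean bit, is what lets the same pass answer both the level 1 and the level 3 question.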

Demo

Future work
● full object-oriented programming support,
● all PHP code semantics such as variable aliases,
● evaluation of dynamic strings at runtime (e.g. the names of included files).

Resources
● https://www.owasp.org/index.php/Static_Code_Analysis
● https://www.owasp.org/index.php/Source_Code_Analysis_Tools
● http://www.php-security.org/2010/05/24/mops-submission-09-rips-a-static-source-code-analyser-for-vulnerabilities-in-php-scripts/index.html
● http://holisticinfosec.org/toolsmith/pdf/july2011.pdf
● http://sourceforge.net/projects/rips-scanner
● https://websec.wordpress.com/category/projects/
● http://rips-scanner.sourceforge.net
● http://www.phpfreaks.com/tutorial/php-security/page6
● http://www.php-security.org/downloads/rips.pdf
● Secure coding training - Review of source code analyzers - Gerard Frankowski, Tomasz Nowak
● RIPS - A static source code analyser for vulnerabilities in PHP scripts - Johannes Dahse

Questions ?

THANK YOU!