Pixy: Application vulnerability scanner for PHP code

Cross-site scripting (XSS) and SQL injection (SQLI) vulnerabilities are present in many modern web applications, and are reported continuously on pages such as BugTraq. In the past, finding such vulnerabilities usually involved manual source code audits. Unfortunately, this manual vulnerability search is a very tiresome and error-prone task.

More about Pixy here

Zend Framework Webinar From Zend

Zend is going to offer a Webinar this week for the Zend Framework

Zend-Webinar-Wednesdays-Zend-Framework-1.0—An-Overview

From the site:

Tunein to learn more about the value Zend Framework can offer your web
project. You will leave having learned:

* Three ways you can use Zend Framework to make your applications more secure
* Four ways Zend Framework promotes software development best practices
* Five ways Zend Framework can free you from reinventing the wheel – so you can focus on your area of innovation

February Meeting Notes: cryptography and simple histograms

For this month’s meeting, Joel and I talked about simple cryptography theory, and followed it up with discussing how a histogram can be used to help analyze and break certain types of cryptography schemes.

Histograms are just a way to graphically represent data. This can be color data from an image, or data in a text or binary file. Really, histograms are just simple bar graphs.

Read on for the rest of the details.

Without posting everything that Joel and I said in the meeting, it’d pretty difficult for me to convey exactly how histograms can be used for cryptanalysis. Simply put, the histogram shows the number of times each character appears in a file. In a simple letter-substitution scheme, it would be easy to see what letters show up most often in natural language and in the encrypted text. There’s a fairly good chance that you can start replacing letters that have similar frequency. Once you’ve accurately substituted enough letters in the encrypted text to form a few whole words or easily-guessed partial words, it becomes no more difficult to completely decrypt the message than playing a game of hangman that’s already half-solved.

Here are a few histograms I generated for large text files. This is useful for analyzing the frequency that certain characters appear in a file:

As you can see, the charts both top out at the same place. That’s a space character. Spaces are easily the most common character found in written text. All the bars to the left of the tall bar are “control characters” such as carriage returns. Directly to the right of the tall bar are symbols, numbers, upper-case and lower-case letters respectively.

Notice the whole right side of the above graphs are empty, because those are called “high ascii” characters that aren’t commonly found in written text, but are common in binary files.

This is a histogram of a file containing only random data:

And finally, a histogram of an OpenBSD binary executable file (which has a lot of nulls on the far left) throwing off the curve. Nulls are very common on executable files on almost any platform.

Finally, you can take a look at my code. It was a pretty quick hack for personal research reasons, but I decided to bring it up in the meeting today. I made sure to document most of the important logic in the code.

http://churchofpuffy.com:7080/histogram.phps

Thanks to everyone who showed up for this month’s meeting!

Security From The Inside

This interview with Stefan Esser was recently posted on Security Focus.

Stefan Esser is the founder of both the Hardened-PHP Project and the PHP Security Response Team (which he recently left). Federico Biancuzzi discussed with him how the PHP Security Response Team works, why he resigned from it, what features he plans to add to his own hardening patch, the interaction between Apache and PHP, the upcoming “Month of PHP bugs” initiative, and common mistakes in the design of well-known applications such as WordPress.

Full Interview via Security Focus –>

January 2007 :: 2 new Firefox Extensions for Developers

For those of you who haven’t been able to join us recently, we are still meeting. 😉 While we have not had any formal presentations in some time; this month saw some great discussion.

  • two companies looking to hire some talent
  • a request for volunteers to develop an XSL based templating layer
  • and a host of other great topics that I’m sure others will add in the comments of this post.

We did discuss two Firefox Extensions that may be very interesting to Web Application developers out there.

The first one is called Firebug. I’m a HUGE fan of the Web Developer tool bar, but seriously; If you haven’t used Firebug, please go get it now. Think of it as a JavaScript / CSS IDE built into the browser.

The second one is more of a complete package with a FireFox extension. If you have ever wanted to generate a testing harness on your user-interface itself, or you have wanted to automate any functional testing; Selenium may be the tool for you.

Selenium (from OpenQA) comes in two parts, the Selenium-IDE and the Selenium-core. Grab the IDE and kick the tires, or just watch the movie. If you want to see how take your single test and start building an automated suite; go check out Selenium-Core.

Again, I hope you all had a great time! See you again next month!