20 ways to php Source code fuzzing (Auditing)

Hello .

This article is only for who attend php as well and really knowing how to program In PHP.

When we talk about PHP Vulnerability discovery, we forget this Question:
What types of bugs?

When we can answer this Question, we will gain to find vulnerability as well as drink some water.

Reading in  this article :

Section 1 : (20 ways to PHP source code Auditing – PHP Fuzzing)
1- Cross Site Scripting
2- SQL Injection [medium]
3- HTTP Response Splitting [Medium]
4- Dynamic Evaluation Vulnerabilities [High]
5- Process Control / PHP Code Injection (HIGH)
6- Local / Remote file inclusion (High)
7 – File Management (HIGH)
8- Buffer overflows (High, But Hard Usage)
9- Cookie / Session injection / Fixation / [High]
10 – Denial Of service [Medium, But Hard Assessment]:
11 – XPath Injection [XML Functions]
12 – Often Misused: File Uploads (High)
13 – Un-Authorize summon of Functionality / File (Medium)
14 – Authentication Bypass with Brute Force (Low)
15 – Insecure Randomness Session / Cookie / Backup files (Medium)
16 – Informative details in HTML Comments (Low)
17 – Default unnecessary installation files (medium)
18 – Regular Expression Vulnerability (High)
19 – Resource Injection (Medium)
20 – Week Password / Encryption: (Low)

Section 2:
Automatic PHP Auditor source code

This article is not a full reference about PHP source code security review (a.k.a auditing) but I tried to do this work in my short time as well. So please take my apology about all of mistakes (maybe) I made during completing this article.  I’m not sure but maybe I’ve release future version of this article that contain a few more advanced methods.

Here is some of future talk and topics may I add this article in next version:
1-    More Real world Attack with Description
2-    PHPIDS Defense.
3-    More Dangerous Functions: CURL – socket – creat_function & ….
4-    Talk About pear functions and security of used.
5-     Information About Books of PHP Securea Coding.
6-     And ETC

Download :





Get Adobe Flash player