Pixy is a source
code scanner for PHP 4 that tries to detect two major types of web
application vulnerabilities. Cross-site
scripting (XSS) and SQL injection are two
of the most commonly reported security problems in web applications; any
help in detecting and fixing them is welcome. In addition, for those who
want to try before they install, the project offers a web
interface to upload PHP code for XSS checking.
Pixy is a java program written by folks at the Secure Systems Lab at the
Vienna University of Technology. It is roughly a year old, with at least
report attributed to it. The project homepage has extensive documentation
that will get the impatient going quickly but also satisfy the curiosity
of those interested in the guts of the tool.
Once you get past the "quick start", the Pixy documentation guides you
through the concept of "tainted" values, which underly both XSS and SQL
injection vulnerabilities. The basic idea is that unfiltered input can
enter the program in various ways, which is considered to be a tainted
value. In order to determine if the tainted value is used in a way that
could be exploited, you must follow the data through assignments and
function calls. If the data is then used in a way that could cause an XSS
(via echo() for example), Pixy will flag it. Similarly, if it is
used in a mysql_query(), a possible SQL injection will be flagged.
Using htmlentities() on data that is eventually output, will
remove the taint on that data for the purposes of XSS analysis. Using
addslashes() on arguments to SQL queries, changes their status to
"weakly tainted", which means they are not a problem when used inside
single quotes in the query, but are still dangerous when just interpolated
into the string.
The program produces two kinds of output, a textual report that lists the
line numbers as well as output that can be used with graphviz. The graphical output shows
a dependency graph describing the flow from the taint source to the
Pixy is geared towards the most common usage of PHP and currently only
analyzes PHP 4. If a program uses its own, specialized filtering that is
even more cautious than the PHP built-ins, Pixy will not see that filtering
and will still consider the data to be tainted. In addition, checking for
SQL injection in any database other than MySQL seems to be lacking.
There are endless arguments about the PHP language and whether its
constructs and practices foster secure programs, but it is clear that many,
if not most, PHP projects have had security problems along the way.
Removing XSS and SQL injection problems would take care of a significant
fraction of the problems reported daily on BugTraq. Anyone working with
PHP code, especially when using MySQL via the mysql_query() call,
should seriously consider running Pixy while giving a careful look at
anything suspicious that it reports.
to post comments)