Scanning for PHP vulnerabilities with Pixy
[Posted June 27, 2007 by jake]
Pixy is a source
code scanner for PHP 4 that tries to detect two major types of web
application vulnerabilities. Cross-site
scripting (XSS) and SQL injection are two
of the most commonly reported security problems in web applications; any
help in detecting and fixing them is welcome. In addition, for those who
want to try before they install, the project offers a web
interface to upload PHP code for XSS checking.
Pixy is a Java program written by folks at the Secure Systems Lab at the
Vienna University of Technology. It is roughly a year old, with at least
one vulnerability
report attributed to it. The project homepage has extensive documentation
that will get the impatient going quickly but also satisfy the curiosity
of those interested in the guts of the tool.
Once you get past the "quick start", the Pixy documentation guides you
through the concept of "tainted" values, which underlie both XSS and SQL
injection vulnerabilities. The basic idea is that unfiltered input can
enter the program in various ways, and any such input is considered a tainted
value. In order to determine if the tainted value is used in a way that
could be exploited, you must follow the data through assignments and
function calls. If the data is then used in a way that could cause an XSS
(via echo() for example), Pixy will flag it. Similarly, if it is
used in a mysql_query(), a possible SQL injection will be flagged.
Using htmlentities() on data that is eventually output will
remove the taint on that data for the purposes of XSS analysis. Using
addslashes() on arguments to SQL queries changes their status to
"weakly tainted", which means they are not a problem when used inside
single quotes in the query, but are still dangerous when interpolated
into the string without quoting.
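As an added illustration (not Pixy's code, and not from the article), the following Python toy models the three taint states described above and the single-quote rule for mysql_query() sinks; the PHP fragment in the comment, the variable names and the query are constructed for the example.

```python
from enum import IntEnum
import re

class Taint(IntEnum):
    CLEAN = 0    # constant, or fully sanitized for the sink in question
    WEAK = 1     # tainted value that went through addslashes()
    TAINTED = 2  # unfiltered input such as $_GET / $_POST

def addslashes(level: Taint) -> Taint:
    """Model of the rule the article describes: addslashes() downgrades TAINTED to WEAK."""
    return Taint.WEAK if level == Taint.TAINTED else level

def quoted_positions(template: str) -> dict:
    """Map each $var interpolated into a PHP double-quoted query string to whether
    it sits inside a single-quoted SQL literal. Backslash escapes are skipped so
    an escaped quote does not flip the quote state."""
    positions, in_quote, i = {}, False, 0
    while i < len(template):
        ch = template[i]
        if ch == "\\":
            i += 2
            continue
        if ch == "'":
            in_quote = not in_quote
        elif ch == "$":
            m = re.match(r"\$(\w+)", template[i:])
            if m:
                positions[m.group(1)] = in_quote
                i += m.end()
                continue
        i += 1
    return positions

def check_query(template: str, env: dict) -> list:
    """Variables a Pixy-style check flags at a mysql_query() sink: TAINTED anywhere,
    WEAK only outside single quotes. Unknown names are conservatively TAINTED."""
    flagged = []
    for var, in_quote in quoted_positions(template).items():
        level = env.get(var, Taint.TAINTED)
        if level == Taint.TAINTED or (level == Taint.WEAK and not in_quote):
            flagged.append(var)
    return flagged

# Constructed PHP fragment being modelled (not code from the article):
#   $name = addslashes($_GET['name']); $id = $_GET['id']; $lim = addslashes($_GET['lim']);
#   mysql_query("SELECT * FROM users WHERE name = '$name' AND id = $id LIMIT $lim");
ENV = {"name": addslashes(Taint.TAINTED), "id": Taint.TAINTED, "lim": addslashes(Taint.TAINTED)}
QUERY = "SELECT * FROM users WHERE name = '$name' AND id = $id LIMIT $lim"
if __name__ == "__main__":
    print(check_query(QUERY, ENV))  # ['id', 'lim']: $name is weakly tainted but quoted
```

The LIMIT case is the one the article warns about: addslashes() alone does not help a value that is interpolated outside quotes.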
The program produces two kinds of output: a textual report that lists the
relevant line numbers, and output that can be rendered with graphviz. The graphical output shows
a dependency graph describing the flow from the taint source to the
dangerous use.
Pixy is geared towards the most common usage of PHP and currently only
analyzes PHP 4. If a program uses its own, specialized filtering that is
even more cautious than the PHP built-ins, Pixy will not see that filtering
and will still consider the data to be tainted. In addition, checking for
SQL injection in any database other than MySQL seems to be lacking.
There are endless arguments about the PHP language and whether its
constructs and practices foster secure programs, but it is clear that many,
if not most, PHP projects have had security problems along the way.
Removing XSS and SQL injection problems would take care of a significant
fraction of the problems reported daily on BugTraq. Anyone working with
PHP code, especially when using MySQL via the mysql_query() call,
should seriously consider running Pixy while giving a careful look at
anything suspicious that it reports.