14

Is there any easy to use PHP Security Scanner?

Brock Adams
TheNone
  • 1
    PHP Security Scanner: http://sourceforge.net/projects/securityscanner/ – mcandre Jun 16 '10 at 18:39
  • 1
    [PHP Security Consortium](http://phpsec.org/): Founded in January 2005, the PHP Security Consortium (PHPSC) is an international group of PHP experts dedicated to promoting secure programming practices within the PHP community. Members of the PHPSC seek to educate PHP developers about security through a variety of resources, including documentation, tools, and standards.... – jww Jun 01 '16 at 11:28

4 Answers

16

Please be aware that NO automated security scanner will be able to detect all vulnerabilities in the code base. The best way to protect your code is to learn about how to write secure software, and do diligent code reviews.

Note, I'm not saying NOT to use a scanner. I'm saying use a scanner as a second line of defense only. Don't rely on it to make up for poor coding practices...

ircmaxell
  • I agree with you. But there are always hackers who are smarter than us!! – TheNone Jun 16 '10 at 18:45
  • 2
    Well, the hackers (the smarter ones that you allude to at least) would likely be using something that they wrote to scan for vulnerabilities that check for things that the generic ones don't (or have different/better/newer methods). So even a commercial scanner may not save you there... – ircmaxell Jun 16 '10 at 18:50
  • @ircmaxell, thanks for the advice. I try to write secure code, but I don't want to be exposed to 14-year-old kids :) BTW I can't pay $1445 for this! I will try mcandre's link. – TheNone Jun 16 '10 at 18:58
  • @phpExe Sounds like you need to hire that 14 year old kid ;) – Rowland Shaw Jun 20 '10 at 11:01
  • @Rowland Shaw; can you give the address of the kid that you "hire", please? It sounds like you have experience with hiring hackers ;) – TheNone Jun 20 '10 at 20:07
  • @phpExe My point is more that if you're not confident in your abilities to be hacker proof, then it's probably worthwhile hiring someone with more experience, either proven in industry with a CV, or otherwise. – Rowland Shaw Jun 21 '10 at 08:02
  • @Rowland Shaw, I'm confident in my abilities to be hacker-proof shortly. BTW, this is not related to my topic. I can see attacks on very big sites. Nobody is untouchable, even you or any hacker or any "king of programmers" ;) – TheNone Jun 21 '10 at 09:08
  • 1
    The first thing you must understand is that there is no such thing as a perfectly secure computer. If someone wants it bad enough, they can get in. Whether it involves kidnapping you to get the passwords, physically stealing the server or getting through a trusted computer, it's always possible. The whole point of security isn't to make it hacker proof, but to make it hard enough that "hackers" don't want to put forth the effort necessary (unless they are really motivated). – ircmaxell Jun 21 '10 at 11:02
5

An old topic, but I notice no one has mentioned the RIPS Scanner yet (see also the related project page on Sourceforge).

"RIPS is a free static source code analyser for vulnerabilities in PHP scripts"

I haven't tried it yet (just downloading it now), but it sounds like the kind of thing the question is looking for. And it's free (GPL licenced). (It is interesting to note that it was first released in June 2010, pretty much the same time this question was asked.)

Sourceforge also threw up a few other projects:

RIPS looks like it's a lot more widely used than any of those others, but it might be worth trying them all, just to see.

Hope that helps

SDC
3

Yes, a very good one:

Acunetix Web Security Scanner

Acunetix WVS automatically checks your web applications for SQL Injection, XSS & other web vulnerabilities.

Sarfraz
2

Try the following scanners to detect potentially malicious PHP files:

  • phpscanner;

    PHP scanner written in Python for identifying PHP backdoors and malicious PHP code. This tool mainly reuses the tools mentioned below. To use this tool, you need to install the yara library for Python from source.

  • php-malware-finder;

    Does its very best to detect obfuscated/dodgy code as well as files using PHP functions often used in malware/webshells. Detection is performed by crawling the filesystem and testing files against a set of YARA rules.

  • php-malware-scanner;

    Scans the current working directory and displays results with a score greater than the given value. Released under the MIT license.

For more tools, check: Malware scanner for websites code.

kenorb
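As an added example (not code from phpscanner, php-malware-finder or php-malware-scanner, nor from the answer's author), here is a toy Python scanner that does what the descriptions above say those tools do: crawl a directory tree, test every PHP file against a set of weighted rules, and list the files whose total score is above a threshold. The rules, weights and sample PHP files are constructed for this illustration and are nowhere near a complete rule set (php-malware-finder, per the answer, uses YARA rules for this job).

```python
"""Toy PHP webshell/malware scanner: crawl a tree, match weighted rules,
report files scoring above a threshold.

Added illustration only; not the code of any of the tools named on the
page. Rules, weights and sample files are constructed for this example.
"""
import os
import re
import tempfile
from dataclasses import dataclass

PHP_EXTENSIONS = (".php", ".phtml", ".php5", ".inc")


@dataclass(frozen=True)
class Rule:
    name: str
    pattern: re.Pattern
    weight: int


# Constructed rules. Each fires at most once per file; weights are illustrative.
RULES = [
    # eval() fed by a decoder: the classic one-line backdoor shape
    Rule("eval_of_decoded_input",
         re.compile(r"eval\s*\(\s*(base64_decode|gzinflate|gzuncompress|str_rot13)\s*\(", re.I), 50),
    # request data reaching eval() or a process-spawning function within one statement
    Rule("eval_of_request_data",
         re.compile(r"eval\s*\([^;]*\$_(GET|POST|REQUEST|COOKIE)\b", re.I), 60),
    Rule("shell_exec_of_request_data",
         re.compile(r"\b(system|exec|passthru|shell_exec|popen|proc_open)\s*\([^;]*\$_(GET|POST|REQUEST|COOKIE)\b", re.I), 60),
    # variable function name called with request data: $f($_GET[...])
    Rule("dynamic_call_with_request_data",
         re.compile(r"\$[a-z_][a-z0-9_]*\s*\(\s*\$_(GET|POST|REQUEST|COOKIE)\b", re.I), 40),
    # preg_replace with the /e modifier (removed in PHP 7), which evaluated the replacement
    Rule("preg_replace_e_modifier",
         re.compile(r"preg_replace\s*\(\s*['\"]/[^'\"]*/[a-z]*e[a-z]*['\"]", re.I), 30),
    # a string built from many \xNN escapes, a common way to hide a function name
    Rule("hex_escaped_string",
         re.compile(r"(\\x[0-9a-f]{2}){8,}", re.I), 25),
    # long base64 literal: suspicious, but also what an embedded image looks like
    Rule("long_base64_literal",
         re.compile(r"['\"][A-Za-z0-9+/]{200,}={0,2}['\"]"), 20),
]


def score_source(src: str) -> tuple[int, list[str]]:
    """Return (total score, names of the rules that matched) for one file's contents."""
    matched = [rule.name for rule in RULES if rule.pattern.search(src)]
    total = sum(rule.weight for rule in RULES if rule.name in matched)
    return total, matched


def scan_tree(root: str, threshold: int = 50) -> list[dict]:
    """Walk `root`, score every PHP file, and return those scoring above
    `threshold`, highest score first (ties broken by path)."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if not name.lower().endswith(PHP_EXTENSIONS):
                continue
            path = os.path.join(dirpath, name)
            with open(path, encoding="utf-8", errors="replace") as fh:
                score, rules = score_source(fh.read())
            if score > threshold:
                rel = os.path.relpath(path, root).replace(os.sep, "/")
                findings.append({"path": rel, "score": score, "rules": rules})
    findings.sort(key=lambda f: (-f["score"], f["path"]))
    return findings


# Constructed sample tree: two clean files, one clean file carrying a big
# base64 literal, and three webshell-style files.
SAMPLE_FILES = {
    "index.php": "<?php\n$q = $_GET['q'] ?? '';\necho htmlspecialchars($q, ENT_QUOTES, 'UTF-8');\n",
    "lib/text.php": "<?php\nfunction squash($s) { return preg_replace('/\\s+/', ' ', $s); }\n",
    "config/branding.php": "<?php\n$logo = '" + "QUJD" * 60 + "';\n",
    "uploads/img.php": "<?php @eval(base64_decode($_POST['c'])); ?>\n",
    "tmp/x.php": "<?php echo shell_exec($_GET['cmd']); ?>\n",
    "cache/sess.php": '<?php $a = "\\x70\\x61\\x73\\x73\\x74\\x68\\x72\\x75"; $a($_COOKIE["k"]);\n',
}


def build_sample_tree() -> str:
    """Write SAMPLE_FILES under a fresh temporary directory and return its path."""
    root = tempfile.mkdtemp(prefix="phpscan_")
    for rel, body in SAMPLE_FILES.items():
        path = os.path.join(root, *rel.split("/"))
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "w", encoding="utf-8") as fh:
            fh.write(body)
    return root


if __name__ == "__main__":
    sample_root = build_sample_tree()
    for f in scan_tree(sample_root, threshold=50):
        print(f"{f['score']:4d}  {f['path']}  ({', '.join(f['rules'])})")
```

At the default threshold of 50 the three constructed webshell-style files are reported and the clean ones are not; lowering the threshold to 0 also surfaces `config/branding.php`, whose only hit is a long base64 literal, which is why these tools rank by score instead of alerting on any single match. Note what the regexes miss: `$c = $_GET['c']; system($c);` scores nothing here because the request data and the sink are in different statements, which is the gap ircmaxell's answer points at when it calls scanners a second line of defence behind code review.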