How can I test PHP site security for most common security flaws?

Question

I need to make sure that PHP sites that I administrate, don't have any common PHP flaws, like SQL injection, wrongly configured permissions to files and folders etc. By site I mean for example Joomla site with plugins and modules. Making this security check manually can be time consuming and automated test could be run on daily basis to just make sure nothing has changed.

So my question is that is there any good automated software for this or do I have to code one myself?

Would be nice to have a script to test common security flaws — Phill Pafford, Sep 29 '10 at 13:37

score 9 · Accepted Answer · answered Sep 29 '10 at 15:42

9

Using a fuzzer is a good idea. But, you could also try coding an automated system yourself, as this will boost your knowledge about php and security issues/loop holes in your php sites.

I would personally use Google's Skipfish and find out for yourself if there are problems, then build your own just for your needs and ease of use. Good luck!

answered Sep 29 '10 at 15:42

ryryan

3,890
13
43
72

The link to Skipfish is dead now, according to their [downloads page](https://code.google.com/archive/p/skipfish/downloads) the last (beta..) version seems to be 2.10 dated 2012. – Code4R7 Nov 11 '17 at 08:01

score 4 · Answer 2 · answered Sep 29 '10 at 11:36

4

This can be done with a fuzzer or a web vulnerability scanner.

answered Sep 29 '10 at 11:36

Sjoerd

74,049
16
131
175

score 4 · Answer 3 · answered Sep 30 '10 at 03:32

4

I've been using netsparker http://www.mavitunasecurity.com/

Not exactly what you need but it can help a lot :)

answered Sep 30 '10 at 03:32

DiogoNeves

1,727
2
17
36

score 2 · Answer 4 · answered Sep 29 '10 at 11:37

2

You should do both. Review your code and look for possible SQL-Injections etc.

Google released a very nice tool named "Skipfish" that scans your application for common security holes / attack patterns.

answered Sep 29 '10 at 11:37

halfdan

33,545
8
78
87

rook · Answer 5 · 2011-11-21T15:59:01.163

1

I recommend using the open source project wapiti which will test for XSS, SQLi, LFI/RFI and many more. There is also the commercial product Sitewatch($), and the best is NTOSpider($$$$$).

edited Nov 21 '11 at 15:59

answered Sep 29 '10 at 16:42

rook

66,304
38
162
239

score 1 · Answer 6 · answered Sep 29 '10 at 18:46

1

To familiarize yourself with common web security flaws, you may also wish to explore Webgoat

answered Sep 29 '10 at 18:46

Visionary Software Solutions

3,825
2
29
35

Johannes · Answer 7 · 2017-11-05T12:07:15.317

1

You can use a static code analysis tool, e.g. RIPS for PHP, to analyze your complete source code for security flaws. Fuzzing your website from the outside may not cover all code paths and overlook issues.

edited Nov 05 '17 at 12:07

answered Aug 26 '16 at 07:08

Johannes

11
2

score 0 · Answer 8 · answered Apr 08 '15 at 13:44

0

This is a new and good tool fot testing,it can be used, from web developers, penetration testers or even security researchers to test web applications with the view to find bugs, errors or vulnerabilities. It worths to give a try Commix

answered Apr 08 '15 at 13:44

Stefano

59
4

score 0 · Answer 9 · edited May 23 '17 at 11:46

0

I doubt there's anything -good (so, 100% reliable)- that's automated. But a nice topic to go through might be this one on SO, as it lists "historical security flaws".

Historical security flaws of popular PHP CMS's?

edited May 23 '17 at 11:46

Community

1
1

answered Sep 29 '10 at 11:37

CharlesLeaf

3,201
19
16

score 0 · Answer 10 · answered Sep 29 '10 at 11:40

0

RFI, LFI, SQL Injection, too many to discuss, and probably too boring to read one by one. I suggest you use a fuzzer instead. There many free ones and here's a wiki article about it: http://en.wikipedia.org/wiki/Fuzz_testing

answered Sep 29 '10 at 11:40

Ruel

15,438
7
38
49

How can I test PHP site security for most common security flaws?

10 Answers10