Stc
Date: 2006-11-09
Time: 11:45
Room: BBL room 471
Speaker: Eric Bouwers
Title: PHP-Sat - Analyzing PHP
Abstract
PHP is a general-purpose scripting language that is widely used to
implement the server-side logic of web applications. Learning the
basics of PHP is not very difficult, but understanding all of the
security issues involved in developing web applications in PHP is
very hard. There are techniques for statically finding suspicious
patterns and vulnerable places in source code, but until recently
there was no useful tool for analyzing PHP source code.
In this talk we will take a look at PHP-Sat, an extensible analyzer
for PHP. We will dive into the rattling world of PHP and discuss some
of the challenges that are involved in analyzing this scripting
language. We will take a look at some patterns that indicate
suspicious constructs and examine an algorithm for statically finding
cross-site scripting (XSS) vulnerabilities. The current status of the
tool will be discussed together with some of the results that are
already available.