RIPS - A static source code analyser for
vulnerabilities in PHP scripts
Johannes Dahse
Seminar Work
at
Chair for Network and Data Security
Prof. Dr. Jörg Schwenk
advised by Dominik Birk
23.08.2010
Horst Görtz Institute Ruhr-University Bochum
Contents
1 Introduction 1
2 Motivation 2
3 Web application security 3
3.1 Cross-Site Scripting 4
3.2 SQL Injection 5
3.3 Other vulnerabilities 6
4 Static source code analysis 7
4.1 Configuration 7
4.2 Model construction 7
4.3 Analysis 8
4.3.1 Taint analysis 8
4.3.2 Intraprocedural and interprocedural analysis 9
4.4 Results processing 9
5 RIPS implementation 11
5.1 Configuration 11
5.2 Model construction 12
5.2.1 Lexical and semantic analysis 12
5.2.2 Parsing 13
5.2.3 Control flow analysis 15
5.3 Analysis 15
5.3.1 Taint analysis 15
5.3.2 Intraprocedural and interprocedural analysis 16
5.4 Web interface 17
5.5 Scan results 19
5.6 Limitations and future work 20
6 Related work 22
7 Summary 24
1 Introduction
The number of websites has increased rapidly in recent years. While websites consisted
mostly of static HTML files a decade ago, more and more web applications with dynamic
content have appeared, driven by easy-to-learn scripting languages such as PHP and the growing
availability and speed of the internet. Today almost all web servers support some sort of scripting
environment for deploying dynamic web applications.
Besides a huge number of new possibilities, web 2.0 also brings many new security
risks when data supplied by a user is not handled carefully enough by the application. Different
types of vulnerabilities can lead to data leakage, data modification or even server compromise.
Often a single unfiltered character is enough to cause a huge security impact. Because of limited
programming skills, lacking security awareness and time constraints, vulnerabilities occur very
often, and since a web server is easily accessible on the internet they put the whole server at risk.
In order to contain the risks of vulnerable web applications, source code has to be reviewed by the
developer or by penetration testers. Given that large applications can have thousands of
lines of code and that time is limited by costs, a manual source code review might be incomplete. Tools
can help penetration testers minimize time and costs by automating the time-intensive parts
of a source code review.
This seminar work introduces the concept of web application vulnerabilities and shows how
they can be detected automatically by static source code analysis. It also introduces a new tool named
RIPS, which automates the process of identifying potential security flaws in PHP
source code. RIPS is open source and freely available at
http://www.sourceforge.net/projects/rips-scanner/. The result of the analysis can easily be reviewed by
the penetration tester in context, without reviewing the whole source code again. This seminar
work describes how RIPS is implemented and which kinds of problems are faced when
building a static source code analysis tool for PHP.