I have a PHP application that I would like to have audited for security. I'm familiar with most of the general security issues, but want to make sure I didn't miss anything.

What steps should I take to perform a self-audit? What tools are available? What is the best way to find a 3rd-party auditor? Any recommendations?

Interested in both whitebox/code review audits and blackbox/pentests.

Rory Alsop
VirtuosiMedia
[tools for security Audits for PHP](http://www.hotscripts.com/blog/6-free-php-security-auditing-tools/) – Feb 13 '12 at 07:37

5 Answers

I suggest taking a look at the following links:

Sadeq Dousti

All but one of these links no longer provide content (and the 6 free tools reference Spike, which is no longer available). Is there a modern day list? (Sad that 'modern day' is merely 40 months later...) – Wild Bill Mar 28 '14 at 00:58


You should start with any interactive web proxy, such as Burp Proxy, Paros, etc.
Myself, I'm partial to Fiddler. Whichever tool you choose, this lets you examine all the request/response flow, and interact with the requests post-JavaScript. Great place to start.

Eventually, I imagine OWASP's Code Crawler will support PHP too... though right now I'm not familiar with any free automated tool for this. Just manual eyeballs for now...
Of course you can go for one of the big vendors, e.g. Fortify, Ounce Labs, etc., but that's quite expensive and another can of worms...

AviD

Give Google's Skipfish a look: http://code.google.com/p/skipfish/wiki/SkipfishDoc

Nev Stokes

There are tons of tools and it's really a personal preference which ones one will use for a pentest. So try all of those mentioned by me and others and choose the ones that fit you best.

For security code review (whitebox test), I'd recommend using RIPS. It's the best among those I tried.

For doing some blackbox testing, you certainly need some intercepting proxy. There's a lot of those, but I'd suggest you take a look at Fiddler if you're on Windows. Burp / WebScarab / Zed Attack Proxy are great too. If you want to automate some of the injection tests, grab some common payloads from fuzzdb.

Also, make yourself familiar with browser add-ons like Firebug and Chrome Developer Tools; they are a great help.

Finally, try bookmarks from Open Penetration Testing Bookmarks Collection. It's a huge list (just so that you know how many tools are there), but there are many gems inside.

Krzysztof Kotowicz

If you want to make sure you don't miss anything, the best way is to get an actual expert to look at it. Too many problems arise in websites where a developer simply isn't aware that they aren't following best practices, or fail to understand that common "secure" practices aren't actually secure at all! (e.g. "I don't need to parameterize my SQL so long as I replace single quotes with backslash single-quotes, right!?").

If you're a company, hire an external pentesting company to do a test of your application. They're not very expensive, and they'll find most of the issues. It's certainly cheaper for a company to hire a pentesting firm than to waste days of time training staff members on full salary how to find some bugs, and it's certainly cheaper than trying to rebuild your company after a major breach of customer data.

SecurityMatt
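The "replace single quotes with backslash single-quotes" pattern that SecurityMatt quotes, placed beside the parameterised form, as an added example that is not from any of the answers. It assumes PHP with the pdo_sqlite extension; the table, rows and the `O'Brien` input are constructed for the demonstration.

```php
<?php
// Added example (not from the original answers): hand-rolled quote escaping
// versus a parameterised query. Assumes the pdo_sqlite extension is available.

// The insecure pattern from the answer: MySQL-style escaping spliced into SQL text.
function findUserEscaped(PDO $db, string $name): array
{
    // This is driver-specific (SQLite doubles quotes instead of backslash-escaping),
    // leaves backslashes in the input untouched, and does nothing at all for
    // values that are not inside quotes, such as numeric columns.
    $escaped = str_replace("'", "\\'", $name);
    $sql = "SELECT id, name FROM users WHERE name = '$escaped'";
    return $db->query($sql)->fetchAll(PDO::FETCH_ASSOC);
}

// The hardened form: the value never becomes part of the SQL text; the driver binds it.
function findUserPrepared(PDO $db, string $name): array
{
    $stmt = $db->prepare('SELECT id, name FROM users WHERE name = :name');
    $stmt->execute([':name' => $name]);
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

// Constructed fixture: an in-memory SQLite database with one legitimate apostrophe name.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT NOT NULL)');
$db->exec("INSERT INTO users (name) VALUES ('alice'), ('O''Brien')");

$input = "O'Brien"; // ordinary user input, not an attack string

try {
    print_r(findUserEscaped($db, $input));
} catch (PDOException $e) {
    // On SQLite the backslash-escaped quote ends the string literal early, so the
    // "secure" escaping breaks on everyday input: the fix depended on the database,
    // not on the code. On MySQL the same text would parse, which hides the problem.
    echo "escaped query failed: ", $e->getMessage(), PHP_EOL;
}

// The bound parameter is handled as data by every PDO driver, apostrophe included.
print_r(findUserPrepared($db, $input));
```

The second query returns the single `O'Brien` row on any PDO driver, which is the behaviour the escaping version only approximates for one database.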