Features

Next generation code analysis

Sophisticated RIPS Engine

The new RIPS engine is armed with innovative code analysis algorithms that are specifically dedicated to the intricate features of the PHP language. It is capable of analyzing modern PHP applications for complex security vulnerabilities within minutes. The full feature stack of the PHP language is supported, including object-oriented code, pitfall-prone security mechanisms, and PHP built-in functions. Security vulnerabilities are accurately detected by analyzing the data flow from user-controlled input parameters to sensitive operations in your application with 100% code coverage. By evaluating the interaction of applied security mechanisms with the different input types, markup contexts, and sensitive operations, false alarms are prevented and detailed remediation instructions are presented.

Technical Summary

Supported Language
PHP (3-7)
Maximum Code Size
unlimited
Vulnerability Types
40+
Vulnerability Reports
Dashboard, PDF, CSV
Hosted Solution
Yes
On-Premise Solution
Yes
Scripting API
Yes
Continuous Integration
Yes
Supported Standards
OWASP, CWE, SANS

Supported Vulnerability Types

OWASP Top 10

The OWASP Top 10 provides a list of the 10 most critical security risks that occur frequently in web applications. It is referenced by many standards, books, tools, and organizations, including MITRE, PCI DSS, DISA, and FTC.

RIPS is able to identify 9 out of the 10 risks and it helps you to quickly locate them in your project!

  See examples in our
Vulnerability Database

Many more

RIPS is not limited to the common vulnerabilities though. Its sophisticated analysis engine is able to detect highly specific and very complex PHP vulnerabilities that are not found by any other product. Vulnerability types include Cross-Site Scripting, Code Execution, Command Execution, Denial of Service, Directory Listing, Environment Manipulation, Execution After Redirect, File Create, File Delete, File Inclusion, File Upload, File System Manipulation, File Write, HTTP Response Splitting, Information Leakage, Library Injection, LDAP Injection, Log Forgery, Mass Assignment, Memcached Injection, MongoDB Injection, NoSQL Injection, Open Redirect, Path Traversal, PHP Object Injection/Instantiation, Reflection/Autoload Injection, Resource Injection, Server-Side JavaScript Injection, Server-Side Request Forgery, Session Fixation, SQL Injection, Variable Manipulation, Weak Cryptography, XML/XXE Injection, Xpath Injection, Xquery Injection, ...


Real-time Results

All detected security issues are available in real-time when your application is scanned. You can follow the current risk assessment of your application and directly begin to review the first issues - even if the scan is not complete yet.

Our risk heatmap shows the overall security state of your application, based on the severity and quantity of detected security vulnerabilities. These are categorized into critical, high, medium, and low issues in order to prioritize the urgency to review.

Real-time screenshot
Info screenshot

Security Guide

For each detected security vulnerability, detailed information about the type of vulnerability in general, as well as the specific occurrence is given. RIPS explains the root cause of the issue and what impact a successful attack can cause.

Additionally, RIPS offers a detailed guide to the solution - even for unexperienced developers. This provides users with reliable information at hand in order to quickly resolve the problem without the need for further research.



Review System

When investigating a detected issue, you can update the review status of each vulnerability and add a comment. This helps to prioritize issues and to manage the workflow within your team.

For example, already patched issues can be marked as fixed or currently investigated issues can be marked as in progress in order to avoid duplicate work.

Review screenshot
Summary screenshot

Code Summary

The code summary highlights only the relevant code lines in order to make understanding the vulnerability quick and easy.

Security issues can span over multiple files and functions, making it difficult to keep track of vulnerable code. RIPS summarizes and connects code lines related to the issue and speeds up the process of applying a security patch at the right spot.

Executed Context

Unvalidated input from an application's user is the root cause for almost all security issues in modern web applications. Depending on how this user input is used in which sensitive operation of your application, different types of vulnerabilities can occur.

Our context view instantly shows which sensitive operation is affected and how exactly malicious input can tamper its execution. This is extremely valuable to abstract from the affected code lines and to understand the vulnerability's impact.

Markup screenshot
Analysis Settings Screenshot

Analysis Settings

The comprehensive analysis settings make it possible to tailor RIPS specifically to your application.

Our analysis settings include the definition of new sources, sinks, sanitizers, validators, and ignores with full OOP support. In addition to that, it is possible to specify PHP related settings such as magic_quotes, register_globals, and the PHP version itself.

Application Rescan

Rescan your application to check if the security vulnerabilities were resolved, newly added or still remain in the source code.

Rescanning an application multiple times during the development lifecycle is an important step towards continous integration of static code analysis. You are able to test different analysis settings, test new code, or check if issues were resolved by your team.

Application Rescan

Stay current
about our latest features