Modern websites evolved to interactive applications which process confidential user data, such as credit card numbers, passwords and private messages. This sensitive data requires reliable protection from cyber criminals who exploit vulnerabilities in the applications' source code. A single line of faulty code can lead to data theft, website infection with malicious software, a complete takeover of the underlying web server, or to the infiltration of the company's internal network. According to Symantec, 500.000 attacks are registered and 50.000 websites are hacked - every day.
|Year||Target||Data Breach||Attack Vector|
|2016||DailyMotion||85 M accounts||PHP website|
|2016||AdultFriendFinder||412 M accounts||LFI in PHP website|
|2016||Linux Mint||ISO backdoored||PHP CMS Wordpress|
|2015||Panama Papers||11.5 M documents||PHP CMS Drupal|
|2015||AshleyMadison||32 M accounts||PHP website|
|2014||GammaGroup||40 GB data||SQLi in PHP website|
Particulary web applications developed in PHP, the most popular server-side scripting language on the Web, are prone to security vulnerabilities. Due to its dynamic and weak typing, as well as a variety of intricate built-in functions and settings, subtle security bugs are easily introduced into PHP code. Although the developers' awareness is rising for the traditional types of vulnerabilities, they still persist due to faulty security mechanisms or misleading language features. Besides, more complex and PHP-specific vulnerability types are comparatively unknown and actively exploited by attackers. Find out more about diverse vulnerabilities in popular open-source applications that were detected by RIPS in our vulnerability database.
The manual detection of vulnerabilities in modern PHP applications with hundreds of thousands lines of code is expensive, time-consuming and requires deep security knowledge. With the help of static code analysis, security vulnerabilities can be detected in an automated fashion and subsequently remediated.
Static analysis is performed solely on the source code of an application without execution. The complete source code is transformed into an abstract model that is then analyzed for security vulnerabilities. This enables an efficient analysis with full code coverage which can be even applied to incomplete applications and different environments. As a result, static application security testing (SAST) tools are attractive for the integration into the standard testing and code review process in order to detect security issues as early as possible. Further, complex security vulnerabilities can be detected that likely remain undetected without knowledge of the source code.
Dynamic analysis monitors the execution of an application. Thus, it can only detect software defects within the current executed program path and suffers from incompleteness and low performance. Typically, for web applications, a light-weight approach is performed on the client-side of a web application. Multiple malicious input patterns for common web attacks are submitted to a deployed application in an automated fashion. At the same time the application's responses are evaluated for abnormal behavior. This fuzzing approach suffers from fundamental limitations, such as limited test coverage, few supported vulnerability types with a low accuracy, and the missing ability to crawl a given website deep enough.