The State of PHP Security

Web Application Security

Websites today are interactive applications that process confidential user data, such as credit card numbers, user passwords, and health care information. Cybercriminals try to exploit vulnerabilities in the application's source code. A single line of faulty code can lead to data theft, infection of the website with malicious software, a complete takeover of the underlying web server, or the infiltration of the company's internal network. According to Symantec, 500,000 attacks are registered and 50,000 websites are hacked every day. Sensitive customer data has to be protected at all costs.

84% of websites have at least one medium-severity vulnerability.

Popular PHP-related Data Breaches

| Year | Target            | Breach           | Attack Vector       |
|------|-------------------|------------------|---------------------|
| 2017 | Deep Hosting      | Takeover         | PHP shell           |
| 2017 | Coachella         | 1 M accounts     | PHP CMS (WordPress) |
| 2016 | DailyMotion       | 85 M accounts    | PHP website         |
| 2016 | AdultFriendFinder | 412 M accounts   | LFI in PHP website  |
| 2016 | Linux Mint        | ISO backdoored   | PHP CMS (WordPress) |
| 2015 | Panama Papers     | 11.5 M documents | PHP CMS (Drupal)    |
| 2015 | AshleyMadison     | 32 M accounts    | PHP website         |

PHP Security

Web applications developed in PHP, the most popular server-side scripting language on the Web, are prone to security vulnerabilities. PHP uses dynamic and weak typing, together with a large set of intricate built-in functions and configuration settings. As a result, subtle security bugs are easily introduced into the code. Although developer awareness of traditional vulnerability types is growing, vulnerabilities continue to be created and exploited because of faulty security mechanisms or misleading language features in PHP code bases. More complex, PHP-specific vulnerability types are relatively unknown and are exploited by attackers at an increasing rate. Find out more about the range of vulnerabilities in popular open-source applications that RIPS is able to detect in its vulnerability database.
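To make the weak-typing point concrete, here is an added example (not code from this page or from RIPS) showing the "one faulty line" pattern: a token check written with PHP's loose `==` operator beside a hardened version. The function names and the compared inputs are constructed for the demonstration.

```php
<?php
// Added example: how PHP's weak typing turns a one-line comparison into a
// security bug. Function names and inputs are constructed for this demo.

/**
 * Vulnerable: == compares two numeric strings as numbers. Every string of
 * the form "0e<digits>" is parsed as 0 x 10^n, i.e. zero, so any two such
 * hashes are considered equal even though their bytes differ.
 */
function tokenMatchesLoose(string $storedHash, string $suppliedHash): bool
{
    return $storedHash == $suppliedHash;
}

/**
 * Hardened: hash_equals() compares byte by byte in constant time and never
 * type-juggles. (=== would also stop the juggling but is not timing-safe.)
 */
function tokenMatchesStrict(string $storedHash, string $suppliedHash): bool
{
    return hash_equals($storedHash, $suppliedHash);
}

// Two well-known inputs whose md5 digests both consist of "0e" followed only
// by decimal digits, so == treats both as the number zero.
$stored   = md5("240610708");
$supplied = md5("QNKCDZO");

printf("stored   : %s\n", $stored);
printf("supplied : %s\n", $supplied);
printf("loose  == : %s\n", tokenMatchesLoose($stored, $supplied) ? "MATCH (bug)" : "no match");
printf("hash_equals: %s\n", tokenMatchesStrict($stored, $supplied) ? "MATCH" : "no match");

// The genuine token still passes the hardened check.
printf("genuine    : %s\n", tokenMatchesStrict($stored, md5("240610708")) ? "MATCH" : "no match");
```

A static analyzer flags the `==` on secret material regardless of which inputs reach it at runtime, which is exactly the class of bug a black-box scan can only find by stumbling onto a matching input.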

Why Static Code Analysis

Manual detection of vulnerabilities in modern PHP applications with hundreds of thousands of lines of code is expensive, time-consuming, and requires deep security knowledge. With static code analysis, security vulnerabilities can be detected automatically and remediated quickly.

Static analysis is performed on the source code of an application without executing it. The complete source code is transformed into an abstract model that is then analyzed for security vulnerabilities. The outcome is an efficient analysis of the entire code base, independent of the application's runtime environment or of whether the application is complete. Static application security testing (SAST) tools should be part of the regular code testing and review process so that security issues are detected and remediated as early as possible. This lets developers and security analysts ensure that complex security vulnerabilities do not remain undetected in the source code.

Comparison to Dynamic Code Analysis

Dynamic code analysis monitors an application while it executes, after it has been built. With this method, software defects can only be detected on the program paths that are actually executed. As a result, code scans are incomplete, and fewer security vulnerabilities are detected.

For web applications, black-box tools perform a lightweight scan from the client side of the deployed application: they submit many malicious input patterns for common web attacks and evaluate the application's responses for abnormal behavior. This approach, known as fuzzing, does not provide sufficient results and is unable to crawl a website deeply enough. Overall, fuzzing suffers from several fundamental weaknesses, including limited test coverage, a lack of support for many vulnerability types, and low vulnerability detection accuracy.