PHP Developers Network

A community of PHP developers offering assistance, advice, discussion, and friendship.
All times are UTC - 5 hours
 Post subject: Expose_PHPSecurity
PostPosted: Mon Nov 06, 2017 4:49 am 
Offline
Forum Newbie

Joined: Mon Nov 06, 2017 4:47 am
Posts: 2
Hi everyone,
Do you know the Expose library (based on PHPIDS)? It is an Intrusion Detection System for PHP. I want to know if this one is useful to protect a web application. If it is, does anyone have more information about how to use it (install, use)? If not, do you know any other library that can help with detecting intrusions (XSS, SQL Injection, ...)?

I need your help.
Thank you very much :D


 Post subject: Re: Expose_PHPSecurity
PostPosted: Mon Nov 06, 2017 5:14 am 
Offline
DevNet Master
User avatar

Joined: Wed Jun 27, 2007 9:44 am
Posts: 4302
Location: Sofia, Bulgaria
I did a lot of research once, and currently I use http://www.arachni-scanner.com/ for security pen-tests: easily configurable, low false-positive rate, test-automation friendly, nice reports.

_________________
There are 10 types of people in this world, those who understand binary and those who don't


 Post subject: Re: Expose_PHPSecurity
PostPosted: Mon Nov 06, 2017 6:03 am 
Offline
Forum Newbie

Joined: Mon Nov 06, 2017 4:47 am
Posts: 2
Thank you very much

VladSun wrote:
I did a lot of research once, and currently I use http://www.arachni-scanner.com/ for security pen-tests: easily configurable, low false-positive rate, test-automation friendly, nice reports.


 Post subject: Re: Expose_PHPSecurity
PostPosted: Mon Nov 20, 2017 6:52 am 
Offline
DevNet Master
User avatar

Joined: Wed Jun 27, 2007 9:44 am
Posts: 4302
Location: Sofia, Bulgaria
<project name="pen-test" default="build">

  <!-- Properties expected from the Jenkins job (not defined in this file):
       arachni.home.dir  - directory of the unpacked Arachni distribution
       scan.username     - credentials of a dedicated pen-test account
       scan.password
       Pass them on the command line, e.g. ant -Dscan.username=... -Dscan.password=... -->

  <property name="scan.url" value="http://pen-test.testing.jenkins" />

  <property name="scan.report.file" value="${basedir}/reports/pen-test.afr" />
  <property name="scan.report.html.file" value="${scan.report.file}.html.zip" />
  <property name="scan.report.json.file" value="${scan.report.file}.json" />

  <property name="scan.parameter.scope-auto-redundant" value="10" />
  <property name="scan.parameter.scope-dom-depth-limit" value="100" />
  <property name="scan.parameter.browser-cluster-pool-size" value="10" />
  <property name="scan.parameter.http-response-max-size" value="5000000" />
  <property name="scan.parameter.http-request-timeout" value="10000" />
  <property name="scan.parameter.platforms" value="linux,apache,php,sql,mysql" />
  <property name="scan.parameter.http-request-queue-size" value="255" />

  <!-- Autologin: POST these parameters to the login URL, then confirm the
       session is valid by looking for scan.login.check in the response. -->
  <property name="scan.login.url" value="${scan.url}/login" />
  <property name="scan.login.parameters" value="user=${scan.username}&amp;pass=${scan.password}&amp;action=login" />
  <property name="scan.login.check" value="Penetration testing user" />

  <!-- Default target: run the scan, then produce the reports. -->
  <target name="build" depends="full-scan-members-area,generate-reports" description="Scan and report" />

  <target name="full-scan-members-area" description="Run all attacks to members area">
    <mkdir dir="${basedir}/reports" />
    <exec executable="${arachni.home.dir}/bin/arachni">
      <arg value="${scan.url}" />
      <arg value="--output-verbose" />
      <!-- Skip the localized copies of the site and, importantly, the logout
           link, otherwise the crawler ends its own authenticated session. -->
      <arg value="--scope-exclude-pattern" />
      <arg value="\/en\/" />
      <arg value="--scope-exclude-pattern" />
      <arg value="\/nl\/" />
      <arg value="--scope-exclude-pattern" />
      <arg value="\/bg\/" />
      <arg value="--scope-exclude-pattern" />
      <arg value="logout" />
      <arg value="--browser-cluster-pool-size=${scan.parameter.browser-cluster-pool-size}" />
      <arg value="--scope-auto-redundant=${scan.parameter.scope-auto-redundant}" />
      <arg value="--scope-dom-depth-limit=${scan.parameter.scope-dom-depth-limit}" />
      <arg value="--http-response-max-size=${scan.parameter.http-response-max-size}" />
      <arg value="--http-request-timeout=${scan.parameter.http-request-timeout}" />
      <arg value="--http-request-queue-size=${scan.parameter.http-request-queue-size}" />
      <arg value="--platforms=${scan.parameter.platforms}" />
      <arg value="--checks=*" />
      <arg value="--plugin=autologin:url=${scan.login.url},parameters=${scan.login.parameters},check=${scan.login.check}" />
      <arg value="--plugin=metrics" />
      <arg value="--session-check-pattern=${scan.login.check}" />
      <arg value="--session-check-url=${scan.url}" />
      <arg value="--report-save-path=${scan.report.file}" />
    </exec>
  </target>

  <target name="generate-reports" description="Generate reports">

    <exec executable="${arachni.home.dir}/bin/arachni_reporter">
      <arg path="${scan.report.file}" />
      <arg value="--reporter=html:outfile=${scan.report.html.file}" />
    </exec>

    <exec executable="${arachni.home.dir}/bin/arachni_reporter">
      <arg path="${scan.report.file}" />
      <arg value="--reporter=json:outfile=${scan.report.json.file}" />
    </exec>

    <exec executable="/usr/bin/unzip" failonerror="true" >
      <arg path="${scan.report.html.file}" />
      <arg value="-d" />
      <arg path="${basedir}/reports/html" />
    </exec>

  </target>

</project>


An Ant build file example (run by Jenkins, Linux env)

_________________
There are 10 types of people in this world, those who understand binary and those who don't
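The build file above produces HTML and JSON reports but never fails the Jenkins job, so a scan that finds an injection still goes green. The following script is an added example, not part of the forum thread and not code from Arachni, of the gating step a practitioner would hang off the JSON report: it deduplicates findings, counts them per severity and returns a non-zero exit status when anything at or above a threshold is present. It assumes the JSON written by `arachni_reporter --reporter=json:outfile=...` has a top-level `issues` list whose entries carry `name`, `severity`, `check.shortname` and `vector.url`/`vector.method`/`vector.affected_input_name`; that layout and the embedded sample report are assumptions to be checked against a real report before wiring the script into a pipeline.

```python
"""Gate a CI job on an Arachni JSON report (added example, not Arachni code).

Assumed report layout: {"issues": [{"name": ..., "severity": ...,
"check": {"shortname": ...}, "vector": {"url": ..., "method": ...,
"affected_input_name": ...}}, ...]}.  Verify against a real report.
"""
import json
import sys
from collections import Counter

# Arachni's four severity levels, ordered for threshold comparison.
SEVERITY_RANK = {"informational": 0, "low": 1, "medium": 2, "high": 3}

# Constructed sample report for offline runs (not a real scan result),
# trimmed to the fields this script reads.  Note the duplicated sqli entry.
SAMPLE_REPORT = json.dumps({
    "version": "1.5.1",
    "issues": [
        {"name": "SQL Injection", "severity": "high",
         "check": {"shortname": "sqli"},
         "vector": {"url": "http://pen-test.testing.jenkins/search",
                    "method": "get", "affected_input_name": "q"}},
        {"name": "SQL Injection", "severity": "high",
         "check": {"shortname": "sqli"},
         "vector": {"url": "http://pen-test.testing.jenkins/search",
                    "method": "get", "affected_input_name": "q"}},
        {"name": "Cross-Site Scripting (XSS)", "severity": "high",
         "check": {"shortname": "xss"},
         "vector": {"url": "http://pen-test.testing.jenkins/profile",
                    "method": "post", "affected_input_name": "bio"}},
        {"name": "Missing 'X-Frame-Options' header", "severity": "low",
         "check": {"shortname": "x_frame_options"},
         "vector": {"url": "http://pen-test.testing.jenkins/", "method": "get"}},
        {"name": "Interesting response", "severity": "informational",
         "check": {"shortname": "interesting_responses"},
         "vector": {"url": "http://pen-test.testing.jenkins/admin", "method": "get"}},
    ],
})


def load_issues(report_text):
    """Parse the report and return its issues list, refusing unexpected input."""
    report = json.loads(report_text)
    issues = report.get("issues")
    if not isinstance(issues, list):
        raise ValueError("no 'issues' list found; is this an Arachni JSON report?")
    return issues


def issue_key(issue):
    """Identity used to collapse duplicates: same check on the same vector."""
    vector = issue.get("vector", {})
    return (
        issue.get("check", {}).get("shortname", issue.get("name")),
        vector.get("url"),
        (vector.get("method") or "").lower(),
        vector.get("affected_input_name"),
    )


def dedupe(issues):
    """Keep the first occurrence of each (check, url, method, input) tuple."""
    seen = {}
    for issue in issues:
        seen.setdefault(issue_key(issue), issue)
    return list(seen.values())


def summarize(issues):
    """Count unique issues per severity, e.g. {'high': 2, 'low': 1, ...}."""
    return Counter(i.get("severity", "informational").lower() for i in dedupe(issues))


def blocking_issues(issues, threshold="high"):
    """Unique issues whose severity is at or above the threshold."""
    minimum = SEVERITY_RANK[threshold]
    return [i for i in dedupe(issues)
            if SEVERITY_RANK.get(i.get("severity", "").lower(), 0) >= minimum]


def gate(report_text, threshold="high"):
    """Exit status the CI job should use: 0 = pass, 1 = blocking findings."""
    return 1 if blocking_issues(load_issues(report_text), threshold) else 0


def main(argv):
    # Usage: python gate.py [report.json] [high|medium|low|informational]
    path = argv[1] if len(argv) > 1 else None
    threshold = argv[2] if len(argv) > 2 else "high"
    text = open(path, encoding="utf-8").read() if path else SAMPLE_REPORT
    issues = load_issues(text)
    for sev, n in sorted(summarize(issues).items(),
                         key=lambda kv: -SEVERITY_RANK.get(kv[0], 0)):
        print(f"{sev:>14}: {n}")
    for issue in blocking_issues(issues, threshold):
        v = issue.get("vector", {})
        print(f"BLOCKING [{issue['severity']}] {issue['name']} at "
              f"{(v.get('method') or '?').upper()} {v.get('url')} "
              f"input={v.get('affected_input_name')}")
    return gate(text, threshold)


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

In the Ant file this would be one more `<exec>` in `generate-reports` with `failonerror="true"`, pointed at `${scan.report.json.file}`. Deduplicating on the vector rather than on the issue name matters for the threshold: Arachni can report the same injectable input once per payload, and a job that fails on "3 high" when the fix is a single parameterised query trains developers to ignore the gate.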

