Discussions of secure PHP coding. Security in software is important, so don't be afraid to ask. And when answering: be anal. Nitpick. No security vulnerability is too small.
chemseddine
Forum Newbie
Posts: 2 Joined: Mon Nov 06, 2017 3:47 am
by chemseddine » Mon Nov 06, 2017 3:49 am
Hi everyone,
Do you know the Expose library (based on PHPIDS)? It is an Intrusion Detection System for PHP. I want to know if this one is useful to protect a web application. If it is, does anyone have more information about how to use it (install, use)? If not, do you know any other library that can help detecting intrusions (XSS, SQL injection, ...)?
I need your help.
Thank you very much.
VladSun
DevNet Master
Posts: 4313 Joined: Wed Jun 27, 2007 9:44 am
Location: Sofia, Bulgaria
by VladSun » Mon Nov 06, 2017 4:14 am
I did a lot of research once and currently I use
http://www.arachni-scanner.com/ for security pen-tests - easily configurable, low false positive rate, test automation friendly, nice reports.
There are 10 types of people in this world, those who understand binary and those who don't
chemseddine
Forum Newbie
Posts: 2 Joined: Mon Nov 06, 2017 3:47 am
by chemseddine » Mon Nov 06, 2017 5:03 am
Thank you very much.
VladSun wrote: I did a lot of research once and currently I use
http://www.arachni-scanner.com/ for security pen-tests - easily configurable, low false positive rate, test automation friendly, nice reports.
VladSun
DevNet Master
Posts: 4313 Joined: Wed Jun 27, 2007 9:44 am
Location: Sofia, Bulgaria
by VladSun » Mon Nov 20, 2017 5:52 am
<project name="pen-test" default="build">
  <!-- Target and report locations -->
  <property name="scan.url" value="http://pen-test.testing.jenkins" />
  <property name="scan.report.file" value="${basedir}/reports/pen-test.afr" />
  <property name="scan.report.html.file" value="${scan.report.file}.html.zip" />
  <property name="scan.report.json.file" value="${scan.report.file}.json" />

  <!-- Arachni scan tuning -->
  <property name="scan.parameter.scope-auto-redundant" value="10" />
  <property name="scan.parameter.scope-dom-depth-limit" value="100" />
  <property name="scan.parameter.browser-cluster-pool-size" value="10" />
  <property name="scan.parameter.http-response-max-size" value="5000000" />
  <property name="scan.parameter.http-request-timeout" value="10000" />
  <property name="scan.parameter.platforms" value="linux,apache,php,sql,mysql" />
  <property name="scan.parameter.http-request-queue-size" value="255" />

  <!-- Login for the members area. scan.username, scan.password and arachni.home.dir
       are not defined in this file; they are expected to be supplied by the calling
       Jenkins job. Note the "&amp;": a bare "&" is not well-formed XML and Ant would
       refuse to parse the build file. -->
  <property name="scan.login.url" value="${scan.url}/login" />
  <property name="scan.login.parameters" value="user=${scan.username}&amp;pass=${scan.password}&amp;action=login" />
  <property name="scan.login.check" value="Penetration testing user" />

  <target name="full-scan-members-area" description="Run all attacks to members area">
    <exec executable="${arachni.home.dir}/bin/arachni">
      <arg value="${scan.url}" />
      <arg value="--output-verbose" />
      <!-- Skip the localized copies of the site and anything that would end the session -->
      <arg value="--scope-exclude-pattern" />
      <arg value="\/en\/" />
      <arg value="--scope-exclude-pattern" />
      <arg value="\/nl\/" />
      <arg value="--scope-exclude-pattern" />
      <arg value="\/bg\/" />
      <arg value="--scope-exclude-pattern" />
      <arg value="logout" />
      <arg value="--browser-cluster-pool-size=${scan.parameter.browser-cluster-pool-size}" />
      <arg value="--scope-auto-redundant=${scan.parameter.scope-auto-redundant}" />
      <arg value="--scope-dom-depth-limit=${scan.parameter.scope-dom-depth-limit}" />
      <arg value="--http-response-max-size=${scan.parameter.http-response-max-size}" />
      <arg value="--http-request-timeout=${scan.parameter.http-request-timeout}" />
      <arg value="--http-request-queue-size=${scan.parameter.http-request-queue-size}" />
      <arg value="--platforms=${scan.parameter.platforms}" />
      <arg value="--checks=*" />
      <!-- Log in automatically and keep checking that the session is still alive -->
      <arg value="--plugin=autologin:url=${scan.login.url},parameters=${scan.login.parameters},check=${scan.login.check}" />
      <arg value="--plugin=metrics" />
      <arg value="--session-check-pattern=${scan.login.check}" />
      <arg value="--session-check-url=${scan.url}" />
      <arg value="--report-save-path=${scan.report.file}" />
    </exec>
  </target>

  <target name="generate-reports" description="Generate reports">
    <!-- Convert the binary .afr report into HTML and JSON -->
    <exec executable="${arachni.home.dir}/bin/arachni_reporter">
      <arg path="${scan.report.file}" />
      <arg value="--reporter=html:outfile=${scan.report.html.file}" />
    </exec>
    <exec executable="${arachni.home.dir}/bin/arachni_reporter">
      <arg path="${scan.report.file}" />
      <arg value="--reporter=json:outfile=${scan.report.json.file}" />
    </exec>
    <!-- The HTML reporter writes a zip archive; unpack it where Jenkins can publish it -->
    <exec executable="/usr/bin/unzip" failonerror="true">
      <arg path="${scan.report.html.file}" />
      <arg value="-d" />
      <arg path="${basedir}/reports/html" />
    </exec>
  </target>
</project>
An Ant build file example (run by Jenkins, Linux env)
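Once the `generate-reports` target above has written the JSON report, a Jenkins job usually wants to fail the build on serious findings rather than just archive the files. The following script is an added example, not part of the forum post or of Arachni itself; it assumes the JSON report is an object with an `issues` list whose entries carry `name`, `severity` and `vector` keys (the sample report inside it is constructed in that assumed layout), and it fails closed on severity labels it does not recognise.

```python
import json
import sys
from collections import Counter

# Severity labels, least to most serious (assumed Arachni label set; verify against your own report).
SEVERITY_ORDER = ["informational", "low", "medium", "high"]

# Constructed sample in the assumed layout ("issues" list with name/severity/vector); not real scanner output.
SAMPLE_REPORT = {
    "issues": [
        {"name": "Cross-Site Scripting (XSS)", "severity": "high",
         "vector": {"url": "http://pen-test.testing.jenkins/search"}},
        {"name": "Missing 'X-Frame-Options' header", "severity": "low",
         "vector": {"url": "http://pen-test.testing.jenkins/"}},
        {"name": "SQL Injection", "severity": "high",
         "vector": {"url": "http://pen-test.testing.jenkins/login"}},
        {"name": "Interesting response", "severity": "informational",
         "vector": {"url": "http://pen-test.testing.jenkins/robots.txt"}},
    ]
}


def rank(severity):
    """Position of a severity label; unknown labels rank highest so they fail closed."""
    label = str(severity).lower()
    return SEVERITY_ORDER.index(label) if label in SEVERITY_ORDER else len(SEVERITY_ORDER)


def gate(report, threshold="medium"):
    """Return (counts per severity, issues at or above threshold) for a parsed report."""
    issues = report.get("issues", [])
    counts = Counter(str(i.get("severity", "informational")).lower() for i in issues)
    blocking = [i for i in issues if rank(i.get("severity", "informational")) >= rank(threshold)]
    return counts, blocking


def main(argv):
    """Usage: gate_report.py [report.json] [threshold]; exits 1 when blocking issues exist."""
    threshold = argv[2] if len(argv) > 2 else "medium"
    if len(argv) > 1:
        with open(argv[1], encoding="utf-8") as fh:
            report = json.load(fh)  # the file written by --reporter=json:outfile=...
    else:
        report = SAMPLE_REPORT  # no path given: run against the constructed sample
    counts, blocking = gate(report, threshold)
    print("issues by severity:", dict(counts))
    for issue in blocking:
        print(f"BLOCKING [{issue.get('severity')}] {issue.get('name')} at {issue.get('vector', {}).get('url')}")
    return 1 if blocking else 0


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Run it as an extra Ant `<exec>` (or a Jenkins shell step) after `generate-reports` with `${scan.report.json.file}` as the first argument; the non-zero exit status is what fails the build.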