Expose_PHPSecurity

Discussions of secure PHP coding. Security in software is important, so don't be afraid to ask. And when answering: be anal. Nitpick. No security vulnerability is too small.

chemseddine
Forum Newbie
Posts: 2
Joined: Mon Nov 06, 2017 3:47 am

Expose_PHPSecurity

Post by chemseddine »

Hi everyone,
Do you know the Expose library (based on PHPIDS)? It is an Intrusion Detection System for PHP. I want to know if this one is useful to protect a web application. If it is, does anyone have more information about how to use it (install, use)? If not, do you know any other library that can help detect intrusions (XSS, SQL Injection, ...)?

I need your help
Thank you very much :D
VladSun
DevNet Master
Posts: 4313
Joined: Wed Jun 27, 2007 9:44 am
Location: Sofia, Bulgaria

Re: Expose_PHPSecurity

Post by VladSun »

I did a lot of research once and currently I use http://www.arachni-scanner.com/ for security pen-tests - easily configurable, low false positive rate, test automation friendly, nice reports.
There are 10 types of people in this world, those who understand binary and those who don't
chemseddine
Forum Newbie
Posts: 2
Joined: Mon Nov 06, 2017 3:47 am

Re: Expose_PHPSecurity

Post by chemseddine »

Thank you very much
VladSun wrote: I did a lot of research once and currently I use http://www.arachni-scanner.com/ for security pen-tests - easily configurable, low false positive rate, test automation friendly, nice reports.
VladSun
DevNet Master
Posts: 4313
Joined: Wed Jun 27, 2007 9:44 am
Location: Sofia, Bulgaria

Re: Expose_PHPSecurity

Post by VladSun »

<project name="pen-test" default="build">

  <!-- No "build" target is defined in this file, so Jenkins must name the target
       to run (full-scan-members-area, generate-reports) on the command line.
       arachni.home.dir, scan.username and scan.password are also not defined
       here and are expected to be passed in by the Jenkins job (e.g. -D). -->
  <property name="scan.url" value="http://pen-test.testing.jenkins" />

  <!-- Arachni's native report; the HTML and JSON files are derived from it. -->
  <property name="scan.report.file" value="${basedir}/reports/pen-test.afr" />
  <property name="scan.report.html.file" value="${scan.report.file}.html.zip" />
  <property name="scan.report.json.file" value="${scan.report.file}.json" />

  <!-- Scan tuning, passed straight through to the arachni CLI below. -->
  <property name="scan.parameter.scope-auto-redundant" value="10" />
  <property name="scan.parameter.scope-dom-depth-limit" value="100" />
  <property name="scan.parameter.browser-cluster-pool-size" value="10" />
  <property name="scan.parameter.http-response-max-size" value="5000000" />
  <property name="scan.parameter.http-request-timeout" value="10000" />
  <property name="scan.parameter.platforms" value="linux,apache,php,sql,mysql" />
  <property name="scan.parameter.http-request-queue-size" value="255" />

  <!-- Autologin settings. A literal '&' is not allowed inside an XML attribute
       value and makes Ant reject the build file, so it is written as '&amp;'. -->
  <property name="scan.login.url" value="${scan.url}/login" />
  <property name="scan.login.parameters" value="user=${scan.username}&amp;pass=${scan.password}&amp;action=login" />
  <property name="scan.login.check" value="Penetration testing user" />

  <target name="full-scan-members-area" description="Run all attacks to members area">
    <exec executable="${arachni.home.dir}/bin/arachni">
      <arg value="${scan.url}" />
      <arg value="--output-verbose" />
      <arg value="--scope-exclude-pattern" />
      <arg value="\/en\/" />
      <arg value="--scope-exclude-pattern" />
      <arg value="\/nl\/" />
      <arg value="--scope-exclude-pattern" />
      <arg value="\/bg\/" />
      <arg value="--scope-exclude-pattern" />
      <arg value="logout" />
      <arg value="--browser-cluster-pool-size=${scan.parameter.browser-cluster-pool-size}" />
      <arg value="--scope-auto-redundant=${scan.parameter.scope-auto-redundant}" />
      <arg value="--scope-dom-depth-limit=${scan.parameter.scope-dom-depth-limit}" />
      <arg value="--http-response-max-size=${scan.parameter.http-response-max-size}" />
      <arg value="--http-request-timeout=${scan.parameter.http-request-timeout}" />
      <arg value="--http-request-queue-size=${scan.parameter.http-request-queue-size}" />
      <arg value="--platforms=${scan.parameter.platforms}" />
      <arg value="--checks=*" />
      <arg value="--plugin=autologin:url=${scan.login.url},parameters=${scan.login.parameters},check=${scan.login.check}" />
      <arg value="--plugin=metrics" />
      <arg value="--session-check-pattern=${scan.login.check}" />
      <arg value="--session-check-url=${scan.url}" />
      <arg value="--report-save-path=${scan.report.file}" />
    </exec>
  </target>

  <target name="generate-reports" description="Generate reports">

    <exec executable="${arachni.home.dir}/bin/arachni_reporter">
      <arg path="${scan.report.file}" />
      <arg value="--reporter=html:outfile=${scan.report.html.file}" />
    </exec>

    <exec executable="${arachni.home.dir}/bin/arachni_reporter">
      <arg path="${scan.report.file}" />
      <arg value="--reporter=json:outfile=${scan.report.json.file}" />
    </exec>

    <exec executable="/usr/bin/unzip" failonerror="true" >
      <arg path="${scan.report.html.file}" />
      <arg value="-d" />
      <arg path="${basedir}/reports/html" />
    </exec>

  </target>

</project>
An Ant build file example (run by Jenkins, Linux env)
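The JSON report written by the generate-reports target is what makes the scan usable as an automated test: a small gate can read it and fail the Jenkins build when issues at or above a chosen severity are present. The following is an added example and not part of VladSun's post; the report field names it reads (a top-level "issues" list with "name", "severity" and "vector"/"url") are assumed from Arachni's JSON output, and the sample report is constructed, not real scan data.

```python
import json
import sys
from collections import Counter

# Arachni severity levels, most severe first.
SEVERITY_ORDER = ("high", "medium", "low", "informational")

# Constructed sample shaped like Arachni's JSON report (not real scan data).
# Field names ("issues", "severity", "name", "vector"/"url") are assumed.
SAMPLE_REPORT = json.dumps({"issues": [
    {"name": "SQL Injection", "severity": "high",
     "vector": {"url": "http://pen-test.testing.jenkins/search?q="}},
    {"name": "Cross-Site Scripting (XSS)", "severity": "high",
     "vector": {"url": "http://pen-test.testing.jenkins/profile"}},
    {"name": "Missing 'X-Frame-Options' header", "severity": "low",
     "vector": {"url": "http://pen-test.testing.jenkins/"}},
]})

def count_by_severity(report_text):
    """Number of issues per severity level (keys lower-cased)."""
    counts = Counter()
    for issue in json.loads(report_text).get("issues", []):
        counts[str(issue.get("severity", "")).lower()] += 1
    return counts

def failing_issues(report_text, threshold="medium"):
    """Issues at or above `threshold`, as (severity, name, url) tuples."""
    limit = SEVERITY_ORDER.index(threshold)
    found = []
    for issue in json.loads(report_text).get("issues", []):
        sev = str(issue.get("severity", "")).lower()
        # Unknown severities are treated as failing so a format change is noticed.
        if sev not in SEVERITY_ORDER or SEVERITY_ORDER.index(sev) <= limit:
            url = issue.get("vector", {}).get("url", "?")
            found.append((sev, issue.get("name", "?"), url))
    return found

def gate(report_text, threshold="medium"):
    """Build exit status: 0 when nothing at/above threshold, 1 otherwise."""
    bad = failing_issues(report_text, threshold)
    for sev, name, url in bad:
        print(f"[{sev.upper()}] {name} at {url}")
    return 1 if bad else 0

if __name__ == "__main__":
    # Usage: gate_scan.py reports/pen-test.afr.json [threshold]
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_REPORT
    sys.exit(gate(text, sys.argv[2] if len(sys.argv) > 2 else "medium"))
```

Run it as an extra exec step after generate-reports with the scan.report.json.file path; a non-zero exit marks the Jenkins build failed.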