Expose_PHPSecurity
Posted: Mon Nov 06, 2017 3:49 am
by chemseddine
Hi everyone ,
Do you know the Expose library (based on PHPIDS)? It is an Intrusion Detection System for PHP. I want to know whether it is useful for protecting a web application, and if it is, does anyone have more information about how to use it (install, use)? If not, do you know any other library that can help detect intrusions (XSS, SQL injection, ...)?
I need your help
Thank you very much

Re: Expose_PHPSecurity
Posted: Mon Nov 06, 2017 4:14 am
by VladSun
I did a lot of research once and currently I use
http://www.arachni-scanner.com/ for security pen-tests - easily configurable, low false-positive rate, test-automation friendly, nice reports.
Re: Expose_PHPSecurity
Posted: Mon Nov 06, 2017 5:03 am
by chemseddine
Thank you very much
VladSun wrote:I did a lot of research once and currently I use
http://www.arachni-scanner.com/ for security pen-tests - easily configurable, low false-positive rate, test-automation friendly, nice reports.
Re: Expose_PHPSecurity
Posted: Mon Nov 20, 2017 5:52 am
by VladSun
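<?xml version="1.0" encoding="UTF-8"?>
<!--
  Ant build that drives an Arachni scan of a members-only area and then
  turns the saved .afr report into HTML and JSON.

  Properties that are used but never defined here (arachni.home.dir,
  scan.username, scan.password) are presumably supplied by the Jenkins job
  on the command line (-Dname=value); this file sets no defaults for them.

  NOTE(review): default="build" names a target that does not exist in this
  file, so a bare `ant` invocation fails. Either add a `build` target that
  depends on full-scan-members-area and generate-reports, or always call the
  targets explicitly.

  NOTE(review): scan.username/scan.password end up as plain process
  arguments of the arachni binary (the autologin plugin option), so they are
  visible to any local user through the process table and may be echoed in
  the Jenkins console log. Use a dedicated test-only account, inject the
  values through the job's credential handling with masking, and keep the
  account out of production.
-->
<project name="pen-test" default="build">

  <!-- Scan target and report artefact locations. -->
  <property name="scan.url" value="http://pen-test.testing.jenkins" />
  <property name="scan.report.file" value="${basedir}/reports/pen-test.afr" />
  <property name="scan.report.html.file" value="${scan.report.file}.html.zip" />
  <property name="scan.report.json.file" value="${scan.report.file}.json" />

  <!-- Arachni tuning knobs, passed through to the scanner one-to-one. -->
  <property name="scan.parameter.scope-auto-redundant" value="10" />
  <property name="scan.parameter.scope-dom-depth-limit" value="100" />
  <property name="scan.parameter.browser-cluster-pool-size" value="10" />
  <property name="scan.parameter.http-response-max-size" value="5000000" />
  <property name="scan.parameter.http-request-timeout" value="10000" />
  <property name="scan.parameter.platforms" value="linux,apache,php,sql,mysql" />
  <property name="scan.parameter.http-request-queue-size" value="255" />

  <!-- Login form the autologin plugin submits before scanning.
       The form-body separators must be written as &amp; here: a bare
       ampersand inside an attribute value is ill-formed XML and Ant refuses
       to parse the build file. -->
  <property name="scan.login.url" value="${scan.url}/login" />
  <property name="scan.login.parameters" value="user=${scan.username}&amp;pass=${scan.password}&amp;action=login" />
  <!-- Text that only appears on pages rendered for an authenticated
       session; used both to verify the login and as the session check. -->
  <property name="scan.login.check" value="Penetration testing user" />

  <!-- Runs every Arachni check against the members area.
       NOTE(review): Ant's exec defaults failonerror to false, so a scanner
       that exits non-zero (bad login, unreachable host, missing binary)
       does not fail this target; generate-reports then runs against a
       missing or stale .afr file. Consider failonerror="true" once the
       scanner's exit codes for "issues found" vs. "crashed" are confirmed. -->
  <target name="full-scan-members-area" description="Run all attacks to members area">
    <exec executable="${arachni.home.dir}/bin/arachni">
      <arg value="${scan.url}" />
      <arg value="--output-verbose" />
      <!-- Keep the scanner off the localised copies and off anything that
           would terminate the session it just established. -->
      <arg value="--scope-exclude-pattern" />
      <arg value="\/en\/" />
      <arg value="--scope-exclude-pattern" />
      <arg value="\/nl\/" />
      <arg value="--scope-exclude-pattern" />
      <arg value="\/bg\/" />
      <arg value="--scope-exclude-pattern" />
      <arg value="logout" />
      <arg value="--browser-cluster-pool-size=${scan.parameter.browser-cluster-pool-size}" />
      <arg value="--scope-auto-redundant=${scan.parameter.scope-auto-redundant}" />
      <arg value="--scope-dom-depth-limit=${scan.parameter.scope-dom-depth-limit}" />
      <arg value="--http-response-max-size=${scan.parameter.http-response-max-size}" />
      <arg value="--http-request-timeout=${scan.parameter.http-request-timeout}" />
      <arg value="--http-request-queue-size=${scan.parameter.http-request-queue-size}" />
      <arg value="--platforms=${scan.parameter.platforms}" />
      <arg value="--checks=*" />
      <arg value="--plugin=autologin:url=${scan.login.url},parameters=${scan.login.parameters},check=${scan.login.check}" />
      <arg value="--plugin=metrics" />
      <arg value="--session-check-pattern=${scan.login.check}" />
      <arg value="--session-check-url=${scan.url}" />
      <arg value="--report-save-path=${scan.report.file}" />
    </exec>
  </target>

  <!-- Converts the .afr report to HTML (zipped, then unpacked) and JSON.
       Only the unzip step fails the build on error; see the note above. -->
  <target name="generate-reports" description="Generate reports">
    <exec executable="${arachni.home.dir}/bin/arachni_reporter">
      <arg path="${scan.report.file}" />
      <arg value="--reporter=html:outfile=${scan.report.html.file}" />
    </exec>
    <exec executable="${arachni.home.dir}/bin/arachni_reporter">
      <arg path="${scan.report.file}" />
      <arg value="--reporter=json:outfile=${scan.report.json.file}" />
    </exec>
    <exec executable="/usr/bin/unzip" failonerror="true" >
      <arg path="${scan.report.html.file}" />
      <arg value="-d" />
      <arg path="${basedir}/reports/html" />
    </exec>
  </target>
</project>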
An Ant build file example (run by Jenkins, Linux env)