Let’s be honest – the guys over at bugtraq, full-disclosure and others make fun of us PHP people. Not only do we provide the dramatis personae – be it phpBB, the Nuke family or XMLRPC, we also deliver remote code execution, XSS or SQL injections right to the security people’s doorstep.
Why does this happen? Are we all dumbnuts? That’s not the explanation – at least not all of it. If you take an easy-to-learn language, lots of people with only a basic grasp of it, as well as a hostile environment, you get a guaranteed number of exploits (or US foreign politics). Although it’s rarely a problem with PHP itself, this spoils PHP’s image quite a bit.
Can we live with that? Yeah, of course. There’s a lot of killer applications for PHP that make up for this little PR problem.
The downside is that neither our users nor our ISPs can live with it. A vast number of security breaches are provided courtesy of PHP applications – think the phpBB bugs or a nice little XMLRPC worm. Basically, any PHP host is forced to implement a huge gateway for crackers of any kind.
In the history of PHP, users and ISPs have always been nice and friendly like our grandma. Their continued support even in rough times ensures PHP’s ongoing success, so we shouldn’t let them down and ignore everything they say (like we do with our grandmas).
Securing applications, the PHP way
Easy to learn, fast results, no special knowledge needed – now put that together with security. Mission Impossible? Well, maybe, but we try to get pretty close.
Easy to learn: Chorizo! has friendly colors and a funny logo, just like Skype, so it should be easy. The professional version walks you through the whole process.
Fast results: the developers don’t have to install anything. You don’t have to pay anything. Just register and configure your browser to use Chorizo! as a proxy.
No special knowledge needed: you don’t have to know how to audit software, how to look for SQL injections or XSS. Chorizo! will tell you. If you want to know how to audit software, ask the Hardened-PHP guys, and say goodbye to limited knowledge.
Why a scanner alone is not enough
Chorizo! is a proxy, not a scanner. And we have a reason for this, besides the fact that we wanted to have fun by writing a proxy in PHP.
Vulnerabilities happen where web applications get interactive. Stupid spidering or entering arbitrary values into a form does not get you there. You have to log in, fill out registration forms, and walk through a whole lot of forms to reach the page with "Thanks for buying Swedish DVDs", where the actual security vulnerability is. Most security scanners are pretty unsure about what your ZIP code is, and as soon as they’re asked for a valid e-mail address, they are clueless. Using a proxy, all this happens automagically, and every request you do is checked in the background. It even tests your AJAX requests. Scanning is included, too – you can scan recursively from every page you are looking at.
What the sausage checks
Every typical exploit we know. XSS, SQL Injections (i.e. when accessing MySQL), Code Inclusions, Code Executions, CSRF, HTTP Response Splitting, Information Disclosures, and more. Chorizo! uses some pretty clever methods to look at things like XSS, from a sausage point of view. Of course, you can only check sites that you actually own – the sausage won’t let you find holes in your English teacher’s web site.
Chorizo! is free, so why should someone pay for the server and for the development work? Well, we are nice and friendly guys, we even pay taxes from time to time, but we are not that nice. There is a commercial version that actually explains what it found and what you might want to fix. There is even a commercial intranet version – just scan everything you want from within your own network.
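To make the point of the two sections above concrete, here is the kind of "Thanks for buying" page that sits at the end of a login-and-forms flow, in its vulnerable form next to a hardened one. This is an added PHP example written for this post, not code from Chorizo! or any of the applications named here; the database name, credentials and the `orders(id, customer, title)` table are constructed for illustration.

```php
<?php
// Added example: the last page of a multi-step checkout. A spider never
// gets here because it sits behind login and several forms; a proxy sees
// the real request you make. Table 'orders(id, customer, title)' and the
// connection details are constructed for this illustration.
session_start();
if (empty($_SESSION['customer_id'])) {
    header('Location: /login.php');
    exit;
}
$db = new mysqli('localhost', 'shop', 'constructed-password', 'shop');

// --- Vulnerable version (the two findings a proxy would report) ---
function thanks_vulnerable(mysqli $db): void
{
    // SQL injection: the raw query-string value is parsed as part of the SQL
    $order = $_GET['order'];
    $row = $db->query("SELECT title FROM orders WHERE id = $order")->fetch_assoc();
    // XSS: the customer's name is echoed into HTML without encoding
    echo "<p>Thanks for buying {$row['title']}, {$_GET['name']}!</p>";
}

// --- Hardened version ---
function thanks_hardened(mysqli $db): void
{
    // Validate the type first: only a positive integer is an order id
    $order = filter_input(INPUT_GET, 'order', FILTER_VALIDATE_INT,
                          ['options' => ['min_range' => 1]]);
    if ($order === false || $order === null) {
        http_response_code(400);
        exit('bad order id');
    }
    // Prepared statement: the value is bound, never interpreted as SQL.
    // Binding the session's customer id also stops one customer reading
    // another customer's order by changing the number.
    $stmt = $db->prepare('SELECT title FROM orders WHERE id = ? AND customer = ?');
    $stmt->bind_param('ii', $order, $_SESSION['customer_id']);
    $stmt->execute();
    $row = $stmt->get_result()->fetch_assoc();
    if ($row === null) {
        http_response_code(404);
        exit('no such order');
    }
    // Encode on output so neither value can inject markup or script
    $name  = htmlspecialchars($_GET['name'] ?? '', ENT_QUOTES, 'UTF-8');
    $title = htmlspecialchars($row['title'], ENT_QUOTES, 'UTF-8');
    echo "<p>Thanks for buying {$title}, {$name}!</p>";
}

thanks_hardened($db);
```

The vulnerable function is only reachable once the session check and the preceding forms have been satisfied, which is exactly why checking the requests you actually make finds it and a blind crawl does not.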
More to come
Our legion of mad scientists in the secret labs below the Alps is already working on other cool stuff. Watch out for codename "Morcilla".
What’s the reason for the name?
It’s too embarrassing to tell. Please don’t ask, we blush easily.