Leveraging Security to PHP (using sausages)

Avatar von Johann-Peter Hartmann

Let’s be honest – the guys over at bugtraq, full-disclosure and others make fun of us PHP people. Chorizo ScreenshotNot only do we provide the dramatis personae – be it phpBB, the Nuke family or XMLRPC, we also deliver remote code execution, XSS or SQL injections right to the security peoples‘ doorstep.
Why does this happen? Are we all dumbnuts? That’s not the explanation – at least not all of it. If you take an easy-to-learn language, lots of people with only a basic grasp of it, as well as a hostile environment, you get a guaranteed number of exploits (or US foreign politics). Although it’s rarely a problem with PHP itself, this spoils PHP’s image quite a bit.
Can we live with that? Yeah, of course. There’s a lot of killer applications for PHP that make up for this little PR problem.
The downside is, that neither our users nor our ISPs can live with it. A vast number of security breaches are provided courtesy of PHP applications – think the phpBB bugs or a nice little XMLRPC worm. Basically, any PHP host is forced to implement a huge gateway for crackers of any kind.

In the history of PHP, users and ISPs have always been nice and friendly like our grandma. Their continued support even in rough times ensures PHP’s ongoing success, so we shouldn’t let them down and ignore everything they say (like we do with our grandmas).

Securing applications, the php way

Easy to learn, fast results, no special knowledge needed – now put that together with security. Mission Impossible? Well, maybe, but we try to get pretty close.
Easy to learn: Chorizo! has friendly colors and a funny logo, just like Skype, so it should be easy. The professional version walks you through the whole process.
Fast results: the developers don’t have to install anything. You don’t have to pay anything. Just register and configure your browser to use chorizo as a proxy
No special knowledge needed: you don’t have to know how to audit software, how to look for sql injections or xss. Chorizo! will tell you. if you want to know how to audit software, ask the hardened-php guys, and say goodbye to limited knowledge.

Why a scanner alone is not enough

Chorizo! is a proxy, not a scanner. And we got a reason to do this, besides the fact that we wanted to have fun by writing a proxy in PHP.
Vulnerabilities happen where web applications get interactive. Stupid spidering or entering arbitrary values into a form does not get you there. You have to login, fill out registration forms, and walk thru a whole lot of forms to reach the page with "Thanks for buying swedish dvds", where the actual security vulnerability is. Most of the security scanners are pretty unsure about what your ZIP-code is and as soon as they’re asked for a valid e-mail adress, they are clueless. Using a proxy all this happens automagically, and every request you do is checked in the background. It even tests your AJAX requests. Scanning is included, too – you can scan recursively from every page you are looking at.

What the sausage checks

Every typical exploit we know. XSS, SQL Injections (i.e. when accessing MySQL), Code Inclusions, Code Executions, CSRF, HTTP Response Splitting, Information Disclosures, and more. Chorizo uses some pretty clever methods to look at things like XSS, from a sausage point of view. Of course, you can only check sites that you actually own – the sausage won’t let you find holes in your english teacher’s web site.


Chorizo! is for free, so why should someone pay for the server and for the development work? Well, we are nice and friendly guys, we even pay taxes from time to time, but we are not that nice. There is a commercial version that actually explains and what you might want to fix. There is even a commercial intranet version – just scan everything you want from within your own network.

More to come

Our legion of mad scientists in the secret labs below the alps is already working on other cool stuff. Watch out for codename "Morcilla".

What’s the reason for the name?

It’s too embarrassing to tell. Please don’t ask, we blush easily.

Avatar von Johann-Peter Hartmann


8 Antworten zu „Leveraging Security to PHP (using sausages)“

  1. Because of the ability to mis-use such a tool for malicious purposes (which is why others have not released theirs) I’d like to suggest the following:

    Each time Chorizo is used to check a site, a publicly accessibly file should be placed on the server which should contain a unique ID for the site/client. If Chorizo cannot find this data, then it doesn’t have permission to perform the scans.

    – Davey

    1. Hi Davey,

      that is exactly how it works :-) , unique filename with unique content in the document root.
      – johann

  2. Laut einer Pressemitteilung und einem Bericht von Golem, hat die Mayflower GmbH einen Security Scanner namens Chorizo entwickelt.Das Tool fungiert als Proxy. Der Benutzer besucht ganz normal (s)eine Website, während Chorizo diese auf Schwachstellen wie

  3. My wonder about something like this, is how likely is it to get that one circumstance and find the issue compared to looking at the code alone?

    I have seen many scanners and items of the sort that absolutely fail at this. Also if you hit it on a production site, if error reporting and all items are configured correctly without the actual source code being read it would be hard to actually know for sure if there still isn’t a security related issue in an obscure area.

    1. Hi Mike,
      of course there are a lot of bugs that are found within an audit that chorizo can’t find.
      Nevertheless we found a good number of bugs in well known (and, according to bugtraq advisories, audited) open source tools already.

  4. Avatar von Gustavo Narea
    Gustavo Narea

    And because of the ability of mis-understand such a name for malicious purposes, I’d sugget you not to use that word in Spanish. ;-)

  5. Is registration closed at the moment? I tried with Firefox ( and IE6, both times I just get the read „Loading“ info on the top left, but nothing happens. Javascript is enabled. Do I miss something maybe?


Schreibe einen Kommentar

Deine E-Mail-Adresse wird nicht veröffentlicht. Erforderliche Felder sind mit * markiert

Für das Handling unseres Newsletters nutzen wir den Dienst HubSpot. Mehr Informationen, insbesondere auch zu Deinem Widerrufsrecht, kannst Du jederzeit unserer Datenschutzerklärung entnehmen.