Understanding successful tracing of security vulnerabilities

Web applications can easily become very complex. Several hundreds of thousands of lines of code (no HTML templates!) is usual at larger corporate solutions. This also means that your PHP applications follows the standards like object oriented programming, nested classes etc.

When it comes down to detect security vulnerabilities, a lot of tools are available. In a previous post I told you that we developed Chorizo! mainly because we needed a tool that checks for security vulnerabilities (both XSS issues and server side issues) very easily. I think our GUI is very nice :-)

In a previous post I introduced Morcilla to you (see video here and here and feature list here). The server side extension enable Chorizo! to have a look inside your server. Unlike other tools, you can now detect and eliminate security vulnerabilities very easily – the videos showed how to fix a local file inclusion bug within an instant.

But sometimes it’s not very easy to check if a vulnerability occured where Morcilla told you it occured. Take, for example, MySQL’s mysql_query() function. If we detect a SQL injection in the line where mysql_query happened, it may lead to irritation if you imagine the mysql_query()/pdo_query() function was called inside your SQL abstraction layer you’re using – modern applications use that. So you probably don’t know at first sight where the call was made that enabled an attacker to slip in.

In order to pinpoint this issue, it is neccessary that you get a deeper look to the callstack of all the functions that were involved calling the SQL abstraction layer. Here’s a screenshot how it looks in the upcoming version of our PHP extension:

As you can see, the mysql_query() call in this example was made at /home/www/morcilla/sqlinject/test2.php on line 10. But there were previous function and class method calls that may have led to this SQL injection because they didn’t filter the input value properly.

If you’re interested which further features the PHP extension brings to you in combination with the security scanner or if you have comments and suggestions, just write us an e-mail!

Detect and fix security vulnerabilities on server side within seconds.

(See bigger version with better quality at https://chorizo-scanner.com/flash_morcilla )

This video shows you how Morcilla, our brand new PHP extension, lets Chorizo! have a look inside your application on the server.

We are able to hook into every PHP function and trace the payloads of Chorizo!. By default, Morcilla hooks into the whole MySQL function family, fopen, mail, include/require/include_once/require_once, preg_* and others. With a ZendEngine patch, we are able to trace unset variables and a lot more.

See the video how it works (Google Video, YouTube). Check out the plugin help page. And finally, register for the Standard Version which includes Morcilla at no extra costs.

Garvin Hicking from s9y weblog project says:

„Chorizo features a large ruleset for virtually all ‚usual suspects‘ of
web application security issues. Being able to run background checks
while developing an application is an immense timesaver – especially for
open-source developers like me, who are already swamped with support and
bugfixing, we can now enjoy discovering possible security issues while

Methods to reduce the load of your webserver by caching content: using lighttpd, MySQL UDF, LUA and speed everything up.

The method I would like to describe is based on the webserver

Lighttpd is a single process webserver written for high traffic sites.
It supports fast-cgi out of the box which makes it ideal for hosting PHP applications.
There are lots of nice modules for the daily
work like mod_access or mod_rewrite.
For more infos see the internals

There are also some benchmarks there.
Lighty´s home is always worth having a look at.


MAYFLOWER first company to certify all its employees for MySQL

Munich/Würzburg, 2006-05-30: MAYFLOWER, internationally reknown with its brand ThinkPHP in the PHP/LAMP world, is proud to announce that it has certified all its developers for MySQL Core and is the first ISV worldwide that has achieved this.

Read the official press release (German only) at mysql.de.