Understanding successful tracing of security vulnerabilities

Web applications can easily become very complex. Several hundred thousand lines of code (not counting HTML templates!) is usual for larger corporate solutions. This also means that your PHP application follows standards like object-oriented programming, nested classes, etc.

When it comes to detecting security vulnerabilities, a lot of tools are available. In a previous post I told you that we developed Chorizo! mainly because we needed a tool that checks for security vulnerabilities (both XSS issues and server-side issues) very easily. I think our GUI is very nice :-)

In a previous post I introduced Morcilla to you (see video here and here and feature list here). The server-side extension enables Chorizo! to have a look inside your server. Unlike other tools, you can now detect and eliminate security vulnerabilities very easily – the videos showed how to fix a local file inclusion bug in an instant.

But sometimes it’s not very easy to check whether a vulnerability occurred where Morcilla told you it occurred. Take, for example, MySQL’s mysql_query() function. If we detect a SQL injection in the line where mysql_query() happened, it may be confusing if the mysql_query()/pdo_query() function was called inside the SQL abstraction layer you’re using – modern applications use one. So at first sight you probably don’t know where the call was made that enabled an attacker to slip in.

In order to pinpoint this issue, it is necessary to take a deeper look at the call stack of all the functions involved in calling the SQL abstraction layer. Here’s a screenshot of how it looks in the upcoming version of our PHP extension:

As you can see, the mysql_query() call in this example was made at /home/www/morcilla/sqlinject/test2.php on line 10. But there were previous function and class method calls that may have led to this SQL injection because they didn’t filter the input value properly.
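The point of the screenshot is that the line with mysql_query() is rarely the line that needs fixing. As an added example (not Morcilla’s code, and not how the extension is implemented), here is a minimal SQL abstraction layer that records the call stack of every query it runs with PHP’s debug_backtrace(), so that a flagged query can be traced back through the model class to the application code that built it. The class names (QueryTrace, Db, UserRepository) and the input are constructed for this example; it assumes PHP 8 and runs without a database because the actual mysql/PDO call is stubbed out.

```php
<?php
// Added example, not Chorizo!/Morcilla code: an SQL abstraction layer that
// keeps the call stack of each query so a scanner finding can be traced
// back to the application code, not only to the mysql_query()/PDO line.
declare(strict_types=1);

final class QueryTrace
{
    /** @var array<int, array{sql: string, stack: string[]}> */
    private array $log = [];

    /**
     * Record the SQL together with a compact call stack. Each backtrace frame
     * names the function being called and the file:line it was called from;
     * frame 0 is this record() call itself and is skipped, so the first entry
     * is the abstraction layer's query() and the entries above it lead to the
     * application code that assembled the SQL.
     */
    public function record(string $sql): void
    {
        $frames = debug_backtrace(DEBUG_BACKTRACE_IGNORE_ARGS);
        $stack = [];
        foreach (array_slice($frames, 1) as $f) {
            $callee = ($f['class'] ?? '') . ($f['type'] ?? '') . $f['function'];
            $where  = ($f['file'] ?? '?') . ':' . ($f['line'] ?? '?');
            $stack[] = $callee . '() called at ' . $where;
        }
        $this->log[] = ['sql' => $sql, 'stack' => $stack];
    }

    /** @return array<int, array{sql: string, stack: string[]}> */
    public function entries(): array
    {
        return $this->log;
    }
}

/** Stand-in for the real abstraction layer; mysql_query()/PDO would sit here. */
final class Db
{
    public function __construct(private QueryTrace $trace) {}

    public function query(string $sql): void
    {
        $this->trace->record($sql);
        // ... $pdo->query($sql) would run here; omitted so the example runs offline ...
    }
}

/** Hypothetical application code built on top of Db. */
final class UserRepository
{
    public function __construct(private Db $db) {}

    // This is the frame a developer needs to see: unfiltered input reaches the SQL here.
    public function findByName(string $name): void
    {
        $this->db->query("SELECT * FROM users WHERE name = '$name'");
    }
}

$trace = new QueryTrace();
$repo  = new UserRepository(new Db($trace));
$repo->findByName("o'reilly");   // constructed input standing in for a request parameter

foreach ($trace->entries() as $entry) {
    echo $entry['sql'], PHP_EOL;
    foreach ($entry['stack'] as $frame) {
        echo '  <- ', $frame, PHP_EOL;
    }
}
```

The output lists Db->query() called from inside UserRepository::findByName(), then findByName() called from the top-level script, which is exactly the chain a screenshot like the one above shows. In production, keep such a trace behind a debug flag: the stack contains server file paths that should not reach a client.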

If you’re interested which further features the PHP extension brings to you in combination with the security scanner or if you have comments and suggestions, just write us an e-mail!

SQL injections for dummies – and how to fix them (Update)

Well, database operations are bread-and-butter work for most PHP applications. PHP and MySQL, for example, have been like brother and sister for many years. You may have heard about „SQL injections“, a bad taste from the outside world of $_GET, $_POST, $_COOKIE and the like.

Everybody should know that you shouldn’t pass variables from outside unfiltered to, e.g., mysql_query(). Of course, sometimes this slips through because we are human and humans make errors. The initial development of Chorizo! was driven by our own need to make it easier for our developers to detect potential security issues and fix them in a second. With Morcilla, our server-side PHP extension, life will be much easier, especially when you set display_errors = Off in your php.ini, which hides from potential attackers the hint that a modified GET variable produced a SQL error. With Morcilla, we look inside the server and can detect SQL injection possibilities even though display_errors is set to Off. Oh, and yes, we display the line number and the name of the file on the server where the error happened.
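As an added example (not Chorizo! code), here is the same lookup written twice against an in-memory SQLite database through PDO: first by string concatenation, which is the injectable pattern the post warns about, then as a prepared statement, which is the fix. It also shows the display_errors = Off situation: a broken query raises no output for the client but is still recorded server side. The table, rows and probe values are constructed for the example; it assumes PHP 8 with the pdo_sqlite extension.

```php
<?php
// Added example, not Chorizo! code: vulnerable concatenation beside the
// prepared-statement fix, on an in-memory SQLite database via PDO.
declare(strict_types=1);

$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT, role TEXT)');
$pdo->exec("INSERT INTO users (name, role) VALUES ('alice', 'user'), ('root', 'admin')");

/** Vulnerable: the request value becomes part of the SQL text itself. */
function findUserVulnerable(PDO $pdo, string $name): array
{
    $sql = "SELECT name, role FROM users WHERE name = '$name'";
    return $pdo->query($sql)->fetchAll(PDO::FETCH_ASSOC);
}

/** Fixed: the SQL text is constant; the value travels separately as a bound parameter. */
function findUserSafe(PDO $pdo, string $name): array
{
    $stmt = $pdo->prepare('SELECT name, role FROM users WHERE name = :name');
    $stmt->execute([':name' => $name]);
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

// Constructed probe of the kind a scanner sends: it closes the quote and
// widens the WHERE clause, so the concatenated query returns every row.
$probe = "x' OR '1'='1";

echo 'vulnerable: ', count(findUserVulnerable($pdo, $probe)), ' row(s)', PHP_EOL; // 2: both rows, admin included
echo 'safe:       ', count(findUserSafe($pdo, $probe)), ' row(s)', PHP_EOL;       // 0: treated as a literal name

// The error path the post describes: a value with a quote breaks the SQL. With
// display_errors = Off the client sees nothing, but the server-side log still
// records it, which is where the file and line information must be looked up.
try {
    findUserVulnerable($pdo, "o'reilly");
} catch (PDOException $e) {
    error_log('SQL error (logged server side, not shown to the client): ' . $e->getMessage());
}
echo 'safe with quote: ', count(findUserSafe($pdo, "o'reilly")), ' row(s)', PHP_EOL; // 0, no error
```

The prepared statement needs no escaping at all because the database never parses the parameter as SQL; that is why it is the fix rather than a filter on the input. The same two shapes apply to mysqli and to the old mysql_* family, where only the concatenated form exists and escaping is the only mitigation.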

Check out the following video (or directly on chorizo-scanner.com) to see how it can detect SQL injections in seconds.

Furthermore, we produced a short video that explains the XSS plugin to detect XSS vulnerabilities inside the HTML code, HTML attributes and CSS.

Detect and fix security vulnerabilities on server side within seconds.

(See bigger version with better quality at https://chorizo-scanner.com/flash_morcilla )

This video shows you how Morcilla, our brand new PHP extension, lets Chorizo! have a look inside your application on the server.

We are able to hook into every PHP function and trace the payloads of Chorizo!. By default, Morcilla hooks into the whole MySQL function family, fopen, mail, include/require/include_once/require_once, preg_* and others. With a ZendEngine patch, we are able to trace unset variables and a lot more.

See the video how it works (Google Video, YouTube). Check out the plugin help page. And finally, register for the Standard Version which includes Morcilla at no extra costs.

Garvin Hicking from s9y weblog project says:

„Chorizo features a large ruleset for virtually all ‚usual suspects‘ of web application security issues. Being able to run background checks while developing an application is an immense timesaver – especially for open-source developers like me, who are already swamped with support and bugfixing, we can now enjoy discovering possible security issues while working.“

The proxy mode of Chorizo – and a sneak peek at Morcilla, Chorizo’s little sister.

Morcilla, the server side PHP extension for Chorizo!

Web applications nowadays use AJAX features to provide a very comfortable interface to their users. XmlHttpRequest is the technique that is used to pull data from the server in the background.

Have you ever asked yourself how to track down security issues in your XmlHttpRequests without losing too much time? Well, Chorizo gives you the answer: the proxy mode. By using Chorizo! in this (preferred) mode, you can assure that every request your application makes (whether it is a XmlHttpRequest call or a Flash client that pulls data from a PHP script in the background) will be tracked by Chorizo! and thus scanned for security flaws.

There’s also a so-called „CGI browsing mode“ where you just enter the start URL of your site and Chorizo! then tries to rewrite all the links it can find in the HTML page. This CGI mode doesn’t give you the full advantage, though: imagine you have JavaScript in your page that builds links from variables etc. – Chorizo! can’t successfully rewrite all those links. If you combine the proxy mode with the „Scan while browsing“ background scanning mode, you unlock the full potential of the application.

It might be interesting to note that the proxy itself was written in PHP :-) We measured that it is able to make up to 100 scans/second. In order to protect your server from a DoS attack ;-), we implemented a heuristic that automatically reduces the number of parallel scans if the server doesn’t respond fast enough.

If you want to give it a try, here’s a sneak peek (screenshots!) at Morcilla, our upcoming server-side PHP extension, which will only be available in the commercial accounts.

To be one step ahead with AppArmor in your web server’s environment

Our first experiences with Novell’s AppArmor

Imagine you plan to offer an application service hosted on a common Linux box. That is not very difficult at all: you choose your favourite distribution, install and configure some servers (e.g. web and database servers) and finally add your web-based application itself. Sooner or later, once the project has been announced, you’ll have to face security issues, simply because Internet web applications are always an attractive target for attacks. From then on you are in the cycle of fixing bugs, upgrading software and closing „open doors“.


Stacking up the free accounts: recursive scans

Chorizo’s standard account already contains recursive scans from the current URL. This means that Chorizo! is able to follow URLs from forms etc. automatically until a recursive level that you are able to set.

From now on, the free accounts also benefit from this feature which makes it very handy to scan sites more deeply. However, we limited the recursion depth to 1, so Chorizo! is able to follow all links etc. on the current page. The standard account is able to scan up to a depth of 3.

To give you a number: some time ago I scanned a popular PHP open-source CRM application with one scan through „Scan the current page“. With a recursion depth of 3, this led to more than 10,000 scan requests.

If you want to give it a try, just register on the webpage for the free account.

Improving Usability on „My Chorizo“ page: the host signature file


In the spirit of Web2.0 applications, we constantly improve Chorizo! and silently update the application with the newest features. In order to scan a host, you have to prove that you are the owner of the host by uploading a unique signature file to your host’s document root. Some of our users had trouble uploading it to the docroot, some accidentally put it into the wrong directory.

So we enhanced the „My Chorizo“ page: if you click on one of your products which will then show on the right the registered hosts, it gives you a status if the signature file is available or not. See the screenshot on the right.
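The ownership check behind this status display, as an added example that is not Chorizo!’s own code or protocol: a per-host signature is generated from a random token, and the check fetches the file from the host’s document root and reports one of three states so the UI can show whether the file is present, present but wrong, or missing (e.g. uploaded to the wrong directory). The file name scheme, the HTTPS fetch and the status names are assumptions for this example; the offline demonstration replaces the network fetch with a constructed in-memory document root.

```php
<?php
// Added example, not Chorizo! code: host ownership proof via a signature file.
declare(strict_types=1);

/**
 * Create a per-host signature: the path under the docroot and its expected
 * content. The token is random so it cannot be guessed for someone else's host.
 * The file name scheme is an assumption for this example.
 */
function makeSignature(string $host): array
{
    $token = bin2hex(random_bytes(16));
    return ['host' => $host, 'path' => '/chorizo-' . $token . '.txt', 'content' => $token];
}

/**
 * Fetch the signature file from the host and compare it with the expected
 * content. Returns 'ok', 'mismatch' or 'missing'. $fetch takes a URL and
 * returns the body on HTTP 200, or null otherwise; the default fetcher uses
 * PHP's http stream wrapper with a short timeout.
 */
function checkSignature(array $sig, ?callable $fetch = null): string
{
    $fetch ??= static function (string $url): ?string {
        $ctx  = stream_context_create(['http' => ['timeout' => 5, 'ignore_errors' => true]]);
        $body = @file_get_contents($url, false, $ctx);
        // $http_response_header is set by the http wrapper in this scope
        if ($body === false || !isset($http_response_header[0])
            || !preg_match('#\s200\s#', $http_response_header[0])) {
            return null;
        }
        return $body;
    };

    $body = $fetch('https://' . $sig['host'] . $sig['path']);   // HTTPS assumed
    if ($body === null) {
        return 'missing';
    }
    // Constant-time comparison of the known token against the fetched body.
    return hash_equals($sig['content'], trim($body)) ? 'ok' : 'mismatch';
}

// Offline demonstration: a constructed docroot served by a fake fetcher.
$sig     = makeSignature('example.com');
$docroot = [$sig['path'] => $sig['content'] . "\n"];           // uploaded correctly
$fake    = static function (string $url) use ($docroot): ?string {
    $path = parse_url($url, PHP_URL_PATH);
    return $docroot[$path] ?? null;
};

echo checkSignature($sig, $fake), PHP_EOL;                                          // ok

$wrongDir = $sig;
$wrongDir['path'] = '/uploads' . $sig['path'];                                     // put into the wrong directory
echo checkSignature($wrongDir, $fake), PHP_EOL;                                     // missing

$stale = $sig;
$stale['content'] = bin2hex(random_bytes(16));                                      // file from an older signature
echo checkSignature($stale, $fake), PHP_EOL;                                        // mismatch
```

Two details matter for a check like this: the token must be unpredictable (random_bytes, not a hash of the host name), and the comparison should use hash_equals so that the check does not leak information through timing. Distinguishing 'missing' from 'mismatch' is what lets a status page tell a user that the file landed in the wrong directory rather than that the content is wrong.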

3,500 users in 2 days. Awaiting the birth of the bloody alien sausage.

Geez! What a week. Right after the announcements on several news tickers and websites (on heise Security German and heise Security English, an extensive German review at dynamic-webpages.de and one in French at nexen.net) on Monday, more than 3,500 users (and counting) registered at our small security sausage tool and created hundreds of thousands of security scans on their servers! We try to commoditize PHP security by providing you with free accounts – just go to the Chorizo homepage and register for a free account. The train is rolling… and we’re ready to stack up the commercial accounts with some more features soon.

Finally, one spoiler: Let’s wait for the birth of Morcilla (link to Wikipedia), Chorizo!’s small sister. You wanna know what’s behind Morcilla? Imagine if Chorizo! would be able to look "behind the scenes" on your server during a security scan …

Stay tuned! There’s more coming up.

Commoditizing PHP security

We think it’s time to commoditize PHP web application security. You may have heard of Chorizo!. We’re proud to announce that from now on it’s possible to register for a free account on chorizo-scanner.com.

With this free account, it’s possible to use the Chorizo! application service as a proxy and scan 1 host. All scan data is encrypted; your data is only visible to you. There are also some valuable help documents available that explain the whole process from registering up to uploading the signature file onto your host and how to analyze the results. Please note: as Chorizo! is an application service, you can only scan hosts that are publicly available or whose firewall allows the chorizo-scanner.com IP. For those of you who want to scan non-public websites, there will be a solution soon.

Furthermore, there’s an enhanced commercial version available which includes the Advisor (a guide that explains what issue was found and exactly how to solve it), a detailed report analyzer and a PDF export of the reports for maximizing development productivity (please click on the small image to display the large version):

We think that everyone should be able to find common security bugs like XSS (especially in today’s Web2.0 applications), SQL injection (e.g. in MySQL queries), remote code inclusion/execution, session injection, PHP vulnerabilities and the like. As Chorizo! is based on a plugin architecture, we are likely to add more and more plugins for detecting new vulnerabilities.

If you have any questions, feel free to e-mail us at: chorizo at mayflower dot de

Web2.0 (In)Security

At the webmontag.de gathering in Munich, Johann gave a session about „Web2.0 (In)Security“. With the emergence of more and more Web2.0 applications, security is a must for every developer. Johann explained, for example, why XSS hurts more in Web2.0 than in Web1.0.

You can download the slides here (attention: German language).

Web2.0 also seems to become a more and more popular topic here in Germany, see sevenload.de and the „Next 10 Years“ conference about Web2.0, hosted by SinnerSchrader. There’s some live blogging about it, see sichelputzer, beissholz.de, Oliver Gassner (see soso blog), fischmarkt.de and others.