PHP Interpreter Detects SQL Injection and XSS Vulnerabilities - TallGuyShort
http://www.rkrishardy.com/2009/06/new-php-interpreter-based-xss-and-sql-security-tester/

======
tptacek
_Comparison to black-box fuzzing. We compared Ardilla's ability to find first-order
XSS attacks to that of a black-box fuzzer for finding XSS attacks: Burp
Intruder (listed in the 10 most popular Web-vulnerability scanners). We
configured the fuzzer according to its documentation. The fuzzer requires
manual setting up of HTTP request patterns to send to the Web application
(and requires manual indication of variables to mutate). We ran the fuzzer
using the same attack pattern library that Ardilla uses, and on the same
subject programs. (We have not been able to successfully configure webchess
to run with the fuzzer.) We ran the fuzzer until completion (up to 8 hours).
The fuzzer found 1 first-order XSS vulnerability in schoolmate, 3 first-order in
faqforge, 0 in EVE, and 0 in geccbblite. We examined all vulnerabilities
reported by the fuzzer and determined that they were a subset of those
discovered by Ardilla._

Ardilla looks like awesome work, but this is a specious metric. Burp Intruder
isn't a fire-and-forget platform for finding XSS and SQLI; it's a tool to
accelerate manual testing. The authors (wisely) aren't making the claim that
manual testing couldn't have found the schoolmate flaws; if manual testing can
find something, it's tricky to propose that Burp Intruder couldn't have helped
them.

------
DanHulton
In a similar vein, anyone interested in this should also check out:
<http://php-ids.org/>

------
jcsalterego
Here's another take on SQL injection detection, which delves into the query
language a bit more, including a formal analysis:

<http://www.cs.uiuc.edu/~madhu/tissec09.pdf>

------
ilyak
Avoiding SQL injections is so easy that I don't understand why this topic
still lives on.

~~~
coolnewtoy
there's a real disconnect between the academic literature and tradebooks on
using web application frameworks.

I fell into writing about it this way:

me: I want to write about securing databases from attack via the web front end

prof: go find me the most common vulnerability

me: that's sql injection

prof: that's your topic