You will need PHP and Composer.
cd php-analyzer
composer install
php artisan serveNow, you can go to http://localhost:8000 and upload files to analyze!
I like to read lines of code and try to understand how it work to find vulnerabilities.
It's me, trying to develop another sast tool.
- Understand how sast tools works
- Get better at finding vulns in php code
- Code Review Automation
- Finding sinks is great, associated with sources will be better (i will try)
Env: PHP with Laravel, because I am more comfortable developing with this framework and what is better than php to analyze php!
We need to create a list of dangerous functions in PHP, such as:
eval()exec()system()shell_exec()passthru()popen()proc_open()include()andrequire()(when dealing with dynamic paths)- Database functions like
mysqli_query()if you want to detect SQL injection vulnerabilities.
- Parse PHP Files: We will use a parser to convert PHP files into an Abstract Syntax Tree (AST).
- Analyze Function Calls: Walk through the AST nodes to identify calls to dangerous functions.
- Trace Parameter Sources: Check where the parameters of these functions are coming from. We need to trace variables back to their origin to detect if they come from user input (
$_GET,$_POST, etc.) or other tainted sources.
PHP-Parser by Nikita Popov is a library that can parse PHP code into an Abstract Syntax Tree (AST).
token_get_all parses the given code string into PHP language tokens using the Zend engine's lexical scanner (Token list).
Tracing where parameters come from requires a bit more complexity:
- Variable Tracking: Track assignments to variables to trace their origins. If a variable is assigned a value from
$_GET,$_POST, or any other user-controlled input, we need to mark it as tainted. - Function Parameter Propagation: When functions pass parameters, we need to propagate taint status through function calls.
- Complex Flows: We need to handle conditional statements, loops, and include/require statements to accurately track the flow of data.
Once we have a list of dangerous functions and their tainted parameters, we can generate a report:
- Output Format: JSON, HTML, or plain text.
- Details to Include:
- File name and line number;
- Function name and parameters;
- The source of each parameter (e.g.,
$_GET['id']); - Example of payload.
-
Test Cases: We need some PHP files with known vulnerabilities to test the tool against them.
-
Improve Detection: Add more advanced features, like detecting SQL injections beyond simple cases, and handling more complex data flows.
- Sandbox: Use sandbox to test vulnerable code**;
- PHP Framework: Adapt the tool to analyse PHP framework (Laravel, Symfony) to retrieve routing and parameters;
- IAST: Maybe one day;
- Config file: Personalize dangerous function to retrieve, score, label and message.

