Application security

RIPS – Finding vulnerabilities in PHP application

Chiragh Dewan
March 20, 2017 by
Chiragh Dewan

The biggest fear of any developer has always been that their site may get hacked and occasionally it does end up being hacked. For a very long time, the most popular stack being used for the development of website has been the LAMP Stack (Linux, MySQL, PHP/Perl/Python). Out of which, the most frequently used language was PHP. Many major websites such as Facebook (early version), Wikipedia, Yahoo, MailChimp, WordPress, etc. have been built on PHP.

Although, many measures have been taken by various developers to make their PHP application as secure as possible. However, PHP when used raw, can be vulnerable. Considering that these mistakes cannot always be avoided, come RIPS to our rescue.

11 courses, 8+ hours of training

11 courses, 8+ hours of training

Learn cybersecurity from Ted Harrington, the #1 best-selling author of "Hackable: How to Do Application Security Right."

RIPS is a source code scanner that detects possible vulnerabilities in a PHP code. RIPS tokenizes and parses the entire source code by transforming the PHP code into programs models and detects the possible vulnerable functions that can be compromised by a user input. It also offers an integrated code audit framework for further manual analysis.

RIPS covers a vast range of vulnerabilities, such as

  • Code Execution
  • Command Execution
  • Cross-Site Scripting (XSS)
  • Header Injection
  • File Disclosure
  • File Inclusion
  • File Manipulation
  • LDAP Injection
  • SQL Injection
  • XPath Injection
  • Unserialize with POP
  • A Few details about the Code Audit Interface:

    • Scan and vulnerability Stats
    • Grouped vulnerable code lines (bottom up or top down)
    • Vulnerability description with example code, PoC, patch
    • Exploit creator
    • File list and graph
    • Function list and graph
    • User Input list
    • Source code viewer with highlighting
    • Active jumping between function calls
    • Searching via Regular Expression (regex)
    • Eight syntax highlighting designs

    A Few details about its static code analysis:

    • It is fast
    • Tokenizing with PHP tokenizer extension
    • Taint analysis for 232 sensitive sinks
    • Inter- and Intra-Procedural analysis
    • Handles very PHP-specific behavior
    • Handles user-defined securing
    • Reconstruct file inclusions
    • Detecting blind/non-blind exploitation
    • Detecting Backdoors

    The latest version of RIPS can be downloaded from https://sourceforge.net/projects/rips-scanner/files/

    Note: You will require a local web server, such as MAMP/WAMP/XWAMP (depending on your Operating System), installed on the system you want to run RIPS on. Once downloaded, extract the file to your web server. Usually, the path is /var/www/rips or in the htdocs folder.

    Once done, you can access at http://localhost/rips/

    This is what RIPS looks like when started:

    RIPS gives us the ability to scan a single PHP file or a complete PHP application folder. We start by entering the path of our project or file (marked in red) and select if we enter the path of a folder, the subdirs checkbox (marked in yellow) if we want RIPS to scan the sub-directories of that folder as well.

    Next, we start to select the vulnerability we want to scan for (marked in green). In this case, RIPS gives us a few options:

    • All the vulnerabilities present in RIPS
    • All Server-Side vulnerabilities
    • All Client-Side Vulnerabilities
    • A particular vulnerability

    Note: More vulnerabilities we select and bigger the application we are scanning; the more time RIPS will take to do its job.

    Next, we select the verbosity level (marked in purple). RIPS gives us five different levels:

    1. User tainted – It scans only for PVF calls which are tainted with user input.
    2. File/DB tainted +1 – This also factors file and database content as potentially malicious user input.
    3. Show Secured +1,2 – It will also output secured PVF calls. This is important to detect insufficient securing's which are sometimes hard to detect by a static code analyzer automatically.
    4. Untainted +1,2,3 – It shows additional information RIPS collected during the scan such as exists, notes about the success of analyzing, included files and calls of functions.
    5. Debug Mode – It shows all PVF calls and its traces whether to not tainted by user input. However, this level can lead to a lot of false positives.

    I have written a small PHP file which is vulnerable to XSS. Let's see if RIPS can figure that out or not:

    We can see that RIPS tells us that our code in "test.php" is vulnerable to XSS. Let's see if this is actually the case or if it is a false positive:

    As we can see, the code is vulnerable to XSS. By pressing the small help icon (marked in black) on the left-hand side will show us more information on XSS:

    So as we can see, the concept of XSS in that if we use a $_GET source and directly print it using echo, it results in XSS. Let's see if this is what our code looks like or not:

    Yep, that is exactly what our code looks like. Hence, the vulnerability. We can also see that RIPS has marked our user input as tainted:

    For a further test, we will be using Damn Vulnerable Web Application (DVWA). It is an open source application on which we can practice various security tests at various levels. It can be downloaded from https://github.com/ethicalhack3r/DVWA. Installation instructions and setup is present with it.

    Let's try a different vulnerability, say File Inclusion:

    First, we will search the file to see if that vulnerability exists or not:

    As we can see, it shows that this is vulnerable to File Inclusion. In the graph generated by RIPS, we can also see the source of the vulnerability:

    In the code viewer, we can also the highlighted vulnerable piece of code:

    We can also use its exploit creator to create a PoC:

    Now that we have so much information, let's see if it is actually vulnerable or not:

    Yes, this confirms that the code is vulnerable to File Inclusion.

    The same way, we can test for various other vulnerabilities as listed above.

    Conclusion

    There are various other open source web application scanners that are used to find vulnerabilities in a black box testing. However, a source code review in a white box case can lead to much better results, but only a handful of open source PHP source code analyzers are out there. Due to the limitations of a static code analyzer, some false positives can occur, and a manual review of the result is recommended. Overall, RIPS is a good analyzing tool, but you cannot solely rely on it.

    Chiragh Dewan
    Chiragh Dewan

    A creative problem-solving full-stack web developer with expertise in Information Security Audit, Web Application Audit, Vulnerability Assessment, Penetration Testing/ Ethical Hacking as well as previous experience in Artificial Intelligence, Machine Learning, and Natural Language Processing. He has also been recognised by various companies such as Facebook, Google, Microsoft, PayPal, Netflix, Blackberry, etc for reporting various security vulnerabilities. He has also given various talks on Artificial Intelligence and Cyber Security including at an TEDx event.