Hi guys, I am the new one in PHP audit and recently, I have read the book "php|Architects Guide To Security", but when I get the source code of a php project I don't know how to start with it.

I know about the XSS, CSRF and SQLi, and I have been a web application penetration tester for a long while, but I just know how to test in a black box.

I just got a new job about php and java source code audit, I need some suggestions, thans

umm.. maybe throw the code you're supposed to review on a web server and pen test it the way you 'know' how to 'pen test'?

--thrill

---

It is not the degrees you hold, but the mind you possess. - thrill

sounds like you never really knew what you were doing. look for unfiltered userinput in vulnerable functions, like file functions for file inclusion/path traversal, database functions for SQLi and so on.

@Joel:
I don't think you are really familiar with what you are doing. White Box Testing is the test where you are familiar with the source codes, and u look at them to find interesting vulnerable functions and methods. Black Box Testing is the one where you do not know anything about source code and test it like a person who is just using it and you try to find flaws in the program by using it.

http://en.wikipedia.org/wiki/White-box_testing
http://en.wikipedia.org/wiki/Black-box_testing

So if u are really doing black box than run them on webserver as thrill said and test them.

I always test my pens before writing, highly recommend.

What is this test thing you all keep talking about? Some new hot website? I want free Viagra too!

Ok, a relatively sensible answer.. but if you don't know this already.. please tell me who's given you a job, I want one too!

Basically, it's exactly like black-box testing in many ways. In both, you look for every available opportunity for a 'malicious user' to interact with the system, and examine those for vulnerabilities.

Personally I would suggest a user input/output module with functions that handle every single interaction with the client.. that makes securing the whole thing a lot easier.. but that means you're designing for security, not just building it and checking for leaks.. which I think is actually illegal in most states (or people develop as if it were!). Not always practical or perfect, but often a very good place to start; even if you never actually write the module, the process of understanding every input and output is key to a good white box test.


J

or maybe just run ./whisker

:)

--thrill

---

It is not the degrees you hold, but the mind you possess. - thrill

Firstly you must understand how appears common types of vulnerabilies:
* SQL-injection
* fopen/fileread
* LFI/RFI
* PHP-Code execution
* File uploading
* XSS
and so on.
Then put your apache configuration to max "unprotected" (magic_quotes=off, safe_mode=off, allow_fopen_url=on and so on)
and search in code for functions that are able to raise vulnerabilies (mysql_query(), include(), eval(), system() and so on...), check where function parameters come from, do they filtered enough.
Paralelly you can apply "black-box" testing with tools like Acunetix scanner, they may help you to find bugs faster.

or... just run ./whisker

--thrill

---

It is not the degrees you hold, but the mind you possess. - thrill