This page presents a few common examples of vulnerable PHP code that Syhunt can find, along with the PHP scanning capabilities available in the product.
Note: This page covers results obtained via SyHybridCS. Syhunt Suite's graphical interface and reports offer identical but more detailed results.
Syhunt performs intelligent PHP code scanning and can identify which individual variables lack input filtering:

<?
$a = htmlentities($_GET['a']);
$b = $_GET['b'];
$c = $_GET['c'];
$d = htmlentities($b);

echo ($a); // safe
echo (htmlentities($b)); // safe
echo ($c); // XSS vulnerability
echo ($d); // safe
echo (htmlentities($_GET['id'])); // safe
?>
The code above uses output filtering, but a single variable ($c) is vulnerable to XSS because it is echoed without filtering. Syhunt scan results for this example code reveal just the vulnerable code:

Found: 1 vulnerability
In /entxss.php (source code, locally), affecting parameter "c", on lines 4,9: Possible XSS Vulnerability
Syhunt is not affected by false negatives caused by incorrect code understanding, as in this example:

<html>
<? $name = $_GET['name']; // Comment ?><? echo($name); // XSS 1 ?>
<script>
document.write('<? echo($_GET['city']); // XSS 2 ?>');
</script>
</html>
Could this example code be vulnerable? Yes, it is, but the web application (not designed by us) that we used to highlight the code on this page is faulty and mistakenly thinks that a ' is found.
This image, taken from a PHP editor, shows what it would look like if the above code were properly parsed:
A code scanner could easily make similar mistakes when scanning web applications and analyzing their code, resulting in false negatives. Syhunt does what it should do (correctly understands the code) and detects the flaws:

Found: 2 vulnerabilities
In /commentbug.php (source code, locally), affecting parameter "name", on line 2: Possible XSS Vulnerability
In /commentbug.php (source code, locally), on line 4: Possible XSS Vulnerability
Syhunt will, whenever possible, avoid triggering false positive results. For example, this will not be reported:

<?
/* This was a XSS vulnerability. I commented it out
echo($_GET['name']);
*/
$name = $_GET['name'];
// echo($name); Same here!
?>

The code above is no longer vulnerable, since the echo statements have been commented out. Syhunt scan results for this example code consequently reveal no flaws:

No vulnerabilities found.
Flaws in which the tainted value reaches the output through an intermediate variable are difficult to find by hand when there are many lines of code. Syhunt is also able to detect them:

<html>
<?php
$name = $_GET['name'];
$msg = 'Welcome '.$name;
?>
<head>
<title><? echo($name); /* XSS 1 */ ?></title>
</head>
<body>
<? echo($msg); /* XSS 2 */ ?>
</body>
</html>

Syhunt scan results for this example code:

Found: 2 vulnerabilities
In /vars.php (source code, locally), affecting parameter "name", on lines 3,4,7: Possible XSS Vulnerability
In /vars.php (source code, locally), on line 10: Possible XSS Vulnerability
Syhunt includes support for the echo shorthand:

<?
$name = $_GET['name'];
?>
<?=$_GET['name']; //XSS 1 ?>
<?=$name // XSS 2 ?>

Syhunt scan results for this example code:

Found: 2 vulnerabilities
In /xss_shorthand.php (source code, locally), on line 4: Possible XSS Vulnerability
In /xss_shorthand.php (source code, locally), affecting parameter "name", on lines 2,5: Possible XSS Vulnerability
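The comment-handling cases above (the commentbug sample, the commented-out sample) and the echo shorthand all come down to tokenizing PHP correctly: a // comment ends at ?>, an echo inside /* */ is dead code, and <?= is an echo. As an added example, not Syhunt's own code, the following runs PHP's built-in tokenizer (token_get_all) over constructed copies of those three samples; the copies use <?php instead of <? so the result does not depend on the short_open_tag setting.

```php
<?php
// Added example (not from the Syhunt page). Uses PHP's own lexer to decide
// whether an echo is live code or sits inside a comment, which is exactly the
// distinction a scanner must get right for the samples above.

// For every echo-like construct, report its line and whether the tokenizer
// saw it as code (live = true) or inside a comment (live = false).
function live_echos(string $source): array {
    $found = [];
    foreach (token_get_all($source) as $tok) {
        if (!is_array($tok)) {
            continue; // single-character tokens such as ';' or '('
        }
        [$id, $text, $line] = $tok;
        if ($id === T_ECHO || $id === T_PRINT || $id === T_OPEN_TAG_WITH_ECHO) {
            $found[] = ['line' => $line, 'live' => true];
        } elseif ($id === T_COMMENT && preg_match('/\becho\b/', $text)) {
            // An echo that only appears inside comment text is dead code.
            $found[] = ['line' => $line, 'live' => false];
        }
    }
    return $found;
}

// Constructed inputs modelled on the page's commentbug, commented-out and
// shorthand samples (short open tags replaced by <?php).
$samples = [
    'commentbug.php' => "<html>\n"
        . "<?php \$name = \$_GET['name']; // Comment ?><?php echo(\$name); ?>\n"
        . "<script> document.write('<?php echo(\$_GET['city']); ?>'); </script>\n"
        . "</html>\n",
    'commented.php' => "<?php\n"
        . "/* This was a XSS vulnerability. I commented it out\necho(\$_GET['name']);\n*/\n"
        . "\$name = \$_GET['name'];\n"
        . "// echo(\$name); Same here!\n"
        . "?>\n",
    'shorthand.php' => "<?php \$name = \$_GET['name']; ?>\n"
        . "<?=\$_GET['name']; ?>\n"
        . "<?=\$name ?>\n",
];

foreach ($samples as $file => $src) {
    foreach (live_echos($src) as $hit) {
        printf("%s line %d: %s\n", $file, $hit['line'],
            $hit['live'] ? 'live echo (candidate XSS sink)' : 'echo inside comment (ignore)');
    }
}
```

The commentbug and shorthand samples each yield two live echos, while both echos in the commented-out sample are reported as comment text, matching the three scan results above.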
Syhunt also supports PHP inside <script> tags:

<html>
<script language="php">
$d = $_GET['d'];
echo($d); // XSS
</script>
</html>

Syhunt scan results for this example code:

Found: 1 vulnerability
In /inscript.php (source code, locally), affecting parameter "d", on lines 3,4: Possible XSS Vulnerability
See: Cross-Site Scripting (XSS)
These are very basic XSS examples:

<?
echo($_GET['name']); // XSS 1
echo($_POST['name']); // XSS 2
echo($_REQUEST['name']); // XSS 3
?>

Syhunt scan results for this example code:

Found: 3 vulnerabilities
In /xss_basic.php (source code, locally), on line 2: Possible XSS Vulnerability
In /xss_basic.php (source code, locally), on line 3: Possible XSS Vulnerability
In /xss_basic.php (source code, locally), on line 4: Possible XSS Vulnerability
See: File Inclusion
<?php
$incfile = $_REQUEST['file'];
include($incfile.'.php');
?>

Syhunt scan results for this example code:

Found: 1 vulnerability
In /rfi_sample.php (source code, locally), affecting parameter "file", on lines 2,3: Possible File Inclusion Vulnerability
See: SQL Injection
<?
$username = $_GET['username'];
$result = mysql_query('SELECT * FROM users WHERE username="'.$username.'"');
?>

Syhunt scan results for this example code:

Found: 1 vulnerability
In /sqli_basic.php (source code, locally), affecting parameter "username", on lines 2,3: Possible SQL Injection Vulnerability
See: Command Execution
<?
$cmd = $_GET['command'];
passthru('SomeApp.exe '.$cmd);
?>

Syhunt scan results for this example code:

Found: 1 vulnerability
In /rce_basic.php (source code, locally), affecting parameter "command", on lines 2,3: Possible Command Execution Vulnerability
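For contrast with the four basic findings above (XSS, file inclusion, SQL injection and command execution), this added example, which is not code from the Syhunt page, shows one corrected form of each pattern. The $pdo connection, the includes/ directory with its two pages, and the SomeApp.exe tool are assumptions.

```php
<?php
// Added example (not from the Syhunt page): a fixed counterpart for each of
// the four vulnerable samples above. $pdo, includes/ and SomeApp.exe are
// assumptions made for illustration.

// XSS (xss_basic.php): encode on output, whatever the source of the value.
function safe_echo(string $value): void {
    echo htmlspecialchars($value, ENT_QUOTES | ENT_HTML5, 'UTF-8');
}

// File inclusion (rfi_sample.php): never build a path from request data;
// map the request value onto a fixed allow-list of known files.
function include_page(string $requested): bool {
    $allowed = ['home' => 'home.php', 'about' => 'about.php']; // assumed pages
    if (!isset($allowed[$requested])) {
        http_response_code(404);
        return false;
    }
    include __DIR__ . '/includes/' . $allowed[$requested];
    return true;
}

// SQL injection (sqli_basic.php): prepared statement with a bound parameter.
// mysql_* was removed in PHP 7, so PDO is used here.
function find_user(PDO $pdo, string $username): ?array {
    $stmt = $pdo->prepare('SELECT * FROM users WHERE username = :u');
    $stmt->execute([':u' => $username]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}

// Command execution (rce_basic.php): validate against a strict pattern and
// quote the argument so the shell treats it as a single word.
function run_tool(string $arg): bool {
    if (!preg_match('/^[A-Za-z0-9_.-]{1,64}$/', $arg)) {
        return false; // reject anything outside the expected character set
    }
    passthru('SomeApp.exe ' . escapeshellarg($arg));
    return true;
}

// Usage with the same parameter names as the vulnerable samples.
safe_echo($_GET['name'] ?? '');
include_page($_REQUEST['file'] ?? '');
run_tool($_GET['command'] ?? '');
```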
While Syhunt contains checks for many vulnerability variants, this page does not cover them all. In addition to the vulnerability classes covered here, Syhunt detects HTTP Response Splitting, arbitrary file manipulation and weak validation issues.