Sign Up to our social questions and Answers Engine to ask questions, answer people’s questions, and connect with other people.
Login to our social questions & Answers Engine to ask questions answer people’s questions & connect with other people.
Lost your password? Please enter your email address. You will receive a link and will create a new password via email.
Please briefly explain why you feel this question should be reported.
Please briefly explain why you feel this answer should be reported.
Please briefly explain why you feel this user should be reported.
How do I run PHP Security Scanner and SpikePHPSecAudit?
I’ve already extracted them at the root of my website and thought it could be run like phpSecInfo where you just navigate to
www.mySite.com/phpsecinfo/index.php
Any assistance will be appreciated.
ps I am using Windows XP and XAMPP
Spike PHP SecAudit does static analysis of the files, its also very old. Pixy and RATS are also static analysis tools for php, but I think Rats is the only one the three that is still maintained. These tools will produce a lot of false positives and it takes skill to tell the difference between a real problem and meaningless output.
In terms of scanners you are best off with Wapiti, which will produce very few false positives. Wapiti also very easy to use
python wapiti.py http://localhost/vulnerable_app/. I recommend downloading “Hackme Blog” from The Whitebox. Many apps aren’t immediately vulnerable, sometimes you have to use the app a bit before the vulnerability can be reached. Try scanning the blog after a fresh install, then login as the admin and create a blog entry and then scan it again.If all goes well I’ll see an exploit of yours on BugTraq, Give a shout out to “The Rook” ;).