I'm interested in finding open-source tools for auditing some PHP code I didn't write, before putting it into production. I'll need black-box HTTP-probing scanners as well as static code parsers/analyzers.
Where can I find a good comprehensive list of all such tools, and a smaller list of which ones are actually worth trying?
Here's a start. I haven't tried any of them:
- ratproxy http://code.google.com/p/ratproxy/
- pixy http://www.dragoslungu.com/2007/10/30/pixy-is-a-free-php-code-audit-tool/
- Spike PHP http://developer.spikesource.com/projects/phpsecaudit
Backtrack 4 has a bunch of web app testing and fuzzing tools included with it, so I tend to start with the tools found on it. In the past I have had good luck with W3AF identifying problems in Apache and php.ini configurations as well as in the PHP apps that I've inherited.
From 3dinfluence -
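The php.ini misconfigurations 3dinfluence mentions are the kind of thing a scanner reports, but they are also easy to check yourself before running any tool. The script below is an added example written for this page, not code from the thread or from any of the tools named in it: it parses php.ini text, flags directives whose values are unsafe for production, and lists shell-out functions that are not in `disable_functions`. The directive lists, the severity labels and the sample ini are assumptions chosen for illustration; confirm effective values with `php -i`, since an unset directive falls back to the compiled-in default.

```python
"""
Added example (not from the thread): a small php.ini hardening check of the
kind a scanner such as W3AF reports. The directive lists and expected values
are hypothetical picks for a production server; the sample ini is constructed.
"""

# Directives an auditor expects to be Off on a production server, with the reason.
SHOULD_BE_OFF = {
    "display_errors": "error output (paths, stack traces) goes to the client",
    "display_startup_errors": "startup errors reveal configuration details",
    "allow_url_include": "include/require can load remote code (RFI)",
    "allow_url_fopen": "file functions can fetch attacker-controlled URLs",
    "register_globals": "request parameters become global variables",
    "expose_php": "PHP version is advertised in the X-Powered-By header",
    "enable_dl": "scripts can load arbitrary extensions at run time",
}
# Directives expected to be On.
SHOULD_BE_ON = {
    "log_errors": "errors should be logged, not displayed",
    "session.cookie_httponly": "session cookie is readable by scripts (XSS)",
    "session.use_only_cookies": "session IDs can be passed in URLs",
    "session.use_strict_mode": "server accepts uninitialised session IDs (fixation)",
}
# Shell-out functions a hardened php.ini usually lists in disable_functions.
DANGEROUS_FUNCTIONS = {"exec", "passthru", "shell_exec", "system", "proc_open", "popen"}

_TRUE = {"1", "on", "true", "yes"}
_FALSE = {"0", "off", "false", "no", "none", ""}


def parse_ini(text):
    """Minimal php.ini reader: drops ; comments and [sections], lower-cases
    keys for lookup, strips surrounding quotes from values. Last assignment wins."""
    settings = {}
    for raw in text.splitlines():
        line = raw.split(";", 1)[0].strip()
        if not line or line.startswith("[") or "=" not in line:
            continue
        key, value = line.split("=", 1)
        settings[key.strip().lower()] = value.strip().strip('"\'')
    return settings


def as_bool(value):
    """PHP's ini boolean rules: 1/On/True/Yes are true, 0/Off/False/No/None/''
    are false; anything else (a path, a count) is not a boolean and returns None."""
    v = value.strip().lower()
    if v in _TRUE:
        return True
    if v in _FALSE:
        return False
    return None


def audit(ini_text):
    """Return a list of findings: dicts with directive, value, severity, message."""
    s = parse_ini(ini_text)
    findings = []

    def report(directive, severity, message):
        findings.append({"directive": directive, "value": s.get(directive),
                         "severity": severity, "message": message})

    unset_msg = "not set; compiled-in default applies, confirm with `php -i`"
    for name, why in SHOULD_BE_OFF.items():
        if name not in s:
            report(name, "info", unset_msg)
        elif as_bool(s[name]) is not False:   # On, or a non-boolean value
            report(name, "high", "should be Off: " + why)

    for name, why in SHOULD_BE_ON.items():
        if name not in s:
            report(name, "info", unset_msg)
        elif as_bool(s[name]) is not True:
            report(name, "high", "should be On: " + why)

    disabled = {f.strip().lower()
                for f in s.get("disable_functions", "").split(",") if f.strip()}
    missing = sorted(DANGEROUS_FUNCTIONS - disabled)
    if missing:
        report("disable_functions", "medium",
               "shell-out functions still enabled: " + ", ".join(missing))
    return findings


# Constructed sample for this example, not taken from a real server.
SAMPLE_INI = """\
; constructed sample php.ini
[PHP]
display_errors = On
display_startup_errors = Off
log_errors = Off
expose_php = 1
allow_url_fopen = On    ; needed by an old plugin, supposedly
allow_url_include = Off
disable_functions = exec, passthru, shell_exec
[Session]
session.cookie_httponly = 1
session.use_only_cookies = "1"
"""

if __name__ == "__main__":
    for f in audit(SAMPLE_INI):
        print(f"[{f['severity']}] {f['directive']} = {f['value']!r}: {f['message']}")
```

Run it against the real file (`php --ini` prints which one is loaded) rather than the sample; the "info" findings are the ones worth following up with `php -i`, because a directive that is simply absent may still be unsafe by default on older builds.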
Having done both source and blackbox auditing before, I'm inclined to recommend Acunetix or IBM's Hailstorm. As previously mentioned, W3AF is a very good piece of software. But none of these pieces of software are nearly as good as doing it yourself.
From Zephyr Pellerin