Web applications can easily become very complex. Several hundreds of thousands of lines of code (no HTML templates!) is usual at larger corporate solutions. This also means that your PHP applications follows the standards like object oriented programming, nested classes etc.

When it comes down to detect security vulnerabilities, a lot of tools are available. In a previous post I told you that we developed Chorizo! mainly because we needed a tool that checks for security vulnerabilities (both XSS issues and server side issues) very easily. I think our GUI is very nice :-)

In a previous post I introduced Morcilla to you (see video here and here and …

Well, database operations are bread-and-butter work for most PHP applications. PHP and MySQL, for example, have been like brother and sister for many years. You may have heard about "SQL injections", a bad taste from the outside world of $_GET, $_POST, $_COOKIE and the like.

Everybody should know that you shouldn't pass variables from outside unfiltered to i.e. mysql_query. Of course, sometimes this can slip through because we are human and humans make errors. The initial development of Chorizo! was driven by our own need to make it easier for our developers to detect potential security issues and fix them in a second. With Morcilla, our server-side PHP extension, life will be much easier, especially when you turn display_errors = Off in your php.ini settings which won't give a hint to potential attackers that a modified GET variable produced a SQL error. With Morcilla, we look inside the server and can detect SQL injection …

(See bigger version with better quality at https://chorizo-scanner.com/flash_morcilla )

This video shows you how Morcilla, our brand new PHP extension, lets Chorizo! have a look inside your application on the server.

We are able to hook into every PHP function and trace the payloads of Chorizo!. By default, Morcilla hooks into the whole MySQL function family, fopen, mail, include/require/include_once/require_once, preg_* and others. With a ZendEngine patch, we are able to trace unset variables and a lot more.

See the video how it works (Google Video, YouTube). Check out the …

We think it's time to commoditize PHP web application security. You may have heard of Chorizo!. We're proud to announce that from now on it's possible to register for a free account on chorizo-scanner.com.

With this free account, it's possible to use the Chorizo! application service as a proxy and scan 1 host. All scan datas are encrypted, your data is only visible to you. There are also some valuable help documents available that explain the whole process from registering up to uploading the signature file onto your host and how to analyze the results. Please note: as Chorizo! is an application service, you can only scan your hosts that are publicly available or their firewall has the chorizo-scanner.com IP configured. For those of you who want to …

to generate a gpg key, run the following:

gpg --gen-key

when that completes, run

gpg --list-keys

for instance, to get the key information from my pub key, I run:

$ gpg --list-keys cjcollier@mysql.com
pub 1024D/6CC27EA8 2001-04-27
uid C.J. Collier
uid C.J. Collier
uid C.J. Collier
uid [jpeg image of size 9187]

After you generate it, you should publish your public key:

gpg --keyserver pgp.mit.edu --send-keys

mine looks like this:

$ gpg --keyserver pgp.mit.edu --send-keys 6CC27EA8
gpg: sending key 6CC27EA8 to hkp server pgp.mit.edu

You can get my GnuPG key with the following command:

$ gpg --keyserver pgp.mit.edu --recv-keys 6CC27EA8

Let me know what your ID is when you complete this. When I see you
next, I'll sign your …

So, Markus Popp’s recent blog entry about trying to give a user permissions to all databases except one got me thinking.

MySQL has grown immensely, and like many products, new features are compatible with old features. . . somewhat.

Review/baseline:

For current versions of MySQL, permissions are granted and revoked by the GRANT and REVOKE commands. In older versions, administrators had to muck with the access control tables by hand, and then FLUSH PRIVILEGES to enable the new access controls.

The blog entry got me thinking. Currently, if you want to remove all rights from a user, including the ability to login, you have to REVOKE privileges and then DELETE from the mysql.user table. And then, of course, FLUSH PRIVILEGES because you manually …

With some inspiration from Ben Ramsey i created a little demo for using my md5 database during the signup process on a website.

This example demonstrates the use of the MD5 database at http://md5.rednoize.com and AJAX to check password strength during signup on a website. After supplying a username and a password, a md5 hash of the password is generated using Paul Johnston's md5 javascript library.

The hash of the password (not the password itself) is then sent to http://md5.rednoize.com. If the website returns a result for the given password (hence the hash password combination is stored in the md5 database) it can be regarded as …