Pixy is a Java program that automatically scans PHP source code for XSS and SQL injection vulnerabilities. It takes a PHP program as input and produces a report that lists the potentially vulnerable points in the program, together with additional information for understanding each vulnerability.


$ pwd
$ ls
build      config  getstarted.php  lib  src   testfiles
build.xml  doc     graphs          run-all.bat  scripts     test  transducers
$ cat getstarted.php
<?php

// a VERY simple demo file for getting started;
// see doc/readme.txt for usage instructions;
// for more complex demos, take a look into the "testfiles" folder

$a = 'hi';
$b = $_GET['evil'];

echo $a;    // this one is OK
echo $b;    // XSS vulnerability

$ ./ getstarted.php
Error occurred during initialization of VM
Could not reserve enough space for object heap

It doesn't run. orz

$ ./ getstarted.php
File: getstarted.php

*** resolving literal includes ***

*** performing type analysis ***

inclusion iterations:            1
resolved literal includes:       0
resolved non-literal includes:   0
cyclic includes:                 0
not found includes:              0
unresolved non-literal includes: 0

*** performing taint analysis ***


Time: 0 seconds

*** detecting vulnerabilities ***

XSS Analysis BEGIN

Number of sinks: 2

XSS Analysis Output

Vulnerability detected!
- unconditional
- /home/shimooka/Pixy/getstarted.php:11
- Graph: xss2

Total Vuln Count: 1

XSS Analysis END

SQL Analysis BEGIN

Number of sinks: 0

SQL Analysis Output

Total Vuln Count: 0

SQL Analysis END

Total Time: 0 seconds
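To make the report above easier to read, here is a toy taint tracker in Python. It is an added example, not Pixy's code (Pixy is written in Java and handles far more: branches, function calls, includes, aliasing). It models only what the demo exercises: taint enters at a source such as $_GET, flows through assignment and string concatenation, is cleared by a sanitiser, and is reported when it reaches an echo/print sink. The sample file is constructed; it contains the statements from getstarted.php plus a few added lines. Assumptions: htmlspecialchars and htmlentities are treated as sanitisers (Pixy keeps its own list in its config files, which is not reproduced here), and an unmodelled function is assumed to pass taint through its arguments.

```python
"""Toy taint tracker for a straight-line PHP subset (added example, not Pixy's code)."""
import re
from collections import namedtuple

SOURCES = {"$_GET", "$_POST", "$_COOKIE", "$_REQUEST"}   # where taint enters
# Treated as XSS sanitisers here (assumption: Pixy's real list lives in its config files).
SANITIZERS = {"htmlspecialchars", "htmlentities"}
Finding = namedtuple("Finding", "line statement")

# Constructed input: the page's getstarted.php statements plus a few added ones.
SAMPLE_PHP = """<?php
// constructed: the page's getstarted.php statements plus a few added ones
$a = 'hi';
$b = $_GET['evil'];
echo $a;                        // this one is OK
echo $b;                        // XSS vulnerability
$c = 'Hello, ' . $b;            // taint flows through concatenation
$d = htmlspecialchars($b);      // sanitiser clears the taint
echo $c;
echo $d;
echo htmlspecialchars($a) . $b; // one clean part does not clean the other
echo strtoupper($b);            // unmodelled function: taint assumed to pass through
"""

def _walk(s):
    """Yield (index, char, bracket depth) for characters outside string literals."""
    depth, quote, i = 0, None, 0
    while i < len(s):
        ch = s[i]
        if quote:                                  # inside '...' or "..."
            i += 2 if ch == "\\" else 1            # skip escaped characters
            quote = None if ch == quote else quote
            continue
        if ch in "'\"":
            quote = ch
        else:
            depth += (ch in "([") - (ch in ")]")
            yield i, ch, depth
        i += 1

def strip_comment(line):
    """Drop a trailing // or # comment that is not inside a string."""
    for i, ch, _ in _walk(line):
        if ch == "#" or line.startswith("//", i):
            return line[:i]
    return line

def split_top_level(s, sep):
    """Split on sep only at bracket depth 0 and outside strings."""
    cuts = [i for i, ch, depth in _walk(s) if ch == sep and depth == 0]
    bounds = [-1] + cuts + [len(s)]
    return [s[a + 1:b] for a, b in zip(bounds, bounds[1:])]

def parse_call(expr):
    """Return (name, args) if expr is exactly one function call, else None."""
    m = re.match(r"(\w+)\s*\(", expr)
    if not m or not expr.endswith(")"):
        return None
    tail = expr[m.end() - 1:]
    if any(depth == 0 and i != len(tail) - 1 for i, _, depth in _walk(tail)):
        return None                            # e.g. f($a) + g($b): not one call
    return m.group(1), tail[1:-1]

def is_tainted(expr, tainted):
    """Does evaluating expr yield attacker-controlled data?"""
    expr = expr.strip()
    parts = split_top_level(expr, ".")
    if len(parts) > 1:                         # concatenation: any tainted part taints all
        return any(is_tainted(p, tainted) for p in parts)
    call = parse_call(expr)
    if call:
        name, args = call
        if name in SANITIZERS:
            return False                       # sanitiser output is treated as safe
        # Unmodelled function: this toy assumes taint passes through its arguments.
        return any(is_tainted(a, tainted) for a in split_top_level(args, ",") if a.strip())
    m = re.fullmatch(r"(\$\w+)(\s*\[.*\])?", expr, re.S)
    if m:                                      # variable or array element
        return m.group(1) in SOURCES or m.group(1) in tainted
    return False                               # string/number literal

def analyze(php_source):
    """Walk the statements in order; return the sinks that receive tainted data."""
    tainted, findings = set(), []
    for lineno, raw in enumerate(php_source.splitlines(), 1):
        stmt = strip_comment(raw).strip()
        if not stmt or stmt in ("<?php", "?>"):
            continue
        m = re.fullmatch(r"(\$\w+)\s*=(?!=)\s*(.+);", stmt)
        if m:                                  # assignment propagates (or kills) taint
            var, rhs = m.groups()
            if is_tainted(rhs, tainted):
                tainted.add(var)
            else:
                tainted.discard(var)
            continue
        m = re.fullmatch(r"(echo|print)\s+(.+);", stmt)
        if m and any(is_tainted(a, tainted) for a in split_top_level(m.group(2), ",")):
            findings.append(Finding(lineno, stmt))
    return findings

if __name__ == "__main__":
    for f in analyze(SAMPLE_PHP):
        print(f"Vulnerability detected! getstarted.php:{f.line}  {f.statement}")
```

Run as-is it flags lines 6, 9, 11 and 12 of the constructed sample: the plain `echo $b;`, the concatenation, the half-sanitised concatenation, and the call through an unmodelled function; `echo $a;` and `echo $d;` are not reported. Pixy's own report on the real getstarted.php points at line 11 of that file for the same reason it points at line 6 here: the value of $b comes straight from $_GET and reaches echo unchanged.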



  • Only handles PHP4-style code
    • try statements, private declarations, static declarations of functions, and PDO::xxxxx constants all produce a "Syntax error"
  • PHP files pulled in via require/include are also analysed
  • Classes and methods provided by external extensions are not analysed properly
    • You get "Warning: can't resolve method call (no definition found)"