DevBug – PHP Static Code Analysis
My final year university dissertation was on the topic of Static Code Analysis, specifically the integration of IDEs (Integrated Development Environments) with Static Code Analysis. The idea was to make Static Code Analysis accesible to the developer, without them having to install and use additional specialist Static Code Analysis software.
Due to my familiarity with PHP and its lack of interpreter taint analysis I decided that I would write a PHP Static Code Analysis application. The PHP Static Code Analysis tool I developed is called DevBug, it is an online PHP Static Code Analysis tool written mostly in JavaScript (jQuery). The Static Code Analysis engine uses the sources, securing functions and sinks data from the awesome RIPS Static Code Analysis tool to identify specific PHP functions that can cause or remediate user input caused vulnerabilities. DevBug uses Taint Analysis to identify tainted variables, follows the tainted variables through the code, untaints the variables if they are secured and finally detects whether or not tainted variables end up in in sensitive sinks.
The IDE used is called CodeMirror that provides a code editing area, syntax highlighting, line numbering and an API. CodeMirror was slightly modified to detect deprecated PHP functions and highlight them.
Old School hacking
Back in the late nineties, around 1999, my mother bought me my first computer. Around this time The Matrix movie was released which as a young boy with a new computer had me Yahoo’ing (Google was largely unknown) for the term ‘hacking’. Back then Yahoo! Chat was still around and had a chat room called the ‘Hackers Lounge’, everyone in there was talking about all sorts of cool things you could do with computers that I had never heard of before. With hindsight, most of the people in the chat room were script kiddies who knew how to run a few Windows GUI ‘hacking’ tools and largely acting like they were the kings of the Internet. At the time I wanted to learn about all of the cool things they knew. I started downloading and learning how to use these ‘hacking’ tools by the use of my guinea pig friends and family (my siblings soon grew tired of me remotely opening and closing their CD-ROM drives).
Some of these tools are still actively developed and used today, invaluable to conducting modern Penetration Testing and security audits. For the sake of nostalgia, I present to you some of the coolest most 1337 ‘hacking’ tools that I and others used ‘back in the day’. Warning: Download links not verified.
Legion by Rhino9
Use: Windows Null Session share scanner.
Released: 1999
Platform: Windows
Further Info: http://www.informit.com/articles/article.aspx?p=26263&seqNum=5
Download: http://packetstormsecurity.org/files/14711/legion.zip.html
