PHP TAINT – An extension used to detect XSS vulnerabilities

Some time ago, Xiaon and I discussed an idea: analyzing code at the PHP language level to find possible XSS vulnerabilities. At that time, I didn't know where to start.

Until last week, when I saw this RFC: RFC: taint.

The problem with this RFC, however, is that it requires patching PHP itself and modifying PHP's internal data structures, which is inconvenient for future maintenance and PHP upgrades, and carries some hidden risks.

Even so, this RFC gave me the inspiration, and so I finished this extension: Taint Extension

Using this extension is very simple (currently only PHP 5.2.6 ~ 5.3.10 is supported):

After downloading the source code, compile and install it. Then enable the extension in php.ini (it is recommended not to enable this extension in a production environment):

extension=taint.so
taint.enable=1

After enabling this extension, whenever data from $_GET, $_POST or $_COOKIE reaches one of the key functions (or statements: echo, print, system, exec, etc.) directly, that is, without escaping or secure filtering, Taint will warn you:

<?php
$a = $_GET['a'];

$file_name = '/tmp' . $a;
$output    = "Welcome, {$a} !!!";
$var       = "output";
$sql       = "select * from " . $a;
$sql      .= "ooxx";

echo $output;        // Warning: main(): Attempt to echo a string which might be tainted in xxx.php on line x
print $$var;         // Warning: main(): Attempt to print a string which might be tainted in xxx.php on line x
include($file_name); // Warning: include() [function.include]: File path contains data that might be tainted in xxx.php on line x
mysql_query($sql);   // Warning: mysql_query() [function.mysql-query]: First argument contains data that might be tainted in xxx.php on line x
?>
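To make the difference between a warned and an accepted flow visible, here is an added example (not code from the original post) that handles the same request data two ways. It assumes, as the example above shows, that $_GET values and any string built from them by interpolation, concatenation or .= are tainted, and that htmlspecialchars() counts as the "escaping" that clears the taint; the page names, file names and the request used are constructed for illustration.

```php
<?php
// Added example, not from the original post. Run it with taint.so loaded and
// taint.enable=1, as a request such as
//   /demo.php?name=%3Cscript%3Ealert(1)%3C/script%3E&p=../../etc/passwd
// (constructed input; with no parameters the fallbacks below are plain
// literals, so nothing is tainted and no warning appears).

// Request data is tainted as soon as it is read from $_GET.
$name = isset($_GET['name']) ? $_GET['name'] : 'guest';
$p    = isset($_GET['p'])    ? $_GET['p']    : 'home';

// --- vulnerable path: request data flows straight into an output sink ---
$greeting = "Hello, {$name}!";              // interpolation keeps the taint
$page     = '<h1>' . $greeting . '</h1>';   // so does concatenation
echo $page;   // Warning: Attempt to echo a string which might be tainted

// --- hardened path: escape for the HTML context before output ---
// Assumption: htmlspecialchars() is treated as secure filtering, so its
// result is no longer tainted and echo stays silent.
$safe_name = htmlspecialchars($name, ENT_QUOTES, 'UTF-8');
echo '<h1>Hello, ' . $safe_name . '!</h1>';   // no warning

// --- file-path sink: whitelist instead of escaping ---
// '/var/www/pages/' . $p would trigger "File path contains data that might
// be tainted". Looking the request value up in a fixed table means the
// string that reaches include() is one of our own literals, which is clean.
$pages = array('home' => 'home.php', 'about' => 'about.php');
$file  = isset($pages[$p]) ? $pages[$p] : $pages['home'];
$path  = '/var/www/pages/' . $file;       // constructed directory name
if (is_file($path)) {
    include $path;   // no warning: $path is built only from literals
}
?>
```

The two echo statements differ only in the escaping step, which is exactly the condition the extension checks for; the include shows that for non-HTML sinks the fix is to stop the request value from reaching the sink at all rather than to escape it.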

At present, because PHP 5.4 is not yet supported (the implementation for 5.4 depends on a new requirement that I will discuss with Dmitry), there is no download package yet; you can get the source code directly from GitHub: Taint on GitHub.

The above example shows simple usage; I will improve the documentation later.