PHP security scanner [closed]

Answer 1

Please be aware that NO automated security scanner will be able to detect all vulnerabilities in the code base. The best way to protect your code is to learn about how to write secure software, and do diligent code reviews.

Note, I'm not saying NOT to use a scanner. I'm saying use a scanner as a second line of defense only. Don't rely on it to make up for poor coding practices...

Answer 2

An old topic, but I notice no-one has mentioned the RIPS Scanner yet (see also the related project page on Sourceforge)

"RIPS is a free static source code analyser for vulnerabilities in PHP scripts"

I haven't tried it yet (just downloading it now), but it sounds like the kind of thing the question is looking for. And it's free (GPL licenced). (interesting to note that it was first released in June 2010, pretty much the same time this question was asked)

Sourceforge also threw up a few other projects:

• http://sourceforge.net/projects/securityscanner/
• http://sourceforge.net/projects/phpsecaudit/
• http://sourceforge.net/projects/yasca/

RIPS looks like it's a lot more well used than any of those others, but it might be worth trying them all, just to see.

Hope that helps

Answer 3

Yes, very good one:

Acunetix Web Security Scanner

Acunetix WVS automatically checks your web applications for SQL Injection, XSS & other web vulnerabilities.

Answer 4

Try the following scanners to detect potentially malicious PHP files:

• phpscanner;

  PHP scanner written in Python for identifying PHP backdoors and php malicious code. This tool is mainly reusing below mentioned tools. To use this tool, you need to install yara library for Python from the source.

• php-malware-finder;

  Does its very best to detect obfuscated/dodgy code as well as files using PHP functions often used in malwares/webshells. Detection is performed by crawling the filesystem and testing files against a set of YARA rules.

• php-malware-scanner;

  Scans the current working directory and display results with the score greater than the given value. Released under the MIT license.

For more tools, check: Malware scanner for websites code.