Hi,
Correction: Paros Proxy is owned and copyrighted by Chinotec Technologies Co.

OWASP provides another useful tool: WebScarab (http://www.owasp.org/index.php/OWASP_WebScarab_Project)

If you look for PHP security resources, http://www.owasp.org/index.php/Category:OWASP_PHP_Project can also be of help.

Regards,
Sebastien
Belgium OWASP Chapter Leader

_____

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of J. M. Seitz
Sent: Wednesday, 21 March 2007 17:03
To: 'Indrek Saar'; 'Secure Coding'
Subject: Re: [SC-L] statical analysis tools: language supports...

RATS will do PHP as well; there is a plugin for Eclipse that will do static analysis on PHP code, which is called Pixy. The next step would be to investigate some of the tools from SPI Dynamics; a few of them are black-box, but if you combine some black-box testing with some static analysis, and add some fuzzing with Paros Proxy or JBrofuzz (both from OWASP), you should see some success.

The other thing to consider is some of the settings in the .ini file; configuration in PHP speaks volumes about security: kill register_globals, check the magic_quotes value, etc. Be aware that calls to include() have to be 100% correctly sanitized or you are asking for local|remote file includes, etc. ad nauseam.

Anyways, hopefully this points you in the right direction.

JS

_____

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Indrek Saar
Sent: Wednesday, March 21, 2007 4:49 AM
To: Secure Coding
Subject: [SC-L] statical analysis tools: language supports...

Hi guys,

I have a question about source-code static analysis tools that are available on the market now. Are there tools that support C/C++, Java, PHP, Flash (ActionScript) all in one? Most of the tools support C/C++ and Java, but I have not found any that can also handle PHP. Do you know of some? Or have some information that some tool provider has plans for supporting PHP? And Flash.

Indrek Saar.
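The two PHP points J. M. Seitz raises above (the risky php.ini directives, and the rule that include() arguments must be strictly validated), as an added example that is not part of the thread. The directive names are real php.ini settings; the expected values, the page names, the allowlist and the temporary directory layout are assumptions made for the demo.

```php
<?php
// Added example, not code from the SC-L thread. It shows the two PHP
// points raised above: check the risky php.ini directives, and never let
// a request parameter reach include() without strict validation.
declare(strict_types=1);

// php.ini directives that weaken security when enabled, with the value
// they should have. register_globals and magic_quotes_gpc were removed in
// PHP 5.4, so ini_get() returns false for them on modern builds, which
// this script treats as "off". The list and expected values are assumptions.
const RISKY_DIRECTIVES = [
    'register_globals'  => '0', // request parameters become global variables
    'magic_quotes_gpc'  => '0', // gives a false sense of escaping
    'allow_url_include' => '0', // lets include() fetch remote URLs
    'allow_url_fopen'   => '0', // lets the file functions fetch remote URLs
    'display_errors'    => '0', // leaks paths and queries to end users
];

/** Normalise an ini value ("On", "1", "Off", "", false) to "1" or "0". */
function ini_flag($value): string
{
    if ($value === false || $value === '' || $value === '0') {
        return '0';
    }
    return strcasecmp((string) $value, 'off') === 0 ? '0' : '1';
}

/** Return the directives whose live value differs from the expected one. */
function weak_ini_settings(array $expected = RISKY_DIRECTIVES): array
{
    $findings = [];
    foreach ($expected as $name => $want) {
        $actual = ini_flag(ini_get($name));
        if ($actual !== $want) {
            $findings[$name] = $actual;
        }
    }
    return $findings;
}

// Unsafe pattern the thread warns about: the parameter reaches include()
// unchanged, so a traversal string becomes a local file include and, with
// allow_url_include on, a URL becomes a remote one.
//     include($_GET['page'] . '.php');   // DO NOT USE

/**
 * Safe pattern: accept only names from a fixed allowlist and confirm that
 * the resolved file still lives inside $baseDir. Returns the path to
 * include, or null when the request must be rejected.
 */
function resolve_page(string $requested, string $baseDir, array $allowed): ?string
{
    if (!in_array($requested, $allowed, true)) {
        return null; // not an allowed page name
    }
    $base = realpath($baseDir);
    $path = realpath($baseDir . DIRECTORY_SEPARATOR . $requested . '.php');
    if ($base === false || $path === false) {
        return null; // directory or page file does not exist
    }
    // realpath() has collapsed any "..", so a prefix check is sufficient.
    if (strpos($path, $base . DIRECTORY_SEPARATOR) !== 0) {
        return null; // resolved outside the templates directory
    }
    return $path;
}

// Demo with a constructed templates directory (hypothetical page names).
$templates = sys_get_temp_dir() . DIRECTORY_SEPARATOR . 'demo_pages_' . getmypid();
mkdir($templates);
file_put_contents($templates . '/home.php',  "<?php echo 'home';\n");
file_put_contents($templates . '/about.php', "<?php echo 'about';\n");
$allowed = ['home', 'about'];

foreach (['home', 'about', 'admin', '../../../../etc/passwd', 'http://example.invalid/x'] as $req) {
    $path = resolve_page($req, $templates, $allowed);
    printf("%-28s -> %s\n", $req, $path === null ? 'rejected' : 'include ' . basename($path));
}

foreach (weak_ini_settings() as $name => $value) {
    echo "weak setting: $name is on\n";
}

unlink($templates . '/home.php');
unlink($templates . '/about.php');
rmdir($templates);
```

Run it with `php demo.php` on the web server's own PHP build so that ini_get() reports the values the application actually runs with; the CLI and the web SAPI can load different php.ini files, so a clean CLI result does not by itself clear the web configuration. The allowlist plus realpath() prefix check is deliberately redundant: the allowlist alone stops traversal, and the prefix check catches a later mistake such as a symlink inside the templates directory.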
_______________________________________________
Secure Coding mailing list (SC-L) SC-L@securecoding.org
List information, subscriptions, etc - http://krvw.com/mailman/listinfo/sc-l
List charter available at - http://www.securecoding.org/list/charter.php
SC-L is hosted and moderated by KRvW Associates, LLC (http://www.KRvW.com) as a free, non-commercial service to the software security community.
_______________________________________________