Slashdot Mirror


New PHP Interpreter Finds XSS, Injection Holes

rkrishardy writes "A group of researchers from MIT, Stanford, and Syracuse has developed a new program, named 'Ardilla,' which can analyze PHP code for cross-site scripting (XSS) and SQL injection attack vulnerabilities. (Here is the paper, in PDF, and a table of results from scanning six PHP applications.) Ardilla uses a modified Zend interpreter to analyze the code, trace the data, and determine whether the threat is real or not, significantly decreasing false positives." Unfortunately, license issues prevent the tool in its current form from being released as open source.
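To make the "trace the data, then decide whether the threat is real" idea concrete, here is a toy model I added for this mirror (it is not Ardilla's code and has nothing to do with its Zend patch): values carry a taint bit through concatenation, four stand-ins for small PHP snippets are run, and a finding is reported only when a constructed probe actually changes the structure of what reaches the SQL or HTML sink. The snippet names, the probe strings and the escaping stand-ins are my own assumptions.

```python
# Toy model of interpreter-level taint tracking with concrete confirmation.
import html
import re

class Val:
    """A runtime string plus a taint bit, as a modified interpreter could carry."""
    def __init__(self, text, tainted=False):
        self.text, self.tainted = text, tainted
    def __add__(self, other):             # string concatenation propagates taint
        return Val(self.text + other.text, self.tainted or other.tainted)

def request_param(value):                 # source: anything from the client is tainted
    return Val(value, tainted=True)

def sql_escape(v):                        # models mysql_real_escape_string(); the result
    escaped = v.text.replace("\\", "\\\\").replace("'", "\\'")
    return Val(escaped, v.tainted)        # is still input-derived, so taint is kept

def html_escape(v):                       # models htmlspecialchars(); taint likewise kept
    return Val(html.escape(v.text, quote=True), v.tainted)

SQL = "SELECT * FROM users WHERE name = '"
def vulnerable_sql(name):   # PHP: $q = "... WHERE name = '" . $_GET['name'] . "'";
    return "sql", Val(SQL) + name + Val("'")
def escaped_sql(name):      # PHP: same query, value passed through mysql_real_escape_string()
    return "sql", Val(SQL) + sql_escape(name) + Val("'")
def vulnerable_echo(name):  # PHP: echo "<p>Hello " . $_GET['name'] . "</p>";
    return "html", Val("<p>Hello ") + name + Val("</p>")
def escaped_echo(name):     # PHP: echo "<p>Hello " . htmlspecialchars($_GET['name']) . "</p>";
    return "html", Val("<p>Hello ") + html_escape(name) + Val("</p>")

def sql_structure(query):
    """Blank out string literals; a probe that changes this has left the literal."""
    return re.sub(r"'(?:\\.|[^'\\])*'", "'?'", query)

def analyse(script):
    """Report only when taint reaches the sink AND a probe alters the sink's structure."""
    kind, benign = script(request_param("alice"))      # constructed benign request
    if not benign.tainted:
        return None                       # sink does not depend on request data at all
    kind, probed = script(request_param("alice'" if kind == "sql" else "alice<b>"))
    if kind == "sql":
        real = sql_structure(probed.text) != sql_structure(benign.text)
    else:
        real = "<b>" in probed.text       # markup reached the response unescaped
    return f"{kind}: confirmed" if real else None   # None = taint-only false positive

if __name__ == "__main__":
    for s in (vulnerable_sql, escaped_sql, vulnerable_echo, escaped_echo):
        print(s.__name__, "->", analyse(s))
```

Running it reports the two unescaped snippets and stays silent on the two escaped ones, even though taint reaches the sink in all four; that silence is the false-positive reduction the summary refers to.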

3 of 66 comments

  1. Looks Like We Have A New Champion... by bhunachchicken · Score: -1, Offtopic

    Things I'd like to get my hands on...

    1. That Shiny New PHP Interpreter
    2. Megan Fox's Tits
    3. A Winning Lottery Ticket
    4. True Happiness
  2. Re:This somehow ... by Anonymous Coward · Score: -1, Offtopic

    Reminds me of CmdrTaco's taint: hairy, sweaty, and cakes in shit, semen, and blood.

  3. Re:Already made one by moderatorrater · Score: -1, Offtopic

    I find it deliciously ironic that you're using perl to mock php on the same day that the slashcode team apparently decided that they hadn't fucked this site up enough in the past few months. Of course, just because slashdot can't write perl worth a shit doesn't mean that all perl is bad, but if we were to take that attitude, I'm guessing the majority of the criticisms against php would dry up as well.

    Did I mention that I'm really, really fucking tired of having slashdot render badly because they can't do a half-decent job of quality control or even, you know, click through the damn site with the new code before pushing it to the live servers? Seriously, slashdot coders, this is unacceptable. If my team released half the mistakes that you have in the past few months, we'd all be fired and probably end up committing suicide because we'd be forced to admit that we were terrible coders who'd never amount to anything in life.