2. General Information
● PHP static source code analyzer,
● Based on PIXY,
● Author: Johannes Dahse,
● Released: 24 May 2010,
● Last version: 0.54,
● Open source,
● http://sourceforge.net/projects/rips-scanner/,
● Requires a web server and a browser (Firefox),
● Languages: PHP (partial support for object-oriented code),
● Vulnerabilities: SQL Injection, Cross-Site Scripting, File Inclusion and more.
3. Web application security
● “A web application security vulnerability can occur when data supplied by the user (e.g. GET, POST parameters) is not sanitized correctly and used in critical operations of the dynamic script. Then an attacker might be able to inject code that changes the behaviour and result of the operation during the script execution in an unexpected way.”
Johannes Dahse - RIPS: A static source code analyser for vulnerabilities in PHP scripts
4. RIPS context (1)
● Taint-style vulnerabilities = tainted data + sensitive sinks,
● Tainted data - untrusted sources such as user-supplied data: GET or POST parameters, cookie values, the user agent, database entries or files.
● Sensitive sinks - vulnerable parts of the program,
  - potentially vulnerable functions (PVF),
  - should be called only with trusted or sanitized data,
  - execute critical operations.
● An attacker may influence the data passed to a PVF and read, modify or delete data, or attack the web server or a client.
5. RIPS context (2)
Johannes Dahse - RIPS A static source code analyser for vulnerabilities in PHP scripts
6. Technical details
● Tokens - the code is split into tokens (e.g. opening tag, closing tag, string) which are then analyzed,
● PVF - functions through which vulnerabilities can be introduced; currently 287,
● RIPS traces back whether the relevant parameters of the PVFs could be tainted by the user,
● Verbosity levels - 5 levels (the default is 1):
  1 - traces tainted PVFs without any securing actions applied,
  2 - files and local DBs are treated as potentially malicious,
  3 - shows PVFs even if securing actions have been applied,
  4 - displays additional information about code structure,
  5 - shows all PVF calls and associated traces.
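As an added illustration of the mechanism described on slides 4 and 6 (tokens, tainted sources, PVFs, tracing an argument back to a source, securing actions, verbosity levels 1 and 3), the following Python script is a toy taint tracer written by the editor for this page; it is not RIPS code and does not reproduce RIPS' algorithm. The two PHP scripts are constructed samples, and the PVF and securing-function tables are assumed, reduced to three entries each.

```python
import re

# Tainted sources as on slide 4: user-supplied superglobals.
SOURCES = {"$_GET", "$_POST", "$_COOKIE", "$_REQUEST", "$_SERVER"}
# Assumed, reduced PVF table (sink -> vulnerability class); RIPS 0.54 ships 287 PVFs.
PVFS = {"mysql_query": "SQL Injection", "echo": "Cross-Site Scripting", "include": "File Inclusion"}
# Assumed, reduced table of securing actions per vulnerability class.
SECURING = {"SQL Injection": {"mysql_real_escape_string", "intval"},
            "Cross-Site Scripting": {"htmlspecialchars", "htmlentities", "intval"},
            "File Inclusion": {"basename", "intval"}}
TOKEN_RE = re.compile(r"""(?P<comment>//[^\n]*|\#[^\n]*|/\*.*?\*/)|(?P<tag><\?php|\?>)
    |(?P<var>\$[A-Za-z_]\w*)|(?P<name>[A-Za-z_]\w*)|(?P<str>'(?:[^'\\]|\\.)*'|"(?:[^"\\]|\\.)*")
    |(?P<op>\.=|=|\.|\(|\)|\[|\]|,|;)|(?P<ws>\s+)""", re.VERBOSE | re.DOTALL)

# Constructed PHP samples: the same script before and after securing actions.
VULNERABLE = r"""<?php
$id = $_GET['id'];
$sql = "SELECT * FROM users WHERE id = " . $id;
$res = mysql_query($sql);
echo "Hello " . $_GET['name'];
include $_COOKIE['page'] . ".php";
"""
HARDENED = r"""<?php
$id = intval($_GET['id']);
$sql = "SELECT * FROM users WHERE id = " . $id;
$res = mysql_query($sql);
echo "Hello " . htmlspecialchars($_GET['name']);
include basename($_COOKIE['page']) . ".php";
"""

def tokenize(code):
    """(kind, text) tokens without whitespace, comments and PHP tags; interpolation
    inside double-quoted strings is not modelled."""
    return [(m.lastgroup, m.group()) for m in TOKEN_RE.finditer(code)
            if m.lastgroup not in ("ws", "comment", "tag")]

def _closing_paren(tokens, i):
    # index of the ')' matching the '(' at tokens[i]; len(tokens) if unbalanced
    depth = 0
    for j in range(i, len(tokens)):
        if tokens[j] == ("op", "("):
            depth += 1
        elif tokens[j] == ("op", ")"):
            depth -= 1
            if depth == 0:
                return j
    return len(tokens)

def taint_of(tokens, env):
    """Taint paths {(source label, frozenset of functions wrapping it)} reaching
    an expression; variables assigned earlier are looked up in env."""
    paths, i = set(), 0
    while i < len(tokens):
        kind, text = tokens[i]
        if kind == "name" and tokens[i + 1:i + 2] == [("op", "(")]:   # f(...): taint of the
            j = _closing_paren(tokens, i + 1)                           # inner expression
            for src, wrapped in taint_of(tokens[i + 2:j], env):        # passes through f
                paths.add((src, wrapped | {text}))
            i = j + 1
            continue
        if kind == "var" and text in SOURCES:
            nxt = tokens[i + 1:i + 4]                  # keep the key: $_GET['id']
            if len(nxt) == 3 and nxt[0] == ("op", "[") and nxt[1][0] == "str" and nxt[2] == ("op", "]"):
                text = f"{text}[{nxt[1][1]}]"
            paths.add((text, frozenset()))
        elif kind == "var" and text in env:
            paths |= env[text]
        i += 1
    return paths

def scan(code, verbosity=1):
    """Trace every PVF argument back to tainted sources, statement by statement.
    Verbosity 1 reports only traces without a securing action, verbosity 3 also
    the secured ones; RIPS levels 2, 4 and 5 are not modelled here."""
    env, findings, stmts, cur = {}, [], [], []
    for tok in tokenize(code):
        if tok == ("op", ";"):
            stmts.append(cur)
            cur = []
        else:
            cur.append(tok)
    for stmt in stmts + [cur]:
        for i, (kind, text) in enumerate(stmt):                 # sinks, nested calls too
            if kind != "name" or text not in PVFS:
                continue
            vuln = PVFS[text]
            if stmt[i + 1:i + 2] == [("op", "(")]:
                args = stmt[i + 2:_closing_paren(stmt, i + 1)]
            else:                                               # echo $x; include $f;
                args = stmt[i + 1:]
            for src, wrapped in sorted(taint_of(args, env), key=lambda p: (p[0], sorted(p[1]))):
                secured = sorted(wrapped & SECURING[vuln])
                if secured and verbosity < 3:
                    continue
                findings.append({"pvf": text, "vuln": vuln, "source": src, "secured_by": secured})
        if len(stmt) >= 3 and stmt[0][0] == "var" and stmt[1] in (("op", "="), ("op", ".=")):
            var, new = stmt[0][1], taint_of(stmt[2:], env)      # assignment updates env
            env[var] = (env.get(var, set()) | new) if stmt[1][1] == ".=" else new
    return findings

if __name__ == "__main__":
    for label, code in (("vulnerable", VULNERABLE), ("hardened", HARDENED)):
        for level in (1, 3):
            print(f"--- {label} sample, verbosity {level}")
            for f in scan(code, level):
                state = ("secured by " + ", ".join(f["secured_by"])) if f["secured_by"] else "UNSECURED"
                print(f"  {f['vuln']}: {f['source']} reaches {f['pvf']}() [{state}]")
```

Run stand-alone, the vulnerable sample yields three unsecured traces at verbosity 1 (`$_GET['id']` to `mysql_query()`, `$_GET['name']` to `echo`, `$_COOKIE['page']` to `include`), the hardened sample yields none at verbosity 1 and the same three traces marked as secured at verbosity 3. Two caveats apply to the hardened sample as much as to any static verdict: `basename()` only confines the included file to the current directory and should be paired with an allow-list, and the `mysql_*` functions used here for period accuracy were removed in PHP 7.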
7. Usage
● Easy to understand, with a simple web interface,
● Mechanism: RIPS is itself a PHP application; deploy it together with the code to be analyzed on a local web server and run the scan from the browser.
10. Future work
● Full object-oriented programming support,
● All PHP code semantics, such as variable aliases,
● Evaluation of dynamic strings at runtime (e.g. names of included files).