In association with heise online

25 July 2006, 10:33

Tool checks PHP applications for errors


Hardly a day goes by now without a new security problem in a web-based application. Vulnerability classes like "SQL injection", "cross-site scripting" and "remote code injection" have become part of the daily routine for security-minded web developers. With Chorizo, the PHP development house Mayflower has now released a web application security scanner that is meant to help programmers and administrators check their own web projects for vulnerabilities.

The scanner, named after the Argentinean sausage, is offered as a hosted service (ASP model) rather than as a download. It can either be configured in the browser as a proxy, so that the pages visited are inspected as they are loaded, or driven through a web form into which the URLs to be tested are entered. Anyone who wants to check no more than a single host name (their own private home page, for example) can use it free of charge, albeit in a restricted form: several of the features are not available. Before testing, customers must first copy a small text file into the root directory of the domain to prove that they actually control the website to be tested. Google uses a similar process to verify ownership of sitemaps.
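The ownership proof described above is a simple protocol, but the check has to be done carefully: it must compare the published file against a token that the service itself issued for exactly that host, and it must refuse answers that were not actually served by that host. The following is an added illustration of such a check, not Chorizo's own code; the file name `chorizo-verification.txt`, the function names and the sample responses are all assumptions for the example, and the HTTP fetch is injected so the check runs offline.

```python
import hmac
import secrets
from urllib.parse import urlsplit

# Assumed file name: the article only says "a small text file in the root
# directory", not what Chorizo actually calls it.
VERIFICATION_FILE = "chorizo-verification.txt"


def issue_token(host: str, store: dict) -> str:
    """Mint a fresh, unguessable token for `host` and remember it.

    The customer must publish exactly this token at
    http://<host>/<VERIFICATION_FILE> before a scan of <host> is allowed.
    """
    token = secrets.token_hex(16)          # 128 bits of randomness
    store[host.lower()] = token
    return token


def verify_ownership(host: str, store: dict, fetch) -> bool:
    """Return True only if `host` serves the token issued for it.

    `fetch(url)` must return (final_url, status_code, body) and follow
    redirects itself, so that `final_url` says where the bytes really
    came from. It is injected here so the check can be run offline.
    """
    host = host.lower()
    expected = store.get(host)
    if expected is None:                   # no token was ever issued for this host
        return False

    final_url, status, body = fetch(f"http://{host}/{VERIFICATION_FILE}")

    # A redirect to some other host means a third party answered, not the
    # site under test: a 301 from example.com to attacker.invalid must not count.
    if (urlsplit(final_url).hostname or "").lower() != host:
        return False
    if status != 200:
        return False

    # Constant-time comparison of the published token with the issued one.
    return hmac.compare_digest(body.strip().encode(), expected.encode())


# --- constructed demo responses, not real traffic ----------------------------
def demo() -> dict:
    """Run the check against a few constructed responses for example.com."""
    store = {}
    token = issue_token("example.com", store)

    responses = {
        # customer copied the file correctly
        "good": ("http://example.com/" + VERIFICATION_FILE, 200, token + "\n"),
        # file exists but holds someone else's (or a stale) token
        "wrong": ("http://example.com/" + VERIFICATION_FILE, 200, "deadbeef"),
        # site redirects the request to a host the customer does not control
        "redirect": ("http://attacker.invalid/" + VERIFICATION_FILE, 200, token),
        # file never uploaded
        "missing": ("http://example.com/" + VERIFICATION_FILE, 404, "Not Found"),
    }

    results = {}
    for name, response in responses.items():
        results[name] = verify_ownership("example.com", store,
                                         lambda url, r=response: r)
    return results


if __name__ == "__main__":
    print(demo())   # {'good': True, 'wrong': False, 'redirect': False, 'missing': False}
```

Only the "good" case passes: a stale or foreign token, a redirect to another host, and a missing file are all rejected. A real implementation would additionally bind the token to the customer account and let it expire, so that a file left lying around in a document root cannot be reused later.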

If the test turns up any of the several hundred SQL injection, code injection or cross-site scripting holes it knows, or any of the other common attack scenarios, paying customers can view a PDF report that diagnoses the holes and suggests possible fixes. This even includes a checklist for development teams. Short code fragments, so far unfortunately only in PHP, are intended to help resolve the security bugs. Mayflower says it places a strong emphasis on privacy: connection and usage data from the proxy server are stored in encrypted form on the Chorizo servers and cannot be viewed by its employees or by third parties. For 289 euro, customers can have up to five hosts tested for one year. (Christopher Kunz)

(ehe)

Permalink: http://h-online.com/-731268