PHP is the most widely used programming language for powering websites. With over 75% of websites running on this technology, it is no wonder that PHP continues to enjoy the preferred status as the top language for web development. At the same time, its popularity makes it vulnerable to cyber-attacks.
Hackers are constantly looking out for loopholes in PHP-hosted websites. Luckily, there is a large enough PHP community across the world that cares about these issues. As a result, we have seen a plethora of PHP vulnerability scanners emerging as potential saviors to those millions of web hosting servers that run on PHP.
In this article, we explore the world of PHP vulnerability scanners, how you can leverage these PHP scanner tools to guard against cybersecurity issues, and review the best PHP scanners in the market.
What is a PHP Vulnerability?
A PHP vulnerability is a security flaw in a PHP web application that an attacker can exploit.
Imagine you have a highly secure vault that stores your valuable items. To ensure the vault’s security, you have implemented various security measures, including a robust locking mechanism and surveillance cameras. Let’s say you are unaware of a hidden flaw in the locking mechanism. This flaw allows an intruder to bypass the lock and gain unauthorized access to the valuable items in the vault without triggering any alarms or alerts. Your PHP application is like a secure vault, and the flaw in the locking mechanism represents a PHP vulnerability.
Various types of vulnerabilities can crop up in a PHP application. From uploading spurious files to injecting malicious code, these vulnerabilities have the potential to stall the application functionality or steal data. Given the attention that cyber security commands in today’s highly connected world powered by the Internet, these vulnerabilities pose a serious problem for any commercially successful PHP-hosted web application.
How are PHP vulnerabilities detected by scanning?
PHP vulnerabilities can be detected by scanning the PHP application.
Scanning the PHP code can reveal vulnerabilities caused by improper handling of input data.
For example, a piece of PHP code can pass request input directly into a database query:
<?php
// Vulnerable example: the request parameter is used exactly as received.
$userid = $_GET['userid'];
$conn = new mysqli('localhost', 'username', 'password', 'database');
// The untrusted value is concatenated straight into the SQL statement text.
$result = $conn->query("SELECT * FROM users WHERE id = $userid");
// ... rest of the code ...
?>
In the above code, the userid parameter from the HTTP request is concatenated directly into the SQL query. An attacker can send a request with userid set to 1 OR 1=1, which turns the WHERE clause into one that is always true and forces the query to return every row of the users table. This is known as SQL injection.
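The same lookup written so that request input can never become SQL, as an added example that is not part of the original article. It uses a prepared statement with a bound parameter and validates the shape of the id first; the host, credentials and column names are placeholders.

```php
<?php
// Added example (not from the original article): the same lookup written with a
// prepared statement, so the user-supplied id can never be interpreted as SQL.
// Host, credentials and column names are placeholders, not the article's.
declare(strict_types=1);

function findUserById(mysqli $conn, string $rawId): ?array
{
    // Validate the shape first: a user id must be a positive integer.
    // "1 OR 1=1" fails this check and is rejected before the database is touched.
    if (!preg_match('/^[1-9][0-9]{0,17}$/', $rawId)) {
        return null;
    }
    $userId = (int) $rawId;

    // The query text is fixed; the value travels separately as a bound parameter,
    // so the database driver never parses it as part of the statement.
    $stmt = $conn->prepare('SELECT id, username, email FROM users WHERE id = ?');
    $stmt->bind_param('i', $userId);
    $stmt->execute();

    $row = $stmt->get_result()->fetch_assoc();
    $stmt->close();

    return $row ?: null;
}

// Throw exceptions on driver errors instead of silently returning false.
mysqli_report(MYSQLI_REPORT_ERROR | MYSQLI_REPORT_STRICT);
$conn = new mysqli('localhost', 'username', 'password', 'database');

// A parameter can arrive as an array (?userid[]=1); only accept a plain string.
$raw  = $_GET['userid'] ?? '';
$user = is_string($raw) ? findUserById($conn, $raw) : null;

if ($user === null) {
    http_response_code(404);
    exit('User not found');
}
header('Content-Type: application/json');
echo json_encode($user);
```

The input check is a defence in depth measure, not the fix itself: the prepared statement alone already prevents injection, because the database receives the statement and the value through separate channels. The same pattern applies with PDO and `bindValue()`.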
Another form of vulnerability is related to uncontrolled access to the filesystem.
<?php
// Vulnerable example: the client chooses both the file content and the file name.
$file = $_FILES['uploaded_file'];
// Stored under the client-supplied name, inside a directory the web server serves.
move_uploaded_file($file['tmp_name'], '/uploads/' . $file['name']);
?>
In this case, a user can upload any file, including a PHP script, under a name of their choosing. If the web server is configured to execute PHP files from the upload directory, this leads to remote code execution (RCE).
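A hardened version of the upload handler, added here as an example that is not part of the original article. The server decides the file name and extension, checks the real content type rather than the client-supplied one, and stores the file outside the document root so it can never be served or executed as code. The directory path, size limit and allowed types are assumptions for this example; it relies on PHP's fileinfo extension.

```php
<?php
// Added example (not from the original article): upload handling where the user
// controls neither the stored name nor the type, and the file is never executable.
// UPLOAD_DIR, MAX_BYTES and ALLOWED_TYPES are assumptions for this example.
declare(strict_types=1);

const UPLOAD_DIR    = '/var/app/uploads';   // outside the web server's document root
const MAX_BYTES     = 2 * 1024 * 1024;      // 2 MiB
const ALLOWED_TYPES = [                     // sniffed MIME type => extension we assign
    'image/png'       => 'png',
    'image/jpeg'      => 'jpg',
    'application/pdf' => 'pdf',
];

/** Stores one entry of $_FILES and returns the server-generated file name. */
function storeUpload(array $file): string
{
    $err = $file['error'] ?? UPLOAD_ERR_NO_FILE;
    if ($err !== UPLOAD_ERR_OK) {
        throw new RuntimeException("Upload failed with code $err");
    }
    if (($file['size'] ?? 0) > MAX_BYTES) {
        throw new RuntimeException('File too large');
    }

    // Never trust $file['type'] or $file['name']: both are sent by the client.
    // Sniff the actual content and map it to an extension we choose ourselves.
    $mime = (new finfo(FILEINFO_MIME_TYPE))->file($file['tmp_name']);
    if (!array_key_exists($mime, ALLOWED_TYPES)) {
        throw new RuntimeException("Unsupported type: $mime");
    }

    // Random server-side name: no path traversal, no ".php", no collisions.
    $name = bin2hex(random_bytes(16)) . '.' . ALLOWED_TYPES[$mime];
    $dest = UPLOAD_DIR . '/' . $name;

    if (!move_uploaded_file($file['tmp_name'], $dest)) {
        throw new RuntimeException('Could not store file');
    }
    chmod($dest, 0644); // readable by the application, never executable
    return $name;
}

try {
    $stored = storeUpload($_FILES['uploaded_file'] ?? []);
    echo "Stored as $stored";
} catch (RuntimeException $e) {
    http_response_code(400);
    echo 'Upload rejected';
    error_log($e->getMessage()); // details go to the log, not to the client
}
```

Because the files live outside the document root, they are delivered through an application endpoint that sets its own Content-Type and Content-Disposition headers. Even if the directory must be web-accessible, the server should be configured so that no script handler applies to it; the random name and server-chosen extension remove the other preconditions for the RCE described above.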
What does a PHP Scanner do?
A PHP vulnerability scanner runs extensive checks on a PHP web application’s code and runtime configuration to unearth possible vulnerabilities. PHP Scanners employ several techniques ranging from static code analysis to dynamic analysis.
Static analysis involves examining the source code without executing it. The scanner parses the code into an internal representation and matches it against patterns known to indicate vulnerabilities. This is static application security testing (SAST). In dynamic analysis, a PHP scanner sends specially crafted inputs to the running PHP application and observes the resulting behavior. This is dynamic application security testing (DAST), which can detect vulnerabilities such as SQL injection, Cross-Site Scripting (XSS), and Cross-Site Request Forgery (CSRF).
A comprehensive vulnerability analysis typically combines both approaches, since each catches flaws the other misses. In most cases, static PHP scanners are integrated into the CI/CD pipeline of the web development project to detect code-level security vulnerabilities early on. Similarly, dynamic PHP scanners, also known as web application scanners, are integrated with SIEM (Security Information and Event Management) tools to manage evolving security risks as the application runs. A SIEM allows proper interpretation of the results and the context surrounding the security vulnerabilities and helps manage the workflows related to fixing and mitigating the associated risks.
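To make the static-analysis idea concrete, here is a toy taint scanner built on PHP's own tokenizer. It is an added example, not code from the article or from any of the scanners reviewed below: it tokenizes source text without running it, remembers which variables were assigned from request superglobals, and reports statements where such a variable reaches a dangerous function. The source and sink lists are assumptions for the example; real SAST tools work on a full syntax tree with far richer rules and sanitizer models.

```php
<?php
// Added example, not part of the article or of any scanner it reviews: a toy
// static analyser built on token_get_all(). It tracks which variables are
// assigned from request superglobals and reports statements where such a
// variable reaches a dangerous function. Source and sink lists are assumptions.
// Requires PHP 7.4 or later.
declare(strict_types=1);

const TAINT_SOURCES = ['$_GET', '$_POST', '$_REQUEST', '$_COOKIE', '$_FILES'];
const TAINT_SINKS   = ['query', 'exec', 'system', 'shell_exec', 'passthru',
                       'move_uploaded_file', 'unserialize', 'file_put_contents'];
const SINK_TOKENS   = [T_EVAL, T_INCLUDE, T_INCLUDE_ONCE, T_REQUIRE, T_REQUIRE_ONCE];
const SKIP_TOKENS   = [T_WHITESPACE, T_COMMENT, T_DOC_COMMENT, T_OPEN_TAG, T_CLOSE_TAG];

/** Split the token stream into statements: runs of tokens ending in ';', '{' or '}'. */
function splitStatements(string $code): array
{
    $stmts = [];
    $cur   = [];
    foreach (token_get_all($code) as $tok) {
        // Drop whitespace, comments and PHP tags so positional checks stay simple.
        if (is_array($tok) && in_array($tok[0], SKIP_TOKENS, true)) {
            continue;
        }
        $cur[] = $tok;
        if ($tok === ';' || $tok === '{' || $tok === '}') {
            $stmts[] = $cur;
            $cur     = [];
        }
    }
    if ($cur !== []) {
        $stmts[] = $cur;
    }
    return $stmts;
}

/** Returns one ['line' => int, 'sink' => string, 'via' => string] entry per finding. */
function scanForTaint(string $code): array
{
    $tainted  = [];   // variable name => the request source it was derived from
    $findings = [];

    foreach (splitStatements($code) as $toks) {
        $via = $sink = $line = null;

        foreach ($toks as $tok) {
            if (!is_array($tok)) {
                continue;   // single-character tokens such as '(' or '='
            }
            [$id, $text, $ln] = $tok;
            $line ??= $ln;
            if ($id === T_VARIABLE) {
                // Variables inside double-quoted strings are emitted as T_VARIABLE
                // too, so interpolation into a query string is caught as well.
                if (in_array($text, TAINT_SOURCES, true)) {
                    $via = $text;
                } elseif (isset($tainted[$text])) {
                    $via = $tainted[$text];
                }
            } elseif (($id === T_STRING && in_array(strtolower($text), TAINT_SINKS, true))
                      || in_array($id, SINK_TOKENS, true)) {
                $sink = $text;
            }
        }

        // "$x = <expression containing tainted data>;" makes $x tainted as well.
        if ($via !== null && isset($toks[1]) && $toks[1] === '='
            && is_array($toks[0]) && $toks[0][0] === T_VARIABLE) {
            $tainted[$toks[0][1]] = $via;
        }
        if ($via !== null && $sink !== null) {
            $findings[] = ['line' => $line, 'sink' => $sink, 'via' => $via];
        }
    }
    return $findings;
}

// Constructed sample input: the two snippets from the article plus one safe query.
$sample = <<<'SRC'
<?php
$userid = $_GET['userid'];
$conn = new mysqli('localhost', 'username', 'password', 'database');
$result = $conn->query("SELECT * FROM users WHERE id = $userid");
$file = $_FILES['uploaded_file'];
move_uploaded_file($file['tmp_name'], '/uploads/' . $file['name']);
$count = $conn->query('SELECT COUNT(*) FROM users');
SRC;

foreach (scanForTaint($sample) as $f) {
    printf("line %d: %s() receives data derived from %s\n", $f['line'], $f['sink'], $f['via']);
}
```

Run against the constructed sample, the scanner reports the `query()` call on line 4 (data derived from `$_GET` through `$userid`) and the `move_uploaded_file()` call on line 6 (derived from `$_FILES` through `$file`), and stays silent on the constant query on line 7. It has no notion of sanitizers, so a validated `(int) $_GET['id']` would still be flagged; modelling escapes and validation is exactly what distinguishes a production SAST engine from this sketch.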
Best PHP Scanners Compared Side-by-side
Tool | Free | Static / Dynamic Scanning | PHP only | CLI / UI | USP
---|---|---|---|---|---
PHPStan | Yes | Static | Yes | CLI | Very popular with over 12k GitHub stars
SonarPHP | Yes | Static | No | UI | Part of SonarQube, which is widely used in enterprises
Guardrails | Yes | Dynamic | No | UI | One of the best DAST tools
Acunetix | No | Dynamic | No | UI | Wide adoption across various industries
Snyk | Yes | Dynamic | No | UI | AI-powered security scanning
Exakat | Yes | Static | Yes | UI | Automated code fixing
Psalm | Yes | Static | Yes | CLI | Inline security scanning in editor
Best PHP Scanners of 2023
1. PHPStan
Best for: Small to medium software projects
PHPStan is an open-source static scanner that analyzes PHP source code for vulnerabilities across several levels of checks. It supports PHP version 7.2 and above. Framework-specific extensions check that code follows a framework's conventions, and other extensions cover scenarios related to object-oriented programming, exception handling, and beyond.
Top Features:
- PHPStan is a good tool for finding bugs related to types, variables, syntax, etc., and for detecting security issues such as unvalidated inputs, unsafe functions, and filesystem issues.
- PHPStan offers extensions for popular PHP frameworks and libraries like Symfony, Laravel, and Doctrine.
Pros:
- A very popular tool in the open-source community with over 11k stars.
- Web UI for analyzing errors
- Continuous analysis for scanning changed files in the background.
Cons:
- Not a standalone security analyzer.
- Less useful if Laravel, Symfony, Doctrine, or PHP magic methods are not used.
Pricing:
PHPStan is free and open source. The PHPStan Pro extension is available starting at €7/month.
2. SonarPHP
Best for: Medium to large software projects
SonarPHP is an open-source static code analyzer for the PHP language, used as an extension for the popular SonarQube platform. It helps produce production-grade, stable PHP code by identifying bugs, vulnerabilities, and code smells. It supports up to PHP 8 and offers self-managed and cloud-based deployment for CI/CD workflows.
Top Features:
- SonarPHP supports over 200 rules for static analysis checks
- SonarPHP supports the writing of custom rules through RulesDefinition interface
Pros:
- It is part of the SonarQube ecosystem, which is very popular and supports SonarLint IDE extension.
- Extensive security analysis covering OWASP and CWE guidelines
Cons:
- SonarQube is more than just a tool and requires complex setup and configuration.
- License costs are high for generating detailed security reports.
Pricing:
The SonarQube community edition is available for free. The self-managed license of SonarQube starts from $150/year. The cloud-hosted license of SonarQube starts from $10/month for 100K lines of code.
3. Guardrails
Best for: Medium to Large Enterprises
Guardrails is a holistic application security platform designed to help developers avoid dangerous security issues and improve their workflow. It augments the DevOps pipeline with security checks, turning it into a DevSecOps workflow. It also supports security tool orchestration and curation of security rules.
Top Features:
- Guardrails integrates seamlessly with top version control platforms such as GitHub, BitBucket, and GitLab.
- Guardrails provides complete mappings for OWASP categories.
- Guardrails supports custom engines via Semgrep
Pros:
- Supports PHP tool integration via Semgrep
- Maker and checker functionality for actions related to the security code fixes.
Cons:
- Not a PHP-centric platform
- Does not support custom CI/CD platforms
Pricing:
Supports a free version for up to two repositories. The standard edition starts at $35 per month for each developer seat.
4. Acunetix
Best for: Mission-critical software
Acunetix is a web application security scanner supporting dynamic and interactive analysis. It is designed for modern web applications: single-page applications, HTML5-heavy and interactive websites, and sites with password-protected areas. In addition to being a fully automated black-box scanner for PHP-based web servers, Acunetix can also perform PHP source code analysis.
Top Features:
- Acunetix can detect over 7000 vulnerabilities covering OWASP, XSS, SQL injections, and possible security breach scenarios.
- Acunetix can run lightning-fast scans with scheduling options across multiple environments simultaneously.
- Acunetix supports both DAST and IAST for faster remediation.
Pros:
- One of the robust web application scanners endorsed by the US government.
- Supports AcuSensor technology for interactive scanning and remediation.
Cons:
- Not a PHP-focused scanner.
- Highly complex configuration for integration with CI/CD
Pricing:
Acunetix is a commercial product, and the pricing is only available through a quote request.
5. Snyk
Best for: Developer Centric Security Workflows
Snyk is a developer-focused security and vulnerability scanner. It supports many developer-first features and boasts an industry-leading security intelligence capability that covers security from code to cloud. Snyk supports PHP and leverages its vulnerability database to analyze source code.
Top Features:
- Snyk integrates with IDE to secure the code as it is written.
- Snyk leverages AI-powered approaches to finding vulnerabilities.
Pros:
- It is designed to be developer-centric so that it integrates with developer workflows
- It supports a unified policy engine for IaC and multiple cloud configurations
Cons:
- It is not a PHP-specific scanner
- The user interface has been reported to be a bit confusing.
Pricing:
Snyk supports a free edition with limited scans. Paid plans start with the Team edition at $52 per contributing developer per month.
6. Exakat
Exakat is a real-time, customizable static code analyzer and code fixer engine for all PHP 5.2 to PHP 8 applications. It has a collection of the most extensive rules for checking PHP code against common pitfalls, logic fallacies, anomalous code, and more. It integrates with popular version control platforms and CI/CD platforms. It can be deployed over the cloud or self-hosted.
Top Features:
- Exakat supports the concept of Exakat Cobbler, an automated code fixer based on deep analysis of PHP code.
- Exakat supports an ever-growing library of PHP coding best practices
Pros:
- Nice and intuitive dashboard for PHP static code analysis and reports.
- Supports compliance reports for checking backward compatibility with PHP 7 and earlier versions.
Cons:
- It is not a full-scale security scanner
Pricing:
Exakat offers a free community edition. Cloud hosting starts at 5€/month
7. Psalm
Psalm is a static code analyzer for PHP. It offers strict checking for type-related errors and fosters safe coding patterns. It can also fix some bugs automatically. It integrates with popular UNIX code editors and with VS Code. It can perform taint analysis, following data from untrusted sources to sensitive sinks, to detect security issues caused by unvalidated inputs.
Top Features:
- Psalm supports custom taint sources and sinks, including through plugins.
- Psalm integrates with IDEs and offers an editor playground; both point out bugs and code smells inline, much as word processors underline spelling and grammar errors.
Pros:
- Easy installation and configuration for running code analysis
- Quick refactoring for PHP code
Cons:
- Does not cover the full extent of security and vulnerability scanning.
Pricing:
Psalm is open-sourced and hence freely available.
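The taint-analysis feature described above, shown on application code. This is an added example, not from the article or from the Psalm project: it declares a custom taint source, a custom sink and an escape using Psalm's documented annotations so that `vendor/bin/psalm --taint-analysis` can follow request data through the application's own wrapper functions. It assumes Psalm is installed via Composer and PHP 8 or later; the function names are this example's own.

```php
<?php
// Added example, not from the article or the Psalm project: custom taint
// sources, sinks and escapes declared with Psalm's documented annotations so
// that `vendor/bin/psalm --taint-analysis` can follow request data through
// application wrappers. Assumes Psalm via Composer and PHP 8; the function
// names and connection details are this example's own.
declare(strict_types=1);

/**
 * Wrapper around $_GET. Marking it as a taint source tells Psalm that every
 * value it returns is attacker-controlled, even though $_GET is hidden inside.
 *
 * @psalm-taint-source input
 */
function requestParam(string $name): string
{
    $value = $_GET[$name] ?? '';
    return is_string($value) ? $value : '';
}

/**
 * Wrapper around mysqli::query. The sink annotation names the parameter that
 * must never receive data carrying the "sql" taint.
 *
 * @psalm-taint-sink sql $sql
 */
function runQuery(mysqli $conn, string $sql): mysqli_result|bool
{
    return $conn->query($sql);
}

/**
 * Converting to a validated integer removes the SQL taint: Psalm accepts the
 * return value of this function at a sql sink.
 *
 * @psalm-taint-escape sql
 */
function asPositiveInt(string $raw): int
{
    if (!preg_match('/^[1-9][0-9]{0,17}$/', $raw)) {
        throw new InvalidArgumentException('expected a positive integer');
    }
    return (int) $raw;
}

$conn = new mysqli('localhost', 'username', 'password', 'database');

// Psalm reports a TaintedSql issue here: requestParam() output flows straight
// into the sink through string concatenation.
runQuery($conn, 'SELECT * FROM users WHERE id = ' . requestParam('userid'));

// No issue here: the value passed through the escape function first.
runQuery($conn, 'SELECT * FROM users WHERE id = ' . asPositiveInt(requestParam('userid')));
```

Psalm already knows that `$_GET` is a source and that `mysqli::query()` is a sink; the annotations matter when the application hides those behind its own abstractions, which is where an unannotated analyzer loses the trail. Declaring an escape is a promise to the tool, so the escaping function should be reviewed as carefully as the sink it protects.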
Conclusion
PHP scanners are an important part of the toolchain for any web application that has a commercial scope. They keep the PHP code secure and ensure that new code added to the application is free from known vulnerabilities and meets the security compliance requirements. Static analyzer tools are great for integration into developer and CI/CD workflows, whereas dynamic and runtime analyzers are required for more mission-critical applications, where exercising security scenarios against the running application can unearth critical security issues that may have a huge commercial impact.
FAQs
Why is PHP so vulnerable?
PHP is a very popular language for web development. Specifically, it is used to code the backend application logic of web applications. It has been around for nearly three decades. All these factors make it a robust and natural choice for building web applications, and also a frequent target for cyber security attacks. PHP itself is not inherently vulnerable, but novice or untrained programmers who skip secure coding guidelines can make an application vulnerable. There are a plethora of PHP security scanners out there that can help developers understand the security risks associated with their PHP code and suggest corrective actions.
How do I scan PHP for malicious code?
You can use a static or runtime analyzer to look for malicious code. Static analyzers such as PHPStan can scan the PHP source code for security risks associated with unvalidated inputs and other weaknesses that an attacker could use to steal data or stall the web application. Runtime analyzers, also known as web application scanners, perform their checks by feeding the running application malicious input and observing whether a security breach results.
Can PHP be malware?
PHP is not malware. However, a programmer can write a PHP program that acts as a malware injector via a web interface, such as an API. A PHP web backend, in such cases, can return malicious code disguised as a standard API response. This is possible with any programming language. It is not a drawback of PHP but depends on either the intent of the programmers or their training in writing secure code. To guard against such acts, it is important to conduct a code review of the PHP code and run static and dynamic analyzers to detect such issues in any PHP code.
Experienced software engineers and avid supporters of the developer community, specializing in APIs.