During vulnerability assessment or penetration testing, identifying the input vectors of the target application is a primordial step. Sometimes, when dealing with Web application testing, verification routines related to SQL injection flaws discovery are restricted to the GET and POST variables as the unique inputs vectors ever. What about other HTTP header parameters? Aren't they potential input vectors for SQL injection attacks? How can one test all these HTTP parameters and which vulnerability scanners to use in order to avoid leaving vulnerabilities undiscovered in parts of the application?

They start by describing the different kinds of headers that the attacks could come in on - GET, POST, cookies and the other HTTP headers. According to some results, the HTTP headers option is the least protected in most common applications. He includes some good examples of headers that might contain malicious data such as:

• X-Forwarded-For
• User-agent
• Referer

Techniques are also included showing you tools and methods to help test your own applications including some in-browser tools and external applications (like Sqlmap, Nessus, WebInspect, SkipFish and Wapiti) with some average scores from running them on various coverage scores.

I tried out the Pixy XSS and SQLI Scanner (http://pixybox.seclab.tuwien.ac.at/pixy/index.php) on a few simple PEAR files. On the first, I got a java exception, on the second it was unable to resolve the simplest of includes (no ability to resolve include_path). In short, the thing is useless for anything written using PEAR. Fun!

The Pixy XSS and SQLI Scanner is made to find SQL and XSS injection issues in scripts. It runs as a Java application and scans PHP4 source code to try to find problems. For more information on the scanner or to try it out for yourself, check out the project's homepage for documentation and downloads.

Well, database operations are bread-and-butter work for most PHP applications. PHP and MySQL, for example, have been like brother and sister for many years. You may have heard about "SQL injections", a bad taste from the outside world of $_GET, $_POST, $_COOKIE and the like.

They mention the obvious - not accepting unfiltered input from users - and how the Chorizo and Morcilla software work to identify and comabt them in an application. You can even check out a Flash video of the process you'd need to take.

This video shows you how Morcilla, our brand new PHP extension, lets Chorizo! have a look inside your application on the server.

We are able to hook into every PHP function and trace the payloads of Chorizo!. By default, Morcilla hooks into the whole MySQL function family, fopen, mail, include/require/include_once/require_once, preg_* and others. With a ZendEngine patch, we are able to trace unset variables and a lot more.

The video (basically a screen capture of the process) is a bit hard to read in the smaller version, so it's recommended to view the larger size if you want to see the options. It's interesting, though, to see how it picks out the errors and tells what they are and where you can go to fix them (like a file inclusion issue, as they demonstrate).

Go and check out Chorizo!'s new Help Center. We extended the existing tutorials and provide a smooth overview about the current documentation. Included is an overview about all the scanner plugins Chorizo! is using and explain a bit what each plugin does.

There are "Getting Started" guides offered, video tutorials, details on each of the plugins (PHPversions, XSS plugin, Session injection, etc), some of the features of the scanner, and some general troubleshooting information.

In the spirit of Web2.0 applications, we constantly improve Chorizo! and silently update the application with the newest features. In order to scan a host, you have to prove that you are the owner of the host by uploading a unique signature file to your host's document root. Some of our users had trouble uploading it into the docroot, some accidently put it into the wrong directory.

Their enhancement makes it easy to tell which of the products have their signature files in place and while don't at a glance.

We think it's time to commoditize PHP web application security. You may have heard of Chorizo!.

With this free account, it's possible to use the Chorizo! application service as a proxy and scan 1 host. All scan datas are encrypted, your data is only visible to you. There are also some valuable help documents available that explain the whole process from registering up to uploading the signature file onto your host and how to analyze the results.

They also have a commercial version that includes: the Advisor software to help you correct the issues found, a more detailed report analyzer, and a PDF export of the reports.