How To Review PHP Code for Vulnerabilities

This document, when completed, is intended to help PHP developers learn to review code for security issues, and to help experienced code reviewers evaluate PHP applications faster, better, and more repeatably.

My preferences favor open source software. As far as IDEs go, I have found Eclipse to be a very powerful code review tool. I’ve started documenting the process of configuring and using it, in a task-focused way, to assist the reviewer in performing common code review activities.

The page linked below will be regularly updated as I write more, and as I incorporate suggestions from others. It will probably finally reside on a Mozilla Developer Network page.

If you can suggest changes or additions to the doc above, please comment below. Thanks!

PHP Security Code Review for WordPress Plugins – Useful Links

I’m reviewing a bunch of WordPress plugins that Mozilla would like to use right now, and wanted to come up with some documentation on how to test this stuff for people who are experienced code reviewers, but maybe not very familiar with PHP or WordPress, which they could use to get up to speed and be productive quickly. Also, to get this stuff into a more complete form on Mozilla Developer Network, to increase the number of people who have the tools to review plugins and the WordPress app itself.

First up – a set of links to docs I’ve found to be useful, ranging from PHP function refs, to the PHP source (how is that PHP function implemented in C, anyway?), to some docs on how WordPress plugins work:

Please leave a comment below if you have any additions or corrections to suggest.


Hacking the Vote?

First, welcome to my new blog!

I am excited to have recently joined Mozilla’s Application Security Engineering team, and especially excited to be able to do security work I can actually talk about. At the moment, that means working my way through code-reviewing a bunch of WordPress plugins that Mozilla would like to use, some of which have their own plugins, and thinking about ways Mozilla can enlist community involvement in security, as it successfully has with Firefox and other products.

Once I get through reviewing 50,000 or so lines of PHP code, I’m looking forward to sharing the efficient, repeatable general PHP and WordPress plugin-specific security code review processes and tools for static and dynamic analysis I came up with to actually get it done.

If you’re wondering if there’s any connection between that and my putting this blog on the free host, no, there’s not. I have no idea as to how they secure it, or if it is, and haven’t tested my own blog here, because it’s not running on my computer, and I don’t have their permission, so that wouldn’t be right.

With that out of the way, I’m going to just jump right into my first post, a link to an article at MIT Technology Review about the mechanics of voting fraud.

MIT Technology Review asks, How Long Before Hackers Steal Votes?

That, indirectly, is the question asked and answered in a just-released judge’s summary (pdf) of testimony from a trial conducted in 2008-2009 in which the state of New Jersey was sued for insufficiently guaranteeing the physical security of its electronic voting machines.

Experts called during the trial asserted that the state’s existing security methods, consisting primarily of tape that should reveal evidence of tampering if key parts of a voting machine are removed or opened, were insufficient. So New Jersey expanded the number of physical seals on its machines from three to six. Subsequently, the same experts testified that these measures were essentially useless in the absence of training for election workers in the proper use of these seals, and that the seals interfered with legitimate maintenance of the machines.

In other words: New Jersey’s electronic voting machines, which are emblematic of machines across the U.S., remain vulnerable to attack by hackers who could inject software or hardware to skew vote counts.

I saw this guy, Datagram, give what I thought was one of the most original talks at Blackhat 2011 – a talk about “tamper-evident” seals, and how many can actually be tampered with, without easy detection.

YouTube has him giving the same talk a few days later, at Defcon: