Pixy: XSS and SQLI Scanner for PHP Programs

Try the Web Interface!

For those who don't enjoy downloading and installing programs: you can also use our web interface to test Pixy. Although it is less powerful than the offline version, it gives you a first impression of what Pixy can do. A short explanation of the generated output is given in the Quick Start section below.

Requirements

We tried to make the package easily accessible for new users: We don't harass you with tedious dependency resolution and complicated build instructions - all you need to get started is a Java 1.6 runtime environment. Pixy has been primarily developed for Linux, but this should not really matter since Java is platform-independent. However, there are some details that Windows users should consider (see below).

Quick Start

  • Download and decompress the Pixy package
  • Use the "run-all.pl" script in Pixy's root directory to perform all supported checks:

    run-all.pl <input php file>

    For instance, provide "getstarted.php" (located in Pixy's root directory) as input file. It contains a very simple XSS vulnerability: request data is passed to echo without any sanitization.
    <?php

    $a = 'hi';
    $b = $_GET['evil'];   // tainted: controlled by the client

    echo $a;    // this one is OK
    echo $b;    // XSS vulnerability
      
    Hint: You can adjust the 'mem_min' and 'mem_max' variables in config/mem.pl to match the amount of memory your machine can provide.
  • As immediate output, Pixy will create a report that informs you about the points at which the scanned program might be vulnerable. For the above example script (here saved as blob.php), the report looks like this:
    File: blob.php
    
    *** resolving literal includes ***
    
    
    
    *** performing type analysis ***
    
    
    inclusion iterations:            1
    resolved literal includes:       0
    resolved non-literal includes:   0
    cyclic includes:                 0
    not found includes:              0
    unresolved non-literal includes: 0
    
    
    Total phi entries: 5
    Total cfg nodes: 5
    
    *** performing taint analysis ***
    
    
    Finished.
    
    Time: 0 seconds
    
    *** detecting vulnerabilities ***
    
    
    *****************
    XSS Analysis BEGIN
    *****************
    
    Number of sinks: 2
    
    XSS Analysis Output
    --------------------
    
    Vulnerability detected!
    - unconditional
    - blob.php:7
    - Graph: xss2
    
    Total Vuln Count: 1
    
    *****************
    XSS Analysis END
    *****************
    
    
    *****************
    SQL Analysis BEGIN
    *****************
    
    Number of sinks: 0
    
    SQL Analysis Output
    --------------------
    
    Total Vuln Count: 0
    
    *****************
    SQL Analysis END
    *****************
    
    Total Time: 0 seconds
      
  • In addition to the generated report, more information will be dumped into the "graphs" directory. For our example above, it will create a file named "xss_<filename>.php_2_min.dot" (the number corresponds to the "Graph: xss2" line of the report), which can be viewed with dotty or rendered with dot (both from the Graphviz package). It contains a dependence graph that tells you why Pixy believes something to be dangerous:

    In the above example, the invocation of "echo" is dangerous because it uses variable $b as parameter, which has been initialized with the value of $_GET['evil'], i.e. with attacker-controlled input. The more complex the vulnerability, the happier you will be about these additional graphs - without them, it can become very difficult to trace a vulnerability back to its origin.
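    The following test file is an added example and not part of the Pixy package. It places one XSS sink and one SQLI sink each in a tainted and in a sanitized variant, plus a taint flow through a copy and a concatenation, so that you can compare Pixy's report with the "expected" annotations. It assumes that Pixy's default configuration treats echo and mysql_query() as sinks and htmlspecialchars() / mysql_real_escape_string() as sanitizing routines (check the sink and sanitization lists in the config directory of your Pixy version), and it uses the PHP 4/5 mysql_* API that Pixy targets. The file name and the database credentials are made up.

```php
<?php
// Added example (not shipped with Pixy). Save e.g. as taint-demo.php and run:
//     run-all.pl taint-demo.php
// Assumptions: echo and mysql_query() are configured as sinks,
// htmlspecialchars() and mysql_real_escape_string() as sanitizers.

$name = $_GET['name'];                 // tainted: attacker-controlled request data

// --- XSS sinks ---------------------------------------------------------
echo 'Hello ' . $name;                 // expected: XSS vulnerability (tainted data reaches echo)
echo 'Hello ' . htmlspecialchars($name, ENT_QUOTES, 'UTF-8');   // expected: not reported (sanitized)

// --- SQLI sinks --------------------------------------------------------
$link = mysql_connect('localhost', 'user', 'secret');   // constructed credentials
$q1 = "SELECT * FROM users WHERE name = '" . $name . "'";
mysql_query($q1, $link);               // expected: SQLI vulnerability (tainted query string)

$safe = mysql_real_escape_string($name, $link);
$q2 = "SELECT * FROM users WHERE name = '" . $safe . "'";
mysql_query($q2, $link);               // expected: not reported (escaped before the sink)

// --- Taint propagation ---------------------------------------------------
// Taint survives assignments and string concatenation. The report only names
// the sink line; the .dot graph in the graphs directory shows the path back
// to $_GET['name'].
$copy = $name;
$greeting = 'Dear ' . $copy;
echo $greeting;                        // expected: XSS vulnerability, origin $_GET['name']
?>
```

    With the assumptions above, the report should list two XSS and one SQLI "Vulnerability detected!" entries, each with the line number of the respective sink, and the graphs directory should contain one xss_*.dot and one sql_*.dot file per finding. If a sanitized variant is reported anyway, the sanitizer is not in your configuration's list; if a tainted variant is missing, the sink is not.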

Windows Users

If you are working with Windows, you have two options:

  • Install Perl, and you will be able to use the same script as above (run-all.pl). For this, simply change the variable classpath_separator in the file config/mem.pl from : (colon) to ; (semicolon), and you are ready to go:

    perl run-all.pl <input php file>

  • Use the script run-all.bat instead of run-all.pl.


That's all for the impatient ones. If you want to learn more about Pixy's features and how to use them, please refer to our Tutorial.



International Secure Systems Lab