4

I'm interested in finding open-source tools for auditing some PHP code I didn't write, before putting it into production. I'll need black-box HTTP-probing scanners as well as static code parsers/analyzers.

Where can I find a good comprehensive list of all such tools, and a smaller list of which ones are actually worth trying?

Here's a start. I haven't tried any of them:

Alex R
  • 1,083
  • My similar question was closed but this one has been okay for 14 years? https://serverfault.com/questions/1157088/what-are-some-good-nginx-rate-limits-for-wordpress-websites – Jesse Nickles Mar 29 '24 at 13:39
  • 1
    Maybe it's the slightly different wording? A "comprehensive list" is a factual finite dataset which is not opinion based. TBH I'm just as baffled as you. I've had other questions closed that were much less defiant than this one. – Alex R Mar 30 '24 at 02:43
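As an added illustration of the static-analysis side of the question (example code, not from the question, the answers, or any of the tools named on this page), here is a toy regex-based taint scanner in Python. It shows the core idea behind a PHP source auditor: mark data that arrives from request superglobals as tainted, follow direct assignments, and report the lines where tainted data reaches a dangerous sink. The sink and sanitiser lists are this example's own selection, and the PHP snippet it scans is constructed.

```python
"""Toy static PHP taint scanner (added example, not a real audit tool).

It tracks variables assigned directly from request superglobals and reports
lines where such a variable, or a superglobal itself, reaches a dangerous
sink. Deliberate limitations, to stay short: one statement per line, no
comment or string handling, no function scope, and any sanitiser name in an
expression clears the whole expression. Real analyzers build an AST instead.
"""
import re

# Taint sources: superglobals whose content the HTTP client controls.
TAINT_SOURCES = {"$_GET", "$_POST", "$_REQUEST", "$_COOKIE", "$_FILES", "$_SERVER"}

# Sinks and the weakness class reported when tainted data reaches them
# (this selection is the example's own, not a standard list).
SINKS = {
    "eval": "code injection", "assert": "code injection",
    "system": "command injection", "exec": "command injection",
    "shell_exec": "command injection", "passthru": "command injection",
    "popen": "command injection", "proc_open": "command injection",
    "unserialize": "insecure deserialization",
    "include": "file inclusion", "include_once": "file inclusion",
    "require": "file inclusion", "require_once": "file inclusion",
    "mysql_query": "SQL injection", "mysqli_query": "SQL injection",
    "echo": "cross-site scripting", "print": "cross-site scripting",
}

# Calls this example treats as neutralising their argument.
SANITIZERS = ("htmlspecialchars(", "htmlentities(", "intval(",
              "escapeshellarg(", "mysqli_real_escape_string(")

VAR_RE = re.compile(r"\$[A-Za-z_]\w*")
# "$var = expr;" or "$var .= expr;" at the start of a line.
ASSIGN_RE = re.compile(r"^\s*(\$[A-Za-z_]\w*)\s*\.?=(?!=)\s*(.+?);")
# "sink(args)" or "sink args", captured up to the end of the statement.
SINK_RE = re.compile(
    r"\b(" + "|".join(re.escape(s) for s in SINKS) + r")\b\s*\(?\s*([^;]*)")


def _is_tainted(expr, tainted):
    """True when expr references a tainted variable and contains no sanitiser call."""
    if any(s in expr for s in SANITIZERS):
        return False
    return any(v in tainted for v in VAR_RE.findall(expr))


def scan_php_source(src):
    """Return [(line_no, sink_name, weakness)] for each tainted sink reached."""
    tainted = set(TAINT_SOURCES)
    findings = []
    for lineno, line in enumerate(src.splitlines(), start=1):
        m = ASSIGN_RE.match(line)
        if m:                       # propagate (or clear) taint through assignment
            lhs, rhs = m.group(1), m.group(2)
            if _is_tainted(rhs, tainted):
                tainted.add(lhs)
            else:
                tainted.discard(lhs)
        for sm in SINK_RE.finditer(line):
            sink, args = sm.group(1), sm.group(2)
            if _is_tainted(args, tainted):
                findings.append((lineno, sink, SINKS[sink]))
    return findings


# Constructed PHP sample: three unsafe flows, two properly sanitised ones.
SAMPLE_PHP = """<?php
$page = $_GET['page'];
include $page . '.php';
$name = htmlspecialchars($_POST['name']);
echo $name;
$cmd = "ping -c 1 " . $_GET['host'];
system($cmd);
$id = intval($_GET['id']);
$r = mysqli_query($db, "SELECT * FROM t WHERE id = $id");
echo $_COOKIE['theme'];
"""

if __name__ == "__main__":
    for lineno, sink, weakness in scan_php_source(SAMPLE_PHP):
        print(f"line {lineno}: {sink} reached by request data -> possible {weakness}")
```

Run against the constructed sample it reports lines 3, 7 and 10 and stays silent on the two sanitised flows; on real code a scanner this naive produces both false positives and false negatives, which is why the serious tools parse PHP into an AST and track taint through function calls rather than pattern-matching lines.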

2 Answers

1

Backtrack 4 has a bunch of web app testing and fuzzing tools included with it. So I tend to start with the tools found on it. In the past I have had good luck with W3AF identifying problems in Apache and php.ini configurations as well as the PHP apps that I've inherited.

3dinfluence
  • 12,479
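As an added example of the php.ini side of what this answer describes W3AF catching (example code written for this page, not W3AF's or any other tool's own), here is a short Python check that parses php.ini text and compares a handful of directives against production values. The directive list and the expected values are this example's own selection, and the php.ini text it audits is constructed.

```python
"""php.ini production-hardening check (added example, not from any real tool).

Parses php.ini-style text and compares selected directives against the
values a production deployment normally wants. The directive list and
expected values are this example's own choice; directives left unset fall
back to PHP's compiled defaults, so they are reported for manual review.
"""

# Directive -> expected state ("on", "off", or "nonempty").
EXPECTED = {
    "display_errors": "off",           # error text leaks paths and SQL to clients
    "display_startup_errors": "off",
    "expose_php": "off",               # drops the X-Powered-By version banner
    "allow_url_include": "off",        # blocks include() of remote URLs
    "allow_url_fopen": "off",          # disable if the app does not need it
    "enable_dl": "off",                # no runtime loading of extensions
    "log_errors": "on",                # keep errors, but in the log
    "session.cookie_httponly": "on",   # session cookie hidden from script
    "session.use_only_cookies": "on",  # no session id in the URL
    "disable_functions": "nonempty",   # e.g. exec, system, passthru
    "open_basedir": "nonempty",        # confine file access to the docroot
}


def parse_php_ini(text):
    """Return {directive: raw value} from php.ini text (section headers ignored)."""
    settings = {}
    for line in text.splitlines():
        line = line.split(";", 1)[0].strip()     # drop comments
        if not line or line.startswith("[") or "=" not in line:
            continue
        key, value = line.split("=", 1)
        settings[key.strip().lower()] = value.strip().strip('"\'')
    return settings


def _norm(value):
    """Map the boolean spellings php.ini accepts onto 'on'/'off'."""
    v = value.strip().lower()
    if v in ("", "0", "off", "false", "no", "none"):
        return "off"
    if v in ("1", "on", "true", "yes"):
        return "on"
    return v


def audit_php_ini(text):
    """Return (directive, actual, expected) for each directive that fails the check."""
    settings = parse_php_ini(text)
    findings = []
    for key, want in EXPECTED.items():
        raw = settings.get(key)
        if raw is None:
            findings.append((key, "(not set, compiled default applies)", want))
        elif want == "nonempty":
            if raw == "":
                findings.append((key, "(empty)", want))
        elif _norm(raw) != want:
            findings.append((key, raw, want))
    return findings


# Constructed sample: a php.ini left with development settings.
SAMPLE_INI = """[PHP]
; constructed sample, not a real server's configuration
display_errors = On
display_startup_errors = Off
expose_php = On
allow_url_include = Off
allow_url_fopen = On
enable_dl = Off
log_errors = Off
disable_functions =
open_basedir = "/var/www/html:/tmp"
[Session]
session.cookie_httponly = 0
"""

if __name__ == "__main__":
    for key, actual, want in audit_php_ini(SAMPLE_INI):
        print(f"{key}: {actual} (expected {want})")
```

Feed it the php.ini that `php --ini` reports as loaded; a check like this is a complement to a scanner, not a replacement, because the scanner sees the effective runtime values (including per-directory overrides from .htaccess or php-fpm pools) while this only reads one file.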
0

Having done both source and blackbox auditing before, I'm inclined to recommend Acunetix or IBM's Hailstorm. As previously mentioned, W3AF is a very good piece of software. But none of these pieces of software are nearly as good as doing it yourself.

zetavolt
  • 1,352