Hi,

How do I run PHP Security Scanner and SpikePHPSecAudit?

I've already extracted them at the root of my website and thought it could be run like phpSecInfo where you just navigate to

www.mySite.com/phpsecinfo/index.php

Any assistance will be appreciated.

P.S. I am using Windows XP and XAMPP.

+1  A: 

Spike PHP SecAudit does static analysis of the files; it's also very old. Pixy and RATS are also static analysis tools for PHP, but I think RATS is the only one of the three that is still maintained. These tools will produce a lot of false positives and it takes skill to tell the difference between a real problem and meaningless output.

In terms of scanners you are best off with Wapiti, which will produce very few false positives. Wapiti is also very easy to use:

python wapiti.py http://localhost/vulnerable_app/

I recommend downloading "Hackme Blog" from The Whitebox. Many apps aren't immediately vulnerable; sometimes you have to use the app a bit before the vulnerability can be reached. Try scanning the blog after a fresh install, then log in as the admin and create a blog entry and then scan it again.

If all goes well I'll see an exploit of yours on BugTraq. Give a shout-out to "The Rook" ;).

Rook
+1 Thanks so much for your help
01010011
@01010011 you're welcome. SO is mostly for white heads, if you need help with exploit dev try and get my attention, I check my comments.
Rook
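
The answer's point about false positives from static analysis tools, shown as an added example that is not part of the original answer and is not the code of RATS, Pixy or Spike PHP SecAudit: a simplified pattern-based scan over a constructed PHP snippet, with a rough triage hint for each finding. The sink and encoder lists, the sample and all function names are assumptions made for this illustration.

```python
import re

# Constructed PHP sample (not from any real application).
SAMPLE_PHP = '''<?php
system("uptime");
$page = $_GET['page'];
include($page . ".php");
echo htmlspecialchars($_POST['name']);
mysql_query("SELECT * FROM posts WHERE id=" . $_GET['id']);'''

# Illustrative lists assumed for this example; real tools ship far larger ones.
SINKS = ("system", "exec", "eval", "include", "require", "mysql_query", "echo")
ENCODERS = ("htmlspecialchars", "htmlentities", "intval", "escapeshellarg")
SINK_RE = re.compile(r"\b(" + "|".join(SINKS) + r")\b(.*)")
SUPERGLOBAL_RE = re.compile(r"\$_(?:GET|POST|COOKIE|REQUEST)\b")
VARIABLE_RE = re.compile(r"\$[A-Za-z_]\w*")
ENCODER_RE = re.compile(r"\b(?:" + "|".join(ENCODERS) + r")\s*\(")


def lexical_scan(source):
    """Flag every line that names a sink, the way a pattern-based scanner does."""
    hits = []
    for lineno, line in enumerate(source.splitlines(), start=1):
        match = SINK_RE.search(line)
        if match:
            hits.append((lineno, match.group(1), match.group(2)))
    return hits


def triage(argument):
    """Rough hint for the human reviewer, based only on the sink's argument text."""
    if not VARIABLE_RE.search(argument):
        return "likely false positive: constant argument"
    if ENCODER_RE.search(argument):
        return "likely false positive: argument passes through an encoder"
    if SUPERGLOBAL_RE.search(argument):
        return "likely real: request data used directly"
    return "needs review: trace where the variable comes from"


def report(source):
    """Return (line number, sink, triage hint) for every flagged line."""
    return [(lineno, sink, triage(arg)) for lineno, sink, arg in lexical_scan(source)]


if __name__ == "__main__":
    for row in report(SAMPLE_PHP):
        print("line %d: %s: %s" % row)
```

All four sink calls are flagged, but only one uses request data directly; the `include` finding cannot be settled from its own line and needs the variable traced by hand.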