Pixy

Pixy is a XSS and SQLI Scanner for PHP Program. It is very good in finding Cross-Site Scripting (XSS) and SQL Injection (SQLI) vulnerabilities. Its Web page is http://pixybox.seclab.tuwien.ac.at/pixy/.

Installation

We are providing a wrapper for Pixy that allows handling of multiple files and parsed output.

SLC5 (sorry, not available on SLC4)
yum install --enablerepo slc5-testing,slc5-cernonly pixy
Other systems

Note: This requires Sun's Java 1.6, Perl and perl-LC library. Also, GraphViz is required to be able to view / convert the generated dependency graphs.

# as ROOT
# * install Sun Java 1.6+
# * install graphviz
# * install Perl
# * install perl-LC library 
#      RPM: http://linuxsoft.cern.ch/cern/slc5X/i386/yum/os/perl-LC-1.1.2-1.noarch.rpm
#      source code: http://cons.web.cern.ch/cons/perl/
 
# as REGULAR USER or ROOT - as you prefer
cd <where you want to have Pixy code>
wget http://pixybox.seclab.tuwien.ac.at/pixy/dist/pixy_3_03.zip
unzip pixy_3_03.zip
cd Pixy
rm -rf run-all.pl run-all.bat scripts testfiles test src
wget -O pixy http://cern.ch/security/codetools/files/pixy
sed -i "s|/usr/share/java/pixy|`pwd`|" pixy
chmod u+x pixy

Usage

Pixy will report vulnerabilities found, and will generate dependency graphs, to help you understand how a non-sanitized user input value is used in subsequent PHP commands/calls, until it is used for generating HTML (resulting in Cross-Site Scripting vulnerability) or for accessing a database (resulting in SQL Injection vulnerability. We strongly encourage you to look at these graphs - they are extremely useful in localising the vulnerability.

Warning Unfortunately, Pixy may sometimes throw a Java exception. These errors are not deterministic, so don't get discouraged and just try again running Pixy with exactly the same arguments as before.

Basic Usage

Just point Pixy to the directory with your PHP code.

pixy <path_to_directory>
Advanced Usage
pixy -c --xml -o report.xml -t report_directory <path_to_directory>

Run pixy -h for help.