Web Application
Security Research

In-depth analysis of our latest vulnerability findings and best practices for secure development.

Integrate Security Testing into PhpStorm

7 min read 20 Feb 2018 by Julian Karl
PhpStorm is one of the leading IDEs for developing PHP applications. Although it offers code analysis features in the range of code completion and code quality analysis it is not able to detect pervasive security issues, such as Cross-Site Scripting or SQL Injection. With the help of our PhpStorm plugin you can seamlessly integrate our best-in-class security analysis directly into PhpStorm and detect critical vulnerabilities at the lowest cost point.

Joomla! 3.8.3: Privilege Escalation via SQL Injection

5 min read 6 Feb 2018 by Karim El Ouerghemmi
Joomla! is one of the biggest players in the market of content management systems and the second most used CMS on the web. RIPS discovered a second-order SQL injection (CVE-2018-6376) that could be used by attackers to leverage lower permissions and to escalate them into full admin permissions on Joomla! prior version 3.8.4.

CubeCart 6.1.12 - Admin Authentication Bypass

8 min read 17 Jan 2018 by Robin Peraglie
CubeCart is an open source e-commerce solution. In one of our latest security analysis we found two flaws in this web application that allow an attacker to circumvent the authentication mechanism required to login as an administrator (CVE-2018-20716). Once bypassed, an attacker can execute arbitrary code on the web server and steal all sensitive files and data.

PHP Security Advent Calendar 2017 Wrap-Up

6 min read 4 Jan 2018 by Felix Knischewski
In this year’s PHP Security Advent Calendar we published 24 challenges for the PHP community where security issues were hidden in code snippets for fun and training. The challenges are based on real-world security vulnerabilities that we found with the help of RIPS over the last year in popular PHP applications. Learn more about the main take-aways regarding PHP security.

PHP Security Advent Calendar 2017

1 min read 30 Nov 2017 by Johannes Dahse
We are happy to announce this year’s PHP security advent calendar where we will release a new calendar gift from December 1st to 24th. This year, we will focus on nifty PHP pitfalls and release a daily code challenge for you to solve. Can you spot the daily security bug?