A "hard problem" (which may be out of scope) to solve is the issue with dynamic web apps that have a fuck tonne of dependencies and rely on a database.

An example of this is the vast majority of wordpress plugins.

It would be interesting to be able to point phuzz at the webroot of an installed/configured Wordpress/whatever instance (with whatever plugins) and let it rip. Hooking calls to the database would also help with detecting SQLi, etc.

This functionality may already be possible in the applications current state, I'll have to run some tests later.

With results of the traces we should be able to determine which category of bug it is. A classifier needs to match function calls and parameters, then output appropriate Tags. e.g.

• str_replace = FilterStrReplace
• mysql_real_escape = SqlEscape
• stat/open = LocalFile
• system = CmdExecution
• connect/send = Network

This fits into the project because it will form the basis of the analyser and exploiter in the level above, e.g. 'LocalFile+CodeExecution' - RCE. The tags will be used to determine what modifications to make to the input parameters to verify the level of control over them, see if there's filtering etc.

A nice addition for usability would be to have a progress indicator for when large amounts of files are being scanned. Even something as simple as "X/Y Files Scanned - Z% Complete" would be decent.

A further enhancement to this would be a "time elapsed/estimated time remaining" counter.

While analysing lots of files we found a situation where Phuzz would hang indefinitely because of ... shrug some combination of PHP and TCP sockets.

There needs to be an enforced time-out, so Phuzz will kill PHP after 10 seconds of no response, or 60 seconds overall (both configurable).

Tracing must resume afterwards.

Implement using http://www.howzatt.demon.co.uk/NtTrace/ or http://intellectualheaven.com/default.asp?BH=StraceNT

Too much effort at the moment

I have no idea why this bug is still cropping up... Backtrace below.

# python -m phuzz -o output/ -t tests/ -d
DEBUG:phuzz:Waiting for server...
PHP 5.6.4-4ubuntu6.4 Development Server started at Sun Sep 18 14:47:57 2016
Listening on http://127.0.0.1:25581
Document root is /scratch/skyhigh/wordpress-research/phuzz/tests
Press Ctrl-C to quit.
[Sun Sep 18 14:47:57 2016] 127.0.0.1:50010 Invalid request (Unexpected EOF)
INFO:phuzz:SyscallTracer started, pid: 14257
INFO:__main__:Scanning all files in tests/
DEBUG:phuzz:Retrieving 'http://127.0.0.1:25581afu1.php'
ERROR:__main__:FAIL...
Traceback (most recent call last):
  File "/scratch/skyhigh/wordpress-research/phuzz/phuzz/__main__.py", line 41, in main
    worker.run_file(os.path.join(path, filename))
  File "phuzz/__init__.py", line 415, in run_file
    return self.run_path(webpath)
  File "phuzz/__init__.py", line 420, in run_path
    return self.run(url)
  File "phuzz/__init__.py", line 428, in run
    trace = self.trace(url, state)
  File "phuzz/__init__.py", line 381, in trace
    resp = self._request_for_state(url, state)
  File "phuzz/__init__.py", line 374, in _request_for_state
    allow_redirects=False)
  File "/home/skyhighatrist/.local/lib/python2.7/site-packages/requests/sessions.py", line 454, in request
    prep = self.prepare_request(req)
  File "/home/skyhighatrist/.local/lib/python2.7/site-packages/requests/sessions.py", line 388, in prepare_request
    hooks=merge_hooks(request.hooks, self.hooks),
  File "/home/skyhighatrist/.local/lib/python2.7/site-packages/requests/models.py", line 293, in prepare
    self.prepare_url(url, params)
  File "/home/skyhighatrist/.local/lib/python2.7/site-packages/requests/models.py", line 347, in prepare_url
    raise InvalidURL(*e.args)
InvalidURL: Failed to parse: 127.0.0.1:25581afu1.php
DEBUG:phuzz:SyscallTracer stopped, pid: 14257