Analysis Settings (PHP)

In the PHP preferences you can specify the configuration of the server in use. The individual issue types can also be excluded from the analysis there.

PHP server settings

Specifying the PHP version in use is important for the analysis of the application. The version is used to display known vulnerabilities for that version in the form of CVEs. In addition, PHP functions may behave differently from version to version. Specifying the version correctly produces better results and may avoid false positives.

The other settings, such as the default filter, must be carried over from the PHP server configuration. Correct values here also produce a more accurate analysis result.

Second Order analysis settings

The engine can identify different types of second order vulnerabilities. Because the exploitability of these vulnerabilities is difficult to predict, the analysis requires resources and the processing is very complex, it is possible to switch off all or a selection of the analysis types.

By holding the Ctrl key and clicking on the individual second order vulnerabilities, the types can be selected or deselected.

Brief explanation of second order vulnerabilities:

FILE: The source of the vulnerability comes from an included file

SQL: The source of the vulnerability comes from a database

SESSION: The source of the vulnerability comes from a session

TEMPLATE: The source or the sink is affected by a template file

POP: The source or the sink is affected by a __destruct or __wakeup method
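As an added illustration of the SESSION and SQL types listed above (example code written for this page, not part of the tool or its documentation), the following script shows a tainted request value that is stored in the session on one request and reaches a SQL sink on a later one, in vulnerable and hardened form; the table name, column name and the in-memory SQLite database are assumptions.

```php
<?php
// Added example (not from the tool's documentation): a SESSION second-order
// flow ending in a SQL sink, shown in vulnerable and hardened form.
// An in-memory SQLite database stands in for the application's database.

// Request 1 (think profile.php): the request parameter is only stored.
// There is no sink here, so a first-order analysis reports nothing.
function store_display_name(array $get): void {
    $_SESSION['display_name'] = $get['name'] ?? '';
}

// Request 2 (think dashboard.php): the source is now $_SESSION, not the
// request. Only the SESSION second-order analysis links this read back
// to the tainted input parked one request earlier.
function lookup_vulnerable(PDO $pdo): array {
    $name = $_SESSION['display_name'];
    // Vulnerable: the session value is concatenated into the query text.
    return $pdo->query("SELECT id FROM users WHERE display_name = '$name'")
               ->fetchAll(PDO::FETCH_ASSOC);
}

function lookup_hardened(PDO $pdo): array {
    // Hardened: same flow, but the value is bound as data and cannot
    // alter the query structure, whatever its origin.
    $stmt = $pdo->prepare('SELECT id FROM users WHERE display_name = :name');
    $stmt->execute([':name' => $_SESSION['display_name']]);
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

// Constructed sample data and a simulated session so the script runs offline.
$_SESSION = [];
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE users (id INTEGER PRIMARY KEY, display_name TEXT)');
$pdo->exec("INSERT INTO users (display_name) VALUES ('alice'), ('bob')");

foreach (['alice', "o'brien"] as $input) {
    store_display_name(['name' => $input]);
    printf("%-8s hardened:   %d row(s)\n", $input, count(lookup_hardened($pdo)));
    try {
        printf("%-8s vulnerable: %d row(s)\n", $input, count(lookup_vulnerable($pdo)));
    } catch (PDOException $e) {
        // A quote in the name reaches the SQL parser: the tell-tale
        // sign that the session value is interpreted as query text.
        printf("%-8s vulnerable: query error (%s)\n", $input, $e->getMessage());
    }
}
```

The second-order analysis exists precisely because the defect in lookup_vulnerable is invisible when each request is inspected in isolation; only tracking the taint through $_SESSION connects the two.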

Framework Hinting

The engine and its analysis are influenced by the insights the Preparser gathers, including the frameworks, libraries and other third-party code in use. Based on these findings, the engine uses framework-specific resources for the analysis. This so-called framework hinting can be deactivated so that the analysis is not restricted to this limited set of resources.

Selection of different issue types

Listed are all issue types from the three categories: exploitable issues, misconfiguration and code quality. If you want to limit your analysis, and the later review process, to certain issue types, simply deselect the unsuitable ones.

It is also possible to select individual child issue types to get an even more customized report.
In addition, there are buttons that select different groupings of issue types. For example, you can select only server-side issues and all possible misconfigurations with a single click.

General server settings

Selection of the different issue types