Using the phpparser lib, this .php script tries to identify where user input ("tainted" data such as $_GET) reaches dangerous sinks (like shell_exec) without sanitization.
This script was born after reading the Wooyun blog's simple .php scanner example, which uses phpparser, and trying to modify it.
Compared to RIPS, WAP.jar or similar scanners, this script will try to be simpler so anyone can hack on it, support tainted classes / methods / inputs, and avoid false positives.
tainted = under user control
How to use:
php tainterscan.php test/simple.php
- Create a network of connections
- Find routes which indicate vulnerabilities
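
The two steps above on a small scale, as an added example in Python (not the project's code, which is PHP and uses phpparser). Regexes stand in for the parser; the source, sink and sanitizer lists, the function names and the sample PHP are assumptions constructed for the demo.

```python
import re
from collections import deque
# Assumed, deliberately short lists; a real scanner needs far larger ones.
SOURCES = {"$_GET", "$_POST", "$_COOKIE", "$_REQUEST"}
SINKS = ("shell_exec", "passthru", "system", "exec")
SANITIZERS = ("escapeshellarg", "escapeshellcmd", "intval")
# Constructed PHP input for the demo (not a file from the project).
SAMPLE = r'''<?php
$name = $_GET['name'];
$cmd = "ls " . $name;
$safe = escapeshellarg($_GET['dir']);
$out = shell_exec($cmd);
echo shell_exec("ls " . $safe);
'''
VAR = re.compile(r"\$\w+")
ASSIGN = re.compile(r"^\s*(\$\w+)\s*=(.*);")
SINK_CALL = re.compile(r"\b(%s)\s*\((.*)\)" % "|".join(SINKS))
# Limitation: only sanitizer calls without nested parentheses are recognised.
SANITIZED = re.compile(r"\b(?:%s)\s*\([^()]*\)" % "|".join(SANITIZERS))

def build_graph(php):
    """Step 1: record an edge A -> B wherever the value of A flows into B."""
    edges = {}
    for lineno, line in enumerate(php.splitlines(), 1):
        line = SANITIZED.sub("", line)  # a sanitizer call cuts the flow
        flows = []
        call = SINK_CALL.search(line)
        if call:  # sink nodes are named "func() line N"
            flows.append(("%s() line %d" % (call.group(1), lineno), call.group(2)))
        assign = ASSIGN.match(line)
        if assign:
            flows.append((assign.group(1), assign.group(2)))
        for target, expr in flows:
            for var in VAR.findall(expr):
                edges.setdefault(var, []).append(target)
    return edges

def find_routes(edges):
    """Step 2: breadth-first search from each source; a route ends at a sink."""
    routes, queue = [], deque([s] for s in sorted(SOURCES))
    while queue:
        path = queue.popleft()
        for nxt in edges.get(path[-1], []):
            if "()" in nxt:          # reached a sink node: report the route
                routes.append(path + [nxt])
            elif nxt not in path:    # do not loop on cyclic assignments
                queue.append(path + [nxt])
    return routes
if __name__ == "__main__":
    print("\n".join(" -> ".join(r) for r in find_routes(build_graph(SAMPLE))))
```

Only the unsanitized flow is reported; the call on line 6 is not, because escapeshellarg() removed the edge from $_GET to $safe.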