This updated tool kind of slipped under the radar. PHP Source Auditor 4 (PSA4) is a Perl/Tk script that, as the name suggests, audits PHP source for vulnerability classes such as remote code execution (RCE), local and remote file inclusion (LFI/RFI), SQL injection (SQLi) and cross-site scripting (XSS). Setup and usage are straightforward: you need Perl with Tk, a local AMP stack (Apache/MySQL/PHP) for the local-testing step, and some source to check. You can tell by the screenshot that I have it running on a win32 box.

Here are some highlights:

  • Deep scanning
  • Local testing to remove false positives
  • Generated HTML reports

It is a bit slow, but surely over 9000x faster (and probably more accurate) than checking your source by hand, or even with the assistance of something like the Spike PHP Security Audit Tool.
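To make the "deep scanning" and "false positive" points concrete, here is a small source-to-sink auditor of the kind PSA4 automates. It is an added example, not PSA4's code (PSA4 is Perl; this is Python so it can be run as-is), and everything in it is assumed: the SAMPLE_PHP file is constructed for the demo, and the SOURCES, SANITIZERS and SINKS tables plus the audit() function are my own simplifications. It tracks taint from the PHP superglobals through plain assignments into include/eval/system/mysql_query/echo style sinks, and treats a recognised sanitizer call as clearing the taint, which is exactly the sort of shortcut that produces the false positives (and negatives) a local test run has to catch.

```python
import re

# Constructed sample PHP file (not from PSA4 or the original post). It mixes
# real source-to-sink flows with one properly sanitised case, so the auditor
# has something to flag and something it must leave alone.
SAMPLE_PHP = r'''<?php
$page = $_GET['page'];
include($page . ".php");
$id = intval($_GET['id']);
$r = mysql_query("SELECT * FROM t WHERE id=" . $id);
$q = $_POST['q'];
mysql_query("SELECT * FROM t WHERE name='$q'");
echo $_REQUEST['name'];
$cmd = $_COOKIE['c'];
system($cmd);
eval($_GET['code']);
'''

# Attacker-controlled inputs (assumed list) ...
SOURCES = ('$_GET', '$_POST', '$_REQUEST', '$_COOKIE', '$_SERVER')
# ... and calls treated as neutralising them. This is crude on purpose: a name
# match anywhere in the expression clears the taint regardless of which sink
# it is later used in, which is one reason a real auditor needs local testing.
SANITIZERS = ('intval', '(int)', 'htmlspecialchars', 'htmlentities',
              'basename', 'mysql_real_escape_string', 'addslashes')
# Dangerous sinks grouped by the vulnerability class (assumed list).
SINKS = {
    'LFI/RFI': ('include', 'include_once', 'require', 'require_once',
                'fopen', 'file_get_contents'),
    'RCE':     ('eval', 'system', 'exec', 'shell_exec', 'passthru',
                'popen', 'proc_open'),
    'SQLi':    ('mysql_query', 'mysqli_query', 'pg_query'),
    'XSS':     ('echo', 'print', 'printf'),
}

# "$var = <expr>;" on one line; "(?!=)" keeps "==" comparisons out.
ASSIGN_RE = re.compile(r'^\s*(\$\w+)\s*=(?!=)\s*(.+);')


def is_tainted(expr, tainted):
    """Does the expression carry user input that no sanitizer has touched?"""
    if any(s in expr for s in SANITIZERS):
        return False
    if any(s in expr for s in SOURCES):
        return True
    # "\b" stops $q from matching inside $query.
    return any(re.search(re.escape(v) + r'\b', expr) for v in tainted)


def audit(php_source):
    """Scan one PHP file; return (line_no, category, sink) for each tainted sink."""
    tainted = set()
    findings = []
    for no, line in enumerate(php_source.splitlines(), 1):
        code = line.split('//', 1)[0]          # drop trailing line comments
        m = ASSIGN_RE.match(code)
        if m:                                  # propagate taint through assignments
            var, rhs = m.groups()
            if is_tainted(rhs, tainted):
                tainted.add(var)
            else:
                tainted.discard(var)           # e.g. $id = intval($_GET['id'])
        for category, names in SINKS.items():
            for name in names:
                # "(?<![$\w])" avoids matching a variable such as $system.
                hit = re.search(r'(?<![$\w])' + re.escape(name) + r'\b(.*)', code)
                if hit and is_tainted(hit.group(1), tainted):
                    findings.append((no, category, name))
    return findings


if __name__ == '__main__':
    for no, category, sink in audit(SAMPLE_PHP):
        print(f'line {no:3}: {category:8} via {sink}()')
```

Run against the sample it reports the include on line 3, the interpolated query on line 7, the echo on line 8 and the two RCE sinks on lines 10 and 11, while the intval()-guarded query on line 5 is left alone. Taint is only followed through simple one-line assignments, not through function calls, arrays or string functions, so a real code base will produce both misses and spurious hits; PSA4's local-testing step exists precisely because static matching of this kind cannot settle them on its own.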

Major changes in 4:

  • fixed freezing! (well, in some cases it still does)
  • LFI support!
  • Progress in terminal
  • Stats changed: added ‘read lines’, and the counter now counts in percent

Major not-changed in 4:

  • Style of coding: even though my skill in Perl has improved a lot since PSA3, I’m not gonna rewrite all the code
  • SQL injection support: I received a lot of questions on this, but what can I say? Automating such a thing is really, really hard. I’ve left the function in; it sucks and will almost never appear in your logs.
© 2010 nukeitdotorg Suffusion WordPress theme by Sayontan Sinha

Powered by CDN Rewrites