Message-ID: <46CC7212.3090809@coresecurity.com>
Date: Wed, 22 Aug 2007 14:27:46 -0300
From: Ezequiel Gutesman <egutesman@...esecurity.com>
To: full-disclosure@...ts.grok.org.uk
Subject: Re: Announcement: Releasing CORE GRASP for PHP. An open source, dynamic web application protection system.
The correct URL is
http://grasp.coresecurity.com
Ezequiel Gutesman wrote:
> CORE GRASP for PHP is a web-application protection software aimed at
> detecting and blocking injection vulnerabilities and privacy violations.
> As mentioned during its presentation at Black Hat USA 2007, GRASP is
> being released as open source under the Apache 2.0 license and can be
> obtained from http://gasp.coresecurity.com/.
>
> The present implementation protects PHP 5.2.3 against SQL-injection
> attacks for the MySQL engine, it can be installed with almost the same
> effort as the PHP engine, both in Unix and Windows systems, and
> protection is immediate with any PHP web application running in the
> protected server.
>
> CORE GRASP works by enhancing the PHP execution engine (VM) to permit
> byte-level taint tracking and analysis for all the user-controlled or
> otherwise untrustable variables of the web application. Tainted bytes
> are then tracked and their taint marks propagated throughout the web
> application's runtime. Whenever the web application tries to interact
> with a DB backend using SQL statements that contain tainted bytes,
> GRASP analyzes the statement and detects and prevents attacks or abnormal
> actions.
>
> CORE GRASP was developed by CoreLabs, the research unit of Core Security
> Technologies. At CoreLabs, we plan to improve the tool and include new
> protections shortly. However, the invitation to collaborate with the
> project is open. If you would like to collaborate, please go to the
> GRASP website and subscribe to our mailing list.
>
> Project home: http://grasp.coresecurity.com/
> Documentation, presentation and papers:
> http://grasp.coresecurity.com/index.php?m=doc
> Download: http://grasp.coresecurity.com/index.php?m=dld
>
> _______________________________________________
> Full-Disclosure - We believe in it.
> Charter: http://lists.grok.org.uk/full-disclosure-charter.html
> Hosted and sponsored by Secunia - http://secunia.com/
>
>
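The taint-tracking idea described in the announcement, modelled in Python as an added example (this is not GRASP's code, which works inside the PHP engine). The `Tainted` class, the `violations` function and the policy it enforces are assumptions made for illustration, and the sample query is constructed.

```python
class Tainted:
    """A string carrying one taint flag per character (stand-in for byte marks)."""

    def __init__(self, text, marks=None):
        self.text = text
        self.marks = list(marks) if marks is not None else [False] * len(text)

    @classmethod
    def from_user(cls, text):
        # Request data: every character starts out tainted.
        return cls(text, [True] * len(text))

    def __add__(self, other):
        # Concatenation carries each character's mark to its new offset.
        other = other if isinstance(other, Tainted) else Tainted(other)
        return Tainted(self.text + other.text, self.marks + other.marks)

    def __radd__(self, other):
        return Tainted(other) + self


def violations(query):
    """Return [(offset, char)] for tainted characters outside literal data.

    Assumed policy (not taken from GRASP): tainted characters may only be
    the contents of a single-quoted string or the digits of a number.
    """
    s, marks, bad, in_str, i = query.text, query.marks, [], False, 0
    while i < len(s):
        c = s[i]
        if in_str and (c == "\\" or s[i:i + 2] == "''"):
            i += 2  # backslash escape or doubled quote: still inside the literal
            continue
        if c == "'":
            in_str = not in_str
            if marks[i]:
                bad.append((i, c))  # user data supplied a string delimiter
        elif not in_str and marks[i] and not c.isdigit():
            bad.append((i, c))  # user data reached SQL syntax
        i += 1
    return bad


PREFIX = "SELECT id FROM users WHERE name = '"  # constructed sample query
benign = PREFIX + Tainted.from_user("alice") + "'"
attack = PREFIX + Tainted.from_user("x' OR '1'='1") + "'"

if __name__ == "__main__":
    print("benign:", violations(benign))
    print("attack:", violations(attack))
```

A query would be blocked whenever `violations` returns a non-empty list; the trusted parts of the statement never trigger it because their characters carry no mark.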