About rips-docker

rips-docker is a Docker build for the (now abandoned) RIPS 0.5 static source code analyzer for PHP vulnerabilities

How to use this project

Clone this repo

git clone https://github.com/Spartan1776/rips-docker/
cd rips-docker

Configure Docker

If you haven't already installed docker, you'll need to do so. If you're running Ubuntu or a similar Debian-based distro that uses the Advanced Package Tool (APT, or "apt"), you can convert easyDockerInstall to an executable and run the installation file:

chmod +700 easyDockerInstall
sudo ./easyDockerInstall

If easyDockerInstall fails, try running kaliDockerFix

chmod +700 kaliDockerFix
sudo ./kaliDockerFix

Configuring Source Code Location

The rips-docker project was originally developed to support static source code analysis of PHP vulnerabilities in Hackazon; however, it includes functionality (see Option #2 below) for static analysis of any .php files.

Context - Hackazon

Hackazon is a vulnerable test application site, that incorporates a realistic e-commerce workflow with full functionality and technology commonly used in today’s mobile and web applications.

If you'd like to load Hackazon in a Docker container (not required to scan source code), an updated version of Newlode's Dockerized Hackazon project (now archived) is available here: https://github.com/Spartan1776/hackazon

Two Options for Source Code Analysis:

The Dockerfile is pre-configured with two ways to analyze source code:

1 - Load Hackazon source code directly with no user interaction:

Uncommenting the lines:

ADD https://github.com/rapid7/hackazon/archive/master.zip /tmp/
RUN cd /tmp/ && unzip master.zip && mkdir -p /container/source_code && cp -R /tmp/hackazon-master/* /container/source_code/

will load Hackazon source code directly from Rapid7's Hackazon GitHub project (https://github.com/rapid7/hackazon)

2 - Add Hackazon (or your own source code) to this project's "source code" folder

Uncommenting the lines (uncommented by default):

RUN mkdir -p /container/source_code
ADD source_code/* /container/source_code

will move whatever source code you have placed in the rips-docker/source_code directory (note: you may want to remove the REMOVE_ME.txt file inside this folder prior to scanning) to the /container/source_code directory inside the Docker container.

If you wanted to load a local copy of Hackazon into source_code:

cd rips-docker/source_code
rm -f REMOVE_ME.txt
git clone https://github.com/rapid7/hackazon

This will place a directory named "hackazon" with all GitHub project files inside the source_code directory.

Build and start

Once Docker is installed, start the docker image:

sudo docker compose up

Wait for a few seconds then contact the server:

For Firefox:

firefox http://127.0.0.1:8086

For Chrome:

chromium http://127.0.0.1:8086

Scanning source code

This guide won't go into an in-depth explanation of the settings available on the RIPS localhost page.

However, in order to scan your source code, enter:

/container/source_code

into the "path / file:" box on the RIPS localhost page.

Also check the "code style:" value ("phps" for Hackazon) prior to clicking "scan".

Changing source code between scans

To swap source code, use Option #1 or #2 for adding source code (mentioned above), then rebuild the docker image using:

sudo docker compose up --build

Happy hunting!

Special Thanks

This project was developed around the ripsscanner RIPS 0.5 static source code analyzer for PHP vulnerabilities (https://github.com/ripsscanner/rips).

The Docker configuration was developed with inspiration from Newlode's Dockerized Hackazon project (https://github.com/Newlode/hackazon).

Thanks for all the hard work!