Find security holes in PHP code with Progpilot

Tram Ho

Progpilot is a PHP source code analysis tool whose aim is to find security holes. It is a static analysis tool and uses taint checking to find bugs. With this technique, the reported findings are more accurate than those of conventional analysis techniques such as regex matching. Progpilot also has support for finding bugs in frameworks such as WordPress, Symfony, CodeIgniter, PrestaShop and SuiteCRM.

In this post, I will cover:

  • An overview of the tool.
  • How to install it.
  • How to use it.
  • Modifying the rule set to improve scanning efficiency.


Progpilot is a tool that statically analyzes PHP source code to find security vulnerabilities such as SQL injection, XSS, file inclusion and so on.

Static analysis is analysis performed without executing the program.

There are many static analysis techniques; progpilot uses the taint checking technique. Put simply, it works as follows:

Taint checking identifies all the functions that can cause a vulnerability, such as exec, echo, eval and so on. All of these are called sinks (the place where executing the function causes the vulnerability). From each sink, it traces back to data that can be controlled by the user; that point is called the source.

By applying this technique, progpilot gives much more accurate results than conventional analysis, because it shows both where the sensitive function is executed and where the data originates, so a more accurate prediction can be made.

Progpilot allows use as a standalone program or as a library.

Use as a standalone program

Use as a library

Install progpilot

There are three ways to install progpilot.

Download the phar file. This is simple and nothing goes wrong in the process. To download the executable file, visit the following link:

Build from source code. This way is messy and not suited to those who just want to download and use the tool. I want to read the source and change it, so this is the way I use.

To create the phar file from source, follow these steps.

Use composer. This is convenient because it lets you use progpilot both as a library and as a standalone program. To install, use the following command:

When installed this way, the progpilot executable is located at vendor/bin/progpilot.

But for now I still can't install it this way due to some error :v


Progpilot is used from the CLI; it has no graphical interface. That is no problem for me, in fact I really like it. Using the CLI is easier than using a graphical interface and much more convenient.

How to use progpilot

Progpilot allows you to scan multiple files and folders at the same time.

In the picture above I scanned one folder; this folder has only one file, and that file has only one bug.

Rule set

Progpilot allows you to modify the rules for sinks, sources, sanitizers and validators.




The structure of the rules is basically the same for every kind.

  • All of them must have a name and a language.
  • Rules are written in JSON, so they are easy to write and edit.

A few other points:

  • A sink must have an attack.
  • For sinks and sanitizers, name must be the name of the function.
  • A sanitizer must have a prevent, and this prevent needs to correspond to an attack declared in a sink.
  • The name of a source can be a variable rather than a function.

An example of writing a basic rule for a sink is one for the function loadXML.

In the example above I did not use parameters, so progpilot will warn whenever any parameter of loadXML receives a value that may lead to a vulnerability. If you want to specify which parameters the program should check, add the parameters field.
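As an added example (not from the post and not from Progpilot's own rule files), here is a constructed rule set in the layout described above, with a loadXML sink that uses the parameters field, plus a small checker for the constraints listed: every rule has a name and language, every sink has an attack, and every sanitizer's prevent matches a sink's attack. The attack names, the list shape of prevent and the {"id": N} parameter shape are assumptions.

```python
import json

# Constructed rule set in the layout the post describes. The attack names,
# the list shape of "prevent" and the {"id": N} parameter shape (assumed
# 1-based) are assumptions, not copied from Progpilot's shipped rules.
RULES_JSON = """{
  "sinks": [
    {"name": "loadXML", "language": "php", "attack": "xxe", "parameters": [{"id": 1}]},
    {"name": "exec", "language": "php", "attack": "command_injection"}
  ],
  "sanitizers": [
    {"name": "escapeshellarg", "language": "php", "prevent": ["command_injection"]}
  ],
  "sources": [
    {"name": "_GET", "language": "php"}
  ]
}"""

# Same layout with two mistakes: a sink without "attack" and a sanitizer
# whose "prevent" names an attack that no sink declares.
BROKEN_JSON = """{
  "sinks": [{"name": "echo", "language": "php"}],
  "sanitizers": [{"name": "htmlentities", "language": "php", "prevent": ["xss"]}]
}"""


def validate_rules(text):
    """Check the consistency rules from the post; return a list of problems."""
    rules = json.loads(text)
    problems = []
    # Every rule of every kind needs "name" and "language".
    for kind in ("sinks", "sources", "sanitizers", "validators"):
        for rule in rules.get(kind, []):
            for key in ("name", "language"):
                if key not in rule:
                    problems.append(f"{kind}: rule {rule} lacks '{key}'")
    # Sinks must declare an attack; collect them for the sanitizer check.
    attacks = {s["attack"] for s in rules.get("sinks", []) if "attack" in s}
    for sink in rules.get("sinks", []):
        if "attack" not in sink:
            problems.append(f"sink {sink.get('name')} lacks 'attack'")
    # A sanitizer's "prevent" must correspond to an attack of some sink.
    for san in rules.get("sanitizers", []):
        prevents = san.get("prevent") or []
        if not prevents:
            problems.append(f"sanitizer {san.get('name')} lacks 'prevent'")
        for attack in prevents:
            if attack not in attacks:
                problems.append(f"sanitizer {san.get('name')}: no sink has attack '{attack}'")
    return problems
```

Running validate_rules on a rule file before handing it to progpilot catches a sanitizer that silently never applies because its prevent value matches no sink.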

After using it, I rate progpilot well for its many good results. It also missed many bugs, but as an open-source tool its results are good. To improve scanning efficiency, you should edit the rules or add rules of your own.

I would like to end the post here!
