Re: tools to scan source code

From: Stefano Zanero (zanero@elet.polimi.it)
Date: Wed Sep 13 2006 - 04:47:01 EDT


Hi Kish,

I realize I've been a bit too cryptic in my answer:

> Stefano :), you must see Security Forest's page which
> says RATS can audit C, C++, Perl, PHP & Python source
> code. (http://www.securityforest.com/wiki/index.php/Category:Source_Code_Scanners)

Yes, RATS _can_ audit PHP source. What I was referring to is that web
app vulnerabilities have a different structure than the vulnerabilities
you commonly audit C source code for.

For instance, you can detect candidates for buffer overflow (along with
a bunch of false positives) through simple regexp pattern matching. It's
way more difficult to detect candidates for SQL injection with few false
positives.

The fact that RATS is able to handle PHP code is not synonymous with
its being able to handle web-app vulnerabilities.

Stefano
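The contrast Stefano draws above can be shown in a few lines of Python. This is an added illustration, not code from the thread or from RATS: a regex over dangerous libc calls finds buffer-overflow candidates in C with no knowledge of data flow, whereas the same regex approach applied to a PHP SQL sink (`mysql_query`) flags every call, and only a (deliberately minimal) taint-tracking pass, following values from `$_GET` through assignments and clearing them at `intval()`, separates the real candidate from the constant and sanitized queries. Both source samples are constructed for the example; the function and pattern names are assumptions of this example only.

```python
import re

# --- Constructed C sample: unbounded calls are syntactically obvious -----
C_SAMPLE = """#include <string.h>
void copy(char *dst, const char *src) {
    strcpy(dst, src);
    strncpy(dst, src, 16);
    sprintf(dst, "%s", src);
}
"""

# Pattern-matching on the call name is enough to list overflow candidates;
# it cannot tell whether the caller checked lengths, hence false positives.
C_RISKY = re.compile(r"\b(strcpy|strcat|sprintf|gets)\s*\(")

def scan_c(src):
    """Return (line, function) for every risky libc call matched by regex."""
    return [(n, m.group(1))
            for n, line in enumerate(src.splitlines(), 1)
            for m in C_RISKY.finditer(line)]

# --- Constructed PHP sample: the sink name alone says nothing ------------
PHP_SAMPLE = """<?php
$id = $_GET['id'];
$q1 = "SELECT * FROM users WHERE id = " . $id;
mysql_query($q1);
$q2 = "SELECT * FROM users WHERE id = 1";
mysql_query($q2);
$safe = intval($_GET['id']);
mysql_query("SELECT * FROM users WHERE id = " . $safe);
"""

SOURCE = re.compile(r"\$_(GET|POST|COOKIE|REQUEST)\b")     # attacker-controlled input
ASSIGN = re.compile(r"^\s*(\$\w+)\s*=\s*(.+?);")          # one-statement-per-line assumption
SANITIZER = re.compile(r"\b(intval|mysql_real_escape_string)\s*\(")
SINK = re.compile(r"\bmysql_query\s*\((.*)\)")
VAR = re.compile(r"\$\w+")

def naive_scan_php(src):
    """RATS-style name matching: every mysql_query() call is a hit."""
    return [n for n, line in enumerate(src.splitlines(), 1) if SINK.search(line)]

def _uses_taint(expr, tainted):
    return bool(SOURCE.search(expr)) or any(v in tainted for v in VAR.findall(expr))

def taint_scan_php(src):
    """Minimal intra-file taint tracking: report a sink only when its
    argument is built from request input that no sanitizer touched."""
    tainted, hits = set(), []
    for n, line in enumerate(src.splitlines(), 1):
        m = ASSIGN.match(line)
        if m:
            var, rhs = m.groups()
            if SANITIZER.search(rhs):
                tainted.discard(var)          # value passed through a sanitizer
            elif _uses_taint(rhs, tainted):
                tainted.add(var)              # taint propagates via assignment
            else:
                tainted.discard(var)          # overwritten with a clean value
        s = SINK.search(line)
        if s and _uses_taint(s.group(1), tainted):
            hits.append(n)
    return hits

if __name__ == "__main__":
    print("C overflow candidates:", scan_c(C_SAMPLE))
    print("PHP sinks by name only:", naive_scan_php(PHP_SAMPLE))
    print("PHP sinks with tainted input:", taint_scan_php(PHP_SAMPLE))
```

Even this toy tracker is line-oriented and single-file; it ignores function calls, control flow and string interpolation, which is exactly why a dependable SQL-injection scanner needs real data-flow analysis rather than the lexical matching that suffices for a first pass over C.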




This archive was generated by hypermail 2.1.7 : Sat Apr 12 2008 - 10:56:56 EDT