Re: tools to scan source code

From: Barrie Dempster (barrie@reboot-robot.net)
Date: Thu Sep 14 2006 - 07:23:20 EDT


Using SWAAT as it comes is not entirely beneficial. The matches that come with
it in the xml files are extremely naive and will false positive a LOT. For
example SWAAT will pickup "system" as being a vulnerable call to the system
command, even if it is within a string, e.g.
<?php
echo "Backup the system!" ;
?>

This is just one example, it doesn't analyse the code at all.

**********************
Finding Name
 Backup the System
 
Severity of Finding
 Medium
 
Description
 This function appears to issues a command to the operating system. If user
supplied input is used here it may lead to operating system injection
attacks. Ensure all such data is validated.
 

Finding Locations
 In .\system.php, line 2 (context is <?php echo "Backup the System"; ?>)
**********************

Far too many false positives for this to be a useful static analyser. It's not
analysing at all, merely grepping - badly.

I'd steer clear of it for now. It could be more useful if you knock up your
own XML configs, but since its functionality is more limited than grep,
you'd be better off just knocking up some grep scripts.
Even `grep system\( *` is a better match, and even this is a naive filter.
Calling SWAAT a static analyser is a bit of an exaggeration of its current
capabilities.

-- 
With Regards..
Barrie Dempster (zeedo) - Fortiter et Strenue
              - http://reboot-robot.net -
"He who hingeth aboot, geteth hee-haw" Victor - Still Game
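As an added illustration (not part of Barrie's post, and not SWAAT's or any project's code): a Python sketch of the difference between a grep-style match on the word "system" and a check that blanks out string literals and comments before looking for `system(`, run over a constructed PHP snippet modelled on the example above.

```python
import re

# Constructed sample: a string literal that merely mentions "system",
# a comment that names the function, and one real call fed by user input.
SAMPLE_PHP = """<?php
echo "Backup the system!" ;
// system() is discussed here, but a comment is not a call
$out = system($_GET['cmd']);
?>
"""

CALL_RE = re.compile(r'\bsystem\s*\(')


def naive_scan(src):
    """Grep-style check: flag every line that contains the word 'system'."""
    return [n for n, line in enumerate(src.splitlines(), 1) if 'system' in line]


def strip_literals(src):
    """Replace string literals and comments with spaces, keeping newlines
    so that line numbers still match the original source."""
    out, i, n = [], 0, len(src)
    while i < n:
        c = src[i]
        if c in ('"', "'"):                      # quoted string literal
            q, i = c, i + 1
            out.append(' ')
            while i < n and src[i] != q:
                if src[i] == '\\' and i + 1 < n:  # escaped char: blank both
                    out.append(' ')
                    i += 1
                out.append('\n' if src[i] == '\n' else ' ')
                i += 1
            out.append(' ')
            i += 1
        elif src.startswith('//', i) or c == '#':  # line comment
            while i < n and src[i] != '\n':
                out.append(' ')
                i += 1
        elif src.startswith('/*', i):              # block comment
            end = src.find('*/', i + 2)
            end = n if end == -1 else end + 2
            out.append(''.join('\n' if ch == '\n' else ' ' for ch in src[i:end]))
            i = end
        else:
            out.append(c)
            i += 1
    return ''.join(out)


def literal_aware_scan(src):
    """Flag only a 'system(' that survives once literals and comments are gone."""
    cleaned = strip_literals(src)
    return [n for n, line in enumerate(cleaned.splitlines(), 1) if CALL_RE.search(line)]
```

Even the literal-aware version is still pattern matching, not data-flow analysis: it says nothing about whether the argument is user controlled.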




This archive was generated by hypermail 2.1.7 : Sat Apr 12 2008 - 10:56:56 EDT