RE: tools to scan source code

From: Benjamin Livshits (livshits@cs.stanford.edu)
Date: Fri Sep 15 2006 - 17:11:29 EDT


I would refer to the SAMATE project, which keeps a list of source and binary
analysis tools:

        http://samate.nist.gov/index.php/Tools

Regards,
-Ben

> -----Original Message-----
> From: listbounce@securityfocus.com
> [mailto:listbounce@securityfocus.com] On Behalf Of Barrie Dempster
> Sent: Thursday, September 14, 2006 4:23 AM
> To: pen-test@securityfocus.com
> Cc: Wahyu Wijaya H.; kish_pent@yahoo.com; Stefano Zanero; Ric Messier
> Subject: Re: tools to scan source code
>
> Using SWAAT as it comes is not entirely beneficial. The
> matches that come with it in the xml files are extremely
> naive and will false positive a LOT. For example SWAAT will
> pick up "system" as being a vulnerable call to the system
> command, even if it is within a string eg...
> <?php
> echo "Backup the system!" ;
> ?>
>
> This is just one example, it doesn't analyse the code at all.
>
> **********************
> Finding Name
> Backup the System
>
> Severity of Finding
> Medium
>
> Description
> This function appears to issues a command to the operating
> system. If user supplied input is used here it may lead to
> operating system injection attacks. Ensure all such data is validated.
>
>
> Finding Locations
> In .\system.php, line 2 (context is <?php echo "Backup the
> System"; ?>)
> **********************
>
> Far too many false positives for this to be a useful static
> analyser. It's not analysing at all, merely grepping - badly.
>
> I'd steer clear of it for now, it could be more useful if you
> knock up your own XML configs, but since its functionality
> is more limited than grep, you'd be better off just knocking
> up some grep scripts.
> Even `grep system\( *` is a better match and even this is a
> naive filter.
> Calling SWAAT a static analyser is a bit of an exaggeration
> of its current capabilities.
>
> --
> With Regards..
> Barrie Dempster (zeedo) - Fortiter et Strenue
>
> - http://reboot-robot.net -
>
> "He who hingeth aboot, geteth hee-haw" Victor - Still Game
>




This archive was generated by hypermail 2.1.7 : Sat Apr 12 2008 - 10:56:57 EDT