Penetration Testing mailing list archives
Re: tools to scan source code
From: Barrie Dempster <barrie () reboot-robot net>
Date: Thu, 14 Sep 2006 12:23:20 +0100
Using SWAAT as it comes is not entirely beneficial. The matches that come with it in the xml files are extremely naive and will false positive a LOT. For example SWAAT will pick up "system" as being a vulnerable call to the system command, even if it is within a string, e.g.

    <?php echo "Backup the system!" ; ?>

This is just one example; it doesn't analyse the code at all.

**********************
Finding Name
Backup the System
Severity of Finding
Medium
Description
This function appears to issues a command to the operating system. If user supplied input is used here it may lead to operating system injection attacks. Ensure all such data is validated.
Finding Locations
In .\system.php, line 2 (context is <?php echo "Backup the System"; ?>)
**********************

Far too many false positives for this to be a useful static analyser. It's not analysing at all, merely grepping - badly. I'd steer clear of it for now; it could be more useful if you knock up your own XML configs, but since its functionality is more limited than grep, you'd be better off just knocking up some grep scripts. Even `grep system\( *` is a better match, and even this is a naive filter. Calling SWAAT a static analyser is a bit of an exaggeration of its current capabilities.

--
With Regards..
Barrie Dempster (zeedo) - Fortiter et Strenue
- http://reboot-robot.net -
"He who hingeth aboot, geteth hee-haw" Victor - Still Game
Attachment: smime.p7s
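The post's complaint is that a substring rule fires on "system" inside a string literal, so the tool is "merely grepping". The script below is an added illustration, not part of the message thread or of SWAAT, of the minimum a scanner has to do to stop being grep: mask the contents of PHP string literals and comments before looking for shell-sink calls. The sink list, the constructed sample PHP file and the function names are all assumptions made here. Note what it still does not do: line 7 is reported even though its argument is a constant, because nothing here tracks whether user input reaches the call; that is the taint analysis a real static analyser adds on top.

```python
import re

# Assumed sink list: PHP functions that hand a string to the OS shell.
SHELL_SINKS = ("system", "exec", "shell_exec", "passthru", "popen", "proc_open")
CALL_RE = re.compile(r"\b(" + "|".join(SHELL_SINKS) + r")\s*\(")
NAME_RE = re.compile(r"\b(" + "|".join(SHELL_SINKS) + r")\b", re.IGNORECASE)


def mask_literals(src: str) -> str:
    """Return src with the *contents* of string literals and comments replaced by
    spaces. Length and newlines are preserved, so the line numbers of the
    surviving code do not move. Handles '...', "...", //, # and /* */ comments;
    heredoc/nowdoc and ?> boundaries are not handled (a known limitation)."""
    out = []
    i, n = 0, len(src)
    while i < n:
        c = src[i]
        if c in ("'", '"'):                          # quoted string literal
            quote = c
            out.append(c)
            i += 1
            while i < n and src[i] != quote:
                if src[i] == "\\" and i + 1 < n:     # escaped char: mask both bytes
                    out.append(" " + ("\n" if src[i + 1] == "\n" else " "))
                    i += 2
                    continue
                out.append("\n" if src[i] == "\n" else " ")
                i += 1
            if i < n:                                # closing quote
                out.append(quote)
                i += 1
        elif src.startswith("//", i) or c == "#":    # line comment
            while i < n and src[i] != "\n":
                out.append(" ")
                i += 1
        elif src.startswith("/*", i):                # block comment
            end = src.find("*/", i + 2)
            end = n if end == -1 else end + 2
            out.append(re.sub(r"[^\n]", " ", src[i:end]))
            i = end
        else:                                        # ordinary code
            out.append(c)
            i += 1
    return "".join(out)


def line_of(text: str, pos: int) -> int:
    return text.count("\n", 0, pos) + 1


def naive_findings(src: str):
    """SWAAT-style rule: every occurrence of a sink name, context ignored."""
    return [(line_of(src, m.start()), m.group(1)) for m in NAME_RE.finditer(src)]


def lexed_findings(src: str):
    """Same sink names, but only where they are called in real code."""
    masked = mask_literals(src)
    return [(line_of(masked, m.start()), m.group(1)) for m in CALL_RE.finditer(masked)]


# Constructed sample, not a real file; modelled on the false positive in the post.
SAMPLE_PHP = """<?php
echo "Backup the System!";            // line 2: sink name inside a string literal
// system("id");                       line 3: commented-out call
/* exec($x) inside a block comment */ # line 4: another comment
$os = 'file system';                  # line 5: word inside a literal
system("tar czf /tmp/b.tgz " . $_GET['dir']);   // line 6: real call, tainted arg
passthru('uptime');                   // line 7: real call, constant arg
?>
"""

if __name__ == "__main__":
    print("naive (grep-style):", naive_findings(SAMPLE_PHP))   # 6 hits, 4 of them noise
    print("literal-aware     :", lexed_findings(SAMPLE_PHP))   # lines 6 and 7 only
```

The masking pass is deliberately length-preserving so that findings can be reported against the original file without keeping a separate offset map. Running it on the sample shows the naive rule producing six hits, four of which are strings or comments, while the literal-aware pass reports only the two genuine calls; deciding which of those two is actually reachable from user input is the part neither grep nor this script attempts.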
Current thread:
- tools to scan source code Wahyu Wijaya H. (Sep 11)
- RE: tools to scan source code Ric Messier (Sep 11)
- Re: tools to scan source code Stefano Zanero (Sep 12)
- Re: tools to scan source code Kish Pent (Sep 13)
- Re: tools to scan source code Stefano Zanero (Sep 13)
- Re: tools to scan source code Ben Hall (Sep 13)
- Re: tools to scan source code Dan Catalin Vasile (Sep 13)
- RE: tools to scan source code Benjamin Livshits (Sep 13)
- Re: tools to scan source code Kish Pent (Sep 16)
- Re: tools to scan source code Stefano Zanero (Sep 12)
- Re: tools to scan source code Wahyu Wijaya H. (Sep 13)
- Re: tools to scan source code Barrie Dempster (Sep 14)
- RE: tools to scan source code Benjamin Livshits (Sep 15)
- RE: tools to scan source code Ric Messier (Sep 11)
- RE: tools to scan source code Lisa Foster (Sep 13)
- RE: tools to scan source code andy cuff (Sep 14)
- RE: tools to scan source code Ric Messier (Sep 14)
- RE: tools to scan source code Clemens, Dan (Sep 14)
- <Possible follow-ups>
- Fwd: Re: tools to scan source code marco () cerbtech net (Sep 12)