Penetration Testing mailing list archives
Re: tools to scan source code
From: Stefano Zanero <zanero () elet polimi it>
Date: Wed, 13 Sep 2006 10:47:01 +0200
Hi Kish, I realize I've been a bit too cryptic in my answer:
> Stefano :), you must see Security Forest's page which says RATS can audit C, C++, Perl, PHP & Python source code. (http://www.securityforest.com/wiki/index.php/Category:Source_Code_Scanners)

Yes, RATS _can_ audit PHP source. What I was referring to is that web app vulnerabilities have a different structure than the vulnerabilities you commonly audit C source code for. For instance, you can detect candidates for buffer overflow (along with a bunch of false positives) through simple regexp pattern matching. It's way more difficult to detect candidates for SQL injection with few false positives. The fact that RATS is able to handle PHP code is not a synonym for the fact that it can handle web-app vulnerabilities.

Stefano
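An added illustration of the distinction drawn in the message above (this is example code written for this archive page, not code from the thread, from RATS, or from any of the scanners it mentions). It runs a RATS-style lexical blacklist over a constructed C snippet, then applies the same lexical approach to a constructed PHP snippet, where it flags every query that interpolates a variable, escaped or not. A minimal taint-tracking pass, which only reports queries built from unsanitized request input, is what it takes to bring the false positives down. The dangerous-function list, the sanitizer list and both sample inputs are assumptions chosen for the demonstration; a real scanner would need far more of each.

```python
import re

# Constructed C input (not from the thread): two real candidates and one
# bounded call the pattern deliberately ignores.
C_SAMPLE = """#include <string.h>
#include <stdio.h>
void copy(char *dst, const char *src) {
    strcpy(dst, src);       /* unbounded copy: candidate */
    strncpy(dst, src, 16);  /* bounded: not in the blacklist */
    gets(dst);              /* unbounded read: candidate */
}
"""

# Constructed PHP input (not from the thread): one injectable query, two
# queries using sanitized input, one constant query.
PHP_SAMPLE = """<?php
$id   = $_GET['id'];
$name = mysql_real_escape_string($_GET['name']);
$page = intval($_GET['page']);
$q1 = mysql_query("SELECT * FROM users WHERE id = $id");
$q2 = mysql_query("SELECT * FROM users WHERE name = '$name'");
$q3 = mysql_query("SELECT * FROM items LIMIT $page");
$q4 = mysql_query("SELECT * FROM items WHERE id = 1");
"""

# Assumed blacklist of unbounded C string functions (a tiny RATS-like list).
C_DANGEROUS = re.compile(r'\b(strcpy|strcat|sprintf|gets)\s*\(')


def scan_c(source):
    """Lexical scan: return (line_no, function) for every blacklisted call.
    Cheap, and every hit is at least a plausible overflow candidate."""
    hits = []
    for n, line in enumerate(source.splitlines(), 1):
        for m in C_DANGEROUS.finditer(line):
            hits.append((n, m.group(1)))
    return hits


# A mysql_query() whose string literal interpolates a PHP variable.
PHP_QUERY = re.compile(r'mysql_query\s*\(\s*"[^"]*\$\w+[^"]*"')


def scan_php_lexical(source):
    """The same lexical approach applied to SQL injection: flags $q1, $q2 and
    $q3 alike, because it cannot tell escaped input from raw input."""
    return [n for n, line in enumerate(source.splitlines(), 1)
            if PHP_QUERY.search(line)]


ASSIGN = re.compile(r'^\s*\$(\w+)\s*=\s*(.+?);')
SOURCE = re.compile(r'\$_(GET|POST|REQUEST|COOKIE)\b')
# Assumed sanitizer list for the demonstration; incomplete on purpose.
SANITIZER = re.compile(r'\b(mysql_real_escape_string|intval)\s*\(')


def _mentions(var_names, text):
    return any(re.search(r'\$' + v + r'\b', text) for v in var_names)


def scan_php_taint(source):
    """Minimal intra-procedural taint tracking: a variable is tainted when it
    is assigned from a request superglobal or another tainted variable without
    passing through a known sanitizer. A query is reported only if its string
    interpolates a tainted variable, so $q2, $q3 and $q4 are no longer hits."""
    tainted = set()
    hits = []
    for n, line in enumerate(source.splitlines(), 1):
        m = ASSIGN.match(line)
        if m:
            var, rhs = m.group(1), m.group(2)
            rhs_tainted = bool(SOURCE.search(rhs)) or _mentions(tainted, rhs)
            if rhs_tainted and not SANITIZER.search(rhs):
                tainted.add(var)
            else:
                tainted.discard(var)   # reassignment from a clean value clears it
        q = PHP_QUERY.search(line)
        if q and _mentions(tainted, q.group(0)):
            hits.append(n)
    return hits


if __name__ == "__main__":
    print("C lexical hits:     ", scan_c(C_SAMPLE))
    print("PHP lexical hits:   ", scan_php_lexical(PHP_SAMPLE))
    print("PHP taint hits:     ", scan_php_taint(PHP_SAMPLE))
```

Even this toy taint pass is flow-insensitive within a line and blind to anything that crosses a function or file boundary; the point is only that a pattern which is already useful for C needs a data-flow model before it says anything reliable about SQL injection in PHP.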
Current thread:
- tools to scan source code Wahyu Wijaya H. (Sep 11)
- RE: tools to scan source code Ric Messier (Sep 11)
- Re: tools to scan source code Stefano Zanero (Sep 12)
- Re: tools to scan source code Kish Pent (Sep 13)
- Re: tools to scan source code Stefano Zanero (Sep 13)
- Re: tools to scan source code Ben Hall (Sep 13)
- Re: tools to scan source code Dan Catalin Vasile (Sep 13)
- RE: tools to scan source code Benjamin Livshits (Sep 13)
- Re: tools to scan source code Kish Pent (Sep 16)
- Re: tools to scan source code Stefano Zanero (Sep 12)
- Re: tools to scan source code Wahyu Wijaya H. (Sep 13)
- Re: tools to scan source code Barrie Dempster (Sep 14)
- RE: tools to scan source code Benjamin Livshits (Sep 15)
- RE: tools to scan source code Ric Messier (Sep 11)