Penetration Testing mailing list archives
RE: tools to scan source code
From: "Benjamin Livshits" <livshits () cs stanford edu>
Date: Wed, 13 Sep 2006 15:02:48 -0700
We have contemplated augmenting LAPSE with .NET support. LAPSE, an open-source Java source code auditing tool, is now housed at OWASP: http://www.owasp.org/index.php/Category:OWASP_LAPSE_Project Let me know if you are interested. -Ben
-----Original Message----- From: listbounce () securityfocus com [mailto:listbounce () securityfocus com] On Behalf Of Ben Hall Sent: Wednesday, September 13, 2006 2:35 AM To: Stefano Zanero Cc: kish_pent () yahoo com; Ric Messier; Wahyu Wijaya H.; pen-test () securityfocus com Subject: Re: tools to scan source code Hello all, been watching this conversation closely as it is hugely relevant to me at the moment. I am just about to enter my final year of University, and I was hoping to create a static source code analyser for ASP.net applications......I thought it was a good idea, however after reading this I am starting to think otherwise, and maybe there could be better uses of the opportunity to complete a large project. Does anyone have any advice? I want to do a project involving security and .net. I've been recommend to do a application to edit the http request - like WebScarab however this has been done many times, and doesn't represent anything 'new' and while source code auditors aren't new, they are less readily available as open source software. This still is an option I might look into, and taking it off on a tangent some how, and doing more of a full pen-test application. I welcome anyones advice. Thank you Ben On 13/09/06, Stefano Zanero <zanero () elet polimi it> wrote:Hi Kish, I realize I've been a bit too cryptic in my answer:Stefano :), you must see Security Forest's page whichsays RATS canaudit C,C++,Perl,PHP & Python sourcecode.(http://www.securityforest.com/wiki/index.php/Category:Source_Code_Scanners)Yes, RATS _can_ audit PHP source. What I was referring tois that webapp vulnerabilities have a different structure than the vulnerabilities you commonly audit C source code for. For instance, you can detect candidates for buffer overflow (along with a bunch of false positives) through simple regexp pattern matching. It's way more difficult to detect with few falsepositivescandidates for SQL injection. The fact that RATS is able to handle PHP code is not asynonym to thefact that it can handle web-app vulnerabilities. Stefano------------------------------------------------------------------------ This List Sponsored by: Cenzic Need to secure your web apps? Cenzic Hailstorm finds vulnerabilities fast. Click the link to buy it, try it or download Hailstorm for FREE. http://www.cenzic.com/products_services/download_hailstorm.php-------------------------------------------------------------------------------------------------------------------------------------- ---------- This List Sponsored by: Cenzic Need to secure your web apps? Cenzic Hailstorm finds vulnerabilities fast. Click the link to buy it, try it or download Hailstorm for FREE. http://www.cenzic.com/products_services/download_hailstorm.php -------------------------------------------------------------- ----------
------------------------------------------------------------------------ This List Sponsored by: Cenzic Need to secure your web apps? Cenzic Hailstorm finds vulnerabilities fast. Click the link to buy it, try it or download Hailstorm for FREE. http://www.cenzic.com/products_services/download_hailstorm.php ------------------------------------------------------------------------
Current thread:
- tools to scan source code Wahyu Wijaya H. (Sep 11)
- RE: tools to scan source code Ric Messier (Sep 11)
- Re: tools to scan source code Stefano Zanero (Sep 12)
- Re: tools to scan source code Kish Pent (Sep 13)
- Re: tools to scan source code Stefano Zanero (Sep 13)
- Re: tools to scan source code Ben Hall (Sep 13)
- Re: tools to scan source code Dan Catalin Vasile (Sep 13)
- RE: tools to scan source code Benjamin Livshits (Sep 13)
- Re: tools to scan source code Kish Pent (Sep 16)
- Re: tools to scan source code Stefano Zanero (Sep 12)
- Re: tools to scan source code Wahyu Wijaya H. (Sep 13)
- Re: tools to scan source code Barrie Dempster (Sep 14)
- RE: tools to scan source code Benjamin Livshits (Sep 15)
- RE: tools to scan source code Ric Messier (Sep 11)
- RE: tools to scan source code Lisa Foster (Sep 13)
- RE: tools to scan source code andy cuff (Sep 14)