Re: tools to scan source code
From: Barrie Dempster <barrie () reboot-robot net>
Date: Thu, 14 Sep 2006 12:23:20 +0100
Using SWAAT as it comes is not entirely beneficial. The matches that come with
it in the xml files are extremely naive and will false positive a LOT. For
example SWAAT will pickup "system" as being a vulnerable call to the system
command, even if it is within a string, e.g.
echo "Backup the system!" ;
This is just one example, it doesn't analyse the code at all.
Backup the System
Severity of Finding
This function appears to issues a command to the operating system. If user
supplied input is used here it may lead to operating system injection
attacks. Ensure all such data is validated.
In .\system.php, line 2 (context is <?php echo "Backup the System"; ?>)
Far too many false positives for this to be a useful static analyser. It's not
analysing at all, merely grepping - badly.
I'd steer clear of it for now, it could be more useful if you knock up your
own XML configs, but since its functionality is more limited than grep,
you'd be better off just knocking up some grep scripts.
Even `grep system\( *` is a better match and even this is a naive filter.
Calling SWAAT a static analyser is a bit of an exaggeration of its current
Barrie Dempster (zeedo) - Fortiter et Strenue
- http://reboot-robot.net -
"He who hingeth aboot, geteth hee-haw" Victor - Still Game