Security Basics mailing list archives

RE: Vuln Scanner for Web App Source Code


From: "Dan Denton" <ddenton () remitpro com>
Date: Mon, 19 May 2008 17:01:56 -0500

I'd highly recommend Paros Proxy for this task. We've used it with success
in locating pages vulnerable to XSS and SQLI. The product acts as a proxy
server, and also has a spider program built in. Once you've accessed the
pages you want to access, you can use the spider to crawl the rest of the
site, then run Paros's report program to analyze the results.

-----Original Message-----
From: listbounce () securityfocus com [mailto:listbounce () securityfocus com] On
Behalf Of Paul J. Brickett
Sent: Monday, May 19, 2008 9:10 AM
To: cnanne () gmail com
Cc: security-basics () securityfocus com;
security-basics-return-49117 () securityfocus com
Subject: Re: Vuln Scanner for Web App Source Code

Acunetix Web Vulnerability Scanner will somewhat do this - it will
attempt to manipulate various variables it detects in the pages
you're scanning, then point
out which variables in your source are susceptible to unsanitized input,
cross site scripting, etc.

That said, if you have the time doing this manually is the superior 
method. :)

-PJB

On Sun, 18 May 2008, cnanne () gmail com wrote:

This might be a bit of a dumb question, but does anyone know of a good
Vulnerability Scanner for finding faults in the actual Source Code of the
Web App? Or can this task only be done by hand?

Any feedback on this is highly appreciated.


cheers,

PhoenixRbrth
