September 28, 2006

Static code analysis for web apps

Over at Security Compass they have released "Securitycompass Web Application Analysis Tool", or SWAAT for short.

It is a FREE static code analysis tool that will parse PHP, ASP and JSP files, looking for possible coding defects in the code.

I downloaded it and gave it a try on my ASP.NET 2.0 directories, and it couldn't pick them up at all. Checking their FAQ it says it supports .NET 1.1 or above... but I am thinking they mean ASP, and NOT ASP.NET. You may have better results.

If you are a PHP developer you may have better results. It looks like from their examples that this was what the tool was originally targeting for. It is in beta, and I caused a bunch of exceptions just trying to run it. ie: You have to run swaat.exe from their base directory, you can't call it with an explicit path, as it fails with an IO exception.... not being able to load the XML files. It is a beta, so I won't be to critical on that at this point.

You can download SWAAT here and give it a try. You might have better results than I did.

Posted by SilverStr at September 28, 2006 08:48 AM | TrackBack
Comments

Well, I'm not impressed. It flags a require_once call in PHP as a medium security risk.... ALL require_once calls!

And when I ran it on one of my large include directories, it spits out an exception:

Unhandled Exception: System.IndexOutOfRangeException: Index was outside the boun
ds of the array.
at SWAAT.PHP_Lexer.Accept_101()
at SWAAT.PHP_Lexer.lex()
at SWAAT.AnalysisEngine.Analyze(ILexer lexer, MessageDB msgs)
at SWAAT.Scanner.RunScan()
at SWAAT.SWAAT_Console.Run(String[] args)
at SWAAT.SWAAT_Console.Main(String[] args)

Not really helpful.

Posted by: Mike Weller at September 29, 2006 03:15 AM

Hi,
First of all thank you for downloading and trying out SWAAT. As you guys said it is in beta and we are trying to fix some of the bugs that have been reported to us.

It looks like three major bugs have been reported is crashing on excessive "&" in the files, trailing slash causing the application to crash and lastly that swaat has to be run from its home directory only as it is looking for the xml files.

That being said in response to your statement about .NET 1.1 and above supported is closer to the statement in terms of requirements for SWAAT as it is written in .NET. The code it audits is ASP.NET, hopefully in the next release we will attempt to start with C# etc.

Lastly to address Mike's comment about require_once, As far as i can tell we don't look for require_once. It is a free tool that looks for functions (which can be added / delete by modifying asp.xml, jsp.xml & php.xml) that if used improperly could lead to web application vulnerabilities.

It is supposed to aid auditors, developers etc.

I do realize that this release has too many findings which we are planning to address by doing some variable tracking etc.

If there are other problems / suggestions for improvement you would have, please send me an email directly at my above email address or to swaat@securitycompass.com and we would be happy to integrate it into the tool.

Thanks

Nish.
/Designer of SWAAT

Posted by: Nish at October 4, 2006 05:17 PM