Difference between revisions of "Category:OWASP SWAAT Project"

From OWASP
(Removed orphan header, added link to talk page for status updates)

Revision as of 12:36, 31 October 2013

Main

Please see the Discussion page for an update on the status of this project.

Overview

SWAAT is an open source web application source code analysis tool. SWAAT searches through source code and analyzes against the database of potentially dangerous strings given in the .xml files. Thus it does NOT positively identify the existence of a vulnerability - this generally requires application contextual knowledge. It identifies the usage of functions / strings / SQL that could lead to a finding. All potentially dangerous code references are included in the output report.

The current version of SWAAT works only with server pages. Expect to see enhanced functionality in future versions of the application.

Goals

The aim of SWAAT is to help developers, testers, security staff, and auditors locate potentially dangerous portions of source code; it is designed to assist source code review.

After reviewing millions of lines of source code, most security professionals believe that automated run-time analysis tools are useful at identifying simple, common vulnerabilities. In most cases, however, the vast majority of vulnerabilities require human intelligence and knowledge of the application. SWAAT helps to reduce the burden of source code review by identifying potentially dangerous functions and strings in code and explaining both how they may be dangerous and how to mitigate potential risks.

Download

You can download the source here: http://www.securitycompass.com/swaat/swaat_source.zip

System Requirements

SWAAT was designed for the .NET Framework 1.1.4322 or lower. SWAAT has been successfully tested on both Windows and Linux (using Mono).

Execution

SWAAT is a command-line program that runs on Windows and, under Mono, on Linux. In this first release, SWAAT must be run from within its installation directory.

The scenario below shows a simple execution of SWAAT:

       c:\program files\swaat> swaat ..\myapp

Here we are running SWAAT on all files in the "c:\program files\myapp" directory.

You can optionally execute swaat on specific files:

       c:\program files\swaat> swaat ..\myApp\somefile.php

Results of the analysis are listed by default in a file called SWAAT-<year month day time>.html (e.g. SWAAT-20060723164024.html). If you wish to specify a different file use the –o option:

       c:\program files\swaat> swaat –o myOutput.html ..\myApp

You may optionally turn off the xsl transform and simply save the raw xml results by using the –x option:

       c:\program files\swaat> swaat –x ..\myApp\*.php

By running SWAAT you agree to the license terms described in license.txt

Additional Options

SWAAT allows for two other options, the “–a lang” option and the “–i” option:

  • The “-a lang” option forces all file extensions to be mapped to a single language:

c:\program files\swaat> swaat –a PHP ..\myApp\

Note: the language name must be given in upper case (ASP, JSP, PHP).

  • The “-i” option ignores case both when reading the content of the scanned files and when reading the function names provided in the signature files.

Configuration

This version of SWAAT works on JSP, ASP .NET, and PHP. It also searches for generic indicators such as "SQL" and "Password", so it may provide some value on other platforms. Signatures for ASP, JSP and PHP functions are in the respective asp.xml, jsp.xml and php.xml files. Each signature has the mandatory XML tags "vuln match" and "type" and the optional tags "severity" and "alt".

   * "vuln match" contains the string token to search for
   * "type" maps to a type of vulnerability as described by the "msg name" tags in msg.xml (e.g. userinput, racecondition, OSScripting, etc.)
   * "severity" specifies the risk level (high, medium, or low)
   * "alt" is a suggestion for an alternative, lower-risk function to use (e.g. SecureRandom instead of Random)

In addition, the file embedded.xml looks for expressions across all three types of files (Java, ASP, and PHP). All "vuln match" tags in embedded.xml must start and end with ".*" wild card characters.

Regular expression searches can be added to any of the above-mentioned xml files.

The "vuln match" must contain the regular expression to search for. The following characters must be escaped with a '\' character to be interpreted literally: ^ $ | ? . ( ) \ + * (e.g. "\^foobar" finds the literal string "^foobar", whereas an unescaped ^ would anchor the match to the start of the line).
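To make the signature mechanism concrete, here is a small scanner that loads signature files of the shape described above and runs them over a PHP file, reporting each potentially dangerous reference with its line, type, severity, msg.xml explanation and suggested alternative. This is an added example written for this page, not SWAAT's own source. It assumes a signature is a <vuln> element carrying "match", "type", "severity" and "alt" as attributes and that msg.xml uses <msg name="..."> elements (the real files may lay these out differently); the signature files and the PHP target are constructed for the example. It also enforces the two rules stated above (literal tokens such as '(' and '$' are escaped, and embedded.xml matches are wrapped in ".*"), honours the -i case-insensitive switch, and builds the default SWAAT-<timestamp>.html report name from the Execution section.

```python
"""SWAAT-style signature scanner (added example, not the project's own code)."""
import re
import xml.etree.ElementTree as ET
from datetime import datetime

# Constructed php.xml-style file. ASSUMPTION: one <vuln> element per signature
# with match/type/severity/alt as attributes. '(' and '$' are escaped so they
# are matched literally, as the Configuration section requires.
PHP_SIGNATURES = r"""<?xml version="1.0"?>
<signatures>
  <vuln match="mysql_query\s*\(" type="sqlinjection" severity="high"
        alt="PDO::prepare with bound parameters"/>
  <vuln match="\$_(GET|POST|REQUEST|COOKIE)\[" type="userinput" severity="medium"/>
  <vuln match="\beval\s*\(" type="OSScripting" severity="high"/>
</signatures>
"""

# Constructed embedded.xml-style file: every match must start and end with ".*".
EMBEDDED_SIGNATURES = r"""<?xml version="1.0"?>
<signatures>
  <vuln match=".*[Pp]assword.*" type="hardcoded" severity="low"/>
</signatures>
"""

# Constructed msg.xml excerpt: a signature's "type" maps to a "msg name" here.
MESSAGES = """<?xml version="1.0"?>
<messages>
  <msg name="sqlinjection">Query assembled from untrusted data; SQL injection.</msg>
  <msg name="userinput">Untrusted request data enters the application here.</msg>
  <msg name="OSScripting">Dynamic code or command execution.</msg>
  <msg name="hardcoded">Possible credential embedded in source.</msg>
</messages>
"""

# Constructed target file; findings carry 1-based line numbers.
SAMPLE_PHP = """<?php
$id = $_GET['id'];
$res = mysql_query("SELECT * FROM users WHERE id=" . $id);
$stmt = $pdo->prepare("SELECT * FROM users WHERE id=?");
$password = "hunter2";
EVAL($_POST['code']);
"""

# The timestamp from the page's own example file name.
EXAMPLE_TIME = datetime(2006, 7, 23, 16, 40, 24)


def load_signatures(xml_text, ignore_case=False, embedded=False):
    """Parse a signature file into (regex, type, severity, alt) tuples.

    'match' and 'type' are mandatory, 'severity' defaults to medium, and an
    embedded.xml match must be wrapped in ".*". ignore_case mirrors -i.
    """
    flags = re.IGNORECASE if ignore_case else 0
    sigs = []
    for vuln in ET.fromstring(xml_text).iter("vuln"):
        match, vtype = vuln.get("match"), vuln.get("type")
        if match is None or vtype is None:
            raise ValueError("vuln element needs both 'match' and 'type'")
        if embedded and not (match.startswith(".*") and match.endswith(".*")):
            raise ValueError("embedded.xml match must be wrapped in .*: %r" % match)
        sigs.append((re.compile(match, flags), vtype,
                     vuln.get("severity", "medium"), vuln.get("alt")))
    return sigs


def load_messages(xml_text):
    """Map each msg name to its explanation text."""
    return {m.get("name"): (m.text or "").strip()
            for m in ET.fromstring(xml_text).iter("msg")}


def scan_source(source, sigs, messages):
    """Return one finding per (line, signature) hit, in file order.

    As with SWAAT, a hit is only a candidate: line 3 of SAMPLE_PHP is a real
    injection, while the prepare() call on line 4 is correctly not flagged.
    """
    findings = []
    for lineno, line in enumerate(source.splitlines(), 1):
        for regex, vtype, severity, alt in sigs:
            if regex.search(line):
                findings.append({"line": lineno, "type": vtype,
                                 "severity": severity, "alt": alt,
                                 "message": messages.get(vtype, "no description"),
                                 "code": line.strip()})
    return findings


def default_report_name(now):
    """SWAAT's default output name: SWAAT-<year month day time>.html."""
    return "SWAAT-%s.html" % now.strftime("%Y%m%d%H%M%S")


def run(ignore_case=False):
    """Scan SAMPLE_PHP with both signature files, honouring -i."""
    sigs = (load_signatures(PHP_SIGNATURES, ignore_case)
            + load_signatures(EMBEDDED_SIGNATURES, ignore_case, embedded=True))
    return scan_source(SAMPLE_PHP, sigs, load_messages(MESSAGES))


if __name__ == "__main__":
    print("report would be written to", default_report_name(datetime.now()))
    for f in run(ignore_case=True):
        print("line %d [%s/%s] %s -> alt: %s" % (
            f["line"], f["type"], f["severity"], f["code"], f["alt"]))
```

Run without -i and the upper-cased EVAL( on line 6 slips past the case-sensitive eval signature; with ignore_case=True it is reported, which is exactly the situation the -i option exists for.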

Future Development

Future releases of SWAAT will include:

  • a graphical user interface (GUI)
  • integrated development environment (IDE) plug-ins
  • more sophisticated functionality and logic (for example to work with .java source)

Feedback and Participation

We hope you find the OWASP SWAAT Project useful. Please contribute to the Project by volunteering for one of the Tasks, or by sending your comments, questions, and suggestions to owasp@owasp.org. An OWASP SWAAT Project mailing list does not currently exist, but please check back here at a later date.

If you do make any additions to the configuration files or have any contributions to the findings database, please send them to owasp@owasp.org so they can be included in the next release.

Project Sponsors

SWAAT was generously donated by Security Compass (http://www.securitycompass.com).

Project Details

PROJECT INFO
What does this OWASP project offer you?
what is this project?
OWASP SWAAT Project

Purpose: N/A

License: N/A

who is working on this project?
Project Leader: N/A

Project Maintainer:

Project Contributor(s): N/A

how can you learn more?
Project Pamphlet: N/A

3x slide Project Presentation: N/A

Mailing list: N/A

Project Roadmap: N/A

Main links: N/A

Project Health: Not Reviewed (Provisional)
To be reviewed under Assessment Criteria v2.0

Key Contacts
  • Contact the GPC to contribute, review or sponsor this project
  • Contact the GPC to report a problem or concern about this project or to update information.
