royharoush / wavsep

Automatically exported from code.google.com/p/wavsep

Suggestion #1

Open GoogleCodeExporter opened 9 years ago

GoogleCodeExporter commented 9 years ago
This is not a problem or an issue; just a suggestion:
- I've tested several major open source scanners. One of the most challenging 
things for these scanners is the language of the file, and when different 
languages are mixed. Is it possible to support other languages such as .Net, 
PHP, and ASP in this project?

- I've also attached some vulnerable stored procedures and ASP files that can be 
added to this project for open source scanners. Could you please check them and 
add them to the project if they are useful? I found out that most of the 
open source scanners cannot find vulnerabilities in these ASP files.

- Could you please negotiate with the famous source scanners to have their test 
versions as well? (Fortify, IBM Rational AppScan, Checkmarx, and so on)

Original issue reported on code.google.com by soroush....@gmail.com on 24 Jan 2011 at 10:50

Attachments:

GoogleCodeExporter commented 9 years ago
They are. Didn't plan to release it for different development technologies (I'm 
trying to mimic their behavior in some of the test cases), but I'll think how 
they can be used.

Original comment by sectoola...@gmail.com on 16 Dec 2011 at 2:57

GoogleCodeExporter commented 9 years ago
Please be very careful about mimicking other languages/vulnerabilities. You 
can't guess all the ways a scanner attempts to determine a vulnerability and 
you could end up making scanners FN and have your results be untrustworthy. 
(See: http://www.veracode.com/blog/2012/05/whitepaper-broken-logic-avoiding-the-test-site-fallacy/).

Original comment by isaac.da...@gmail.com on 20 Jul 2012 at 8:41