
Thread: Tool: Check code src vuln

  1. #1
    Senior Member
    Join Date
    Nov 2002
    Posts
    382

    Tool: Check code src vuln

    Here is a very interesting tool for scanning open source code you may download; it can help find vulnerabilities contained in source code.
    Very useful for vulnerability assessment and also for people developing stuff (it's a way to learn to code without straightforward vulnerable functions. Maybe M$ should use it!!!)

    I found it very useful and it may interest some AOs.

    Flawfinder

    How it works! Flawfinder works by using a built-in database of C/C++ functions with well-known problems, such as buffer overflow risks (e.g., strcpy(), strcat(), gets(), sprintf(), and the scanf() family), format string problems ([v][f]printf(), [v]snprintf(), and syslog()), race conditions (such as access(), chown(), chgrp(), chmod(), tmpfile(), tmpnam(), tempnam(), and mktemp()), potential shell metacharacter dangers (most of the exec() family, system(), popen()), and poor random number acquisition (such as random()).

    Flawfinder produces a list of ``hits'' (potential security flaws), sorted by risk; by default the riskiest hits are shown first. This risk level depends not only on the function, but on the values of the parameters of the function. For example, constant strings are often less risky than fully variable strings in many contexts.
    [...]
    it primarily does simple text pattern matching (though it does ignore comments and strings as it should). Nevertheless, flawfinder can be a very useful aid in finding and removing security vulnerabilities.
    SHARING KNOWLEDGE

  2. #2
    Senior Member
    Join Date
    Jun 2003
    Posts
    723
    Neat-o, I am off to packetstorm to read more. Edit: for more info -- http://www.dwheeler.com/flawfinder/
    Do unto others as you would have them do unto you.
    The international ban against torturing prisoners of war does not necessarily apply to suspects detained in America's war on terror, Attorney General John Ashcroft told a Senate oversight committee
    -- true colors revealed, a brown shirt and jackboots
