Chris Tankersley

· PHP Jack of All Trades ·

Web App Development - Code Reviewers and Fuzz Testing

I intend on writing up a tutorial showing how this works, but today I came across these two programs and used them a bit at work today. Both of these pieces of software look to help automate some of the penetration testing that I will begin doing on web applications we build, and as such look forward to more full write-ups on what these two programs can do.

Read on for info on RATS and wfuzz.

RATS - Rough Auditing Tool for Security

http://www.fortifysoftware.com/security-resources/rats.jsp

RATS is a code reviewing software that searches your code for what could potentially be vulnerabilities. For example, one of the scripts that we use has to use an fopen(), which RATS catches. It gives a few suggestions on making sure that unsafe calls are considered safe (in the case of fopen, it warns that allowing user input for the parameters is a bad idea so validate it first) and tells you what file and line the vulnerability is on.

RATS supports scanning of C, C++, Perl, PHP, and Python source code.

wfuzz

http://www.edge-security.com/wfuzz.php

wfuzz is a Python-based brute force and fuzzing software to test web applications. It will scan your application or page for things that hackers look for (open directories, odd POST/GET entries, etc) and let you know what it finds. While it runs in a console, wfuzz also lets you generate a nice HTML page that allows you to see and test first hand what wfuzz found.

wfuzz is language independant, it just requires that your application be browser-based.


Comments

Categories: Programming, Software

Tags: Security, Testing