[Owasp-orizon] Xml file with Orizon WebGoat results

Paolo Perego thesp0nge at owasp.org
Mon May 18 05:50:11 EDT 2009


Hi there and sorry for the late answer.

On Wed, May 13, 2009 at 1:00 AM, dinis cruz <dinis.cruz at owasp.org> wrote:

> Flow scanner), but can't seem to figure out how to run the latest version of
> Orizon on the WebGoat code
You can run it over the WebGoat code, but without any valuable hint. JSP is
not covered yet, so actually you can perform
just a basic and lame code crawl over the 10 Java files (I've done
it just now, without any findings).

> I might be missing something here but the 1.7 binaries are only a couple
> jars with no rules, so how do I scan the code?
The library is contained in the orizon-library-version.jar file, so looking at
the binary distribution, you can find this file
with all the remaining jar files.

A brief recap for the list about what happened during my speech at
AppSec last 13 May.

I described our newer approach using Engine classes, and how engines
can interact with each other.
I also used the latest code from the svn repository (which will become v1.18
next 21 May) to show a brief demo.
I showed Orizon building a *partial* application model for PHP
(Wordpress) and Java (Tomcat). I also tried to show C support by modeling
the Linux kernel, but a null pointer exception arose. Fixed now.
I also showed that Orizon is just able to crawl the code,
not do a real static analysis.
The video will be available soon at owasp.blip.tv.

My idea is to package the version we have now and submit it to Matt for
the Live CD. I hope with this to get tons of
bug reports and feature requests.
During the speech I also proposed a roadmap for the project and some
goals we have to achieve within a year from now.
Slides are available here:
http://www.owasp.org/images/6/64/AppsecEU09_owasp_orizon_new_static_analysis_in_HiFi_.ppt

Dinis, I'll add an XML output facility to the release I'll send
to Matt for the Live CD, so you can have a first thing, but please note
that the model is not built yet and the results are just the ones obtained
with a source code crawl.

Ciao ciao
thesp0nge
-- 
"stay hungry, stay foolish"

OWASP Orizon project, http://orizon.sourceforge.net
"enjoy your code review experience"
