[Owasp-codereview] [Owasp-lapse] Relation Between Vulnerability Sink and Vulnerability Sources

Lucas Ferreira listas at sapao.net
Thu Mar 5 10:26:28 EST 2009


Hello Zaki,

Sources are places in the code that get information from external entities
and sinks are places where information leaves the application. Using LAPSE
you can map which sinks may receive information that comes from external
entities through some of the listed sources.

LAPSE uses the concept of tainted variables, which are variables that hold
data that was received by the application but have not been checked or
validated. The idea is that any information in tainted variables must come
from a source and that tainted information which is sent to a sink is a
possible cause of vulnerabilities. So LAPSE is useful to check if all data
acquired through a source is checked before it is used in a sink.

Regards,

Lucas

On Wed, Mar 4, 2009 at 23:01, Zaki Akhmad <zakiakhmad at gmail.com> wrote:

> Hi all
>
> Has anybody here used LAPSE[1][2]? I am a little bit confused about
> the relation between vulnerability sink and vulnerability sources.
> Should there be a link between them?
>
> --
> Zaki Akhmad
> [1] http://suif.stanford.edu/~livshits/work/lapse/
> [2]http://www.owasp.org/index.php/Category:OWASP_LAPSE_Project
>
> CC: owasp-lapse mailing list
>



-- 
If a tree falls in the forest and no one is around to see it, do the other
trees make fun of it?
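
The source-to-sink relation described in the reply above, as an added example that is not part of the original message and is not LAPSE code. It is a toy taint tracker over a constructed straight-line program; the source, sink and validator names and the program itself are assumptions chosen for illustration.

```python
"""Toy taint tracker: reports which sinks receive data that came from a source."""

# Assumed names for illustration; these are not LAPSE's own source/sink lists.
SOURCES = {"getParameter", "getHeader"}    # external data enters here
SINKS = {"executeQuery", "println"}        # data leaves the application here
VALIDATORS = {"validate"}                  # a check that clears taint

# Constructed program: (target variable, function called, argument variables).
PROGRAM = [
    ("name", "getParameter", []),              # 1: source, 'name' is tainted
    ("query", "concat", ["prefix", "name"]),   # 2: derived value stays tainted
    (None, "executeQuery", ["query"]),         # 3: sink reached by tainted data
    ("agent", "getHeader", []),                # 4: source, 'agent' is tainted
    ("safe", "validate", ["agent"]),           # 5: checked before use
    (None, "println", ["safe"]),               # 6: sink, but data was validated
]

def find_flows(program):
    """Return (source_line, sink_line, variable) for each tainted sink argument."""
    origin = {}   # variable -> set of source line numbers it derives from
    flows = []
    for lineno, (target, func, args) in enumerate(program, start=1):
        if func in SINKS:
            # A link exists when an argument still carries taint from a source.
            for arg in args:
                for src in sorted(origin.get(arg, ())):
                    flows.append((src, lineno, arg))
        if target is None:
            continue
        if func in SOURCES:
            origin[target] = {lineno}
        elif func in VALIDATORS:
            origin[target] = set()
        else:
            # Any other call propagates the taint of all its arguments.
            origin[target] = set().union(*(origin.get(a, set()) for a in args))
    return flows

if __name__ == "__main__":
    for src, sink, var in find_flows(PROGRAM):
        print(f"source at line {src} reaches sink at line {sink} via '{var}'")
```

Only the first source is linked to a sink here; the second source's data passes through the validator, so its sink is not reported.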