Xanitizer

from Wikipedia, the free encyclopedia

Basic data

Developer: RIGS IT GmbH
Current version: 5.0
Operating system: Windows, Linux, macOS
Programming language: Java, Scala, JavaScript, TypeScript
Category: Development tool
License: commercial license

Xanitizer is a software development tool that scans web applications for security vulnerabilities. The programming languages Java, Scala, JavaScript and TypeScript are supported. In addition, the presentation frameworks JSP, JSF and AngularJS can be analyzed in order to identify possible cross-site scripting attack vectors.

Xanitizer uses the following techniques to find security vulnerabilities:

  • Taint analysis: a data flow analysis determines the points at which user-controlled data enters the software system (so-called taint sources), how this data moves through the system, and where it ultimately reaches code locations at which it can potentially cause damage (taint sinks).
  • Protocol analysis: a data flow analysis checks whether a set of methods is called in the predefined order and with the correct parameters. This is particularly relevant when cryptography is used.
  • Detection of method calls: the bytecode of the software system is examined for calls to potentially harmful methods.
  • Configuration checking: the configuration files of the web application are searched for configuration problems.
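As an added illustration of the first two techniques (this is not Xanitizer code and does not reproduce its rule format), the following Python script runs a toy taint analysis and a toy protocol analysis over a constructed straight-line program. The method names, rule tables and sample program are assumptions made for the example: `HttpServletRequest.getParameter` is treated as a taint source, `Encoder.encodeForHTML` as a sanitizer, `PrintWriter.println` and `Statement.executeQuery` as sinks, and the cipher rule requires `Cipher.init` before `Cipher.doFinal` with a non-constant IV argument.

```python
"""Toy forward dataflow analyses illustrating taint analysis and protocol
analysis. Added example, not Xanitizer code; rule tables and the Java-style
method names are constructed. Statements are tuples:
("const", dst, literal) / ("assign", dst, src) / ("call", dst, method, args),
where dst may be None and, for instance methods, args[0] is the receiver."""
from dataclasses import dataclass

# Taint rules: where attacker-controlled data enters, what cleans it, and where
# it must not arrive uncleaned (mapped to the vulnerability class reported).
TAINT_SOURCES = {"HttpServletRequest.getParameter"}
TAINT_SANITIZERS = {"Encoder.encodeForHTML"}
TAINT_SINKS = {"PrintWriter.println": "XSS", "Statement.executeQuery": "SQLi"}

# Protocol rules: a creating call sets the start state; each step lists the
# states it may be called in, the state afterwards and, optionally, the index
# of an argument that must not be a compile-time constant.
PROTOCOL_START = {"Cipher.getInstance": "new"}
PROTOCOL_STEPS = {
    "Cipher.init": ({"new", "ready"}, "ready", 3),   # argument 3 is the IV
    "Cipher.doFinal": ({"ready"}, "ready", None),
}


@dataclass
class Finding:
    kind: str
    line: int
    detail: str


def mark(flags, var, on):
    """Set or clear a per-variable flag (taint, constant-ness) on assignment."""
    (flags.add if on else flags.discard)(var)


def taint_analysis(program):
    """Report statements where tainted data reaches a sink without passing a
    sanitizer. Taint is killed on reassignment and propagated through
    assignments and through calls that consume a tainted argument."""
    tainted, findings = set(), []
    for line, stmt in enumerate(program, start=1):
        if stmt[0] in ("const", "assign"):
            mark(tainted, stmt[1], stmt[0] == "assign" and stmt[2] in tainted)
        elif stmt[0] == "call":
            _, dst, method, args = stmt
            args_tainted = any(a in tainted for a in args)
            if method in TAINT_SINKS and args_tainted:
                findings.append(Finding(TAINT_SINKS[method], line,
                                        f"tainted argument reaches {method}"))
            if dst is not None:   # sanitizer output counts as clean
                mark(tainted, dst, method in TAINT_SOURCES
                     or (args_tainted and method not in TAINT_SANITIZERS))
    return findings


def protocol_analysis(program):
    """Check call order on each tracked object and flag compile-time constants
    passed where the rule requires a fresh value (e.g. a hard-coded IV)."""
    state, constants, findings = {}, set(), []   # state: receiver var -> state
    for line, stmt in enumerate(program, start=1):
        if stmt[0] in ("const", "assign"):
            mark(constants, stmt[1], stmt[0] == "const" or stmt[2] in constants)
        elif stmt[0] == "call":
            _, dst, method, args = stmt
            if dst is not None:
                constants.discard(dst)
                if method in PROTOCOL_START:
                    state[dst] = PROTOCOL_START[method]
            if method not in PROTOCOL_STEPS or not args or args[0] not in state:
                continue   # not a call on a tracked object
            allowed, after, fresh = PROTOCOL_STEPS[method]
            receiver = args[0]
            if state[receiver] not in allowed:
                findings.append(Finding("ProtocolOrder", line,
                    f"{method} called on {receiver} in state '{state[receiver]}'"))
            if fresh is not None and args[fresh] in constants:
                findings.append(Finding("ConstantArgument", line,
                    f"constant {args[fresh]} passed as argument {fresh} of {method}"))
            state[receiver] = after
    return findings


# Constructed sample: a servlet handler followed by a cipher use.
SAMPLE_PROGRAM = [
    ("call", "name", "HttpServletRequest.getParameter", ["request", '"name"']),  # 1 source
    ("call", "safe", "Encoder.encodeForHTML", ["name"]),                          # 2 sanitizer
    ("call", None, "PrintWriter.println", ["out", "safe"]),                       # 3 clean
    ("assign", "copy", "name"),                                                   # 4 propagates
    ("call", "query", "String.concat", ['"SELECT * FROM t WHERE n="', "copy"]),   # 5 propagates
    ("call", None, "Statement.executeQuery", ["stmt", "query"]),                  # 6 SQLi
    ("const", "iv", "0x00000000000000000000000000000000"),                        # 7 hard-coded IV
    ("call", "cipher", "Cipher.getInstance", ['"AES/CBC/PKCS5Padding"']),         # 8 created
    ("call", "ct", "Cipher.doFinal", ["cipher", "data"]),                          # 9 before init
    ("call", None, "Cipher.init", ["cipher", "ENCRYPT_MODE", "key", "iv"]),        # 10 constant IV
    ("call", "ct", "Cipher.doFinal", ["cipher", "data"]),                          # 11 fine
]

if __name__ == "__main__":
    for f in taint_analysis(SAMPLE_PROGRAM) + protocol_analysis(SAMPLE_PROGRAM):
        print(f"line {f.line}: {f.kind}: {f.detail}")
```

Running the script prints three findings: tainted data reaching `Statement.executeQuery` on line 6, `Cipher.doFinal` called before `Cipher.init` on line 9, and the hard-coded IV passed to `Cipher.init` on line 10. The value written on line 3 is not reported because it passed through the sanitizer, which is the distinction a taint analysis must get right to avoid flooding developers with false positives.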

In addition, the open source tools SpotBugs and OWASP Dependency-Check can be run from within Xanitizer; their results are merged with the other findings.

Xanitizer ships with a large number of predefined patterns for detecting security vulnerabilities. Users can extend these with further method patterns (for taint sources, taint sanitizers, taint sinks and other potentially harmful methods). Regular expressions and XPath expressions can also be specified to find further problems in configuration files.
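The following Python script is an added example of configuration checks driven by XPath and regular-expression patterns; it is not Xanitizer code and does not use its rule syntax. The web.xml and properties samples, the rule names and the expected values are constructed for the example (the web.xml omits the usual xmlns declaration so that the XPath expressions stay short).

```python
"""Configuration checks driven by XPath and regex patterns. Added example,
not Xanitizer code; rules and sample files are constructed."""
import re
import xml.etree.ElementTree as ET

# Constructed web.xml with two weaknesses: the session cookie is not marked
# HttpOnly and the admin area does not require a confidential transport.
WEB_XML = """<web-app>
  <session-config>
    <cookie-config>
      <secure>true</secure>
    </cookie-config>
  </session-config>
  <security-constraint>
    <web-resource-collection><url-pattern>/admin/*</url-pattern></web-resource-collection>
    <user-data-constraint><transport-guarantee>NONE</transport-guarantee></user-data-constraint>
  </security-constraint>
</web-app>"""

# Constructed properties file with a credential committed in clear text.
APP_PROPERTIES = """server.port=8080
db.url=jdbc:postgresql://db.example.test/app
db.password=example-secret-value
"""

# XPath rules: (finding name, expression, expected element text). The element
# must exist and, if an expected text is given, carry exactly that text.
XPATH_RULES = [
    ("session cookie lacks http-only",
     ".//session-config/cookie-config/http-only", "true"),
    ("transport guarantee not CONFIDENTIAL",
     ".//security-constraint/user-data-constraint/transport-guarantee", "CONFIDENTIAL"),
]

# Regex rules applied line by line to text configuration files; the named
# group 'key' is reported instead of the line so the secret is not echoed.
REGEX_RULES = [
    ("clear-text credential in properties",
     re.compile(r"(?i)^\s*(?P<key>[\w.-]*(?:password|secret)[\w.-]*)\s*=\s*\S+")),
]


def check_xml(xml_text, rules=XPATH_RULES):
    """Evaluate each XPath rule against the document and return (name, detail) findings."""
    root = ET.fromstring(xml_text)
    findings = []
    for name, expr, expected in rules:
        matches = root.findall(expr)
        if not matches:
            findings.append((name, "element missing"))
            continue
        for element in matches:
            value = (element.text or "").strip()
            if expected is not None and value != expected:
                findings.append((name, f"found '{value}', expected '{expected}'"))
    return findings


def check_text(text, rules=REGEX_RULES):
    """Apply each regex rule to every line and return (name, detail) findings."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        for name, pattern in rules:
            match = pattern.search(line)
            if match:
                findings.append((name, f"line {lineno}: {match.group('key')}"))
    return findings


if __name__ == "__main__":
    for name, detail in check_xml(WEB_XML) + check_text(APP_PROPERTIES):
        print(f"{name}: {detail}")
```

The XPath rules distinguish a missing element from one with the wrong value, since both are reported differently to the developer; the regex rule reports only the offending key so that the finding itself does not leak the credential into a report or a CI log.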

Xanitizer is used by default via a graphical user interface, but can also be run from the command line or as a Jenkins, Ant, Maven or Gradle plug-in (internally, the Gradle plug-in only calls an Ant script), for example to integrate it into a build environment. In addition, a plug-in is provided for displaying the identified security findings in the SonarQube platform.
