Xanitizer is a free-to-use proprietary software product for analyzing Java web applications for security vulnerabilities. The techniques Xanitizer uses to detect vulnerabilities include:

* Taint analysis: data-flow analysis is used to determine the ways in which user-controlled data enters a software system (at taint sources), moves through the system, and reaches locations where it might cause harm (taint sinks).
* Method invocation detection: the software system's bytecode is searched for calls of possibly harmful methods.
* Configuration checking: web application configuration files are searched for configuration problems.

Additionally, the open-source tools FindBugs and OWASP Dependency Check can be run by Xanitizer, and their results can be integrated with its other results.

Xanitizer comes with a number of predefined vulnerability detectors. The user can extend this functionality by specifying method patterns (for taint sources, taint sanitizers, taint sinks, and possibly harmful methods), and by specifying regular expressions and XPath expressions to look for problems in configuration files.

Xanitizer can be used through a graphical user interface, stand-alone on the command line, and as an Ant or Maven plugin. An open-source plugin is provided to integrate the detected security violations into the code quality platform SonarQube.

Further reading

* List of tools for static code analysis
* Taint checking
* Web application security
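The first two detection techniques listed above, taint analysis with user-specified source, sanitizer and sink patterns, and detection of calls to possibly harmful methods, can be illustrated with a small data-flow pass. The following Python is an added example, not Xanitizer's code: the three-address intermediate representation, the `Instr` and `Finding` types, the method patterns (`SOURCES`, `SANITIZERS`, `SINKS`, `HARMFUL`) and the `SAMPLE` program are all constructed for illustration, and the Java method names in them are plausible choices, not a list the product ships. Xanitizer itself works on compiled Java bytecode rather than a toy IR.

```python
"""Forward taint propagation plus harmful-call detection over a toy IR.

Added example, not Xanitizer's own code. User-controlled data enters at a
taint source, flows through assignments and calls, is cleared by a
sanitizer, and is reported when it reaches a sink; a second detector flags
any call of a "possibly harmful" method regardless of data flow.
"""
import re
from dataclasses import dataclass
from typing import List, NamedTuple, Optional, Tuple


@dataclass(frozen=True)
class Instr:
    """One three-address instruction: dst = callee(args)."""
    dst: Optional[str]          # variable receiving the result, None if unused
    callee: Optional[str]       # fully qualified method name of the call
    args: Tuple[str, ...]       # variables read (receiver first)
    line: int                   # source line, for reporting


class Finding(NamedTuple):
    kind: str                   # "taint-flow" or "harmful-call"
    source_line: Optional[int]  # where the tainted value entered (taint-flow only)
    line: int                   # where the sink or harmful method is called
    callee: str


# Method patterns as regular expressions on the qualified method name. These
# stand in for the user-specified patterns the text mentions (assumed names).
SOURCES = [r"javax\.servlet\.http\.HttpServletRequest\.getParameter"]
SANITIZERS = [r"org\.owasp\.encoder\.Encode\.forHtml"]
SINKS = [r"javax\.servlet\.jsp\.JspWriter\.print",
         r"java\.sql\.Statement\.executeQuery"]
HARMFUL = [r"java\.lang\.Runtime\.exec"]


def matches(patterns: List[str], name: Optional[str]) -> bool:
    return name is not None and any(re.fullmatch(p, name) for p in patterns)


def analyze(program: List[Instr]) -> List[Finding]:
    """Single forward pass over straight-line code.

    `tainted` maps each currently tainted variable to the line of the source
    that produced its value. Assigning a variable kills its previous taint
    (a strong update), so a later assignment from clean data clears it.
    """
    tainted = {}
    findings = []
    for ins in program:
        if matches(HARMFUL, ins.callee):
            # Reported on the call alone; no tainted argument is required.
            findings.append(Finding("harmful-call", None, ins.line, ins.callee))
        tainted_args = [a for a in ins.args if a in tainted]
        if matches(SINKS, ins.callee):
            for a in tainted_args:
                findings.append(Finding("taint-flow", tainted[a], ins.line, ins.callee))
        if ins.dst is None:
            continue
        if matches(SOURCES, ins.callee):
            tainted[ins.dst] = ins.line                  # new taint enters here
        elif matches(SANITIZERS, ins.callee):
            tainted.pop(ins.dst, None)                   # sanitizer output is clean
        elif tainted_args:
            tainted[ins.dst] = tainted[tainted_args[0]]  # taint propagates
        else:
            tainted.pop(ins.dst, None)                   # untainted result
    return findings


# Constructed sample: a servlet reads a request parameter and uses it three
# ways. Variables named lit_* stand for string literals.
SAMPLE = [
    Instr("name", "javax.servlet.http.HttpServletRequest.getParameter", ("request", "lit_name"), 10),
    Instr("greeting", "java.lang.String.concat", ("lit_hello", "name"), 11),
    Instr("safe", "org.owasp.encoder.Encode.forHtml", ("greeting",), 12),
    Instr(None, "javax.servlet.jsp.JspWriter.print", ("out", "safe"), 13),      # sanitized: no finding
    Instr(None, "javax.servlet.jsp.JspWriter.print", ("out", "greeting"), 14),  # unsanitized: XSS
    Instr("query", "java.lang.String.concat", ("lit_select", "name"), 15),
    Instr("rs", "java.sql.Statement.executeQuery", ("stmt", "query"), 16),      # SQL injection
    Instr("proc", "java.lang.Runtime.exec", ("runtime", "lit_cmd"), 17),        # harmful call
]

if __name__ == "__main__":
    for f in analyze(SAMPLE):
        print(f)
```

Running it reports the unsanitized `print` on line 14 and the `executeQuery` on line 16 as taint flows from the `getParameter` call on line 10, and the `Runtime.exec` call on line 17 as a harmful-call finding; the sanitized `print` on line 13 is silent. A real analyzer additionally handles branches, loops, calls between methods and fields, which is where most of the engineering effort goes; the propagation rule itself is what the example shows.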
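The third technique, configuration checking with regular expressions and XPath expressions, can be shown in the same style. The Python below is an added example, not Xanitizer's own checks: the `web.xml` deployment descriptor is constructed (it omits the usual default namespace so the XPath expressions stay short), and the three entries in `CHECKS` are illustrative choices of what such a check might look for, not a list taken from the product.

```python
"""Configuration checking with XPath and regular expressions over a web.xml.

Added example, not Xanitizer's own checks. Each check selects elements with
an XPath expression and tests their text with a regular expression.
"""
import re
import xml.etree.ElementTree as ET
from typing import List

# Constructed sample deployment descriptor (no default namespace).
WEB_XML = """<web-app version="3.1">
  <session-config>
    <cookie-config>
      <http-only>false</http-only>
    </cookie-config>
  </session-config>
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>admin</web-resource-name>
      <url-pattern>/admin/*</url-pattern>
    </web-resource-collection>
    <user-data-constraint>
      <transport-guarantee>NONE</transport-guarantee>
    </user-data-constraint>
  </security-constraint>
</web-app>
"""

# (xpath, bad_value regex, message, report_if_absent). ElementTree supports a
# subset of XPath, which is enough for these element selections. Settings
# marked report_if_absent are flagged when missing, since the container
# default then applies and deserves a look (assumed policy for this example).
CHECKS = [
    ("./session-config/cookie-config/http-only", r"(?i)false",
     "session cookie not HttpOnly", True),
    ("./session-config/cookie-config/secure", r"(?i)false",
     "session cookie not marked Secure", True),
    (".//user-data-constraint/transport-guarantee", r"(?i)none",
     "security constraint does not require TLS", False),
]


def check_config(xml_text: str) -> List[str]:
    root = ET.fromstring(xml_text)
    findings = []
    for xpath, bad_value, message, report_if_absent in CHECKS:
        elements = root.findall(xpath)
        if not elements and report_if_absent:
            findings.append(f"{message} (no {xpath} element)")
        for el in elements:
            text = (el.text or "").strip()
            if re.fullmatch(bad_value, text):
                findings.append(f"{message}: <{el.tag}>{text}</{el.tag}>")
    return findings


if __name__ == "__main__":
    for finding in check_config(WEB_XML):
        print(finding)
```

On the sample descriptor this reports the `http-only` element set to `false`, the absent `secure` element, and the `NONE` transport guarantee; setting the first two to `true` and the guarantee to `CONFIDENTIAL` yields no findings. Real descriptors declare the Java EE default namespace, so a production check has to register it with the XPath engine or use the `{namespace}tag` syntax ElementTree expects.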