SWAAT Frequently Asked Questions

What is SWAAT?

SWAAT stands for Security Compass Web Application Auditing Tool and is an open source web application source code analysis tool.

SWAAT is a free tool released by Security Compass, an application security consulting and training company. The aim of SWAAT is to help developers, testers, security staff, and auditors locate potentially dangerous portions of source code; it is designed to assist source code review. SWAAT does not provide sophisticated run-time analysis or variable tracking.

SWAAT has been donated to the Open Web Application Security Project (OWASP). Expect to see enhanced functionality in future versions of the application.

What are the system requirements?

SWAAT was designed for the .NET Framework 1.1.4322 or greater. SWAAT has been successfully tested on both Windows and Linux using Mono.

How do I check which version of the .NET framework I am running?

To check the current version of the .NET Framework, look in C:\Windows\Microsoft.NET\Framework (or the equivalent path on your computer); the directory names there indicate the installed framework versions.

How do I run SWAAT?

SWAAT is a command-line driven program for Windows and under Mono for Linux. In this first release, SWAAT must be run from within its installation directory.

The scenario below shows a simple execution of SWAAT:

c:\program files\swaat> swaat ..\myapp

Here we are running SWAAT on all files in the "c:\program files\myapp" directory.

You can optionally execute swaat on specific files:

c:\program files\swaat> swaat ..\myApp\somefile.php

Results of the analysis are listed by default in a file called SWAAT-<year month day time>.html (e.g. SWAAT-20060723164024.html). If you wish to specify a different file use the -o option:

c:\program files\swaat> swaat -o myOutput.html ..\myApp

You may optionally turn off the xsl transform and simply save the raw xml results by using the -x option:

c:\program files\swaat> swaat -x ..\myApp\*.php

By running SWAAT you agree to the license terms described in license.txt

What other options can I run SWAAT with?

SWAAT accepts two other options: -a lang and -i.

The -a lang option forces every file extension to be mapped to the given language:

c:\program files\swaat> swaat -a PHP ..\myApp\

Note: the language name must be given in upper case (ASP, JSP, PHP).

The -I option ignores case both when reading the content of the files and when reading the function names provided in the signature files.

How do I interpret these findings?

Each finding has a table with the following items:

  • Finding Name: a name for the finding, generally indicating a potentially dangerous function
  • Severity of Finding: the combined exposure impact and likelihood that the finding could present
  • Description: Description of the finding and how it could lead to an application security vulnerability
  • Finding Locations: The file name and line number the code was found with, along with a context showing the snippet of code where the finding is located

Which languages does SWAAT scan?

This version of SWAAT works on Java, JSP, ASP .Net, and PHP. It also searches for generic indicators such as "SQL" and "Password", so it may provide some value on other platforms.

How do I add my own signatures to the files?

Signatures for ASP, Java/JSP and PHP functions are in their respective asp.xml, jsp.xml and php.xml files. Each signature file has mandatory XML tags "vuln match" and "type" and optional tags "severity" and "alt".

  • "vuln match" contains the string token to search for
  • "type" masp to a type of vulnerability as described in the "msg name" tags in msg.xml (e.g. userinput, racecondition, OSScripting, etc.)
  • "severity" specifies the risk level (high, medium, or low)
  • "alt" is a suggestion for an alternative, lower risk function to use (e.g. SecureRandom instead of Random)

In addition, the file embedded.xml looks for expressions across all three types of files (Java, ASP, and PHP). All "vuln match" tags in embedded.xml must start and end with ".*" wild card characters.

If you do make any additions to these files, please send the signatures to us at swaat@securitycompass.com so we can include them in our next release. If you would like to be credited for it, please let us know.

How can I search through regular expressions?

Regular expression searches can be added to any of the above-mentioned xml files.

The "vuln match" must contain the regular expression to search for. The following characters must be escaped with with a '\' character to be interpreted literally: ^ $ | ? . ( ) \ + * (e.g. "=".*\^" would find the literal string "^ foobar").

How does SWAAT find vulnerabilities?

SWAAT searches through source code and analyzes against the database of potentially dangerous strings given in the .xml files. Thus it does NOT positively identify the existence of a vulnerability - this generally requires application contextual knowledge. It identifies the usage of functions / strings / SQL that could lead to a finding. All potentially dangerous code references are included in the output report.
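The signature-driven search this answer describes, together with the signature tags, the regular-expression escaping rule, the -a and -i options, the suffix.xml extension mapping and the finding-table items covered in the other answers, can be sketched in a short script. The following Python is an added example written for this FAQ; it is not SWAAT's own code. The tag names ("vuln match", "type", "severity", "alt", "msg name", "suffix lang") come from the FAQ, but how they nest inside the XML files, the "unspecified" default severity, the message texts and the sample Java source are all assumptions constructed for the example.

```python
import re
import xml.etree.ElementTree as ET
from collections import namedtuple

# Constructed suffix.xml in the layout the FAQ shows: file extension -> language.
SUFFIX_XML = """<suffixes>
  <suffix lang="jsp" suffix="jsp" /><suffix lang="jsp" suffix="java" />
  <suffix lang="php" suffix="php" /><suffix lang="asp" suffix="inc" />
</suffixes>"""
# Constructed jsp.xml, embedded.xml and msg.xml. The FAQ names the tags; how they
# nest is an assumption. Matches are regular expressions: literal metacharacters
# carry a backslash, and embedded.xml matches must start and end with ".*".
JSP_XML = r"""<signatures>
  <vuln match="Runtime\.getRuntime\(\)\.exec\(">
    <type>OSScripting</type><severity>high</severity><alt>ProcessBuilder with a fixed argument list</alt>
  </vuln>
  <vuln match="createStatement\(">
    <type>userinput</type><severity>medium</severity><alt>PreparedStatement</alt>
  </vuln>
</signatures>"""
EMBEDDED_XML = """<signatures>
  <vuln match=".*SQL.*"><type>userinput</type><severity>low</severity></vuln>
</signatures>"""
MSG_XML = """<msgs>
  <msg name="userinput">Untrusted input may reach this call; validate it and use parameterised APIs.</msg>
  <msg name="OSScripting">Command execution; attacker-influenced arguments can run arbitrary commands.</msg>
</msgs>"""
REGEX_META = set(r"^$|?.()\+*")  # characters the FAQ says must be escaped to match literally

# Signature: one <vuln> entry; lang is the language file it came from, None = embedded.xml.
Signature = namedtuple("Signature", "match vuln_type severity alt lang")
# Finding: the FAQ's finding-table items (name, severity, description) plus the location.
Finding = namedtuple("Finding", "name severity description alt path line_no context")


def escape_literal(token):
    """Turn a plain token into a 'vuln match' value that matches it literally."""
    return "".join("\\" + c if c in REGEX_META else c for c in token)


def load_suffix_map(xml_text):
    return {s.get("suffix").lower(): s.get("lang").lower()
            for s in ET.fromstring(xml_text).iter("suffix")}


def load_messages(xml_text):
    return {m.get("name"): (m.text or "").strip() for m in ET.fromstring(xml_text).iter("msg")}


def load_signatures(xml_text, lang=None):
    sigs = []
    for vuln in ET.fromstring(xml_text).iter("vuln"):
        match, vuln_type = vuln.get("match"), vuln.findtext("type")
        if match is None or vuln_type is None:
            raise ValueError("'vuln match' and 'type' are mandatory")
        if lang is None and not (match.startswith(".*") and match.endswith(".*")):
            raise ValueError(f"embedded signature {match!r} must start and end with '.*'")
        sigs.append(Signature(match, vuln_type, vuln.findtext("severity", "unspecified"),
                              vuln.findtext("alt"), lang))
    return sigs


def language_for(path, suffix_map, force_lang=None):
    """-a LANG forces every extension to one language; otherwise suffix.xml decides."""
    if force_lang:
        return force_lang.lower()
    ext = path.rsplit(".", 1)[-1].lower() if "." in path else ""
    return suffix_map.get(ext)


def scan_source(path, text, signatures, suffix_map, messages, force_lang=None, ignore_case=False):
    """Line-by-line pattern search; -i makes signatures and file content case-insensitive."""
    lang = language_for(path, suffix_map, force_lang)
    if lang is None:
        return []  # extension not mapped in suffix.xml: the file is skipped entirely
    flags = re.IGNORECASE if ignore_case else 0
    findings = []
    for sig in signatures:
        if sig.lang not in (None, lang):
            continue
        pattern = re.compile(sig.match, flags)
        for line_no, line in enumerate(text.splitlines(), 1):
            if pattern.search(line):  # a potential exposure to review, not a confirmed bug
                findings.append(Finding(sig.match, sig.severity, messages.get(sig.vuln_type, sig.vuln_type),
                                        sig.alt, path, line_no, line.strip()))
    return sorted(findings, key=lambda f: f.line_no)


SAMPLE_JAVA = """import java.sql.Statement;
public class Report {
    void run(String user) throws Exception {
        String sql = "SELECT * FROM users WHERE name='" + user + "'";
        Statement st = conn.createStatement();
        ResultSet rs = st.executeQuery(sql);
        Process p = Runtime.getRuntime().exec("report " + user);
    }
}"""  # constructed source file under review

if __name__ == "__main__":
    sigs = load_signatures(JSP_XML, "jsp") + load_signatures(EMBEDDED_XML)
    suffixes, msgs = load_suffix_map(SUFFIX_XML), load_messages(MSG_XML)
    for ci in (False, True):  # second pass mimics the -i option
        for f in scan_source("Report.java", SAMPLE_JAVA, sigs, suffixes, msgs, ignore_case=ci):
            print(f"[-i={ci}] {f.path}:{f.line_no} [{f.severity}] {f.name}: {f.context}")
            print("    " + f.description + (f"  (alternative: {f.alt})" if f.alt else ""))
```

Run as-is, the case-sensitive pass reports only the createStatement and exec calls; with ignore_case=True the embedded ".*SQL.*" signature also flags the three lines that mention the lowercase identifier sql, which is exactly the trade-off the -i option makes between recall and noise. Each finding is a candidate for review: as the answer above says, confirming a vulnerability still needs knowledge of how the application uses that code.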

How much does SWAAT cost?

There is no cost to use SWAAT.

Is SWAAT open source?

Security Compass actively encourages the open source movement and actively participates in the Open Web Application Security Project (OWASP). SWAAT was recently donated to OWASP and is now an open source tool.

Visit the OWASP SWAAT Project for links to the latest source code.

How does SWAAT differ from other application scanning tools?

Most application scanning tools perform runtime analysis - that is, they attempt to identify application security vulnerabilities by injecting malicious parameter values, etc. While this may find some of the vulnerabilities in your application, our experience shows that most vulnerabilities require some contextual understanding of the application.

SWAAT assists in source code review. Unlike runtime analysis tools, SWAAT helps to identify potential security exposures by pointing out potentially malicious functions and explaining the possible risk behind them. Having audited several million lines of code, we at Security Compass firmly believe that an in depth application security analysis requires human intelligence - and SWAAT is the tool of choice to assist with that analysis.

Does SWAAT do runtime or network analysis?

No, in its current release SWAAT does not address any runtime or network issues. It is dedicated to source code review. In future releases we may consider adding a component to assist in runtime validation of source code findings.

What is the target audience of SWAAT?

SWAAT is aimed at developers, testers, QA staff, and security auditors. Using SWAAT progressively throughout the SDLC will help identify and eliminate potential security vulnerabilities before they exist.

Will SWAAT eliminate all application security vulnerabilities?

While SWAAT is helpful in assisting with source code review, no tool can truly claim to guarantee elimination of all vulnerabilities. The best chance of minimizing application security vulnerabilities is to establish a Secure Software Development Life Cycle, which includes developer, tester, architect, requirements analyst, and manager training as well as integration of security activities into requirements, design, development, testing, and support. Use SWAAT as a tool to assist in these security activities.

I'm getting an error, what should I do?

Please ensure that you are running SWAAT from within its installation directory.

SWAAT is still in its early release, so we'd appreciate you letting us know about any errors you find. Please send details to swaat@securitycompass.com.

I have some ideas for improvements, how do I let you know?

We appreciate any feedback you have. Please send comments to owasp@owasp.com.

What are the future plans for SWAAT?

Future releases of SWAAT will include a graphical user interface (GUI), integrated development environment (IDE) plug-ins, and more sophisticated functionality.

How often will updates be made available, and where can I retrieve these updates?

SWAAT is an open source tool that is now maintained by OWASP. Please visit http://www.owasp.org/index.php/Category:OWASP_SWAAT_Project to find updates to the tool.

Who makes SWAAT?

Security Compass built and released the first versions of the tool, but SWAAT was recently donated to the Open Web Application Security Project (OWASP). Security Compass is a consulting and training firm specializing in application security.

Will Security Compass or any other third party have access to my results?

SWAAT does NOT, under any circumstances, send the results of your testing to Security Compass or any other third party. All results are stored locally where you saved them.

SWAAT is not scanning the .java or .inc files, what is wrong?

To scan .java files or .inc files you will have to add the following lines in suffix.xml. Similarly you can use the same syntax to map other extensions for the supported languages:

<suffix lang="asp" suffix="inc" />
<suffix lang="jsp" suffix="java" />

Is there a mailing list that I can subscribe to for SWAAT?

There currently is no mailing list for SWAAT. Please visit the OWASP SWAAT Project page for any SWAAT news.
