If I had time to dive into...

Blog:tech
My Security Planet
FuckTheSpam!
Projects
Grabber
PHP-Ast/Oracle
Resume

Last comments

Every-day's CSRF: Sorry, I turned off your christmas tree lights - David
ph34r the script kiddies: Whitehouse.org - bmej
Oh please stop it with these ridiculous CAPTCHAs! - poood343kjd
How to scan for basic php include injection / How to prevent this kind of injection ? - romain
How to scan for basic php include injection / How to prevent this kind of injection ? - lort
Scalp 0.4: apache log based attack analyzer, updated - romain
Scalp 0.4: apache log based attack analyzer, updated - Wahyudi
Scalp 0.4: apache log based attack analyzer, updated - romain
Scalp 0.4: apache log based attack analyzer, updated - Fabrice Terrasson
Scalp 0.4: apache log based attack analyzer, updated - Fabrice Terrasson
Protection against spam bot | fuckthespam.com - romain
Protection against spam bot | fuckthespam.com - Noam
Scalp: apache log based attack analyzer - romain
Trie based fast and massive replacement (Algorithm) - romain
Scalp: apache log based attack analyzer - Yoya
Trie based fast and massive replacement (Algorithm) - Ed
PHP Source Code Analyzer - wal
IE6 And IE7 don't have compatible CSS tricks - me
Oh please stop it with these ridiculous CAPTCHAs! - a
Oh please stop it with these ridiculous CAPTCHAs! - ta

Last entries

Every-day's CSRF: Sorry, I turned off your christmas tree lights
IE7, no Same Origin Policy when the script/file is on your file system
Internet User Privacy Values Survey
Last week at NIST
Scalp 0.4: apache log based attack analyzer, updated
PyQt and WebKit integration: unexpected limitation [fixed]
How fair should Google Search be?
And so you wanted to protect your email address on your website...
Why the "line of code" is indeed a good metric
Trie based fast and massive replacement (Algorithm)
A morning at work: Content-Disposition blocked!
Scalp: apache log based attack analyzer
My talk at SAW: Automated Evaluation of source code analyzer output
ph34r the script kiddies: Whitehouse.org
Yet another study on code quality: A Tale of Four Kernels
Static Analysis Tool Exposition is over
Oh please stop it with these ridiculous CAPTCHAs!
Accelerate the convergence to the bug: Running the test in 16-bit
Scaling MySQL db
MySQL table/field names
Untrusted websites passwords
NIST SATE step 3 completed: test cases information release
Code review: facilitate the SCA output analysis
OWASP France Chapter & OWASP Top Ten 2007 French
Code review tools: the missing link (so far)
SATE ready to go + weaknesses walker + Shmoo + 100
NIST Static Analysis Tool Exposition: No, this is not a competition!
Talk: Problems and solutions for testing web application security scanners
Definition parsing: first step done
Search engine keywords extraction
How come I didn't know this resource!!
Protection against spam bot | fuckthespam.com
PHP Source Code Analyzer
Leaving for Hawaii, HICSS conference
[WASC] Release of Script Mapping Project
"My Security Planet"
Attack Surface oriented Crawler: Focusing on what you actually want
Static Analysis Framework: PHP-Ast/Oracle
Yet another study oriented release
The new grabber

Blog:tech

This is a simple tech blog. I am mostly interested in application security, web, technologies... but every time I can, I try to play with some other field I like such as data-mining, graph theory, compilers, languages, etc..

Contact:

By Romain Monday, November 20 2006 - 10:09 UTC - Tools - Permalink

I would work on the creation of a hybrid/crystal box tool using:

PHP-Sat for the static analysis part or a Simple RegEx matcher
My own black box tester

Actually, it's quite easy to combine:

# don't care about the false positive rate
If you find something with the static analyser :
   # <=> check for false positive  
    test the parameter/address with the black box tester.

The result would be a serious decrease of the false-positive and hopefully an increase of the true-positive...

Comments

This post's comments feed

Last comments

Last entries

Blog:tech

Tags

Categories

Links

Web Security

General Sec.

Other

If I had time to dive into...

Comments

Add a comment