
If you need to fine-tune elements of the configuration without running an entire snapshot, or to browse the User Input Security results without using the CAST Engineering Dashboard, you can use an unsupported CAST tool called the FlawExplorer to visualize the flaws. It takes “.flaw” files as input and lets you browse the flaws they contain. In addition, since the FlawExplorer is an "offline" tool, you can browse flaw files without having to connect to a CAST Management Service.

You can also use it during snapshot generation, once the “Dataflow Security” task has completed successfully.

Using FlawExplorer

flawExplorer.exe is located in the CAST installation folder. Double-click the file to run it.

Use the Load a flaw file option (located in the top left-hand corner of the GUI) to load a flaw file. To find a .flaw file, look up its path in the SecurityAnalyzer.log file: the “Run Data Flow Security” task writes that log during snapshot computation, and it records where each .flaw file was generated.

The path of the SecurityAnalyzer.log file itself is also recorded in the CAST-MS*.log.txt file, generally located in %TEMP%\CAST\CAST\<version>.
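The two-step lookup above (CAST-MS log, then SecurityAnalyzer.log, then the .flaw paths) is tedious to do by hand when several snapshots have run. The script below automates it. It is an added example, not a CAST tool, and it rests on two labelled assumptions: that CAST-MS*.log.txt mentions SecurityAnalyzer.log by absolute path, and that SecurityAnalyzer.log mentions each generated .flaw file by absolute path. The log lines embedded in it are constructed samples, not real CAST output, and the version directory name "8.3.0" used in the sandbox run is made up.

```python
"""Locate the .flaw files that FlawExplorer can load, starting from the CAST logs.

Added example, not a CAST tool. Assumptions: CAST-MS*.log.txt mentions
SecurityAnalyzer.log by absolute path, and SecurityAnalyzer.log mentions each
generated .flaw file by absolute path. Sample log lines are constructed.
"""
from __future__ import annotations

import os
import re
import tempfile
from pathlib import Path


def _path_pattern(suffix: str) -> re.Pattern:
    # Heuristic (assumption about the log format): an absolute Windows (X:\...) or
    # POSIX (/...) path ending in `suffix`. Spaces are allowed inside the path; a
    # line end, a quote or a second drive colon ends the match, so two paths on
    # one line stay separate.
    return re.compile(
        r"(?:[A-Za-z]:\\|/)[^\r\n\"<>|:*?]*?" + re.escape(suffix) + r"(?![\w.])",
        re.IGNORECASE,
    )


SECURITY_LOG_RE = _path_pattern("SecurityAnalyzer.log")
FLAW_FILE_RE = _path_pattern(".flaw")

# Constructed sample log content (not real CAST output).
SAMPLE_CASTMS_LOG = "\n".join([
    r"2024-01-01 10:00:01 INFO  Task 'Run Data Flow Security' started",
    r"2024-01-01 10:00:02 INFO  Security analyzer log: C:\CAST\Logs\SecurityAnalyzer.log",
    r"2024-01-01 10:00:03 INFO  Other log: C:\CAST\Logs\CAST-MS-1.log.txt",
])
SAMPLE_SECURITY_LOG = "\n".join([
    r"Analyzing application MyApp",
    r"Flaw file written: C:\CAST\Work\MyApp\MyApp.flaw",
    r"Flaw file written: C:\CAST\Work\My Lib\MyLib.flaw (12 flaws)",
    r"Flaw file written: C:\CAST\Work\MyApp\MyApp.flaw",  # repeated on purpose
])


def extract_paths(text: str, pattern: re.Pattern) -> list[str]:
    """Unique matching paths, in order of first appearance."""
    return list(dict.fromkeys(m.group(0) for m in pattern.finditer(text)))


def security_logs_from_castms(castms_text: str) -> list[str]:
    return extract_paths(castms_text, SECURITY_LOG_RE)


def flaw_files_from_security_log(security_text: str) -> list[str]:
    return extract_paths(security_text, FLAW_FILE_RE)


def collect_flaw_files(castms_text: str, read_text=None) -> list[str]:
    """Follow CAST-MS log -> SecurityAnalyzer.log -> .flaw paths.

    `read_text` is injectable so the chain can run without a filesystem. A
    SecurityAnalyzer.log that is referenced but no longer present is skipped.
    """
    read_text = read_text or (lambda p: Path(p).read_text(errors="replace"))
    found: list[str] = []
    for log_path in security_logs_from_castms(castms_text):
        try:
            text = read_text(log_path)
        except OSError:
            continue
        for flaw in flaw_files_from_security_log(text):
            if flaw not in found:
                found.append(flaw)
    return found


def find_castms_logs(temp_root: Path) -> list[Path]:
    """CAST-MS*.log.txt files under <temp_root>/CAST/CAST/<version>, newest first."""
    base = temp_root / "CAST" / "CAST"
    if not base.is_dir():
        return []
    logs = [p for version in base.iterdir() if version.is_dir()
            for p in version.glob("CAST-MS*.log.txt")]
    return sorted(logs, key=lambda p: p.stat().st_mtime, reverse=True)


def locate_flaw_files(temp_root: Path) -> list[str]:
    found: list[str] = []
    for castms in find_castms_logs(temp_root):
        for flaw in collect_flaw_files(castms.read_text(errors="replace")):
            if flaw not in found:
                found.append(flaw)
    return found


def demo_in_sandbox() -> list[str]:
    """End-to-end run against a throwaway %TEMP% layout built from the samples."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        version_dir = root / "CAST" / "CAST" / "8.3.0"  # version number is made up
        version_dir.mkdir(parents=True)
        sec_log = root / "SecurityAnalyzer.log"
        sec_log.write_text(SAMPLE_SECURITY_LOG)
        castms_text = SAMPLE_CASTMS_LOG.replace(r"C:\CAST\Logs\SecurityAnalyzer.log", str(sec_log))
        (version_dir / "CAST-MS-20240101.log.txt").write_text(castms_text)
        return locate_flaw_files(root)


if __name__ == "__main__":
    print("sandbox:", demo_in_sandbox())
    temp = os.environ.get("TEMP")  # the real %TEMP% on a CAST machine
    if temp:
        for flaw in locate_flaw_files(Path(temp)):
            print(flaw, "" if Path(flaw).exists() else "(missing)")
```

Run it on the machine where the snapshot was computed and it prints every .flaw path the logs mention, marking the ones that have since been deleted; paste a surviving path into the Load a flaw file dialog. The path regex is deliberately conservative (it refuses to cross a second drive colon), so a line listing two Windows paths yields two matches rather than one that swallows both.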

Typical usage

  • In the Flaws box: select a flaw in the list. The Trace box is refreshed with the corresponding execution trace.
  • In the Trace box: select a line in the execution trace. The Code viewer is refreshed and shows the bookmark (highlighted in yellow) of the corresponding executed statement.

Hints:

  • In the Flaws box: you can use the keyboard arrows to switch between flaws.
  • In the Trace box: you can use the keyboard arrows to step through the execution trace.

Note that the flaw names displayed in the FlawExplorer are not exactly the same as those presented in the CAST Engineering Dashboard. For example, the flaw called “Http Response Splitting” in the FlawExplorer is reported as "Cross-site scripting" in the CAST Engineering Dashboard.