WES is a static code analyzer for web applications that doesn't take the traditional approach of pointing out where problems may exist in your code. Instead, WES simply pulls all of the endpoints, parameters, templates, HTTP methods, and the source line numbers of each right out of the source code. These results can then be fed to a dynamic scanner as a site map of the application. Reading this information directly from the source code gives your dynamic scan a more complete list of vectors than traditional discovery techniques (crawlers, proxies, and brute forcers), which only find what they happen to reach.
Currently WES supports processing the following frameworks:
- Spring
- Java Servlets
- JavaServer Pages (JSP)
- Django
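To illustrate the kind of extraction described above, here is a small added example (written for this page, not WES's own code) that pulls the HTTP method, URL, request parameters, path variables, and line number of each handler out of a constructed Spring controller and joins them with a base URL, the way a dynamic scanner site map would need them. The controller source is made up for the example; real WES output and its parsing approach may differ.

```python
import re

# Constructed sample of a Spring controller; not taken from any real project.
SPRING_SRC = """\
@RestController
@RequestMapping("/api")
public class UserController {
    @GetMapping("/users/{id}")
    public User get(@PathVariable long id) { ... }

    @PostMapping("/users")
    public User create(@RequestParam("name") String name,
                       @RequestParam(value = "email", required = false) String email) { ... }
}
"""

MAPPING_RE = re.compile(r'@(Get|Post|Put|Delete|Patch)Mapping\(\s*"([^"]+)"')
CLASS_RE = re.compile(r'@RequestMapping\(\s*"([^"]+)"')
PARAM_RE = re.compile(r'@RequestParam\((?:value\s*=\s*)?"([^"]+)"')


def extract_spring_endpoints(src, base_url):
    """Return one dict per handler: method, full url, query params, path params, line.

    The class-level @RequestMapping prefix is combined with each method-level mapping,
    and request parameters are read from the method signature that follows the annotation.
    """
    lines = src.splitlines()
    prefix = ""
    for line in lines:
        m = CLASS_RE.search(line)
        if m:
            prefix = m.group(1).rstrip("/")
            break
    endpoints = []
    for i, line in enumerate(lines, start=1):
        m = MAPPING_RE.search(line)
        if not m:
            continue
        # The signature may span several lines; it ends where the method body opens.
        sig = []
        for extra in lines[i:]:
            sig.append(extra)
            if "{" in extra:
                break
        endpoints.append({
            "method": m.group(1).upper(),
            "url": base_url.rstrip("/") + prefix + m.group(2),
            "params": PARAM_RE.findall("\n".join(sig)),
            "path_params": re.findall(r"\{(\w+)\}", m.group(2)),
            "line": i,
        })
    return endpoints
```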
To install the project, run one of the following:

From GitHub (SSH):

```
pip install git+ssh://git@github.com/indeedsecurity/wes.git
```

or (HTTPS):

```
pip install git+https://github.com/indeedsecurity/wes.git
```
WES supports a few ways of running from the command line. You can supply either a git repository address (e.g. git@github.com:owner/project.git) or a folder that contains the source code.
Running WES on an individual project can be done with either of the following commands:

```
wes -f myProjectFolder -u http://myProjectsBaseUrl.com
wes -r git@github.com:owner/project.git -u http://myProjectsBaseUrl.com
```
To run the test suite, all of the following commands should be run from the root WES directory:

```
pytest tests
pytest integrationTest
pytest --cov-config .coveragerc --cov wes --cov-report term-missing tests
```