VCG stands for Visual Code Grepper. It analyses source code and tells you which parts are potentially vulnerable to attack. For instance, your PHP code might reveal usernames or, worse, passwords to an attacker because of the way it is written.
VCG points out what is potentially unsafe, which gives us the chance to patch the vulnerability.
So I decided to blog about it and try to let readers know how to use it.
Firstly, let's imagine you have some code for a login page in your application. How do you know this code is secure against common attack techniques? Well, VCG can tell us. VCG analyses the code and reports which lines are vulnerable and to what type of attack. It's available here, and here's how to use it.
To analyse code in VCG, do the following after downloading the software. First, tell VCG what language the code is written in (PHP, Java, Perl, Python, etc.) by clicking Settings and selecting the language. This step matters: VCG keeps a separate list of risky functions for each language, so scanning a PHP project with the wrong language selected will miss the PHP-specific checks. Next, point VCG at the folder containing the code you want analysed by clicking File and then New Target. Once the folder has loaded, run the scan by choosing Scan and then Full Scan.
After analysing the code, VCG presents a summary of the results: how many lines were scanned, how many of them were whitespace, how many were comments, how many matched a potential flag and how many it considers potentially vulnerable code. Whitespace and comment lines are not vulnerable to anything themselves; they are counted so you can see how much actual code the scan covered.
There were three threats found by VCG in my instance; yours will be different.
The great thing about VCG is that it also tells you the line number of the vulnerable code and the type of vulnerability it poses, so you can go straight to that line and guard against it.
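To make that "line number plus vulnerability type" output concrete, here is a small grep-style scanner written for this post. It is example code added here, not VCG itself and not code from the original page. It runs a handful of hypothetical VCG-like regex rules over a constructed PHP login page, once in a deliberately weak form and once hardened with prepared statements and password_verify(), and reports each hit with its line number and category the way VCG's results grid does. The rule set, the two PHP snippets and the function names are all assumptions made for this example.

```python
from __future__ import annotations

import re
from dataclasses import dataclass

# Constructed sample input (not from the original post): a deliberately weak PHP login page.
VULNERABLE_LOGIN = """<?php
// login handler, quick and dirty
$user = $_POST['username'];
$pass = $_POST['password'];

$conn = mysql_connect("localhost", "root", "s3cret");
$sql = "SELECT * FROM users WHERE name='" . $user . "' AND pass='" . $pass . "'";
$result = mysql_query($sql);
if (mysql_num_rows($result) == 0) {
    echo "Login failed for " . $_POST['username'];
}
?>"""

# Constructed sample input: the same login page after fixing the findings.
HARDENED_LOGIN = """<?php
// same login, using prepared statements and hashed passwords
$user = $_POST['username'] ?? '';
$pass = $_POST['password'] ?? '';

$pdo = new PDO('mysql:host=localhost;dbname=app', 'app', getenv('DB_PASSWORD'));
$stmt = $pdo->prepare('SELECT pass_hash FROM users WHERE name = :name');
$stmt->execute([':name' => $user]);
$row = $stmt->fetch();
if (!$row || !password_verify($pass, $row['pass_hash'])) {
    echo 'Login failed';
}
?>"""


@dataclass
class Finding:
    line: int        # 1-based line number, as VCG reports it
    category: str    # type of vulnerability the rule looks for
    severity: str
    code: str        # the offending line, stripped


# Hypothetical grep-style rules in the spirit of VCG: (category, severity, regex).
# VCG ships its own, much larger per-language signature list; this is a toy subset.
RULES = [
    ("SQL Injection (query built by string concatenation)", "High",
     re.compile(r"(?i)\b(select|insert|update|delete)\b.*\.\s*\$\w+")),
    ("Hard-coded credential passed to a DB connect call", "High",
     re.compile(r"(?i)(mysql_connect|new PDO)\s*\(.*,\s*['\"][^'\"]+['\"]\s*\)")),
    ("Deprecated mysql_* extension (no prepared statements)", "Medium",
     re.compile(r"\bmysql_(connect|query)\s*\(")),
    ("Reflected XSS (request data echoed without escaping)", "Medium",
     re.compile(r"\becho\b.*\$_(GET|POST|REQUEST|COOKIE)\b")),
]


def scan(source: str) -> list[Finding]:
    """Return every rule hit with its line number, in file order."""
    findings: list[Finding] = []
    for lineno, line in enumerate(source.splitlines(), start=1):
        for category, severity, pattern in RULES:
            if pattern.search(line):
                findings.append(Finding(lineno, category, severity, line.strip()))
    return findings


def summarize(source: str) -> dict:
    """Line statistics in the style of VCG's post-scan summary."""
    lines = source.splitlines()
    whitespace = sum(1 for l in lines if not l.strip())
    comments = sum(1 for l in lines if l.strip().startswith(("//", "#", "/*", "*")))
    return {"lines": len(lines), "whitespace": whitespace,
            "comments": comments, "flagged": len(scan(source))}


def report(name: str, source: str) -> None:
    """Print a VCG-like results grid: summary first, then one row per finding."""
    print(f"== {name}: {summarize(source)}")
    for f in scan(source):
        print(f"  line {f.line:>3}  [{f.severity}] {f.category}")
        print(f"             {f.code}")


if __name__ == "__main__":
    report("vulnerable login.php", VULNERABLE_LOGIN)
    report("hardened login.php", HARDENED_LOGIN)
```

Running it flags five lines in the weak version (the hard-coded root password and deprecated connect call on one line, the concatenated query, the mysql_query call and the echoed POST parameter) and nothing in the hardened one. That is the whole value of a grepper like VCG: it cannot prove the hardened page is safe, but it gets you to the exact lines that deserve a human look.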
Code security is for a future blog, where I'll delve into RIPS, which also suggests patches. Stay tuned.
Qubits 14th July 2015