XANITIZER specializes on security analysis of Java Web applications and also considers the behavior of the applied Web frameworks. By means of static code analysis and (data flow) taint analysis the tool systematically scans the program code of an entire Java system for security vulnerabilities.
XANITIZER is the essential tool for Security Auditors of Java applications. Xanitizer can also be incorporated into a build process, automatically and regularly performing its analysis tasks and reporting detected security issues.
XANITIZER's security analysis can be performed for any Java system - regardless whether executable or not. The tool detects vulnerabilities like injections (SQL, Command, XPath, LDAP), cross-site scripting, privacy leaks, URL Redirection Abuse, Manipulated File System Access, IO Stream Resource Leak, and many more. The tool is highly customizable for specifying and searching for self-defined vulnerability patterns. When looking for XSS problems, XANITIZER also analyzes JSP and EL code as well as Freemarker templates, which is one of XANITIZER's unique features.
XANITIZER assesses the relevance of security findings by an automatically calculated rating. Findings can be inspected in fine detail in a code viewer, they can be manually classified and commented. A unique way of visualization allows to follow the path of suspicious data in the system and to check where code has to be fixed in order to mitigate a vulnerability. Besides, a dashboard presents an overview of the most important metrics and problems. A reporting engine is integrated and predefined report templates allow to create detail reports for single findings and overview reports for a set of findings.