Sources of malicious user input are the root of security vulnerabilities. By adding new sources to the engine, additional data flows can be detected and new issues can be discovered if present.

In addition to the global variables through which users pass input to a PHP script via HTTP, methods and functions can also return user-modifiable values. Such functions are often provided by a framework or library. Both the Java and the PHP engine already integrate many of these framework functions and methods (see the list of supported Java and PHP frameworks).

This means that the code defining these functions and methods does not necessarily have to be analyzed. In case a source was missed during analysis, or the source is not defined within the analyzed code, additional sources of user input (functions, methods, properties, or objects) can be configured in this section. For each source, specify the source type and the corresponding name. Please refer to the code examples for further details.

Adding all sources of an application ensures that even when only parts of the application are scanned, all sensitive data flows are still detected.
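As an added illustration (not from this page and not the engine's own configuration format), the toy taint tracker below runs over a few constructed PHP lines and shows why a framework helper must be registered as a source when its definition lies outside the scanned code. The helper name Request::get() and the sample lines are constructed for the example; without the extra source the flow into echo is missed, with it the flow is reported.

```python
import re

# Constructed sample (not from the page): user input arrives directly via $_GET
# and through a framework helper, Request::get(), defined outside the scanned code.
SAMPLE_PHP = """
$name = Request::get('name');
$id = (int) Request::get('id');
$raw = $_GET['q'];
echo $name;
echo $id;
mysqli_query($db, "SELECT * FROM t WHERE q = '" . $raw . "'");
"""

BUILTIN_SOURCES = {"$_GET", "$_POST", "$_COOKIE"}  # what the toy engine knows
SINKS = {"echo", "mysqli_query"}                    # where tainted data is reported
ASSIGN_RE = re.compile(r"^(\$\w+)\s*=\s*(.+);$")
CALL_RE = re.compile(r"^(\w+)\b(.*)$")
VAR_RE = re.compile(r"\$\w+")

def is_tainted(expr, sources, tainted_vars):
    """Tainted if expr reads a source or a tainted variable; an (int) cast is the one sanitizer."""
    if expr.startswith("(int)"):
        return False
    if any(src in expr for src in sources):
        return True
    return any(v in tainted_vars for v in VAR_RE.findall(expr))

def find_tainted_flows(php_code, extra_sources=()):
    """Return (sink, variable) pairs where user input reaches a sink.
    extra_sources plays the role of the user-configured sources described on this page."""
    sources = BUILTIN_SOURCES | set(extra_sources)
    tainted_vars, flows = set(), []
    for line in php_code.strip().splitlines():
        line = line.strip()
        if m := ASSIGN_RE.match(line):
            lhs, rhs = m.groups()
            if is_tainted(rhs, sources, tainted_vars):
                tainted_vars.add(lhs)
            else:
                tainted_vars.discard(lhs)  # overwritten with clean data
        elif (m := CALL_RE.match(line)) and m.group(1) in SINKS:
            for var in VAR_RE.findall(m.group(2)):
                if var in tainted_vars:
                    flows.append((m.group(1), var))
    return flows

if __name__ == "__main__":
    print(find_tainted_flows(SAMPLE_PHP))                    # Request::get() flow missed
    print(find_tainted_flows(SAMPLE_PHP, {"Request::get"}))  # echo $name now reported
```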

Supported Source Types

Object properties

Adding a PHP function as source

Adding a Java method as source