Question

In Chapter 22 , I discussed the effectiveness of source code review for discovering web vulnerabilities. You might now be wondering: why not just perform a static analysis of the code? Why conduct fuzz testing at all?

在第 22 章中，我讨论了源代码审查发现 Web 漏洞的有效性。你现在可能会想：为什么不仅仅对代码执行静态分析？为什么还要进行模糊测试？

Static code analysis is an invaluable tool for identifying bugs and improper programming practices that attackers can exploit. However, static analysis has its limitations.

静态代码分析是识别漏洞和不当编程实践的宝贵工具，攻击者可以利用它们。然而，静态分析也有其局限性。

First, it evaluates an application in a non-live state. Performing code review on an application won’t let you simulate how the application will react when it’s running live and clients are interacting with it, and it’s very difficult to predict all the possible malicious inputs an attacker can provide.

首先，它评估应用程序的非实时状态。在应用程序进行代码审查时，您无法模拟应用程序在运行实时且客户正在与之交互时的反应，而且很难预测攻击者可以提供的所有可能的恶意输入。

Static code analysis also requires access to the application’s source code. When you’re doing a black-box test, as in a bug bounty scenario, you probably won’t be able to obtain the source code unless you can leak the application’s source code or identify the open source components the application is using. This makes fuzzing a great way of adding to your testing methodology, since you won’t need the source code to fuzz an application.

静态代码分析也需要获得应用程序的源代码。在黑盒测试中，例如在漏洞赏金情境下，你可能无法获得源代码，除非你可以泄露应用程序的源代码或确定应用程序正在使用的开源组件。这使得模糊测试成为您测试方法的重要手段之一，因为您不需要源代码就可以对应用程序进行模糊测试。