WES - Wintermute Endpoint Search
WES is a static code analyzer for web applications that doesn’t take the traditional approach of showing where problems may exist in our code. Rather WES simply pulls all of the endpoints, parameters, templates, methods, and line numbers for each, right out of the source code. These results can then be used to feed a dynamic scanner as a site map of the application. Reading all of this information right from the source code allows for a more complete listing of vectors for your dynamic scan than traditional techniques(crawlers, proxies, and brute forcers).
Currently WES supports processing the following frameworks:
- Java Servlets
- JavaServer Pages (JSP)
To install the project you will want to do the following:
pip install git+ssh://email@example.com/indeedsecurity/wes.git
pip install git+https://github.com/indeedsecurity/wes.git
Processing the source code
WES supports a few methods of running from the command line. You have the option of supplying a git repository address (eg. firstname.lastname@example.org:owner/project.git) or a folder which contains the source code.
Running WES on individual projects can be done with the following commands:
wes -f myProjectFolder -u http://myProjectsBaseUrl.com
wes -r email@example.com:owner/project.git -u http://myProjectsBaseUrl.com
All of the following commands should be run from the root WES directory.
pytest --cov-config .coveragerc --cov wes --cov-report term-missing tests