ECG

"Scan your Code as you would do with your Heart"

Quickly identify security threats in your application landscape and easily pinpoint high-risk vulnerabilities with ECG.

Request a Trial
ECG Web Interface, Dashboard

Unmatched Bug Detection

The first and only solution able to detect real and complex security vulnerabilities in TCL/ADP files. ECG scans your TCL code for previously unknown security flaws; it supports the ACS and OpenACS frameworks and the NaviServer and AOLserver web servers.

Outstanding Performance

Scan your code repository from a local file path or an uploaded archive against hundreds of issue categories and review findings in real time. In-depth security analysis takes minutes instead of hours (or days), which makes it practical for continuous testing.

Code Summary

ECG summarizes and traces back all code lines related to an issue. This speeds up reviewing the affected code and applying a security patch at the best location.

Low False Positives

Highly accurate analysis results let you focus on meaningful findings without wasting time. A human security analyst checks each reported issue and filters out false positives, for the most accurate analysis possible. With this mixed approach of automated scanning and human review, complex security bugs in the source code are accurately detected.

Issue Details

Review the root cause of each issue and understand how a threat actor could abuse the vulnerability. Fix vulnerabilities quickly by following the reliable, actionable information and the code samples presented by ECG.

Vulnerability Context

Instantly review which sensitive function calls are reached by unsanitized input from a malicious user. Our unique context view shows how that input could tamper with the affected expression.
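The kind of source-to-sink flow the context view is meant to surface, as an added illustration in TCL (this is not ECG's own code or output; the APIs used, ns_queryget, db_string and ad_page_contract, are the real NaviServer/OpenACS ones, while the users table, the query parameter names and the helper names are assumed):

```tcl
# Added example, not part of the ECG page or product. Each pair shows an
# unsanitized request parameter reaching a sensitive call (the "before"),
# then the same handler with the input constrained or the sink changed.
# Assumed: a "users" table, query parameters named expr, a, b, user_id
# and script, and the proc names below.

# --- 1. Code execution: request parameter reaches expr ------------------
# Vulnerable: expr receives an unbraced argument, so Tcl performs a second
# substitution pass on the user's value. A parameter of  [exec id]  runs
# a command on the server.
proc calc_vulnerable {} {
    set expr_text [ns_queryget expr]
    return [expr $expr_text]
}

# Hardened: validate the operands and brace the expression, so only the
# variables' values (never their contents as code) are evaluated.
proc calc_hardened {} {
    set a [ns_queryget a]
    set b [ns_queryget b]
    if {![string is integer -strict $a] || ![string is integer -strict $b]} {
        ns_return 400 text/plain "invalid input"
        return
    }
    return [expr {$a + $b}]
}

# --- 2. SQL injection: request parameter interpolated into SQL ----------
# Vulnerable: the value is pasted into the statement text, so a user_id of
# 1 or 1=1  changes the query.
proc email_vulnerable {} {
    set user_id [ns_queryget user_id]
    return [db_string get_email \
        "select email from users where user_id = $user_id"]
}

# Hardened: the OpenACS page contract rejects anything that is not an
# integer, and :user_id is a bind variable passed to the driver separately
# from the (braced, uninterpolated) SQL text.
ad_page_contract {
    Returns the e-mail address of one user.
} {
    user_id:integer,notnull
}
proc email_hardened {user_id} {
    return [db_string get_email \
        {select email from users where user_id = :user_id}]
}

# --- 3. Unsafe interpreter creation -------------------------------------
# Vulnerable: a full interpreter can call exec, open, socket and file.
proc run_script_vulnerable {script} {
    set child [interp create]
    set out [$child eval $script]
    interp delete $child
    return $out
}

# Hardened: a safe interpreter hides the dangerous commands from the script.
proc run_script_hardened {script} {
    set child [interp create -safe]
    set out [$child eval $script]
    interp delete $child
    return $out
}
```

The three pairs correspond to the Code Execution, SQL Injection and Unsafe Interpreter Creation categories listed below; in each case the fix is either to constrain the input before it reaches the sink (type validation, page contract) or to use a sink that does not reinterpret it (braced expressions, bind variables, a safe interpreter).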

Vulnerability Checks

ECG scans your TCL code for previously unknown security flaws.

TCL

  • Code Execution
  • Code Injection
  • Code Quality
  • Format String Attack
  • Socket Creation/HTTP Operations
  • SQL Injection: TDBC Call
  • TCL C API Code Execution
  • TCL C API Memory Allocation
  • Unrestricted File Read/Write
  • Unsafe Interpreter Creation
  • Windows Registry Read/Write

OpenACS/ACS Generic

  • Code Execution
  • Command Execution
  • Easter Egg
  • HTTP GetURL
  • Open Redirect
  • SMTP Header Injection
  • SQL Injection
  • ZipSlip Check

NaviServer

  • ADP Debug Found
  • Basic Authentication
  • Code Execution
  • Command Execution
  • Control Port Interface
  • File Read/Write
  • Memory Allocation
  • NaviServer Configuration Parameters
  • Nsadmin Password
  • Open Redirect
  • Recommended Security Modifications
  • Running Process as Root
  • SMTP Header Injection
  • SQL Injection
  • Weak Crypto Function Usage
  • XSS
  • ZipSlip Check

AOLserver

  • Code Execution
  • Debug Enabled
  • File Inclusion
  • Safe Mode Disabled
  • Version With Known Vulnerabilities

Vulnerability Types

  • Code Execution
  • Code Injection
  • Command Injection
  • Cookie Misconfiguration
  • Cross-Site Scripting (XSS)
  • Dangerous Features
  • Default or Weak Salts and Keys
  • Denial of Service (DoS)
  • Deprecated Features
  • Directory Listing
  • Disabled CSRF Protections
  • Disabled XSS Filters
  • Enabled Debug Mode
  • Error Displaying
  • Execution After Redirect
  • File Upload
  • File Write (Arbitrary)
  • Format Strings
  • Hard-coded Password
  • HTTP Parameter Pollution
  • HTTP Response Splitting
  • Information Leakage
  • Known Vulnerabilities (CVEs)
  • LDAP Injection
  • Leftover Debug Code
  • Local File Inclusion (LFI)
  • Log Forging
  • No File Extension Restriction
  • Open Redirect
  • Path Traversal
  • Remote File Inclusion (RFI)
  • Server-Side Request Forgery
  • Session Fixation
  • Session Misconfiguration
  • SQL Injection
  • Suspicious Comments
  • Use Basic Auth
  • Used Root User
  • Weak CORS Header
  • Weak Cryptography
  • Weak CSP header
  • Weak Encryption
  • Weak Hash Functions
  • Weak HTTP header
  • Weak Passwords
  • Weak Strict-Transport-Security header
  • Weak X-XSS Protection header
  • XML/XXE Injection