[03:58:41] <gsingh93> iangcarroll: are you still using VTs mass api stuff?
[03:58:54] <gsingh93> is it just me or did all the documentation disappear
[10:01:53] <clinth> ooh apparently they're shipping some rust in the next update of firefox??
[12:14:57] <iangcarroll> yeah, gsingh93
[12:15:09] <iangcarroll> https://www.virustotal.com/en/documentation/private-api/
[12:15:10] <yossarian-bot> Title:  Private API version 2.0 - VirusTotal
[12:15:46] <iangcarroll> The `distribution` endpoints were deprecated in favor of `feed` though
[21:23:55] <clinth> hmm
[21:24:21] <clinth> I'm pretty shocked that there doesn't seem to be any existing program I can find to do taint checking for VB.NET or C#
[21:26:35] <clinth> or maybe there's just like, not a lot of available tools around taint checking in general?
[21:32:59] <gsingh93> clinth: that's likely because one of the more common uses of taint checking is memory corruption vulns, as opposed to other vulns
[21:33:18] <gsingh93> which is why there are more taint checking programs/libraries for C/binaries than for high level languages
[21:33:19] <clinth> ahh I was thinking sql injection taint checking :)
[21:33:29] <gsingh93> that would be wonderful
[21:34:11] <gsingh93> do you write webapps in VB.NET/C#?
[21:34:20] <clinth> especially since we have roslyn, a lot of the "hard work" around writing a tool to do this is already done
[21:34:33] <clinth> yeah, at work
[21:34:57] <clinth> we have a massive web app that's a hybrid of vb.net and c#
[21:35:09] <vishwin> le ouch.
[21:35:10] <clinth> using a hybrid of web forms and asp.net mvc too
[21:35:22] <gsingh93> i don't mind C#
[21:35:23] <gsingh93> but VB...
[21:35:29] <clinth> so, the syntax isn't great
[21:35:43] <clinth> but vb and c# have near feature parity
[21:36:02] <gsingh93> yea, cause you just need to compile to the .NET IL
[21:36:39] <clinth> yeah and the CLR is pretty damn good :)
[21:37:12] <clinth> we have a hackathon at work thursday and friday so im thinking i might try to hack together something to do this sql injection checking
[21:37:53] <gsingh93> looks like this does taint analysis for PHP
[21:37:55] <gsingh93> https://github.com/oliverklee/pixy
[21:37:55] <yossarian-bot> Title: GitHub - oliverklee/pixy: Pixy is a scanner static code analysis tools that scans PHP applications for security vulnerabilities.
[21:38:01] <gsingh93> paper: http://www.seclab.tuwien.ac.at/papers/pixy_techreport.pdf
[21:40:37] <clinth> vishwin: I didn't mean massive in like a .. bad way?
[21:41:00] <clinth> it just has a lot of features
[21:41:36] <clinth> (it's an oncology electronic health record and cancer treatment is complex)
[21:41:47] <clinth> and it's old :p
[21:41:58] <clinth> we've learned a lot about web application development since 2004
[21:41:58] <gsingh93> clinth: you might want to look into code property graphs: https://www.tu-braunschweig.de/Medien-DB/sec/pubs/2014-ieeesp.pdf
[21:42:23] <gsingh93> the current implementation by this guy is for C, but it looks really promising
[21:42:53] <gsingh93> essentially you can do queries like "is there a function call to malloc that takes it's input from an atoi that takes it's input from a gets?"
[21:44:37] <clinth> oh that's really cool!
[21:45:21] <clinth> I don't have a whole lot of experience around like, implementing graph related things
[21:45:26] <gsingh93> it's what i want for every language
[21:45:42] <clinth> but I'm sure I can find someone at work
[21:48:59] <clinth> yea this is super interesting
[21:49:08] <clinth> thanks gsingh93 :D I'll try to dive into this paper tomorrow
[23:48:38] *** Quits: m0shbear (~011899988@servbox.moshbear.net) (Ping timeout: 272 seconds)
[23:49:11] *** Joins: m0shbear (~011899988@servbox.moshbear.net)