R. Kris Hardy

June 19, 2009

MIT/Stanford/Syracuse Team Develops New PHP Interpreter-Based XSS and SQL Security Tester

Filed under: Development — Kris @ 5:55 am

A group of researchers from MIT, Stanford and Syracuse has developed a new program, named “Ardilla”, which can analyze PHP code for Cross-Site Scripting (XSS) and SQL injection vulnerabilities.

Rather than relying on static analysis alone, this program actually traces the data through the software to determine whether the threat is real. This significantly reduces false positives compared with simple static analysis.

Here’s the technical paper for all us serious geeks…
