R3 (W.I.P) is Born — a Blazingly Fast and Secure Web Vulnerability Scanner

They said Node was fast, they said Java was fast, they said Golang was fast, then came Rust…

Rust vs Go – Which programs are faster? | Computer Language Benchmarks Game (benchmarksgame-team.pages.debian.net)

Rust is awesome in so many ways for writing secure code, so go read up on it! But for now, check out this post from a forum…

I recently wrote an MPEG-2 subtitle decoder in Rust, and spent my weekend attacking it with cargo fuzz. The fuzzer ran over a billion sample inputs through my code.

I discovered:

– No malloc/free-related errors, thanks to the borrow checker.

– 3 errors where I constructed invalid Range objects. These might have been exploitable or resulted in infinite loops in C.

– One arithmetic underflow error, which might have been exploitable if it weren’t for Rust’s bounds checking.

So while writing high risk code, Rust ruled out most errors at compile time, and caught 4 more at run time. Up until now I had underrated Rust’s runtime checks as part of the overall security story, but I now consider them as indispensable as the compile time checks.

TL;DR

Rust is awesome for speed AND security: the compile-time checks are invaluable and eliminate so many classes of bugs at build time.
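To make the forum post's two runtime findings concrete (an arithmetic underflow and an invalid range), here is an added example that is not code from that decoder or from r3. The record layout, `payload`, `be16` and `ParseError` are assumptions made up for illustration.

```rust
// Assumed layout: [u16 BE total_len][u16 BE payload_off][payload bytes...]
const HEADER_LEN: usize = 4;

#[derive(Debug, PartialEq)]
enum ParseError {
    Truncated,
    LengthUnderflow,
    InvalidRange,
}

// Read a big-endian u16 at `at`, failing cleanly on short input.
fn be16(buf: &[u8], at: usize) -> Result<usize, ParseError> {
    let b = buf.get(at..at + 2).ok_or(ParseError::Truncated)?;
    Ok(u16::from_be_bytes([b[0], b[1]]) as usize)
}

/// Returns the payload slice, or an error when the input-controlled
/// length and offset do not describe a valid range inside `buf`.
fn payload(buf: &[u8]) -> Result<&[u8], ParseError> {
    let total_len = be16(buf, 0)?;
    let payload_off = be16(buf, 2)?;
    // In C, unsigned `total_len - HEADER_LEN` silently wraps to a huge value.
    // Plain `-` in Rust panics in debug builds and wraps in default release
    // builds; checked_sub makes the failure explicit in both.
    let payload_len = total_len
        .checked_sub(HEADER_LEN)
        .ok_or(ParseError::LengthUnderflow)?;
    let end = payload_off
        .checked_add(payload_len)
        .ok_or(ParseError::InvalidRange)?;
    // `get` applies the same bounds check as `buf[a..b]`, but returns None
    // instead of panicking when the range does not fit the buffer.
    buf.get(payload_off..end).ok_or(ParseError::InvalidRange)
}

fn main() {
    // Constructed inputs, not captured from any real stream.
    let good = [0x00, 0x07, 0x00, 0x04, b'a', b'b', b'c'];
    let short_len = [0x00, 0x02, 0x00, 0x04, b'a']; // total_len < header
    let past_end = [0x00, 0x20, 0x00, 0x04, b'a']; // range runs past buffer
    println!("{:?}", payload(&good));
    println!("{:?}", payload(&short_len));
    println!("{:?}", payload(&past_end));
}
```

Slice bounds checks stay on in release builds, so a bad range stops the parser instead of reading out of bounds. Arithmetic overflow checks are off there by default, which is why the example uses `checked_sub` and `checked_add`.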

r3

Anyway, enough about why Rust is so good and back to the news of r3. I was going to update the 420 XSS scanner in Python, then thought I would just combine all my web security tools into one powerful scanner built on blazingly fast, secure code.

Welcome r3, the start of a blazingly fast and secure web app vulnerability scanner. We don’t need ANOTHER web app scanner, but we do need one in Rust.

int0x33/r3: Automated Web Vulnerability Scanner (github.com)