28cbb2714fd210128106ba42a7db5805275fc093
[ssproject1617.git] / report / fortify.tex

\subsection{Fortify's results, summarized}

Fortify's results can be summarized as follows:

\begin{enumerate}[label=(\Alph*)]
\item 50 cases of \XSS{} vulnerabilities, all labelled \textbf{critical}, because none of the \CMS{}'s forms include nonces; protection against \XSS{} is indeed missing.
\item \textbf{Password management}. In the user password reset form in \code{reset.php}, if the reset fails, the password the user just entered reappears in the password field. This is not a database-retrieved password, and hence not actually as \textbf{critical} as Fortify labels it, but bad practice nonetheless.
\item In the \textbf{privacy violation} category, Fortify found errors and warnings printed back to the browser, and labelled this \textbf{critical}. However, this happens in the installer script, which we have decided to treat separately, as explained earlier.
\item \textbf{\SQL{} injection} attacks are possible on the installer script, labelled \textbf{critical}. Again, this concerns only the installer script.
\item \textbf{Cookie security}: the \code{HttpOnly} flag is not set on cookies, labelled \textbf{high}.
\item \textbf{Privacy violation}: \HTML{} forms don't disable autocompletion. Labelled \textbf{high}. However, disabling autocompletion of \HTML{} forms by means of the \code{autocompletion="none"} attribute notoriously doesn't really work. The larger problem is that the post/redirect/get pattern is not followed, as stated above in our analysis of OWASP requirement (9.1).
\item Fortify complains that \PHP{}'s \code{crypt(...)} function is \textbf{weak encryption} and labels the 5 usages \textbf{high}.
\end{enumerate}
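As an added illustration, not part of the original report or of the \CMS{} code under review, the following \PHP{} fragment shows hardened counterparts of findings (B), (E), (F) and (G): an \code{HttpOnly} session cookie, \code{password\_hash()} in place of direct \code{crypt()} calls, and a reset handler that never writes the submitted password back into the form and answers with a redirect (post/redirect/get). The \code{\$users} array, the 12-character minimum and the function names are assumptions made for the example.

```php
<?php
// Added example, not code from the CMS under review: hardened counterparts of
// findings (B), (E), (F) and (G). The $users array, the 12-character minimum
// and the function names are assumptions made for illustration.

declare(strict_types=1);

// (E) Cookie security: set HttpOnly (plus Secure and SameSite) on the session
// cookie before session_start(); the array form needs PHP 7.3 or later.
session_set_cookie_params([
    'lifetime' => 0,
    'path'     => '/',
    'secure'   => true,
    'httponly' => true,
    'samesite' => 'Strict',
]);
session_start();

// (G) Password storage: password_hash() picks a vetted algorithm and generates
// the salt itself, so no direct crypt() call with a hand-built salt is needed.
function hashPassword(string $plain): string
{
    return password_hash($plain, PASSWORD_DEFAULT);
}

function checkPassword(string $plain, string $stored): bool
{
    return password_verify($plain, $stored);
}

// (B) and (F), POST side: on a failed reset keep only a message in the session
// and answer with a redirect (POST/redirect/GET). The submitted password is
// never echoed back, and a browser refresh re-issues a harmless GET instead of
// the POST. Returns the redirect target so the caller can emit the header.
function handleReset(array $post, array &$users): string
{
    $user = $post['user'] ?? '';
    $new  = $post['password'] ?? '';

    // Reject non-string values (e.g. user[]=x) before touching array offsets.
    if (!is_string($user) || !is_string($new)
        || !isset($users[$user]) || strlen($new) < 12) {
        $_SESSION['flash'] = 'Password reset failed.';
        return '/reset.php';
    }
    $users[$user] = hashPassword($new);
    $_SESSION['flash'] = 'Password updated.';
    return '/login.php';
}

// (B) and (F), GET side: render the message, never a value for the password
// field, and escape anything that came from the session before output.
function renderResetForm(?string $flash): string
{
    $msg = $flash === null
        ? ''
        : '<p>' . htmlspecialchars($flash, ENT_QUOTES, 'UTF-8') . '</p>';
    return $msg
        . '<form method="post" action="/reset.php">'
        . '<input type="text" name="user" autocomplete="username">'
        . '<input type="password" name="password" autocomplete="new-password">'
        . '<button>Reset</button></form>';
}

// Constructed request: one stored user and a replacement password that is
// too short, so the handler takes the failure path and redirects back.
$users  = ['alice' => hashPassword('correct horse battery staple')];
$target = handleReset(['user' => 'alice', 'password' => 'short'], $users);
header('Location: ' . $target, true, 303);
exit;
```

The reset page itself would call \code{renderResetForm(\$\_SESSION['flash'] ?? null)} on GET and then clear the flash message; the password field is rendered without a \code{value} attribute in every case, which is what removes the behaviour Fortify flagged in finding (B).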


\subsection{Analysis}

The main observation is that all of the above results are quite low-level in nature, whereas the majority of the OWASP ASVS requirements are high-level. Two good examples are:

\begin{description}
\item[V4.9] Verify that the same access control rules implied by the presentation layer are enforced on the server side. \\
(\textit{The \CMS{} failed this requirement in our analysis.})
\item[V5.17] Verify that the application has defenses against \HTTP{} parameter pollution attacks, particularly if the application framework makes no distinction about the source of request parameters (\GET{}, \POST{}, cookies, headers, environment, etc.). \\
(\textit{The \CMS{} passed this requirement in our analysis.})
\end{description}

For this reason, Fortify was nowhere near able to identify all the problems we found in the \CMS{}. An overview of our findings, in which Fortify's concurrences are outlined explicitly, is given in the table below.


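To make the distinction concrete, the following \PHP{} fragment is an added illustration (not code from the \CMS{} or from the original report) of the kind of server-side logic behind V4.9 and V5.17. Neither check contains a dangerous sink for a static analyzer to flag; whether they are present is a property of the application's logic. The role model, the \code{\$currentUser} and \code{\$page} arrays and the function names are assumptions.

```php
<?php
// Added example, not code from the CMS under review: checks of the kind that
// ASVS V4.9 and V5.17 ask for. The role model and the $currentUser / $page
// arrays are assumptions made for illustration.

declare(strict_types=1);

// V5.17: make the parameter source explicit. $_REQUEST merges GET, POST and
// cookie data, so the same name from two sources can silently override each
// other; reading one superglobal removes the ambiguity, and array values
// (name[]=a&name[]=b) are rejected rather than coerced.
function postParam(array $post, string $name): ?string
{
    if (!isset($post[$name]) || !is_string($post[$name])) {
        return null;
    }
    return $post[$name];
}

// V5.17, query string: PHP keeps only the last occurrence of a repeated key,
// so pollution is detected by counting keys in the raw query string.
function hasDuplicateQueryKeys(string $queryString): bool
{
    $seen = [];
    foreach (explode('&', $queryString) as $pair) {
        if ($pair === '') {
            continue;
        }
        $key = urldecode(explode('=', $pair, 2)[0]);
        if (isset($seen[$key])) {
            return true;
        }
        $seen[$key] = true;
    }
    return false;
}

// V4.9: the authorization decision uses server-side session state only.
// Whether the presentation layer rendered an "edit" link plays no part here,
// so hiding a button in the HTML is never what protects the action.
function canEditPage(array $currentUser, array $page): bool
{
    if (($currentUser['role'] ?? '') === 'admin') {
        return true;
    }
    return isset($currentUser['id'], $page['owner_id'])
        && $currentUser['id'] === $page['owner_id'];
}

// Constructed inputs: a polluted query string, an array-valued POST field and
// an ordinary editor who does not own the page.
var_dump(hasDuplicateQueryKeys('id=1&page=2&id=3'));        // bool(true)
var_dump(postParam(['user' => ['a', 'b']], 'user'));        // NULL
var_dump(canEditPage(['id' => 7, 'role' => 'editor'],
                     ['owner_id' => 3]));                   // bool(false)
```

The \code{hasDuplicateQueryKeys()} check is deliberately stricter than PHP's own parsing: a request that repeats a key is rejected outright rather than interpreted, which is the defensive reading of V5.17 when the framework does not distinguish parameter sources.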
\newcommand{\p}{{\color{lightgray}\pass}}
\newcommand{\X}{\fail}
\setlength\fboxrule{1pt}
\setlength\fboxsep{4pt}
\newcommand{\F}[2]{%
\hspace*{-5pt}%
\boxed{\textrm{#2}}$^{\,\textrm{\small(#1)}}$%
\hspace*{-5pt}%
}% Fortify-found security problem, labelled with the finding letter: \F{A}\X

\begin{table}[th!]
\centering
%\renewcommand{\arraystretch}{1}
\begin{tabular}{@{}lllllllllll@{}}
\toprule
\# &
\textbf{V2} &
\textbf{V3} &
\textbf{V4} &
\textbf{V5} &
\textbf{V7} &
\textbf{V8} &
\textbf{V9} &
\textbf{V12} &
\textbf{V17} \\
\midrule
%     V2      V3   V4      V5   V7     V8   V9      V12  V17
1  & \X      & \p & \p     & \p &       & \X & \F{B}\X & \X & \TODO \\
2  & \F{B}\p & \p &        &    & \p    & \p &         & \p & \TODO \\
3  &         & \X &        & \X &       & \X & \p      &    & \TODO \\
4  & \p      &    & \p     &    &       & \X & \X      & \X & \TODO \\
5  &         & \p & \p     & \p &       & \p & \p      & \p & \TODO \\
6  & \X      & \p &        &    &       & \p &         & \X & \TODO \\
7  & \p      & \X &        &    & \TODO & \p & \p      & \X & \TODO \\
8  & \p      &    & \p     &    &       &    &         & \X & \\
9  & \X      & \p & \X     &    &       &    & \p      &    & \TODO \\
10 &         & \X & \p     & \X &       & \X & \p      &    & \TODO \\
11 &         & \p &        & \p &       &    & \p      &    & \TODO \\
12 & \X      & \X & \X     & \p &       &    &         &    & \\
13 & \X      & \X & \F{A}\X & \p &      & \X &         &    & \\
14 &         &    & \X     & \p &       &    &         &    & \\
15 &         &    & \X     & \X &       &    &         &    & \\
16 & \X      &    & \X     & \p &       &    &         &    & \\
17 & \p      &    &        & \p &       &    &         &    & \\
18 & \X      &    &        & \X &       &    &         &    & \\
19 & \p      &    &        & \X &       &    &         &    & \\
20 & \X      &    &        & \p &       &    &         &    & \\
21 & \X      &    &        & \p &       &    &         &    & \\
22 & \p      &    &        & \X &       &    &         &    & \\
23 &         &    &        & \X &       &    &         &    & \\
24 &         &    &        & \p &       &    &         &    & \\
25 & \X      &    &        & \p &       &    &         &    & \\
26 &         &    &        & \p &       &    &         &    & \\
27 & \X      &    &        &    &       &    &         &    & \\
28 & \X      &    &        &    &       &    &         &    & \\
29 & \X      &    &        &    &       &    &         &    & \\
30 &         &    &        &    &       &    &         &    & \\
31 &         &    &        &    &       &    &         &    & \\
32 & \X      &    &        &    &       &    &         &    & \\
33 & \p      &    &        &    &       &    &         &    & \\
\bottomrule
\end{tabular}
\caption{Summary of our results. Fortify's findings are outlined and labelled with the letter of the corresponding finding; see our analysis above.}
\end{table}