2eb48b95c244de5077d18a8fbb971f9b5e4cf0b8
[ssproject1617.git] / report / fortify.tex


\subsection{Fortify's results, summarized}

Fortify's results can be summarized as follows:

\begin{enumerate}[label=(\Alph*)]
\item 50 cases of \XSS{} vulnerabilities, all labelled \textbf{critical}, because none of the \CMS{}'s forms include nonces; protection against \XSS{} is indeed missing.
\item \textbf{Password management}. In the user password reset form in \code{reset.php}, if the reset fails, the password the user just entered reappears in the password field. This is not a password retrieved from the database, and hence not actually as \textbf{critical} as Fortify labels it, but bad practice nonetheless.
\item In the \textbf{privacy violation} category, Fortify found errors and warnings printed back to the browser, and labelled it \textbf{critical}. However, this happens in the installer script, which we have decided to treat separately, as explained earlier.
\item \textbf{\SQL{} injection} attacks are possible on the installer script, labelled \textbf{critical}. Yet again: the installer script.
\item \textbf{Cookie security}: the \code{HttpOnly} flag is not set on the cookies, labelled \textbf{high}.
\item \textbf{Privacy violation}: \HTML{} forms don't disable autocompletion. Labelled \textbf{high}. However, disabling autocompletion of \HTML{} forms by means of the \code{autocomplete="off"} attribute notoriously doesn't really work. The larger problem is that the post/redirect/get pattern is not followed, as stated above in our analysis of OWASP requirement (9.1).
\item Fortify complains that \PHP{}'s \code{crypt(...)} function is \textbf{weak encryption} and labels the 5 usages \textbf{high}.
\end{enumerate}
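Findings (B), (E) and (G) are the ones that map directly onto a few lines of \PHP{}. The following is an added illustration written for this report section, not code taken from the \CMS{} under review or from Fortify's output: each of the three patterns as Fortify would flag it, next to a hardened form. All function names, the cookie name \code{SESSID} and the sample password are hypothetical.

```php
<?php
// Added illustration, not code from the CMS under review or from the report:
// findings (B), (E) and (G) above, each as the weak pattern next to a hardened
// form. All function and variable names are hypothetical.
declare(strict_types=1);

// (B) Weak: on a failed reset the submitted password is written back into the
// form, so it lands in the page source, the browser cache and any proxy logs.
function resetFormWeak(string $submittedPassword, string $error): string
{
    return '<p class="error">' . htmlspecialchars($error, ENT_QUOTES, 'UTF-8') . '</p>'
         . '<input type="password" name="password" value="'
         . htmlspecialchars($submittedPassword, ENT_QUOTES, 'UTF-8') . '">';
}

// (B) Hardened: a password field is never pre-filled; the user types it again.
function resetFormHardened(string $error): string
{
    return '<p class="error">' . htmlspecialchars($error, ENT_QUOTES, 'UTF-8') . '</p>'
         . '<input type="password" name="password" value="">';
}

// (E) Weak: session cookie without HttpOnly, so an injected script can read it.
function setSessionCookieWeak(string $sessionId): void
{
    setcookie('SESSID', $sessionId, 0, '/');
}

// (E) Hardened: HttpOnly (plus Secure and SameSite) via the options array,
// available since PHP 7.3. For session_start() the same flags come from
// session.cookie_httponly and session.cookie_secure in php.ini.
function setSessionCookieHardened(string $sessionId): void
{
    setcookie('SESSID', $sessionId, [
        'expires'  => 0,
        'path'     => '/',
        'secure'   => true,
        'httponly' => true,
        'samesite' => 'Strict',
    ]);
}

// (G) Weak: crypt() with a caller-supplied salt. The scheme is chosen by the
// salt prefix ($1$ is MD5-crypt, fast to brute-force) and a fixed salt makes
// equal passwords hash to equal strings.
function hashPasswordWeak(string $password): string
{
    return crypt($password, '$1$fixedsal$');
}

// (G) Hardened: password_hash() generates a random per-password salt and uses
// a slow algorithm (bcrypt for PASSWORD_DEFAULT); password_verify() does the
// comparison in constant time.
function hashPasswordHardened(string $password): string
{
    return password_hash($password, PASSWORD_DEFAULT);
}

function checkPassword(string $password, string $storedHash): bool
{
    return password_verify($password, $storedHash);
}

// Constructed demonstration input.
$stored = hashPasswordHardened('correct horse battery staple');
var_dump(checkPassword('correct horse battery staple', $stored));
var_dump(checkPassword('wrong password', $stored));
var_dump(hashPasswordWeak('a') === hashPasswordWeak('a'));
var_dump(hashPasswordHardened('a') === hashPasswordHardened('a'));
echo resetFormHardened('Reset failed'), PHP_EOL;
```

Run from the command line, the two \code{hashPasswordWeak} calls produce identical strings while the two \code{hashPasswordHardened} calls do not, which is the concrete difference behind Fortify's \textbf{weak encryption} label on \code{crypt(...)}; the cookie functions are shown for comparison only and are not called, since \code{setcookie} needs an HTTP response to be meaningful.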


\subsection{Analysis}

The main point that must be observed is that all the above results are quite low-level in nature, whereas the majority of the OWASP ASVS requirements are of a more high-level nature. Two good examples are:

\begin{description}
\item[V4.9] Verify that the same access control rules implied by the presentation layer are enforced on the server side. \\
(\textit{The \CMS{} failed this requirement in our analysis.})
\item[V5.17] Verify that the application has defenses against \HTTP{} parameter pollution attacks, particularly if the application framework makes no distinction about the source of request parameters (\GET{}, \POST{}, cookies, headers, environment, etc.). \\
(\textit{The \CMS{} passed this requirement in our analysis.})
\end{description}

For this reason, Fortify was nowhere near able to identify all the problems we found in the \CMS{}. An overview of our findings, in which the findings Fortify also reported are outlined explicitly, is given in the table below.
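Both requirements describe a property of the request handling as a whole rather than of any single line, which is why a static scanner has little to latch onto. As an added illustration, written for this section and not code from the \CMS{}, the following shows what satisfying them looks like in \PHP{}: a query-string parser that rejects repeated parameter names (V5.17, where \PHP{}'s \code{\$\_REQUEST} would silently merge sources and keep only the last value), and a delete handler that enforces the role check on the server regardless of what the presentation layer shows (V4.9). The handler, the role names and the sample requests are hypothetical.

```php
<?php
// Added illustration, not code from the CMS or the report: server-side checks
// for ASVS V5.17 (parameter pollution) and V4.9 (access control enforced on
// the server). All names are hypothetical.
declare(strict_types=1);

// V5.17: PHP's $_REQUEST merges GET, POST and cookie values and keeps only the
// last occurrence of a repeated name, so `?id=1&id=2` arrives as id=2 and one
// source can silently override another. Parse the raw query string ourselves,
// keep the source explicit, and reject any repeated name.
function parseSingleValued(string $rawQuery): array
{
    $params = [];
    if ($rawQuery === '') {
        return $params;
    }
    foreach (explode('&', $rawQuery) as $pair) {
        if ($pair === '') {
            continue;
        }
        [$name, $value] = array_pad(explode('=', $pair, 2), 2, '');
        $name = urldecode($name);
        if (array_key_exists($name, $params)) {
            throw new InvalidArgumentException("parameter pollution: '$name' repeated");
        }
        $params[$name] = urldecode($value);
    }
    return $params;
}

// V4.9: the presentation layer may hide the "delete" button from non-admins,
// but the rule has to be enforced here, where the request is actually handled.
function canDeletePages(array $session): bool
{
    return ($session['role'] ?? '') === 'admin';
}

// Hypothetical handler: takes the raw query string (explicitly the URL source,
// never $_REQUEST) and the server-side session, returns a status line.
function handleDelete(string $rawQuery, array $session): string
{
    $get = parseSingleValued($rawQuery);
    if (!isset($get['id']) || !ctype_digit($get['id'])) {
        return '400 bad id';
    }
    $pageId = (int) $get['id'];
    if (!canDeletePages($session)) {
        return '403 forbidden';
    }
    return "200 deleted page $pageId";
}

// Constructed requests: an admin, an editor who only lacks the button in the
// UI, and a polluted query string.
$admin  = ['role' => 'admin'];
$editor = ['role' => 'editor'];
echo handleDelete('id=7', $admin), PHP_EOL;
echo handleDelete('id=7', $editor), PHP_EOL;
try {
    echo handleDelete('id=7&id=8', $admin), PHP_EOL;
} catch (InvalidArgumentException $e) {
    echo 'rejected: ', $e->getMessage(), PHP_EOL;
}
```

The editor's request is refused even though the same \code{id} is valid for the admin, and the polluted request is rejected before any authorization decision is made; neither outcome is visible to a scanner that only looks at individual sinks.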


\newcommand{\p}{{\color{lightgray}\pass}}
\newcommand{\X}{\fail}
\setlength\fboxrule{1pt}
\setlength\fboxsep{4pt}
\newcommand{\F}[2]{%
\hspace*{-5pt}%
\boxed{\textrm{#2}}$^{\,\textrm{\small(#1)}}$%
\hspace*{-5pt}%
}% Fortify-found security problem, labelled with the finding letter: \F{B}\X

\begin{table}[th!]
\centering
%\renewcommand{\arraystretch}{1}
\begin{tabular}{@{}lllllllll@{}}
\toprule
\# &
\textbf{V2} &
\textbf{V3} &
\textbf{V4} &
\textbf{V5 (6)} &
\textbf{V7} &
\textbf{V8} &
\textbf{V9} &
\textbf{V11} \\
\midrule
% V2 V3 V4 V5 V7 V8 V9 V11
1 & \X & \p & \p & \p & & \X & \F{B}\X & \X \\
2 & \F{B}\p & \p & & & \p & \p & & \p \\
3 & & \X & & \X & & \X & \p & \\
4 & \p & & \p & & & \X & \X & \X \\
5 & & \p & \p & \p & & \p & \p & \p \\
6 & \X & \p & & & \X & \p & & \X \\
7 & \p & \X & & & \p & \p & \p & \X \\
8 & \p & & \p & & & & & \X \\
9 & \X & \p & \X & & \p & & \p & \\
10 & & \X & \p & \X & & \X & \p & \\
11 & & \p & & \p & & & \p & \\
12 & \X & \X & \X & \p & \X & & & \\
13 & \X & \X & \F{A}\X & \p & \X & \X & & \\
14 & & & \X & \p & \p & & & \\
15 & & & \X & \X & & & & \\
16 & \X & & \X & \p & & & & \\
17 & \p & & & \p & & & & \\
18 & \X & & & \X & & & & \\
19 & \p & & & \X & & & & \\
20 & \X & & & \p & & & & \\
21 & \X & & & \p & & & & \\
22 & \p & & & \X & & & & \\
23 & & & & \X & & & & \\
24 & & & & \p & & & & \\
25 & \X & & & \p & & & & \\
26 & & & & \p & & & & \\
27 & \X & & & & & & & \\
28 & \X & & & & & & & \\
29 & \X & & & & & & & \\
30 & & & & & & & & \\
31 & & & & & & & & \\
32 & \X & & & & & & & \\
33 & \p & & & & & & & \\
\bottomrule
\end{tabular}
\caption{Summary of our results. Fortify's findings are outlined and labelled with the corresponding letter; see our analysis above.}
\end{table}