\subsection{Fortify's results, summarized}
Fortify's results can be summarized as follows:
\begin{enumerate}[label=(\Alph*)]
\item 50 cases of \XSS{} vulnerabilities, all labelled \textbf{critical}. Protection against \XSS{} is indeed missing from the \CMS{}'s forms (they do not even carry nonces, although nonces only protect against cross-site request forgery, not against \XSS{}).
\item \textbf{Password management}. In the user password reset form in \code{reset.php}, when the reset fails the password the user just entered is written back into the password field. This is the user's own input, not a password retrieved from the database, and hence not actually as \textbf{critical} as Fortify labels it, but bad practice nonetheless.
\item In the \textbf{privacy violation} category, Fortify found errors and warnings printed back to the browser and labelled them \textbf{critical}. However, this happens in the installer script, which we decided to treat separately, as explained earlier.
\item \textbf{\SQL{} injection} is possible in the installer script, labelled \textbf{critical}. Yet again: the installer script.
\item \textbf{Cookie security}: cookies are set without the \code{HttpOnly} flag, labelled \textbf{high}.
\item \textbf{Privacy violation}: \HTML{} forms do not disable autocompletion. Labelled \textbf{high}. However, disabling autocompletion by means of the \code{autocomplete="off"} attribute notoriously does not really work, since browsers are free to ignore it. The larger problem is that the post/redirect/get pattern is not followed, as stated above in our analysis of OWASP requirement (9.1).
\item Fortify considers \PHP{}'s \code{crypt(...)} function \textbf{weak encryption} and labels its 5 usages \textbf{high}.
\end{enumerate}
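The following \PHP{} handler is added here as an illustration; it is not the \CMS{}'s own \code{reset.php}. It shows one way to address findings (A), (B), (E), (F) and (G) together: output encoding on every value echoed into the page, no re-filling of the password field, a session cookie with \code{HttpOnly} set, the post/redirect/get pattern rather than reliance on the \code{autocomplete} attribute, and \code{password\_hash()} in place of a hand-rolled \code{crypt()} call. The field names, the session layout and the function \code{try\_reset} are assumptions made for the example.

```php
<?php
// Added example, not the CMS's own reset.php. Field names, the session layout and
// try_reset() are assumptions made for this illustration.
declare(strict_types=1);

// (E) Session cookie with HttpOnly set, so script running in the page (including an
//     injected XSS payload) cannot read it; Secure and SameSite are set for good measure.
session_set_cookie_params(['httponly' => true, 'secure' => true, 'samesite' => 'Strict']);
session_start();

// (A) Output encoding: every dynamic value that lands in HTML goes through h().
function h(string $s): string
{
    return htmlspecialchars($s, ENT_QUOTES | ENT_HTML5, 'UTF-8');
}

// (G) password_hash() picks a salted, adaptive algorithm (bcrypt for PASSWORD_DEFAULT in
//     current PHP) and generates the salt itself. A crypt() call given only a two-character
//     salt falls back to traditional DES, which truncates the password to 8 characters;
//     that is the kind of call a "weak encryption" rule should flag.
function store_new_password(string $password): string
{
    return password_hash($password, PASSWORD_DEFAULT);
}

// Hypothetical reset logic: the token must match the one issued for this session.
function try_reset(string $token, string $password): bool
{
    if (strlen($password) < 12 || $token === '' || !hash_equals($_SESSION['reset_token'] ?? '', $token)) {
        return false;
    }
    $_SESSION['password_hash'] = store_new_password($password); // would normally go to the user table
    unset($_SESSION['reset_token']);
    return true;
}

$self = $_SERVER['REQUEST_URI'] ?? '/reset.php';

if (($_SERVER['REQUEST_METHOD'] ?? 'GET') === 'POST') {
    $ok = try_reset((string) ($_POST['token'] ?? ''), (string) ($_POST['password'] ?? ''));
    // (B) Only an outcome message survives the request, never the submitted password.
    $_SESSION['flash'] = $ok ? 'Password changed.' : 'Reset failed, please try again.';
    // (F) Post/Redirect/Get: the browser is sent to a GET of the same page, so a reload
    //     cannot re-submit the form and nothing from the POST body is echoed back.
    header('Location: ' . $self, true, 303);
    exit;
}

$_SESSION['reset_token'] ??= bin2hex(random_bytes(16));
$flash = (string) ($_SESSION['flash'] ?? '');
unset($_SESSION['flash']);

// The pattern Fortify flagged as (B) is echoing $_POST['password'] into the value
// attribute of the password field; done without encoding it is also reflected XSS (A).
// The form below has no value attribute on the password field and encodes every value.
?>
<p><?= h($flash) ?></p>
<form method="post" action="<?= h($self) ?>">
  <input type="hidden" name="token" value="<?= h($_SESSION['reset_token']) ?>">
  <input type="password" name="password" autocomplete="new-password">
  <button type="submit">Reset password</button>
</form>
```

The form-level \code{autocomplete} attribute is deliberately not relied upon: the password never reaches the response because the failed POST is answered with a 303 redirect, and the password field is rendered without a value attribute.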
The main point to observe is that all of the above results are quite low-level in nature, whereas the majority of the OWASP ASVS requirements are of a more high-level nature. Two good examples are:
\begin{description}
\item[V4.9] Verify that the same access control rules implied by the presentation layer are enforced on the server side. \\
(\textit{The \CMS{} failed this requirement in our analysis.})
\item[V5.17] Verify that the application has defenses against \HTTP{} parameter pollution attacks, particularly if the application framework makes no distinction about the source of request parameters (\GET{}, \POST{}, cookies, headers, environment, etc.). \\
(\textit{The \CMS{} passed this requirement in our analysis.})
\end{description}
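As an added illustration, not code from the \CMS{}, the following \PHP{} fragment shows how both requirements can be enforced on the server side: a parameter is read from exactly one source and the request is rejected when the same name also arrives through another source or is repeated in the raw query string (V5.17), and the caller's role is re-checked from the session before an action runs, whatever the presentation layer offered (V4.9). The role table, the parameter names and the three constructed requests are assumptions made for the example.

```php
<?php
// Added example, not code from the CMS. The role table, parameter names and the three
// constructed requests below are assumptions made for the illustration.
declare(strict_types=1);

/**
 * V5.17: PHP's $_REQUEST merges GET, POST and (depending on request_order) cookie
 * values, and for "?id=7&id=9" $_GET['id'] silently keeps the last value only.
 * Read $name from exactly one source; refuse the request if the same name also
 * arrives through another source, is repeated in the raw query string, or is an array.
 */
function param(string $name, string $source, array $get, array $post, array $cookie, string $query): string
{
    $sources = ['get' => $get, 'post' => $post, 'cookie' => $cookie];
    foreach ($sources as $label => $values) {
        if ($label !== $source && array_key_exists($name, $values)) {
            throw new RuntimeException("parameter pollution: '$name' also present in $label");
        }
    }
    // $_GET has already collapsed duplicates, so count occurrences in the raw query string.
    $occurrences = 0;
    foreach (explode('&', $query) as $pair) {
        if ($pair !== '' && urldecode(explode('=', $pair, 2)[0]) === $name) {
            $occurrences++;
        }
    }
    if ($occurrences > 1) {
        throw new RuntimeException("parameter pollution: '$name' repeated in query string");
    }
    $value = $sources[$source][$name] ?? null;
    if (!is_string($value)) {
        throw new RuntimeException("parameter '$name' missing or not a scalar in $source");
    }
    return $value;
}

/**
 * V4.9: hiding a button in the UI is not authorisation. The server decides from the
 * session-bound role on every request, independently of what the page offered.
 */
function authorize(array $session, string $action): void
{
    $allowed = [
        'viewer' => ['read'],
        'editor' => ['read', 'write'],
        'admin'  => ['read', 'write', 'delete'],
    ];
    $role = $session['role'] ?? 'anonymous';
    if (!in_array($action, $allowed[$role] ?? [], true)) {
        throw new RuntimeException("forbidden: role '$role' may not '$action'");
    }
}

// Constructed requests: one clean, one with a duplicated GET key, one with id also in POST.
$requests = [
    'clean'    => ['query' => 'id=7',      'get' => ['id' => '7'], 'post' => [],            'cookie' => []],
    'dupGet'   => ['query' => 'id=7&id=9', 'get' => ['id' => '9'], 'post' => [],            'cookie' => []],
    'fromPost' => ['query' => 'id=7',      'get' => ['id' => '7'], 'post' => ['id' => '9'], 'cookie' => []],
];

foreach (['editor', 'admin'] as $role) {
    foreach ($requests as $label => $r) {
        try {
            $id = param('id', 'get', $r['get'], $r['post'], $r['cookie'], $r['query']);
            authorize(['role' => $role], 'delete');
            echo "$role/$label: delete of item $id authorised\n";
        } catch (RuntimeException $e) {
            echo "$role/$label: " . $e->getMessage() . "\n";
        }
    }
}
```

Only the \code{admin}/\code{clean} combination reaches the action; the editor is refused by \code{authorize()} regardless of the request, and both polluted requests are refused by \code{param()} before any authorisation decision is made.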
For this reason, Fortify came nowhere near identifying all the problems we found in the \CMS{}. An overview of our findings, in which Fortify's concurring findings are outlined explicitly, is given in the table below.
\newcommand{\p}{\textit{pass}}
\newcommand{\X}{\textbf{FAIL}}
\setlength\fboxrule{1pt}
\setlength\fboxsep{4pt}
\newlength{\lofF}
% \F{label}{entry}: frame the entry and add a superscript label (requires the calc package for \widthof)
\newcommand{\F}[2]{%
  % \boxed{\textrm{#2}}$^{\,\textrm{\scriptsize(#1)}}$%
  %}% fortify-found security problem: \F\X
  \setlength{\lofF}{\widthof{\;#2\;}}%
  \makebox[0pt][l]{\kern-\fboxsep\kern-\fboxrule\framebox[\lofF]{\phantom{K}}}%
  \;#2\;$^{\,\textrm{\scriptsize(#1)}}$%
}% fortify-found security problem: \F\X
\begin{table}[ht]
\centering
\renewcommand{\arraystretch}{1.2}
\begin{tabular}{@{}p{20pt}p{35pt}p{35pt}p{35pt}p{35pt}p{35pt}p{35pt}p{35pt}p{35pt}@{}}
 & V2 & V3 & V4 & V5 & V7 & V8 & V9 & V11 \\
\hline
1 & \X & \p & \p & \p & - & \X & \F{B}\X & \X \\
2 & \F{B}\p & \p & - & - & \p & \p & - & \p \\
3 & - & \X & - & \X & - & \X & \p & - \\
4 & \p & - & \p & - & - & \X & \X & \X \\
5 & - & \p & \p & \p & - & \p & \p & \p \\
6 & \X & \p & - & - & \X & \p & - & \X \\
7 & \p & \X & - & - & \p & \p & \p & \X \\
8 & \p & - & \p & - & - & - & - & \X \\
9 & \X & \p & \X & - & \p & - & \p & - \\
10 & - & \X & \p & \X & - & \X & \p & - \\
11 & - & \p & - & \p & - & - & \p & - \\
12 & \X & \X & \X & \p & \X & - & - & - \\
13 & \X & \X & \F{A}\X & \p & \X & \X & - & - \\
14 & - & - & \X & \p & \p & - & - & - \\
15 & - & - & \X & \X & - & - & - & - \\
16 & \X & - & \X & \p & - & - & - & - \\
17 & \p & - & - & \p & - & - & - & - \\
18 & \X & - & - & \X & - & - & - & - \\
19 & \p & - & - & \X & - & - & - & - \\
20 & \X & - & - & \p & - & - & - & - \\
21 & \X & - & - & \p & - & - & - & - \\
22 & \p & - & - & \X & - & - & - & - \\
23 & - & - & - & \X & - & - & - & - \\
24 & - & - & - & \p & - & - & - & - \\
25 & \X & - & - & \p & - & - & - & - \\
26 & - & - & - & \p & - & - & - & - \\
27 & \X & - & - & - & - & - & - & - \\
28 & \X & - & - & - & - & - & - & - \\
29 & \X & - & - & - & - & - & - & - \\
30 & - & - & - & - & - & - & - & - \\
31 & - & - & - & - & - & - & - & - \\
32 & \X & - & - & - & - & - & - & - \\
33 & \p & - & - & - & - & - & - & - \\
\end{tabular}
\caption{Summary of our results: one row per ASVS requirement number, one column per ASVS section. Fortify's concurring findings are framed and labelled with the letter of the corresponding item in our analysis above.}
\end{table}