7dd5595a248d96a70c17f5fdf9458f3a3c4a131f
[ssproject1617.git] / report / fortify.tex


\subsection{Fortify's results, summarized}

Fortify's results can be summarized as follows:

\begin{enumerate}[label=(\Alph*)]
\item 50 cases of \XSS{} vulnerabilities, all labelled \textbf{critical}, because none of the \CMS{}'s forms include nonces; protection against \XSS{} is indeed missing.
\item \textbf{Password management}. In the user password reset form in \code{reset.php}, if the reset fails, the password the user just entered is echoed back into the password field. This is not a database-retrieved password, and hence not actually as \textbf{critical} as Fortify labels it, but bad practice nonetheless.
\item In the \textbf{privacy violation} category, Fortify found errors and warnings printed back to the browser, and labelled this \textbf{critical}. However, this happens in the installer script, which we have decided to treat separately, as explained earlier.
\item \textbf{\SQL{} injection} attacks are possible on the installer script, labelled \textbf{critical}. Yet again: the installer script.
\item \textbf{Cookie security}: the \code{HttpOnly} flag is not set on cookies, labelled \textbf{high}.
\item \textbf{Privacy violation}: \HTML{} forms don't disable autocompletion. Labelled \textbf{high}. However, disabling autocompletion of \HTML{} forms by means of the \code{autocomplete="off"} attribute notoriously doesn't really work. The larger problem is that the post/redirect/get pattern is not followed, as stated above in our analysis of OWASP requirement (9.1).
\item Fortify complains that \PHP{}'s \code{crypt(...)} function is \textbf{weak encryption} and labels its 5 usages \textbf{high}.
\end{enumerate}
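The three code-level findings (B), (E) and (G) above, each shown as the weak pattern next to its corrected form. This is an added illustration in PHP, not code from the report or from the \CMS{} under review; the function names are hypothetical, and the array form of \code{session\_set\_cookie\_params} assumes PHP 7.3 or later.

```php
<?php
// Added example, not code from the CMS under review. Function names are
// hypothetical; only the weak/corrected contrast matters.

// (B) Password management: the weak reset form re-populates the password
// field with what the user just submitted when the reset fails.
function weak_reset_form(string $submitted_password, string $error): string {
    return '<p>' . htmlspecialchars($error, ENT_QUOTES, 'UTF-8') . '</p>'
         . '<input type="password" name="password" value="'
         . htmlspecialchars($submitted_password, ENT_QUOTES, 'UTF-8') . '">';
}

// Corrected: a password field is never pre-filled; the user types it again.
function fixed_reset_form(string $error): string {
    return '<p>' . htmlspecialchars($error, ENT_QUOTES, 'UTF-8') . '</p>'
         . '<input type="password" name="password" value="">';
}

// (E) Cookie security: with php.ini defaults the session cookie may lack the
// HttpOnly flag, so it is readable from script via document.cookie.
function weak_session_cookie(): void {
    session_start();  // relies on session.cookie_httponly, often 0
}

// Corrected: set the cookie flags explicitly before the session starts.
function fixed_session_cookie(): void {
    session_set_cookie_params([
        'lifetime' => 0,
        'path'     => '/',
        'secure'   => true,      // only sent over HTTPS
        'httponly' => true,      // not exposed to JavaScript
        'samesite' => 'Strict',
    ]);
    session_start();
}

// (G) Weak encryption: crypt() with a caller-chosen salt is easy to misuse;
// a two-character salt selects the legacy DES scheme.
function weak_store_password(string $password): string {
    return crypt($password, 'ab');
}

// Corrected: password_hash() chooses the algorithm, a random salt and the
// cost; password_verify() checks against the stored hash.
function fixed_store_password(string $password): string {
    return password_hash($password, PASSWORD_DEFAULT);
}

function verify_password(string $password, string $stored_hash): bool {
    return password_verify($password, $stored_hash);
}
```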


\subsection{Analysis}

The main point to observe is that all the above results are quite low-level in nature, whereas the majority of the OWASP ASVS requirements are of a more high-level nature. Two good examples are:

\begin{description}
\item[V4.9] Verify that the same access control rules implied by the presentation layer are enforced on the server side. \\
(\textit{The \CMS{} failed this requirement in our analysis.})
\item[V5.17] Verify that the application has defenses against \HTTP{} parameter pollution attacks, particularly if the application framework makes no distinction about the source of request parameters (\GET{}, \POST{}, cookies, headers, environment, etc.). \\
(\textit{The \CMS{} passed this requirement in our analysis.})
\end{description}

For this reason, Fortify was nowhere near able to identify all the problems we found in the \CMS{}. An overview of our findings, in which Fortify's concurrences are outlined explicitly, is given in the table below.


\newcommand{\p}{\textit{pass}}
\newcommand{\X}{\textbf{FAIL}}
\setlength\fboxrule{1pt}
\setlength\fboxsep{4pt}

%\newcommand{\F}[2]{%
% \hspace*{-5pt}%
% \boxed{\textrm{#2}}$^{\,\textrm{\scriptsize(#1)}}$%
% \hspace*{-5pt}%
%}% fortify-found security problem: \F\X

\newlength{\lofF}
\newcommand{\F}[2]{%
\setlength{\lofF}{\widthof{\;#2\;}}
\hspace*{-2pt}%
\framebox[\lofF]{\phantom{K}}%
\hspace*{-\lofF}%
\;#2\;%
$^{\,\textrm{\scriptsize(#1)}}$%
}% fortify-found security problem: \F\X

\begin{table}[th!]
\centering
\renewcommand{\arraystretch}{1.2}
\begin{tabular}{@{}p{20pt}p{35pt}p{35pt}p{35pt}p{35pt}p{35pt}p{35pt}p{35pt}p{35pt}@{}}
\toprule
\# &
\textbf{V2} &
\textbf{V3} &
\textbf{V4} &
\textbf{V5/6} &
\textbf{V7} &
\textbf{V8} &
\textbf{V9} &
\textbf{V11} \\
\midrule
% V2 V3 V4 V5 V7 V8 V9 V11
1 & \X & \p & \p & \p & - & \X & \F{B}\X & \X \\
2 & \F{B}\p & \p & - & - & \p & \p & - & \p \\
3 & - & \X & - & \X & - & \X & \p & - \\
4 & \p & - & \p & - & - & \X & \X & \X \\
5 & - & \p & \p & \p & - & \p & \p & \p \\
6 & \X & \p & - & - & \X & \p & - & \X \\
7 & \p & \X & - & - & \p & \p & \p & \X \\
8 & \p & - & \p & - & - & - & - & \X \\
9 & \X & \p & \X & - & \p & - & \p & - \\
10 & - & \X & \p & \X & - & \X & \p & - \\
11 & - & \p & - & \p & - & - & \p & - \\
12 & \X & \X & \X & \p & \X & - & - & - \\
13 & \X & \X & \F{A}\X & \p & \X & \X & - & - \\
14 & - & - & \X & \p & \p & - & - & - \\
15 & - & - & \X & \X & - & - & - & - \\
16 & \X & - & \X & \p & - & - & - & - \\
17 & \p & - & - & \p & - & - & - & - \\
18 & \X & - & - & \X & - & - & - & - \\
19 & \p & - & - & \X & - & - & - & - \\
20 & \X & - & - & \p & - & - & - & - \\
21 & \X & - & - & \p & - & - & - & - \\
22 & \p & - & - & \X & - & - & - & - \\
23 & - & - & - & \X & - & - & - & - \\
24 & - & - & - & \p & - & - & - & - \\
25 & \X & - & - & \p & - & - & - & - \\
26 & - & - & - & \p & - & - & - & - \\
27 & \X & - & - & - & - & - & - & - \\
28 & \X & - & - & - & - & - & - & - \\
29 & \X & - & - & - & - & - & - & - \\
30 & - & - & - & - & - & - & - & - \\
31 & - & - & - & - & - & - & - & - \\
32 & \X & - & - & - & - & - & - & - \\
33 & \p & - & - & - & - & - & - & - \\
\bottomrule
\end{tabular}
\caption{Summary of our results. Fortify's findings are outlined and labelled; see our analysis above.}
\end{table}