8e2bb66ca4fa44292d1698d4e0fa1f337d777ee1
[ssproject1617.git] / report / fortify.tex


\subsection{Fortify's results, summarized}

Fortify's results can be summarized as follows:

\begin{enumerate}[label=(\Alph*)]
\item 50 cases of \textbf{XSS} vulnerabilities, all labeled \textbf{critical}: none of the CMS's forms include nonces, and protection against XSS is indeed missing.
\item \textbf{Password management}. In the user password reset form in \code{reset.php}, if the reset fails, the password the user just entered reappears in the password field. This is not a password retrieved from the database, and hence not actually as \textbf{critical} as Fortify labels it, but bad practice nonetheless.
\item In the \textbf{privacy violation} category, Fortify found errors and warnings printed back to the browser, and labelled this \textbf{critical}. However, this happens in the installer script, which we have decided to treat separately, as explained earlier.
\item \textbf{SQL injection} attacks are possible in the installer script, labelled \textbf{critical}. Yet again: the installer script.
\item \textbf{Cookie security}: the \code{HttpOnly} flag is not set on the cookie, labelled \textbf{high}.
\item \textbf{Privacy violation}: HTML forms don't disable autocompletion. Labelled \textbf{high}. However, disabling autocompletion of HTML forms by means of the \code{autocomplete="off"} attribute notoriously doesn't really work. The larger problem is that the post/redirect/get pattern is not followed, as stated above in our analysis of OWASP requirement (9.1).
\item Fortify complains that PHP's \code{crypt(...)} function is \textbf{weak encryption} and labels its 5 usages \textbf{high}.
\end{enumerate}
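As an added illustration (not code from the CMS under review nor from this report), the following PHP sketch shows the hardened counterpart of findings (B), (E) and (F) above in one reset handler: the submitted password is never echoed back into the form, the session cookie is created with the \code{HttpOnly} flag, and the POST is answered with a redirect (post/redirect/get) so that a refresh cannot resubmit it. Output is escaped before it is reflected, which is what the XSS finding (A) asks for. The helper names \code{h}, \code{validate\_reset}, the session keys and the commented-out \code{store\_new\_password} call are assumptions made for this example; only the path \code{reset.php} comes from the report.

```php
<?php
declare(strict_types=1);
// Added example, not part of the CMS or the report. Hardened handling of the
// findings above: (B) never re-echo a submitted password, (E) HttpOnly cookie,
// (F) post/redirect/get, and (A) escape everything reflected into HTML.
// Helper names and session keys below are assumptions for illustration.

// (E) Cookie flags must be set before session_start() emits the cookie.
session_set_cookie_params([
    'httponly' => true,   // not readable from JavaScript
    'secure'   => true,   // only sent over TLS
    'samesite' => 'Lax',
]);
session_start();

// (A) HTML-escape anything reflected into the page.
function h(string $s): string
{
    return htmlspecialchars($s, ENT_QUOTES | ENT_HTML5, 'UTF-8');
}

// Hypothetical validation of a reset submission; returns error messages only,
// never the submitted values.
function validate_reset(string $new, string $confirm): array
{
    $errors = [];
    if (strlen($new) < 12) {
        $errors[] = 'Password must be at least 12 characters.';
    }
    if (!hash_equals($new, $confirm)) {
        $errors[] = 'Passwords do not match.';
    }
    return $errors;
}

if ($_SERVER['REQUEST_METHOD'] === 'POST') {
    $errors = validate_reset($_POST['password'] ?? '', $_POST['confirm'] ?? '');
    if ($errors === []) {
        // store_new_password() is assumed; it would use password_hash(),
        // which also addresses finding (G) about crypt().
        // store_new_password($_SESSION['reset_user'], $_POST['password']);
        $_SESSION['flash'] = ['ok' => 'Password updated.'];
    } else {
        // (B) keep only the error messages; the password is not stored
        // in the session and will not reappear in the form.
        $_SESSION['flash'] = ['errors' => $errors];
    }
    // (F) post/redirect/get: answer the POST with a 303 to the GET view.
    header('Location: /reset.php', true, 303);
    exit;
}

// GET: render the form from the one-shot flash data; password fields stay empty.
$flash = $_SESSION['flash'] ?? [];
unset($_SESSION['flash']);
?>
<form method="post" action="/reset.php">
<?php foreach ($flash['errors'] ?? [] as $e): ?>
  <p class="error"><?= h($e) ?></p>
<?php endforeach; ?>
<?php if (isset($flash['ok'])): ?>
  <p class="ok"><?= h($flash['ok']) ?></p>
<?php endif; ?>
  <input type="password" name="password" value="" autocomplete="new-password">
  <input type="password" name="confirm" value="" autocomplete="new-password">
  <button type="submit">Reset password</button>
</form>
```

The design choice worth noting is that the POST branch never renders HTML at all: whatever must survive the redirect goes into the session as messages, not as the user's input, which is what removes the re-echoed password that Fortify flagged.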


\subsection{Analysis}

The main point that must be observed is that all the above results are quite low-level in nature. The majority of the OWASP ASVS requirements are of a more high-level nature. Two good examples are:

\begin{description}
\item[V4.9] Verify that the same access control rules implied by the presentation layer are enforced on the server side. \\
(\textit{The CMS failed this requirement in our analysis.})
\item[V5.17] Verify that the application has defenses against HTTP parameter pollution attacks, particularly if the application framework makes no distinction about the source of request parameters (GET, POST, cookies, headers, environment, etc.). \\
(\textit{The CMS passed this requirement in our analysis.})
\end{description}

For this reason, Fortify was nowhere near able to identify all the problems we found in the CMS. An overview of our findings, in which Fortify's concurring findings are outlined explicitly, is given by the table below.


\newcommand{\p}{{\color{lightgray}\pass}}
\newcommand{\X}{\fail}
\setlength\fboxrule{1pt}
\setlength\fboxsep{4pt}
\newcommand{\F}[2]{%
\hspace*{-5pt}%
\boxed{\textrm{#2}}$^{\,\textrm{\small(#1)}}$%
\hspace*{-5pt}%
}% fortify-found security problem: \F\X

\begin{table}[th!]
\centering
%\renewcommand{\arraystretch}{1}
\begin{tabular}{@{}llllllllll@{}}
\toprule
\# &
\textbf{V2} &
\textbf{V3} &
\textbf{V4} &
\textbf{V5} &
\textbf{V7} &
\textbf{V8} &
\textbf{V9} &
\textbf{V12} &
\textbf{V17} \\
\midrule
% V2 V3 V4 V5 V7 V8 V9 V12 V17
1 & \X & \p & \p & \p & & \X & \F{B}\X & \X & \TODO \\
2 & \F{B}\p & \p & & & \p & \p & & \p & \TODO \\
3 & & \X & & \X & & \X & \p & & \TODO \\
4 & \p & & \p & & & \X & \X & \X & \TODO \\
5 & & \p & \p & \p & & \p & \p & \p & \TODO \\
6 & \X & \p & & & & \p & & \X & \TODO \\
7 & \p & \X & & & \TODO & \p & \p & \X & \TODO \\
8 & \p & & \p & & & & & \X & \\
9 & \X & \p & \X & & & & \p & & \TODO \\
10 & & \X & \p & \X & & \X & \p & & \TODO \\
11 & & \p & & \p & & & \p & & \TODO \\
12 & \X & \X & \X & \p & & & & & \\
13 & \X & \X & \F{A}\X & \p & & \X & & & \\
14 & & & \X & \p & & & & & \\
15 & & & \X & \X & & & & & \\
16 & \X & & \X & \p & & & & & \\
17 & \p & & & \p & & & & & \\
18 & \X & & & \X & & & & & \\
19 & \p & & & \X & & & & & \\
20 & \X & & & \p & & & & & \\
21 & \X & & & \p & & & & & \\
22 & \p & & & \X & & & & & \\
23 & & & & \X & & & & & \\
24 & & & & \p & & & & & \\
25 & \X & & & \p & & & & & \\
26 & & & & \p & & & & & \\
27 & \X & & & & & & & & \\
28 & \X & & & & & & & & \\
29 & \X & & & & & & & & \\
30 & & & & & & & & & \\
31 & & & & & & & & & \\
32 & \X & & & & & & & & \\
33 & \p & & & & & & & & \\
\bottomrule
\end{tabular}
\caption{Summary of our results. Fortify's findings are outlined and labelled; see our analysis above.}
\end{table}