X-Git-Url: https://git.martlubbers.net/?a=blobdiff_plain;f=report%2Ffortify.tex;h=b36d01525241a0374985cb37a2544ab573ebf1c7;hb=7b4f3b58aaa2b1f15acaacfb28f5ce20903f7c5e;hp=898597be47370563a94937efbc650c29d28d2813;hpb=41e1696df352f4a6b1e57d2ab53759e35cd4be7a;p=ssproject1617.git diff --git a/report/fortify.tex b/report/fortify.tex index 898597b..b36d015 100644 --- a/report/fortify.tex +++ b/report/fortify.tex 
@@ -22,72 +22,83 @@ The main point that must be observed is that all the above results are quite low \begin{description} \item[V4.9] Verify that the same access control rules implied by the presentation layer are enforced on the server side. \\ (\textit{The \CMS{} failed this requirement in our analysis.}) - \item[V5.17] Verify that the application has defenses against \HTTP{} parameter pollution attacks, particularly if the application framework makes no distinction about the source of request parameters (\GET{}, \POST{}, cookies, headers, environment, etc.. \\ + \item[V5.17] Verify that the application has defenses against \HTTP{} parameter pollution attacks, particularly if the application framework makes no distinction about the source of request parameters (\GET{}, \POST{}, cookies, headers, environment, etc. \\ (\textit{The \CMS{} passed this requirement in our analysis.}) \end{description} For this reason, Fortify was nowhere near able to identifying all the problems we found in the \CMS{}. An overview of our findings, where Fortify's concurrences are outlined explicitly, is given by the table below. -\newcommand{\p}{{\color{lightgray}\pass}} -\newcommand{\X}{\fail} +\newcommand{\p}{\textit{pass}} +\newcommand{\X}{\textbf{FAIL}} \setlength\fboxrule{1pt} \setlength\fboxsep{4pt} + +%\newcommand{\F}[2]{% +% \hspace*{-5pt}% +% \boxed{\textrm{#2}}$^{\,\textrm{\scriptsize(#1)}}$% +% \hspace*{-5pt}% +%}% fortify-found security problem: \F\X + +\newlength{\lofF} \newcommand{\F}[2]{% - \hspace*{-5pt}% - \boxed{\textrm{#2}}$^{\,\textrm{\small(#1)}}$% - \hspace*{-5pt}% + \setlength{\lofF}{\widthof{\;#2\;}} + \hspace*{-2pt}% + \framebox[\lofF]{\phantom{K}}% + \hspace*{-\lofF}% + \;#2\;% + $^{\,\textrm{\scriptsize(#1)}}$% }% fortify-found security problem: \F\X \begin{table}[th!] 
\centering -%\renewcommand{\arraystretch}{1} -\begin{tabular}{@{}llllllllll@{}} +\renewcommand{\arraystretch}{1.2} +\begin{tabular}{@{}p{20pt}p{35pt}p{35pt}p{35pt}p{35pt}p{35pt}p{35pt}p{35pt}p{35pt}p{35pt}@{}} \toprule \# & \textbf{V2} & \textbf{V3} & \textbf{V4} & -\textbf{V5 (6)} & +\textbf{V5/6} & \textbf{V7} & \textbf{V8} & \textbf{V9} & \textbf{V11} \\ \midrule % V2 V3 V4 V5 V7 V8 V9 V11 - 1 & \X & \p & \p & \p & & \X & \F{B}\X & \X \\ - 2 & \F{B}\p & \p & & & \p & \p & & \p \\ - 3 & & \X & & \X & & \X & \p & \\ - 4 & \p & & \p & & & \X & \X & \X \\ - 5 & & \p & \p & \p & & \p & \p & \p \\ - 6 & \X & \p & & & \X & \p & & \X \\ - 7 & \p & \X & & & \p & \p & \p & \X \\ - 8 & \p & & \p & & & & & \X \\ - 9 & \X & \p & \X & & \p & & \p & \\ -10 & & \X & \p & \X & & \X & \p & \\ -11 & & \p & & \p & & & \p & \\ -12 & \X & \X & \X & \p & \X & & & \\ -13 & \X & \X & \F{A}\X & \p & \X & \X & & \\ -14 & & & \X & \p & \p & & & \\ -15 & & & \X & \X & & & & \\ -16 & \X & & \X & \p & & & & \\ -17 & \p & & & \p & & & & \\ -18 & \X & & & \X & & & & \\ -19 & \p & & & \X & & & & \\ -20 & \X & & & \p & & & & \\ -21 & \X & & & \p & & & & \\ -22 & \p & & & \X & & & & \\ -23 & & & & \X & & & & \\ -24 & & & & \p & & & & \\ -25 & \X & & & \p & & & & \\ -26 & & & & \p & & & & \\ -27 & \X & & & & & & & \\ -28 & \X & & & & & & & \\ -29 & \X & & & & & & & \\ -30 & & & & & & & & \\ -31 & & & & & & & & \\ -32 & \X & & & & & & & \\ -33 & \p & & & & & & & \\ + 1 & \X & \p & \p & \p & - & \X & \F{B}\X & \X \\ + 2 & \F{B}\X & \p & - & - & \p & \p & - & \p \\ + 3 & - & \X & - & \X & - & \X & \p & - \\ + 4 & \p & - & \X & - & - & \X & \X & \X \\ + 5 & - & \p & \X & \p & - & \p & \p & \p \\ + 6 & \X & \p & - & - & \X & \p & - & \X \\ + 7 & \p & \X & - & - & \X & \p & \p & \X \\ + 8 & \p & - & \p & - & - & - & - & \X \\ + 9 & \X & - & \X & - & \X & - & \p & - \\ +10 & - & - & \X & \X & - & \X & \X & - \\ +11 & - & \p & - & \p & - & - & \p & - \\ +12 & \X & \X & \X & \p & \X & - & - & - \\ +13 & \X 
& - & \F{A}\X & \p & \X & \X & - & - \\ +14 & - & - & \X & \p & \p & - & - & - \\ +15 & - & - & \X & \X & - & - & - & - \\ +16 & \X & \p & \X & \p & - & - & - & - \\ +17 & \p & \X & - & \p & - & - & - & - \\ +18 & \X & \X & - & \X & - & - & - & - \\ +19 & \p & - & - & \X & - & - & - & - \\ +20 & \X & - & - & \p & - & - & - & - \\ +21 & \X & - & - & \p & - & - & - & - \\ +22 & \p & - & - & \X & - & - & - & - \\ +23 & \X & - & - & \X & - & - & - & - \\ +24 & \p & - & - & \p & - & - & - & - \\ +25 & \X & - & - & \p & - & - & - & - \\ +26 & \p & - & - & \p & - & - & - & - \\ +27 & \X & - & - & - & - & - & - & - \\ +28 & - & - & - & - & - & - & - & - \\ +29 & - & - & - & - & - & - & - & - \\ +30 & - & - & - & - & - & - & - & - \\ +31 & \X & - & - & - & - & - & - & - \\ +32 & \X & - & - & - & - & - & - & - \\ +33 & \p & - & - & - & - & - & - & - \\ \bottomrule \end{tabular} \caption{Summary of our results. Fortify's findings are outlined and labelled, see our analysis above.}
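Review bot: the table rows change a number of verdicts, not just their presentation, and nothing in the hunk explains why: row 2 V2 goes from `\F{B}\p` to `\F{B}\X`, rows 4 and 5 V4 go from `\p` to `\X`, row 9 loses its V3 `\p` and gains a V7 `\X`, rows 10 and 13 drop their V3 `\X`, rows 16 to 18 gain V3 entries, and the V2 column for rows 23 to 33 is shifted so that different requirement numbers now fail (e.g. 28 to 30 become `-` while 31 becomes `\X`). Since the caption presents this as the summary of the results, each flipped cell should be traceable to the corresponding finding in the text, or the data change should be split from the layout change so it can be reviewed on its own. Smaller points in the same hunk: the V5.17 item fixes `etc..` but the parenthesis opened before `\GET{}` is still never closed before the `\\`; in the new `\F` macro the line `\setlength{\lofF}{\widthof{\;#2\;}}` lacks the trailing `%` that the other lines carry, so its end of line is read as a space token; and `\widthof` requires the `calc` package, which must be loaded in the preamble (not shown in this diff).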