8/7/2019 Assignment 1 team 9
1/13
CSE 4392/5388 Assignment 1, Spring 2011
Team 9 [Kathy Foss, Mitali Bakshi, Dengfeng Xia, Vishal Subramani]
Part 1: Done
Part 2: Done
Part 3:
a) Create a Project Summary.
Fig 1: Project Summary For Cleansheets 1 version 1.1
b) Manual Audit:
1) How large is the application?
145 files 19206 lines of code.... 1.51MB on disk
2) What specific technologies are involved?
Java
3) What is the basic design of the application?
It is a spreadsheet application written in Java that uses the Java GUI features.
4) Who are the likely attackers?
Spreadsheet applications are database related and they hold important, sensitive information regarding the company. So the likely attackers could be the users of the application, the network administrators or any other person who can gain, or has gained, access to the spreadsheet.
5) What would an attacker hope to achieve?
The spreadsheet application can provide a user with a list of files on disk which contain sensitive information. Also, if the attacker injects malicious JavaScript into the application files, the attacker can also tamper with the data associated with the application.
6) How are the developers trying to protect the application?
The developers have tried to introduce try/catch blocks to catch most of the exceptions; however, they have left 21 I/O catch blocks empty, which could prove fatal for the system. For example, the developers have left the catch block associated with the spreadsheet formula input empty, and this is where an attacker might inject malicious code as input which the system will not handle.
7) What areas of the application will likely attract the attention of the attacker?
Areas like the empty-stack exceptions and the blank I/O catch blocks will attract the attacker's attention. Since Java is used, an attacker who has the skill to break Java applications will be tempted to use the class exceptions in a malicious way. If the attacker is able to get around the privilege level, he can tamper with the data associated with the application on the given disk.
8) What sort of techniques might an attacker use to subvert the application?
The attacker can get hold of the printed stack trace to leak system information. There are 4 dead-code field exceptions, so the attacker might use these unused fields for malicious purposes. SQL injection could be employed by the attacker to subvert the application.
9) What risks would a successful attack pose to the company?
The company's sensitive information might be leaked, and the customers of the company might lose confidence in the company's privacy policies. The company might lose financially if the spreadsheet is used for financial purposes, and its reputation might suffer as well.
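To make the audit findings concrete, the following is an added example (not code from the CleanSheets project): a formula-input handler in the weak shape the audit describes (swallowed I/O failure, stack trace printed to the console) next to a hardened form. The class, method names and the formula checks are assumed for illustration.

```java
import java.util.logging.Level;
import java.util.logging.Logger;

/** Added example, not CleanSheets code: the catch-block patterns the audit flags. */
public class FormulaInput {
    private static final Logger LOG = Logger.getLogger(FormulaInput.class.getName());
    // Assumed bound: caps the work a single formula string can cause the parser.
    private static final int MAX_FORMULA_LENGTH = 1024;

    /** Thrown when a formula string is rejected before it is evaluated. */
    static class FormulaException extends Exception {
        FormulaException(String msg) { super(msg); }
    }

    /** Assumed minimal checks standing in for a real formula parser:
     *  starts with '=', bounded length, balanced parentheses. */
    static String parseFormula(String input) throws FormulaException {
        if (input == null || !input.startsWith("=")) throw new FormulaException("not a formula");
        if (input.length() > MAX_FORMULA_LENGTH) throw new FormulaException("formula too long");
        int depth = 0;
        for (char c : input.toCharArray()) {
            if (c == '(') depth++;
            if (c == ')' && --depth < 0) throw new FormulaException("unbalanced ')'");
        }
        if (depth != 0) throw new FormulaException("unbalanced '('");
        return input.substring(1);
    }

    /** Weak form (what the audit found): the stack trace is printed, exposing class
     *  names and paths to whoever reads the console, and the caller is never told the
     *  input was rejected, so the cell silently keeps its previous content. */
    static String setFormulaWeak(String current, String input) {
        try {
            return parseFormula(input);
        } catch (FormulaException e) {
            e.printStackTrace(); // System Information Leak sink
            return current;
        }
    }

    /** Hardened form: the failure is logged without a stack trace, the cell is left
     *  unchanged, and the caller receives a generic rejection it must handle. */
    static String setFormulaHardened(String current, String input) {
        try {
            return parseFormula(input);
        } catch (FormulaException e) {
            LOG.log(Level.WARNING, "formula rejected: {0}", e.getMessage());
            throw new IllegalArgumentException("Formula could not be parsed");
        }
    }
}
```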
c) The complete audit report is submitted as a web page named CleanSheets1-audit.
d) 1st Issue: System Information Leak (Semantic)
Fig2. Source code that corresponds to a sink for a system information leak.
Fig 3. The issue summary panel for system information leak
Fig 4. Detailed Description of a System Information Leak Issue.
2nd Issue: Denial of Service
Fig 5. Source code that corresponds to a sink for Denial of Service.
Fig 6. The issue summary panel for Denial of Service
Fig 7. Detailed Description of a Denial of Service
e) Issue: Denial of Service
Fig 8. Bug Report.
Fig 9. Denial of Service Audited and Reviewed.
Fig 10: Blue solid circle annotates Issue audited.
f) Simple regular expression to catch constructor invocation in CleanSheets.java
RULES:
00001
Fortify Software Custom Rulepack
1.0
Custom rulepack for WebGoat
A090AAC1-9CA8-4F40-994D-8C30FC6D4671
Constructor Invocation
Constructor invoked
4.0
default
csheets
CleanSheets
CleanSheets
Results:
Fig 11: After applying the rule, one hot issue named "Constructor invoked" is detected.
g) Rule to remove J2EE Bad Practices: Leftover Debug Code (Encapsulation, Structural)
Rules:
00001
Fortify Software Custom Rulepack
1.0
Custom rulepack for WebGoat
A090AAC1-9CA8-4F40-994D-8C30FC6D4671
Constructor Invocation
Constructor invoked
4.0
default
csheets
CleanSheets
CleanSheets
625EEE1F-464F-42DC-85D6-269A637EF747
csheets
CleanSheets
main
return
Result:
Fig 12: Before applying the Rule
Fig 13: After applying the rule.