
Introduction

The SecurityAnalyzer.log reports the inner behavior of the User Input Security analysis. The AIA must read it in order to find out what happened during each of the phases listed in the table below.

Main steps and checks to perform

The table below lists the main phases of the User Input Security analysis. Each phase is reported in SecurityAnalyzer.log through a number of log records. The success of each step must be controlled in order to ensure correct execution: some types of error do not stop the User Input Security analysis, so a proper examination of the log must take place. Global numbers (number of entrypoints for each flaw, total number of flaws found, etc.) must be controlled too (see the checklist for this control).

1. Phase: Custom blackbox and CASTIL loading

Check to perform and how: Do they all load? Any errors? Search SecurityAnalyzer.log for the text "Validate Validating" and follow the lines after this message for any error. Hard to automate, since there is no success message and the error messages vary.

Significance of checks: An error indicates a corruption in your blackboxing file.

2. Phase: How many and which input methods are considered?

Check to perform and how: Full list ("Inputs:") and number ("flaw sources found"), starting at row ~450. In 8.3.x we have two lines:

INFO CastIL.EntryPointFinder FindInputs Inputs: [cast#lib]Network.read()

and then the full list of input methods (repeated for each of the 20 searches).

In 8.3.x we also have:

WARN CastIL.Blackboxes.BlackboxTranslator InstallMethod A method overrides that existing method:  [cast#lib]Network.read() without the method name

This means a method has been defined as a custom input: it is a positive message (don't worry about the WARN).

Significance of checks: -

2a. Phase: Which input methods are called?

Check to perform and how: This is a matter of "grepping" the entries with a non-zero count, amongst the hundreds of methods (range 350 - 690+) listed under [cast#lib]Network.read(). This can be achieved with the regexp \([0-9]*[1-9][0-9]*\)

Sample output in 8.3.16 - 8.3.23:

Search "([0-9][1-9][0-9])" (157 hits in 1 file)
	Line 1160:  [cast#lib]Network.read() (368)
	Line 1224:  [javax.servlet_3.0.0.jar]javax.servlet.http.HttpServletRequestWrapper.getParameter([ext]java.lang.String) (2)
	Line 1229:  [javax.servlet_3.0.0.jar]javax.servlet.http.HttpServletRequest.getParameter([ext]java.lang.String) (2)
	Line 1237:  [javax.servlet_3.0.0.jar]javax.servlet.ServletRequestWrapper.getParameter([ext]java.lang.String) (2)
	Line 1250:  [javax.servlet_3.0.0.jar]javax.servlet.ServletRequest.getParameter([ext]java.lang.String) (3)
	Line 1267:  [1-javax.jar]javax.servlet.http.HttpServletRequest.getParameter([ext]java.lang.String) (2)
	Line 1268:  [javax.servlet_3.0.0.jar]javax.servlet.ServletRequest.getParameter([ext]java.lang.String) (3)
	Line 1279:  [1-javax.jar]javax.servlet.ServletRequest.getParameter([ext]java.lang.String) (3)

Significance of checks: This denotes the usage of some libraries. Please note that REST APIs exposed through Spring MVC and JAX-RS are not listed here, as they are technically defined as Service Entry points.

3. Phase: Search for flaws

Check to perform and how: How many entrypoints tested, and how many flaws found? How many results thrown out? See 2.1 SecurityAnalyzer.log in the checklist.

Significance of checks: Filtering thanks to the regexps below (releases before 8.3.14 or so) or to the simple '!!!' tag (later releases).

4. Phase: Final summary

Check to perform and how: The total number of entrypoints and the total number of flaws found.

Significance of checks: Filtering thanks to the regexp below.

5. Phase: Runtime

Check to perform and how: A very short time or too long a time may indicate that something went wrong.

Significance of checks: Filtering thanks to the regexp below.

Upside. Phase: Full list of external methods that have neither an implementation nor a definition in the predefined methods

Check to perform and how: Look for

  • WARN  SecurityAnalyzer.BlackboxDynamic BlackboxInputsAndTargets Method without implementation - before 8.3.15 or so.
  • INFO Method without neither implementation nor definition for the current flaw search - for newer AIP releases.

followed by a list of methods (100 to 1000s of rows), repeated for each of the 23 searches.

Significance of checks: Indicates that something is missing in the application architecture discovery, and that there is an opportunity to improve analysis quality.

Upside. Phase: Decision to consider some external methods as input, file path target, database target, etc., thanks to on-the-fly blackboxing

Check to perform and how: Look for

  • INFO  SecurityAnalyzer.BlackboxDynamic BlackboxMethodWithSpecificTarget Blackbox on the fly: [classpath]java.lang.Object.forName(ref [classpath]java.lang.String) with target reflection

Target can be write_session | database | reflection | log | file | ...

Extraction automated thanks to a LINQ script.

Significance of checks: -

-

Automate

The size of the log, as well as the absence of sections, makes manual reading difficult. Using regexps to bring out the main information makes it possible to check the log in one go, or at least makes this task easier. Use Notepad++ or any other regexp-capable editor, and copy-paste the regexps given below.

Tips for checking the SecurityAnalyzer.log file

Manually controlling custom blackbox loading

Regexp for 8.0+ = Adding blackbox|Validating

Use the regexp to locate the portion of the log reporting this info. Then manually read this portion from A to Z (1 to 20 lines in general), to detect any malformed custom blackbox. Typical issues (that usually come from the script used to generate the blackbox.xml file) are:

  • missing namespace 
  • invalid XML document

Solution: edit the custom blackbox file and fix the problem. Then rerun the User Input Security analysis, and check the log again for correct blackbox file loading.
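The two typical issues above can be caught before the analysis is even launched. The following script is an added example (not CAST code): it checks that the custom blackbox file is a well-formed XML document and that its root element declares the expected namespace. The namespace URI and the element names used in the samples are placeholders, because the blackbox schema is not described on this page; take the expected namespace from the CAST documentation for your release.

```python
# Added example (not CAST code): pre-flight check of a custom blackbox file for the
# two typical issues named above, an invalid XML document and a missing namespace.
# EXPECTED_NS and the element names below are placeholders, not CAST's schema.
import xml.etree.ElementTree as ET
from typing import List

EXPECTED_NS = "urn:example:blackbox"   # placeholder: use the namespace CAST documents


def check_blackbox_xml(xml_text: str, expected_ns: str = EXPECTED_NS) -> List[str]:
    """Return the problems found; an empty list means both checks passed."""
    try:
        root = ET.fromstring(xml_text)
    except ET.ParseError as exc:
        # Unclosed tags, bad entities, junk before the prolog: 'invalid XML document'.
        return [f"invalid XML document: {exc}"]
    # ElementTree renders a namespaced tag as '{uri}local'; a bare tag has no '{'.
    if not root.tag.startswith("{"):
        return [f"root element <{root.tag}> declares no namespace"]
    actual_ns = root.tag[1:root.tag.index("}")]
    if actual_ns != expected_ns:
        return [f"root element uses namespace {actual_ns}, expected {expected_ns}"]
    return []


def check_blackbox_file(path: str) -> List[str]:
    """Same check on a file on disk, e.g. a blackbox.xml produced by a generation script."""
    with open(path, "r", encoding="utf-8") as fh:
        return check_blackbox_xml(fh.read())


# Constructed samples; element names are placeholders, not CAST's schema.
GOOD = '<blackbox xmlns="urn:example:blackbox"><method name="demo"/></blackbox>'
NO_NAMESPACE = '<blackbox><method name="demo"/></blackbox>'
WRONG_NAMESPACE = '<blackbox xmlns="urn:other"><method name="demo"/></blackbox>'
MALFORMED = '<blackbox xmlns="urn:example:blackbox"><method name="demo"></blackbox>'

if __name__ == "__main__":
    for label, doc in [("good", GOOD), ("no namespace", NO_NAMESPACE),
                       ("wrong namespace", WRONG_NAMESPACE), ("malformed", MALFORMED)]:
        print(f"{label}: {check_blackbox_xml(doc) or 'OK'}")
```

Run it on the generated file with check_blackbox_file("blackbox.xml") in the script that produces the file, so a malformed blackbox is rejected before the analysis starts rather than discovered afterwards in the log.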

Automate the other phases

Search for flaws, get the number of input methods and the 17|18|20|23 search results + final summary (+ runtime). Select the regexp that matches your AIP version:

Regexp for 8.3.12 - 8.3.18

  1. First: no regexp, just the new '!!!' prefix:
    1. Results = Search "!!!" (40 hits in 1 file)
  2. For more details, two possible regexps:
    1. All 20 searches + the final summary: !!!|Summary
      1. Results = Search "!!!|Summary" (42 hits in 1 file)
    2. All 20 searches + valid input methods + final summary: !!!|Summary|\([1-9]\d*\)
      1. Results = Search "!!!|Summary|\([1-9]\d*\)" (179 hits in 1 file)

Regexp for 8.3.7+

Two regexps:

  1. First one, to assess the results in terms of number of searches started and number of flaws found, for all 20 flaw types: of 20|Tested|Summary 
  2. Second one (new since 8.3.7), in order to get the predefined input methods called (having a count > 0): Process flaw|Found=|\([1-9]\d*\)

Regexp for 8.3.3+

of 20|Tested|Summary

Or, in order to get the runtime of each search: of 20|Tested|Summary|time =

Or, in order to get the flaws found during processing: of 20|Tested|Summary|Flaw found:

Regexp for 8.3.0 - 8.3.2

flaw sources found|of 18|Tested|Summary=|Summary:

Or, in order to avoid the repeated "flaw sources found" lines, just: of 18|Tested|Summary=|Summary:
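Phases 2a to 5 and the two "Upside" rows of the table above, and the regexps of this section, all reduce to a handful of line patterns. The following Python script is an added example (not CAST code, and not the LINQ script mentioned in the table): it runs those patterns in one pass over the log, keeps the per-search results, the input methods with a non-zero call count (first copy only, since the list is repeated for every flaw type), the on-the-fly blackboxing decisions grouped by target, and then applies the checks the table asks for (all searches present, entrypoints tested, runtime within bounds). The sample log is constructed from the line formats quoted on this page; the runtime bounds are assumed values, not CAST's, and the search count is taken from the "N of 20" record itself so the same code serves the 17, 18 and 23-search releases.

```python
# Added example (not CAST code): the checks this page does with Notepad++ regexps, done
# in one pass. Line formats follow the excerpts quoted on the page (8.3.3+ to 8.3.13).
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set

# "Process flaw N of 20 : Name" (8.3.3+) or "!!!Process flaw N of 20: Name" (8.3.12+)
FLAW_START = re.compile(r"Process flaw (\d+) of (\d+)\s*:\s*(.+?)\s*$")
FLAW_RESULT = re.compile(r"Tested=\s*(\d+) entrypoints, Found=\s*(\d+) flaws")
FLAW_TIME = re.compile(r"Total time = ([0-9.]+) seconds")
# Input method with a non-zero call count, e.g. "  [cast#lib]Network.read() (368)";
# the signature itself contains parentheses, so anchor on the trailing " (N)".
INPUT_COUNT = re.compile(r"^\s+(\S.*?) \(([1-9]\d*)\)\s*$")
ON_THE_FLY = re.compile(r"Blackbox on the fly: (.+?) with target (\w+)")


@dataclass
class FlawSearch:
    index: int
    total: int            # the "of 20" part: 17, 18, 20 or 23 depending on the release
    name: str
    tested: Optional[int] = None
    found: Optional[int] = None
    seconds: Optional[float] = None


@dataclass
class LogSummary:
    searches: List[FlawSearch] = field(default_factory=list)
    input_methods: Dict[str, int] = field(default_factory=dict)    # phase 2a
    on_the_fly: Dict[str, Set[str]] = field(default_factory=dict)  # target -> methods


def parse_log(text: str) -> LogSummary:
    summary, current = LogSummary(), None
    for line in text.splitlines():
        if m := FLAW_START.search(line):
            current = FlawSearch(int(m[1]), int(m[2]), m[3])
            summary.searches.append(current)
        elif (m := FLAW_RESULT.search(line)) and current is not None:
            current.tested, current.found = int(m[1]), int(m[2])
        elif (m := FLAW_TIME.search(line)) and current is not None:
            current.seconds = float(m[1])
        elif m := ON_THE_FLY.search(line):
            summary.on_the_fly.setdefault(m[2], set()).add(m[1])
        elif m := INPUT_COUNT.match(line):
            # The list is repeated for every flaw type: keep the first copy only.
            summary.input_methods.setdefault(m[1], int(m[2]))
    return summary


def totals(summary: LogSummary):
    """(entrypoints tested, flaws found, seconds) over all searches: the final summary."""
    tested = sum(s.tested or 0 for s in summary.searches)
    found = sum(s.found or 0 for s in summary.searches)
    seconds = round(sum(s.seconds or 0.0 for s in summary.searches), 3)
    return tested, found, seconds


def check(summary: LogSummary, min_seconds: float = 1.0, max_seconds: float = 3600.0) -> List[str]:
    """Phases 3 to 5 of the table; the runtime bounds are assumed values, not CAST's."""
    searches = summary.searches
    if not searches:
        return ["no 'Process flaw' record found: the flaw search never started"]
    problems = []
    expected = searches[0].total
    if len(searches) != expected:
        problems.append(f"expected {expected} searches, found {len(searches)}")
    for s in searches:
        if s.tested is None:
            problems.append(f"search {s.index} ({s.name}) has no 'Tested=' result line")
    if all(s.tested == 0 for s in searches):
        problems.append("no entrypoint tested in any search: input methods not recognised")
    if not summary.input_methods:
        problems.append("no predefined input method with a non-zero call count")
    seconds = totals(summary)[2]
    if not min_seconds <= seconds <= max_seconds:
        problems.append(f"total runtime {seconds}s outside [{min_seconds}, {max_seconds}] seconds")
    return problems


# Constructed sample log, cut down to three of the twenty searches.
SAMPLE_LOG = """\
2019-06-01 09:35:30,100 INFO  SecurityAnalyzer.BlackboxDynamic BlackboxMethodWithSpecificTarget Blackbox on the fly: [classpath]java.lang.Object.forName(ref [classpath]java.lang.String) with target reflection
  [cast#lib]Network.read() (374)
  [javax.servlet_3.0.0.jar]javax.servlet.http.HttpServletRequest.getParameter([ext]java.lang.String) (144)
  [javax.servlet_3.0.0.jar]javax.servlet.http.HttpServletRequest.getHeader([ext]java.lang.String) (0)
2019-06-01 09:35:36,234 INFO  SecurityAnalyzer.Processor AnalyzeFlawType   !!!Process flaw 1 of 20: Path manipulation
2019-06-01 09:35:58,771 INFO  SecurityAnalyzer.Processor AnalyzeFlawType   !!!Tested= 758 entrypoints, Found= 3 flaws
2019-06-01 09:35:58,800 INFO  SecurityAnalyzer.Processor Process Total time = 22.537 seconds
2019-06-01 09:36:05,355 INFO  SecurityAnalyzer.Processor AnalyzeFlawType   !!!Process flaw 2 of 20: Cross-site scripting (reflected) & Cross-site scripting (persistent)
2019-06-01 09:37:27,269 INFO  SecurityAnalyzer.Processor AnalyzeFlawType   !!!Tested= 1335 entrypoints, Found= 122 flaws
2019-06-01 09:37:27,300 INFO  SecurityAnalyzer.Processor Process Total time = 81.914 seconds
2019-06-01 09:39:54,255 INFO  SecurityAnalyzer.Processor AnalyzeFlawType   !!!Process flaw 5 of 20: Resource injection
2019-06-01 09:39:54,255 INFO  SecurityAnalyzer.Processor AnalyzeFlawType   !!!Tested= 0 entrypoints, Found= 0 flaws
2019-06-01 09:39:54,260 INFO  SecurityAnalyzer.Processor Process Total time = 0.005 seconds
"""

if __name__ == "__main__":
    s = parse_log(SAMPLE_LOG)
    for fs in s.searches:
        print(f"{fs.index:>2}/{fs.total} {fs.name}: tested={fs.tested} found={fs.found} {fs.seconds}s")
    print("totals (tested, found, seconds):", totals(s))
    print("input methods called:", s.input_methods)
    print("on-the-fly blackboxing:", {t: sorted(v) for t, v in s.on_the_fly.items()})
    print("problems:", check(s))
```

On a real log, replace SAMPLE_LOG with the contents of SecurityAnalyzer.log; on the truncated sample the only problem reported is the missing seventeen searches, which is exactly the kind of gap the "of 20" count is there to expose. Searches with "Tested= 0 entrypoints" are normal for flaw types the application does not exercise; the check only raises an alarm when every search tested nothing, which is the symptom of input methods not being recognised (phase 2).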

Sample output AIP 8.3.3+

Sample output of search results
  	Line 232: 2018-05-26 15:59:43,151 INFO  SecurityAnalyzer.Analyzer Run   Process flaw 1 of 20 : Path Manipulation
	Line 527: 2018-05-26 15:59:46,691 INFO  SecurityAnalyzer.Analyzer Run     Tested= 28 entrypoints, Found= 0 flaws
	Line 528: 2018-05-26 15:59:46,740 INFO  SecurityAnalyzer.Processor Process Total time = 3.5918024 seconds
	Line 779: 2018-05-26 15:59:48,309 INFO  SecurityAnalyzer.Analyzer Run   Process flaw 2 of 20 : Cross-site Scripting
	Line 1162: 2018-05-26 15:59:54,108 INFO  SecurityAnalyzer.Analyzer Run     Tested= 72 entrypoints, Found= 0 flaws
	Line 1163: 2018-05-26 15:59:54,120 INFO  SecurityAnalyzer.Processor Process Total time = 5.810844 seconds
	Line 1414: 2018-05-26 15:59:56,113 INFO  SecurityAnalyzer.Analyzer Run   Process flaw 3 of 20 : Request Parameters In Session
	Line 1653: 2018-05-26 15:59:56,745 INFO  SecurityAnalyzer.Analyzer Run     Tested= 0 entrypoints, Found= 0 flaws
	Line 1654: 2018-05-26 15:59:56,746 INFO  SecurityAnalyzer.Processor Process Total time = 0.632455 seconds
	Line 1905: 2018-05-26 15:59:58,192 INFO  SecurityAnalyzer.Analyzer Run   Process flaw 4 of 20 : HTTP Response Splitting
	Line 2144: 2018-05-26 15:59:58,773 INFO  SecurityAnalyzer.Analyzer Run     Tested= 0 entrypoints, Found= 0 flaws
	Line 2145: 2018-05-26 15:59:58,774 INFO  SecurityAnalyzer.Processor Process Total time = 0.5811928 seconds
	Line 2396: 2018-05-26 16:00:00,175 INFO  SecurityAnalyzer.Analyzer Run   Process flaw 5 of 20 : Resource Injection
	Line 2635: 2018-05-26 16:00:00,786 INFO  SecurityAnalyzer.Analyzer Run     Tested= 0 entrypoints, Found= 0 flaws
	Line 2636: 2018-05-26 16:00:00,788 INFO  SecurityAnalyzer.Processor Process Total time = 0.6134368 seconds
	Line 2887: 2018-05-26 16:00:02,210 INFO  SecurityAnalyzer.Analyzer Run   Process flaw 6 of 20 : Resource URL Manipulation
	Line 3126: 2018-05-26 16:00:02,813 INFO  SecurityAnalyzer.Analyzer Run     Tested= 0 entrypoints, Found= 0 flaws
	Line 3127: 2018-05-26 16:00:02,813 INFO  SecurityAnalyzer.Processor Process Total time = 0.6024462 seconds
	Line 3377: 2018-05-26 16:00:04,238 INFO  SecurityAnalyzer.Analyzer Run   Process flaw 7 of 20 : SQL Injection
	Line 3749: 2018-05-26 16:00:09,851 INFO  SecurityAnalyzer.Analyzer Run     Tested= 63 entrypoints, Found= 15 flaws
	Line 3750: 2018-05-26 16:00:09,852 INFO  SecurityAnalyzer.Processor Process Total time = 5.614087 seconds
	Line 4001: 2018-05-26 16:00:12,457 INFO  SecurityAnalyzer.Analyzer Run   Process flaw 8 of 20 : LDAP Injection
	Line 4240: 2018-05-26 16:00:13,134 INFO  SecurityAnalyzer.Analyzer Run     Tested= 0 entrypoints, Found= 0 flaws
	Line 4241: 2018-05-26 16:00:13,135 INFO  SecurityAnalyzer.Processor Process Total time = 0.6781297 seconds
	Line 4492: 2018-05-26 16:00:15,238 INFO  SecurityAnalyzer.Analyzer Run   Process flaw 9 of 20 : LDAP Attribute Injection
	Line 4731: 2018-05-26 16:00:15,867 INFO  SecurityAnalyzer.Analyzer Run     Tested= 0 entrypoints, Found= 0 flaws
	Line 4732: 2018-05-26 16:00:15,867 INFO  SecurityAnalyzer.Processor Process Total time = 0.6296329 seconds
	Line 4983: 2018-05-26 16:00:17,417 INFO  SecurityAnalyzer.Analyzer Run   Process flaw 10 of 20 : OS Command Injection
	Line 5222: 2018-05-26 16:00:17,911 INFO  SecurityAnalyzer.Analyzer Run     Tested= 0 entrypoints, Found= 0 flaws
	Line 5223: 2018-05-26 16:00:17,912 INFO  SecurityAnalyzer.Processor Process Total time = 0.4947088 seconds
	Line 5450: 2018-05-26 16:00:19,285 INFO  SecurityAnalyzer.Analyzer Run   Process flaw 11 of 20 : Process Control
	Line 5713: 2018-05-26 16:00:19,903 INFO  SecurityAnalyzer.Analyzer Run     Tested= 0 entrypoints, Found= 0 flaws
	Line 5714: 2018-05-26 16:00:19,904 INFO  SecurityAnalyzer.Processor Process Total time = 0.6186758 seconds
	Line 5941: 2018-05-26 16:00:22,373 INFO  SecurityAnalyzer.Analyzer Run   Process flaw 12 of 20 : Denial of Service Threat
	Line 6194: 2018-05-26 16:00:22,914 INFO  SecurityAnalyzer.Analyzer Run     Tested= 0 entrypoints, Found= 0 flaws
	Line 6204: 2018-05-26 16:00:22,914 INFO  SecurityAnalyzer.Processor Process Total time = 0.5403845 seconds
	Line 6432: 2018-05-26 16:00:25,332 INFO  SecurityAnalyzer.Analyzer Run   Process flaw 13 of 20 : Code Injection
	Line 6671: 2018-05-26 16:00:25,945 INFO  SecurityAnalyzer.Analyzer Run     Tested= 0 entrypoints, Found= 0 flaws
	Line 6672: 2018-05-26 16:00:25,946 INFO  SecurityAnalyzer.Processor Process Total time = 0.6132865 seconds
	Line 6947: 2018-05-26 16:00:27,309 INFO  SecurityAnalyzer.Analyzer Run   Process flaw 14 of 20 : Reflection Injection
	Line 7186: 2018-05-26 16:00:27,996 INFO  SecurityAnalyzer.Analyzer Run     Tested= 0 entrypoints, Found= 0 flaws
	Line 7187: 2018-05-26 16:00:27,997 INFO  SecurityAnalyzer.Processor Process Total time = 0.6871416 seconds
	Line 7414: 2018-05-26 16:00:29,367 INFO  SecurityAnalyzer.Analyzer Run   Process flaw 15 of 20 : XPath Injection
	Line 7681: 2018-05-26 16:00:30,095 INFO  SecurityAnalyzer.Analyzer Run     Tested= 2 entrypoints, Found= 0 flaws
	Line 7682: 2018-05-26 16:00:30,098 INFO  SecurityAnalyzer.Processor Process Total time = 0.7317596 seconds
	Line 7909: 2018-05-26 16:00:32,429 INFO  SecurityAnalyzer.Analyzer Run   Process flaw 16 of 20 : Log Forging
	Line 8172: 2018-05-26 16:00:33,130 INFO  SecurityAnalyzer.Analyzer Run     Tested= 0 entrypoints, Found= 0 flaws
	Line 8173: 2018-05-26 16:00:33,131 INFO  SecurityAnalyzer.Processor Process Total time = 0.7014961 seconds
	Line 8400: 2018-05-26 16:00:35,401 INFO  SecurityAnalyzer.Analyzer Run   Process flaw 17 of 20 : Uncontrolled Format String
	Line 8694: 2018-05-26 16:00:39,331 INFO  SecurityAnalyzer.Analyzer Run     Tested= 15 entrypoints, Found= 1 flaws
	Line 8695: 2018-05-26 16:00:39,338 INFO  SecurityAnalyzer.Processor Process Total time = 3.9366972 seconds
	Line 8922: 2018-05-26 16:00:41,494 INFO  SecurityAnalyzer.Analyzer Run   Process flaw 18 of 20 : Hard-coded Credentials
	Line 8932: 2018-05-26 16:00:41,522 INFO  SecurityAnalyzer.Analyzer Run     Tested= 0 entrypoints, Found= 0 flaws
	Line 8933: 2018-05-26 16:00:41,522 INFO  SecurityAnalyzer.Processor Process Total time = 0.0280247 seconds
	Line 9184: 2018-05-26 16:00:43,549 INFO  SecurityAnalyzer.Analyzer Run   Process flaw 19 of 20 : Use of Insufficiently Random Values
	Line 9190: 2018-05-26 16:00:43,911 INFO  SecurityAnalyzer.Analyzer Run     Tested= 104 entrypoints, Found= 0 flaws
	Line 9191: 2018-05-26 16:00:43,913 INFO  SecurityAnalyzer.Processor Process Total time = 0.363257 seconds
	Line 9466: 2018-05-26 16:00:46,037 INFO  SecurityAnalyzer.Analyzer Run   Process flaw 20 of 20 : Secured cookie
	Line 9467: 2018-05-26 16:00:46,137 INFO  SecurityAnalyzer.Analyzer Run     Tested= 0 entrypoints, Found= 0 flaws
	Line 9468: 2018-05-26 16:00:46,137 INFO  SecurityAnalyzer.Processor Process Total time = 0.1000247 seconds

Sample output AIP 8.3.7+ (first part of result for the second regexp)

Sample output of search results
  Search "Process flaw|Found=|\([1-9]\d*\)" (516 hits in 1 file)
  C:\CASTMS\LISA\b44706a102a14a0a92aa88ac35501983\Scr4c2ba846fe34426aba482a3cb6ad2124\SecurityAnalyzer.log (516 hits)
	Line 2848:  [cast#lib]Network.read() (341)
	Line 2915:  [javax.servlet_3.0.0.jar]javax.servlet.http.HttpServletRequestWrapper.getParameterMap() (2)
	Line 2916:  [javax.servlet_3.0.0.jar]javax.servlet.http.HttpServletRequestWrapper.getParameterValues([ext]java.lang.String) (4)
	Line 2918:  [javax.servlet_3.0.0.jar]javax.servlet.http.HttpServletRequestWrapper.getParameter([ext]java.lang.String) (144)
	Line 2920:  [sm-core_b5104ed7]com.salesmanager.core.util.www.integration.fb.FacebookIntegrationFactory.getFacebookUser(ref [javax.servlet-api-3.1.0]javax.servlet.http.HttpServletRequest,ref [sm-core_b5104ed7]com.salesmanager.core.entity.reference.Page) (1)
	Line 2921:  [sm-core_b5104ed7]com.salesmanager.core.module.impl.application.files.LocalFileImpl.getFileInputStream(ref [javax.servlet-api-3.1.0]javax.servlet.http.HttpServletRequest) (1)
	Line 2922:  [sm-central_9fda809a]com.salesmanager.central.orders.OrderListAction.getOrdersList() (2)
	Line 2923:  [javax.servlet_3.0.0.jar]javax.servlet.http.HttpServletRequest.getParameterMap() (2)
	Line 2924:  [javax.servlet_3.0.0.jar]javax.servlet.http.HttpServletRequest.getParameterValues([ext]java.lang.String) (4)
	Line 2926:  [javax.servlet_3.0.0.jar]javax.servlet.http.HttpServletRequest.getParameter([ext]java.lang.String) (144)
	Line 2931:  [javax.servlet_3.0.0.jar]javax.servlet.ServletRequestWrapper.getParameterMap() (2)
	Line 2932:  [javax.servlet_3.0.0.jar]javax.servlet.ServletRequestWrapper.getParameterValues([ext]java.lang.String) (4)
	Line 2934:  [javax.servlet_3.0.0.jar]javax.servlet.ServletRequestWrapper.getParameter([ext]java.lang.String) (144)
	Line 2939:  [javax.servlet_3.0.0.jar]javax.servlet.http.Cookie.getValue() (9)
	Line 2944:  [javax.servlet_3.0.0.jar]javax.servlet.ServletRequest.getParameterMap() (3)
	Line 2945:  [javax.servlet_3.0.0.jar]javax.servlet.ServletRequest.getParameterValues([ext]java.lang.String) (6)
	Line 2947:  [javax.servlet_3.0.0.jar]javax.servlet.ServletRequest.getParameter([ext]java.lang.String) (216)
	Line 2949:  [1-javax.jar]javax.servlet.ServletRequest.getParameterMap() (3)
	Line 2958:  [1-javax.jar]javax.servlet.http.HttpServletRequest.getParameterMap() (2)
	Line 2959:  [javax.servlet_3.0.0.jar]javax.servlet.ServletRequest.getParameterMap() (3)
	Line 2960:  [1-javax.jar]javax.servlet.http.HttpServletRequest.getParameterValues([ext]java.lang.String) (4)
	Line 2961:  [javax.servlet_3.0.0.jar]javax.servlet.ServletRequest.getParameterValues([ext]java.lang.String) (6)
	Line 2964:  [1-javax.jar]javax.servlet.http.HttpServletRequest.getParameter([ext]java.lang.String) (144)
	Line 2965:  [javax.servlet_3.0.0.jar]javax.servlet.ServletRequest.getParameter([ext]java.lang.String) (216)
	Line 2970:  [javax.servlet_3.0.0.jar]javax.servlet.http.Cookie.getValue() (9)
	Line 2974:  [1-javax.jar]javax.servlet.ServletRequest.getParameterValues([ext]java.lang.String) (6)
	Line 2976:  [1-javax.jar]javax.servlet.ServletRequest.getParameter([ext]java.lang.String) (216)
	Line 2981:  [1-javax.jar]javax.servlet.http.Cookie.getValue() (9)
	Line 3196: 2018-11-14 00:13:26,241 INFO  SecurityAnalyzer.Processor+<>c__DisplayClassf <Process>b__8   Process flaw 1 of 20 : Path Manipulation
	Line 3822: 2018-11-14 00:14:21,578 INFO  SecurityAnalyzer.Processor+<>c__DisplayClassf <Process>b__8     Tested= 617 entrypoints, Found= 8 flaws
....
(list of input methods is repeated for each flaw type)

Sample output AIP 8.3.13 (first part of result for the second regexp)

The 20 searches and their results
Search "!!!" (40 hits in 1 file)
  C:\CASTMS\Log8313\Shopi_8313\Take_a_snapshot_of_205\SecurityAnalyzer-20190601-093440.log (40 hits)
	Line 3569: 2019-06-01 09:35:36,234 INFO  SecurityAnalyzer.Processor AnalyzeFlawType   !!!Process flaw 1 of 20: Path manipulation
	Line 4328: 2019-06-01 09:35:58,771 INFO  SecurityAnalyzer.Processor AnalyzeFlawType   !!!Tested= 758 entrypoints, Found= 3 flaws
	Line 7416: 2019-06-01 09:36:05,355 INFO  SecurityAnalyzer.Processor AnalyzeFlawType   !!!Process flaw 2 of 20: Cross-site scripting (reflected) & Cross-site scripting (persistent)
	Line 8752: 2019-06-01 09:37:27,269 INFO  SecurityAnalyzer.Processor AnalyzeFlawType   !!!Tested= 1335 entrypoints, Found= 122 flaws
	Line 11765: 2019-06-01 09:37:34,027 INFO  SecurityAnalyzer.Processor AnalyzeFlawType   !!!Process flaw 3 of 20: Request parameters in session
	Line 12618: 2019-06-01 09:39:39,776 INFO  SecurityAnalyzer.Processor AnalyzeFlawType   !!!Tested= 828 entrypoints, Found= 348 flaws
	Line 15625: 2019-06-01 09:39:47,459 INFO  SecurityAnalyzer.Processor AnalyzeFlawType   !!!Process flaw 4 of 20: HTTP response splitting
	Line 15758: 2019-06-01 09:39:47,522 INFO  SecurityAnalyzer.Processor AnalyzeFlawType   !!!Tested= 132 entrypoints, Found= 0 flaws
	Line 18765: 2019-06-01 09:39:54,255 INFO  SecurityAnalyzer.Processor AnalyzeFlawType   !!!Process flaw 5 of 20: Resource injection
	Line 18766: 2019-06-01 09:39:54,255 INFO  SecurityAnalyzer.Processor AnalyzeFlawType   !!!Tested= 0 entrypoints, Found= 0 flaws
	Line 21845: 2019-06-01 09:40:02,320 INFO  SecurityAnalyzer.Processor AnalyzeFlawType   !!!Process flaw 6 of 20: Resource URL manipulation
	Line 21846: 2019-06-01 09:40:02,321 INFO  SecurityAnalyzer.Processor AnalyzeFlawType   !!!Tested= 0 entrypoints, Found= 0 flaws
	Line 24949: 2019-06-01 09:40:09,283 INFO  SecurityAnalyzer.Processor AnalyzeFlawType   !!!Process flaw 7 of 20: SQL injection & Second order SQL injection
	Line 25153: 2019-06-01 09:40:11,302 INFO  SecurityAnalyzer.Processor AnalyzeFlawType   !!!Tested= 179 entrypoints, Found= 0 flaws
	Line 28184: 2019-06-01 09:40:19,831 INFO  SecurityAnalyzer.Processor AnalyzeFlawType   !!!Process flaw 8 of 20: LDAP injection
	Line 28185: 2019-06-01 09:40:19,831 INFO  SecurityAnalyzer.Processor AnalyzeFlawType   !!!Tested= 0 entrypoints, Found= 0 flaws
	Line 31192: 2019-06-01 09:40:25,939 INFO  SecurityAnalyzer.Processor AnalyzeFlawType   !!!Process flaw 9 of 20: LDAP attribute injection
	Line 31193: 2019-06-01 09:40:25,939 INFO  SecurityAnalyzer.Processor AnalyzeFlawType   !!!Tested= 0 entrypoints, Found= 0 flaws
	Line 34248: 2019-06-01 09:40:31,850 INFO  SecurityAnalyzer.Processor AnalyzeFlawType   !!!Process flaw 10 of 20: OS command injection
	Line 34249: 2019-06-01 09:40:31,850 INFO  SecurityAnalyzer.Processor AnalyzeFlawType   !!!Tested= 0 entrypoints, Found= 0 flaws
	Line 37256: 2019-06-01 09:40:36,787 INFO  SecurityAnalyzer.Processor AnalyzeFlawType   !!!Process flaw 11 of 20: Process control
	Line 37257: 2019-06-01 09:40:36,787 INFO  SecurityAnalyzer.Processor AnalyzeFlawType   !!!Tested= 0 entrypoints, Found= 0 flaws
	Line 40264: 2019-06-01 09:40:41,866 INFO  SecurityAnalyzer.Processor AnalyzeFlawType   !!!Process flaw 12 of 20: Denial of service threat
	Line 40267: 2019-06-01 09:40:42,116 INFO  SecurityAnalyzer.Processor AnalyzeFlawType   !!!Tested= 2 entrypoints, Found= 0 flaws
	Line 43274: 2019-06-01 09:40:47,775 INFO  SecurityAnalyzer.Processor AnalyzeFlawType   !!!Process flaw 13 of 20: Code injection
	Line 43275: 2019-06-01 09:40:47,776 INFO  SecurityAnalyzer.Processor AnalyzeFlawType   !!!Tested= 0 entrypoints, Found= 0 flaws
	Line 46380: 2019-06-01 09:40:53,955 INFO  SecurityAnalyzer.Processor AnalyzeFlawType   !!!Process flaw 14 of 20: Reflection injection
	Line 46393: 2019-06-01 09:40:56,452 INFO  SecurityAnalyzer.Processor AnalyzeFlawType   !!!Tested= 12 entrypoints, Found= 1 flaws
	Line 49400: 2019-06-01 09:41:01,856 INFO  SecurityAnalyzer.Processor AnalyzeFlawType   !!!Process flaw 15 of 20: XPath injection
	Line 49401: 2019-06-01 09:41:01,857 INFO  SecurityAnalyzer.Processor AnalyzeFlawType   !!!Tested= 0 entrypoints, Found= 0 flaws
	Line 52408: 2019-06-01 09:41:08,767 INFO  SecurityAnalyzer.Processor AnalyzeFlawType   !!!Process flaw 16 of 20: Log forging
	Line 53966: 2019-06-01 09:43:05,014 INFO  SecurityAnalyzer.Processor AnalyzeFlawType   !!!Tested= 1509 entrypoints, Found= 22 flaws
	Line 56974: 2019-06-01 09:43:12,393 INFO  SecurityAnalyzer.Processor AnalyzeFlawType   !!!Process flaw 17 of 20: Uncontrolled format string
	Line 56995: 2019-06-01 09:43:16,628 INFO  SecurityAnalyzer.Processor AnalyzeFlawType   !!!Tested= 20 entrypoints, Found= 8 flaws
	Line 59721: 2019-06-01 09:43:23,127 INFO  SecurityAnalyzer.Processor AnalyzeFlawType   !!!Process flaw 18 of 20: Hard-coded credentials
	Line 59722: 2019-06-01 09:43:23,129 INFO  SecurityAnalyzer.Processor AnalyzeFlawType   !!!Tested= 0 entrypoints, Found= 0 flaws
	Line 62396: 2019-06-01 09:43:33,012 INFO  SecurityAnalyzer.Processor AnalyzeFlawType   !!!Process flaw 19 of 20: Use of insufficiently random values
	Line 62397: 2019-06-01 09:43:33,015 INFO  SecurityAnalyzer.Processor AnalyzeFlawType   !!!Tested= 3751 entrypoints, Found= 0 flaws
	Line 65067: 2019-06-01 09:43:39,029 INFO  SecurityAnalyzer.Processor AnalyzeFlawType   !!!Process flaw 20 of 20: Secured cookie
	Line 65072: 2019-06-01 09:43:39,068 INFO  SecurityAnalyzer.Processor AnalyzeFlawType   !!!Tested= 4 entrypoints, Found= 7 flaws
Sample output for Number of calls of input methods
Search "\([1-9]\d*\)" (1110 hits in 1 file)
  C:\CASTMS\Log8313\Shopi_8313\Take_a_snapshot_of_205\SecurityAnalyzer-20190601-093440.log (1110 hits)
	Line 3145:  [cast#lib]Network.read() (374)
	Line 3212:  [javax.servlet_3.0.0.jar]javax.servlet.http.HttpServletRequestWrapper.getParameterMap() (2)
	Line 3213:  [javax.servlet_3.0.0.jar]javax.servlet.http.HttpServletRequestWrapper.getParameterValues([ext]java.lang.String) (4)
	Line 3215:  [javax.servlet_3.0.0.jar]javax.servlet.http.HttpServletRequestWrapper.getParameter([ext]java.lang.String) (144)
	Line 3217:  [sm-core_16ab3c85]com.salesmanager.core.util.www.integration.fb.FacebookIntegrationFactory.getFacebookUser(ref [javax.servlet-api-3.1.0]javax.servlet.http.HttpServletRequest,ref [sm-core_16ab3c85]com.salesmanager.core.entity.reference.Page) (1)
	Line 3218:  [sm-core_16ab3c85]com.salesmanager.core.module.impl.application.files.LocalFileImpl.getFileInputStream(ref [javax.servlet-api-3.1.0]javax.servlet.http.HttpServletRequest) (1)
	Line 3219:  [sm-central_b1580b97]com.salesmanager.central.orders.OrderListAction.getOrdersList() (2)
	Line 3220:  [javax.servlet_3.0.0.jar]javax.servlet.http.HttpServletRequest.getParameterMap() (2)
	Line 3221:  [javax.servlet_3.0.0.jar]javax.servlet.http.HttpServletRequest.getParameterValues([ext]java.lang.String) (4)
	Line 3223:  [javax.servlet_3.0.0.jar]javax.servlet.http.HttpServletRequest.getParameter([ext]java.lang.String) (144)
	Line 3228:  [javax.servlet_3.0.0.jar]javax.servlet.ServletRequestWrapper.getParameterMap() (2)
	Line 3229:  [javax.servlet_3.0.0.jar]javax.servlet.ServletRequestWrapper.getParameterValues([ext]java.lang.String) (4)
	Line 3231:  [javax.servlet_3.0.0.jar]javax.servlet.ServletRequestWrapper.getParameter([ext]java.lang.String) (144)
	Line 3236:  [javax.servlet_3.0.0.jar]javax.servlet.http.Cookie.getValue() (9)
	Line 3241:  [javax.servlet_3.0.0.jar]javax.servlet.ServletRequest.getParameterMap() (3)
	Line 3242:  [javax.servlet_3.0.0.jar]javax.servlet.ServletRequest.getParameterValues([ext]java.lang.String) (6)
	Line 3244:  [javax.servlet_3.0.0.jar]javax.servlet.ServletRequest.getParameter([ext]java.lang.String) (216)
	Line 3246:  [1-javax.jar]javax.servlet.ServletRequest.getParameterMap() (3)
	Line 3255:  [1-javax.jar]javax.servlet.http.HttpServletRequest.getParameterMap() (2)
	Line 3256:  [javax.servlet_3.0.0.jar]javax.servlet.ServletRequest.getParameterMap() (3)
	Line 3257:  [1-javax.jar]javax.servlet.http.HttpServletRequest.getParameterValues([ext]java.lang.String) (4)
	Line 3258:  [javax.servlet_3.0.0.jar]javax.servlet.ServletRequest.getParameterValues([ext]java.lang.String) (6)
	Line 3261:  [1-javax.jar]javax.servlet.http.HttpServletRequest.getParameter([ext]java.lang.String) (144)
	Line 3262:  [javax.servlet_3.0.0.jar]javax.servlet.ServletRequest.getParameter([ext]java.lang.String) (216)
	Line 3267:  [javax.servlet_3.0.0.jar]javax.servlet.http.Cookie.getValue() (9)
	Line 3271:  [1-javax.jar]javax.servlet.ServletRequest.getParameterValues([ext]java.lang.String) (6)
	Line 3273:  [1-javax.jar]javax.servlet.ServletRequest.getParameter([ext]java.lang.String) (216)
	Line 3278:  [1-javax.jar]javax.servlet.http.Cookie.getValue() (9)
	Line 3505:  [Shopizer_iter#1.jar]com.opensymphony.xwork2.TextProvider.getText([rt.jar]java.lang.String,[rt.jar]java.util.List) (1)
	Line 3506:  [classpath]com.salesmanager.core.util.StrutsLabelUtil.getText(ref [ee.minimum-1.2.1]java.util.Locale,ref [ee.minimum-1.2.1]java.lang.String,ref [ee.minimum-1.2.1]java.lang.Object) (1)
	Line 3507:  [sm-core_16ab3c85]com.salesmanager.core.util.LabelUtil.getText(ref [ee.minimum-1.2.1]java.util.Locale,ref [ee.minimum-1.2.1]java.lang.String,ref [ee.minimum-1.2.1]java.lang.Object) (10)
	Line 3508:  [sm-core_16ab3c85]com.salesmanager.core.service.shipping.ShippingService.getShippingQuote(ref [classpath]java.util.Collection,ref [sm-core_16ab3c85]com.salesmanager.core.entity.customer.Customer,[rt.jar]int,ref [ee.minimum-1.2.1]java.util.Locale,ref [ee.minimum-1.2.1]java.lang.String) (3)
	Line 3510:  [Shopizer_iter#1.jar]com.opensymphony.xwork2.TextProvider.getText([rt.jar]java.lang.String,[]java.lang.String[]) (1)
	Line 3511:  [classpath]com.salesmanager.core.util.StrutsLabelUtil.getText(ref [ee.minimum-1.2.1]java.util.Locale,ref [ee.minimum-1.2.1]java.lang.String,ref [ee.minimum-1.2.1]java.lang.String) (1)
	Line 3512:  [sm-core_16ab3c85]com.salesmanager.core.util.LabelUtil.getText(ref [ee.minimum-1.2.1]java.lang.String,ref [ee.minimum-1.2.1]java.lang.String,ref [ee.minimum-1.2.1]java.lang.String) (4)
	Line 3513:  [Shopizer_iter#1.jar]com.opensymphony.xwork2.TextProvider.getText([rt.jar]java.lang.String) (1)
	Line 3514:  [classpath]com.salesmanager.core.util.StrutsLabelUtil.getText(ref [ee.minimum-1.2.1]java.util.Locale,ref [ee.minimum-1.2.1]java.lang.String) (4)
	Line 3515:  [sm-core_16ab3c85]com.salesmanager.core.util.LabelUtil.getText(ref [ee.minimum-1.2.1]java.lang.String,ref [ee.minimum-1.2.1]java.lang.String) (78)
	Line 3516:  [sm-core_16ab3c85]com.salesmanager.core.util.LabelUtil.getText(ref [ee.minimum-1.2.1]java.util.Locale,ref [ee.minimum-1.2.1]java.lang.String) (161)
	Line 3517:  [sm-core_16ab3c85]com.salesmanager.core.util.OrderUtil.getOrderTotals([rt.jar]long,ref [sm-core_16ab3c85]com.salesmanager.core.entity.orders.OrderTotalSummary,ref [ee.minimum-1.2.1]java.lang.String,ref [ee.minimum-1.2.1]java.util.Locale) (6)
	Line 3518:  [sm-core_16ab3c85]com.salesmanager.core.module.impl.integration.shipping.USPSQuotesImpl.getShippingMethodDescription(ref [ee.minimum-1.2.1]java.util.Locale) (2)
	Line 3519:  [sm-core_16ab3c85]com.salesmanager.core.module.impl.integration.shipping.USPSQuotesImpl.getShippingQuote(ref [sm-core_16ab3c85]com.salesmanager.core.service.merchant.ConfigurationResponse,ref [ee.minimum-1.2.1]java.math.BigDecimal,ref [classpath]java.util.Collection,ref [sm-core_16ab3c85]com.salesmanager.core.entity.customer.Customer,ref [sm-core_16ab3c85]com.salesmanager.core.entity.merchant.MerchantStore,ref [ee.minimum-1.2.1]java.util.Locale) (1)
	Line 3520:  [sm-core_16ab3c85]com.salesmanager.core.module.impl.integration.shipping.UPSQuotesImpl.getShippingQuote(ref [sm-core_16ab3c85]com.salesmanager.core.service.merchant.ConfigurationResponse,ref [ee.minimum-1.2.1]java.math.BigDecimal,ref [classpath]java.util.Collection,ref [sm-core_16ab3c85]com.salesmanager.core.entity.customer.Customer,ref [sm-core_16ab3c85]com.salesmanager.core.entity.merchant.MerchantStore,ref [ee.minimum-1.2.1]java.util.Locale) (1)
	Line 3521:  [sm-core_16ab3c85]com.salesmanager.core.module.impl.integration.shipping.UPSQuotesImpl.getShippingMethodDescription(ref [ee.minimum-1.2.1]java.util.Locale) (2)
	Line 3522:  [sm-core_16ab3c85]com.salesmanager.core.module.impl.integration.shipping.FedexQuotesImpl.getShippingQuote(ref [sm-core_16ab3c85]com.salesmanager.core.service.merchant.ConfigurationResponse,ref [ee.minimum-1.2.1]java.math.BigDecimal,ref [classpath]java.util.Collection,ref [sm-core_16ab3c85]com.salesmanager.core.entity.customer.Customer,ref [sm-core_16ab3c85]com.salesmanager.core.entity.merchant.MerchantStore,ref [ee.minimum-1.2.1]java.util.Locale) (1)
	Line 3523:  [sm-core_16ab3c85]com.salesmanager.core.module.impl.integration.shipping.FedexQuotesImpl.getShippingMethodDescription(ref [ee.minimum-1.2.1]java.util.Locale) (1)
	Line 3524:  [sm-core_16ab3c85]com.salesmanager.core.module.impl.integration.shipping.FedexGroundQuotesImpl.getShippingQuote(ref [sm-core_16ab3c85]com.salesmanager.core.service.merchant.ConfigurationResponse,ref [ee.minimum-1.2.1]java.math.BigDecimal,ref [classpath]java.util.Collection,ref [sm-core_16ab3c85]com.salesmanager.core.entity.customer.Customer,ref [sm-core_16ab3c85]com.salesmanager.core.entity.merchant.MerchantStore,ref [ee.minimum-1.2.1]java.util.Locale) (1)
	Line 3525:  [sm-core_16ab3c85]com.salesmanager.core.module.impl.integration.shipping.FedexGroundQuotesImpl.getShippingMethodDescription(ref [ee.minimum-1.2.1]java.util.Locale) (1)
	Line 3526:  [sm-core_16ab3c85]com.salesmanager.core.module.impl.integration.shipping.FedexExpressQuotesImpl.getShippingQuote(ref [sm-core_16ab3c85]com.salesmanager.core.service.merchant.ConfigurationResponse,ref [ee.minimum-1.2.1]java.math.BigDecimal,ref [classpath]java.util.Collection,ref [sm-core_16ab3c85]com.salesmanager.core.entity.customer.Customer,ref [sm-core_16ab3c85]com.salesmanager.core.entity.merchant.MerchantStore,ref [ee.minimum-1.2.1]java.util.Locale) (1)
	Line 3527:  [sm-core_16ab3c85]com.salesmanager.core.module.impl.integration.shipping.FedexExpressQuotesImpl.getShippingMethodDescription(ref [ee.minimum-1.2.1]java.util.Locale) (1)
	Line 3528:  [sm-core_16ab3c85]com.salesmanager.core.module.impl.integration.shipping.CanadaPostQuotesImpl.getShippingMethodDescription(ref [ee.minimum-1.2.1]java.util.Locale) (2)
	Line 3529:  [sm-core_16ab3c85]com.salesmanager.core.module.impl.integration.shipping.CanadaPostQuotesImpl.getShippingQuote(ref [sm-core_16ab3c85]com.salesmanager.core.service.merchant.ConfigurationResponse,ref [ee.minimum-1.2.1]java.math.BigDecimal,ref [classpath]java.util.Collection,ref [sm-core_16ab3c85]com.salesmanager.core.entity.customer.Customer,ref [sm-core_16ab3c85]com.salesmanager.core.entity.merchant.MerchantStore,ref [ee.minimum-1.2.1]java.util.Locale) (1)
	Line 3531:  [sm-core_16ab3c85]com.salesmanager.core.module.impl.application.prices.OneTimePriceModule.getHtmlPriceFormated(ref [ee.minimum-1.2.1]java.lang.String,ref [sm-core_16ab3c85]com.salesmanager.core.entity.catalog.ProductPrice,ref [ee.minimum-1.2.1]java.util.Locale,ref [ee.minimum-1.2.1]java.lang.String) (1)
	Line 3533:  [sm-core_16ab3c85]com.salesmanager.core.module.impl.application.prices.MonthlyPriceModule.getPriceSuffixText(ref [ee.minimum-1.2.1]java.lang.String,ref [ee.minimum-1.2.1]java.util.Locale) (5)
	Line 3534:  [sm-core_16ab3c85]com.salesmanager.core.entity.catalog.ProductPrice.getPriceSuffix() (2)
	Line 3535:  [sm-core_16ab3c85]com.salesmanager.core.module.impl.application.prices.MonthlyPriceModule.getHtmlPriceFormated(ref [ee.minimum-1.2.1]java.lang.String,ref [sm-core_16ab3c85]com.salesmanager.core.entity.catalog.ProductPrice,ref [ee.minimum-1.2.1]java.util.Locale,ref [ee.minimum-1.2.1]java.lang.String) (1)
	Line 3540:  [sm-core_16ab3c85]com.salesmanager.core.entity.reference.CentralMeasureUnits.getDescription() (2)
	Line 3541:  [sm-core_16ab3c85]com.salesmanager.core.entity.payment.CreditCard.getCreditCardName() (3)
	Line 3542:  [sm-core_16ab3c85]com.salesmanager.core.entity.catalog.ProductPrice.getDescription() (2)
	Line 3543:  [sm-core_16ab3c85]com.salesmanager.core.util.LabelUtil.getText(ref [javax.servlet-api-3.1.0]javax.servlet.http.HttpServletRequest,ref [ee.minimum-1.2.1]java.lang.String) (1)
	Line 3545:  [sm-core_16ab3c85]com.salesmanager.core.util.LabelUtil.getText(ref [ee.minimum-1.2.1]java.lang.String) (234)
	Line 3546:  [sm-core_16ab3c85]com.salesmanager.core.entity.reference.CoreModuleService.getDescription() (1)
	Line 3549:  [sm-central_b1580b97]com.salesmanager.central.merchantstore.StoreFrontContentAction.getTemplateSectionIds() (4)
	Line 3550:  [Shopizer_iter#1.jar]com.opensymphony.xwork2.ActionSupport.getText([rt.jar]java.lang.String,[]java.lang.String[]) (36)
	Line 3551:  [Shopizer_iter#1.jar]com.opensymphony.xwork2.ActionSupport.getText([rt.jar]java.lang.String) (183)
....
(list of input methods is repeated for each flaw type)

When it goes wrong: User Input Security analysis crash, not reported

Here is a sample crash caused by a clash between blackbox files (duplicate definitions); see the screenshot below. Action: remove the unwanted blackbox file and rerun the User Input Security analysis.


How to get SpringMVC and/or JAX-RS service entry points taken into account in the listing of input methods?

The log itself is too vague in this area (still as of 8.3.23): both messages in the input section of the log report a (0), whatever the content of the generated blackbox files. As a workaround, the content of those files must be checked manually in the appropriate folders, i.e. the subfolders of the byteCode folder named com.castsoftware.springmvc and com.castsoftware.jaxrs respectively.

2019-12-16 17:38:43,767 [1] INFO Start search of flaw sources
2019-12-16 17:38:43,767 [1] INFO Starting search of inputs for [cast#lib]Network.read()
2019-12-16 17:38:44,017 [1] INFO Inputs: 
[cast#lib]Network.read() (464)
...
[System.Web]System.Web.UI.ITextControl.get_Text() (0)
[SpringMVCServiceEntryPoints]generated.EntryPoints.CallEntryPoints() (0)
[JAXRSServiceEntryPoints]com.castsoftware.jaxrs.CallEntryPoints() (0)
[kafka_input_2.1.0-alpha1]org.apache.kafka.clients.consumer.Consumer.poll([rt.jar]java.time.Duration) (0)
[kafka_input_2.1.0-alpha1]org.apache.kafka.clients.consumer.Consumer.poll([kafka_input_2.1.0-alpha1]long) (0)
2019-12-16 17:38:44,018 [1] INFO 372 flaw sources found
2019-12-16 17:38:44,018 [1] INFO 372 flaw sources found
2019-12-16 17:38:44,018 [1] INFO 0 additional flaw sources found
2019-12-16 17:38:44,206 [1] INFO !!!Process flaw 1 of 23: Path manipulation
...
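A small parser for the "Inputs:" section shown above, added here as an example (it is not part of the CAST documentation or tooling): it extracts the input methods with a non-zero count (check 2a) and, since the log reports (0) for the generated SpringMVC and JAX-RS entry points whatever the blackbox files contain, lists the byteCode subfolders that must then be inspected by hand. The sample log is constructed from the excerpts on this page.

```python
import re
# Constructed sample in the shape of the SecurityAnalyzer.log excerpts quoted on this page.
SAMPLE_LOG = """\
2019-12-16 17:38:44,017 [1] INFO Inputs:
[cast#lib]Network.read() (464)
Line 3545:  [sm-core_16ab3c85]com.salesmanager.core.util.LabelUtil.getText(ref [ee.minimum-1.2.1]java.lang.String) (234)
[Shopizer_iter#1.jar]com.opensymphony.xwork2.ActionSupport.getText([rt.jar]java.lang.String) (183)
[System.Web]System.Web.UI.ITextControl.get_Text() (0)
[SpringMVCServiceEntryPoints]generated.EntryPoints.CallEntryPoints() (0)
[JAXRSServiceEntryPoints]com.castsoftware.jaxrs.CallEntryPoints() (0)
[kafka_input_2.1.0-alpha1]org.apache.kafka.clients.consumer.Consumer.poll([rt.jar]java.time.Duration) (0)
2019-12-16 17:38:44,018 [1] INFO 372 flaw sources found
"""

# One "Inputs:" entry is "[library]method(signature) (count)"; an optional "Line NNNN:"
# prefix appears when the excerpt was copied from a log viewer.
INPUT_LINE = re.compile(r"^\s*(?:Line \d+:\s*)?\[(?P<lib>[^\]]+)\](?P<method>.+?) \((?P<count>\d+)\)\s*$")
FLAW_SOURCES = re.compile(r"INFO (\d+) flaw sources found")

# Generated entry point libraries whose (0) the page says is not reliable, mapped to the
# byteCode subfolder whose generated blackbox files must then be checked by hand.
GENERATED_LIBS = {
    "SpringMVCServiceEntryPoints": "com.castsoftware.springmvc",
    "JAXRSServiceEntryPoints": "com.castsoftware.jaxrs",
}

def parse_inputs(log_text):
    """Return (library, method, count) for every input method line in the log."""
    entries = []
    for line in log_text.splitlines():
        m = INPUT_LINE.match(line)
        if m:
            entries.append((m["lib"], m["method"], int(m["count"])))
    return entries

def called_inputs(entries):
    """Check 2a: input methods that are actually called (non-zero count)."""
    return [e for e in entries if e[2] > 0]

def folders_to_check(entries):
    """byteCode subfolders to inspect for generated entry points reported as (0)."""
    return sorted(GENERATED_LIBS[lib] for lib, _, n in entries if lib in GENERATED_LIBS and n == 0)

def flaw_sources_found(log_text):
    """Distinct 'N flaw sources found' values (the log may print the line twice)."""
    return sorted({int(n) for n in FLAW_SOURCES.findall(log_text)})

if __name__ == "__main__":
    print(called_inputs(parse_inputs(SAMPLE_LOG)), folders_to_check(parse_inputs(SAMPLE_LOG)))
```

Run it against a real SecurityAnalyzer.log by reading the file into `parse_inputs` instead of `SAMPLE_LOG`; the same regex also matches the "Line NNNN:" prefixed excerpts quoted earlier on this page.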