Purpose

The Run Data Flow Security Analysis step detects improper user input validation in the application's source code that can lead to security vulnerabilities. This step needs to be configured.

The screenshot below shows where this step comes from.

This page lists the log lines that Run Data Flow Security Analysis generates, with a functional and technical explanation of each.



Run Data Flow Security Analysis

CAST-MS-<date>-<time>.log.txt log file

The CAST MS log file contains information about all the tasks and sub-tasks that occur during the snapshot. It also includes the contents of the SecurityAnalyzer.log file, which can be lengthy.

INF: 2018-11-27 17:06:13: starting Task Run Data Flow Security Analysis on "webgoat"
Scanning C:\ProgramData\CAST\CAST\Extensions for downloaded extensions
Using C:\ProgramData\CAST\CAST\8.3 as <all users dir>
INF: 2018-11-27 17:06:13: starting Task Run J2EE Data Flow Security for "webgoat"
INF: 2018-11-27 17:06:13: C:\Program Files\CAST\8.3\DataflowRunner.exe --jobId=3 --flawSpec=C:\ProgramData\CAST\CAST\CASTMS\LISA\902239af9acc4ee5bc70ee458a981f54\TempFlaws_J2EEAppTechnology.xml --blackBox=C:\ProgramData\CAST\CAST\CASTMS\LISA\902239af9acc4ee5bc70ee458a981f54\blackboxOptions.xml --batch=C:\ProgramData\CAST\CAST\CASTMS\LTSA/902239af9acc4ee5bc70ee458a981f54/DataflowInput.txt --saveDb=C:\ProgramData\CAST\CAST\CASTMS\LISA\902239af9acc4ee5bc70ee458a981f54\Scr8c60461a5c7f4a5d841508662a8a946c\BuildAgent.datatransfer --showProgress=no --scripts=C:\Program Files\CAST\8.3\configuration\scripts --log=C:\ProgramData\CAST\CAST\CASTMS\LISA\902239af9acc4ee5bc70ee458a981f54\Scr8c60461a5c7f4a5d841508662a8a946c\SecurityAnalyzer.log --extFolder="C:\ProgramData\CAST\CAST\Extensions\com.castsoftware.JEE-MavenHttp.1.4.0-funcrel" "C:\ProgramData\CAST\CAST\Extensions\com.castsoftware.angularjs.1.5.0-funcrel" "C:\ProgramData\CAST\CAST\Extensions\com.castsoftware.businessobject.1.0.0-funcrel" "C:\ProgramData\CAST\CAST\Extensions\com.castsoftware.dmtboextractiondiscoverer.1.0.0-funcrel" "C:\ProgramData\CAST\CAST\Extensions\com.castsoftware.dmtxmlscanner.1.0.0-funcrel" "C:\ProgramData\CAST\CAST\Extensions\com.castsoftware.dotnet.1.0.0" "C:\ProgramData\CAST\CAST\Extensions\com.castsoftware.html5.1.7.1-funcrel" "C:\ProgramData\CAST\CAST\Extensions\com.castsoftware.internal.platform.0.3.0-funcrel" "C:\ProgramData\CAST\CAST\Extensions\com.castsoftware.jaxrs.1.3.0-funcrel" "C:\ProgramData\CAST\CAST\Extensions\com.castsoftware.jee.1.0.0-funcrel" "C:\ProgramData\CAST\CAST\Extensions\com.castsoftware.jquery.1.5.0-funcrel" "C:\ProgramData\CAST\CAST\Extensions\com.castsoftware.nodejs.1.5.0-funcrel" "C:\ProgramData\CAST\CAST\Extensions\com.castsoftware.php.1.3.0" "C:\ProgramData\CAST\CAST\Extensions\com.castsoftware.springmvc.1.3.0-funcrel" "C:\ProgramData\CAST\CAST\Extensions\com.castsoftware.sqlanalyzer.2.3.0" "C:\ProgramData\CAST\CAST\Extensions\com.castsoftware.tibco.1.2.1" 
"C:\ProgramData\CAST\CAST\Extensions\com.castsoftware.wbslinker.1.5.0" "C:\ProgramData\CAST\CAST\Extensions\com.castsoftware.webfilesdiscoverer.1.1.0-funcrel"


<Full Contents of SecurityAnalyzer.log - see below for an example>

INF: 2018-11-27 17:16:01: Task message: No Task message
INF: 2018-11-27 17:16:01: Log file: C:\ProgramData\CAST\CAST\CASTMS\LISA\902239af9acc4ee5bc70ee458a981f54\Scr8c60461a5c7f4a5d841508662a8a946c\SecurityAnalyzer.log
INF: 2018-11-27 17:16:01: ending Task Run J2EE Data Flow Security for "webgoat"
INF: 2018-11-27 17:16:01: starting Task Save results to database
INF: 2018-11-27 17:16:01: C:\Program Files\CAST\8.3/XMLTODB.exe /f:C:\ProgramData\CAST\CAST\CASTMS\LISA\902239af9acc4ee5bc70ee458a981f54\Scr8c60461a5c7f4a5d841508662a8a946c\BuildAgent.datatransfer /c:C:\Program Files\CAST\8.3\InstallScripts\Common\APPW\table_appw.xml /scp:dataflow /src:xml /st:sql /cs:LIBPQ:localhost:2282,postgres /u:operator /p:****** /db:test830_local
INF: 2018-11-27 17:16:02: Task message: No Task message
INF: 2018-11-27 17:16:02: No associated log file
INF: 2018-11-27 17:16:02: ending Task Save results to database
INF: 2018-11-27 17:16:02: Task message: No Task message
INF: 2018-11-27 17:16:02: No associated log file
INF: 2018-11-27 17:16:02: ending Task Run Data Flow Security Analysis on "webgoat"

Security Analyzer

SecurityAnalyzer.log

Sample results are shown below. The file contents have been edited down to a representative sample.

2018-11-27 17:06:13,879 INFO SecurityAnalyzer.Processor .ctor Logging to file 'C:\ProgramData\CAST\CAST\CASTMS\LISA\902239af9acc4ee5bc70ee458a981f54\Scr8c60461a5c7f4a5d841508662a8a946c\SecurityAnalyzer.log'
2018-11-27 17:06:13,988 INFO SecurityAnalyzer.Processor .ctor Flaws save in C:\ProgramData\CAST\CAST\CASTMS\LISA\902239af9acc4ee5bc70ee458a981f54\Scr8c60461a5c7f4a5d841508662a8a946c\BuildAgent.flaw
2018-11-27 17:06:13,988 INFO SecurityAnalyzer.Processor .ctor Flaws save in C:\ProgramData\CAST\CAST\CASTMS\LISA\902239af9acc4ee5bc70ee458a981f54\Scr8c60461a5c7f4a5d841508662a8a946c\BuildAgent.datatransfer for transfer to knowledge base
2018-11-27 17:06:13,988 INFO SecurityAnalyzer.Program Main PrimaryLog: Security analyzer called with : --jobId=3 --flawSpec=C:\ProgramData\CAST\CAST\CASTMS\LISA\902239af9acc4ee5bc70ee458a981f54\TempFlaws_J2EEAppTechnology.xml --blackBox=C:\ProgramData\CAST\CAST\CASTMS\LISA\902239af9acc4ee5bc70ee458a981f54\blackboxOptions.xml --batch=C:\ProgramData\CAST\CAST\CASTMS\LTSA/902239af9acc4ee5bc70ee458a981f54/DataflowInput.txt --saveDb=C:\ProgramData\CAST\CAST\CASTMS\LISA\902239af9acc4ee5bc70ee458a981f54\Scr8c60461a5c7f4a5d841508662a8a946c\BuildAgent.datatransfer --showProgress=no --scripts=C:\Program Files\CAST\8.3\configuration\scripts --log=C:\ProgramData\CAST\CAST\CASTMS\LISA\902239af9acc4ee5bc70ee458a981f54\Scr8c60461a5c7f4a5d841508662a8a946c\SecurityAnalyzer.log --extFolder=C:\ProgramData\CAST\CAST\Extensions\com.castsoftware.JEE-MavenHttp.1.4.0-funcrel C:\ProgramData\CAST\CAST\Extensions\com.castsoftware.angularjs.1.5.0-funcrel C:\ProgramData\CAST\CAST\Extensions\com.castsoftware.businessobject.1.0.0-funcrel C:\ProgramData\CAST\CAST\Extensions\com.castsoftware.dmtboextractiondiscoverer.1.0.0-funcrel C:\ProgramData\CAST\CAST\Extensions\com.castsoftware.dmtxmlscanner.1.0.0-funcrel C:\ProgramData\CAST\CAST\Extensions\com.castsoftware.dotnet.1.0.0 C:\ProgramData\CAST\CAST\Extensions\com.castsoftware.html5.1.7.1-funcrel C:\ProgramData\CAST\CAST\Extensions\com.castsoftware.internal.platform.0.3.0-funcrel C:\ProgramData\CAST\CAST\Extensions\com.castsoftware.jaxrs.1.3.0-funcrel C:\ProgramData\CAST\CAST\Extensions\com.castsoftware.jee.1.0.0-funcrel C:\ProgramData\CAST\CAST\Extensions\com.castsoftware.jquery.1.5.0-funcrel C:\ProgramData\CAST\CAST\Extensions\com.castsoftware.nodejs.1.5.0-funcrel C:\ProgramData\CAST\CAST\Extensions\com.castsoftware.php.1.3.0 C:\ProgramData\CAST\CAST\Extensions\com.castsoftware.springmvc.1.3.0-funcrel C:\ProgramData\CAST\CAST\Extensions\com.castsoftware.sqlanalyzer.2.3.0 C:\ProgramData\CAST\CAST\Extensions\com.castsoftware.tibco.1.2.1 
C:\ProgramData\CAST\CAST\Extensions\com.castsoftware.wbslinker.1.5.0 C:\ProgramData\CAST\CAST\Extensions\com.castsoftware.webfilesdiscoverer.1.1.0-funcrel
2018-11-27 17:06:14,160 INFO CastIL.Blackboxes.BlackBoxHelper Validate Validating cast#lib
2018-11-27 17:06:14,710 INFO CastIL.CircularBuffer`1 OnFreeMemory Initialization of a circular buffer of 1218999 elements with 1 rings
2018-11-27 17:06:14,929 INFO CastIL.Plugins.PluginFactories get_InstalledAssemblies CastIL documents managed by this plugin system are now : cast#lib
2018-11-27 17:06:14,929 INFO SecurityAnalyzer.Processor LoadBlackboxesForApplication Load custom blackbox files
2018-11-27 17:06:14,929 INFO SecurityAnalyzer.Processor LoadBlackboxesForApplication Load blackbox files in active extension folders
2018-11-27 17:06:14,929 INFO SecurityAnalyzer.Processor LoadBlackboxesForApplication Read bytecode blackboxes in DataFlowRunner
2018-11-27 17:06:14,960 INFO SecurityAnalyzer.Processor LoadBlackboxesForApplication Load CastIL code
2018-11-27 17:06:14,960 INFO CastIL.Application AddAssemblyFolder Adding CastIL assembly folder C:\ProgramData\CAST\CAST\CASTMS\LISA\902239af9acc4ee5bc70ee458a981f54\Scr8c60461a5c7f4a5d841508662a8a946c
2018-11-27 17:06:14,991 INFO CastIL.Application AddAssemblyFolder Guid storage loaded from C:\ProgramData\CAST\CAST\CASTMS\LISA\902239af9acc4ee5bc70ee458a981f54\Scr8c60461a5c7f4a5d841508662a8a946c\BuildAgent.guids
2018-11-27 17:06:15,038 DEBUG CastIL.Conversion.v1.Converter Convert Converting CastIL format from v1 to v2
2018-11-27 17:06:20,976 DEBUG CastIL.Conversion.v1.Converter Convert CastIL format converted
...
2018-11-27 17:06:31,118 INFO SecurityAnalyzer.Processor LoadBlackboxesForApplication Load official blackboxes
2018-11-27 17:06:31,149 INFO CastIL.Plugins.PluginFactories AddPlugin Adding or updating factory DotNetRuntime.DotNetRuntime of plugin DotNetRuntime.castil, Version=1.0.0.0, Culture=neutral, PublicKeyToken=null with <plugin file="C:/Program%20Files/CAST/8.3/DotNetRuntime.castil.dll" />
2018-11-27 17:06:31,149 INFO CastIL.Blackboxes.BlackBoxHelper Validate Validating cast#lib
2018-11-27 17:06:31,164 INFO CastIL.Plugins.PluginFactories get_InstalledAssemblies CastIL documents managed by this plugin system are now : cast#lib cast#unsafe#DotNetRuntime mscorlib System System.Core System.Data System.DirectoryServices System.Web System.Windows.Forms System.Xml
2018-11-27 17:06:31,203 INFO CastIL.Plugins.PluginFactories AddPlugin Adding or updating factory JeeRuntime.JeeRuntime of plugin JeeRuntime.castil, Version=1.0.0.0, Culture=neutral, PublicKeyToken=null with <plugin file="C:/Program%20Files/CAST/8.3/JeeRuntime.castil.dll" />
2018-11-27 17:06:31,205 INFO CastIL.Blackboxes.BlackBoxHelper Validate Validating cast#lib
2018-11-27 17:06:31,211 INFO CastIL.Plugins.PluginFactories get_InstalledAssemblies CastIL documents managed by this plugin system are now : cast#lib cast#unsafe#DotNetRuntime mscorlib System System.Core System.Data System.DirectoryServices System.Web System.Windows.Forms System.Xml 1-javax.jar apache-httpcomponents-httpclient.jar cast#unsafe#JeeRuntime commons-logging-1.1.1.jar ecs-1.4.2.jar ejb3_persistence.jar javax.servlet.jsp_2.2.0.jar javax.servlet_3.0.0.jar jce.jar jdo2-api.jar log4j-1.2.14.jar org.eclipse.swt.3.106.0.v20170608-0516.jar portlet.jar rt.jar
2018-11-27 17:06:31,211 INFO SecurityAnalyzer.Processor LoadBlackboxesForApplication Load flaws specification file
2018-11-27 17:06:31,259 INFO SecurityAnalyzer.Processor LoadBlackboxesForApplication Load dynamic blackboxes
2018-11-27 17:06:31,996 WARN SecurityAnalyzer.BlackboxDynamic BlackboxInputsAndTargets Method without implementation:
[servletapi-2.3.jar]javax.servlet.GenericServlet.getServletName()
[servletapi-2.3.jar]javax.servlet.GenericServlet.log([rt.jar]java.lang.String)
...
2018-11-27 17:06:33,221 INFO SecurityAnalyzer.BlackboxDynamic BlackboxMethodWithSpecificTarget Blackbox on the fly: [servletapi-2.3.jar]javax.servlet.ServletRequest.setAttribute([rt.jar]java.lang.String,[rt.jar]java.lang.Object) with target write_session
2018-11-27 17:06:33,239 INFO SecurityAnalyzer.BlackboxDynamic BlackboxMethodWithSpecificTarget Blackbox on the fly: [rt.jar]java.lang.Class.forName([rt.jar]java.lang.String) with target reflection
2018-11-27 17:06:33,240 INFO SecurityAnalyzer.BlackboxDynamic BlackboxMethodWithSpecificTarget Blackbox on the fly: [rt.jar]java.lang.Class.getMethod([rt.jar]java.lang.String,[]java.lang.Class) with target reflection
2018-11-27 17:06:33,247 INFO SecurityAnalyzer.BlackboxDynamic BlackboxMethodWithSpecificTarget Blackbox on the fly: [rt.jar]java.lang.Math.random() with target unsecure_random
2018-11-27 17:06:33,271 INFO SecurityAnalyzer.BlackboxDynamic BlackboxMethodWithSpecificTarget Blackbox on the fly: [rt.jar]java.util.Random.nextInt() with target unsecure_random
2018-11-27 17:06:33,280 INFO SecurityAnalyzer.BlackboxDynamic BlackboxMethodWithSpecificTarget Blackbox on the fly: [rt.jar]java.text.NumberFormat.parse([rt.jar]java.lang.String) with target string
2018-11-27 17:06:33,320 INFO SecurityAnalyzer.BlackboxDynamic BlackboxMethodWithSpecificTarget Blackbox on the fly: [rt.jar]java.nio.charset.Charset.forName([rt.jar]java.lang.String) with target reflection
2018-11-27 17:06:33,352 WARN CastIL.Blackboxes.BlackboxTranslator InstallMethod A method overrides that existing method: [cast#lib]Network.writeSession([cast#lib]!!0)
2018-11-27 17:06:33,352 WARN CastIL.Blackboxes.BlackboxTranslator InstallMethod A method overrides that existing method: [cast#lib]Reflection.write([cast#lib]!!0)
2018-11-27 17:06:33,352 WARN CastIL.Blackboxes.BlackboxTranslator InstallMethod A method overrides that existing method: [cast#lib]Reflection.write([cast#lib]!!0)
2018-11-27 17:06:33,352 WARN CastIL.Blackboxes.BlackboxTranslator InstallMethod A method overrides that existing method: [cast#lib]Reflection.write([cast#lib]!!0)
2018-11-27 17:06:33,352 WARN CastIL.Blackboxes.BlackboxTranslator InstallMethod A method overrides that existing method: [cast#lib]Reflection.write([cast#lib]!!0)
2018-11-27 17:06:33,352 WARN CastIL.Blackboxes.BlackboxTranslator InstallMethod A method overrides that existing method: [cast#lib]Network.unsecureRandom()
2018-11-27 17:06:33,352 WARN CastIL.Blackboxes.BlackboxTranslator InstallMethod A method overrides that existing method: [cast#lib]Reflection.write([cast#lib]!!0)
2018-11-27 17:06:33,352 WARN CastIL.Blackboxes.BlackboxTranslator InstallMethod A method overrides that existing method: [cast#lib]Reflection.write([cast#lib]!!0)
2018-11-27 17:06:33,367 INFO CastIL.Application SaveXmlApplication Snapshot of CastIL application setup saved in C:\ProgramData\CAST\CAST\CASTMS\LISA\902239af9acc4ee5bc70ee458a981f54\Scr8c60461a5c7f4a5d841508662a8a946c\castil-system.xml
2018-11-27 17:06:33,789 INFO SecurityAnalyzer.Processor LoadBlackboxesForApplication cast#spec
...
2018-11-27 17:06:33,794 INFO SecurityAnalyzer.Analyzer Run Process flaw 1 of 20 : Path Manipulation
2018-11-27 17:06:33,796 INFO SecurityAnalyzer.Analyzer+TaintedInputAnalyzer .ctor Start search of flaw sources
2018-11-27 17:06:33,797 INFO SecurityAnalyzer.Analyzer FindInputs Start search of flaw sources
2018-11-27 17:06:33,798 INFO CastIL.EntryPointFinder FindInputs Starting search of inputs for [cast#lib]Network.read()
2018-11-27 17:06:34,080 INFO CastIL.EntryPointFinder FindInputs Inputs:
...
2018-11-27 17:06:34,817 INFO SecurityAnalyzer.Analyzer FindInputs 291 flaw sources found
2018-11-27 17:06:34,817 INFO SecurityAnalyzer.Analyzer+TaintedInputAnalyzer .ctor 291 flaw sources found
2018-11-27 17:06:35,129 DEBUG SecurityAnalyzer.Analyzer Run Analyze target 0/100: 17: v124= callvirt v144<v143.write(v215) // [rt.jar]java.io.Writer.write([rt.jar]java.lang.String) // c:\castms\test830_css3\deploy\webgoat\webgoat\lessons\ajax\eval.jsp (34,3)->(34,3)

2018-11-27 17:06:35,192 DEBUG SecurityAnalyzer.Analyzer Run Flaw found: 2
2018-11-27 17:06:35,320 DEBUG SecurityAnalyzer.Analyzer Run Analyze target 1/100: 10: v111= callvirt v146<v143.write(v210) // [rt.jar]java.io.Writer.write([rt.jar]java.lang.String) // c:\castms\test830_css3\deploy\webgoat\webgoat\lessons\ajax\eval.jsp (30,3)->(30,3)

2018-11-27 17:06:35,330 DEBUG SecurityAnalyzer.Analyzer Run Flaw found: 1
2018-11-27 17:06:35,335 DEBUG SecurityAnalyzer.Analyzer Run Analyze target 2/100: 14: v9= callvirt v18<v17.write(v16) // [rt.jar]java.io.Writer.write([rt.jar]java.lang.String) // C:\CASTMS\test830_css3\Deploy\webgoat\webgoat\JavaSource\org\owasp\webgoat\lessons\Challenge2Screen.java (720,4)->(720,4)
...
2018-11-27 17:06:44,517 DEBUG SecurityAnalyzer.Analyzer Run Analyze target 99/100: 21: v252= callvirt v625<v624.newXPath() // [rt.jar]javax.xml.xpath.XPathFactory.newXPath() // C:\CASTMS\test830_css3\Deploy\webgoat\webgoat\JavaSource\org\owasp\webgoat\lessons\XPATHInjection.java (141,18)->(141,18)

2018-11-27 17:06:44,517 INFO SecurityAnalyzer.Analyzer Run Tested= 100 entrypoints, Found= 7 flaws
2018-11-27 17:06:44,633 INFO SecurityAnalyzer.Processor Process Total time = 10.8440714 seconds
2018-11-27 17:06:44,633 INFO CastIL.Blackboxes.BlackBoxHelper Validate Validating cast#lib
2018-11-27 17:06:44,633 INFO CastIL.Plugins.PluginFactories get_InstalledAssemblies CastIL documents managed by this plugin system are now : cast#lib
2018-11-27 17:06:44,633 INFO SecurityAnalyzer.Processor LoadBlackboxesForApplication Load custom blackbox files
2018-11-27 17:06:44,633 INFO SecurityAnalyzer.Processor LoadBlackboxesForApplication Load blackbox files in active extension folders
2018-11-27 17:06:44,883 INFO SecurityAnalyzer.Processor LoadBlackboxesForApplication Read bytecode blackboxes in DataFlowRunner
2018-11-27 17:06:44,899 INFO SecurityAnalyzer.Processor LoadBlackboxesForApplication Load CastIL code
2018-11-27 17:06:44,899 INFO CastIL.Application AddAssemblyFolder Adding CastIL assembly folder C:\ProgramData\CAST\CAST\CASTMS\LISA\902239af9acc4ee5bc70ee458a981f54\Scr8c60461a5c7f4a5d841508662a8a946c
2018-11-27 17:06:44,899 INFO CastIL.Application AddAssemblyFolder Guid storage loaded from C:\ProgramData\CAST\CAST\CASTMS\LISA\902239af9acc4ee5bc70ee458a981f54\Scr8c60461a5c7f4a5d841508662a8a946c\BuildAgent.guids
2018-11-27 17:06:44,914 DEBUG CastIL.Conversion.v1.Converter Convert Converting CastIL format from v1 to v2
2018-11-27 17:06:46,226 INFO CastIL.Plugins.PluginFactories Dispose A plugin system is closing cast#lib
...
The same format repeats for the processing of each remaining flaw, out of the total of 20 flaws.
...
2018-11-27 17:15:58,143 INFO SecurityAnalyzer.Analyzer Run Process flaw 20 of 20 : Secured cookie
2018-11-27 17:15:58,175 DEBUG SecurityAnalyzer.Analyzer Run Analyze target 0/15: 59: v82= callvirt v148<v80.addCookie(v149) // [servletapi-2.3.jar]javax.servlet.http.HttpServletResponse.addCookie([servletapi-2.3.jar]javax.servlet.http.Cookie) // C:\CASTMS\test830_css3\Deploy\webgoat\webgoat\JavaSource\org\owasp\webgoat\lessons\Challenge2Screen.java (171,19)->(171,19)

2018-11-27 17:15:58,175 DEBUG SecurityAnalyzer.Analyzer Run Flaw found: 1
2018-11-27 17:15:58,175 DEBUG SecurityAnalyzer.Analyzer Run Analyze target 1/15: 21: v14= callvirt v241<v12.addCookie(v242) // [servletapi-2.3.jar]javax.servlet.http.HttpServletResponse.addCookie([servletapi-2.3.jar]javax.servlet.http.Cookie) // C:\CASTMS\test830_css3\Deploy\webgoat\webgoat\JavaSource\org\owasp\webgoat\lessons\Challenge2Screen.java (194,19)->(194,19)

2018-11-27 17:15:58,190 DEBUG SecurityAnalyzer.Analyzer Run Flaw found: 1
2018-11-27 17:15:58,190 DEBUG SecurityAnalyzer.Analyzer Run Analyze target 2/15: 26: v57= callvirt v106<v55.addCookie(v107) // [servletapi-2.3.jar]javax.servlet.http.HttpServletResponse.addCookie([servletapi-2.3.jar]javax.servlet.http.Cookie) // C:\CASTMS\test830_css3\Deploy\webgoat\webgoat\JavaSource\org\owasp\webgoat\lessons\WeakAuthenticationCookie.java (146,21)->(146,21)

2018-11-27 17:15:58,190 DEBUG SecurityAnalyzer.Analyzer Run Flaw found: 1
2018-11-27 17:15:58,190 DEBUG SecurityAnalyzer.Analyzer Run Analyze target 3/15: 22: v23= callvirt v246<v21.addCookie(v247) // [servletapi-2.3.jar]javax.servlet.http.HttpServletResponse.addCookie([servletapi-2.3.jar]javax.servlet.http.Cookie) // C:\CASTMS\test830_css3\Deploy\webgoat\webgoat\JavaSource\org\owasp\webgoat\lessons\WeakSessionID.java (200,20)->(200,20)

2018-11-27 17:15:58,190 DEBUG SecurityAnalyzer.Analyzer Run Flaw found: 1
2018-11-27 17:15:58,190 DEBUG SecurityAnalyzer.Analyzer Run Analyze target 4/15: 07: v14= callvirt v25<v13.addCookie(v24) // [servletapi-2.3.jar]javax.servlet.http.HttpServletResponse.addCookie([servletapi-2.3.jar]javax.servlet.http.Cookie) // C:\CASTMS\test830_css3\Deploy\webgoat\webgoat\JavaSource\org\owasp\webgoat\session\WebSession.java (276,5)->(276,5)

2018-11-27 17:15:58,206 DEBUG SecurityAnalyzer.Analyzer Run Flaw found: 3
2018-11-27 17:15:58,206 DEBUG SecurityAnalyzer.Analyzer Run Analyze target 5/15: 59: v82= callvirt v148<v80.addCookie(v149) // [servletapi-2.3.jar]javax.servlet.http.HttpServletResponse.addCookie([servletapi-2.3.jar]javax.servlet.http.Cookie) // C:\CASTMS\test830_css3\Deploy\webgoat\webgoat\JavaSource\org\owasp\webgoat\lessons\Challenge2Screen.java (171,19)->(171,19)

2018-11-27 17:15:58,206 DEBUG SecurityAnalyzer.Analyzer Run Analyze target 6/15: 21: v14= callvirt v241<v12.addCookie(v242) // [servletapi-2.3.jar]javax.servlet.http.HttpServletResponse.addCookie([servletapi-2.3.jar]javax.servlet.http.Cookie) // C:\CASTMS\test830_css3\Deploy\webgoat\webgoat\JavaSource\org\owasp\webgoat\lessons\Challenge2Screen.java (194,19)->(194,19)

2018-11-27 17:15:58,206 DEBUG SecurityAnalyzer.Analyzer Run Analyze target 7/15: 26: v57= callvirt v106<v55.addCookie(v107) // [servletapi-2.3.jar]javax.servlet.http.HttpServletResponse.addCookie([servletapi-2.3.jar]javax.servlet.http.Cookie) // C:\CASTMS\test830_css3\Deploy\webgoat\webgoat\JavaSource\org\owasp\webgoat\lessons\WeakAuthenticationCookie.java (146,21)->(146,21)

2018-11-27 17:15:58,206 DEBUG SecurityAnalyzer.Analyzer Run Analyze target 8/15: 22: v23= callvirt v246<v21.addCookie(v247) // [servletapi-2.3.jar]javax.servlet.http.HttpServletResponse.addCookie([servletapi-2.3.jar]javax.servlet.http.Cookie) // C:\CASTMS\test830_css3\Deploy\webgoat\webgoat\JavaSource\org\owasp\webgoat\lessons\WeakSessionID.java (200,20)->(200,20)

2018-11-27 17:15:58,206 DEBUG SecurityAnalyzer.Analyzer Run Analyze target 9/15: 07: v14= callvirt v25<v13.addCookie(v24) // [servletapi-2.3.jar]javax.servlet.http.HttpServletResponse.addCookie([servletapi-2.3.jar]javax.servlet.http.Cookie) // C:\CASTMS\test830_css3\Deploy\webgoat\webgoat\JavaSource\org\owasp\webgoat\session\WebSession.java (276,5)->(276,5)

2018-11-27 17:15:58,206 DEBUG SecurityAnalyzer.Analyzer Run Analyze target 10/15: 59: v82= callvirt v148<v80.addCookie(v149) // [servletapi-2.3.jar]javax.servlet.http.HttpServletResponse.addCookie([servletapi-2.3.jar]javax.servlet.http.Cookie) // C:\CASTMS\test830_css3\Deploy\webgoat\webgoat\JavaSource\org\owasp\webgoat\lessons\Challenge2Screen.java (171,19)->(171,19)

2018-11-27 17:15:59,168 DEBUG SecurityAnalyzer.Analyzer Run Analyze target 11/15: 21: v14= callvirt v241<v12.addCookie(v242) // [servletapi-2.3.jar]javax.servlet.http.HttpServletResponse.addCookie([servletapi-2.3.jar]javax.servlet.http.Cookie) // C:\CASTMS\test830_css3\Deploy\webgoat\webgoat\JavaSource\org\owasp\webgoat\lessons\Challenge2Screen.java (194,19)->(194,19)

2018-11-27 17:15:59,168 DEBUG SecurityAnalyzer.Analyzer Run Analyze target 12/15: 26: v57= callvirt v106<v55.addCookie(v107) // [servletapi-2.3.jar]javax.servlet.http.HttpServletResponse.addCookie([servletapi-2.3.jar]javax.servlet.http.Cookie) // C:\CASTMS\test830_css3\Deploy\webgoat\webgoat\JavaSource\org\owasp\webgoat\lessons\WeakAuthenticationCookie.java (146,21)->(146,21)

2018-11-27 17:15:59,168 DEBUG SecurityAnalyzer.Analyzer Run Analyze target 13/15: 22: v23= callvirt v246<v21.addCookie(v247) // [servletapi-2.3.jar]javax.servlet.http.HttpServletResponse.addCookie([servletapi-2.3.jar]javax.servlet.http.Cookie) // C:\CASTMS\test830_css3\Deploy\webgoat\webgoat\JavaSource\org\owasp\webgoat\lessons\WeakSessionID.java (200,20)->(200,20)

2018-11-27 17:15:59,184 DEBUG SecurityAnalyzer.Analyzer Run Analyze target 14/15: 07: v14= callvirt v25<v13.addCookie(v24) // [servletapi-2.3.jar]javax.servlet.http.HttpServletResponse.addCookie([servletapi-2.3.jar]javax.servlet.http.Cookie) // C:\CASTMS\test830_css3\Deploy\webgoat\webgoat\JavaSource\org\owasp\webgoat\session\WebSession.java (276,5)->(276,5)

2018-11-27 17:15:59,184 INFO SecurityAnalyzer.Analyzer Run Tested= 15 entrypoints, Found= 7 flaws
2018-11-27 17:15:59,184 INFO SecurityAnalyzer.Processor Process Total time = 1.0404626 seconds
2018-11-27 17:15:59,199 INFO SecurityAnalyzer.Processor Process Summary: Total Found= 103 flaws
2018-11-27 17:15:59,215 INFO SecurityAnalyzer.Processor Process Summary= 95 distinct flaws found.
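
The roll-up below is an added example, not part of the CAST documentation or tooling: it parses the SecurityAnalyzer.log lines shown above into per-flaw passes, checks that each pass's "Flaw found" counts add up to its "Tested= ... Found=" line (the relation visible in the "Secured cookie" pass above, assumed here to hold for every pass), and tallies flaws by source file. The function names and the embedded sample log are constructed for illustration.

```python
import re

# Constructed sample in the SecurityAnalyzer.log layout shown above; paths,
# timestamps and counts are illustrative, not taken from a real run.
SAMPLE_LOG = r"""
2018-11-27 17:15:58,143 INFO SecurityAnalyzer.Analyzer Run Process flaw 1 of 2 : Path Manipulation
2018-11-27 17:15:58,175 DEBUG SecurityAnalyzer.Analyzer Run Analyze target 0/2: 17: v124= callvirt v144<v143.write(v215) // [rt.jar]java.io.Writer.write([rt.jar]java.lang.String) // C:\src\app\lessons\eval.jsp (34,3)->(34,3)

2018-11-27 17:15:58,180 DEBUG SecurityAnalyzer.Analyzer Run Flaw found: 2
2018-11-27 17:15:58,190 DEBUG SecurityAnalyzer.Analyzer Run Analyze target 1/2: 14: v9= callvirt v18<v17.write(v16) // [rt.jar]java.io.Writer.write([rt.jar]java.lang.String) // C:\src\app\Challenge2Screen.java (720,4)->(720,4)
2018-11-27 17:15:58,200 INFO SecurityAnalyzer.Analyzer Run Tested= 2 entrypoints, Found= 2 flaws
2018-11-27 17:15:58,300 INFO SecurityAnalyzer.Analyzer Run Process flaw 2 of 2 : Secured cookie
2018-11-27 17:15:58,310 DEBUG SecurityAnalyzer.Analyzer Run Analyze target 0/1: 07: v14= callvirt v25<v13.addCookie(v24) // [servletapi-2.3.jar]javax.servlet.http.HttpServletResponse.addCookie([servletapi-2.3.jar]javax.servlet.http.Cookie) // C:\src\app\session\WebSession.java (276,5)->(276,5)
2018-11-27 17:15:58,320 DEBUG SecurityAnalyzer.Analyzer Run Flaw found: 3
2018-11-27 17:15:58,330 INFO SecurityAnalyzer.Analyzer Run Tested= 1 entrypoints, Found= 3 flaws
2018-11-27 17:15:58,340 INFO SecurityAnalyzer.Processor Process Summary: Total Found= 5 flaws
"""

# Message patterns, anchored on the fixed wording of each log line.
FLAW = re.compile(r"Process flaw (\d+) of (\d+) : (.+?)\s*$")
TARGET = re.compile(r"Analyze target (\d+)/(\d+): .* // (.+) // (.+) \((\d+),(\d+)\)->\(\d+,\d+\)\s*$")
FOUND = re.compile(r"Flaw found: (\d+)\s*$")
TESTED = re.compile(r"Tested= (\d+) entrypoints, Found= (\d+) flaws")
TOTAL = re.compile(r"Summary: Total Found= (\d+) flaws")

def parse_security_log(text):
    """Return (flaw passes, 'Total Found' value or None) from log text."""
    sections, total, cur, tgt = [], None, None, None
    for line in text.splitlines():
        if m := FLAW.search(line):
            cur = {"index": int(m[1]), "of": int(m[2]), "name": m[3],
                   "targets": [], "tested": None, "reported": None}
            sections.append(cur)
            tgt = None
        elif cur is not None and (m := TARGET.search(line)):
            tgt = {"sink": m[3], "file": m[4], "line": int(m[5]), "flaws": 0}
            cur["targets"].append(tgt)
        elif tgt is not None and (m := FOUND.search(line)):
            tgt["flaws"] += int(m[1])  # count belongs to the target just analyzed
        elif cur is not None and (m := TESTED.search(line)):
            cur["tested"], cur["reported"] = int(m[1]), int(m[2])
            tgt = None
        elif m := TOTAL.search(line):
            total = int(m[1])
    return sections, total

def consistency_issues(sections, total):
    """List signs that the log is truncated or its counts do not add up."""
    issues = []
    if sections and len(sections) != sections[-1]["of"]:
        issues.append(f"{len(sections)} of {sections[-1]['of']} flaw passes present")
    for s in sections:
        if s["tested"] is None:
            issues.append(f"{s['name']}: no 'Tested=' line, pass did not finish")
            continue
        if len(s["targets"]) != s["tested"]:
            issues.append(f"{s['name']}: {len(s['targets'])} targets logged, {s['tested']} tested")
        found = sum(t["flaws"] for t in s["targets"])
        if found != s["reported"]:  # assumed relation, see lead-in
            issues.append(f"{s['name']}: per-target flaws {found} != reported {s['reported']}")
    if total is None:
        issues.append("no 'Summary: Total Found=' line, run did not reach the summary")
    return issues

def flaws_by_file(sections):
    """Tally flaws per (flaw name, source file name, line) for triage."""
    tally = {}
    for s in sections:
        for t in s["targets"]:
            if t["flaws"]:
                key = (s["name"], t["file"].rsplit("\\", 1)[-1], t["line"])
                tally[key] = tally.get(key, 0) + t["flaws"]
    return tally
```

The per-target counts come from DEBUG lines, so a log written without DEBUG entries is reported as inconsistent rather than clean.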
