Created by James Hurrell on Apr 22, 2022
The SecurityAnalyzer log reports the inner behavior of the User Input Security analysis. It must be read by the AIA in order to figure out what happened on several topics listed in the table below.
Main steps and checks to perform
The table below lists the main phases of the User Input Security analysis. Each phase is reported in SecurityAnalyzer.log through a number of log records. The success of each step must be controlled in order to ensure correct execution: some types of error do not stop the User Input Security analysis, so a proper examination must take place. Global numbers (number of entrypoints for each flaw, total number of flaws found, etc.) must be controlled too (see the checklist for this control).
No. | Phase | Check to perform and how | Significance of checks |
---|---|---|---|
1 | Custom blackbox and CASTIL loading | Do they all load? Any errors? Search SecurityAnalyzer.log for the text "Validate Validating" and read the lines after this message for any error. | Hard to automate, since there is no success message and the error messages vary. An error indicates a corruption in your blackboxing file. |
2 | How many and which input methods are considered? | Full list ("Inputs:") and number ("flaw sources found"), starting at row ~450. In 8.3.x there are two lines: "INFO CastIL.EntryPointFinder FindInputs Inputs: [cast#lib]Network.read()" and then the full list of input methods (repeated for each of the 20 searches). In 8.3.x the record "WARN CastIL.Blackboxes.BlackboxTranslator InstallMethod A method overrides that existing method: [cast#lib]Network.read() without the method name" means that a method has been defined as a custom input: this is a positive message (don't worry about the WARN). | - |
2a | Which input methods are called? | This is a matter of "grepping" the entries with a non-zero count among the hundreds of methods (range 350 - 690+) listed under [cast#lib]Network.read(). This can be achieved with the regexp \([0-9]*[1-9][0-9]*\) (see the sample output for 8.3.16 - 8.3.23 below the table). | This denotes the usage of some libraries. Please note that Spring MVC and JAX-RS exposed REST APIs are not listed here, as they are technically defined as Service Entry points. |
3 | Search for flaws | How many entrypoints were tested, how many flaws were found, how many results were thrown out? See 2.1 SecurityAnalyzer.log in the checklist. | Filter with the regexps below (needed before 8.3.14 or so); from then on the '!!!' prefix is the simple tag to search for. |
4 | Final summary | The total number of entrypoints and the total number of flaws found. | Filter with the regexp below. |
5 | Runtime | A very short or a very long run time may indicate that something went wrong. | Filter with the regexp below. |
Upside | Full list of external methods that have neither an implementation nor a definition in the predefined methods | "WARN SecurityAnalyzer.BlackboxDynamic BlackboxInputsAndTargets Method without implementation" before 8.3.15 or so; "INFO Method without neither implementation nor definition for the current flaw search" for newer AIP Core releases. Followed by a list of methods (100s to 1000s of rows), repeated for each of the 23 searches. | Indicates that something is missing in the application architecture discovery, and an opportunity to improve analysis quality. |
Upside | Decision to consider some external methods as input, file path target, database target, etc., thanks to on-the-fly blackboxing | "INFO SecurityAnalyzer.BlackboxDynamic BlackboxMethodWithSpecificTarget Blackbox on the fly: [classpath]java.lang.Object.forName(ref [classpath]java.lang.String) with target reflection". The target can be write_session, database, reflection, log, file, ... Extraction is automated with a LINQ script. | - |
Sample output for check 2a in 8.3.16 - 8.3.23 (search for \([0-9]*[1-9][0-9]*\)):
Line 1160: [cast#lib]Network.read() (368)
Line 1224: [javax.servlet_3.0.0.jar]javax.servlet.http.HttpServletRequestWrapper.getParameter([ext]java.lang.String) (2)
Line 1229: [javax.servlet_3.0.0.jar]javax.servlet.http.HttpServletRequest.getParameter([ext]java.lang.String) (2)
Line 1237: [javax.servlet_3.0.0.jar]javax.servlet.ServletRequestWrapper.getParameter([ext]java.lang.String) (2)
Line 1250: [javax.servlet_3.0.0.jar]javax.servlet.ServletRequest.getParameter([ext]java.lang.String) (3)
Line 1267: [1-javax.jar]javax.servlet.http.HttpServletRequest.getParameter([ext]java.lang.String) (2)
Line 1268: [javax.servlet_3.0.0.jar]javax.servlet.ServletRequest.getParameter([ext]java.lang.String) (3)
Line 1279: [1-javax.jar]javax.servlet.ServletRequest.getParameter([ext]java.lang.String) (3)
The size of the log and the absence of sections make manual reading difficult. Using a regexp to exhibit the main information allows the log to be checked in one go, or at least makes the task easier. Use Notepad++ or any other regexp-capable editor, and copy-paste the regexps given below.
Regexp for 8.0+ = Adding blackbox|Validating
Use the regexp to locate the portion of the log reporting this information, then read this portion manually from A to Z (1 to 20 lines in general) to detect any malformed custom blackbox. Typical issues (which usually come from the script used to generate the blackbox.xml file) are:
- missing namespace
- invalid XML document
Solution: edit the custom blackbox file and fix the problem. Then rerun the User Input Security analysis and check the log again for correct blackbox file loading.
Search for flaws: get the number of input methods, the 17|18|20|23 search results and the final summary (plus the runtime). Select the regexp that matches your AIP Core release:
- In the first place, no regexp at all, just the new '!!!' prefix:
  - Results = Search "!!!" (40 hits in 1 file)
- For more details, 2 possible regexps:
  - All 20 searches + the final summary: !!!|Summary
    - Results = Search "!!!|Summary" (42 hits in 1 file)
  - All 20 searches + valid input methods + the final summary: !!!|Summary|\([1-9]\d*\)
    - Results = Search "!!!|Summary|\([1-9]\d*\)" (179 hits in 1 file)
- Two regexps:
  - The first one, to assess the results in terms of number of searches started and number of flaws found, for all 20 flaw types: of 20|Tested|Summary
    - Or, in order to also get the runtime of each search: of 20|Tested|Summary|time =
    - Or, in order to also get the flaws found during processing: of 20|Tested|Summary|Flaw found:
  - The second one (new since 8.3.7), in order to get the predefined input methods called (having a count > 0): Process flaw|Found=|\([1-9]\d*\)
- Regexp for 8.3.0-8.3.2 = flaw sources found|of 18|Tested|Summary=|Summary: or, in order to avoid the repeated "flaw sources found" lines, just of 18|Tested|Summary=|Summary:
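The checks of the table and the regexps above, done in one pass over the log, as an added Python example (not CAST code and not part of this page). It recognises the record shapes quoted on this page and accepts either raw log lines or a Notepad++ search-result paste; the assumption that failed steps are logged at level ERROR, and the sample log itself, are constructed for the example.

```python
"""Summarise a SecurityAnalyzer.log with the checks of the table and the regexps above.
Added example, not CAST code. Accepts raw log lines or a Notepad++ search-result paste
("Line 1234: " prefix) and recognises the record shapes quoted on this page."""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

LINE_PREFIX_RE = re.compile(r"^Line \d+:\s*")
FLAW_RE = re.compile(r"Process flaw (\d+) of (\d+)\s*:\s*(.+?)\s*$")  # "N of M : name" and "!!!...N of M: name"
TESTED_RE = re.compile(r"Tested=\s*(\d+) entrypoints, Found=\s*(\d+) flaws")
TIME_RE = re.compile(r"Total time = ([\d.]+) seconds")
SOURCES_RE = re.compile(r"(\d+) flaw sources found")  # "0 additional flaw sources found" has no digits before the phrase
INPUT_RE = re.compile(r"^(\[[^\]]+\].*\)) \((\d+)\)$")  # "[lib]Class.method(args) (count)", no timestamp
# Assumption (not shown on the page): failed steps are logged at level ERROR, where INFO/WARN appear.
ERROR_RE = re.compile(r"^\d{4}-\d\d-\d\d \S+ (?:\[\d+\] )?ERROR\b")


@dataclass
class FlawSearch:
    number: int
    declared_total: int            # the M in "flaw N of M"
    name: str
    tested: Optional[int] = None   # stays None when the search never reported "Tested="
    found: Optional[int] = None
    seconds: Optional[float] = None


@dataclass
class LogReport:
    searches: List[FlawSearch]
    inputs: Dict[str, int]         # every listed input method with its call count
    flaw_sources: Optional[int]
    error_lines: List[str]

    def inputs_called(self) -> List[Tuple[str, int]]:
        """Check 2a: the input methods with a non-zero count."""
        return sorted((m, c) for m, c in self.inputs.items() if c > 0)

    def total_flaws(self) -> int:
        return sum(s.found or 0 for s in self.searches)

    def total_seconds(self) -> float:  # check 5: runtime, to be judged against earlier runs
        return round(sum(s.seconds or 0.0 for s in self.searches), 3)

    def problems(self) -> List[str]:
        """Checks 1 and 3: no error records, every search started, every search completed, inputs called."""
        out = []
        declared = self.searches[0].declared_total if self.searches else None
        if declared is not None and len(self.searches) != declared:
            out.append(f"only {len(self.searches)} of {declared} flaw searches started")
        for s in self.searches:
            if s.tested is None:
                out.append(f"search {s.number} ({s.name}) has no 'Tested=' record: it did not complete")
        if not self.inputs_called():
            out.append("no input method has a non-zero call count")
        out.extend(f"error record: {line}" for line in self.error_lines)
        return out


def parse_log(text: str) -> LogReport:
    searches, inputs, errors, flaw_sources = [], {}, [], None
    for raw in text.splitlines():
        line = LINE_PREFIX_RE.sub("", raw).strip()
        if not line:
            continue
        if ERROR_RE.match(line):
            errors.append(line)
        elif (m := INPUT_RE.match(line)):
            inputs[m.group(1)] = int(m.group(2))  # the list repeats per search with identical counts
        elif (m := FLAW_RE.search(line)):
            searches.append(FlawSearch(int(m.group(1)), int(m.group(2)), m.group(3)))
        elif (m := TESTED_RE.search(line)) and searches:
            searches[-1].tested, searches[-1].found = int(m.group(1)), int(m.group(2))
        elif (m := TIME_RE.search(line)) and searches:
            searches[-1].seconds = float(m.group(1))
        elif (m := SOURCES_RE.search(line)):
            flaw_sources = int(m.group(1))
    return LogReport(searches, inputs, flaw_sources, errors)


# Constructed sample in the shapes quoted on this page (not a real log): three searches declared
# in both record styles, the third never reports "Tested=", plus one constructed ERROR record.
SAMPLE_LOG = """\
2019-06-01 09:35:29,000 ERROR CastIL.Blackboxes Validate Validating custom blackbox: constructed error
2019-06-01 09:35:30,000 INFO CastIL.EntryPointFinder FindInputs Inputs: [cast#lib]Network.read()
[cast#lib]Network.read() (374)
[javax.servlet_3.0.0.jar]javax.servlet.http.HttpServletRequest.getParameter([ext]java.lang.String) (144)
[javax.servlet_3.0.0.jar]javax.servlet.http.Cookie.getValue() (9)
[SpringMVCServiceEntryPoints]generated.EntryPoints.CallEntryPoints() (0)
2019-06-01 09:35:30,100 [1] INFO 372 flaw sources found
2019-06-01 09:35:30,100 [1] INFO 0 additional flaw sources found
Line 3569: 2019-06-01 09:35:36,234 INFO SecurityAnalyzer.Processor AnalyzeFlawType !!!Process flaw 1 of 3: Path manipulation
2019-06-01 09:35:58,771 INFO SecurityAnalyzer.Processor AnalyzeFlawType !!!Tested= 758 entrypoints, Found= 3 flaws
2019-06-01 09:35:58,800 INFO SecurityAnalyzer.Processor Process Total time = 22.5 seconds
2019-06-01 09:36:04,238 INFO SecurityAnalyzer.Analyzer Run Process flaw 2 of 3 : SQL Injection
2019-06-01 09:36:09,851 INFO SecurityAnalyzer.Analyzer Run Tested= 63 entrypoints, Found= 15 flaws
2019-06-01 09:36:09,852 INFO SecurityAnalyzer.Processor Process Total time = 5.614087 seconds
2019-06-01 09:41:08,767 INFO SecurityAnalyzer.Processor AnalyzeFlawType !!!Process flaw 3 of 3: Log forging
"""

if __name__ == "__main__":
    r = parse_log(SAMPLE_LOG)
    print(r.total_flaws(), "flaws,", r.total_seconds(), "s,", r.inputs_called(), r.problems())
```

Run it on a real log with `parse_log(open(path).read())`; the `problems()` list is empty when every check of the table passes.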
Sample output AIP 8.3.3+
Line 232: 2018-05-26 15:59:43,151 INFO SecurityAnalyzer.Analyzer Run Process flaw 1 of 20 : Path Manipulation
Line 527: 2018-05-26 15:59:46,691 INFO SecurityAnalyzer.Analyzer Run Tested= 28 entrypoints, Found= 0 flaws
Line 528: 2018-05-26 15:59:46,740 INFO SecurityAnalyzer.Processor Process Total time = 3.5918024 seconds
Line 779: 2018-05-26 15:59:48,309 INFO SecurityAnalyzer.Analyzer Run Process flaw 2 of 20 : Cross-site Scripting
Line 1162: 2018-05-26 15:59:54,108 INFO SecurityAnalyzer.Analyzer Run Tested= 72 entrypoints, Found= 0 flaws
Line 1163: 2018-05-26 15:59:54,120 INFO SecurityAnalyzer.Processor Process Total time = 5.810844 seconds
Line 1414: 2018-05-26 15:59:56,113 INFO SecurityAnalyzer.Analyzer Run Process flaw 3 of 20 : Request Parameters In Session
Line 1653: 2018-05-26 15:59:56,745 INFO SecurityAnalyzer.Analyzer Run Tested= 0 entrypoints, Found= 0 flaws
Line 1654: 2018-05-26 15:59:56,746 INFO SecurityAnalyzer.Processor Process Total time = 0.632455 seconds
Line 1905: 2018-05-26 15:59:58,192 INFO SecurityAnalyzer.Analyzer Run Process flaw 4 of 20 : HTTP Response Splitting
Line 2144: 2018-05-26 15:59:58,773 INFO SecurityAnalyzer.Analyzer Run Tested= 0 entrypoints, Found= 0 flaws
Line 2145: 2018-05-26 15:59:58,774 INFO SecurityAnalyzer.Processor Process Total time = 0.5811928 seconds
Line 2396: 2018-05-26 16:00:00,175 INFO SecurityAnalyzer.Analyzer Run Process flaw 5 of 20 : Resource Injection
Line 2635: 2018-05-26 16:00:00,786 INFO SecurityAnalyzer.Analyzer Run Tested= 0 entrypoints, Found= 0 flaws
Line 2636: 2018-05-26 16:00:00,788 INFO SecurityAnalyzer.Processor Process Total time = 0.6134368 seconds
Line 2887: 2018-05-26 16:00:02,210 INFO SecurityAnalyzer.Analyzer Run Process flaw 6 of 20 : Resource URL Manipulation
Line 3126: 2018-05-26 16:00:02,813 INFO SecurityAnalyzer.Analyzer Run Tested= 0 entrypoints, Found= 0 flaws
Line 3127: 2018-05-26 16:00:02,813 INFO SecurityAnalyzer.Processor Process Total time = 0.6024462 seconds
Line 3377: 2018-05-26 16:00:04,238 INFO SecurityAnalyzer.Analyzer Run Process flaw 7 of 20 : SQL Injection
Line 3749: 2018-05-26 16:00:09,851 INFO SecurityAnalyzer.Analyzer Run Tested= 63 entrypoints, Found= 15 flaws
Line 3750: 2018-05-26 16:00:09,852 INFO SecurityAnalyzer.Processor Process Total time = 5.614087 seconds
Line 4001: 2018-05-26 16:00:12,457 INFO SecurityAnalyzer.Analyzer Run Process flaw 8 of 20 : LDAP Injection
Line 4240: 2018-05-26 16:00:13,134 INFO SecurityAnalyzer.Analyzer Run Tested= 0 entrypoints, Found= 0 flaws
Line 4241: 2018-05-26 16:00:13,135 INFO SecurityAnalyzer.Processor Process Total time = 0.6781297 seconds
Line 4492: 2018-05-26 16:00:15,238 INFO SecurityAnalyzer.Analyzer Run Process flaw 9 of 20 : LDAP Attribute Injection
Line 4731: 2018-05-26 16:00:15,867 INFO SecurityAnalyzer.Analyzer Run Tested= 0 entrypoints, Found= 0 flaws
Line 4732: 2018-05-26 16:00:15,867 INFO SecurityAnalyzer.Processor Process Total time = 0.6296329 seconds
Line 4983: 2018-05-26 16:00:17,417 INFO SecurityAnalyzer.Analyzer Run Process flaw 10 of 20 : OS Command Injection
Line 5222: 2018-05-26 16:00:17,911 INFO SecurityAnalyzer.Analyzer Run Tested= 0 entrypoints, Found= 0 flaws
Line 5223: 2018-05-26 16:00:17,912 INFO SecurityAnalyzer.Processor Process Total time = 0.4947088 seconds
Line 5450: 2018-05-26 16:00:19,285 INFO SecurityAnalyzer.Analyzer Run Process flaw 11 of 20 : Process Control
Line 5713: 2018-05-26 16:00:19,903 INFO SecurityAnalyzer.Analyzer Run Tested= 0 entrypoints, Found= 0 flaws
Line 5714: 2018-05-26 16:00:19,904 INFO SecurityAnalyzer.Processor Process Total time = 0.6186758 seconds
Line 5941: 2018-05-26 16:00:22,373 INFO SecurityAnalyzer.Analyzer Run Process flaw 12 of 20 : Denial of Service Threat
Line 6194: 2018-05-26 16:00:22,914 INFO SecurityAnalyzer.Analyzer Run Tested= 0 entrypoints, Found= 0 flaws
Line 6204: 2018-05-26 16:00:22,914 INFO SecurityAnalyzer.Processor Process Total time = 0.5403845 seconds
Line 6432: 2018-05-26 16:00:25,332 INFO SecurityAnalyzer.Analyzer Run Process flaw 13 of 20 : Code Injection
Line 6671: 2018-05-26 16:00:25,945 INFO SecurityAnalyzer.Analyzer Run Tested= 0 entrypoints, Found= 0 flaws
Line 6672: 2018-05-26 16:00:25,946 INFO SecurityAnalyzer.Processor Process Total time = 0.6132865 seconds
Line 6947: 2018-05-26 16:00:27,309 INFO SecurityAnalyzer.Analyzer Run Process flaw 14 of 20 : Reflection Injection
Line 7186: 2018-05-26 16:00:27,996 INFO SecurityAnalyzer.Analyzer Run Tested= 0 entrypoints, Found= 0 flaws
Line 7187: 2018-05-26 16:00:27,997 INFO SecurityAnalyzer.Processor Process Total time = 0.6871416 seconds
Line 7414: 2018-05-26 16:00:29,367 INFO SecurityAnalyzer.Analyzer Run Process flaw 15 of 20 : XPath Injection
Line 7681: 2018-05-26 16:00:30,095 INFO SecurityAnalyzer.Analyzer Run Tested= 2 entrypoints, Found= 0 flaws
Line 7682: 2018-05-26 16:00:30,098 INFO SecurityAnalyzer.Processor Process Total time = 0.7317596 seconds
Line 7909: 2018-05-26 16:00:32,429 INFO SecurityAnalyzer.Analyzer Run Process flaw 16 of 20 : Log Forging
Line 8172: 2018-05-26 16:00:33,130 INFO SecurityAnalyzer.Analyzer Run Tested= 0 entrypoints, Found= 0 flaws
Line 8173: 2018-05-26 16:00:33,131 INFO SecurityAnalyzer.Processor Process Total time = 0.7014961 seconds
Line 8400: 2018-05-26 16:00:35,401 INFO SecurityAnalyzer.Analyzer Run Process flaw 17 of 20 : Uncontrolled Format String
Line 8694: 2018-05-26 16:00:39,331 INFO SecurityAnalyzer.Analyzer Run Tested= 15 entrypoints, Found= 1 flaws
Line 8695: 2018-05-26 16:00:39,338 INFO SecurityAnalyzer.Processor Process Total time = 3.9366972 seconds
Line 8922: 2018-05-26 16:00:41,494 INFO SecurityAnalyzer.Analyzer Run Process flaw 18 of 20 : Hard-coded Credentials
Line 8932: 2018-05-26 16:00:41,522 INFO SecurityAnalyzer.Analyzer Run Tested= 0 entrypoints, Found= 0 flaws
Line 8933: 2018-05-26 16:00:41,522 INFO SecurityAnalyzer.Processor Process Total time = 0.0280247 seconds
Line 9184: 2018-05-26 16:00:43,549 INFO SecurityAnalyzer.Analyzer Run Process flaw 19 of 20 : Use of Insufficiently Random Values
Line 9190: 2018-05-26 16:00:43,911 INFO SecurityAnalyzer.Analyzer Run Tested= 104 entrypoints, Found= 0 flaws
Line 9191: 2018-05-26 16:00:43,913 INFO SecurityAnalyzer.Processor Process Total time = 0.363257 seconds
Line 9466: 2018-05-26 16:00:46,037 INFO SecurityAnalyzer.Analyzer Run Process flaw 20 of 20 : Secured cookie
Line 9467: 2018-05-26 16:00:46,137 INFO SecurityAnalyzer.Analyzer Run Tested= 0 entrypoints, Found= 0 flaws
Line 9468: 2018-05-26 16:00:46,137 INFO SecurityAnalyzer.Processor Process Total time = 0.1000247 seconds
Sample output AIP 8.3.7+ (first part of result for the second regexp)
Search "Process flaw|Found=|\([1-9]\d*\)" (516 hits in 1 file)
C:\CASTMS\LISA\b44706a102a14a0a92aa88ac35501983\Scr4c2ba846fe34426aba482a3cb6ad2124\SecurityAnalyzer.log (516 hits)
Line 2848: [cast#lib]Network.read() (341)
Line 2915: [javax.servlet_3.0.0.jar]javax.servlet.http.HttpServletRequestWrapper.getParameterMap() (2)
Line 2916: [javax.servlet_3.0.0.jar]javax.servlet.http.HttpServletRequestWrapper.getParameterValues([ext]java.lang.String) (4)
Line 2918: [javax.servlet_3.0.0.jar]javax.servlet.http.HttpServletRequestWrapper.getParameter([ext]java.lang.String) (144)
Line 2920: [sm-core_b5104ed7]com.salesmanager.core.util.www.integration.fb.FacebookIntegrationFactory.getFacebookUser(ref [javax.servlet-api-3.1.0]javax.servlet.http.HttpServletRequest,ref [sm-core_b5104ed7]com.salesmanager.core.entity.reference.Page) (1)
Line 2921: [sm-core_b5104ed7]com.salesmanager.core.module.impl.application.files.LocalFileImpl.getFileInputStream(ref [javax.servlet-api-3.1.0]javax.servlet.http.HttpServletRequest) (1)
Line 2922: [sm-central_9fda809a]com.salesmanager.central.orders.OrderListAction.getOrdersList() (2)
Line 2923: [javax.servlet_3.0.0.jar]javax.servlet.http.HttpServletRequest.getParameterMap() (2)
Line 2924: [javax.servlet_3.0.0.jar]javax.servlet.http.HttpServletRequest.getParameterValues([ext]java.lang.String) (4)
Line 2926: [javax.servlet_3.0.0.jar]javax.servlet.http.HttpServletRequest.getParameter([ext]java.lang.String) (144)
Line 2931: [javax.servlet_3.0.0.jar]javax.servlet.ServletRequestWrapper.getParameterMap() (2)
Line 2932: [javax.servlet_3.0.0.jar]javax.servlet.ServletRequestWrapper.getParameterValues([ext]java.lang.String) (4)
Line 2934: [javax.servlet_3.0.0.jar]javax.servlet.ServletRequestWrapper.getParameter([ext]java.lang.String) (144)
Line 2939: [javax.servlet_3.0.0.jar]javax.servlet.http.Cookie.getValue() (9)
Line 2944: [javax.servlet_3.0.0.jar]javax.servlet.ServletRequest.getParameterMap() (3)
Line 2945: [javax.servlet_3.0.0.jar]javax.servlet.ServletRequest.getParameterValues([ext]java.lang.String) (6)
Line 2947: [javax.servlet_3.0.0.jar]javax.servlet.ServletRequest.getParameter([ext]java.lang.String) (216)
Line 2949: [1-javax.jar]javax.servlet.ServletRequest.getParameterMap() (3)
Line 2958: [1-javax.jar]javax.servlet.http.HttpServletRequest.getParameterMap() (2)
Line 2959: [javax.servlet_3.0.0.jar]javax.servlet.ServletRequest.getParameterMap() (3)
Line 2960: [1-javax.jar]javax.servlet.http.HttpServletRequest.getParameterValues([ext]java.lang.String) (4)
Line 2961: [javax.servlet_3.0.0.jar]javax.servlet.ServletRequest.getParameterValues([ext]java.lang.String) (6)
Line 2964: [1-javax.jar]javax.servlet.http.HttpServletRequest.getParameter([ext]java.lang.String) (144)
Line 2965: [javax.servlet_3.0.0.jar]javax.servlet.ServletRequest.getParameter([ext]java.lang.String) (216)
Line 2970: [javax.servlet_3.0.0.jar]javax.servlet.http.Cookie.getValue() (9)
Line 2974: [1-javax.jar]javax.servlet.ServletRequest.getParameterValues([ext]java.lang.String) (6)
Line 2976: [1-javax.jar]javax.servlet.ServletRequest.getParameter([ext]java.lang.String) (216)
Line 2981: [1-javax.jar]javax.servlet.http.Cookie.getValue() (9)
Line 3196: 2018-11-14 00:13:26,241 INFO SecurityAnalyzer.Processor+<>c__DisplayClassf <Process>b__8 Process flaw 1 of 20 : Path Manipulation
Line 3822: 2018-11-14 00:14:21,578 INFO SecurityAnalyzer.Processor+<>c__DisplayClassf <Process>b__8 Tested= 617 entrypoints, Found= 8 flaws
....
(list of input methods is repeated for each flaw type)
Sample output AIP 8.3.13 (first part of result for the second regexp)
Search "!!!" (40 hits in 1 file)
C:\CASTMS\Log8313\Shopi_8313\Take_a_snapshot_of_205\SecurityAnalyzer-20190601-093440.log (40 hits)
Line 3569: 2019-06-01 09:35:36,234 INFO SecurityAnalyzer.Processor AnalyzeFlawType !!!Process flaw 1 of 20: Path manipulation
Line 4328: 2019-06-01 09:35:58,771 INFO SecurityAnalyzer.Processor AnalyzeFlawType !!!Tested= 758 entrypoints, Found= 3 flaws
Line 7416: 2019-06-01 09:36:05,355 INFO SecurityAnalyzer.Processor AnalyzeFlawType !!!Process flaw 2 of 20: Cross-site scripting (reflected) & Cross-site scripting (persistent)
Line 8752: 2019-06-01 09:37:27,269 INFO SecurityAnalyzer.Processor AnalyzeFlawType !!!Tested= 1335 entrypoints, Found= 122 flaws
Line 11765: 2019-06-01 09:37:34,027 INFO SecurityAnalyzer.Processor AnalyzeFlawType !!!Process flaw 3 of 20: Request parameters in session
Line 12618: 2019-06-01 09:39:39,776 INFO SecurityAnalyzer.Processor AnalyzeFlawType !!!Tested= 828 entrypoints, Found= 348 flaws
Line 15625: 2019-06-01 09:39:47,459 INFO SecurityAnalyzer.Processor AnalyzeFlawType !!!Process flaw 4 of 20: HTTP response splitting
Line 15758: 2019-06-01 09:39:47,522 INFO SecurityAnalyzer.Processor AnalyzeFlawType !!!Tested= 132 entrypoints, Found= 0 flaws
Line 18765: 2019-06-01 09:39:54,255 INFO SecurityAnalyzer.Processor AnalyzeFlawType !!!Process flaw 5 of 20: Resource injection
Line 18766: 2019-06-01 09:39:54,255 INFO SecurityAnalyzer.Processor AnalyzeFlawType !!!Tested= 0 entrypoints, Found= 0 flaws
Line 21845: 2019-06-01 09:40:02,320 INFO SecurityAnalyzer.Processor AnalyzeFlawType !!!Process flaw 6 of 20: Resource URL manipulation
Line 21846: 2019-06-01 09:40:02,321 INFO SecurityAnalyzer.Processor AnalyzeFlawType !!!Tested= 0 entrypoints, Found= 0 flaws
Line 24949: 2019-06-01 09:40:09,283 INFO SecurityAnalyzer.Processor AnalyzeFlawType !!!Process flaw 7 of 20: SQL injection & Second order SQL injection
Line 25153: 2019-06-01 09:40:11,302 INFO SecurityAnalyzer.Processor AnalyzeFlawType !!!Tested= 179 entrypoints, Found= 0 flaws
Line 28184: 2019-06-01 09:40:19,831 INFO SecurityAnalyzer.Processor AnalyzeFlawType !!!Process flaw 8 of 20: LDAP injection
Line 28185: 2019-06-01 09:40:19,831 INFO SecurityAnalyzer.Processor AnalyzeFlawType !!!Tested= 0 entrypoints, Found= 0 flaws
Line 31192: 2019-06-01 09:40:25,939 INFO SecurityAnalyzer.Processor AnalyzeFlawType !!!Process flaw 9 of 20: LDAP attribute injection
Line 31193: 2019-06-01 09:40:25,939 INFO SecurityAnalyzer.Processor AnalyzeFlawType !!!Tested= 0 entrypoints, Found= 0 flaws
Line 34248: 2019-06-01 09:40:31,850 INFO SecurityAnalyzer.Processor AnalyzeFlawType !!!Process flaw 10 of 20: OS command injection
Line 34249: 2019-06-01 09:40:31,850 INFO SecurityAnalyzer.Processor AnalyzeFlawType !!!Tested= 0 entrypoints, Found= 0 flaws
Line 37256: 2019-06-01 09:40:36,787 INFO SecurityAnalyzer.Processor AnalyzeFlawType !!!Process flaw 11 of 20: Process control
Line 37257: 2019-06-01 09:40:36,787 INFO SecurityAnalyzer.Processor AnalyzeFlawType !!!Tested= 0 entrypoints, Found= 0 flaws
Line 40264: 2019-06-01 09:40:41,866 INFO SecurityAnalyzer.Processor AnalyzeFlawType !!!Process flaw 12 of 20: Denial of service threat
Line 40267: 2019-06-01 09:40:42,116 INFO SecurityAnalyzer.Processor AnalyzeFlawType !!!Tested= 2 entrypoints, Found= 0 flaws
Line 43274: 2019-06-01 09:40:47,775 INFO SecurityAnalyzer.Processor AnalyzeFlawType !!!Process flaw 13 of 20: Code injection
Line 43275: 2019-06-01 09:40:47,776 INFO SecurityAnalyzer.Processor AnalyzeFlawType !!!Tested= 0 entrypoints, Found= 0 flaws
Line 46380: 2019-06-01 09:40:53,955 INFO SecurityAnalyzer.Processor AnalyzeFlawType !!!Process flaw 14 of 20: Reflection injection
Line 46393: 2019-06-01 09:40:56,452 INFO SecurityAnalyzer.Processor AnalyzeFlawType !!!Tested= 12 entrypoints, Found= 1 flaws
Line 49400: 2019-06-01 09:41:01,856 INFO SecurityAnalyzer.Processor AnalyzeFlawType !!!Process flaw 15 of 20: XPath injection
Line 49401: 2019-06-01 09:41:01,857 INFO SecurityAnalyzer.Processor AnalyzeFlawType !!!Tested= 0 entrypoints, Found= 0 flaws
Line 52408: 2019-06-01 09:41:08,767 INFO SecurityAnalyzer.Processor AnalyzeFlawType !!!Process flaw 16 of 20: Log forging
Line 53966: 2019-06-01 09:43:05,014 INFO SecurityAnalyzer.Processor AnalyzeFlawType !!!Tested= 1509 entrypoints, Found= 22 flaws
Line 56974: 2019-06-01 09:43:12,393 INFO SecurityAnalyzer.Processor AnalyzeFlawType !!!Process flaw 17 of 20: Uncontrolled format string
Line 56995: 2019-06-01 09:43:16,628 INFO SecurityAnalyzer.Processor AnalyzeFlawType !!!Tested= 20 entrypoints, Found= 8 flaws
Line 59721: 2019-06-01 09:43:23,127 INFO SecurityAnalyzer.Processor AnalyzeFlawType !!!Process flaw 18 of 20: Hard-coded credentials
Line 59722: 2019-06-01 09:43:23,129 INFO SecurityAnalyzer.Processor AnalyzeFlawType !!!Tested= 0 entrypoints, Found= 0 flaws
Line 62396: 2019-06-01 09:43:33,012 INFO SecurityAnalyzer.Processor AnalyzeFlawType !!!Process flaw 19 of 20: Use of insufficiently random values
Line 62397: 2019-06-01 09:43:33,015 INFO SecurityAnalyzer.Processor AnalyzeFlawType !!!Tested= 3751 entrypoints, Found= 0 flaws
Line 65067: 2019-06-01 09:43:39,029 INFO SecurityAnalyzer.Processor AnalyzeFlawType !!!Process flaw 20 of 20: Secured cookie
Line 65072: 2019-06-01 09:43:39,068 INFO SecurityAnalyzer.Processor AnalyzeFlawType !!!Tested= 4 entrypoints, Found= 7 flaws
Search "\([1-9]\d*\)" (1110 hits in 1 file)
C:\CASTMS\Log8313\Shopi_8313\Take_a_snapshot_of_205\SecurityAnalyzer-20190601-093440.log (1110 hits)
Line 3145: [cast#lib]Network.read() (374)
Line 3212: [javax.servlet_3.0.0.jar]javax.servlet.http.HttpServletRequestWrapper.getParameterMap() (2)
Line 3213: [javax.servlet_3.0.0.jar]javax.servlet.http.HttpServletRequestWrapper.getParameterValues([ext]java.lang.String) (4)
Line 3215: [javax.servlet_3.0.0.jar]javax.servlet.http.HttpServletRequestWrapper.getParameter([ext]java.lang.String) (144)
Line 3217: [sm-core_16ab3c85]com.salesmanager.core.util.www.integration.fb.FacebookIntegrationFactory.getFacebookUser(ref [javax.servlet-api-3.1.0]javax.servlet.http.HttpServletRequest,ref [sm-core_16ab3c85]com.salesmanager.core.entity.reference.Page) (1)
Line 3218: [sm-core_16ab3c85]com.salesmanager.core.module.impl.application.files.LocalFileImpl.getFileInputStream(ref [javax.servlet-api-3.1.0]javax.servlet.http.HttpServletRequest) (1)
Line 3219: [sm-central_b1580b97]com.salesmanager.central.orders.OrderListAction.getOrdersList() (2)
Line 3220: [javax.servlet_3.0.0.jar]javax.servlet.http.HttpServletRequest.getParameterMap() (2)
Line 3221: [javax.servlet_3.0.0.jar]javax.servlet.http.HttpServletRequest.getParameterValues([ext]java.lang.String) (4)
Line 3223: [javax.servlet_3.0.0.jar]javax.servlet.http.HttpServletRequest.getParameter([ext]java.lang.String) (144)
Line 3228: [javax.servlet_3.0.0.jar]javax.servlet.ServletRequestWrapper.getParameterMap() (2)
Line 3229: [javax.servlet_3.0.0.jar]javax.servlet.ServletRequestWrapper.getParameterValues([ext]java.lang.String) (4)
Line 3231: [javax.servlet_3.0.0.jar]javax.servlet.ServletRequestWrapper.getParameter([ext]java.lang.String) (144)
Line 3236: [javax.servlet_3.0.0.jar]javax.servlet.http.Cookie.getValue() (9)
Line 3241: [javax.servlet_3.0.0.jar]javax.servlet.ServletRequest.getParameterMap() (3)
Line 3242: [javax.servlet_3.0.0.jar]javax.servlet.ServletRequest.getParameterValues([ext]java.lang.String) (6)
Line 3244: [javax.servlet_3.0.0.jar]javax.servlet.ServletRequest.getParameter([ext]java.lang.String) (216)
Line 3246: [1-javax.jar]javax.servlet.ServletRequest.getParameterMap() (3)
Line 3255: [1-javax.jar]javax.servlet.http.HttpServletRequest.getParameterMap() (2)
Line 3256: [javax.servlet_3.0.0.jar]javax.servlet.ServletRequest.getParameterMap() (3)
Line 3257: [1-javax.jar]javax.servlet.http.HttpServletRequest.getParameterValues([ext]java.lang.String) (4)
Line 3258: [javax.servlet_3.0.0.jar]javax.servlet.ServletRequest.getParameterValues([ext]java.lang.String) (6)
Line 3261: [1-javax.jar]javax.servlet.http.HttpServletRequest.getParameter([ext]java.lang.String) (144)
Line 3262: [javax.servlet_3.0.0.jar]javax.servlet.ServletRequest.getParameter([ext]java.lang.String) (216)
Line 3267: [javax.servlet_3.0.0.jar]javax.servlet.http.Cookie.getValue() (9)
Line 3271: [1-javax.jar]javax.servlet.ServletRequest.getParameterValues([ext]java.lang.String) (6)
Line 3273: [1-javax.jar]javax.servlet.ServletRequest.getParameter([ext]java.lang.String) (216)
Line 3278: [1-javax.jar]javax.servlet.http.Cookie.getValue() (9)
Line 3505: [Shopizer_iter#1.jar]com.opensymphony.xwork2.TextProvider.getText([rt.jar]java.lang.String,[rt.jar]java.util.List) (1)
Line 3506: [classpath]com.salesmanager.core.util.StrutsLabelUtil.getText(ref [ee.minimum-1.2.1]java.util.Locale,ref [ee.minimum-1.2.1]java.lang.String,ref [ee.minimum-1.2.1]java.lang.Object) (1)
Line 3507: [sm-core_16ab3c85]com.salesmanager.core.util.LabelUtil.getText(ref [ee.minimum-1.2.1]java.util.Locale,ref [ee.minimum-1.2.1]java.lang.String,ref [ee.minimum-1.2.1]java.lang.Object) (10)
Line 3508: [sm-core_16ab3c85]com.salesmanager.core.service.shipping.ShippingService.getShippingQuote(ref [classpath]java.util.Collection,ref [sm-core_16ab3c85]com.salesmanager.core.entity.customer.Customer,[rt.jar]int,ref [ee.minimum-1.2.1]java.util.Locale,ref [ee.minimum-1.2.1]java.lang.String) (3)
Line 3510: [Shopizer_iter#1.jar]com.opensymphony.xwork2.TextProvider.getText([rt.jar]java.lang.String,[]java.lang.String[]) (1)
Line 3511: [classpath]com.salesmanager.core.util.StrutsLabelUtil.getText(ref [ee.minimum-1.2.1]java.util.Locale,ref [ee.minimum-1.2.1]java.lang.String,ref [ee.minimum-1.2.1]java.lang.String) (1)
Line 3512: [sm-core_16ab3c85]com.salesmanager.core.util.LabelUtil.getText(ref [ee.minimum-1.2.1]java.lang.String,ref [ee.minimum-1.2.1]java.lang.String,ref [ee.minimum-1.2.1]java.lang.String) (4)
Line 3513: [Shopizer_iter#1.jar]com.opensymphony.xwork2.TextProvider.getText([rt.jar]java.lang.String) (1)
Line 3514: [classpath]com.salesmanager.core.util.StrutsLabelUtil.getText(ref [ee.minimum-1.2.1]java.util.Locale,ref [ee.minimum-1.2.1]java.lang.String) (4)
Line 3515: [sm-core_16ab3c85]com.salesmanager.core.util.LabelUtil.getText(ref [ee.minimum-1.2.1]java.lang.String,ref [ee.minimum-1.2.1]java.lang.String) (78)
Line 3516: [sm-core_16ab3c85]com.salesmanager.core.util.LabelUtil.getText(ref [ee.minimum-1.2.1]java.util.Locale,ref [ee.minimum-1.2.1]java.lang.String) (161)
Line 3517: [sm-core_16ab3c85]com.salesmanager.core.util.OrderUtil.getOrderTotals([rt.jar]long,ref [sm-core_16ab3c85]com.salesmanager.core.entity.orders.OrderTotalSummary,ref [ee.minimum-1.2.1]java.lang.String,ref [ee.minimum-1.2.1]java.util.Locale) (6)
Line 3518: [sm-core_16ab3c85]com.salesmanager.core.module.impl.integration.shipping.USPSQuotesImpl.getShippingMethodDescription(ref [ee.minimum-1.2.1]java.util.Locale) (2)
Line 3519: [sm-core_16ab3c85]com.salesmanager.core.module.impl.integration.shipping.USPSQuotesImpl.getShippingQuote(ref [sm-core_16ab3c85]com.salesmanager.core.service.merchant.ConfigurationResponse,ref [ee.minimum-1.2.1]java.math.BigDecimal,ref [classpath]java.util.Collection,ref [sm-core_16ab3c85]com.salesmanager.core.entity.customer.Customer,ref [sm-core_16ab3c85]com.salesmanager.core.entity.merchant.MerchantStore,ref [ee.minimum-1.2.1]java.util.Locale) (1)
Line 3520: [sm-core_16ab3c85]com.salesmanager.core.module.impl.integration.shipping.UPSQuotesImpl.getShippingQuote(ref [sm-core_16ab3c85]com.salesmanager.core.service.merchant.ConfigurationResponse,ref [ee.minimum-1.2.1]java.math.BigDecimal,ref [classpath]java.util.Collection,ref [sm-core_16ab3c85]com.salesmanager.core.entity.customer.Customer,ref [sm-core_16ab3c85]com.salesmanager.core.entity.merchant.MerchantStore,ref [ee.minimum-1.2.1]java.util.Locale) (1)
Line 3521: [sm-core_16ab3c85]com.salesmanager.core.module.impl.integration.shipping.UPSQuotesImpl.getShippingMethodDescription(ref [ee.minimum-1.2.1]java.util.Locale) (2)
Line 3522: [sm-core_16ab3c85]com.salesmanager.core.module.impl.integration.shipping.FedexQuotesImpl.getShippingQuote(ref [sm-core_16ab3c85]com.salesmanager.core.service.merchant.ConfigurationResponse,ref [ee.minimum-1.2.1]java.math.BigDecimal,ref [classpath]java.util.Collection,ref [sm-core_16ab3c85]com.salesmanager.core.entity.customer.Customer,ref [sm-core_16ab3c85]com.salesmanager.core.entity.merchant.MerchantStore,ref [ee.minimum-1.2.1]java.util.Locale) (1)
Line 3523: [sm-core_16ab3c85]com.salesmanager.core.module.impl.integration.shipping.FedexQuotesImpl.getShippingMethodDescription(ref [ee.minimum-1.2.1]java.util.Locale) (1)
Line 3524: [sm-core_16ab3c85]com.salesmanager.core.module.impl.integration.shipping.FedexGroundQuotesImpl.getShippingQuote(ref [sm-core_16ab3c85]com.salesmanager.core.service.merchant.ConfigurationResponse,ref [ee.minimum-1.2.1]java.math.BigDecimal,ref [classpath]java.util.Collection,ref [sm-core_16ab3c85]com.salesmanager.core.entity.customer.Customer,ref [sm-core_16ab3c85]com.salesmanager.core.entity.merchant.MerchantStore,ref [ee.minimum-1.2.1]java.util.Locale) (1)
Line 3525: [sm-core_16ab3c85]com.salesmanager.core.module.impl.integration.shipping.FedexGroundQuotesImpl.getShippingMethodDescription(ref [ee.minimum-1.2.1]java.util.Locale) (1)
Line 3526: [sm-core_16ab3c85]com.salesmanager.core.module.impl.integration.shipping.FedexExpressQuotesImpl.getShippingQuote(ref [sm-core_16ab3c85]com.salesmanager.core.service.merchant.ConfigurationResponse,ref [ee.minimum-1.2.1]java.math.BigDecimal,ref [classpath]java.util.Collection,ref [sm-core_16ab3c85]com.salesmanager.core.entity.customer.Customer,ref [sm-core_16ab3c85]com.salesmanager.core.entity.merchant.MerchantStore,ref [ee.minimum-1.2.1]java.util.Locale) (1)
Line 3527: [sm-core_16ab3c85]com.salesmanager.core.module.impl.integration.shipping.FedexExpressQuotesImpl.getShippingMethodDescription(ref [ee.minimum-1.2.1]java.util.Locale) (1)
Line 3528: [sm-core_16ab3c85]com.salesmanager.core.module.impl.integration.shipping.CanadaPostQuotesImpl.getShippingMethodDescription(ref [ee.minimum-1.2.1]java.util.Locale) (2)
Line 3529: [sm-core_16ab3c85]com.salesmanager.core.module.impl.integration.shipping.CanadaPostQuotesImpl.getShippingQuote(ref [sm-core_16ab3c85]com.salesmanager.core.service.merchant.ConfigurationResponse,ref [ee.minimum-1.2.1]java.math.BigDecimal,ref [classpath]java.util.Collection,ref [sm-core_16ab3c85]com.salesmanager.core.entity.customer.Customer,ref [sm-core_16ab3c85]com.salesmanager.core.entity.merchant.MerchantStore,ref [ee.minimum-1.2.1]java.util.Locale) (1)
Line 3531: [sm-core_16ab3c85]com.salesmanager.core.module.impl.application.prices.OneTimePriceModule.getHtmlPriceFormated(ref [ee.minimum-1.2.1]java.lang.String,ref [sm-core_16ab3c85]com.salesmanager.core.entity.catalog.ProductPrice,ref [ee.minimum-1.2.1]java.util.Locale,ref [ee.minimum-1.2.1]java.lang.String) (1)
Line 3533: [sm-core_16ab3c85]com.salesmanager.core.module.impl.application.prices.MonthlyPriceModule.getPriceSuffixText(ref [ee.minimum-1.2.1]java.lang.String,ref [ee.minimum-1.2.1]java.util.Locale) (5)
Line 3534: [sm-core_16ab3c85]com.salesmanager.core.entity.catalog.ProductPrice.getPriceSuffix() (2)
Line 3535: [sm-core_16ab3c85]com.salesmanager.core.module.impl.application.prices.MonthlyPriceModule.getHtmlPriceFormated(ref [ee.minimum-1.2.1]java.lang.String,ref [sm-core_16ab3c85]com.salesmanager.core.entity.catalog.ProductPrice,ref [ee.minimum-1.2.1]java.util.Locale,ref [ee.minimum-1.2.1]java.lang.String) (1)
Line 3540: [sm-core_16ab3c85]com.salesmanager.core.entity.reference.CentralMeasureUnits.getDescription() (2)
Line 3541: [sm-core_16ab3c85]com.salesmanager.core.entity.payment.CreditCard.getCreditCardName() (3)
Line 3542: [sm-core_16ab3c85]com.salesmanager.core.entity.catalog.ProductPrice.getDescription() (2)
Line 3543: [sm-core_16ab3c85]com.salesmanager.core.util.LabelUtil.getText(ref [javax.servlet-api-3.1.0]javax.servlet.http.HttpServletRequest,ref [ee.minimum-1.2.1]java.lang.String) (1)
Line 3545: [sm-core_16ab3c85]com.salesmanager.core.util.LabelUtil.getText(ref [ee.minimum-1.2.1]java.lang.String) (234)
Line 3546: [sm-core_16ab3c85]com.salesmanager.core.entity.reference.CoreModuleService.getDescription() (1)
Line 3549: [sm-central_b1580b97]com.salesmanager.central.merchantstore.StoreFrontContentAction.getTemplateSectionIds() (4)
Line 3550: [Shopizer_iter#1.jar]com.opensymphony.xwork2.ActionSupport.getText([rt.jar]java.lang.String,[]java.lang.String[]) (36)
Line 3551: [Shopizer_iter#1.jar]com.opensymphony.xwork2.ActionSupport.getText([rt.jar]java.lang.String) (183)
....
(list of input methods is repeated for each flaw type)
Here is a sample crash caused by a blackbox file clash (duplicate definitions); see the screenshot below. Action: remove the unwanted blackbox file, then rerun the User Input Security analysis.
How to account for SpringMVC and/or JAX-RS service entry points in the listing of input methods?
The log itself is too vague in this area (still as of 8.3.23): both messages in the input section of the log get a (0) count whatever the content of the generated blackbox files. As a workaround, the content of the files must be checked manually in the appropriate folders, i.e. the subfolders of the byteCode folder named com.castsoftware.springmvc and com.castsoftware.jaxrs respectively.
2019-12-16 17:38:43,767 [1] INFO Start search of flaw sources
2019-12-16 17:38:43,767 [1] INFO Starting search of inputs for [cast#lib]Network.read()
2019-12-16 17:38:44,017 [1] INFO Inputs:
[cast#lib]Network.read() (464)
...
[System.Web]System.Web.UI.ITextControl.get_Text() (0)
[SpringMVCServiceEntryPoints]generated.EntryPoints.CallEntryPoints() (0)
[JAXRSServiceEntryPoints]com.castsoftware.jaxrs.CallEntryPoints() (0)
[kafka_input_2.1.0-alpha1]org.apache.kafka.clients.consumer.Consumer.poll([rt.jar]java.time.Duration) (0)
[kafka_input_2.1.0-alpha1]org.apache.kafka.clients.consumer.Consumer.poll([kafka_input_2.1.0-alpha1]long) (0)
2019-12-16 17:38:44,018 [1] INFO 372 flaw sources found
2019-12-16 17:38:44,018 [1] INFO 372 flaw sources found
2019-12-16 17:38:44,018 [1] INFO 0 additional flaw sources found
2019-12-16 17:38:44,206 [1] INFO !!!Process flaw 1 of 23: Path manipulation
...