Assignment 1 team 9


  • 8/7/2019 Assignment 1 team 9

    1/13

    CSE 4392/5388 Assignment 1, Spring 2011

    Team 9 [Kathy Foss, Mitali Bakshi, Dengfeng Xia, Vishal Subramani]

    Part 1: Done

    Part 2: Done

    Part 3:

    a) Create a Project Summary.

    Fig 1: Project Summary For Cleansheets 1 version 1.1


    b) Manual Audit:

    1) How large is the application?

    145 files, 19,206 lines of code, 1.51 MB on disk.

    2) What specific technologies are involved?

    Java

    3) What is the basic design of the application?

    It is a spreadsheet application written in Java that uses Java GUI features.

    4) Who are the likely attackers?

    Spreadsheet applications are database related and hold important, sensitive information about the company, so the likely attackers could be the users of the application, the network administrators, or any other person who can gain or has gained access to the spreadsheet.

    5) What would an attacker hope to achieve?

    The spreadsheet application can provide a user with a list of files on disk which contain sensitive information. Also, if the attacker injects malicious JavaScript into the application files, the attacker can tamper with the data associated with the application.


    6) How are the developers trying to protect the application?

    The developers have tried to introduce try/catch blocks to catch most of the exceptions; however, they have left 21 I/O catch blocks empty, which could prove fatal for the system. For example, the developers have left the catch block associated with the spreadsheet formula input empty, and this is where an attacker might inject malicious code as input which the system will not handle.

    7) What areas of the application will likely attract the attention of the attacker?

    Areas like the Empty Stack exceptions and the blank I/O exceptions will attract the attacker's attention. Since Java is used, an attacker who has the skill to break Java applications will be tempted to use the exception classes in a malicious way. If the attacker is able to get around the privilege level, he can tamper with the data associated with the application on the given disk.

    8) What sort of techniques might an attacker use to subvert the application?

    The attacker can get hold of the printed stack trace to leak system information. There are 4 dead-code findings for unused fields, so the attacker might put these unused fields to malicious use. SQL injection could be employed by the attacker to subvert the application.
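    The two catch-block patterns named in questions 6 and 8 (an empty I/O catch block, and a stack trace printed where the user can read it), shown beside a hardened version of the same read. This is a constructed example added here, not CleanSheets code; the class and method names and the use of java.util.logging are assumptions.

```java
import java.io.BufferedReader;
import java.io.FileReader;
import java.io.IOException;
import java.util.UUID;
import java.util.logging.Level;
import java.util.logging.Logger;

// Constructed example, not CleanSheets code: the two catch-block patterns the
// audit flags, beside a hardened version of the same read.
public class SheetLoader {
    private static final Logger LOG = Logger.getLogger(SheetLoader.class.getName());

    // WEAK (Poor Error Handling: Empty Catch Block): a failed read is silently
    // swallowed, the caller continues with null, and the real cause is lost.
    static String firstLineEmptyCatch(String path) {
        String line = null;
        try (BufferedReader in = new BufferedReader(new FileReader(path))) {
            line = in.readLine();
        } catch (IOException e) {
            // empty on purpose: this is the pattern counted 21 times in the audit
        }
        return line;
    }

    // WEAK (System Information Leak): the stack trace goes to the console or
    // response the user sees and discloses file paths, class names and line numbers.
    static String firstLineLeaky(String path) {
        try (BufferedReader in = new BufferedReader(new FileReader(path))) {
            return in.readLine();
        } catch (IOException e) {
            e.printStackTrace();   // the sink the analyzer reports
            return null;
        }
    }

    // HARDENED: full detail is logged internally under a correlation id; the
    // caller gets a typed exception carrying only the id and a generic message.
    static String firstLineSafe(String path) throws SheetLoadException {
        try (BufferedReader in = new BufferedReader(new FileReader(path))) {
            return in.readLine();
        } catch (IOException e) {
            String ref = UUID.randomUUID().toString();
            LOG.log(Level.WARNING, "sheet read failed, ref " + ref, e); // detail stays server-side
            throw new SheetLoadException("Could not read sheet (ref " + ref + ")");
        }
    }

    static class SheetLoadException extends Exception {
        SheetLoadException(String msg) { super(msg); }
    }
}
```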

    9) What risks would a successful attack pose to the company?

    The company's sensitive information might be leaked, and the customers of the company might lose confidence in the company's privacy policies. The company might lose financially if the spreadsheet is used for financial purposes, and it might also lose its reputation.


    c) The complete audit report is submitted as a web page named CleanSheets1-audit.

    d) 1st Issue: System Information Leak (Semantic)

    Fig 2. Source code that corresponds to a sink for a system information leak.

    Fig 3. The issue summary panel for system information leak


    Fig 4. Detailed Description of a System Information Leak Issue.

    2nd Issue: Denial of Service

    Fig 5. Source code that corresponds to a sink for Denial of Service.


    Fig 6. The issue summary panel for Denial of Service

    Fig 7. Detailed Description of a Denial of Service


    e) Issue: Denial of Service

    Fig 8. Bug Report.

    Fig 9. Denial of Service Audited and Reviewed.


    Fig 10: Blue solid circle annotates Issue audited.

    f) Simple regular expression to catch Constructor Invocation in CleanSheets.java

    RULES:

    00001

    Fortify Software Custom Rulepack

    1.0

    Custom rulepack for WebGoat


    A090AAC1-9CA8-4F40-994D-8C30FC6D4671

    Constructor Invocation

    Constructor invoked

    4.0

    default

    csheets

    CleanSheets

    CleanSheets


    Results:

    Fig 11: After applying the rule, one hot issue named "Constructor invoked" is detected.
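    The page does not reproduce the team's regular expression, so the following is an added, constructed illustration of what a regex-based check for an invocation of the csheets.CleanSheets constructor looks like, together with the cases such a text-level rule gets right and wrong. The pattern, the scan helper and the sample source are all assumptions, not the team's rulepack or the CleanSheets code.

```java
import java.util.ArrayList;
import java.util.List;
import java.util.regex.Matcher;
import java.util.regex.Pattern;

// Constructed example, not the team's rulepack or the CleanSheets source:
// a regex-based check for the same thing the custom structural rule flags,
// an invocation of the csheets.CleanSheets constructor.
public class ConstructorInvocationScan {
    // "new", whitespace, an optional package qualifier, the class name as a
    // whole word, optional whitespace, "(". The trailing \b stops
    // "new CleanSheetsFactory(" from matching.
    static final Pattern NEW_CLEANSHEETS =
        Pattern.compile("\\bnew\\s+(?:csheets\\.)?CleanSheets\\b\\s*\\(");

    // Returns "line:column" for every invocation found. Line comments are
    // stripped first so commented-out code does not produce a finding; a
    // match inside a string literal would still be reported, which is the
    // kind of false positive a structural (AST-based) rule avoids.
    static List<String> scan(String source) {
        List<String> hits = new ArrayList<>();
        String[] lines = source.split("\n");
        for (int i = 0; i < lines.length; i++) {
            String code = lines[i].replaceAll("//.*$", "");
            Matcher m = NEW_CLEANSHEETS.matcher(code);
            while (m.find()) {
                hits.add((i + 1) + ":" + (m.start() + 1));
            }
        }
        return hits;
    }

    public static void main(String[] args) {
        // Constructed sample of the kind of code the rule is run over.
        String sample = String.join("\n",
            "package csheets;",
            "public class CleanSheets {",
            "    public static void main(String[] args) {",
            "        CleanSheets app = new CleanSheets();       // real invocation",
            "        // CleanSheets old = new CleanSheets();   // commented out",
            "        Object f = new CleanSheetsFactory();       // different class",
            "        Object g = new csheets.CleanSheets( );     // qualified name",
            "    }",
            "}");
        System.out.println(scan(sample));
    }
}
```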

    g) Rule to Remove J2EE Bad Practices: Leftover Debug Code (Encapsulation, Structural)

    Rules:

    00001

    Fortify Software Custom Rulepack

    1.0

    Custom rulepack for WebGoat


    A090AAC1-9CA8-4F40-994D-8C30FC6D4671

    Constructor Invocation

    Constructor invoked

    4.0

    default

    csheets

    CleanSheets

    CleanSheets

    625EEE1F-464F-42DC-85D6-269A637EF747

    csheets

    CleanSheets

    main

    return


    Result:

    Fig 12: Before applying the Rule


    Fig 13: After applying the rule.