Introduction and use analysis of commercial fortify white box artifacts

Source: Internet
Author: User
Tags: sca

1. What is Fortify and what can it do?

A: Fortify SCA is HP's static, white-box source code security testing tool. It uses five built-in analysis engines (data flow, semantic, structural, control flow and configuration) to analyze the application's source code statically. During the analysis it matches the code against its own rule set of software security vulnerabilities, so that security vulnerabilities in the source code can be found and reported.

2. How many languages does it support scanning?

A: The 21 languages supported by Fortify SCA are:

1. ASP.NET
2. VB.NET
3. C#.NET
4. ASP
5. VBScript
6. VS6
7. Java
8. JSP
9. JavaScript
10. HTML
11. XML
12. C/C++
13. PHP
14. T-SQL
15. PL/SQL
16. ActionScript
17. Objective-C (iPhone, 2012/5)
18. ColdFusion 5.0 (separate purchase)
19. Python (separate purchase)
20. COBOL (separate purchase)
21. SAP ABAP (separate purchase)

3. Is it free?

A: No, it is a paid product, and of course there is no cracked version available on the Internet. It seems to cost 0.1 million a month.

4. How to use it?

After Fortify is installed, open it. In the interface, select Advanced Scan.

It asks whether to update. I chose "No" because it is my private account: I purchased it in February for one month and I am afraid the update would not work. If you have purchased the product, you can select YES.

The following page is displayed after selection.

Browse selects the path in which the scan result is saved.

Click next.

Parameter description:

- Enable clean: clears the result of the previous scan. Unless you change the build ID, intermediate files from the last scan may affect the next one.
- Enable translation: converts the source code into NST files.
- -64: scan in 64-bit mode; SCA scans in 32-bit mode by default.
- -Xmx4000m: 4000M is about 4 GB of memory. -Xmx4G: the same value can also be given in G. Adding this parameter is recommended.
- -encoding: custom source encoding. UTF-8 covers the most cases; it is better to specify the character set the tool should use when parsing the code. Adding it is recommended, otherwise Chinese comments come out garbled.
- -disable-source-rendering: do not load code unrelated to the findings into the Audit Platform. Not recommended, because the code would then not be displayed completely.

Click Next

It asks: is this a J2EE web application?

Select No (because we are scanning PHP).

Then click Scan to start scanning. The progress dialog offers Always run in background, Run in background, Cancel and Details.

After scanning:

- None (other): 1
- A1 Injection: 7
- A3 XSS: 37
- A4 Insecure Direct Object References: 35
- A6 Sensitive Data Exposure: 4
- A10 Unvalidated Redirects and Forwards: 2

If the report is displayed in English, it can be switched to Chinese as follows:

The analysis diagram provided by the official website is as follows:

Vulnerability analysis. The "None" finding:

This is PHP's variable variable (`$$name`), which Chinese sources call "variable overwrite" for short.

Let's talk about how this vulnerability works:

Variable variables:

```php
$first = "hello";
$hello = "world";
echo $first . " " . $$first;
```

The result is hello world.

`$$first` is `$hello`, because the value of `$first` is hello.

But it is different in foreach:

```php
<?php
// Reconstructed from the garbled extraction: the opening line of this block was
// lost; iterating over $_GET is assumed from the demo.php?a=value example below.
foreach ($_GET as $key => $value) {   // inside foreach it is not the same
    echo $key;          // $key is the parameter name, e.g. a for http://www.com.com/demo.php?a=value
    $$key = $value;     // $ and $key are merged: $a = 'value', replacing any existing $a
}
echo '<br>';            // separator; the original tag was lost in extraction
echo $a;
?>
```
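The following is an added example, not code from the original article or from the scanned application. It puts the `$$key = $value` loop beside a handler that copies only the parameters the page expects, so a request cannot overwrite application variables; the request array and the `$is_admin` flag are constructed for illustration.

```php
<?php
// Added example: register-globals-style loop versus an allow-list of parameters.
// Constructed request, standing in for $_GET of demo.php?a=value&is_admin=1
$request = ['a' => 'value', 'is_admin' => '1'];

function vulnerableHandler(array $params): string
{
    $is_admin = false;             // decided by the application, not by the user
    foreach ($params as $key => $value) {
        $$key = $value;            // the key "is_admin" overwrites $is_admin
    }
    $role = $is_admin ? 'admin' : 'user';
    return $role . ' a=' . ($a ?? '');
}

function hardenedHandler(array $params): string
{
    $is_admin = false;
    $allowed  = ['a'];             // the only parameter this page reads
    $input    = [];
    foreach ($allowed as $name) {
        if (array_key_exists($name, $params)) {
            $input[$name] = (string) $params[$name];
        }
    }
    // $is_admin is never assigned from $params, so the request cannot change it
    $role = $is_admin ? 'admin' : 'user';
    return $role . ' a=' . ($input['a'] ?? '');
}

echo vulnerableHandler($request), "\n";
echo hardenedHandler($request), "\n";
```

Run with `php` on the command line: the first handler reports the requester as admin, the second does not.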

A1 injection vulnerability:

It is found that the `$c` variable is controlled by the client through a GET request.

The safe_replace function filters the following characters:

```php
function safe_replace($string) {
    $string = str_replace('%20', '', $string);
    $string = str_replace('%27', '', $string);
    $string = str_replace('%2527', '', $string);
    $string = str_replace('*', '', $string);
    $string = str_replace('"', '&quot;', $string);   // HTML entity lost in extraction, restored
    $string = str_replace("'", '', $string);
    $string = str_replace('"', '', $string);
    $string = str_replace(';', '', $string);
    $string = str_replace('<', '&lt;', $string);     // HTML entity lost in extraction, restored
    $string = str_replace('>', '&gt;', $string);     // HTML entity lost in extraction, restored
    $string = str_replace("{", '', $string);
    $string = str_replace('}', '', $string);
    $string = str_replace('//', '', $string);
    return $string;
}
```

`include $c . ".php";` appends ".php", so the intention is that only a .php file can be included.

However, in PHP versions earlier than 5.3.40 a null byte (%00) terminates the string, so everything after it is truncated .....
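The following is an added example, not code from the original article or from the scanned application. It shows why appending ".php" to a client-controlled name is not a sufficient check and how an allow-list plus a directory boundary check rejects the cases above; the page names, the `pages` directory and the sample inputs are constructed for illustration.

```php
<?php
// Added example: client-controlled include name versus an allow-listed one.
function resolveIncludeVulnerable(string $c): string
{
    // Appending ".php" does not constrain $c: "../config" still leaves the
    // intended directory, and on old PHP a trailing NUL drops the suffix.
    return $c . ".php";
}

function resolveIncludeSafe(string $c, string $baseDir): ?string
{
    // 1. Only page names this controller knows about are accepted at all.
    $allowed = ['index', 'list', 'show'];
    if (!in_array($c, $allowed, true)) {
        return null;
    }
    // 2. Build the path ourselves and confirm it resolves inside $baseDir.
    //    realpath() returns false for a missing file, which is also rejected.
    $path = realpath($baseDir . DIRECTORY_SEPARATOR . $c . '.php');
    $root = realpath($baseDir);
    if ($path === false || $root === false
        || strncmp($path, $root . DIRECTORY_SEPARATOR, strlen($root) + 1) !== 0) {
        return null;
    }
    return $path;
}

// Constructed inputs: a legitimate page, a traversal, a NUL-truncated name,
// and a name that exists nowhere in the allow-list.
foreach (['show', '../config', "show.txt\0", 'admin'] as $c) {
    printf("%-16s vulnerable=%s safe=%s\n",
        json_encode($c),
        resolveIncludeVulnerable($c),
        resolveIncludeSafe($c, __DIR__ . '/pages') ?? 'rejected');
}
```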

A3 XSS vulnerability:

```php
$field_sql = "update " . DB_PRE . "member set {$field_sql} where userid={$last_id}";
$query = $this->mysql->query($field_sql);
```

The data is written to the database without any restriction and is output without filtering, so the output directly results in XSS. (I will not explain each instance one by one.)

A4 insecure direct object reference vulnerability:

No limit is configured on the number of file uploads, which can be abused for attacks.

A6 sensitive data exposure vulnerability:

A10 unvalidated redirects and forwards vulnerability:

I will not go into who calls this function here; anyone who understands PHP can see the problem.

That is basically the whole process, but one reminder about memory: if you do not set the memory yourself, the tool sets it automatically. For example, if your computer has 8 GB of memory, it will be set to 8 GB, occupy all 8 GB and make your computer lag. Remember to set the memory before the next scan: if your computer has 8 GB and you give the scan 7 GB, you can still play 4399 mini-games with the 1 GB that is left. ~_~

* Contribution Author: Xidong,
