The rulepack augmented to include this rule is also available in <install_dir>/Tutorial/java/answers/exercise9/step2.xml
At the heart of a rule definition is the FunctionIdentifier tag. This tag controls which functions trigger the rule. A standard function identifier consists of a namespace (or package), a class, and a function, each of which can be represented either as a literal string (using the <Value> tag) or as a regular expression (using the <Pattern> tag). The overrides attribute controls whether the rule also matches methods in a subclass that override the specified method. The extends attribute controls whether the rule also matches methods in a subclass that are not defined in the parent class.
1. Change to the following directory:
<install_dir>/Tutorial/java/source/webgoat
13 Source Code Analysis Exercises for Java
2. Enter the following command:
sourceanalyzer -cp "WEB-INF/lib/*.jar" -f webgoat_custom.fpr -rules rules.xml
3. Switch to Audit Workbench.
4. Choose Import New SCA Analysis from the Tools menu, select the new results file webgoat_custom.fpr, and click Open.
5. Confirm that every call to session.WebSession.getUserName() is now flagged under the category Dangerous Input Source.
Introduce an Error and Lose Results
Writing rules can be a tricky process because errors are easy to introduce and sometimes hard to debug. To better understand the potential for error, modify the function identifier from the previous rule so that it incorrectly specifies the function getUserNames(), as shown in the following rule:
<SemanticRule formatVersion="3.2" language="java">
  <RuleID>A090AAC1-9CA8-4F40-994D-8C30FC6D4671</RuleID>
  <VulnKingdom>Input Validation and Representation</VulnKingdom>
  <VulnCategory>Dangerous Input Source</VulnCategory>
  <DefaultSeverity>4.0</DefaultSeverity>
  <Type>default</Type>
  <Description/>
  <FunctionIdentifier>
    <NamespaceName>
      <Value>session</Value>
    </NamespaceName>
    <ClassName>
      <Value>WebSession</Value>
    </ClassName>
    <FunctionName>
      <Value>getUserNames</Value>
    </FunctionName>
    <ApplyTo overrides="true" extends="true"/>
  </FunctionIdentifier>
</SemanticRule>
The rulepack augmented to reflect this change is also available in <install_dir>/Tutorial/java/answers/exercise9/step3.xml
1. Enter the following command:
sourceanalyzer -cp "WEB-INF/lib/*.jar" -f webgoat_custom.fpr -rules rules.xml
Exercise 9
2. Choose Import New SCA Analysis from the Tools menu, select the new results file webgoat_custom.fpr, and click Open.
3. Confirm that the new issues you produced no longer appear in the output, because the function identifier fails to match the intended function.
Make a Rule More Flexible Using a Regular Expression
Using a regular expression as part of a function identifier allows the associated rule to apply to a broader set of methods. Modify the rule that failed so that it matches any method whose name begins with the string getUser, as shown in the following rule:

Note that, read strictly as a regular expression, getUser* means the string getUse followed by zero or more r characters; getUser.* is the expression that unambiguously means "begins with getUser". If a pattern rule produces fewer matches than you expect, check the expression against the actual method names in the code before suspecting the rest of the rule.
<SemanticRule formatVersion="3.2" language="java">
  <RuleID>A090AAC1-9CA8-4F40-994D-8C30FC6D4671</RuleID>
  <VulnKingdom>Input Validation and Representation</VulnKingdom>
  <VulnCategory>Dangerous Input Source</VulnCategory>
  <DefaultSeverity>4.0</DefaultSeverity>
  <Type>default</Type>
  <Description/>
  <FunctionIdentifier>
    <NamespaceName>
      <Value>session</Value>
    </NamespaceName>
    <ClassName>
      <Value>WebSession</Value>
    </ClassName>
    <FunctionName>
      <Pattern>getUser*</Pattern>
    </FunctionName>
    <ApplyTo overrides="true" extends="true"/>
  </FunctionIdentifier>
</SemanticRule>
The rulepack augmented to reflect this change is also available in <install_dir>/Tutorial/java/answers/exercise9/step4.xml
1. Enter the following command:
sourceanalyzer -cp "WEB-INF/lib/*jar" -f webgoat_customfpr -rules rulesxml
2. Choose Import New SCA Analysis from the Tools menu, select the new results file webgoat_custom.fpr, and click Open.
3. Confirm that the Dangerous Input Source issues are detected once again.
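To see the three identifier variants from the last two steps side by side before running a full sourceanalyzer pass, here is an added Python simulation of FunctionIdentifier matching. It is not Fortify code and not part of the tutorial: it parses a constructed rulepack excerpt containing the misspelled literal getUserNames, the pattern getUser* as written above, and the pattern getUser.*, and checks each against a constructed list of call sites. The call sites session.WebSession.getUserName and org.apache.ecs.ElementContainer.addElement come from this exercise; getUserId and setUserName are made-up look-alikes. The simulation anchors a <Pattern> regular expression to the whole method name, which is an assumption about the analyzer; if the real matcher instead searches for the pattern anywhere in the name, getUser* does fire, but only because the substring getUse is found, which is why getUser.* is the form that states the intent under either interpretation.

```python
import re
import xml.etree.ElementTree as ET

# Constructed rulepack excerpt (not the tutorial's step3/step4 files): the same
# FunctionIdentifier written three ways so the matching behaviour can be compared.
RULES_XML = """<RulePack>
  <SemanticRule formatVersion="3.2" language="java">
    <RuleID>literal-misspelled</RuleID>
    <FunctionIdentifier>
      <NamespaceName><Value>session</Value></NamespaceName>
      <ClassName><Value>WebSession</Value></ClassName>
      <FunctionName><Value>getUserNames</Value></FunctionName>
    </FunctionIdentifier>
  </SemanticRule>
  <SemanticRule formatVersion="3.2" language="java">
    <RuleID>pattern-as-written</RuleID>
    <FunctionIdentifier>
      <NamespaceName><Value>session</Value></NamespaceName>
      <ClassName><Value>WebSession</Value></ClassName>
      <FunctionName><Pattern>getUser*</Pattern></FunctionName>
    </FunctionIdentifier>
  </SemanticRule>
  <SemanticRule formatVersion="3.2" language="java">
    <RuleID>pattern-prefix</RuleID>
    <FunctionIdentifier>
      <NamespaceName><Value>session</Value></NamespaceName>
      <ClassName><Value>WebSession</Value></ClassName>
      <FunctionName><Pattern>getUser.*</Pattern></FunctionName>
    </FunctionIdentifier>
  </SemanticRule>
</RulePack>"""

# Constructed call sites: the exercise's getUserName and addElement plus two look-alikes.
CALL_SITES = [
    "session.WebSession.getUserName",
    "session.WebSession.getUserId",       # constructed look-alike
    "session.WebSession.setUserName",     # constructed look-alike
    "org.apache.ecs.ElementContainer.addElement",
]

def _component_matcher(elem):
    """Build a predicate for one identifier part: literal <Value> or regex <Pattern>."""
    value = elem.find("Value")
    if value is not None:
        return lambda s, lit=value.text: s == lit
    pattern = elem.find("Pattern")
    if pattern is not None:
        rx = re.compile(pattern.text)
        # Assumption: the pattern must cover the whole name (fullmatch, not search).
        return lambda s, rx=rx: rx.fullmatch(s) is not None
    raise ValueError("identifier part needs <Value> or <Pattern>")

def load_identifiers(xml_text):
    """Return {RuleID: (namespace_pred, class_pred, function_pred)} for every rule."""
    out = {}
    for rule in ET.fromstring(xml_text):
        fid = rule.find("FunctionIdentifier")
        out[rule.findtext("RuleID")] = tuple(
            _component_matcher(fid.find(tag))
            for tag in ("NamespaceName", "ClassName", "FunctionName"))
    return out

def split_call(qualified):
    """'a.b.C.m' -> ('a.b', 'C', 'm'); the namespace part is the package name."""
    ns, cls, func = qualified.rsplit(".", 2)
    return ns, cls, func

def matches(identifier, qualified):
    """True when all three identifier parts accept the corresponding name parts."""
    return all(pred(part) for pred, part in zip(identifier, split_call(qualified)))

def hits(xml_text, call_sites=CALL_SITES):
    """Map each RuleID to the call sites it would fire on."""
    ids = load_identifiers(xml_text)
    return {rid: [c for c in call_sites if matches(ident, c)]
            for rid, ident in ids.items()}

if __name__ == "__main__":
    for rid, hit in hits(RULES_XML).items():
        print(f"{rid:20s} -> {hit}")
```

Run it and the misspelled literal matches nothing, mirroring the lost results in the previous step; under the anchored interpretation getUser* matches nothing either, and only getUser.* matches both getUserName and getUserId while leaving setUserName and addElement alone.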
Create and Test Dataflow Source and Sink Rules
Inspect the Dangerous Input Source issue flagged in BasicAuthentication.java on line 173. The Apache ECS function ElementContainer.addElement() can be used in various ways, but in this case it is collecting content that will subsequently be sent to the user's Web browser, which makes this use of WebSession.getUserName() vulnerable to cross-site scripting. To flag it as a Cross-Site Scripting issue, you must write two custom rules: a dataflow source rule for WebSession.getUserName() and a dataflow sink rule for ElementContainer.addElement(). To identify this and other new vulnerabilities, include the following dataflow rules in your rulepack. The source rule marks the return value of WebSession.getUserName() as user input carrying the XSS and HTTPRS taint flags; the sink rule reports a Cross-Site Scripting (custom) issue whenever the first argument (argument 0) of ElementContainer.addElement() carries the XSS flag.
<DataflowSourceRule formatVersion="3.2" language="java">
  <RuleID>CC8A592E-277F-4D25-93AC-7F1EF0994CF6</RuleID>
  <TaintFlags>+XSS,+HTTPRS</TaintFlags>
  <FunctionIdentifier>
    <NamespaceName>
      <Value>session</Value>
    </NamespaceName>
    <ClassName>
      <Value>WebSession</Value>
    </ClassName>
    <FunctionName>
      <Value>getUserName</Value>
    </FunctionName>
    <ApplyTo overrides="true" extends="true"/>
  </FunctionIdentifier>
  <OutArguments>return</OutArguments>
</DataflowSourceRule>
<DataflowSinkRule formatVersion="3.2" language="java">
  <RuleID>D99929A9-37C5-4FED-81CA-B6522AE8B763</RuleID>
  <VulnCategory>Cross-Site Scripting (custom)</VulnCategory>
  <DefaultSeverity>4.0</DefaultSeverity>
  <Description/>
  <Sink>
    <InArguments>0</InArguments>
    <Conditional>
      <TaintFlagSet taintFlag="XSS"/>
    </Conditional>
  </Sink>
  <FunctionIdentifier>
    <NamespaceName>
      <Value>org.apache.ecs</Value>
    </NamespaceName>
    <ClassName>
      <Value>ElementContainer</Value>
    </ClassName>
    <FunctionName>
      <Value>addElement</Value>
    </FunctionName>
    <ApplyTo overrides="true" extends="true"/>
  </FunctionIdentifier>
</DataflowSinkRule>
The rulepack augmented to include these rules is also available in <install_dir>/Tutorial/java/answers/exercise9/step5.xml
1. Enter the following command:
sourceanalyzer -cp "WEB-INF/lib/*.jar" -f webgoat_custom.fpr -rules rules.xml
2. Choose Import New SCA Analysis from the Tools menu, select the new results file webgoat_custom.fpr, and click Open.
3. Confirm that an issue is now reported in the Cross-Site Scripting (custom) category for BasicAuthentication.java on line 173.
4. Notice that another issue is reported in the Cross-Site Scripting (custom) category, but its input originates from an HTTP request parameter rather than from WebSession.getUserName(). This issue is reported because the Fortify Secure Coding Rulepacks identify all HTTP request parameters as tainted with HTML metacharacters, and your custom sink rule fires on any value carrying the XSS flag, whichever rule set put it there. Custom rules do not function in a vacuum: a small number of custom rules working together with the Fortify Secure Coding Rulepacks can often detect issues more broadly or more accurately than either could alone.
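The following Python simulation, added here and not part of the tutorial or of the Fortify product, shows how the source and sink rules above combine and why the second, request-parameter issue appears: it walks a constructed straight-line program modelled on the page's description of BasicAuthentication.java, taints the return value of session.WebSession.getUserName() with the XSS and HTTPRS flags, and reports a finding whenever argument 0 of org.apache.ecs.ElementContainer.addElement() carries XSS. The rule table is transcribed from the XML above; the second source entry, javax.servlet.ServletRequest.getParameter, is a constructed stand-in for the Secure Coding Rulepacks' treatment of HTTP request parameters (the real rulepack rule is not reproduced), and com.example.Encoder.htmlEncode is a made-up call with no rule, which the simulation treats as returning untainted data. The program statements and their line numbers are constructed, not WebGoat's code.

```python
from dataclasses import dataclass

# Rules transcribed from the page's DataflowSourceRule and DataflowSinkRule.
# The getParameter entry is a constructed stand-in for the Secure Coding
# Rulepacks' HTTP-request-parameter source; it is not the real rulepack rule.
SOURCE_RULES = [
    {"function": "session.WebSession.getUserName",
     "out": "return", "flags": {"XSS", "HTTPRS"}},
    {"function": "javax.servlet.ServletRequest.getParameter",
     "out": "return", "flags": {"XSS"}},
]
SINK_RULES = [
    {"function": "org.apache.ecs.ElementContainer.addElement",
     "in_arg": 0, "requires": "XSS", "category": "Cross-Site Scripting (custom)"},
]

# Constructed straight-line program (not WebGoat source) in the shape the page
# describes: a user name from the session ends up inside an ECS element.
# Statement forms: ("call", dest, function, args), ("assign", dest, src),
# ("const", dest, literal). The list index plus one is the "line number".
PROGRAM = [
    ("call", "user", "session.WebSession.getUserName", []),
    ("assign", "greeting", "user"),
    ("call", None, "org.apache.ecs.ElementContainer.addElement", ["greeting"]),
    ("call", "name", "javax.servlet.ServletRequest.getParameter", ["key"]),
    ("call", None, "org.apache.ecs.ElementContainer.addElement", ["name"]),
    ("const", "banner", "Welcome"),
    ("call", None, "org.apache.ecs.ElementContainer.addElement", ["banner"]),
    ("call", "safe", "com.example.Encoder.htmlEncode", ["user"]),  # constructed, no rule
    ("call", None, "org.apache.ecs.ElementContainer.addElement", ["safe"]),
]

@dataclass
class Finding:
    line: int
    category: str
    sink: str
    origin: str  # the source call the tainted value came from

def analyze(program, source_rules=SOURCE_RULES, sink_rules=SINK_RULES):
    """Forward taint propagation; taint maps a variable to (flags, origin)."""
    taint = {}
    findings = []
    for lineno, stmt in enumerate(program, start=1):
        kind = stmt[0]
        if kind == "const":
            taint.pop(stmt[1], None)               # a literal carries no taint
        elif kind == "assign":
            _, dest, src = stmt
            if src in taint:
                taint[dest] = taint[src]            # a plain copy keeps flags and origin
            else:
                taint.pop(dest, None)
        elif kind == "call":
            _, dest, func, args = stmt
            # Sink rules: the Conditional must hold on the InArguments position.
            for rule in sink_rules:
                idx = rule["in_arg"]
                if rule["function"] != func or idx >= len(args):
                    continue
                info = taint.get(args[idx])
                if info and rule["requires"] in info[0]:
                    findings.append(Finding(lineno, rule["category"], func, info[1]))
            if dest is None:
                continue
            # Source rules with OutArguments=return taint the assigned result.
            matched = [r for r in source_rules
                       if r["function"] == func and r["out"] == "return"]
            if matched:
                flags = set().union(*(r["flags"] for r in matched))
                taint[dest] = (flags, func)
            else:
                # No rule for this call: the simulation treats its result as clean,
                # so a missing model silently drops a flow, just as the getUserNames
                # typo earlier in the exercise silently lost results.
                taint.pop(dest, None)
    return findings

if __name__ == "__main__":
    for f in analyze(PROGRAM):
        print(f"line {f.line}: {f.category} at {f.sink} (from {f.origin})")
```

With both source rules loaded the run reports two findings, one traced to getUserName and one to the request parameter, which is the situation step 4 describes; dropping the stand-in rulepack source leaves only the getUserName finding, and changing the custom source's flags to HTTPRS alone reports nothing, because the sink's Conditional asks specifically for XSS.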