Fod

Fortify on Demand
Security Review
Company: Test Company
Project: Franklin Bank Java app
Version: 1.0 (Java)
Latest Analysis: 9/25/2015 6:58:20 AM

Executive Summary
Company: Test Company Fortify Security Rating
Project: Franklin Bank
Version: 1.0 164 issues
Static Analysis Date:
Dynamic Analysis Date:
Application Details
Application type Financial Application use Developed For Sale
Business Units Software Apps - Public Facing Data classification Other
Development Lead Michael Yoffee Interface type Web Access
Project type Application Regions North America
Test Type Static
Risk Totals by Severity Risk Totals by Instance Count
Likelihood
Most Prevalent Issues (by Category) Remediation Roadmap

To Achieve Major Fixes Minor Fixes
0 8
1 129
0 0
26 0
0 0
Issue Status
New Existing Reopened
164 0 0
This report contains HPE CONFIDENTIAL information, including but not limited to HPE's analysis, techniques for 2
analysis and recommendations. This report may not be made public, used for competitive or consulting purposes or used outside of the recipient.
Issue Breakdown
Issues are divided based on their impact (potential damage) and likelihood (probability of identification and exploit).
High impact / high likelihood issues represent the highest priority and present the greatest threat.
Low impact / low likelihood issues are the lowest priority and present the smallest threat.
See Appendix for more information.
Rating Category Test Type
Critical Cross-Site Scripting: Reflected Static 8

High Null Dereference Static 103
High Open Redirect Static 5
High Password Management: Empty Password Static 1
High Password Management: Password in Configuration File Static 1
High Unreleased Resource: Database Static 3
High Unreleased Resource: Streams Static 17
Low Cross-Site Request Forgery Static 26
Vulnerabilities in your applications may take some time to remediate, test and move to production. In the meantime, we suggest HPE
Application Defender to virtually patch these vulnerabilities. App Defender is installed from the cloud and begins monitoring and
protecting your applications in minutes. A free trial is available at www.hp-application-defender.com. The team is ready to help you. Give
it a try or contact us at hpAppDefender@hp.com.
Issue Breakdown by OWASP Top 10 2013
PCI Sections 6.3, 6.5 & 6.6
The OWASP Top Ten represents a broad consensus about what the most critical web application security flaws are. Project members
include a variety of security experts from around the world who have shared their expertise to produce this list.
The PCI compliance standards, particularly sections 6.3, 6.5, and 6.6, reference the OWASP Top Ten vulnerability categories as the core
categories that must be tested for and remediated.
OWASP 2013 Category Severity

Critical High Medium Low
A10 Unvalidated Redirects and Forwards 5
A3 Cross-Site Scripting (XSS) 8
A6 Sensitive Data Exposure 2
A8 Cross-Site Request Forgery (CSRF) 26
None 123
Total 8 130 26
Issue Breakdown by Analysis Type
Issues are divided based on their impact (potential damage) and likelihood (probability of identification and exploit).
High impact / high likelihood issues represent the highest priority and present the greatest threat.
Low impact / low likelihood issues are the lowest priority and present the smallest threat.
See Appendix for more information.
Category Static Dynamic

Cross-Site Request Forgery 26 0
Cross-Site Scripting: Reflected 8 0
Null Dereference 103 0
Open Redirect 5 0
Password Management: Empty Password 1 0
Password Management: Password in Configuration File 1 0
Unreleased Resource: Database 3 0
Unreleased Resource: Streams 17 0
Total 164 0
Issue Details
Below is an enumeration of all issues found in the project. The issues are organized by priority and category and then broken down by the
package, namespace, or location in which they occur.
The priority of an issue can be Critical, High, Medium, or Low.
Issues from static analysis reported on at same line number with the same category originate from different taint sources.
6.1.1 Cross-Site Scripting: Reflected Critical

CWE ID 79, CWE ID 80
OWASP Top 10: A3 Cross-Site Scripting (XSS)
PCI 3.0: Requirement 6.5.7
Summary
The method in sends unvalidated data to a web browser on line , which can result in the browser executing malicious code.Sending unvalidated data to a web
browser can result in the browser executing malicious code.
Explanation
Cross-site scripting (XSS) vulnerabilities occur when:
1. Data enters a web application through an untrusted source. In the case of Reflected XSS, the untrusted source is typically a web request, while in the case
of Persisted (also known as Stored) XSS it is typically a database or other back-end datastore.
In this case the data enters at in main.jsp at line 34.
2. The data is included in dynamic content that is sent to a web user without being validated.
In this case the data is sent at in main.jsp at line 114.
The malicious content sent to the web browser often takes the form of a segment of JavaScript, but may also include HTML, Flash or any other type of code
that the browser may execute. The variety of attacks based on XSS is almost limitless, but they commonly include transmitting private data like cookies or
other session information to the attacker, redirecting the victim to web content controlled by the attacker, or performing other malicious operations on the
user's machine under the guise of the vulnerable site.
Example 1: The following JSP code segment reads an employee ID, eid, from an HTTP request and displays it to the user.
<% String eid = request.getParameter("eid"); %>

...
Employee ID: <%= eid %>
Example 1: The following code reads an employee ID, eid, from an HTTP servlet request, then displays the value back to the user in the servlet's response.
String eid = request.getParameter("eid");

...
ServletOutputStream out = response.getOutputStream();
out.print("Employee ID: " + eid);
...
out.close();
...
Example 1: The following JSP code segment reads an employee ID, eid, from an HTTP request and displays it to the user via the <c:out/> tag. By setting
escapeXml="false", it does not perform even basic checking for potentially malicious data.
Employee ID: <c:out value="${param.eid}" escapeXml="false"/>
Example 1: The following code reads an employee ID, eid, from a JSF form.
...
<h:form>
Enter employee ID: <h:inputText value="#{eid}"/>
</h:form>
...
Its response page then reads the value of eid and displays it to the user.
...
Employee ID: <h:outputText value="#{eid}" escape="false"/>
...
Example 1: The following code reads an employee ID, eid, from an HTTP request, then checks the value for this key in bundle. If the key doesn't exist, the
default functionality is to print the key to the user.
<fmt:setLocale value="en"/>
<fmt:setBundle basename="com.company.Names" var="names"/>
Employee ID: <fmt:message key="${param.eid}" bundle="${names}"/>

...

...
The code in this example operates correctly if eid contains only standard alphanumeric text. If eid has a value that includes meta-characters or source
code, then the code will be executed by the web browser as it displays the HTTP response.
Initially this might not appear to be much of a vulnerability. After all, why would someone enter a URL that causes malicious code to run on their own
computer? The real danger is that an attacker will create the malicious URL, then use e-mail or social engineering tricks to lure victims into visiting a link to
the URL. When victims click the link, they unwittingly reflect the malicious content through the vulnerable web application back to their own computers. This
mechanism of exploiting vulnerable web applications is known as Reflected XSS.
Example 2: The following JSP code segment queries a database for an employee with a given ID and prints the corresponding employee's name.
<%...
Statement stmt = conn.createStatement();
ResultSet rs = stmt.executeQuery("select * from emp where id="+eid);
if (rs != null) {
rs.next();
String name = rs.getString("name");
}
%>
Employee Name: <%= name %>
Example 2: The following code segment queries a database for an employee with a given ID and prints the corresponding employee's name in the servlet's
response.
...
if (rs != null) {
rs.next();
}
ServletOutputStream out = response.getOutputStream();

out.print("Employee Name: " + name);
...
out.close();
...
Example 2: The following JSP code segment queries a database for an employee with a given ID and prints the corresponding employee's name via the
<c:out/> tag. By setting escapeXml="false", it does not perform even basic checking for potentially malicious data.
<%...
if (rs != null) {
rs.next();
}
%>
Employee Name: <c:out value="${name}" escapeXml="false"/>
Example 2: The following JSP code segment queries a database for an employee with a given ID and looks up the corresponding employee's name in a bundle
via the key attribute within the <fmt:message/> tag. If the key does not exist, the value passed to key gets printed to the page.
<%...
if (rs != null) {
rs.next();
}
%>
<fmt:setLocale value="en"/>
<fmt:setBundle basename="com.company.Names" var="names"/>
Employee Name: <fmt:message key="<%= name %>" bundle="${names}"/>
Example 2: The following code first queries a database for an employee with a given ID, converts the results into a list, and stores the list inside
employeesBean.
public class employeesBean {

private List<EmployeeData> employeeList;
...
public List<EmployeeData> getEmployeeList() {
...
return convertToList(rs);
}
...
}
Then it uses JSF's dataTable construct to print the corresponding employee's name.
<f:view>
...
<h:dataTable value="employeesBean.employeeList" var="employee">
...
<h:column>
<f:facet name="header">
<h:outputText value="Employee Name"/>
</f:facet>
<h:outputText value="#{employee.name}" escape="false"/>
</h:column>
...
</h:dataTable>
...
</f:view>
<%...
if (rs != null) {
rs.next();
}
%>
<%...
if (rs != null) {
rs.next();
}
%>
As in Example 1, this code functions correctly when the values of name are well-behaved, but it does nothing to prevent exploits if they are not. Again, this
code can appear less dangerous because the value of name is read from a database, whose contents are apparently managed by the application. However, if
the value of name originates from user-supplied data, then the database can be a conduit for malicious content. Without proper input validation on all data
stored in the database, an attacker can execute malicious commands in the user's web browser. This type of exploit, known as Persistent (or Stored) XSS, is
particularly insidious because the indirection caused by the data store makes it more difficult to identify the threat and increases the possibility that the
attack will affect multiple users. XSS got its start in this form with web sites that offered a "guestbook" to visitors. Attackers would include JavaScript in their
guestbook entries, and all subsequent visitors to the guestbook page would execute the malicious code.
Some think that in the mobile world, classic web application vulnerabilities, such as cross-site scripting, do not make sense -- why would the user attack
themself? However, keep in mind that the essence of mobile platforms is applications that are downloaded from various sources and run alongside each other
on the same device. The likelihood of running a piece of malware next to a banking application is high, which necessitates expanding the attack surface of
mobile applications to include inter-process communication.
Example 3: The following code enables JavaScript in Android's WebView (by default, JavaScript is disabled) and loads a page based on the value received
from an Android intent.
...
WebView webview = (WebView) findViewById(R.id.webview);
webview.getSettings().setJavaScriptEnabled(true);
String url = this.getIntent().getExtras().getString("url");
webview.loadUrl(url);
...
If the value of url starts with javascript:, JavaScript code that follows will execute within the context of the web page inside WebView.
As the examples demonstrate, XSS vulnerabilities are caused by code that includes unvalidated data in an HTTP response. There are three vectors by which
an XSS attack can reach a victim:
- As in Example 1, data is read directly from the HTTP request and reflected back in the HTTP response. Reflected XSS exploits occur when an attacker
causes a user to supply dangerous content to a vulnerable web application, which is then reflected back to the user and executed by the web browser. The
most common mechanism for delivering malicious content is to include it as a parameter in a URL that is posted publicly or e-mailed directly to victims. URLs
constructed in this manner constitute the core of many phishing schemes, whereby an attacker convinces victims to visit a URL that refers to a vulnerable
site. After the site reflects the attacker's content back to the user, the content is executed and proceeds to transfer private information, such as cookies that
may include session information, from the user's machine to the attacker or perform other nefarious activities.
- As in Example 2, the application stores dangerous data in a database or other trusted data store. The dangerous data is subsequently read back into the
application and included in dynamic content. Persistent XSS exploits occur when an attacker injects dangerous content into a data store that is later read and
included in dynamic content. From an attacker's perspective, the optimal place to inject malicious content is in an area that is displayed to either many users
or particularly interesting users. Interesting users typically have elevated privileges in the application or interact with sensitive data that is valuable to the
attacker. If one of these users executes malicious content, the attacker may be able to perform privileged operations on behalf of the user or gain access to
sensitive data belonging to the user.
- As in Example 3, a source outside the application stores dangerous data in a database or other data store, and the dangerous data is subsequently read
back into the application as trusted data and included in dynamic content.
A number of modern web frameworks provide mechanisms for performing validation of user input. Struts and Spring MVC are among them. To highlight the
unvalidated sources of input, the rulepacks dynamically re-prioritize the issues reported by HP Fortify Static Code Analyzer by lowering their probability of
exploit and providing pointers to the supporting evidence whenever the framework validation mechanism is in use. We refer to this feature as
Context-Sensitive Ranking. To further assist the HP Fortify user with the auditing process, the HP Fortify Software Security Research Group makes available
the Data Validation project template that groups the issues into folders based on the validation mechanism applied to their source of input.
A number of modern web frameworks provide mechanisms for performing validation of user input. Struts and Spring MVC are among them. To highlight the
unvalidated sources of input, the rulepacks dynamically re-prioritize the issues reported by HP Fortify Static Code Analyzer by lowering their probability of
exploit and providing pointers to the supporting evidence whenever the framework validation mechanism is in use. We refer to this feature as
Context-Sensitive Ranking. To further assist the HP Fortify user with the auditing process, the HP Fortify Software Security Research Group makes available
the Data Validation project template that groups the issues into folders based on the validation mechanism applied to their source of input.
Recommendation
The solution to XSS is to ensure that validation occurs in the correct places and checks for the correct properties.
Since XSS vulnerabilities occur when an application includes malicious data in its output, one logical approach is to validate data immediately before it leaves
the application. However, because web applications often have complex and intricate code for generating dynamic content, this method is prone to errors of
omission (missing validation). An effective way to mitigate this risk is to also perform input validation for XSS.
Web applications must validate their input to prevent other vulnerabilities, such as SQL injection, so augmenting an application's existing input validation
mechanism to include checks for XSS is generally relatively easy. Despite its value, input validation for XSS does not take the place of rigorous output
validation. An application may accept input through a shared data store or other trusted source, and that data store may accept input from a source that
does not perform adequate input validation. Therefore, the application cannot implicitly rely on the safety of this or any other data. This means the best way
to prevent XSS vulnerabilities is to validate everything that enters the application and leaves the application destined for the user.
The most secure approach to validation for XSS is to create a whitelist of safe characters that are allowed to appear in HTTP content and accept input
composed exclusively of characters in the approved set. For example, a valid username might only include alpha-numeric characters or a phone number
might only include digits 0-9. However, this solution is often infeasible in web applications because many characters that have special meaning to the
browser should still be considered valid input once they are encoded, such as a web design bulletin board that must accept HTML fragments from its users.
A more flexible, but less secure approach is known as blacklisting, which selectively rejects or escapes potentially dangerous characters before using the
input. In order to form such a list, you first need to understand the set of characters that hold special meaning for web browsers. Although the HTML
standard defines what characters have special meaning, many web browsers try to correct common mistakes in HTML and may treat other characters as
special in certain contexts, which is why we do not encourage the use of blacklists as a means to prevent XSS. The CERT(R) Coordination Center at the
Software Engineering Institute at Carnegie Mellon University provides the following details about special characters in various contexts [1]:
In the content of a block-level element (in the middle of a paragraph of text):
- "<" is special because it introduces a tag.
- "&" is special because it introduces a character entity.
- ">" is special because some browsers treat it as special, on the assumption that the author of the page intended to include an opening "<", but omitted it in
error.
The following principles apply to attribute values:
- In attribute values enclosed with double quotes, the double quotes are special because they mark the end of the attribute value.
- In attribute values enclosed with single quote, the single quotes are special because they mark the end of the attribute value.
- In attribute values without any quotes, white-space characters, such as space and tab, are special.
- "&" is special when used with certain attributes, because it introduces a character entity.
In URLs, for example, a search engine might provide a link within the results page that the user can click to re-run the search. This can be implemented by
encoding the search query inside the URL, which introduces additional special characters:
- Space, tab, and new line are special because they mark the end of the URL.
- "&" is special because it either introduces a character entity or separates CGI parameters.
- Non-ASCII characters (that is, everything above 128 in the ISO-8859-1 encoding) are not allowed in URLs, so they are considered to be special in this
context.
- The "%" symbol must be filtered from input anywhere parameters encoded with HTTP escape sequences are decoded by server-side code. For example, "%"
must be filtered if input such as "%68%65%6C%6C%6F" becomes "hello" when it appears on the web page in question.
Within the body of a <SCRIPT> </SCRIPT>:
- Semicolons, parentheses, curly braces, and new line characters should be filtered out in situations where text could be inserted directly into a pre-existing
script tag.
Server-side scripts:
- Server-side scripts that convert any exclamation characters (!) in input to double-quote characters (") on output might require additional filtering.
Other possibilities:
- If an attacker submits a request in UTF-7, the special character '<' appears as '+ADw-' and may bypass filtering. If the output is included in a page that does
not explicitly specify an encoding format, then some browsers try to intelligently identify the encoding based on the content (in this case, UTF-7).
Once you identify the correct points in an application to perform validation for XSS attacks and what special characters the validation should consider, the
next challenge is to identify how your validation handles special characters. If special characters are not considered valid input to the application, then you
can reject any input that contains special characters as invalid. A second option in this situation is to remove special characters with filtering. However,
filtering has the side effect of changing any visual representation of the filtered content and may be unacceptable in circumstances where the integrity of the
input must be preserved for display.
If input containing special characters must be accepted and displayed accurately, validation must encode any special characters to remove their significance.
A complete list of ISO 8859-1 encoded values for special characters is provided as part of the official HTML specification [2].
Many application servers attempt to limit an application's exposure to cross-site scripting vulnerabilities by providing implementations for the functions
responsible for setting certain specific HTTP response content that perform validation for the characters essential to a cross-site scripting attack. Do not rely
on the server running your application to make it secure. When an application is developed there are no guarantees about what application servers it will run
on during its lifetime. As standards and known exploits evolve, there are no guarantees that application servers will also stay in sync.
Instances
Cross-Site Scripting: Reflected Critical
Package: /
Location Analysis Info Analyzer
Sink:/.main.jsp._jspService
Enclosing Method:_jspService
ID 10601967 - WebContent/main.jsp:114 dataflow
Source:javax.servlet.ServletRequest.getParameter() from /.main .jsp._jspService in
main.jsp:34
main.jsp:34
main.jsp:34
main.jsp:34
main.jsp:34
Package: /lessons/CrossSiteScripting
Sink:/lessons/CrossSiteScripting.SearchStaff.jsp._jspService
ID 10601866 - WebContent/lessons/CrossSiteScripting/SearchStaff.jsp:11 dataflow
Source:javax.servlet.ServletRequest.getParameter() from
/lessons/CrossSiteScripting.SearchStaff.jsp. _jspService in SearchStaff.jsp:7
Package: /lessons/RoleBasedAccessControl
Sink:/lessons/RoleBasedAccessControl.SearchStaff.jsp. _jspService
ID 10601867 - WebContent/lessons/RoleBasedAccessControl/SearchStaff Enclosing Method:_jspService
dataflow
.jsp:11 Source:javax.servlet.ServletRequest.getParameter() from
/lessons/RoleBasedAccessControl.SearchStaff.jsp. _jspService in SearchStaff.jsp:7
Package: /lessons/SQLInjection
Sink:/lessons/SQLInjection.SearchStaff.jsp._jspService
ID 10601911 - WebContent/lessons/SQLInjection/SearchStaff.jsp:11 dataflow
/lessons/SQLInjection.SearchStaff.jsp. _jspService in SearchStaff.jsp:7
6.2.1 Null Dereference High
CWE ID 476
OWASP Top 10: None
Summary
The method in can crash the program by dereferencing a null pointer on line .The program can potentially dereference a null pointer, thereby causing a null
pointer exception.
Explanation
Null pointer exceptions usually occur when one or more of the programmer's assumptions is violated. A dereference-after-store error occurs when a program
explicitly sets an object to null and dereferences it later. This error is often the result of a programmer initializing a variable to null when it is declared.
In this case, the variable can be null when it is dereferenced at line 508, thereby causing a null pointer exception.
Most null pointer issues result in general software reliability problems, but if attackers can intentionally trigger a null pointer dereference, they can use the
resulting exception to bypass security logic or to cause the application to reveal debugging information that will be valuable in planning subsequent attacks.
Example: In the following code, the programmer explicitly sets the variable foo to null. Later, the programmer dereferences foo before checking the
object for a null value.
Foo foo = null;

...
foo.setBar(val);
...
}
Recommendation
Implement careful checks before dereferencing objects that might be null. When possible, abstract null checks into wrappers around code that manipulates
resources to ensure that they are applied in all cases and to minimize the places where mistakes can occur.
Instances
Null Dereference High
Package: com.t_tank.j2h
Sink:com.t_tank.j2h.Java2Html.class$
ID 10601936 - WebContent/WEB-INF/lib/com/t_tank/j2h/Java2Html.java:148 controlflow
Enclosing Method:class$
Sink:com.t_tank.j2h.Java2Html.generateHtml
Enclosing Method:generateHtml
Sink:com.t_tank.j2h.Java2Html.main
Enclosing Method:main
Package: org.enhydra.instantdb.db
ID 10601839 - WebContent/WEB-INF/lib/org/enhydra/instantdb/db Sink:org.enhydra.instantdb.db.BlobColumn.BlobColumn

controlflow
/BlobColumn.java:129 Enclosing Method:BlobColumn
ID 10601972 - WebContent/WEB-INF/lib/org/enhydra/instantdb/db Sink:org.enhydra.instantdb.db.BlobColumn.deleteBlob

controlflow
/BlobColumn.java:562 Enclosing Method:deleteBlob
ID 10601841 - WebContent/WEB-INF/lib/org/enhydra/instantdb/db Sink:org.enhydra.instantdb.db.BlobColumn.getOffsetByRow
controlflow
/BlobColumn.java:527 Enclosing Method:getOffsetByRow
ID 10601951 - WebContent/WEB-INF/lib/org/enhydra/instantdb/db Sink:org.enhydra.instantdb.db.BlobColumn.extractBinaryNumbers

controlflow
/BlobColumn.java:167 Enclosing Method:extractBinaryNumbers
ID 10601975 - WebContent/WEB-INF/lib/org/enhydra/instantdb/db Sink:org.enhydra.instantdb.db.BlobColumn.getByRow

controlflow
/BlobColumn.java:508 Enclosing Method:getByRow
ID 10601935 - WebContent/WEB-INF/lib/org/enhydra/instantdb/db Sink:org.enhydra.instantdb.db.BlobColumn.writeObject

controlflow
/BlobColumn.java:372 Enclosing Method:writeObject
ID 10601871 - WebContent/WEB-INF/lib/org/enhydra/instantdb/db Sink:org.enhydra.instantdb.db.BlobColumn.onClose

controlflow
/BlobColumn.java:577 Enclosing Method:onClose
ID 10601930 - WebContent/WEB-INF/lib/org/enhydra/instantdb/db Sink:org.enhydra.instantdb.db.ByteColumn.deleteBitSet

controlflow
/ByteColumn.java:289 Enclosing Method:deleteBitSet
ID 10601950 - WebContent/WEB-INF/lib/org/enhydra/instantdb/db Sink:org.enhydra.instantdb.db.ByteColumn.getByRow

controlflow
/ByteColumn.java:259 Enclosing Method:getByRow
ID 10601970 - WebContent/WEB-INF/lib/org/enhydra/instantdb/db Sink:org.enhydra.instantdb.db.Char1Column.getByRow

controlflow
/Char1Column.java:131 Enclosing Method:getByRow
ID 10601939 - WebContent/WEB-INF/lib/org/enhydra/instantdb/db Sink:org.enhydra.instantdb.db.Char1Column.equalToRow

controlflow
/Char1Column.java:179 Enclosing Method:equalToRow
ID 10601945 - WebContent/WEB-INF/lib/org/enhydra/instantdb/db/Column Sink:org.enhydra.instantdb.db.Column.getByRow

controlflow
.java:329 Enclosing Method:getByRow
ID 10601912 - WebContent/WEB-INF/lib/org/enhydra/instantdb/db/Column Sink:org.enhydra.instantdb.db.Column.setRow

controlflow
.java:523 Enclosing Method:setRow
ID 10601872 - WebContent/WEB-INF/lib/org/enhydra/instantdb/db/Cursor Sink:org.enhydra.instantdb.db.Cursor.update

controlflow
.java:202 Enclosing Method:update
ID 10601949 - WebContent/WEB-INF/lib/org/enhydra/instantdb/db Sink:org.enhydra.instantdb.db.Database.dbCreate

controlflow
/Database.java:753 Enclosing Method:dbCreate

controlflow
ID 10601880 - WebContent/WEB-INF/lib/org/enhydra/instantdb/db Sink:org.enhydra.instantdb.db.Database.dbOpen

controlflow
/Database.java:332 Enclosing Method:dbOpen
ID 10601844 - WebContent/WEB-INF/lib/org/enhydra/instantdb/db Sink:org.enhydra.instantdb.db.Database.initialise

controlflow
/Database.java:527 Enclosing Method:initialise
ID 10601826 - WebContent/WEB-INF/lib/org/enhydra/instantdb/db Sink:org.enhydra.instantdb.db.Database.close

controlflow
/Database.java:936 Enclosing Method:close
ID 10601881 - WebContent/WEB-INF/lib/org/enhydra/instantdb/db Sink:org.enhydra.instantdb.db.Database.setPath

controlflow
/Database.java:482 Enclosing Method:setPath
ID 10601825 - WebContent/WEB-INF/lib/org/enhydra/instantdb/db Sink:org.enhydra.instantdb.db.Database.dbOpen

controlflow
/Database.java:443 Enclosing Method:dbOpen

controlflow
ID 10601923 - WebContent/WEB-INF/lib/org/enhydra/instantdb/db Sink:org.enhydra.instantdb.db.Database.execSQL

controlflow
/Database.java:901 Enclosing Method:execSQL
ID 10601850 - WebContent/WEB-INF/lib/org/enhydra/instantdb/db Sink:org.enhydra.instantdb.db.Database.run

controlflow
/Database.java:1202 Enclosing Method:run
ID 10601828 - WebContent/WEB-INF/lib/org/enhydra/instantdb/db Sink:org.enhydra.instantdb.db.Database.run

controlflow
/Database.java:1191 Enclosing Method:run

controlflow
controlflow
ID 10601922 - WebContent/WEB-INF/lib/org/enhydra/instantdb/db Sink:org.enhydra.instantdb.db.DateColumn.setFormatArray

controlflow
/DateColumn.java:123 Enclosing Method:setFormatArray
ID 10601963 - WebContent/WEB-INF/lib/org/enhydra/instantdb/db Sink:org.enhydra.instantdb.db.DateColumn.toDate

controlflow
/DateColumn.java:370 Enclosing Method:toDate

controlflow

controlflow
ID 10601924 - WebContent/WEB-INF/lib/org/enhydra/instantdb/db Sink:org.enhydra.instantdb.db.DateColumn.setFormatArray

controlflow
/DateColumn.java:125 Enclosing Method:setFormatArray
ID 10601925 - WebContent/WEB-INF/lib/org/enhydra/instantdb/db Sink:org.enhydra.instantdb.db.DoubleColumn.getByRow

controlflow
/DoubleColumn.java:170 Enclosing Method:getByRow
ID 10601877 - WebContent/WEB-INF/lib/org/enhydra/instantdb/db Sink:org.enhydra.instantdb.db.expression.interpretColumn

controlflow
/expression.java:326 Enclosing Method:interpretColumn
ID 10601874 - WebContent/WEB-INF/lib/org/enhydra/instantdb/db Sink:org.enhydra.instantdb.db.FileImporter.getFilePath

controlflow
/FileImporter.java:63 Enclosing Method:getFilePath
ID 10601836 - WebContent/WEB-INF/lib/org/enhydra/instantdb/db Sink:org.enhydra.instantdb.db.FileImporter.getNextRow

controlflow
/FileImporter.java:327 Enclosing Method:getNextRow
ID 10601838 - WebContent/WEB-INF/lib/org/enhydra/instantdb/db Sink:org.enhydra.instantdb.db.FloatColumn.getByRow

controlflow
/FloatColumn.java:181 Enclosing Method:getByRow
ID 10601855 - WebContent/WEB-INF/lib/org/enhydra/instantdb/db Sink:org.enhydra.instantdb.db.indexTable.bind

controlflow
/indexTable.java:386 Enclosing Method:bind
ID 10601822 - WebContent/WEB-INF/lib/org/enhydra/instantdb/db Sink:org.enhydra.instantdb.db.indexTable.indexTable

controlflow
/indexTable.java:225 Enclosing Method:indexTable

controlflow

controlflow

controlflow
ID 10601846 - WebContent/WEB-INF/lib/org/enhydra/instantdb/db Sink:org.enhydra.instantdb.db.indexTable.getColsFromNames

controlflow
/indexTable.java:190 Enclosing Method:getColsFromNames
ID 10601868 - WebContent/WEB-INF/lib/org/enhydra/instantdb/db Sink:org.enhydra.instantdb.db.IntegerColumn.getByRow

controlflow
/IntegerColumn.java:267 Enclosing Method:getByRow
ID 10601869 - WebContent/WEB-INF/lib/org/enhydra/instantdb/db Sink:org.enhydra.instantdb.db.IntegerColumn.equalToRow

controlflow
/IntegerColumn.java:295 Enclosing Method:equalToRow
ID 10601853 - WebContent/WEB-INF/lib/org/enhydra/instantdb/db/Journal Sink:org.enhydra.instantdb.db.Journal.rollback

controlflow
.java:471 Enclosing Method:rollback
ID 10601842 - WebContent/WEB-INF/lib/org/enhydra/instantdb/db/Journal Sink:org.enhydra.instantdb.db.Journal.updateTransactionCount

controlflow
.java:168 Enclosing Method:updateTransactionCount
ID 10601978 - WebContent/WEB-INF/lib/org/enhydra/instantdb/db/Journal Sink:org.enhydra.instantdb.db.Journal.closeLog

controlflow
.java:147 Enclosing Method:closeLog
ID 10601973 - WebContent/WEB-INF/lib/org/enhydra/instantdb/db/Journal Sink:org.enhydra.instantdb.db.Journal.openLog

controlflow
.java:133 Enclosing Method:openLog
ID 10601962 - WebContent/WEB-INF/lib/org/enhydra/instantdb/db Sink:org.enhydra.instantdb.db.LongColumn.equalToRow
controlflow
/LongColumn.java:330 Enclosing Method:equalToRow
ID 10601928 - WebContent/WEB-INF/lib/org/enhydra/instantdb/db Sink:org.enhydra.instantdb.db.LongColumn.getByRow

controlflow
/LongColumn.java:264 Enclosing Method:getByRow
ID 10601931 - WebContent/WEB-INF/lib/org/enhydra/instantdb/db Sink:org.enhydra.instantdb.db.ReadAheadBuffer.readRow

controlflow
/ReadAheadBuffer.java:168 Enclosing Method:readRow
ID 10601819 - WebContent/WEB-INF/lib/org/enhydra/instantdb/db/Search Sink:org.enhydra.instantdb.db.Search.evaluate

controlflow
.java:888 Enclosing Method:evaluate
ID 10601865 - WebContent/WEB-INF/lib/org/enhydra/instantdb/db/SQLProg Sink:org.enhydra.instantdb.db.SQLProg.compile_import

controlflow
.java:1071 Enclosing Method:compile_import
ID 10601976 - WebContent/WEB-INF/lib/org/enhydra/instantdb/db/SQLProg Sink:org.enhydra.instantdb.db.SQLProg.compile_alter_table

controlflow
.java:382 Enclosing Method:compile_alter_table
ID 10601840 - WebContent/WEB-INF/lib/org/enhydra/instantdb/db/SQLProg Sink:org.enhydra.instantdb.db.SQLProg.compile_select

controlflow
.java:1475 Enclosing Method:compile_select
ID 10601885 - WebContent/WEB-INF/lib/org/enhydra/instantdb/db/SQLProg Sink:org.enhydra.instantdb.db.SQLProg.execute

controlflow
.java:253 Enclosing Method:execute
ID 10601897 - WebContent/WEB-INF/lib/org/enhydra/instantdb/db/SQLProg Sink:org.enhydra.instantdb.db.SQLProg.compile_create_table

controlflow
.java:1710 Enclosing Method:compile_create_table
ID 10601919 - WebContent/WEB-INF/lib/org/enhydra/instantdb/db/SQLProg Sink:org.enhydra.instantdb.db.SQLProg.compile_alter_table

controlflow
.java:378 Enclosing Method:compile_alter_table
ID 10601820 - WebContent/WEB-INF/lib/org/enhydra/instantdb/db/SQLProg Sink:org.enhydra.instantdb.db.SQLProg.compile_set

controlflow
.java:928 Enclosing Method:compile_set

controlflow

controlflow
ID 10601861 - WebContent/WEB-INF/lib/org/enhydra/instantdb/db/SQLProg Sink:org.enhydra.instantdb.db.SQLProg.compile_set

controlflow
.java:910 Enclosing Method:compile_set
ID 10601926 - WebContent/WEB-INF/lib/org/enhydra/instantdb/db/SQLProg Sink:org.enhydra.instantdb.db.SQLProg.handleGroupBy

controlflow
.java:1127 Enclosing Method:handleGroupBy
ID 10601875 - WebContent/WEB-INF/lib/org/enhydra/instantdb/db/SQLProg Sink:org.enhydra.instantdb.db.SQLProg.compile_select

controlflow
.java:1372 Enclosing Method:compile_select
ID 10601971 - WebContent/WEB-INF/lib/org/enhydra/instantdb/db Sink:org.enhydra.instantdb.db.sqltoken.setupToken

controlflow
/sqltoken.java:218 Enclosing Method:setupToken
ID 10601906 - WebContent/WEB-INF/lib/org/enhydra/instantdb/db Sink:org.enhydra.instantdb.db.sqltoken.setupToken

controlflow
/sqltoken.java:220 Enclosing Method:setupToken
ID 10601902 - WebContent/WEB-INF/lib/org/enhydra/instantdb/db Sink:org.enhydra.instantdb.db.sqltoken.matches

controlflow
/sqltoken.java:312 Enclosing Method:matches
ID 10601886 - WebContent/WEB-INF/lib/org/enhydra/instantdb/db Sink:org.enhydra.instantdb.db.StringColumn.getByRow

controlflow
/StringColumn.java:194 Enclosing Method:getByRow
ID 10601887 - WebContent/WEB-INF/lib/org/enhydra/instantdb/db Sink:org.enhydra.instantdb.db.StringColumn.equalToRow

controlflow
/StringColumn.java:229 Enclosing Method:equalToRow
ID 10601829 - WebContent/WEB-INF/lib/org/enhydra/instantdb/db/Table Sink:org.enhydra.instantdb.db.Table.recover

controlflow
.java:619 Enclosing Method:recover
ID 10601947 - WebContent/WEB-INF/lib/org/enhydra/instantdb/db/Table Sink:org.enhydra.instantdb.db.Table.deleteRow

controlflow
.java:1749 Enclosing Method:deleteRow
Sink:org.enhydra.instantdb.db.Table.saveRowCounts
ID 10601918 - WebContent/WEB-INF/lib/org/enhydra/instantdb/db/Table .java:231 controlflow
Enclosing Method:saveRowCounts
ID 10601857 - WebContent/WEB-INF/lib/org/enhydra/instantdb/db/Table Sink:org.enhydra.instantdb.db.Table.addOrderedField
controlflow
.java:1672 Enclosing Method:addOrderedField
ID 10601977 - WebContent/WEB-INF/lib/org/enhydra/instantdb/db/Table Sink:org.enhydra.instantdb.db.Table.lt

controlflow
.java:2006 Enclosing Method:lt
ID 10601969 - WebContent/WEB-INF/lib/org/enhydra/instantdb/db/Table Sink:org.enhydra.instantdb.db.Table.addRowAtRow

controlflow
.java:1418 Enclosing Method:addRowAtRow
ID 10601884 - WebContent/WEB-INF/lib/org/enhydra/instantdb/db/Table Sink:org.enhydra.instantdb.db.Table.addOrderedField

controlflow
.java:1638 Enclosing Method:addOrderedField
ID 10601966 - WebContent/WEB-INF/lib/org/enhydra/instantdb/db/Table Sink:org.enhydra.instantdb.db.Table.open

controlflow
.java:580 Enclosing Method:open
ID 10601940 - WebContent/WEB-INF/lib/org/enhydra/instantdb/db/Table Sink:org.enhydra.instantdb.db.Table.newColAdded

controlflow
.java:774 Enclosing Method:newColAdded
ID 10601856 - WebContent/WEB-INF/lib/org/enhydra/instantdb/db/Table Sink:org.enhydra.instantdb.db.Table.recover

controlflow
.java:607 Enclosing Method:recover
ID 10601858 - WebContent/WEB-INF/lib/org/enhydra/instantdb/db/Table Sink:org.enhydra.instantdb.db.Table.markDirty

controlflow
.java:258 Enclosing Method:markDirty
ID 10601948 - WebContent/WEB-INF/lib/org/enhydra/instantdb/db/Table Sink:org.enhydra.instantdb.db.Table.swap

controlflow
.java:2041 Enclosing Method:swap
ID 10601870 - WebContent/WEB-INF/lib/org/enhydra/instantdb/db/Table Sink:org.enhydra.instantdb.db.Table.registerTable

controlflow
.java:953 Enclosing Method:registerTable
ID 10601938 - WebContent/WEB-INF/lib/org/enhydra/instantdb/db/Table Sink:org.enhydra.instantdb.db.Table.addRowAtRow

controlflow
.java:1502 Enclosing Method:addRowAtRow
ID 10601862 - WebContent/WEB-INF/lib/org/enhydra/instantdb/db/Table Sink:org.enhydra.instantdb.db.Table.rowToString

controlflow
.java:2076 Enclosing Method:rowToString
ID 10601883 - WebContent/WEB-INF/lib/org/enhydra/instantdb/db Sink:org.enhydra.instantdb.db.TableLock.freeWriteLock

controlflow
/TableLock.java:298 Enclosing Method:freeWriteLock
ID 10601896 - WebContent/WEB-INF/lib/org/enhydra/instantdb/db Sink:org.enhydra.instantdb.db.tokenList.parseTokens

controlflow
/tokenList.java:245 Enclosing Method:parseTokens
ID 10601916 - WebContent/WEB-INF/lib/org/enhydra/instantdb/db Sink:org.enhydra.instantdb.db.tokenList.parseTokens

controlflow
/tokenList.java:237 Enclosing Method:parseTokens
ID 10601957 - WebContent/WEB-INF/lib/org/enhydra/instantdb/db/Trace Sink:org.enhydra.instantdb.db.Trace.setExport

controlflow
.java:254 Enclosing Method:setExport
ID 10601968 - WebContent/WEB-INF/lib/org/enhydra/instantdb/db Sink:org.enhydra.instantdb.db.Transaction.prepare

controlflow
/Transaction.java:493 Enclosing Method:prepare
ID 10601932 - WebContent/WEB-INF/lib/org/enhydra/instantdb/db Sink:org.enhydra.instantdb.db.Transaction.complete

controlflow
/Transaction.java:169 Enclosing Method:complete
ID 10601914 - WebContent/WEB-INF/lib/org/enhydra/instantdb/db Sink:org.enhydra.instantdb.db.Transaction.complete

controlflow
/Transaction.java:173 Enclosing Method:complete
Package: org.enhydra.instantdb.jdbc
ID 10601917 - WebContent/WEB-INF/lib/org/enhydra/instantdb/jdbc Sink:org.enhydra.instantdb.jdbc.idbConnection.idbConnection

controlflow
/idbConnection.java:88 Enclosing Method:idbConnection
ID 10601843 - WebContent/WEB-INF/lib/org/enhydra/instantdb/jdbc Sink:org.enhydra.instantdb.jdbc.idbDriver.<static>

controlflow
/idbDriver.java:52 Enclosing Method:<static>
ID 10601845 - WebContent/WEB-INF/lib/org/enhydra/instantdb/jdbc Sink:org.enhydra.instantdb.jdbc.idbPreparedStatement .executeBatch

controlflow
/idbPreparedStatement.java:279 Enclosing Method:executeBatch
ID 10601956 - WebContent/WEB-INF/lib/org/enhydra/instantdb/jdbc Sink:org.enhydra.instantdb.jdbc.idbPreparedStatement .setAsciiStream
controlflow
/idbPreparedStatement.java:195 Enclosing Method:setAsciiStream
ID 10601830 - WebContent/WEB-INF/lib/org/enhydra/instantdb/jdbc Sink:org.enhydra.instantdb.jdbc.idbPreparedStatement .setAnyStream

controlflow
/idbPreparedStatement.java:216 Enclosing Method:setAnyStream
ID 10601873 - WebContent/WEB-INF/lib/org/enhydra/instantdb/jdbc Sink:org.enhydra.instantdb.jdbc.idbResultsSet.readFromStream

controlflow
/idbResultsSet.java:791 Enclosing Method:readFromStream
ID 10601954 - WebContent/WEB-INF/lib/org/enhydra/instantdb/jdbc Sink:org.enhydra.instantdb.jdbc.idbResultsSet .updateCharacterStream

controlflow
/idbResultsSet.java:811 Enclosing Method:updateCharacterStream
ID 10601943 - WebContent/WEB-INF/lib/org/enhydra/instantdb/jdbc Sink:org.enhydra.instantdb.jdbc.idbStatement.executeBatch

controlflow
/idbStatement.java:361 Enclosing Method:executeBatch
6.2.2 Open Redirect High
CWE ID 601
OWASP Top 10: A10 Unvalidated Redirects and Forwards
Summary
The file passes unvalidated data to an HTTP redirect function on line . Allowing unvalidated input to control the URL used in a redirect can aid phishing
attacks.Allowing unvalidated input to control the URL used in a redirect can aid phishing attacks.
Explanation
Redirects allow web applications to direct users to different pages within the same application or to external sites. Applications utilize redirects to aid in site
navigation and, in some cases, to track how users exit the site. Open redirect vulnerabilities occur when a web application redirects clients to any arbitrary
URL that can be controlled by an attacker.
Attackers can utilize open redirects to trick users into visiting a URL to a trusted site and redirecting them to a malicious site. By encoding the URL, an
attacker can make it more difficult for end-users to notice the malicious destination of the redirect, even when it is passed as a URL parameter to the trusted
site. Open redirects are often abused as part of phishing scams to harvest sensitive end-user data.
In this case, the URL the client will be redirected to is accepted at in config.jsp at line 12.
The data is sent at in config.jsp at line 12.
Example 1: The following JSP code instructs the user's browser to open a URL parsed from the dest request parameter when a user clicks the link.
<%
...
String strDest = request.getParameter("dest");
pageContext.forward(strDest);
...
%>
If a victim received an email instructing the user to follow a link to "http://trusted.example.com/ecommerce/redirect.asp?dest=www.wilyhacker.

com", the user would likely click on the link believing they would be transferred to the trusted site. However, when the user clicks the link, the code above will
redirect the browser to "http://www.wilyhacker.com".
Many users have been educated to always inspect URLs they receive in emails to make sure the link specifies a trusted site they know. However, if the
attacker Hex encoded the destination url as follows:
"http://trusted.example.com/ecommerce/redirect.asp?dest=%77%69%6C%79%68%61
%63%6B%65%72%2E%63%6F%6D"
then even a savvy end-user may be fooled into following the link.
Recommendation
Unvalidated user input should not be allowed to control the destination URL in a redirect. Instead, use a level of indirection: create a list of legitimate URLs
that users are allowed to specify and only allow users to select from the list. With this approach, input provided by users is never used directly to specify a
URL for redirects.
Example 2: The following code references an array populated with valid URLs. The link the user clicks passes in the array index that corresponds to the
desired URL.
<%
...
try {
int strDest = Integer.parseInt(request.getParameter("dest"));
if((strDest >= 0) && (strDest <= strURLArray.length -1 ))
{
strFinalURL = strURLArray[strDest];
pageContext.forward(strFinalURL);
}
}
catch (NumberFormatException nfe) {
// Handle exception
...
}
...
%>
In some situations this approach is impractical because the set of legitimate URLs is too large or too hard to keep track of. In such cases, use a similar
approach to restrict the domains that users can be redirected to, which can at least prevent attackers from sending users to malicious external sites.

Instances
Open Redirect High
Package: /lessons/ConfManagement
Sink:/lessons/ConfManagement.config.jsp._jspService
ID 10601964 - WebContent/lessons/ConfManagement/config.jsp:12 dataflow
/lessons/ConfManagement.config.jsp._jspService in config.jsp:12
Sink:/lessons/ConfManagement.config.jsp._jspService
ID 10601965 - WebContent/lessons/ConfManagement/config.jsp:12 dataflow
/lessons/ConfManagement.config.jsp._jspService in config.jsp:11
Package: /lessons/General
Sink:/lessons/General.redirect.jsp._jspService
ID 10601910 - WebContent/lessons/General/redirect.jsp:12 dataflow
/lessons/General.redirect.jsp._jspService in redirect.jsp:12
6.2.3 Password Management: Empty Password High
CWE ID 259
OWASP Top 10: A6 Sensitive Data Exposure
PCI 3.0: Requirement 3.4, Requirement 6.5.3, Requirement 8.2.1
Summary
Empty passwords may compromise system security in a way that cannot be easily remedied.
Explanation
It is never a good idea to assign an empty string to a password variable. If the empty password is used to successfully authenticate against another system,
then the corresponding account's security is likely compromised because it accepts an empty password. If the empty password is merely a placeholder until a
legitimate value can be assigned to the variable, then it can confuse anyone unfamiliar with the code and potentially cause problems on unexpected control
flow paths.
In this case an empty password was found in the call to in Database.java at line 124.
Example 1: The code below attempts to connect to a database with an empty password.
...
DriverManager.getConnection(url, "scott", "");
...
If the code in Example 1 succeeds, it indicates that the database user account "scott" is configured with an empty password, which can be easily guessed by
an attacker. Even worse, once the program has shipped, updating the account to use a non-empty password will require a code change.
Example 2: The code below initializes a password variable to an empty string, attempts to read a stored value for the password, and compares it against a
user-supplied value.
...
String storedPassword = "";
String temp;
if ((temp = readPassword()) != null) {

storedPassword = temp;
}
if(storedPassword.equals(userPassword))
// Access protected resources
...
}
...
If readPassword() fails to retrieve the stored password due to a database error or another problem, then an attacker could trivially bypass the
password check by providing an empty string for userPassword.
In the mobile world, password management is even trickier, considering a much higher chance of device loss.
Example 3: The code below initializes username and password variables to empty strings, reads credentials from an Android WebView store if they have not
been previously rejected by the server for the current request, and uses them to setup authentication for viewing protected pages.
...
webview.setWebViewClient(new WebViewClient() {
public void onReceivedHttpAuthRequest(WebView view,
HttpAuthHandler handler, String host, String realm) {
String username = "";
String password = "";
if (handler.useHttpAuthUsernamePassword()) {
String[] credentials = view.getHttpAuthUsernamePassword(host, realm);
username = credentials[0];
password = credentials[1];
}
handler.proceed(username, password);
}
});
...
Similar to Example 2, if useHttpAuthUsernamePassword() returns false, an attacker will be able to view protected pages by supplying an empty
password.
Recommendation
Always read stored password values from encrypted, external resources and assign password variables meaningful values. Ensure that sensitive resources
are never protected with empty or null passwords.
For Android, as well as any other platform that uses SQLite database, a good option is SQLCipher -- an extension to SQLite database that provides
transparent 256-bit AES encryption of database files. Thus, credentials can be stored in an encrypted database.
Example 4: The code below demonstrates how to integrate SQLCipher into an Android application after downloading the necessary binaries, and store
credentials into the database file.
import net.sqlcipher.database.SQLiteDatabase;
...
SQLiteDatabase.loadLibs(this);
File dbFile = getDatabasePath("credentials.db");
dbFile.mkdirs();
dbFile.delete();
SQLiteDatabase db = SQLiteDatabase.openOrCreateDatabase(dbFile, "credentials", null);
db.execSQL("create table credentials(u, p)");
db.execSQL("insert into credentials(u, p) values(?, ?)", new Object[]{username, password});
...
Note that references to android.database.sqlite.SQLiteDatabase are substituted with those of

net.sqlcipher.database.SQLiteDatabase.
To enable encryption on the WebView store, WebKit has to be re-compiled with the sqlcipher.so library.

Instances
Password Management: Empty Password High
Sink:FieldAccess: defaultPassword in
ID 10601904 - WebContent/WEB-INF/lib/org/enhydra/instantdb/db /Database.java:124 Database.java:124 structural
Enclosing Method:Database
6.2.4 Password Management: Password in
High
Configuration File
CWE ID 13, CWE ID 260, CWE ID 555
OWASP Top 10: A6 Sensitive Data Exposure
PCI 3.0: Requirement 3.4, Requirement 6.5.3, Requirement 8.2.1
Summary
Storing a plaintext password in a configuration file may result in a system compromise.
Explanation
Storing a plaintext password in a configuration file allows anyone who can read the file access to the password-protected resource. Developers sometimes
believe that they cannot defend the application from someone who has access to the configuration, but this attitude makes an attacker's job easier. Good
password management guidelines require that a password never be stored in plaintext.
In this case, a hardcoded password exists in server-config.wsdd at line 11.
Recommendation
A password should never be stored in plaintext. Instead, the password should be entered by an administrator when the system starts. If that approach is
impractical, a less secure but often adequate solution is to obfuscate the password and scatter the de-obfuscation material around the system so that an
attacker has to obtain and correctly combine multiple system resources to decipher the password.
Some third-party products claim the ability to manage passwords in a more secure way. For example, WebSphere Application Server 4.x uses a simple XOR
encryption algorithm for obfuscating values, but be skeptical about such facilities. WebSphere and other application servers offer outdated and relatively
weak encryption mechanisms that are insufficient for security-sensitive environments. For a secure solution the only viable option is a proprietary one.
Instances
Password Management: Password in Configuration File High
Package: N/A
Sink: in server-config.wsdd:11
ID 10601851 - WebContent/WEB-INF/server-config.wsdd:11 configuration
Enclosing Method:
6.2.5 Unreleased Resource: Database High
CWE ID 404
OWASP Top 10: None
Summary
The function in sometimes fails to release a system resource allocated by on line .The program can potentially fail to release a database connection.
Explanation
The program can potentially fail to release a database connection.
In this case, there are program paths on which the resource allocated in JdbcImporter.java at line 55 is not released.
Resource leaks have at least two common causes:
- Error conditions and other exceptional circumstances.
- Confusion over which part of the program is responsible for releasing the resource.
Most unreleased resource issues result in general software reliability problems, but if an attacker can intentionally trigger a resource leak, the attacker may be
able to launch a denial of service attack by depleting the resource pool.
Example: Under normal conditions, the following code executes a database query, processes the results returned by the database, and closes the allocated
statement object. But if an exception occurs while executing the SQL or processing the results, the statement object will not be closed. If this happens often
enough, the database will run out of available cursors and not be able to execute any more SQL queries.

ResultSet rs = stmt.executeQuery(CXN_SQL);
harvestResults(rs);
stmt.close();
Recommendation
1. Never rely on finalize() to reclaim resources. In order for an object's finalize() method to be invoked, the garbage collector must determine
that the object is eligible for garbage collection. Because the garbage collector is not required to run unless the JVM is low on memory, there is no guarantee
that an object's finalize() method will be invoked in an expedient fashion. When the garbage collector finally does run, it may cause a large number of
resources to be reclaimed in a short period of time, which can lead to "bursty" performance and lower overall system throughput. This effect becomes more
pronounced as the load on the system increases.
Finally, if it is possible for a resource reclamation operation to hang (if it requires communicating over a network to a database, for example), then the thread
that is executing the finalize() method will hang.
2. Release resources in a finally block. The code for the Example should be rewritten as follows:
public void execCxnSql(Connection conn) {

Statement stmt;
try {
stmt = conn.createStatement();
ResultSet rs = stmt.executeQuery(CXN_SQL);
...
}
finally {
if (stmt != null) {
safeClose(stmt);
}
}
}
public static void safeClose(Statement stmt) {

if (stmt != null) {
try {
stmt.close();
} catch (SQLException e) {
log(e);
}
}
}
This solution uses a helper function to log the exceptions that might occur when trying to close the statement. Presumably this helper function will be reused
whenever a statement needs to be closed.
Also, the execCxnSql method does not initialize the stmt object to null. Instead, it checks to ensure that stmt is not null before calling
safeClose(). Without the null check, the Java compiler reports that stmt might not be initialized. This choice takes advantage of Java's ability to
detect uninitialized variables. If stmt is initialized to null in a more complex method, cases in which stmt is used without being initialized will not be
detected by the compiler.

Instances
Unreleased Resource: Database High
ID 10601818 - WebContent/WEB-INF/lib/org/enhydra/instantdb/db Sink:org.enhydra.instantdb.db.JdbcImporter.JdbcImporter

controlflow
/JdbcImporter.java:60 Enclosing Method:JdbcImporter

controlflow

controlflow
6.2.6 Unreleased Resource: Streams High
CWE ID 404
OWASP Top 10: None
Summary
The function in sometimes fails to release a system resource allocated by on line .The program can potentially fail to release a system resource.
Explanation
The program can potentially fail to release a system resource.
In this case, there are program paths on which the resource allocated in BlobColumn.java at line 223 is not released.
Resource leaks have at least two common causes:
- Error conditions and other exceptional circumstances.
- Confusion over which part of the program is responsible for releasing the resource.
Most unreleased resource issues result in general software reliability problems, but if an attacker can intentionally trigger a resource leak, the attacker may be
able to launch a denial of service attack by depleting the resource pool.
Example: The following method never closes the file handle it opens. The finalize() method for FileInputStream eventually calls close(), but
there is no guarantee as to how long it will take before the finalize() method will be invoked. In a busy environment, this can result in the JVM using up
all of its file handles.
private void processFile(String fName) throws FileNotFoundException, IOException {

FileInputStream fis = new FileInputStream(fName);
int sz;
byte[] byteArray = new byte[BLOCK_SIZE];
while ((sz = fis.read(byteArray)) != -1) {
processBytes(byteArray, sz);
}
}
Recommendation
1. Never rely on finalize() to reclaim resources. In order for an object's finalize() method to be invoked, the garbage collector must determine
that the object is eligible for garbage collection. Because the garbage collector is not required to run unless the JVM is low on memory, there is no guarantee
that an object's finalize() method will be invoked in an expedient fashion. When the garbage collector finally does run, it may cause a large number of
resources to be reclaimed in a short period of time, which can lead to "bursty" performance and lower overall system throughput. This effect becomes more
pronounced as the load on the system increases.
Finally, if it is possible for a resource reclamation operation to hang (if it requires communicating over a network to a database, for example), then the thread
that is executing the finalize() method will hang.
2. Release resources in a finally block. The code for the Example should be rewritten as follows:
public void processFile(String fName) throws FileNotFoundException, IOException {

FileInputStream fis;
try {
fis = new FileInputStream(fName);
int sz;
byte[] byteArray = new byte[BLOCK_SIZE];
while ((sz = fis.read(byteArray)) != -1) {
processBytes(byteArray, sz);
}
}
finally {
if (fis != null) {
safeClose(fis);
}
}
}
public static void safeClose(FileInputStream fis) {

if (fis != null) {
try {
fis.close();
} catch (IOException e) {
log(e);
}
}
}
This solution uses a helper function to log the exceptions that might occur when trying to close the stream. Presumably this helper function will be reused
whenever a stream needs to be closed.
Also, the processFile method does not initialize the fis object to null. Instead, it checks to ensure that fis is not null before calling
safeClose(). Without the null check, the Java compiler reports that fis might not be initialized. This choice takes advantage of Java's ability to
detect uninitialized variables. If fis is initialized to null in a more complex method, cases in which fis is used without being initialized will not be
detected by the compiler.

Instances
Unreleased Resource: Streams High
Package: com.t_tank.j2h
Sink:com.t_tank.j2h.Java2Html.initialize
Enclosing Method:initialize
Sink:com.t_tank.j2h.Java2Html.initialize
Enclosing Method:initialize
Sink:com.t_tank.j2h.Java2Html.initializeAPIClasses
Enclosing Method:initializeAPIClasses
Sink:com.t_tank.j2h.Java2Html.initializeKeywords
Enclosing Method:initializeKeywords
ID 10601955 - WebContent/WEB-INF/lib/org/enhydra/instantdb/db Sink:org.enhydra.instantdb.db.BlobColumn.toObject

controlflow
/BlobColumn.java:223 Enclosing Method:toObject

controlflow
ID 10601937 - WebContent/WEB-INF/lib/org/enhydra/instantdb/db Sink:org.enhydra.instantdb.db.FileImporter.FileImporter

controlflow
/FileImporter.java:104 Enclosing Method:FileImporter
ID 10601946 - WebContent/WEB-INF/lib/org/enhydra/instantdb/db Sink:org.enhydra.instantdb.db.FileImporter.FileImporter

controlflow
/FileImporter.java:99 Enclosing Method:FileImporter
ID 10601901 - WebContent/WEB-INF/lib/org/enhydra/instantdb/db Sink:org.enhydra.instantdb.db.indexTable.close
controlflow
/indexTable.java:137 Enclosing Method:close

controlflow
ID 10601909 - WebContent/WEB-INF/lib/org/enhydra/instantdb/db Sink:org.enhydra.instantdb.db.ReadAheadBuffer.ReadAheadBuffer

controlflow
/ReadAheadBuffer.java:58 Enclosing Method:ReadAheadBuffer

controlflow
ID 10601921 - WebContent/WEB-INF/lib/org/enhydra/instantdb/db/Table Sink:org.enhydra.instantdb.db.Table.markDirty

controlflow
.java:243 Enclosing Method:markDirty

controlflow
ID 10601878 - WebContent/WEB-INF/lib/org/enhydra/instantdb/db/Table Sink:org.enhydra.instantdb.db.Table.construct

controlflow
.java:174 Enclosing Method:construct
6.3.1 Cross-Site Request Forgery Low
CWE ID 352
OWASP Top 10: A8 Cross-Site Request Forgery (CSRF)
Summary
The form post at line must contain a user-specific secret in order to prevent an attacker from making unauthorized requests.Form posts must contain a
user-specific secret in order to prevent an attacker from making unauthorized requests.
Explanation
A cross-site request forgery (CSRF) vulnerability occurs when:
1. A Web application uses session cookies.
2. The application acts on an HTTP request without verifying that the request was made with the user's consent.
In this case the application generates HTTP request via a form post at EditProfile.jsp line 10.
A nonce is a cryptographic random value that is sent with a message to prevent replay attacks. If the request does not contain a nonce that proves its
provenance, the code that handles the request is vulnerable to a CSRF attack (unless it does not change the state of the application). This means a Web
application that uses session cookies has to take special precautions in order to ensure that an attacker can't trick users into submitting bogus requests.
Imagine a Web application that allows administrators to create new accounts by submitting this form:
<form method="POST" action="/new_user" >

Name of new user: <input type="text" name="username">
Password for new user: <input type="password" name="user_passwd">
<input type="submit" name="action" value="Create User">
</form>
An attacker might set up a Web site with the following:
<form method="POST" action="http://www.example.com/new_user">

<input type="hidden" name="username" value="hacker">
<input type="hidden" name="user_passwd" value="hacked">
</form>
<script>
document.usr_form.submit();
</script>
If an administrator for example.com visits the malicious page while she has an active session on the site, she will unwittingly create an account for the
attacker. This is a CSRF attack. It is possible because the application does not have a way to determine the provenance of the request. Any request could be a
legitimate action chosen by the user or a faked action set up by an attacker. The attacker does not get to see the Web page that the bogus request
generates, so the attack technique is only useful for requests that alter the state of the application.
Most Web browsers send an HTTP header named referer along with each request. The referer header is supposed to contain the URL of the referring
page, but attackers can forge it, so the referer header is not useful for determining the provenance of a request.
Applications that pass the session identifier in the URL rather than as a cookie do not have CSRF problems because there is no way for the attacker to access
the session identifier and include it as part of the bogus request.
CSRF is entry number five on the 2007 OWASP Top 10 list.
Recommendation
Applications that use session cookies must include some piece of information in every form post that the back-end code can use to validate the provenance
of the request. One way to do that is to include a random request identifier or nonce, like this:
RequestBuilder rb = new RequestBuilder(RequestBuilder.POST, "/new_user");
body = addToPost(body, new_username);
body = addToPost(body, new_passwd);
body = addToPost(body, request_id);
rb.sendRequest(body, new NewAccountCallback(callback));
Then the back-end logic can validate the request identifier before processing the rest of the form data. When possible, the request identifier should be unique
to each server request rather than shared across every request for a particular session. As with session identifiers, the harder it is for an attacker to guess the
request identifier, the harder it is to conduct a successful CSRF attack. The token should not be easily guessed and it should be protected in the same way
that session tokens are protected, such as using SSLv3.
Additional mitigation techniques include:
Framework protection: Most modern web application frameworks embed CSRF protection and they will automatically include and verify CSRF tokens.
Use a Challenge-Response control: Forcing the customer to respond to a challenge sent by the server is a strong defense against CSRF. Some of the
challenges that can be used for this purpose are: CAPTCHAs, password re-authentication and one-time tokens.
Check HTTP Referer/Origin headers: An attacked won't be able to spoof these headers while performing a CSRF attack. This makes these headers a useful
method to prevent CSRF attacks.
Double-submit Session Cookie: Sending the session ID Cookie as a hidden form value in addition to the actual session ID Cookie is a good protection against
CSRF attacks. The server will check both values and make sure they are identical before processing the rest of the form data. If an attacker submits a form in
behalf of a user, he won't be able to modify the session ID cookie value as per the same-origin-policy.
Limit Session Lifetime: When accessing protected resources using a CSRF attack, the attack will only be valid as long as the session ID sent as part of the
attack is still valid on the server. Limiting the Session lifetime will reduce the probability of a successful attack.
The techniques described here can be defeated with XSS attacks. Effective CSRF mitigation includes XSS mitigation techniques.

Instances
Cross-Site Request Forgery Low
Package: N/A
Sink: in EditProfile.jsp:10
ID 10601892 - WebContent/lessons/CrossSiteScripting/EditProfile.jsp:10 content
Enclosing Method:
Sink: in ListStaff.jsp:13
ID 10601981 - WebContent/lessons/CrossSiteScripting/ListStaff.jsp:13 content
Enclosing Method:
Sink: in Login.jsp:9
ID 10601876 - WebContent/lessons/CrossSiteScripting/Login.jsp:9 content
Enclosing Method:
Sink: in SearchStaff.jsp:15
ID 10601952 - WebContent/lessons/CrossSiteScripting/SearchStaff.jsp:15 content
Enclosing Method:
Sink: in ViewProfile.jsp:118
ID 10601821 - WebContent/lessons/CrossSiteScripting/ViewProfile.jsp:118 content
Enclosing Method:
Enclosing Method:
Enclosing Method:
Enclosing Method:
ID 10601847 - WebContent/lessons/RoleBasedAccessControl/EditProfile .jsp:10 content
Enclosing Method:
Sink: in error.jsp:10
ID 10601900 - WebContent/lessons/RoleBasedAccessControl/error.jsp:10 content
Enclosing Method:
ID 10601979 - WebContent/lessons/RoleBasedAccessControl/ListStaff.jsp:14 content
Enclosing Method:
ID 10601852 - WebContent/lessons/RoleBasedAccessControl/Login.jsp:9 content
Enclosing Method:
ID 10601934 - WebContent/lessons/RoleBasedAccessControl/SearchStaff .jsp:15 content
Enclosing Method:
ID 10601854 - WebContent/lessons/RoleBasedAccessControl/ViewProfile .jsp:128 content
Enclosing Method:
Enclosing Method:
Enclosing Method:
ID 10601894 - WebContent/lessons/SQLInjection/EditProfile.jsp:10 content
Enclosing Method:
ID 10601980 - WebContent/lessons/SQLInjection/ListStaff.jsp:14 content
Enclosing Method:
ID 10601890 - WebContent/lessons/SQLInjection/Login.jsp:9 content
Enclosing Method:
ID 10601944 - WebContent/lessons/SQLInjection/SearchStaff.jsp:15 content
Enclosing Method:
ID 10601889 - WebContent/lessons/SQLInjection/ViewProfile.jsp:138 content
Enclosing Method:
Enclosing Method:
Enclosing Method:
Enclosing Method:
Sink: in webgoat.jsp:74
ID 10601959 - WebContent/webgoat.jsp:74 content
Enclosing Method:
Sink: in webgoat_challenge.jsp:51
ID 10601864 - WebContent/webgoat_challenge.jsp:51 content
Enclosing Method:
Analysis Traces
Below is an enumeration of all static issues with their stack trace sections.
ID 10601967 - Cross-Site Scripting: Reflected Critical
Analysis Trace Source

WebContent/main.jsp:31-37
main.jsp:34 - getParameter(return)
String printCookies = "";
main.jsp:34 - Assignment to menu String lessonComplete = "<img src=\"images/buttons/lessonComplete.jpg\">";
String m = "menu";
main.jsp:114 - print(0) String menu = request.getParameter(m);
List categories = course.getCategories();
if (webSession.isAuthorizedInLesson(webSession.getRole(), WebSession.SHOWHINTS))
{
%>
<a href="attack?show=PreviousHint&menu=<%=menu%>" target="_top" onclick="MM_nbGroup('down','group1','hintLeft','',1)"
onmouseover="MM_nbGroup('over','hintLeft','images/buttons/hintLeftOver.jpg','',1)"
onmouseout="MM_nbGroup('out')">
<img src="images/buttons/hintLeft.jpg" alt="Previous Hint" name="hintLeft" width="22" height="20" border="0" id="hintLeft"/>
Analysis Trace Diagram
main.jsp._jspService
getParameter(return)
Assignment to menu
print(0)

String m = "menu";
<img src="images/buttons/hintLeft.jpg" alt="Previous Hint" name="hintLeft" width="22" height="20" border="0" id="hintLeft"/>
</a>
<a href="attack?show=NextHint&menu=<%=menu%>" target="_top" onclick="MM_nbGroup('down','group1','hint','',1)"
onmouseover="MM_nbGroup('over','hint','images/buttons/hintOver.jpg','',1)"
<img src="images/buttons/hint.jpg" alt="Hints" name="hint" width="35" height="20" border="0" id="hint"/>
Assignment to menu
print(0)

String m = "menu";
<img src="images/buttons/params.jpg" alt="Show Params" name="attack?show=Params" width="92" height="20" border="0"
id="params"/>
</a>
<a href="attack?show=Cookies&menu=<%=menu%>" target="_top" onclick="MM_nbGroup('down','group1','cookies','',1)"
onmouseover="MM_nbGroup('over','cookies','images/buttons/cookiesOver.jpg','',1)"
Assignment to menu
print(0)

String m = "menu";
<img src="images/buttons/hint.jpg" alt="Hints" name="hint" width="35" height="20" border="0" id="hint"/>
</a>
<a href="attack?show=NextHint&menu=<%=menu%>" target="_top" onclick="MM_nbGroup('down','group1','hintRight','',1)"
onmouseover="MM_nbGroup('over','hintRight','images/buttons/hintRightOver.jpg','',1)"
<img src="images/buttons/hintRight.jpg" alt="Next Hint" name="hintRight" width="20" height="20" border="0" id="hintRight"/>
Assignment to menu
print(0)

String m = "menu";
<img src="images/buttons/hintRight.jpg" alt="Next Hint" name="hintRight" width="20" height="20" border="0" id="hintRight"/>
</a>
<%}%>
<a href="attack?show=Params&menu=<%=menu%>" target="_top" onclick="MM_nbGroup('down','group1','params','',1)"
onmouseover="MM_nbGroup('over','params','images/buttons/paramsOver.jpg','',1)"
<img src="images/buttons/params.jpg" alt="Show Params" name="attack?show=Params" width="92" height="20" border="0"
Assignment to menu
print(0)

WebContent/lessons/CrossSiteScripting/SearchStaff.jsp:4-10
SearchStaff.jsp:7 - getParameter(return)
<div id="lesson_search">
SearchStaff.jsp:7 - Assignment to searchedName <%
WebSession webSession = ((WebSession)session.getAttribute("websession"));
SearchStaff.jsp:11 - print(0) String searchedName = request.getParameter(CrossSiteScripting.SEARCHNAME);
if (searchedName != null)
{
%>
{
%>
Employee <%=searchedName%> not found.
<%
}
%>
SearchStaff.jsp._jspService
Assignment to searchedName
print(0)

WebContent/lessons/RoleBasedAccessControl/SearchStaff.jsp:4-10
SearchStaff.jsp:11 - print(0) String searchedName = request.getParameter(RoleBasedAccessControl.SEARCHNAME);
{
%>
{
%>
<%
}
%>
print(0)

WebContent/lessons/SQLInjection/SearchStaff.jsp:4-10
SearchStaff.jsp:11 - print(0) String searchedName = request.getParameter(SQLInjection.SEARCHNAME);
{
%>
{
%>
<%
}
%>
print(0)
ID 10601975 - Null Dereference High

N/A
BlobColumn.java:495 - Assigned null : <inline expression>
No source available
BlobColumn.java:508 - Dereferenced : <inline expression>
BlobColumn.getByRow
Assigned null : <inline expression>
Dereferenced : <inline expression>

N/A
No source available
BlobColumn.writeObject

N/A
No source available
BlobColumn.java:577 - Branch not taken: (traceIt(4) != 0)
BlobColumn.onClose BlobColumn.java
Branch not taken: (traceIt(4) != 0)

N/A
No source available
BlobColumn.BlobColumn

N/A
No source available
BlobColumn.deleteBlob

N/A
No source available
BlobColumn.getOffsetByRow

N/A
BlobColumn.java:152 - Branch taken: (<inline No source available
BlobColumn.java:152 - goto
BlobColumn.java:165 - Branch not taken: (<inline expression> !=
BlobColumn.extractBinaryNumbers BlobColumn.java
Branch taken: (<inline

expression>.countTokens() != 1)
goto
Branch not taken: (<inline expression> != null)

N/A
ByteColumn.java:286 - Assigned null : <inline expression>
No source available
ByteColumn.java:289 - Dereferenced : <inline expression>
ByteColumn.deleteBitSet

N/A
ByteColumn.java:245 - Assigned null : <inline expression>
No source available
ByteColumn.java:259 - Dereferenced : <inline expression>
ByteColumn.getByRow

N/A
Char1Column.java:123 - Assigned null : <inline expression>
No source available
Char1Column.java:131 - Dereferenced : <inline expression>
Char1Column.getByRow

N/A
Char1Column.java:165 - Assigned null : <inline expression>
No source available
Char1Column.java:179 - Dereferenced : <inline expression>
Char1Column.equalToRow

N/A
Column.java:327 - Assigned null : <inline expression>
No source available
Column.java:329 - Dereferenced : <inline expression>
Column.getByRow

N/A
Column.java:521 - Assigned null : <inline expression>
No source available
Column.java:523 - Dereferenced : <inline expression>
Column.setRow

N/A
Cursor.java:196 - Assigned null : <inline expression>
No source available
Cursor.java:202 - Dereferenced : <inline expression>
Cursor.update

N/A
Database.java:772 - Assigned null : <inline expression>
No source available
Database.java:774 - Dereferenced : <inline expression>
Database.dbCreate

N/A
No source available
Database.dbCreate

N/A
No source available
Database.dbCreate

N/A
No source available
Database.dbOpen

N/A
No source available
Database.initialise

N/A
No source available
Database.close

N/A
No source available
Database.setPath

N/A
No source available
Database.dbOpen

N/A
No source available
Database.initialise

N/A
No source available
Database.execSQL

N/A
Database.java:1200 - Branch taken: (<inline expression> != null) No source available
Database.java:1200 - goto
Database.run Database.java
Branch taken: (<inline expression> != null)
goto

N/A
Database.java:1190 - Branch not taken: (<inline No source available
Database.run Database.java
Branch not taken: (<inline

expression>.timerQueue != null)

N/A
No source available
Database.initialise

N/A
DateColumn.java:357 - Assigned null : <inline expression>
No source available
DateColumn.java:362 - Dereferenced : <inline expression>
DateColumn.toDate

N/A
No source available
DateColumn.java:357 - java.lang.Throwable thrown
DateColumn.java:365 - Branch not taken: (<inline expression> !=
DateColumn.java:367 - Branch taken: (<inline expression> ==
DateColumn.java:367 - goto
DateColumn.toDate DateColumn.java
java.lang.Throwable thrown
Branch taken: (<inline expression> == null)
goto

N/A
No source available
DateColumn.java:372 - Branch taken: (<inline expression> <
DateColumn.toDate DateColumn.java
goto
goto
Branch taken: (<inline expression> <

(dateFormats.length))
goto
goto

N/A
No source available
DateColumn.setFormatArray DateColumn.java

N/A
No source available
DateColumn.setFormatArray

N/A
DoubleColumn.java:165 - Assigned null : <inline expression>
No source available
DoubleColumn.java:170 - Dereferenced : <inline expression>
DoubleColumn.getByRow

N/A
expression.java:321 - Assigned null : null
expression.java:324 - Branch not taken: (<inline expression> != No source available
expression.java:325 - Branch not taken: (null != null)

expression.java:326 - Dereferenced : null
expression.interpretColumn expression.java
Assigned null : null
Branch not taken: (null != null)
Dereferenced : null

N/A
FileImporter.java:60 - Assigned null : <inline expression>
No source available
FileImporter.java:63 - Dereferenced : <inline expression>
FileImporter.getFilePath

N/A
FileImporter.java:316 - Assigned null : <inline expression>
FileImporter.java:319 - Branch taken: (<inline expression>.type No source available
FileImporter.java:319 - goto
FileImporter.java:325 - Branch taken: (<inline expression> !=
FileImporter.java:327 - Dereferenced : <inline expression>
FileImporter.getNextRow FileImporter.java
Branch taken: (<inline expression>.type != 6)
goto
goto

N/A
FloatColumn.java:176 - Assigned null : <inline expression>
No source available
FloatColumn.java:181 - Dereferenced : <inline expression>
FloatColumn.getByRow

N/A
idbConnection.java:79 - Assigned null : <inline expression>
No source available
idbConnection.java:88 - Dereferenced : <inline expression>
idbConnection.idbConnection

N/A
idbDriver.java:50 - Assigned null : <inline expression>
No source available
idbDriver.java:52 - Dereferenced : <inline expression>
idbDriver.<static>

idbPreparedStatement.java:268 - Assigned null : <inline N/A
idbPreparedStatement.java:279 - Dereferenced : <inline No source available
idbPreparedStatement.executeBatch

idbPreparedStatement.setAsciiStream

idbPreparedStatement.setAnyStream

N/A
idbResultsSet.java:809 - Assigned null : <inline expression>
No source available
idbResultsSet.java:811 - Dereferenced : <inline expression>
idbResultsSet.updateCharacterStream

N/A
idbResultsSet.java:789 - Assigned null : <inline expression>
No source available
idbResultsSet.java:791 - Dereferenced : <inline expression>
idbResultsSet.readFromStream

N/A
idbStatement.java:350 - Assigned null : <inline expression>
No source available
idbStatement.java:361 - Dereferenced : <inline expression>
idbStatement.executeBatch

N/A
indexTable.java:290 - Assigned null : <inline expression>
No source available
indexTable.java:310 - Dereferenced : <inline expression>
indexTable.indexTable

N/A
No source available
indexTable.bind

N/A
No source available
indexTable.java:361 - goto
indexTable.java:361 - Branch taken: (<inline expression> <=
indexTable.java:362 - Branch not taken: (<inline
indexTable.bind indexTable.java
goto
Branch taken: (<inline expression> <= <inline

expression>.rowCount)
goto
expression>.rowDeleted(<inline expression>)
expression>.tblID.equals(<inline expression>)

expression>.parentTable == null)
goto

expression>.hasMoreElements() == 0)

N/A
No source available
indexTable.java:181 - Branch not taken: (<inline expression> >=
indexTable.getColsFromNames indexTable.java
goto
Branch not taken: (<inline expression> >=

<inline expression>.size())
expression>.indexedCols.size() == 1)

N/A
No source available
indexTable.indexTable

N/A
No source available
indexTable.bind indexTable.java
goto

expression>.indexedCols.size() == 1)

N/A
IntegerColumn.java:262 - Assigned null : <inline expression>
No source available
IntegerColumn.java:267 - Dereferenced : <inline expression>
IntegerColumn.getByRow

N/A
IntegerColumn.java:289 - Assigned null : <inline expression>
No source available
IntegerColumn.java:295 - Dereferenced : <inline expression>
IntegerColumn.equalToRow

N/A
Java2Html.java:148 - Assigned null : <inline expression>
No source available
Java2Html.java:148 - Dereferenced : <inline expression>
Java2Html.class$

N/A
No source available
Java2Html.java:204 - goto
Java2Html.java:207 - Branch taken: (<inline
Java2Html.java:358 - Branch taken: (<inline expression> == 0)
Java2Html.java:366 - Branch not taken: (<inline expression> ==
Java2Html.java:366 - Branch not taken: (<inline expression> !=
Java2Html.generateHtml Java2Html.java
goto

expression>.hasMoreTokens() != 0)
goto
goto
goto
Branch taken: (<inline expression> == 0)
goto
goto
Branch not taken: (<inline expression> == 0)

N/A
No source available
Java2Html.main

N/A
Journal.java:114 - Assigned null : <inline expression>
No source available
Journal.java:133 - Dereferenced : <inline expression>
Journal.openLog

N/A
No source available
Journal.closeLog

N/A
No source available
Journal.updateTransactionCount

N/A
No source available
Journal.rollback

N/A
LongColumn.java:259 - Assigned null : <inline expression>
No source available
LongColumn.java:264 - Dereferenced : <inline expression>
LongColumn.getByRow

N/A
LongColumn.java:324 - Assigned null : <inline expression>
No source available
LongColumn.java:330 - Dereferenced : <inline expression>
LongColumn.equalToRow

ReadAheadBuffer.java:166 - Assigned null : <inline expression> N/A
ReadAheadBuffer.java:168 - Dereferenced : <inline expression> No source available
ReadAheadBuffer.readRow

N/A
Search.java:884 - Assigned null : <inline expression>
No source available
Search.java:885 - goto
Search.java:888 - Dereferenced : <inline expression>
Search.evaluate Search.java
goto

SQLProg.java:1115 - Assigned null : <inline expression>.rsTable N/A
SQLProg.java:1127 - Dereferenced : <inline No source available
SQLProg.handleGroupBy
Assigned null : <inline expression>.rsTable
Dereferenced : <inline
expression>.groupTable

N/A
SQLProg.java:1360 - Assigned null : <inline expression>
No source available
SQLProg.java:1363 - goto
SQLProg.java:1366 - Branch not taken: (<inline expression> >=
SQLProg.java:1372 - Dereferenced : <inline expression>
SQLProg.compile_select SQLProg.java
goto
goto
Branch not taken: (<inline expression> >=

<inline expression>.size())

N/A
No source available
SQLProg.execute

N/A
No source available
SQLProg.java:252 - Branch not taken: (traceIt(4) != 0)
SQLProg.execute SQLProg.java

N/A
No source available
SQLProg.compile_import

N/A
No source available
SQLProg.compile_set

N/A
No source available
SQLProg.compile_alter_table

N/A
No source available
SQLProg.compile_create_table

N/A
No source available
SQLProg.java:252 - Branch taken: (traceIt(4) == 0)
SQLProg.execute SQLProg.java
Branch taken: (traceIt(4) == 0)
goto

N/A
No source available
SQLProg.compile_set

N/A
No source available
SQLProg.compile_select

N/A
SQLProg.java:359 - Branch taken: (<inline No source available
SQLProg.java:367 - Branch taken: (<inline
SQLProg.java:380 - Branch not taken: (<inline
SQLProg.compile_alter_table SQLProg.java

expression>.matched.containsKey("column")
goto
expression>.matched.containsKey("add_col")
goto
expression>.matched.containsKey("alter_col")

N/A
sqltoken.java:156 - Assigned null : <inline expression>
sqltoken.java:159 - Branch taken: (<inline expression>.type != 1) No source available
sqltoken.java:159 - goto
sqltoken.java:164 - Branch taken: (<inline expression>.type != 2)
sqltoken.java:186 - Branch taken: (<inline
sqltoken.java:217 - Branch not taken: (<inline
sqltoken.java:217 - Branch not taken: (<inline expression> == 0)
sqltoken.java:218 - Dereferenced : <inline expression>
sqltoken.setupToken sqltoken.java
goto
goto
goto
expression>.lastIndexOf(<inline expression>)
goto
goto
Branch taken: (<inline expression>.equals("[")

== 0)
goto
Branch taken: (<inline expression>.equals("{")

== 0)
goto
Branch taken: (<inline expression>.equals("|")

== 0)
goto
Branch taken: (<inline expression>.equals("<")

== 0)
goto

expression>.equals(",...") != 0)

N/A
sqltoken.java:159 - Branch taken: (<inline expression>.type != 1) No source available
sqltoken.java:219 - Branch not taken: (<inline
sqltoken.java:219 - Branch not taken: (<inline expression> == 0)
sqltoken.setupToken sqltoken.java
goto
goto
goto
expression>.lastIndexOf(<inline expression>)
goto
goto
Branch taken: (<inline expression>.equals("[")

== 0)
goto
Branch taken: (<inline expression>.equals("{")

== 0)
goto
Branch taken: (<inline expression>.equals("|")

== 0)
goto
Branch taken: (<inline expression>.equals("<")

== 0)
goto
Branch taken: (<inline expression>.equals(",...")

== 0)
goto

expression>.equals("...") != 0)

N/A
sqltoken.java:293 - Branch taken: (<inline expression>.repeat == No source available
sqltoken.matches sqltoken.java
Branch taken: (<inline expression>.repeat ==

0)
goto
goto

N/A
StringColumn.java:172 - Assigned null : <inline expression>
No source available
StringColumn.java:194 - Dereferenced : <inline expression>
StringColumn.getByRow

N/A
StringColumn.java:214 - Assigned null : <inline expression>
No source available
StringColumn.java:229 - Dereferenced : <inline expression>
StringColumn.equalToRow

N/A
Table.java:1476 - Assigned null : <inline expression>
No source available
Table.java:1502 - Dereferenced : <inline expression>
Table.addRowAtRow

N/A
No source available
Table.registerTable

N/A
No source available
Table.rowToString

N/A
No source available
Table.markDirty

N/A
No source available
Table.java:607 - Branch not taken: (traceIt(8) != 0)
Table.recover Table.java

N/A
No source available
Table.newColAdded

N/A
No source available
Table.open

N/A
No source available
Table.swap

N/A
No source available
Table.java:619 - Branch not taken: (traceIt(4) != 0)
Table.recover Table.java

N/A
No source available
Table.java:1626 - Branch taken: (<inline expression> == null)
Table.java:1626 - goto
Table.java:1630 - Branch taken: (<inline expression> < <inline
Table.java:1630
Table.java:1632 -- Branch
goto taken: (<inline
Table.addOrderedField Table.java
goto
goto
Branch taken: (<inline expression> < <inline

expression>.columnList.size())
goto
expression>.equalsIgnoreCase(<inline
goto

N/A
No source available
Table.addRowAtRow Table.java
goto

N/A
No source available
Table.lt

N/A
No source available
Table.java:1660 - Branch taken: (<inline expression> != null)
Table.addOrderedField Table.java
goto
goto
goto

N/A
No source available
Table.saveRowCounts

N/A
No source available
Table.deleteRow

N/A
TableLock.java:294 - Assigned null : <inline expression>
No source available
TableLock.java:298 - Dereferenced : <inline expression>
TableLock.freeWriteLock

tokenList.java:199 - Assigned null : <inline N/A
No source available
tokenList.java:202 - goto
tokenList.java:202 - Branch taken: (<inline expression> < <inline
tokenList.java:237 - Dereferenced : <inline
tokenList.parseTokens tokenList.java
Assigned null : <inline expression>.curToken
goto
Branch taken: (<inline expression> < <inline

expression>)
goto
goto
goto
goto
Dereferenced : <inline expression>.curToken

N/A
tokenList.java:242 - Assigned null : <inline expression>
No source available
tokenList.java:245 - Dereferenced : <inline expression>
tokenList.parseTokens

N/A
Trace.java:250 - Assigned null : <inline expression>
No source available
Trace.java:254 - Dereferenced : <inline expression>
Trace.setExport

N/A
Transaction.java:486 - Assigned null : <inline expression>
No source available
Transaction.java:493 - Dereferenced : <inline expression>
Transaction.prepare

N/A
Transaction.java:165 - Branch taken: ((<inline No source available
Transaction.java:165 - goto
Transaction.complete Transaction.java
Branch taken: ((<inline

expression>.prepareRecordPosition - 0) == 0)
goto

N/A
Transaction.java:165 - Branch not taken: ((<inline No source available
Transaction.java:167 - {?} thrown

Transaction.complete Transaction.java
Branch not taken: ((<inline

expression>.prepareRecordPosition - 0) != 0)
{?} thrown
ID 10601964 - Open Redirect High

WebContent/lessons/ConfManagement/config.jsp:9-15
config.jsp:12 - getParameter(return)
<body>
config.jsp:12 - sendRedirect(0) <% response.sendRedirect("/WebGoat/attack?" +
"Screen=" + request.getParameter("Screen") +
"&menu=" + request.getParameter("menu") +
"&succeeded=yes");
%>
config.jsp._jspService
sendRedirect(0)

config.jsp:11 - getParameter(return)
</head>
config.jsp:12 - sendRedirect(0) <body>
<% response.sendRedirect("/WebGoat/attack?" +
"&succeeded=yes");
%>
<body>
"&succeeded=yes");
%>
config.jsp._jspService
sendRedirect(0)

WebContent/lessons/General/redirect.jsp:9-15
redirect.jsp:12 - getParameter(return)
<body>
redirect.jsp:12 - sendRedirect(0) <% response.sendRedirect("/WebGoat/attack?" +
"&fromRedirect=yes&language=" + request.getParameter("language"));
%>
</body>
redirect.jsp._jspService
sendRedirect(0)

redirect.jsp:12 - sendRedirect(0) "Screen=" + request.getParameter("Screen") +
%>
</body>
</html>
<body>
%>
</body>
sendRedirect(0)

</head>
redirect.jsp:12 - sendRedirect(0) <body>
%>
<body>
%>
</body>
sendRedirect(0)
ID 10601904 - Password Management: Empty Password High

N/A
Database.java:124 - FieldAccess: defaultPassword
No source available
Database.java:1 - Field: defaultPassword
Database.java
FieldAccess: defaultPassword
Field: defaultPassword
ID 10601851 - Password Management: Password in Configuration File High

WebContent/WEB-INF/server-config.wsdd:8-14
server-config.wsdd:11
<parameter name="disablePrettyXML" value="true"/>
<parameter name="adminPassword" value="admin"/>
<!--
server-config.wsdd
ID 10601849 - Unreleased Resource: Database High

JdbcImporter.java:54 - Branch not taken: (<inline expression> != N/A
No source available
JdbcImporter.java:55 - getConnection(...)
JdbcImporter.java:55 - <inline expression>.con refers to a
JdbcImporter.java:54 - goto
JdbcImporter.java:60 - <inline
JdbcImporter.java:60 - <inline expression>.stmt refers to a
JdbcImporter.java:61 - null thrown

JdbcImporter.java:61 - throw
JdbcImporter.java:61 - end scope : Database resource leaked :
JdbcImporter.java JdbcImporter.JdbcImporter
getConnection(...)
<inline expression>.con refers to a database

connection
goto
<inline expression>.con.createStatement()
<inline expression>.stmt refers to a database

command
<inline expression>.stmt.executeQuery(...)
null thrown
throw
end scope : Database resource leaked : null

thrown

No source available
JdbcImporter.java:60 - <inline expression>.con no longer refers
JdbcImporter.java:60 - <inline expression> no longer refers to a
getConnection(...)

connection
goto
null thrown
throw
<inline expression>.con no longer refers to a

database connection
<inline expression> no longer refers to a
database connection
thrown

No source available

getConnection(...)

connection
goto
<inline expression>.con.createStatement()
null thrown
throw

thrown
ID 10601955 - Unreleased Resource: Streams High

BlobColumn.java:205 - Branch taken: (<inline expression> != N/A
No source available
BlobColumn.java:206 - Branch not taken: ((<inline expression>
BlobColumn.java:208 - Branch taken: (<inline
BlobColumn.java:223 - new FileInputStream(...)
BlobColumn.java:223 - <inline expression> refers to an allocated
BlobColumn.java:226 - {?} thrown

BlobColumn.java:226 - <inline expression> no longer refers to
BlobColumn.java:226 - <inline expression> no longer refers to
BlobColumn.java:226 - end scope : Resource leaked
BlobColumn.java BlobColumn.toObject
goto
Branch not taken: ((<inline expression>

instanceof null) != 0)
Branch taken: (<inline expression>.binType !=
STRING_BLOB)
goto
new FileInputStream(...)
<inline expression> refers to an allocated

resource
{?} thrown
<inline expression> no longer refers to an

allocated resource
allocated resource
end scope : Resource leaked

N/A
No source available
Database.java:523 - new FileInputStream(...)
Database.java:523 - <inline expression> refers to an allocated
Database.java:524 - new BufferedInputStream(<inline
Database.java:524 - <inline expression> refers to an allocated
Database.java:525 - <inline expression> no longer refers to an
Database.java:525 - end scope : Resource leaked
Database.java Database.initialise
goto
goto

resource
new BufferedInputStream(<inline
expression>)
resource
allocated resource
allocated resource
allocated resource
allocated resource

FileImporter.java:96 - Branch not taken: (<inline expression> != N/A
No source available
FileImporter.java:98 - new FileReader(...)
FileImporter.java:98 - <inline expression> refers to an allocated
FileImporter.java:99 - new BufferedReader(<inline expression>)
FileImporter.java:102 - null thrown

FileImporter.java:102 - throw
FileImporter.java:102 - <inline expression> no longer refers to
FileImporter.java:102 - end scope : Resource leaked : null
FileImporter.java FileImporter.FileImporter
new FileReader(...)

resource
new BufferedReader(<inline expression>)

resource
null thrown
throw

allocated resource
allocated resource
allocated resource
allocated resource
end scope : Resource leaked : null thrown

N/A
No source available
FileImporter.java:103 - new FileReader(...)
FileImporter.java:104 - new BufferedReader(<inline
FileImporter.java:104 - <inline expression>.dataSource refers to
FileImporter.java:110 - Branch not taken: (<inline expression>
FileImporter.java:110 - Branch not taken: (<inline expression>
FileImporter.java:111 - throw
FileImporter.java:111 - <inline expression>.dataSource no longer
FileImporter.java:111 - <inline expression> no longer refers to an
FileImporter.java:111 - end scope : Resource leaked
FileImporter.java FileImporter.FileImporter
goto
new FileReader(...)

resource
new BufferedReader(<inline expression>)
<inline expression>.dataSource refers to an

allocated resource
goto
Branch not taken: (<inline expression> ==

null)
throw
<inline expression>.dataSource no longer

refers to an allocated resource
allocated resource
allocated resource
allocated resource

indexTable.java:136 - Branch taken: (<inline N/A
No source available
indexTable.java:137 - new ReadAheadBuffer(...)
indexTable.java:137 - <inline expression>.rndFile refers to an
indexTable.java:138 - null thrown

indexTable.java:138 - throw
indexTable.java:138 - <inline expression>.rndFile no longer
indexTable.java:138 - <inline expression> no longer refers to an
indexTable.java:138 - end scope : Resource leaked : null thrown
indexTable.java indexTable.close

expression>.dbase.readOnly == 0)
goto
new ReadAheadBuffer(...)
<inline expression>.rndFile refers to an

allocated resource
null thrown
throw
<inline expression>.rndFile no longer refers to

an allocated resource
allocated resource

N/A
No source available
indexTable.java:288 - Branch taken: (<inline
indexTable.java:290 - new FileInputStream(...)
indexTable.java:290 - <inline expression> refers to an allocated
indexTable.java:291 - new BufferedInputStream(<inline
indexTable.java:292 - new DataInputStream(<inline
indexTable.java:294 - {?} thrown

indexTable.java:309 - end scope : Resource leaked
indexTable.java indexTable.indexTable
goto
goto
Branch taken: (<inline expression>.recovered

== 0)
goto

resource
new BufferedInputStream(<inline
expression>)
resource
new DataInputStream(<inline expression>)

resource
{?} thrown

allocated resource
allocated resource
allocated resource
allocated resource
allocated resource
allocated resource

N/A
Java2Html.java:515 - Branch taken: (<inline No source available
Java2Html.java:522 - new FileInputStream(...)
Java2Html.java:522 - <inline expression> refers to an allocated
Java2Html.java:523 - java.lang.Throwable thrown

Java2Html.java:523 - <inline expression> no longer refers to an
Java2Html.java:523 - end scope : Resource leaked :
Java2Html.java Java2Html.main
goto
Branch taken: (<inline expression>.hasNext()

!= 0)
goto

resource

allocated resource
allocated resource
end scope : Resource leaked :

N/A
Java2Html.java:766 - Branch not taken: (<inline No source available
Java2Html.java:768 - new FileOutputStream(...)

Java2Html.java:769 - new ObjectOutputStream(<inline
Java2Html.java:771 - null thrown

Java2Html.java:771 - throw
Java2Html.java:771 - end scope : Resource leaked : null thrown
Java2Html.java Java2Html.initializeAPIClasses
goto

expression>.writeSerialFiles == 1)
new FileOutputStream(...)

resource
new ObjectOutputStream(<inline
expression>)
resource
null thrown
throw

allocated resource
allocated resource
allocated resource
allocated resource

Java2Html.java:667 - Branch not taken: (<inline N/A
No source available
Java2Html.java:671 - Branch not taken: (<inline
Java2Html.java:675 - getResourceAsStream(...)
Java2Html.java:679 - new ObjectInputStream(<inline
Java2Html.java:680 - {?} thrown

Java2Html.java:680 - end scope : Resource leaked : {?} thrown
Java2Html.java Java2Html.initialize

expression>.initialized == 0)
goto

getResourceAsStream(...)

resource
new ObjectInputStream(<inline expression>)

resource
{?} thrown

allocated resource
allocated resource
allocated resource
allocated resource
end scope : Resource leaked : {?} thrown

N/A
Java2Html.java:748 - Branch not taken: (<inline No source available

Java2Html.java:751 - new ObjectOutputStream(<inline
Java2Html.java:753 - null thrown

Java2Html.java:753 - throw
Java2Html.java:753 - end scope : Resource leaked : null thrown
Java2Html.java Java2Html.initializeKeywords
goto

expression>.writeSerialFiles == 1)

resource
new ObjectOutputStream(<inline
expression>)
resource
null thrown
throw

allocated resource
allocated resource
allocated resource
allocated resource

Java2Html.java:667 - Branch not taken: (<inline N/A
No source available
Java2Html.java:671 - Branch not taken: (<inline
Java2Html.java:705 - getResourceAsStream(...)
Java2Html.java:709 - new ObjectInputStream(<inline
Java2Html.java:710 - {?} thrown

Java2Html.java:710 - end scope : Resource leaked : {?} thrown
Java2Html.java Java2Html.initialize

goto

goto
goto
goto
getResourceAsStream(...)

resource
new ObjectInputStream(<inline expression>)

resource
{?} thrown

allocated resource
allocated resource
allocated resource
allocated resource
end scope : Resource leaked : {?} thrown

N/A
Java2Html.java:515 - Branch taken: (<inline No source available
Java2Html.java:525 - java.lang.Throwable thrown

Java2Html.java:525 - end scope : Resource leaked :
Java2Html.java Java2Html.main
goto
Branch taken: (<inline expression>.hasNext()

!= 0)
goto

resource

allocated resource
allocated resource

N/A
ReadAheadBuffer.java:58 - new RandomAccessFile(...)
No source available
ReadAheadBuffer.java:58 - null thrown
ReadAheadBuffer.java:58 - throw
ReadAheadBuffer.java:58 - <inline expression> no longer refers
ReadAheadBuffer.java:58 - end scope : Resource leaked : null
ReadAheadBuffer.ReadAheadBuffer ReadAheadBuffer.java
new RandomAccessFile(...)
null thrown
throw

allocated resource

N/A
Table.java:489 - Branch taken: (<inline No source available
Table.java:498 - Branch not taken: (<inline
Table.java:499 - new ReadAheadBuffer(...)

Table.java:499 - <inline expression>.rndFile refers to an
Table.java:504 - null thrown
Table.java:504 - throw
Table.java:504 - <inline expression>.rndFile no longer refers to
Table.java:504 - <inline expression> no longer refers to an
Table.java:504 - end scope : Resource leaked : null thrown
Table.java Table.open
goto

expression>.fileDesc.exists() != 0)
goto
goto

expression>.dbase.readOnly != 0)

allocated resource
goto
null thrown
throw

allocated resource

N/A
Table.java:242 - Branch not taken: (<inline expression>.rndFile No source available

Table.java:244 - java.lang.Throwable thrown

Table.java:244 - end scope : Resource leaked :
Table.java Table.markDirty
goto
Branch not taken: (<inline expression>.rndFile

== null)

allocated resource

allocated resource

N/A
Table.java:489 - Branch taken: (<inline No source available
Table.java:498 - Branch taken: (<inline

Table.java Table.open
goto

expression>.fileDesc.exists() != 0)
goto
goto

expression>.dbase.readOnly == 0)
goto

allocated resource
null thrown
throw

allocated resource

N/A
Table.java:158 - Branch taken: (<inline expression>.tableType No source available
Table.java:167 - Branch not taken: (<inline expression> != null)
Table.java:170 - Branch taken: (<inline expression>.tableType !=
Table.java Table.construct
goto
Branch taken: (<inline expression>.tableType

== 3)
goto
Branch taken: (<inline expression>.tableType

!= 3)
goto
goto

allocated resource
goto
null thrown
throw

allocated resource
ID 10601892 - Cross-Site Request Forgery Low

WebContent/lessons/CrossSiteScripting/EditProfile.jsp:7-90
EditProfile.jsp:10
%>
<div class="lesson_title_box"><strong>Welcome Back </strong><span
class="lesson_text_db"><%=webSession.getUserNameInLesson()%></span></div>
<div class="lesson_text">
<form id="form1" name="form1" method="post" action="attack?menu=<%=webSession.getCurrentMenu()%>">
<Table>
<TR><TD>
EditProfile.jsp

WebContent/lessons/SQLInjection/EditProfile.jsp:7-90
EditProfile.jsp:10
%>
class="lesson_text_db"><%=webSession.getUserNameInLesson()%></span></div>
<Table>
<TR><TD>
EditProfile.jsp

WebContent/lessons/RoleBasedAccessControl/EditProfile.jsp:7-106
EditProfile.jsp:10
%>
class="lesson_text_db"><%=webSession.getUserNameInLesson()%></span> - Edit Profile Page</div>
<Table border="0" cellpadding="0" cellspacing="0">
<TR><TD width="110">
EditProfile.jsp

WebContent/lessons/RoleBasedAccessControl/error.jsp:7-16
error.jsp:10
%>
<br><br><br>An error has occurred.
<br><br><br>
<form method="POST" action="attack?menu=<%=webSession.getCurrentMenu()%>">
<input type="submit" name="action" value="<%=RoleBasedAccessControl.LOGIN_ACTION%>"/>
</form>
error.jsp

WebContent/lessons/SQLInjection/ListStaff.jsp:11-28
ListStaff.jsp:14
<br>
<p>Select from the list below</p>
<table width="60%" border="0" cellpadding="3">
<tr>
<td> <label>
ListStaff.jsp

WebContent/lessons/RoleBasedAccessControl/ListStaff.jsp:11-28
ListStaff.jsp:14
<br>
<tr>
<td> <label>
ListStaff.jsp

WebContent/lessons/CrossSiteScripting/ListStaff.jsp:10-27
ListStaff.jsp:13
<br>
<br>
<tr>
<td> <label>
ListStaff.jsp

WebContent/lessons/CrossSiteScripting/Login.jsp:6-29
Login.jsp:9
<%
%>
<label>
<select name="<%=CrossSiteScripting.EMPLOYEE_ID%>">
<%
Login.jsp

WebContent/lessons/SQLInjection/Login.jsp:6-29
Login.jsp:9
<%
%>
<label>
<select name="<%=SQLInjection.EMPLOYEE_ID%>">
<%
Login.jsp

WebContent/lessons/RoleBasedAccessControl/Login.jsp:6-29
Login.jsp:9
<%
%>
<label>
<select name="<%=RoleBasedAccessControl.EMPLOYEE_ID%>">
<%
Login.jsp

SearchStaff.jsp:15
<%
}
%>
<label>Name
<input class="lesson_text_db" type="text" name="<%=SQLInjection.SEARCHNAME%>"/>
</label>
SearchStaff.jsp

SearchStaff.jsp:15
<%
}
%>
<label>Name
<input class="lesson_text_db" type="text" name="<%=RoleBasedAccessControl.SEARCHNAME%>"/>
</label>
SearchStaff.jsp

SearchStaff.jsp:15
<%
}
%>
<label>Name
<input class="lesson_text_db" type="text" name="<%=CrossSiteScripting.SEARCHNAME%>"/>
</label>
SearchStaff.jsp

WebContent/lessons/SQLInjection/ViewProfile.jsp:135-144
ViewProfile.jsp:138
if (webSession.isAuthorizedInLesson(webSession.getUserIdInLesson(), SQLInjection.DELETEPROFILE_ACTION))
{
%>
<input type="hidden" name="<%=SQLInjection.EMPLOYEE_ID%>" value="<%=employee.getId()%>">
<input type="submit" name="action" value="<%=SQLInjection.DELETEPROFILE_ACTION%>"/>
</form>
ViewProfile.jsp

WebContent/lessons/CrossSiteScripting/ViewProfile.jsp:127-136
ViewProfile.jsp:130
if (webSession.isAuthorizedInLesson(webSession.getUserIdInLesson(), CrossSiteScripting.EDITPROFILE_ACTION))
{
%>
<input type="hidden" name="<%=CrossSiteScripting.EMPLOYEE_ID%>" value="<%=employee.getId()%>">
<input type="submit" name="action" value="<%=CrossSiteScripting.EDITPROFILE_ACTION%>"/>
</form>
ViewProfile.jsp

WebContent/lessons/RoleBasedAccessControl/ViewProfile.jsp:125-134
ViewProfile.jsp:128
if (webSession.isAuthorizedInLesson(webSession.getUserIdInLesson(), RoleBasedAccessControl.EDITPROFILE_ACTION))
{
%>
<input type="hidden" name="<%=RoleBasedAccessControl.EMPLOYEE_ID%>" value="<%=employee.getId()%>">
<input type="submit" name="action" value="<%=RoleBasedAccessControl.EDITPROFILE_ACTION%>"/>
</form>
ViewProfile.jsp

ViewProfile.jsp:116
if (webSession.isAuthorizedInLesson(webSession.getUserIdInLesson(), RoleBasedAccessControl.LISTSTAFF_ACTION))
{
%>
<input type="hidden" name="<%=RoleBasedAccessControl.EMPLOYEE_ID%>" value="<%=employee.getId()%>">
<input type="submit" name="action" value="<%=RoleBasedAccessControl.LISTSTAFF_ACTION%>"/>
</form>
ViewProfile.jsp

ViewProfile.jsp:151
</td>
<td width="190"> </td>
<td width="76">
<form method="POST">
<input type="submit" name="action" value="<%=RoleBasedAccessControl.LOGOUT_ACTION%>"/>
</form>
</td>
ViewProfile.jsp

ViewProfile.jsp:118
if (webSession.isAuthorizedInLesson(webSession.getUserIdInLesson(), CrossSiteScripting.EDITPROFILE_ACTION))
{
%>
<input type="submit" name="action" value="<%=CrossSiteScripting.LISTSTAFF_ACTION%>"/>
</form></td>
ViewProfile.jsp

ViewProfile.jsp:143
if (webSession.isAuthorizedInLesson(webSession.getUserIdInLesson(), CrossSiteScripting.DELETEPROFILE_ACTION))
{
%>
<input type="submit" name="action" value="<%=CrossSiteScripting.DELETEPROFILE_ACTION%>"/>
</form>
ViewProfile.jsp

ViewProfile.jsp:148
</td>
<td width="76">
<input type="submit" name="action" value="<%=SQLInjection.LOGOUT_ACTION%>"/>
</form>
</td>
ViewProfile.jsp

ViewProfile.jsp:112
if (webSession.isAuthorizedInLesson(webSession.getUserIdInLesson(), SQLInjection.LISTSTAFF_ACTION))
{
%>
<input type="submit" name="action" value="<%=SQLInjection.LISTSTAFF_ACTION%>"/>
</form>
ViewProfile.jsp

ViewProfile.jsp:153
</td>
<td width="76">
<input type="submit" name="action" value="<%=CrossSiteScripting.LOGOUT_ACTION%>"/>
</form>
</td>
ViewProfile.jsp

ViewProfile.jsp:125
if (webSession.isAuthorizedInLesson(webSession.getUserIdInLesson(), SQLInjection.EDITPROFILE_ACTION))
{
%>
<input type="submit" name="action" value="<%=SQLInjection.EDITPROFILE_ACTION%>"/>
</form>
ViewProfile.jsp

WebContent/webgoat.jsp:71-79
webgoat.jsp:74
<tr>
<td colspan = "2">
<div align="center" class="style2">
<form id="form" name="form" method="post" action="attack">
<input type="submit" name="start" value="Start WebGoat" />
</form>
</div>
webgoat.jsp

WebContent/webgoat_challenge.jsp:48-58
webgoat_challenge.jsp:51
<td><div align="center"><span class="style2_ch"></span></div></td>
</tr>
</table>
<form id="form" name="form" method="post" action="attack">
<div align="center">
<input type="submit" name="start" value="Start" />
</div>
webgoat_challenge.jsp
Static File Listing
The static file listing displays all files scanned by the SCA scanner.
Filename Size (bytes)

/WebGoat/build.xml 13499
/WebGoat/JavaSource/org/owasp/webgoat/HammerHead.java 15421
/WebGoat/JavaSource/org/owasp/webgoat/lessons/AbstractLesson.java 27716
/WebGoat/JavaSource/org/owasp/webgoat/lessons/AccessControlMatrix.java 7620
/WebGoat/JavaSource/org/owasp/webgoat/lessons/admin/AdminScreen.java 2754
/WebGoat/JavaSource/org/owasp/webgoat/lessons/admin/ProductsAdminScreen.java 3718
/WebGoat/JavaSource/org/owasp/webgoat/lessons/admin/RefreshDBScreen.java 4456
/WebGoat/JavaSource/org/owasp/webgoat/lessons/admin/ReportCardScreen.java 9100
/WebGoat/JavaSource/org/owasp/webgoat/lessons/admin/SummaryReportCardScreen.java 8870
/WebGoat/JavaSource/org/owasp/webgoat/lessons/admin/UserAdminScreen.java 3696
/WebGoat/JavaSource/org/owasp/webgoat/lessons/admin/ViewDatabase.java 4754
/WebGoat/JavaSource/org/owasp/webgoat/lessons/admin/WelcomeAdminScreen.java 2649
/WebGoat/JavaSource/org/owasp/webgoat/lessons/BackDoors.java 9031
/WebGoat/JavaSource/org/owasp/webgoat/lessons/BasicAuthentication.java 10561
/WebGoat/JavaSource/org/owasp/webgoat/lessons/BlindSqlInjection.java 11982
/WebGoat/JavaSource/org/owasp/webgoat/lessons/BufferOverflow.java 2934
/WebGoat/JavaSource/org/owasp/webgoat/lessons/Category.java 2253
/WebGoat/JavaSource/org/owasp/webgoat/lessons/Challenge2Screen.java 22286
/WebGoat/JavaSource/org/owasp/webgoat/lessons/CommandInjection.java 11395
/WebGoat/JavaSource/org/owasp/webgoat/lessons/CrossSiteScripting/CrossSiteScripting.java 14412
/WebGoat/JavaSource/org/owasp/webgoat/lessons/CrossSiteScripting/EditProfile.java 6539
/WebGoat/JavaSource/org/owasp/webgoat/lessons/CrossSiteScripting/FindProfile.java 7548
/WebGoat/JavaSource/org/owasp/webgoat/lessons/CrossSiteScripting/UpdateProfile.java 14214
/WebGoat/JavaSource/org/owasp/webgoat/lessons/CrossSiteScripting/ViewProfile.java 8089
/WebGoat/JavaSource/org/owasp/webgoat/lessons/CSRF.java 10680
/WebGoat/JavaSource/org/owasp/webgoat/lessons/DefaultLessonAction.java 11394
/WebGoat/JavaSource/org/owasp/webgoat/lessons/DOMInjection.java 6051
/WebGoat/JavaSource/org/owasp/webgoat/lessons/DOS_Login.java 7784
/WebGoat/JavaSource/org/owasp/webgoat/lessons/Encoding.java 27961
/WebGoat/JavaSource/org/owasp/webgoat/lessons/FailOpenAuthentication.java 5654
/WebGoat/JavaSource/org/owasp/webgoat/lessons/ForcedBrowsing.java 4864
/WebGoat/JavaSource/org/owasp/webgoat/lessons/ForgotPassword.java 9421
/WebGoat/JavaSource/org/owasp/webgoat/lessons/HiddenFieldTampering.java 6866
/WebGoat/JavaSource/org/owasp/webgoat/lessons/HtmlClues.java 7295
/WebGoat/JavaSource/org/owasp/webgoat/lessons/HttpBasics.java 3662
/WebGoat/JavaSource/org/owasp/webgoat/lessons/HttpOnly.java 12839
/WebGoat/JavaSource/org/owasp/webgoat/lessons/HttpSplitting.java 9010
/WebGoat/JavaSource/org/owasp/webgoat/lessons/JavaScriptValidation.java 10915
/WebGoat/JavaSource/org/owasp/webgoat/lessons/JSONInjection.java 8989
/WebGoat/JavaSource/org/owasp/webgoat/lessons/LessonAction.java 924
/WebGoat/JavaSource/org/owasp/webgoat/lessons/LessonAdapter.java 10096
/WebGoat/JavaSource/org/owasp/webgoat/lessons/LogSpoofing.java 5113
/WebGoat/JavaSource/org/owasp/webgoat/lessons/NewLesson.java 2524
/WebGoat/JavaSource/org/owasp/webgoat/lessons/PathBasedAccessControl.java 9204
/WebGoat/JavaSource/org/owasp/webgoat/lessons/ReflectedXSS.java 9918
/WebGoat/JavaSource/org/owasp/webgoat/lessons/RemoteAdminFlaw.java 3333
/WebGoat/JavaSource/org/owasp/webgoat/lessons/RoleBasedAccessControl/DeleteProfile.java 5248
/WebGoat/JavaSource/org/owasp/webgoat/lessons/RoleBasedAccessControl/EditProfile.java 6735
/WebGoat/JavaSource/org/owasp/webgoat/lessons/RoleBasedAccessControl/FindProfile.java 5987
/WebGoat/JavaSource/org/owasp/webgoat/lessons/RoleBasedAccessControl/ListStaff.java 5661
/WebGoat/JavaSource/org/owasp/webgoat/lessons/RoleBasedAccessControl/Login.java 6457
/WebGoat/JavaSource/org/owasp/webgoat/lessons/RoleBasedAccessControl/Logout.java 2743
/WebGoat/JavaSource/org/owasp/webgoat/lessons/RoleBasedAccessControl/RoleBasedAccessC 16172
/WebGoat/JavaSource/org/owasp/webgoat/lessons/RoleBasedAccessControl/SearchStaff.java 1773
/WebGoat/JavaSource/org/owasp/webgoat/lessons/RoleBasedAccessControl/UpdateProfile.java 10839
/WebGoat/JavaSource/org/owasp/webgoat/lessons/RoleBasedAccessControl/ViewProfile.java 7629
/WebGoat/JavaSource/org/owasp/webgoat/lessons/SilentTransactions.java 9834
/WebGoat/JavaSource/org/owasp/webgoat/lessons/SoapRequest.java 15296
/WebGoat/JavaSource/org/owasp/webgoat/lessons/SQLInjection/ListStaff.java 5677
/WebGoat/JavaSource/org/owasp/webgoat/lessons/SQLInjection/Login.java 8442
/WebGoat/JavaSource/org/owasp/webgoat/lessons/SQLInjection/SQLInjection.java 13956
/WebGoat/JavaSource/org/owasp/webgoat/lessons/SQLInjection/ViewProfile.java 8900
/WebGoat/JavaSource/org/owasp/webgoat/lessons/SqlNumericInjection.java 10160
/WebGoat/JavaSource/org/owasp/webgoat/lessons/SqlStringInjection.java 8498
/WebGoat/JavaSource/org/owasp/webgoat/lessons/StoredXss.java 11331
/WebGoat/JavaSource/org/owasp/webgoat/lessons/ThreadSafetyProblem.java 6352
/WebGoat/JavaSource/org/owasp/webgoat/lessons/TraceXSS.java 9654
/WebGoat/JavaSource/org/owasp/webgoat/lessons/UncheckedEmail.java 8425
/WebGoat/JavaSource/org/owasp/webgoat/lessons/WeakAuthenticationCookie.java 10447
/WebGoat/JavaSource/org/owasp/webgoat/lessons/WeakSessionID.java 7316
/WebGoat/JavaSource/org/owasp/webgoat/lessons/WelcomeScreen.java 4430
/WebGoat/JavaSource/org/owasp/webgoat/lessons/WSDLScanning.java 9347
/WebGoat/JavaSource/org/owasp/webgoat/lessons/WsSAXInjection.java 7003
/WebGoat/JavaSource/org/owasp/webgoat/lessons/WsSqlInjection.java 8844
/WebGoat/JavaSource/org/owasp/webgoat/lessons/XMLInjection.java 9984
/WebGoat/JavaSource/org/owasp/webgoat/lessons/XPATHInjection.java 7731
/WebGoat/JavaSource/org/owasp/webgoat/LessonSource.java 5861
/WebGoat/JavaSource/org/owasp/webgoat/servlets/Controller.java 2151
/WebGoat/JavaSource/org/owasp/webgoat/session/Authorization.java 1717
/WebGoat/JavaSource/org/owasp/webgoat/session/Course.java 11483
/WebGoat/JavaSource/org/owasp/webgoat/session/CreateDB.java 32882
/WebGoat/JavaSource/org/owasp/webgoat/session/DatabaseUtilities.java 4941
/WebGoat/JavaSource/org/owasp/webgoat/session/ECSFactory.java 16222
/WebGoat/JavaSource/org/owasp/webgoat/session/Employee.java 5038
/WebGoat/JavaSource/org/owasp/webgoat/session/EmployeeStub.java 2072
/WebGoat/JavaSource/org/owasp/webgoat/session/ErrorScreen.java 7200
/WebGoat/JavaSource/org/owasp/webgoat/session/LessonSession.java 2065
/WebGoat/JavaSource/org/owasp/webgoat/session/LessonTracker.java 11801
/WebGoat/JavaSource/org/owasp/webgoat/session/Parameter.java 2147
/WebGoat/JavaSource/org/owasp/webgoat/session/ParameterNotFoundException.java 1829
/WebGoat/JavaSource/org/owasp/webgoat/session/ParameterParser.java 29813
/WebGoat/JavaSource/org/owasp/webgoat/session/Screen.java 8768
/WebGoat/JavaSource/org/owasp/webgoat/session/UnauthenticatedException.java 1337
/WebGoat/JavaSource/org/owasp/webgoat/session/UnauthorizedException.java 1334
/WebGoat/JavaSource/org/owasp/webgoat/session/UserTracker.java 6598
/WebGoat/JavaSource/org/owasp/webgoat/session/ValidationException.java 1475
/WebGoat/JavaSource/org/owasp/webgoat/session/WebgoatProperties.java 3207
/WebGoat/JavaSource/org/owasp/webgoat/session/WebSession.java 28628
/WebGoat/JavaSource/org/owasp/webgoat/util/Exec.java 14084
/WebGoat/JavaSource/org/owasp/webgoat/util/ExecResults.java 8370
/WebGoat/JavaSource/org/owasp/webgoat/util/ExecutionException.java 1754
/WebGoat/JavaSource/org/owasp/webgoat/util/HtmlEncoder.java 8836
/WebGoat/JavaSource/org/owasp/webgoat/util/Interceptor.java 4150
/WebGoat/JavaSource/org/owasp/webgoat/util/ThreadWatcher.java 3018
/WebGoat/WebContent/css/layers.css 219
/WebGoat/WebContent/css/lesson.css 911
/WebGoat/WebContent/css/menu.css 572
/WebGoat/WebContent/css/webgoat.css 3782
/WebGoat/WebContent/css/webgoat_challenge.css 535
/WebGoat/WebContent/database/database.prp 11518
/WebGoat/WebContent/database/webgoat.mdb 188416
/WebGoat/WebContent/images/buttons/catStarted.jpg 549
/WebGoat/WebContent/images/buttons/cookies.jpg 2205
/WebGoat/WebContent/images/buttons/cookiesOver.jpg 3847
/WebGoat/WebContent/images/buttons/help.jpg 1327
/WebGoat/WebContent/images/buttons/helpOver.jpg 690
/WebGoat/WebContent/images/buttons/hint.jpg 1262
/WebGoat/WebContent/images/buttons/hintLeft.jpg 1068
/WebGoat/WebContent/images/buttons/hintLeftOver.jpg 482
/WebGoat/WebContent/images/buttons/hintOver.jpg 1936
/WebGoat/WebContent/images/buttons/hintRight.jpg 1075
/WebGoat/WebContent/images/buttons/hintRightOver.jpg 476
/WebGoat/WebContent/images/buttons/html.jpg 1896
/WebGoat/WebContent/images/buttons/htmlOver.jpg 3163
/WebGoat/WebContent/images/buttons/java.jpg 1781
/WebGoat/WebContent/images/buttons/javaOver.jpg 2991
/WebGoat/WebContent/images/buttons/lessonComplete.jpg 613
/WebGoat/WebContent/images/buttons/logout.jpg 784
/WebGoat/WebContent/images/buttons/logoutOver.jpg 2623
/WebGoat/WebContent/images/buttons/params.jpg 2131
/WebGoat/WebContent/images/buttons/paramsOver.jpg 3605
/WebGoat/WebContent/images/buttons/plans.jpg 2056
/WebGoat/WebContent/images/buttons/plansOver.jpg 3385
/WebGoat/WebContent/images/header/header.jpg 27421
/WebGoat/WebContent/images/header/header_ASP.jpg 85335
/WebGoat/WebContent/images/header/header_coldFusion.jpg 85792
/WebGoat/WebContent/images/header/header_CShrp.jpg 84672
/WebGoat/WebContent/images/header/header_dotNet.jpg 85330
/WebGoat/WebContent/images/icons/rightArrow.jpg 798
/WebGoat/WebContent/images/logos/aspect.jpg 3208
/WebGoat/WebContent/images/logos/G2.jpg 2163
/WebGoat/WebContent/images/logos/macadamian.gif 1625
/WebGoat/WebContent/images/logos/owasp.jpg 3565
/WebGoat/WebContent/images/logos/parasoft.jpg 3646
/WebGoat/WebContent/images/menu_images/1x1.gif 49
/WebGoat/WebContent/javascript/javascript.js 369
/WebGoat/WebContent/javascript/lessonNav.js 2655
/WebGoat/WebContent/javascript/makeWindow.js 239
/WebGoat/WebContent/javascript/menu_system.js 7534
/WebGoat/WebContent/javascript/toggle.js 1277
/WebGoat/WebContent/lesson_plans/AccessControlMatrix.html 912
/WebGoat/WebContent/lesson_plans/BackDoors.html 1086
/WebGoat/WebContent/lesson_plans/BasicAuthentication.html 974
/WebGoat/WebContent/lesson_plans/BlindSqlInjection.html 1314
/WebGoat/WebContent/lesson_plans/BufferOverflow.html 290
/WebGoat/WebContent/lesson_plans/ChallengeScreen.html 291
/WebGoat/WebContent/lesson_plans/CommandInjection.html 992
/WebGoat/WebContent/lesson_plans/CrossSiteScripting.html 1059
/WebGoat/WebContent/lesson_plans/CSRF.html 2109
/WebGoat/WebContent/lesson_plans/DOMInjection.html 898
/WebGoat/WebContent/lesson_plans/DOS_Login.html 618
/WebGoat/WebContent/lesson_plans/Encoding.html 380
/WebGoat/WebContent/lesson_plans/FailOpenAuthentication.html 681
/WebGoat/WebContent/lesson_plans/ForcedBrowsing.html 833
/WebGoat/WebContent/lesson_plans/ForgotPassword.html 758
/WebGoat/WebContent/lesson_plans/HiddenFieldTampering.html 707
/WebGoat/WebContent/lesson_plans/HtmlClues.html 540
/WebGoat/WebContent/lesson_plans/HttpBasics.html 1541
/WebGoat/WebContent/lesson_plans/HttpOnly.html 936
/WebGoat/WebContent/lesson_plans/HttpSplitting.html 2196
/WebGoat/WebContent/lesson_plans/JavaScriptValidation.html 908
/WebGoat/WebContent/lesson_plans/JSONInjection.html 1269
/WebGoat/WebContent/lesson_plans/Lesson_Plan_Template.html 643
/WebGoat/WebContent/lesson_plans/LogSpoofing.html 733
/WebGoat/WebContent/lesson_plans/NewLesson.html 1505
/WebGoat/WebContent/lesson_plans/PathBasedAccessControl.html 602
/WebGoat/WebContent/lesson_plans/ReflectedXSS.html 765
/WebGoat/WebContent/lesson_plans/RemoteAdminFlaw.html 731
/WebGoat/WebContent/lesson_plans/RoleBasedAccessControl.html 1540
/WebGoat/WebContent/lesson_plans/SilentTransactions.html 1263
/WebGoat/WebContent/lesson_plans/SoapRequest.html 757
/WebGoat/WebContent/lesson_plans/SqlNumericInjection.html 1062
/WebGoat/WebContent/lesson_plans/SqlStringInjection.html 1111
/WebGoat/WebContent/lesson_plans/StoredXss.html 791
/WebGoat/WebContent/lesson_plans/ThreadSafetyProblem.html 1287
/WebGoat/WebContent/lesson_plans/TraceXSS.html 793
/WebGoat/WebContent/lesson_plans/UncheckedEmail.html 506
/WebGoat/WebContent/lesson_plans/WeakAuthenticationCookie.html 899
/WebGoat/WebContent/lesson_plans/WeakSessionID.html 570
/WebGoat/WebContent/lesson_plans/WelcomeScreeen.html 710
/WebGoat/WebContent/lesson_plans/WSDLScanning.html 555
/WebGoat/WebContent/lesson_plans/WsSAXInjection.html 725
/WebGoat/WebContent/lesson_plans/WsSqlInjection.html 689
/WebGoat/WebContent/lesson_plans/XMLInjection.html 791
/WebGoat/WebContent/lesson_plans/XPATHInjection.html 1486
/WebGoat/WebContent/lesson_template/lessons.html 2745
/WebGoat/WebContent/lesson_template/logo.jpg 33265
/WebGoat/WebContent/lessons/ConfManagement/config.jsp 558
/WebGoat/WebContent/lessons/CrossSiteScripting/CrossSiteScripting.css 1386
/WebGoat/WebContent/lessons/CrossSiteScripting/CrossSiteScripting.jsp 764
/WebGoat/WebContent/lessons/CrossSiteScripting/EditProfile.jsp 4874
/WebGoat/WebContent/lessons/CrossSiteScripting/error.jsp 125
/WebGoat/WebContent/lessons/CrossSiteScripting/images/lesson1_header.jpg 44854
/WebGoat/WebContent/lessons/CrossSiteScripting/images/lesson1_loginWindow.jpg 9976
/WebGoat/WebContent/lessons/CrossSiteScripting/images/lesson1_menu.jpg 5682
/WebGoat/WebContent/lessons/CrossSiteScripting/images/lesson1_SearchWindow.jpg 34912
/WebGoat/WebContent/lessons/CrossSiteScripting/images/lesson1_workspace.jpg 23580
/WebGoat/WebContent/lessons/CrossSiteScripting/ListStaff.jsp 2141
/WebGoat/WebContent/lessons/CrossSiteScripting/Login.jsp 1610
/WebGoat/WebContent/lessons/CrossSiteScripting/SearchStaff.jsp 850
/WebGoat/WebContent/lessons/CrossSiteScripting/ViewProfile.jsp 4962
/WebGoat/WebContent/lessons/General/redirect.jsp 600
/WebGoat/WebContent/lessons/RoleBasedAccessControl/EditProfile.jsp 5169
/WebGoat/WebContent/lessons/RoleBasedAccessControl/error.jsp 623
/WebGoat/WebContent/lessons/RoleBasedAccessControl/images/accessControl.jpg 35331
/WebGoat/WebContent/lessons/RoleBasedAccessControl/images/dbSchema.jpg 105001
/WebGoat/WebContent/lessons/RoleBasedAccessControl/images/lesson1_header.jpg 44854
/WebGoat/WebContent/lessons/RoleBasedAccessControl/images/lesson1_loginWindow.jpg 9976
/WebGoat/WebContent/lessons/RoleBasedAccessControl/images/lesson1_menu.jpg 5682
/WebGoat/WebContent/lessons/RoleBasedAccessControl/images/lesson1_SearchWindow.jpg 34912
/WebGoat/WebContent/lessons/RoleBasedAccessControl/images/lesson1_workspace.jpg 23580
/WebGoat/WebContent/lessons/RoleBasedAccessControl/images/orgChart.jpg 87561
/WebGoat/WebContent/lessons/RoleBasedAccessControl/ListStaff.jsp 2189
/WebGoat/WebContent/lessons/RoleBasedAccessControl/Login.jsp 1634
/WebGoat/WebContent/lessons/RoleBasedAccessControl/RoleBasedAccessControl.css 1402
/WebGoat/WebContent/lessons/RoleBasedAccessControl/RoleBasedAccessControl.jsp 784
/WebGoat/WebContent/lessons/RoleBasedAccessControl/SearchStaff.jsp 871
/WebGoat/WebContent/lessons/RoleBasedAccessControl/ViewProfile.jsp 4924
/WebGoat/WebContent/lessons/SQLInjection/EditProfile.jsp 4744
/WebGoat/WebContent/lessons/SQLInjection/error.jsp 125
/WebGoat/WebContent/lessons/SQLInjection/images/lesson1_header.jpg 44854
/WebGoat/WebContent/lessons/SQLInjection/images/lesson1_loginWindow.jpg 9976
/WebGoat/WebContent/lessons/SQLInjection/images/lesson1_menu.jpg 5682
/WebGoat/WebContent/lessons/SQLInjection/images/lesson1_SearchWindow.jpg 34912
/WebGoat/WebContent/lessons/SQLInjection/images/lesson1_workspace.jpg 23580
/WebGoat/WebContent/lessons/SQLInjection/ListStaff.jsp 2071
/WebGoat/WebContent/lessons/SQLInjection/Login.jsp 1574
/WebGoat/WebContent/lessons/SQLInjection/SearchStaff.jsp 820
/WebGoat/WebContent/lessons/SQLInjection/SQLInjection.css 1362
/WebGoat/WebContent/lessons/SQLInjection/SQLInjection.jsp 734
/WebGoat/WebContent/lessons/SQLInjection/ViewProfile.jsp 4201
/WebGoat/WebContent/lessons/XPATHInjection/EmployeesData.xml 517
/WebGoat/WebContent/main.jsp 10576
/WebGoat/WebContent/META-INF/MANIFEST.MF 21
/WebGoat/WebContent/sideWindow.jsp 832
/WebGoat/WebContent/users/ReadMe.txt 58
/WebGoat/WebContent/webgoat.jsp 4712
/WebGoat/WebContent/webgoat_challenge.jsp 3654
/WebGoat/WebContent/WEB-INF/lib/axis.jar 1599495
/WebGoat/WebContent/WEB-INF/lib/axis-ant.jar 33501
/WebGoat/WebContent/WEB-INF/lib/catalina.jar 745101
/WebGoat/WebContent/WEB-INF/lib/commons-collections-3.1.jar 559366
/WebGoat/WebContent/WEB-INF/lib/commons-digester.jar 100632
/WebGoat/WebContent/WEB-INF/lib/commons-discovery-0.2.jar 71442
/WebGoat/WebContent/WEB-INF/lib/commons-logging-1.0.4.jar 38015
/WebGoat/WebContent/WEB-INF/lib/ecs-1.4.2.jar 388156
/WebGoat/WebContent/WEB-INF/lib/idb.jar 236041
/WebGoat/WebContent/WEB-INF/lib/j2h.jar 53109
/WebGoat/WebContent/WEB-INF/lib/jaxrpc.jar 32071
/WebGoat/WebContent/WEB-INF/lib/jta-spec1_0_1.jar 8809
/WebGoat/WebContent/WEB-INF/lib/log4j-1.2.8.jar 352668
/WebGoat/WebContent/WEB-INF/lib/saaj.jar 19427
/WebGoat/WebContent/WEB-INF/lib/wsdl4j-1.5.1.jar 126771
/WebGoat/WebContent/WEB-INF/server-config.wsdd 3504
/WebGoat/WebContent/WEB-INF/web.xml 11265
/WebGoat/WebContent/WEB-INF/webgoat.properties 37
/WebGoat/WebContent/WEB-INF/web-unix.xml 11276
/WebGoat/WebContent/WEB-INF/web-windows.xml 11265
Appendix - Descriptions of Key Terminology
Security Rating
The Fortify 5-star assessment rating provides information on the likelihood and impact of defects present within an application. A perfect rating
within this system would be 5 complete stars indicating that no high impact vulnerabilities were uncovered.
Rating
Fortify awards one star to projects that undergo a Fortify security review, which analyzes a project for a variety of
software security vulnerabilities.
Fortify awards two stars to projects that undergo a Fortify security review that identifies no high likelihood / high
impact issues. Vulnerabilities that are trivial to exploit and have a high business or technical impact should never
exist in business-critical software.
Fortify awards three stars to projects that undergo a Fortify security review that identifies no low likelihood / high
impact issues and meets the requirements needed to receive two stars. Vulnerabilities that have a high impact, even
if they are non-trivial to exploit, should never exist in business critical software.
Fortify awards four stars to projects that undergo a Fortify security review that identifies no high likelihood / low
impact issues and meets the requirements for three stars. Vulnerabilities that have a low impact, but are easy to
exploit, should be considered carefully as they may pose a greater threat if an attacker exploits many of them as
part of a concerted effort or leverages a low impact vulnerability as a stepping stone to mount a high-impact attack.
Fortify awards five stars to projects that undergo a Fortify security review that identifies no issues.
Likelihood and Impact

Likelihood
Likelihood is the probability that a vulnerability will be accurately identified and successfully exploited.
Impact
Impact is the potential damage an attacker could do to assets by successfully exploiting a vulnerability. This damage can be in the form of, but not
limited to, financial loss, compliance violation, loss of brand reputation, and negative publicity.
Fortify Priority Order

Critical
Critical-priority issues have high impact and high likelihood. Critical-priority issues are easy to detect and exploit and result in large asset damage.
These issues represent the highest security risk to the application. As such, they should be remediated immediately.
SQL Injection is an example of a critical issue.
High
High-priority issues have high impact and low likelihood. High-priority issues are often difficult to detect and exploit, but can result in large asset
damage.
These issues represent a high security risk to the application. High priority issues should be remediated in the next scheduled patch release.
Medium
Medium-priority issues have low impact and high likelihood. Medium-priority issues are easy to detect and exploit, but typically result in small asset
damage.
These issues represent a moderate security risk to the application. Medium-priority issues should be remediated in the next scheduled product
Low
Low-priority issues have low impact and low likelihood. Low-priority issues can be difficult to detect and exploit and typically result in small asset
damage.
These issues represent a minor security risk to the application. Low priority issues should be remediated as time allows.
Issue Status
New
New issues are ones that have been identified for the first time in the most recent analysis of the application.
Existing
Existing issues are issues that have been found in a previous analysis of the application and are still present in the latest analysis.
Reopened
Reopened issues have been discovered in a previous analysis of the application but were not present in subsequent analyses. These issues are now
present again in the most recent analysis of the application.
Fortify Remediation Effort

Major Remediation
Major remediation effort issues must often be addressed at multiple locations to fix the root problem.
Minor Remediation
Minor remediation effort issues can typically be addressed at the location of the root problem.

Fod

Uploaded by

Copyright:

Available Formats

Fod

Uploaded by

Document Information

Original Description:

Copyright

Available Formats

Share this document

Share or Embed Document

Sharing Options

Did you find this document useful?

Is this content inappropriate?

Copyright:

Available Formats

Fod

Uploaded by

Copyright:

Available Formats

Fortify on Demand

Company: Test Company

Project: Franklin Bank Java app

Version: 1.0 (Java)

Latest Analysis: 9/25/2015 6:58:20 AM

Risk Totals by Severity Risk Totals by Instance Count

Most Prevalent Issues (by Category) Remediation Roadmap

Rating Category Test Type

Critical Cross-Site Scripting: Reflected Static 8

OWASP 2013 Category Severity

Category Static Dynamic

6.1.1 Cross-Site Scripting: Reflected Critical

In this case the data enters at in main.jsp at line 34.

In this case the data is sent at in main.jsp at line 114.

<% String eid = request.getParameter("eid"); %>

String eid = request.getParameter("eid");

Employee ID: <c:out value="${param.eid}" escapeXml="false"/>

Employee ID: <fmt:message key="${param.eid}" bundle="${names}"/>

<% String eid = request.getParameter("eid"); %>

<% String eid = request.getParameter("eid"); %>

Employee Name: <%= name %>

ServletOutputStream out = response.getOutputStream();

Employee Name: <c:out value="${name}" escapeXml="false"/>

Employee Name: <fmt:message key="<%= name %>" bundle="${names}"/>

public class employeesBean {

Employee Name: <%= name %>

Employee Name: <%= name %>

In the content of a block-level element (in the middle of a paragraph of text):

- "<" is special because it introduces a tag.

- "&" is special because it introduces a character entity.

The following principles apply to attribute values:

Within the body of a <SCRIPT> </SCRIPT>:

Location Analysis Info Analyzer

Location Analysis Info Analyzer

Location Analysis Info Analyzer

Location Analysis Info Analyzer

Foo foo = null;

Location Analysis Info Analyzer

Location Analysis Info Analyzer

ID 10601839 - WebContent/WEB-INF/lib/org/enhydra/instantdb/db Sink:org.enhydra.instantdb.db.BlobColumn.BlobColumn

ID 10601972 - WebContent/WEB-INF/lib/org/enhydra/instantdb/db Sink:org.enhydra.instantdb.db.BlobColumn.deleteBlob

ID 10601951 - WebContent/WEB-INF/lib/org/enhydra/instantdb/db Sink:org.enhydra.instantdb.db.BlobColumn.extractBinaryNumbers

ID 10601975 - WebContent/WEB-INF/lib/org/enhydra/instantdb/db Sink:org.enhydra.instantdb.db.BlobColumn.getByRow

ID 10601935 - WebContent/WEB-INF/lib/org/enhydra/instantdb/db Sink:org.enhydra.instantdb.db.BlobColumn.writeObject

ID 10601871 - WebContent/WEB-INF/lib/org/enhydra/instantdb/db Sink:org.enhydra.instantdb.db.BlobColumn.onClose

ID 10601930 - WebContent/WEB-INF/lib/org/enhydra/instantdb/db Sink:org.enhydra.instantdb.db.ByteColumn.deleteBitSet

ID 10601950 - WebContent/WEB-INF/lib/org/enhydra/instantdb/db Sink:org.enhydra.instantdb.db.ByteColumn.getByRow

ID 10601970 - WebContent/WEB-INF/lib/org/enhydra/instantdb/db Sink:org.enhydra.instantdb.db.Char1Column.getByRow

ID 10601939 - WebContent/WEB-INF/lib/org/enhydra/instantdb/db Sink:org.enhydra.instantdb.db.Char1Column.equalToRow

ID 10601945 - WebContent/WEB-INF/lib/org/enhydra/instantdb/db/Column Sink:org.enhydra.instantdb.db.Column.getByRow

ID 10601912 - WebContent/WEB-INF/lib/org/enhydra/instantdb/db/Column Sink:org.enhydra.instantdb.db.Column.setRow

ID 10601872 - WebContent/WEB-INF/lib/org/enhydra/instantdb/db/Cursor Sink:org.enhydra.instantdb.db.Cursor.update

ID 10601949 - WebContent/WEB-INF/lib/org/enhydra/instantdb/db Sink:org.enhydra.instantdb.db.Database.dbCreate

ID 10601958 - WebContent/WEB-INF/lib/org/enhydra/instantdb/db Sink:org.enhydra.instantdb.db.Database.dbCreate

ID 10601880 - WebContent/WEB-INF/lib/org/enhydra/instantdb/db Sink:org.enhydra.instantdb.db.Database.dbOpen

ID 10601844 - WebContent/WEB-INF/lib/org/enhydra/instantdb/db Sink:org.enhydra.instantdb.db.Database.initialise

ID 10601826 - WebContent/WEB-INF/lib/org/enhydra/instantdb/db Sink:org.enhydra.instantdb.db.Database.close

ID 10601881 - WebContent/WEB-INF/lib/org/enhydra/instantdb/db Sink:org.enhydra.instantdb.db.Database.setPath

ID 10601825 - WebContent/WEB-INF/lib/org/enhydra/instantdb/db Sink:org.enhydra.instantdb.db.Database.dbOpen