What Fortify has found is that the defect density of open-source code is quite large. For example, Net Trust (a Google project to create a security mechanism for simple single sign-on and authentication), had an estimated 12.215 errors per 1,000 lines of code.
And here is another example, an XSS vulnerability, from these lines of Sun's instructions:
    // Vulnerable fragment as quoted in the slides: the "firstname" request
    // parameter is read, stored, and later written straight into the HTML
    // response without any validation or output encoding.
    String firstname = null;
    try
    {
        firstname = request.getParameter("firstname");
    }
    catch (Exception e)
    {
        e.printStackTrace();
    }
    String userName = firstname;
    ...
    // XSS sink: untrusted data is reflected into the page as markup.
    pw.print(" Thanks for your feedback, " + userName + "!");
    ...
The code expects that a user has entered a name like "Bob". An attacker could instead arrange for the data to look like this:
{script}sendDataToMotherShip(){/script}
(I have replaced ">" and "<" with "}" and "{" so that the script renders here instead of running.) The victim's browser would then execute a function named sendDataToMotherShip().
A secure version of the server-side code would check the input to make sure that it contains only an expected set of characters and no executable script, and would encode the value before writing it into the page.
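Here is an added example of what that hardened version could look like; it is my own illustration, not code from the Sun slides or the Fortify report. The class name FeedbackResponse, the allow-list pattern for a first name, and the small HTML encoder are assumptions chosen for the example; a real application would use its own naming rules and a vetted encoding library.

```java
import java.util.regex.Pattern;

/** Added example: validate the "firstname" parameter, then encode it on output. */
public final class FeedbackResponse {

    // Assumed allow-list for a first name: letters, spaces, hyphens and
    // apostrophes, 1-40 characters. Anything else (including "<" and ">") fails.
    private static final Pattern NAME = Pattern.compile("^[\\p{L} '-]{1,40}$");

    /** Returns true only if the value contains nothing but expected characters. */
    public static boolean isValidFirstName(String value) {
        return value != null && NAME.matcher(value).matches();
    }

    /** HTML-encodes the characters that can change markup or attribute context. */
    public static String htmlEncode(String s) {
        StringBuilder out = new StringBuilder(s.length() + 16);
        for (int i = 0; i < s.length(); i++) {
            char c = s.charAt(i);
            switch (c) {
                case '<':  out.append("&lt;");   break;
                case '>':  out.append("&gt;");   break;
                case '&':  out.append("&amp;");  break;
                case '"':  out.append("&quot;"); break;
                case '\'': out.append("&#39;");  break;
                default:   out.append(c);
            }
        }
        return out.toString();
    }

    /** Builds the "thanks" line; rejected input is never echoed back. */
    public static String thanksLine(String firstname) {
        if (!isValidFirstName(firstname)) {
            // A generic message avoids turning the error path into a second sink.
            return "Thanks for your feedback!";
        }
        // Encoding is kept even after validation (defense in depth).
        return "Thanks for your feedback, " + htmlEncode(firstname) + "!";
    }

    public static void main(String[] args) {
        // Constructed inputs: a normal name and the script payload from the post.
        System.out.println(thanksLine("Bob"));
        System.out.println(thanksLine("<script>sendDataToMotherShip()</script>"));
    }
}
```

In the servlet, the sink becomes pw.print(FeedbackResponse.thanksLine(request.getParameter("firstname"))); the script payload is rejected by the allow-list, and even a name that slipped through could no longer close or open a tag.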
The report may be found at http://developers.sun.com/learning/javaoneonline/2006/coreenterprise/TS-1660.pdf
There are two short recent articles on eWeek on this subject as well:
http://www.eweek.com/article2/0,1895,2128071,00.asp
and
http://www.eweek.com/article2/0,1895,2115638,00.asp
Check them out!