SoftwareSecurity2012/Group 2/Introduction
Introduction
FluxBB is forum software which can be installed on a server to run on a website. FluxBB is, as its developers claim, fast, light, and user-friendly. According to the developers, this forum is faster and lighter than some of the "feature heavy" forum applications. It is open source and can be downloaded for free from their website.
Several modifications that add various kinds of functionality to FluxBB are available from its website. One of these is the "Custom BBCode" modification. As in many forums, the markup language BBCode can be used to change the layout of the text or to modify a forum post in other ways. The Custom BBCode modification allows users to define their own BBCode commands or tags.
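To make the mechanism concrete, here is a small constructed BBCode renderer, added for this page and not taken from FluxBB or the Custom BBCode modification: a tag table such as `CUSTOM_TAGS` stands in for administrator-defined tags, and the tag names, templates and the `render`/`_expand` functions are assumptions for illustration. It shows the property a reviewer would check in such a feature, namely that poster-supplied text and tag parameters are escaped before any template is expanded.

```python
import html
import re

# Constructed tag table: what an administrator might register with a
# "custom BBCode" feature. Assumed for illustration; not FluxBB's tag set.
CUSTOM_TAGS = {
    "b": "<strong>{content}</strong>",
    "url": '<a href="{param}" rel="nofollow">{content}</a>',
    "spoiler": '<span class="spoiler">{content}</span>',
}

# Matches [name]...[/name] or [name=param]...[/name]; the backreference
# pairs opener and closer, so nesting of the same tag is not supported.
TAG_RE = re.compile(r"\[(\w+)(?:=([^\]]*))?\](.*?)\[/\1\]", re.S)
URL_OK = re.compile(r"(?i)https?://")


def _expand(escaped: str, tags: dict) -> str:
    """Expand registered tags inside text that is already HTML-escaped."""
    def sub(m: re.Match) -> str:
        name, param, content = m.group(1).lower(), m.group(2), m.group(3)
        template = tags.get(name)
        if template is None:
            return m.group(0)                 # unknown tag: keep literal text
        if name == "url" and not URL_OK.match(param or ""):
            return m.group(0)                 # only http(s) links become anchors
        # Parameters and content are escaped already; templates are the only
        # source of markup. Inner tags are expanded recursively.
        return template.format(param=param or "", content=_expand(content, tags))
    return TAG_RE.sub(sub, escaped)


def render(post: str, tags: dict = CUSTOM_TAGS) -> str:
    """Render a BBCode post to HTML.

    The whole post is HTML-escaped *before* tag expansion, so the only HTML
    that reaches the page comes from the registered templates, never from
    the poster's text or from tag parameters.
    """
    return _expand(html.escape(post, quote=True), tags)
```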
In this research, we look into security issues in the "Custom BBCode" modification for FluxBB, both manually and in an automated manner. We use RIPS and YASCA to investigate security issues in the FluxBB source code and in the Custom BBCode modification. We also investigate the source code of the modification manually against three of the security requirements defined by the Open Web Application Security Project (OWASP) in its Application Security Verification Standard (ASVS).
This research is organized as follows. First, we introduce the security requirements in the ASVS and motivate which ones we investigate with regard to the Custom BBCode modification. Second, we show the code scanning results. Third, we show the results of a manual code inspection. Based on these results, we conclude with a verdict about the FluxBB Custom BBCode modification with respect to three of the ASVS requirements. Finally, we evaluate the research itself, paying special attention to the code scanning tools used.