SoftwareSecurity2013/Group 1/Code Scanning Reflection/Fortify
Fortify reflection
In total, Fortify notified us of 2680 issues, of which 290 critical, 1321 high, 102 medius and 967 low. Almost 28% of the critical issues originate from the admin pages, which was expected because the admin interface can show a lot of server information and offers a lot of low level commands.
A lot of issues were due to source and sink problems caused by wrappers around the default PHP escaping functions. These functions are marked as safe (for a specific category of issues) by Fortify, but Fortify isn’t following wrapper code paths. The naive approach would be to silence all source and sink issues, but we started to create rules for commonly used methods that are wrappers. A rule was created for the function pun_htmlspecialchars()
since it is a wrapper for the PHP built-in htmlspecialchars()
. We've checked it by hand to be sure we can trust it. After a rescan with custom rules, we reduced the number of issues from 2680 to 187! This major change allowed us to check the remaining issues by hand.
Only two issues (six uses) were found by Fortify. However, we were surprised to see none of our manual found issues were found by Fortify. Even the method get_remote_address()
, which causes most of the SQL injections, wasn't marked by Fortify. The same way we created new rules for validating data, we also tried to create a rule to mark the output of get_remote_address()
as tainted. However, using the same approach, did not work (Fortify still wasn't able to mark uses as dangerous). We are certain the get_remote_address()
method could lead to SQL injections. After some attempts, we stop trying.
On the other hand, Fortify did point us to potential dangerous function we haven't thought of (but used correctly in FluxBB). The method paginate()
is used in FluxBB to split long list over multiple pages. Due to PHP loose typing system, the following operations are valid but very unexpected:
var_dump("5abc" - 2); //outputs 3 var_dump("5abc" > 2); //outputs true
In FluxBB, the paginate method does not convert its arguments to integers and the above operations (in some other form) are executed. Pages using the paginate method are derived from $_GET
after. , however, we believe that such a global method should escape arguments properly. If one developer allows an user to call the paginate method as follows (e.g. by not checking $_GET
parameters, it would fail (tested):
paginate("5some_html_here", 2, "http://example.org");
Toolset issues
In general, it was a lot harder to get Fortify to work. We planned to start with Fortify the week after our exams, but this got delayed because Bertine Scholten (our contact in Twente) wasn’t available for handing out Fortify. In our opinion, Fortify isn’t as easy to get it up and running as the other tools we’ve used. The documentation folder contains 38 PDF files with no immediate clue of which one to start with. In the end, we got it working on OSX with the least amount work (only one installer to run). With the following commands from the FluxBB directory, a result was generated:
/Applications/HP_Fortify/HP_Fortify_SCA_and_Apps_3.80/bin/sourceanalyzer -Xmx2048M -b mybuild . /Applications/HP_Fortify/HP_Fortify_SCA_and_Apps_3.80/bin/sourceanalyzer -Xmx2048M -b mybuild -scan -f results.fpr
Note the Java VM parameter to increase the maximum heap size to get it running. The file result.fpr could be opened via the included program called Audit Workbench. This tool is really complete and allowed us to filter through the false positives in an efficient way. We also liked the predefined grouping categories, e.g. ‘OWASP Top 10 2007’.