SoftwareSecurity2014/Group 8/Log
2014-04-01
First meeting. Focus was on deciding which application to assess; this resulted in Wordpress v3.8.1 being chosen. We probably want to focus on V5: Input Validation for the assignment.
Furthermore, we got everyone set up to run the Fortify software, and we did a quick analysis of Wordpress to get acquainted with the tool.
2014-04-22
We started analyzing the output of Fortify. We also ran RATS over the Wordpress 3.8.1 codebase with different warning levels and decided to prioritize the high-severity warnings. We also tried running RIPS over the code, but Wordpress seems to be too big a project for it.
The work that has to be completed before the next meeting was divided. Each member of the team will focus on one or more of the categories that Fortify reports and that have to do with input validation.
Dirk - Command Injection
Inés - Persistent Cross-Site Scripting & SQL Injection
Iwan - Reflected Cross-Site Scripting
Max - Dangerous File Inclusion & Path Manipulation
Herman - RATS Results
2014-04-29
Discussed the individual results we produced and combined them. Finalized all the code scanning results and conclusions. We also reflected on both Fortify and RATS and their results.
2014-05-05
Herman: Sanitized the text in quite a few places.
2014-05-13
We started working on part 2B of the ASVS. First we analyzed what we actually had to do for this part.
We decided to prioritize our investigation of the code on certain files. Prioritization of the files is based on the following:
- Knowledge about Wordpress core
- Verification Requirement V5
- (Partially, the things that we learned in part 1B)
We created the following work division:
- Dirk - wp-signup.php
- Herman - xmlrpc.php
- Inès - wp-login.php
- Iwan - wp-comments-post.php
- Max - includes/wp-db.php
This is just the initial division of work; we will probably increase the number of files under investigation as we get deeper into the code.
2014-05-20
Discussed the results we had gathered so far. We dug pretty deep into the code to uncover the secrets of Wordpress input validation and sanitization. We discussed how we would continue the investigation and helped each other with our individual parts. We made a list of the PHP files that are included on the homepage of a running Wordpress installation. This gave us further pointers on which files to actually consider in the manual code review (files that are only used by an administrator, for example, do not need to be included for normal users).
2014-05-27
We sat together to work towards finalizing the manual code review. Started to summarize our results to get insights on the final verdict for the verification requirements for input validation. Made a commitment to think about our own results and reflection so that we can finalize the verdict the next time we meet.
2014-06-03
We worked on finalizing the verdict for the verification requirements and on writing the reflection on the OWASP ASVS experience. Because we had already made personal lists of our experiences, we could quickly create a final reflection on the security assessment. We added some more reasoning to the final verdict. Together we discussed what we liked about doing the ASVS and what problems we had while doing the assignment.
2014-06-05
Herman: checked all of the part 2B related pages for spelling, style and consistency errors and corrected them.