SoftwareSecurity2012/Group 8/Log

From Werkplaats

Logfile

| Action | Done by | Date | Time spent | Comments | Follow-up actions |
|---|---|---|---|---|---|
| Install+config of FluxBB on webserver | Maurice | 4/12/2012 | 1 hour | Installation is pretty simple. | None. |
| First look at FluxBB | Jeroen | 4/12/2012 | 30 minutes | PHP doesn't look as bad as expected. | None. |
| Installation, configuration and run of RATS | Mark & Aram | 4/13/2012 | 2 hours | Might be useful, but it looks like it generates a lot of false positives. | We have to check up on possible false positives. |
| Install+test RIPS | Aram + Mark | 4/13/2012 | 2 hours | Simple to install, output looks interesting. Serious potential bugs like command execution, SQL injection and file inclusion we investigated were all false positives. | Review all the output for true positives? |
| Analyze RATS output, email.php | Aram + Jeroen | 4/13/2012 | 2 hours | Even after reading RFCs it seems foolproof. | None. |
| Install+test PHPLint and Pixy | Jeroen | 4/13/2012 | 3 hours | Easy to install; PHPLint looks useless, Pixy looks useful. | Have a closer look at Pixy. |
| Installation, configuration and run of CodeSecure | Mark | 4/16/2012 | 3 hours | This license only accepts up to 10k lines of code; FluxBB has more. Freezes during scan with large numbers of files. Does work for a smaller number of files. | Will try this again on a different system. |
| Tried CodeSecure on a different system | Mark | 4/18/2012 | 1 hour | Ran into the same problems. | Somebody else has to try this. |
| Added info and tested CodeSecure some more | Mark | 4/20/2012 | 2 hours | Could not verify the results. | Unless somebody else tries it and can provide some results to compare, I would say we should not use this tool. |
| Install+test RIPS | Maurice | 4/22/2012 | 2 hours | Installation is pretty straightforward, output looks nice. | Analyze output for false positives. |
| Install+test RATS | Maurice | 4/22/2012 | 40 minutes | Pretty easy to install under Linux, runs extremely quickly. | Analyze output for false positives, as there seem to be too many problems. |
| Download CodeSecure | Maurice | 4/22/2012 | 1 hour | The CodeSecure website is sloooow... | Actually use the software. |
| Install+test CodeSecure, minify FluxBB source | Maurice | 4/22/2012 | 4 hours | The licence is very crippling, and minifying PHP code is simple but leaves it totally illegible. | Decipher results to see what it actually found. |
| Analyze RIPS output | Maurice | 4/22/2012 | 1 hour | Good-looking output, but there is a LOT of it depending on the verbosity settings. | - |
| Last tests of PHPLint and documentation | Jeroen | 4/22/2012 | 1 hour | PHPLint is useless to us. | None. |
| Pixy output and documentation | Jeroen | 4/22/2012 | 1.5 hours | Pixy is nice. | None. |
| Installed, ran and analysed the results of YASCA | Mark | 4/22/2012 | 3 hours | Simple to install and use; output looks limited compared to other tools. | - |
| Typed reflection and results of YASCA + reading of wiki info | Mark | 4/22/2012 | 2 hours | Was a little difficult to write about YASCA with such limited info. | - |
| Meeting/Discussion | Maurice + Jeroen + Aram + Mark | 5/25/2012 | 1 hour | Verify the output of the tools. | - |
| Meeting/Discussion | Maurice + Jeroen + Aram + Mark | 6/1/2012 | 1 hour | Start thinking about OWASP requirements + take a look at the source code of FluxBB. | - |
| Review of FluxBB for exploitable bugs using RIPS, RATS and manual source code review / live testing | Aram | 6/3/2012 | 2 hours | No source of input conclusively determined to be insecure. | |
| Meeting/Discussion | Maurice + Jeroen + Aram + Mark | 6/8/2012 | 2 hours | Continue thinking about OWASP requirements + looking at the source code of FluxBB. | - |
| Meeting/Discussion | Maurice + Jeroen + Aram + Mark | 6/15/2012 | 1.5 hours | - | - |
| Updating Wiki | Maurice + Jeroen + Aram + Mark | 6/19/2012 | 6 hours | Update Wiki with our findings. | - |

TODO-list

| What to do | When | By |
|---|---|---|
| Presentation | 6/22/2012 | Everybody |