chuz93/eigthball
Compile EightBall.java and run it. It takes an integer as an argument:

```
java EightBall 391
java EightBall 2000
```

Normally it will reply with a message from the files `0`, `1`, or `2`. However, due to bad error handling, if you put a filename instead of an integer as the argument, it will show the contents of that file. (For simplicity, the user input comes from the command line argument. What would happen if it came from a web form?) Try:

```
java EightBall /etc/passwd      (on Unix)
java EightBall C:\autoexec.bat  (on Windows)
```

Now run sourceanalyzer on the file:

```
$ sourceanalyzer -b EightBall -clean
$ sourceanalyzer -b EightBall EightBall.java
$ sourceanalyzer -b EightBall -scan -f EightBall.fpr
```

And view the results with Audit Workbench:

```
$ auditworkbench EightBall.fpr
```

The output should contain vulnerabilities with the following categories:

- Path Manipulation
- Unreleased Resource: Streams
- J2EE Bad Practices: Leftover Debug Code

Other issues may also be present depending on the rule packs used to scan.

The Unchecked Return Value issue warns that `FileReader.read()` could have failed and that its return value should be checked before the output is used. The Path Manipulation vulnerability indicates that the user can control the file opened by the `FileReader`. The Unreleased Resource vulnerability indicates that the program does not close the `FileReader`. The J2EE Bad Practices vulnerability indicates the presence of a `main()` method, which should not appear in a J2EE application. Since this is not a J2EE application, this category of vulnerabilities does not apply. We can configure which categories of rules will be displayed based on the type of application using the Audit Guide in Audit Workbench.
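The three findings above map onto concrete coding changes. The class below is an added example, not the repository's EightBall.java (whose source is not on this page): it assumes the integer argument selects one of the reply files `0`, `1` or `2` (the mapping by modulo is an assumption) and shows how each finding is addressed: the argument is parsed as an integer and never used as a path (Path Manipulation), the reader is closed by try-with-resources (Unreleased Resource), and the result of `read()` is checked before the buffer is used (Unchecked Return Value). The `replies` directory name is also an assumption.

```java
import java.io.BufferedReader;
import java.io.IOException;
import java.nio.charset.StandardCharsets;
import java.nio.file.Files;
import java.nio.file.Path;
import java.nio.file.Paths;

/**
 * Hardened reimplementation of the EightBall idea (added example; not the
 * repository's EightBall.java). Assumed behaviour: the integer argument
 * selects one of the reply files "0", "1" or "2" by modulo.
 */
public class SafeEightBall {

    // Reply files live in a fixed directory (assumed name); the user never supplies a path.
    private static final Path REPLY_DIR = Paths.get("replies").toAbsolutePath().normalize();
    private static final int REPLY_COUNT = 3;

    /** Map the argument to a reply index, rejecting anything that is not an integer. */
    static int replyIndex(String arg) {
        int n;
        try {
            n = Integer.parseInt(arg.trim());
        } catch (NumberFormatException e) {
            // "/etc/passwd" or "C:\autoexec.bat" fails here instead of reaching the file open
            throw new IllegalArgumentException("argument must be an integer: " + arg);
        }
        return Math.floorMod(n, REPLY_COUNT);   // 391 -> 1, 2000 -> 2, -1 -> 2
    }

    /** Resolve the reply file for an index; the file name is always "0", "1" or "2". */
    static Path replyFile(int index) {
        Path p = REPLY_DIR.resolve(Integer.toString(index)).normalize();
        if (!p.startsWith(REPLY_DIR)) {          // defence in depth: never leave REPLY_DIR
            throw new IllegalStateException("resolved path escaped the reply directory");
        }
        return p;
    }

    /** Read the reply; try-with-resources closes the stream (Unreleased Resource fix). */
    static String readReply(Path file) throws IOException {
        StringBuilder sb = new StringBuilder();
        char[] buf = new char[1024];
        try (BufferedReader reader = Files.newBufferedReader(file, StandardCharsets.UTF_8)) {
            int n;
            // read() returns -1 at end of stream; only the n chars actually read are used
            // (Unchecked Return Value fix)
            while ((n = reader.read(buf)) != -1) {
                sb.append(buf, 0, n);
            }
        }
        return sb.toString();
    }

    public static void main(String[] args) throws IOException {
        if (args.length != 1) {
            System.err.println("usage: java SafeEightBall <integer>");
            System.exit(2);
        }
        try {
            System.out.print(readReply(replyFile(replyIndex(args[0]))));
        } catch (IllegalArgumentException e) {
            System.err.println(e.getMessage());
            System.exit(1);
        }
    }
}
```

Running `java SafeEightBall /etc/passwd` now exits with "argument must be an integer" before any file is opened, while `java SafeEightBall 391` still prints reply file `1`. The `main()` method remains, so the J2EE Bad Practices finding would still appear; as the text notes, that category does not apply to a command-line program and can be filtered with the Audit Guide.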