chuz93/eigthball

Compile EightBall.java and run it.  It takes an integer as an argument:

java EightBall 391
java EightBall 2000

Normally it will reply with a message from the files 0, 1, or 2.  However,
due to bad error handling, if you put a filename instead of an integer as
an argument, it will show the contents of the file.  (For simplicity, the
user input comes from the command line argument.  What would happen if it
came from a web form?)  Try:

java EightBall /etc/passwd         (on Unix)
java EightBall C:\autoexec.bat     (on Windows)


Now run sourceanalyzer on the file:

$ sourceanalyzer -b EightBall -clean
$ sourceanalyzer -b EightBall EightBall.java
$ sourceanalyzer -b EightBall -scan -f EightBall.fpr

And view the results with Audit Workbench:

$ auditworkbench EightBall.fpr

The output should contain vulnerabilities with the following categories:

      Path Manipulation
      Unreleased Resource: Streams
      J2EE Bad Practices: Leftover Debug Code

Other issues may also be present depending on the rule packs used to scan.

Among these, an Unchecked Return Value finding warns that FileReader.read()
could have failed and that its return value should be checked before the
output is used.

The Path Manipulation vulnerability indicates that the user can control
the file opened by the FileReader. The Unreleased Resource vulnerability
indicates that the program does not close the FileReader.

The J2EE Bad Practices vulnerability indicates the presence of a main()
method, which should not appear in a J2EE application. Since this is not
a J2EE application, this category of vulnerabilities does not apply.
We can configure which categories of rules will be displayed based on
the type of application using the Audit Guide in Audit Workbench.
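The following is an added example, not the EightBall.java from this repository, showing one way to address the three findings discussed above (Path Manipulation, Unreleased Resource, Unchecked Return Value) in the same program. The original source is not shown here, so it assumes the program picks one of the message files 0, 1 or 2 from the integer argument; the message directory name, the class name EightBallHardened and the modulo-3 selection rule are placeholders.

```java
import java.io.BufferedReader;
import java.io.IOException;
import java.nio.file.Files;
import java.nio.file.Path;
import java.nio.file.Paths;

// Hardened variant of the EightBall program described in the README.
// Assumption: the original selects message file "0", "1" or "2" from the
// integer argument; its exact selection rule is not shown, so modulo 3 is
// used here as a placeholder.
public class EightBallHardened {

    // Fixed directory the message files live in (assumed name; the original
    // appears to open files relative to the working directory).
    private static final Path MESSAGE_DIR =
            Paths.get("messages").toAbsolutePath().normalize();

    // Parse the command-line argument strictly as an integer. A filename
    // passed in place of a number is rejected here instead of flowing into
    // the file open, which is the root of the Path Manipulation finding.
    static int parseSeed(String arg) {
        try {
            return Integer.parseInt(arg);
        } catch (NumberFormatException e) {
            throw new IllegalArgumentException("argument must be an integer", e);
        }
    }

    // Map the integer onto one of the three known message names. Only the
    // literal names "0", "1" and "2" can ever reach the file system.
    static String selectMessageName(int seed) {
        return Integer.toString(Math.floorMod(seed, 3));
    }

    // Resolve the chosen name inside MESSAGE_DIR and verify it stays there,
    // so no user-influenced value can name a file outside that directory.
    static Path resolveMessagePath(String name) {
        Path p = MESSAGE_DIR.resolve(name).normalize();
        if (!p.startsWith(MESSAGE_DIR)) {
            throw new IllegalArgumentException("message path escapes message directory");
        }
        return p;
    }

    // Read the message. try-with-resources closes the reader on every exit
    // path (Unreleased Resource), and the return value of read() is checked
    // (Unchecked Return Value) rather than assumed to have filled the buffer.
    static String readMessage(Path path) throws IOException {
        StringBuilder sb = new StringBuilder();
        char[] buf = new char[256];
        try (BufferedReader in = Files.newBufferedReader(path)) {
            int n;
            while ((n = in.read(buf)) != -1) {
                sb.append(buf, 0, n);
            }
        }
        return sb.toString();
    }

    public static void main(String[] args) {
        if (args.length != 1) {
            System.err.println("usage: java EightBallHardened <integer>");
            System.exit(2);
        }
        try {
            int seed = parseSeed(args[0]);
            Path p = resolveMessagePath(selectMessageName(seed));
            System.out.print(readMessage(p));
        } catch (IllegalArgumentException e) {
            System.err.println("error: " + e.getMessage());
            System.exit(1);
        } catch (IOException e) {
            // Report failure without echoing file contents or raw paths.
            System.err.println("error: could not read message");
            System.exit(1);
        }
    }
}
```

Compiled with javac and run as `java EightBallHardened 391`, it prints the selected message; a non-integer argument is refused before any file is opened. Rescanning a version like this with sourceanalyzer is a quick way to confirm that the Path Manipulation and Unreleased Resource findings are gone, while the J2EE Bad Practices finding for main() remains until the Audit Guide is set to a non-J2EE application type.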
