
Veracode Detailed Report
Application Security Report As of 14 Nov 2017

Prepared for:
Prepared on: April 5, 2018
Application: Facebook Follower Counter Bot
Business Criticality: BC3 (Medium)
Required Analysis: Not Specified
Type(s) of Analysis Conducted: Static
Scope of Static Scan: 2 of 25 Modules Analyzed
Inside This Report
Executive Summary 1
Summary of Flaws by Severity 1
Action Items 1
Flaw Types by Category 4
Policy Summary 5
Findings & Recommendations 6
Methodology
While every precaution has been taken in the preparation of this document, Veracode, Inc. assumes no responsibility for errors, omissions, or for damages resulting from the use of the information herein. The Veracode platform uses static and/or dynamic analysis techniques to discover potentially exploitable flaws. Due to the nature of software security testing, the lack of discoverable flaws does not mean the software is 100% secure.
© 2018 Veracode, Inc. and Veracode Confidential
65 Network Drive, Burlington, MA 01803
Tel.+1.339.674.2500 Fax.+1.339.674.2502 URL:http://www.veracode.com

Executive Summary
Application: Facebook Follower Counter Bot
Business Criticality: BC3 (Medium)
Target Level: VL3
Published Rating: Veracode Level VL1, Rated: Nov 14, 2017

Scans Included in Report
Static Scan: Facebook Bot Scan 1, Score: 74, Completed: 11/14/17
Dynamic Scan: Not Included in Report
Manual Scan: Not Included in Report
This report contains a summary of the security flaws identified in the application using automated static, automated dynamic and/or manual security analysis techniques. This is useful for understanding the overall security quality of an individual application or for comparisons between applications.
Application Business Criticality: BC3 (Medium)
Impacts:Operational Risk (Low), Financial Loss (Medium)
An application’s business criticality is determined by business risk factors such as: reputation damage, financial loss, operational risk, sensitive information disclosure, personal safety, and legal violations. The Veracode Level and required assessment techniques are selected based on the policy assigned to the application.
Analyses Performed vs. Required
Performed: Static
Required:
Action Items:
Summary of Flaws Found by Severity
Veracode recommends the following approaches, ranging from the most basic to the strongest security measures that a vendor can undertake to increase the overall security level of the application.
Required Analysis
Your policy requires periodic Static Scan and you are overdue. Please submit your application for Static Scan and remediate the required detected flaws to conform to your assigned policy.
Flaws To Fix By Expires Date
A grace period is specified for any flaw that violates the rules contained in your policy. These include CWE, Rollup Category, Issue Severity, and Industry Standards, as well as any flaws that prevent an application from achieving a minimum Veracode Level and/or score. To maintain policy compliance you must fix these flaws and resubmit your application for scanning before the grace period expires. The detailed flaw listing will badge the flaws that must be fixed and show the fix-by date as well.
The grace period has expired [11/14/17] for 2 flaws that were found in your Static Scan.
Flaw Severities
High severity flaws and above must be fixed for policy compliance.
Longer Timeframe (6 – 12 months)
Certify that software engineers have been trained on application security principles and practices.

Scope of Static Scan
The following modules were included in the static scan because the scan submitter selected them as entry points, which are modules that accept external data.
Engine Version: 117385
The following modules were included in the application scan:
Module Name | Compiler | Operating Environment | Engine Version
JS files within followy-master.zip | JAVASCRIPT_5_1 | JavaScript | 117385
Python files within followy-master.zip | Python | 117385
The following modules were not selected for a full scan. Code paths in these modules that are not called from a scanned module are not included in this report.
Module Name | Compiler | Operating Environment | Engine Version
chardetect.exe | MSVC10_X86 | Win32
cli-32.exe | MSVC9_X86 | Win32
cli-64.exe | MSVC9_X86_64 | Win64
cli.exe | MSVC9_X86 | Win32
easy_install-3.6.exe | MSVC10_X86 | Win32
easy_install.exe | MSVC10_X86 | Win32
flask.exe | MSVC10_X86 | Win32
gui-32.exe | MSVC9_X86 | Win32
gui-64.exe | MSVC9_X86_64 | Win64
gui.exe | MSVC9_X86 | Win32
gunicorn.exe | MSVC10_X86 | Win32
gunicorn_paster.exe | MSVC10_X86 | Win32
pip.exe | MSVC10_X86 | Win32
pip3.6.exe | MSVC10_X86 | Win32
(module name not recovered) | MSVC10_X86 | Win32
python.exe | MSVC14_X86 | Win32
python36.dll | MSVC14_X86 | Win32
pythonw.exe | MSVC14_X86 | Win32
t32.exe | MSVC10_X86 | Win32
(module name not recovered) | MSVC10_X86_64 | Win64
(module name not recovered) | MSVC10_X86 | Win32
(module name not recovered) | MSVC10_X86_64 | Win64
(module name not recovered) | MSVC10_X86 | Win32

Flaw Types by Severity and Category
Severity | Category | Flaws
Very High | Code Injection | 2
Very High (total) | | 2
High | | 0
Medium | CRLF Injection | 1
Medium | Cross-Site Scripting | 3
Medium | Cryptographic Issues | 54
Medium | Directory Traversal | 14
Medium | Server Configuration | 3
Medium (total) | | 75
Low | | 0
Very Low | | 0
Informational | | 0
Total | | 77
Static Scan Security Quality Score = 74

Policy Evaluation
Policy Name: Veracode Recommended Medium Revision: 1
Policy Status: Did Not Pass
Description
Veracode provides default policies to make it easier for organizations to begin measuring their applications against policies. Veracode Recommended Policies are available for customers as an option when they are ready to move beyond the initial bar set by the Veracode Transitional Policies. The policies are based on the Veracode Level definitions.
Rule | Requirement | Result
Minimum Veracode Level | VL3 | Did not pass
Score (VL3) | 70 | Passed
Scan Requirements (Last performed: ) | | Did not pass
Remediation (Flaws found: 2) | High | Did not pass

Flaw Severity | Grace Period | Flaws Exceeding | Result
Very High | 0 days | 2 | Did not pass
High | 0 days | 0 | Passed
Medium | 0 days | 0 | Passed
Low | 0 days | 0 | Passed
Very Low | 0 days | 0 | Passed
Informational | 0 days | 0 | Passed

Findings & Recommendations
Detailed Flaws by Severity
Very High (2 flaws)
Code Injection(2 flaws)
Description
Fix Required by Policy.
Code injection is the process of injecting untrusted input into an application that dynamically evaluates and executes the input as code. Common examples of code injection include Remote File Includes and Eval Injection into applications implemented in an interpreted language such as PHP.
Recommendations
Do not allow untrusted input to be evaluated or otherwise interpreted as code.
Associated Flaws by CWE ID:
Improper Neutralization of Directives in Dynamically Evaluated Code (‘Eval Injection’) (CWE ID 95)(2 flaws)
Description
The software allows untrusted input to be fed directly into a function (e.g. “eval”) that dynamically evaluates and executes the input as code, usually in the same interpreted language that the product uses.
Effort to Fix: 3 – Complex implementation error. Fix is approx. 51-500 lines of code. Up to 5 days to fix.
Recommendations
Validate all untrusted input to ensure that it conforms to the expected format, using centralized data validation routines when possible. In general, avoid executing code derived from untrusted input.
Instances found via Static Scan
Module | Location | Fix By
Python files within followy-master.zip | /followy-master/…/launch.py 30 | 11/14/17
Python files within followy-master.zip | /followy-master/…/launch.py 31 | 11/14/17

High (0 flaws)
No flaws of this type were found
Medium (75 flaws)
CRLF Injection(1 flaw)
Description
The acronym CRLF stands for “Carriage Return, Line Feed” and refers to the sequence of characters used to denote the end of a line of text. CRLF injection vulnerabilities occur when data enters an application from an untrusted source and is not properly validated before being used. For example, if an attacker is able to inject a CRLF into a log file, he could append falsified log entries, thereby misleading administrators or covering traces of the attack. If an attacker is able to inject CRLFs into an HTTP response header, he can use this ability to carry out other attacks such as cache poisoning. CRLF vulnerabilities primarily affect data integrity.
Recommendations
Apply robust input filtering for all user-supplied data, using centralized data validation routines when possible. Use output filters to sanitize all output derived from user-supplied input, replacing non-alphanumeric characters with their HTML entity equivalents.
Associated Flaws by CWE ID:
Improper Output Neutralization for Logs (CWE ID 117)(1 flaw)
Description
A function call could result in a log forging attack. Writing untrusted data into a log file allows an attacker to forge log entries or inject malicious content into log files. Corrupted log files can be used to cover an attacker’s tracks or as a delivery mechanism for an attack on a log viewing or processing utility. For example, if a web administrator uses a browser-based utility to review logs, a cross-site scripting attack might be possible.
Effort to Fix: 2 – Implementation error. Fix is approx. 6-50 lines of code. 1 day to fix.
Recommendations
Avoid directly embedding user input in log files when possible. Sanitize untrusted data used to construct log entries by using a safe logging mechanism such as the OWASP ESAPI Logger, which will automatically remove unexpected carriage returns and line feeds and can be configured to use HTML entity encoding for non-alphanumeric data. Only write custom blacklisting code when absolutely necessary. Always validate untrusted input to ensure that it conforms to the expected format, using centralized data validation routines when possible.
Instances found via Static Scan
Flaw Id | Module | Location | Fix By
| JS files within followy-master.zip | /…/debug/shared/debugger.js 118 |
Cross-Site Scripting (3 flaws)
Description

Cross-site scripting (XSS) attacks occur when an attacker uses a web application to send malicious code, generally in the form of a browser side script, to a different end user. Flaws that allow these attacks to succeed occur whenever a web application uses untrusted data in the output it generates without validating or encoding it. XSS vulnerabilities are commonly exploited to steal or manipulate cookies, modify presentation of content, and compromise sensitive information, with new attack vectors being discovered on a regular basis. XSS is also commonly referred to as HTML injection.
XSS vulnerabilities can be either persistent or transient (often referred to as stored and reflected, respectively). In a persistent XSS vulnerability, the injected code is stored by the application, for example within a blog comment or message board. The attack occurs whenever a victim views the page containing the malicious script. In a transient XSS vulnerability, the injected code is included directly in the HTTP request. These attacks are often carried out via malicious URLs sent via email or another website and require the victim to browse to that link. The consequence of an XSS attack to a victim is the same regardless of whether it is persistent or transient; however, persistent XSS vulnerabilities are likely to affect a greater number of victims due to their delivery mechanism.
Recommendations
Several techniques can be used to prevent XSS attacks. These techniques complement each other and address security at different points in the application. Using multiple techniques provides defense-in-depth and minimizes the likelihood of an XSS vulnerability.
* Use output filtering to sanitize all output generated from user-supplied input, selecting the appropriate method of encoding based on the use case of the untrusted data. For example, if the data is being written to the body of an HTML page, use HTML entity encoding. However, if the data is being used to construct generated Javascript or if it is consumed by client-side methods that may interpret it as code (a common technique in Web 2.0 applications), additional restrictions may be necessary beyond simple HTML encoding.
* Validate user-supplied input using positive filters (white lists) to ensure that it conforms to the expected format, using centralized data validation routines when possible.
* Do not permit users to include HTML content in posts, notes, or other data that will be displayed by the application. If users are permitted to include HTML tags, then carefully limit access to specific elements or attributes, and use strict validation filters to prevent abuse.
Associated Flaws by CWE ID:
Improper Neutralization of Script-Related HTML Tags in a Web Page (Basic XSS) (CWE ID 80)(3 flaws)
Description
This call contains a cross-site scripting (XSS) flaw. The application populates the HTTP response with untrusted input, allowing an attacker to embed malicious content, such as Javascript code, which will be executed in the context of the victim’s browser. XSS vulnerabilities are commonly exploited to steal or manipulate cookies, modify presentation of content, and compromise confidential information, with new attack vectors being discovered on a regular basis.
Effort to Fix: 3 – Complex implementation error. Fix is approx. 51-500 lines of code. Up to 5 days to fix.
Recommendations
Use contextual escaping on all untrusted data before using it to construct any portion of an HTTP response. The escaping method should be chosen based on the specific use case of the untrusted data, otherwise it may not protect fully against the attack. For example, if the data is being written to the body of an HTML page, use HTML entity escaping; if the data is being written to an attribute, use attribute escaping; etc. When a web framework provides built-in support for automatic XSS escaping, do not disable it. Both the OWASP Java Encoder library for Java and the Microsoft AntiXSS library provide contextual escaping methods. For more details on contextual escaping, see https://www.owasp.org/index.php/XSS_%28Cross_Site_Scripting%29_Prevention_Cheat_Sheet. In addition, as a best practice, always validate untrusted input to ensure that it conforms to the expected format, using centralized data validation routines when possible.

Instances found via Static Scan
Flaw Ids (truncated in extraction): 3810-, 319-, 219-
Module | Location | Fix By
Python files within followy-master.zip | /followy-master/bot.py 63 |
JS files within followy-master.zip | /…/debug/shared/debugger.js 76 |
JS files within followy-master.zip | /…/debug/shared/debugger.js 159 |
Cryptographic Issues (54 flaws)
Description
Applications commonly use cryptography to implement authentication mechanisms and to ensure the confidentiality and integrity of sensitive data, both in transit and at rest. The proper and accurate implementation of cryptography is extremely critical to its efficacy. Configuration or coding mistakes as well as incorrect assumptions may negate a large degree of the protection it affords, leaving the crypto implementation vulnerable to attack.
Common cryptographic mistakes include, but are not limited to, selecting weak keys or weak cipher modes, unintentionally exposing sensitive cryptographic data, using predictable entropy sources, and mismanaging or hard-coding keys.
Developers often make the dangerous assumption that they can improve security by designing their own cryptographic algorithm; however, one of the basic tenets of cryptography is that any cipher whose effectiveness is reliant on the secrecy of the algorithm is fundamentally flawed.
Recommendations
Select the appropriate type of cryptography for the intended purpose. Avoid proprietary encryption algorithms as they typically rely on “security through obscurity” rather than sound mathematics. Select key sizes appropriate for the data being protected; for high assurance applications, 256-bit symmetric keys and 2048-bit asymmetric keys are sufficient. Follow best practices for key storage, and ensure that plaintext data and key material are not inadvertently exposed.
Associated Flaws by CWE ID:
Insufficient Entropy (CWE ID 331) (25 flaws)
Description
Standard random number generators do not provide a sufficient amount of entropy when used for security purposes. Attackers can brute force the output of pseudorandom number generators such as rand().
Effort to Fix: 2 – Implementation error. Fix is approx. 6-50 lines of code. 1 day to fix.
Recommendations
If this random number is used where security is a concern, such as generating a session identifier or cryptographic key, use a trusted cryptographic random number generator instead.
Instances found via Static Scan
Flaw Id | Module | Location | Fix By
| Python files within followy-master.zip | /followy-master/…/arbiter.py 612 |
