Commit 417094e2 authored by Russ Fish's avatar Russ Fish


parent c3ac79df
# Copyright (c) 2000-2006 University of Utah and the Flux Group.
# All rights reserved.
all: src_forms spider forms_coverage input_coverage probes
SRCDIR = @srcdir@
TESTBED_SRCDIR = @top_srcdir@
OBJDIR = ../..
SUBDIR = www/sec-check
EinE_proj = testbed
EinE_exp = vulnElab
EinE_boss = myboss
# Grep the sources for <form and make up a list of php form files.
src_forms: src_list src_count src_msg
# All of the forms lines.
SRC_FORMS = $(SRCSC)/src_forms.list
# Just the files list.
SRC_FILES = $(SRCSC)/src_files.list
src_list: $(SRC_FILES)
# Ignore any Emacs backup files with tilde's in the filenames.
(cd $(SRCWWW); \
find . -maxdepth 1 -name '*.php*' -print0 | \
xargs -0 grep -n '<form' | fgrep -v /save/ | \
sed '/^[^:]*~/d' | sort) > $(SRC_FORMS)
sed -e 's|^[^:]*/||' -e 's|:.*||' $(SRC_FORMS) > $(SRC_FILES)
SRC_COUNT = $(SRCSC)/src_files.count
src_count: $(SRC_COUNT)
sed 's|^\./\([^:]*\):.*|\1|' $(SRC_FILES) | \
sort -u | wc -l > $(SRC_COUNT)
src_msg: src_count
@echo "** `wc -l < $(SRC_FORMS)` separate forms" \
"are on `cat $(SRC_COUNT)` code pages. **"
# Spider a copy of the EinE site with wget and extract its forms list.
spider: clear_wget_dir login admin do_spider site_list site_count site_msg
WGETDIR = admin.wget
# Login info for the inner Emulab.
uid = $(USER)
### It's better to log in a browser and change your password in Edit Profile
### in the inner Elab to this string, than to put your real password here.
pswd = EinE_tmp
dom = $(EinE_proj).$(OURDOMAIN)
svr = $(EinE_boss).$(EinE_exp).$(dom)
root = http://$(svr)
sroot = https://$(svr)
# These are used only in the $(WGETDIR).
COOKIES = cookies.txt
sv_cookies = --save-cookies $(COOKIES)
ld_cookies = --load-cookies $(COOKIES)
wget_args = --keep-session-cookies --no-check-certificate
# Reject these links, which don't have any input fields,
# and don't ask for confirmation before taking action.
top_links = logout.php3,toggle.php
showexp_links = showlogfile.php3
shownode_links = nodetipacl.php3,showconlog.php3,nodessh.php3
rej_links = .txt,$(top_links),$(showexp_links),$(shownode_links)
# Clear out the wget directory.
clear_wget_dir: $(WGETDIR)
- rm -rf $(WGETDIR).prev
- mv -f $(WGETDIR) $(WGETDIR).prev
mkdir $(WGETDIR)
# Log in and create a current cookies.txt file.
login: $(WGETDIR) $(WGETDIR)/login.php3
cd $(WGETDIR); \
wget -S -dv $(wget_args) $(sv_cookies) -o login.log -O login.html \
--post-data "uid=$(uid)&password=$(pswd)&login=Login" \
# Log in above, then use this to toggle the admin bit on.
admin: login admin.html
cd $(WGETDIR); \
wget -S -dv $(wget_args) $(ld_cookies) -o admin.log -O admin.html \
# Finally ready to grab the whole site.
do_spider: $(WGETDIR)/wget.log
@echo "** Be patient, it's 25 megabytes, at maybe a meg a minute. **"
cd $(WGETDIR); \
wget -r -S $(wget_args) $(ld_cookies) -o wget.log \
-k -D $(dom) -R $(rej_links) -X /downloads,/gallery $(sroot)
du -s $(WGETDIR)
# Extract a list of the active forms in the site.
SITE_FORMS = $(SRCSC)/site_forms.list
SITE_FILES = $(SRCSC)/site_files.list
site_list: $(SITE_FILES)
# Ignore flyspray and Twiki for now.
# Ignore the search box form on every page, we'll treat it separately.
# Remove "get" arg lists following a question-mark from wget filenames.
(cd $(WGETDIR); \
find . \( -name distributions -prune \) \
-o \( -name flyspray -prune \) \
-o \( -name twiki -prune \) \
-o -type f -print0 | xargs -0 grep -n '<form ' | \
fgrep -v /search.php3 ) | sort -u > $(SITE_FORMS)
sed -e 's|^[^:]*/||' -e 's|[:?].*||' $(SITE_FORMS) | \
uniq > $(SITE_FILES)
SITE_COUNT = $(SRCSC)/site_forms.count
site_count: $(SITE_COUNT)
sed 's|^\./\([^:]*\):.*|\1|' $(SITE_FILES) | \
sort -u | wc -l > $(SITE_COUNT)
site_msg: site_count
@echo "** `wc -l < $(SITE_FORMS)` forms instances" \
"are in `cat $(SITE_COUNT)` web pages. **"
# Compare the two lists to find uncovered (unlinked) forms.
forms_coverage: files_missing forms_msg
FILES_MISSING = $(SRCSC)/files_missing.list
files_missing: $(FILES_MISSING)
$(FILES_MISSING): src_count site_count
diff $(SRC_FILES) $(SITE_FILES) | grep '^[<>]' > $(FILES_MISSING)
forms_msg: src_msg site_msg
@echo "** `wc -l < $(FILES_MISSING)` forms files are not covered. **"
# Look at files_missing.list and see README-howto.txt for the
# procedure to activate coverage of more forms.
# Grep spidered forms for <input definitions and devise acceptable values.
input_coverage: input_list input_msg gen_normal run_normal
SITE_INPUTS = $(SRCSC)/site_inputs.list
INPUT_NAMES = $(SRCSC)/input_names.list
INPUT_VALUES = $(SRCSC)/input_values.list
input_list: $(INPUT_NAMES)
# Extract input fields from the files from wget.
# Canonicalize and reorder: <input type=.* name=.* value=.* .*>
@(cd $(WGETDIR); \
gawk -f ../$(SRCSC)/form-input.awk \
$(shell sed -e "s/:.*//" -e "s/.*/'&'/" $(SITE_FORMS) ) \
# Get unique field names. We only care about type="text" for now.
awk '/type="text"/{print $$3}' $(SITE_INPUTS) | \
sort -u > $(INPUT_NAMES)
input_msg: input_list
@echo "** `wc -l < $(INPUT_NAMES)` unique input field names. **"
# Copy input_names.list to input_values.list .
# Edit value= clauses onto the lines.
# Convert the list to WebInject XML test cases submitting input field values.
NORMAL_URLS = $(SRCSC)/site_normal.urls
NORMAL_CASES = $(SRCSC)/normal_cases.xml
gen_normal: $(NORMAL_CASES)
gawk -f $(SRCSC)/forms-to-urls -v VALUES=$(SITE_VALUES) \
gawk -f $(SRCSC)/urls-to-webinject $(NORMAL_URLS) > $(NORMAL_CASES)
# Test using WebInject until "normal" input tests work properly in all forms.
NORMAL_OUTPUT = $(SRCSC)/normal_output.xml
run_normal: $(NORMAL_OUTPUT)
(cd $(SRCSC)/webinject; ../$(NORMAL_CASES);
mv results.xml ../$(NORMAL_OUTPUT)
# Probe the checking code of all input fields for SQL injection holes.
probes: gen_probes run_probes
# Generate WebInject cases with SQL injection probes in individual fields.
# Probe strings include form and field names that caused the hole.
PROBE_URLS = $(SRCSC)/site_probe.urls
PROBE_CASES = $(SRCSC)/probe_cases.xml
gen_probes: $(PROBE_CASES)
gawk -f $(SRCSC)/forms-to-urls -v PROBE=1 -v VALUES=$(SITE_VALUES) \
gawk -f $(SRCSC)/urls-to-webinject $(PROBE_URLS) > $(PROBE_CASES)
# Run the probes through webinject.
# Successfully caught cases should produce "invalid input" warnings.
# Potential penetrations will log SQL errors with the form/field name.
PROBE_OUTPUT = $(SRCSC)/probe_output.xml
run_probes: $(PROBE_OUTPUT)
(cd $(SRCSC)/webinject; ../$(PROBE_CASES);
mv results.xml ../$(PROBE_OUTPUT)
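Review bot: The `$(FILES_MISSING)` recipe fails in exactly the success case: once the two file lists agree, `diff` prints no `<`/`>` lines, `grep '^[<>]'` exits 1, and since a pipeline's status is its last command's, `forms_coverage` aborts precisely when coverage is complete; `diff $(SRC_FILES) $(SITE_FILES) | grep '^[<>]' > $(FILES_MISSING) || test $$? -eq 1` accepts the empty result while leaving real grep failures fatal. `gen_normal` and `gen_probes` pass `-v VALUES=$(SITE_VALUES)`, but the only values list defined in this file is `INPUT_VALUES`, so unless `SITE_VALUES` is set on a line this rendering dropped (several continuations, e.g. the `login`/`admin` URLs and the `gawk` lines, are visibly truncated) the awk scripts silently receive an empty `VALUES=`; `MAKEFLAGS += --warn-undefined-variables` would surface this. In `login`, the password is interpolated into the echoed, `ps`-visible wget command line, and `-S -dv` writes the request headers and the session cookie into `login.log` beside `cookies.txt`, so even with a throwaway password the recipe line should be `@`-prefixed, the credentials fed via `--post-file` from a mode-0600 file, and `$(WGETDIR)` kept out of version control. `--no-check-certificate` is defensible against the inner Emulab's own certificate but deserves a comment saying so, since it also disables verification for any host the spider is redirected to.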
sec-check/README-howto.txt - Documentation outline.
- Overview
. Purpose: Locate and plug all SQL injection holes in the Emulab web pages.
- Guide plugging them and find any new ones we introduce.
. Method: Combine white-box and black-box testing, with automation.
- Background
. Ref "The OWASP Top Ten Project"
- "The OWASP Top Ten represents a broad consensus about what the most
critical web application security flaws are."
- The first flaw on the list (many others are consequences of this one.)
"A1 Unvalidated Input -
Information from web requests is not validated before being used by a
web application. Attackers can use these flaws to attack backend
components through a web application."
- One of the consequences:
"A6 Injection Flaws -
Web applications pass parameters when they access external systems
or the local operating system. If an attacker can embed malicious
commands in these parameters, the external system may execute those
commands on behalf of the web application."
- More details:
. The OWASP Guide Project
. Guide Table of Contents
- Data Validation
. Data Validation Strategies
. Prevent parameter tampering
. Hidden fields
- Interpreter Injection
. SQL Injection
- Forms coverage
. Grep the sources for <form and make up a list of php form files.
gmake src_forms
- 105 separate forms are on 95 php code pages (plus 7 "extras" on Boss.)
. Spider a copy of the EinE site with wget and extract its forms list.
gmake spider
gmake site_forms
- 40 "base" forms are visible once logged in as user, 47 with admin on.
. Compare the two lists to find uncovered (unlinked) forms.
gmake forms_coverage
. Create a script to activate the EinE site to turn on all forms.
- Look in the sources to find where the missing links should be.
- Connect to the EinE site from a browser through Spike Proxy.
- Interactively create DB state that will elicit the uncovered forms.
. Projects/users awaiting approval,
. Experiments swapped in with active nodes, and so on.
- Capture a list of URL's along with Get or Post inputs for automation.
- Convert the list into an wget script and/or WebInject test cases.
. Re-spider and compare until everything is covered (no more missing forms.)
gmake spider
gmake forms_msg
- Input fields coverage
. Grep spidered forms for <input definitions and devise acceptable values.
gmake input_coverage
- 1631 <input lines in admin-base, 511 unique, with 156 unique field names.
- But only 78 of the unique field names are text fields.
. Convert the list to WebInject XML test cases submitting input field values.
. Test using WebInject until "normal" input tests work properly in all forms.
- Probe the checking code of all input fields for SQL injection holes
. Generate WebInject cases with SQL injection probes in individual fields.
Probe strings include form and field names that caused the hole.
. Successfully caught cases should produce "invalid input" warnings.
. Potential penetrations will log SQL errors with the form/field name.
- Plug all of the holes by adding or fixing input validation logic.
. Re-run probes to check.
. Re-do it periodically, as the system evolves.
#! /usr/bin/awk -f
FNR == 1 {
# Exempt forms in twik and flyspray files.
exempt = FILENAME ~ "/(twiki|flyspray)/";
if ( exempt ) next;
if (NR != 1) printf "\n";
/<form/ && ! exempt && !/action=[^ ]*\/search.php3/ {
sub(".*<form", "<form"); # Put <form at beginning of line.
sub("[ \t]on[a-zA-Z]+=.*['\"]", "", $0 ); # Skip Javascript.
while ( !match($0, ">") ) { # Multi-line <form statements.
sub("[ \t]*$", " "); # Single space at end of line.
getline ln;
sub("[ \t]on[a-zA-Z]+=.*['\"]", "", ln ); # Skip Javascript.
sub("^[ \t]*", "", ln); # No space on start of new line.
$0 = $0 ln;
sub(">.*", ">"); # Leave only <form ... > on the line.
form && /<input/ {
sub(".*<input", "<input"); # Put <input at beginning of line.
sub("[ \t]on[a-zA-Z]+=.*['\"]", "", $0 ); # Skip Javascript.
while ( !match($0, ">") ) { # Multi-line <input statements.
sub("[ \t]*$", " "); # Single space at end of line.
getline ln;
sub("[ \t]on[a-zA-Z]+=.*['\"]", "", ln ); # Skip Javascript.
sub("^[ \t]*", "", ln); # No space on start of new line.
$0 = $0 ln;
sub(">.*", ">"); # Leave only <input ... > on the line.
# Canonicalize.
sub("type=readonly", "type=text"); # There is no readonly type, text is default.
# Convert single-quoted type and name values to double quotes.
$0 = gensub("(name|type)='([^']+)'", "\\1=\"\\2\"", "g");
# Quote unquoted values.
$0 = gensub("(name|type|value)=([^'\"][^ >]+)", "\\1=\"\\2\"", "g");
# Reorder: <input type=.* name=.* value=.* .*>
$0 = gensub("<input (.*)value=('[^']+'|\"[^\"]+\")", "<input value=\\2 \\1", 1);
$0 = gensub("<input (.*)name=('[^']+'|\"[^\"]+\")", "<input name=\\2 \\1", 1);
$0 = gensub("<input (.*)type=('[^']+'|\"[^\"]+\")", "<input type=\\2 \\1", 1);
gsub(" *", " "); # Collapse extra spaces.
/<\/form/ { form=0 }
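Review bot: The JavaScript-stripping substitution `sub("[ \t]on[a-zA-Z]+=.*['\"]", "", $0 );` (and its three siblings on the `ln` lines of both blocks) is greedy: `.*['\"]` runs to the last quote on the line, so on a line like `<input onclick="f()" name="uid" value="x">` it also deletes the `name=` and `value=` attributes that follow the handler, and those fields never reach `input_names.list` or the probe cases. Matching only the handler's quoted value fixes it: `sub("[ \t]on[a-zA-Z]+=(\"[^\"]*\"|'[^']*')", "", $0 );`. `gsub(" *", " ")` near the end, if the pattern really is a single space before `*` rather than two (this rendering collapses runs of spaces), also matches the empty string and gawk then inserts a space between every character; `gsub(" +", " ")` says what is meant either way. The action blocks' closing braces and the line that sets `form=1` are not visible here, so the `form && /<input/` guard is read on trust.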
source tb_compat.tcl
set ns [new Simulator]
tb-elab-in-elab 1
namespace eval TBCOMPAT {
set elabinelab_hardware("boss") pc3000
set elabinelab_hardware("ops") pc3000
set elabinelab_maxpcs 1
set elabinelab_nodeos("boss") FBSD61-STD
set elabinelab_nodeos("ops") FBSD61-STD
$ns run
Version 2, June 1991
Copyright (C) 1989, 1991 Free Software Foundation, Inc.
59 Temple Place, Suite 330, Boston, MA 02111-1307 USA
Everyone is permitted to copy and distribute verbatim copies
of this license document, but changing it is not allowed.
The licenses for most software are designed to take away your
freedom to share and change it. By contrast, the GNU General Public
License is intended to guarantee your freedom to share and change free
software--to make sure the software is free for all its users. This
General Public License applies to most of the Free Software
Foundation's software and to any other program whose authors commit to
using it. (Some other Free Software Foundation software is covered by
the GNU Library General Public License instead.) You can apply it to
your programs, too.
When we speak of free software, we are referring to freedom, not
price. Our General Public Licenses are designed to make sure that you
have the freedom to distribute copies of free software (and charge for
this service if you wish), that you receive source code or can get it
if you want it, that you can change the software or use pieces of it
in new free programs; and that you know you can do these things.
To protect your rights, we need to make restrictions that forbid
anyone to deny you these rights or to ask you to surrender the rights.
These restrictions translate to certain responsibilities for you if you
distribute copies of the software, or if you modify it.
For example, if you distribute copies of such a program, whether
gratis or for a fee, you must give the recipients all the rights that
you have. You must make sure that they, too, receive or can get the
source code. And you must show them these terms so they know their
We protect your rights with two steps: (1) copyright the software, and
(2) offer you this license which gives you legal permission to copy,
distribute and/or modify the software.
Also, for each author's protection and ours, we want to make certain
that everyone understands that there is no warranty for this free
software. If the software is modified by someone else and passed on, we
want its recipients to know that what they have is not the original, so
that any problems introduced by others will not reflect on the original
authors' reputations.
Finally, any free program is threatened constantly by software
patents. We wish to avoid the danger that redistributors of a free
program will individually obtain patent licenses, in effect making the
program proprietary. To prevent this, we have made it clear that any
patent must be licensed for everyone's free use or not licensed at all.
The precise terms and conditions for copying, distribution and
modification follow.
0. This License applies to any program or other work which contains
a notice placed by the copyright holder saying it may be distributed
under the terms of this General Public License. The "Program", below,
refers to any such program or work, and a "work based on the Program"
means either the Program or any derivative work under copyright law:
that is to say, a work containing the Program or a portion of it,
either verbatim or with modifications and/or translated into another
language. (Hereinafter, translation is included without limitation in
the term "modification".) Each licensee is addressed as "you".
Activities other than copying, distribution and modification are not
covered by this License; they are outside its scope. The act of
running the Program is not restricted, and the output from the Program
is covered only if its contents constitute a work based on the
Program (independent of having been made by running the Program).
Whether that is true depends on what the Program does.
1. You may copy and distribute verbatim copies of the Program's
source code as you receive it, in any medium, provided that you
conspicuously and appropriately publish on each copy an appropriate
copyright notice and disclaimer of warranty; keep intact all the
notices that refer to this License and to the absence of any warranty;
and give any other recipients of the Program a copy of this License
along with the Program.
You may charge a fee for the physical act of transferring a copy, and
you may at your option offer warranty protection in exchange for a fee.
2. You may modify your copy or copies of the Program or any portion
of it, thus forming a work based on the Program, and copy and
distribute such modifications or work under the terms of Section 1
above, provided that you also meet all of these conditions:
a) You must cause the modified files to carry prominent notices
stating that you changed the files and the date of any change.
b) You must cause any work that you distribute or publish, that in
whole or in part contains or is derived from the Program or any
part thereof, to be licensed as a whole at no charge to all third
parties under the terms of this License.
c) If the modified program normally reads commands interactively
when run, you must cause it, when started running for such
interactive use in the most ordinary way, to print or display an
announcement including an appropriate copyright notice and a
notice that there is no warranty (or else, saying that you provide
a warranty) and that users may redistribute the program under
these conditions, and telling the user how to view a copy of this
License. (Exception: if the Program itself is interactive but
does not normally print such an announcement, your work based on
the Program is not required to print an announcement.)
These requirements apply to the modified work as a whole. If
identifiable sections of that work are not derived from the Program,
and can be reasonably considered independent and separate works in
themselves, then this License, and its terms, do not apply to those
sections when you distribute them as separate works. But when you
distribute the same sections as part of a whole which is a work based
on the Program, the distribution of the whole must be on the terms of
this License, whose permissions for other licensees extend to the
entire whole, and thus to each and every part regardless of who wrote it.
Thus, it is not the intent of this section to claim rights or contest
your rights to work written entirely by you; rather, the intent is to
exercise the right to control the distribution of derivative or
collective works based on the Program.
In addition, mere aggregation of another work not based on the Program
with the Program (or with a work based on the Program) on a volume of
a storage or distribution medium does not bring the other work under
the scope of this License.
3. You may copy and distribute the Program (or a work based on it,
under Section 2) in object code or executable form under the terms of
Sections 1 and 2 above provided that you also do one of the following:
a) Accompany it with the complete corresponding machine-readable
source code, which must be distributed under the terms of Sections
1 and 2 above on a medium customarily used for software interchange; or,
b) Accompany it with a written offer, valid for at least three
years, to give any third party, for a charge no more than your
cost of physically performing source distribution, a complete
machine-readable copy of the corresponding source code, to be
distributed under the terms of Sections 1 and 2 above on a medium
customarily used for software interchange; or,
c) Accompany it with the information you received as to the offer
to distribute corresponding source code. (This alternative is
allowed only for noncommercial distribution and only if you
received the program in object code or executable form with such
an offer, in accord with Subsection b above.)
The source code for a work means the preferred form of the work for
making modifications to it. For an executable work, complete source
code means all the source code for all modules it contains, plus any
associated interface definition files, plus the scripts used to
control compilation and installation of the executable. However, as a
special exception, the source code distributed need not include
anything that is normally distributed (in either source or binary
form) with the major components (compiler, kernel, and so on) of the
operating system on which the executable runs, unless that component
itself accompanies the executable.
If distribution of executable or object code is made by offering
access to copy from a designated place, then offering equivalent
access to copy the source code from the same place counts as
distribution of the source code, even though third parties are not
compelled to copy the source along with the object code.
4. You may not copy, modify, sublicense, or distribute the Program
except as expressly provided under this License. Any attempt
otherwise to copy, modify, sublicense or distribute the Program is
void, and will automatically terminate your rights under this License.
However, parties who have received copies, or rights, from you under
this License will not have their licenses terminated so long as such
parties remain in full compliance.
5. You are not required to accept this License, since you have not
signed it. However, nothing else grants you permission to modify or
distribute the Program or its derivative works. These actions are
prohibited by law if you do not accept this License. Therefore, by
modifying or distributing the Program (or any work based on the
Program), you indicate your acceptance of this License to do so, and
all its terms and conditions for copying, distributing or modifying
the Program or works based on it.
6. Each time you redistribute the Program (or any work based on the
Program), the recipient automatically receives a license from the
original licensor to copy, distribute or modify the Program subject to
these terms and conditions. You may not impose any further
restrictions on the recipients' exercise of the rights granted herein.
You are not responsible for enforcing compliance by third parties to
this License.
7. If, as a consequence of a court judgment or allegation of patent
infringement or for any other reason (not limited to patent issues),
conditions are imposed on you (whether by court order, agreement or
otherwise) that contradict the conditions of this License, they do not
excuse you from the conditions of this License. If you cannot
distribute so as to satisfy simultaneously your obligations under this
License and any other pertinent obligations, then as a consequence you
may not distribute the Program at all. For example, if a patent
license would not permit royalty-free redistribution of the Program by
all those who receive copies directly or indirectly through you, then
the only way you could satisfy both it and this License would be to
refrain entirely from distribution of the Program.
If any portion of this section is held invalid or unenforceable under
any particular circumstance, the balance of the section is intended to
apply and the section as a whole is intended to apply in other
It is not the purpose of this section to induce you to infringe any
patents or other property right claims or to contest validity of any
such claims; this section has the sole purpose of protecting the
integrity of the free software distribution system, which is
implemented by public license practices. Many people have made
generous contributions to the wide range of software distributed
through that system in reliance on consistent application of that
system; it is up to the author/donor to decide if he or she is willing
to distribute software through any other system and a licensee cannot
impose that choice.
This section is intended to make thoroughly clear what is believed to
be a consequence of the rest of this License.
8. If the distribution and/or use of the Program is restricted in
certain countries either by patents or by copyrighted interfaces, the
original copyright holder who places the Program under this License
may add an explicit geographical distribution limitation excluding
those countries, so that distribution is permitted only in or among
countries not thus excluded. In such case, this License incorporates
the limitation as if written in the body of this License.
9. The Free Software Foundation may publish revised and/or new versions
of the General Public License from time to time. Such new versions will
be similar in spirit to the present version, but may differ in detail to
address new problems or concerns.
Each version is given a distinguishing version number. If the Program
specifies a version number of this License which applies to it and "any
later version", you have the option of following the terms and conditions
either of that version or of any later version published by the Free
Software Foundation. If the Program does not specify a version number of
this License, you may choose any version ever published by the Free Software
10. If you wish to incorporate parts of the Program into other free