Commit 1897a772 authored by Russ Fish

Improved probe undoing and setup/teardown logic. Added some documentation.

parent dc52a1ea
#
# EMULAB-COPYRIGHT
# Copyright (c) 2007 University of Utah and the Flux Group.
# All rights reserved.
#
sec-check/README-FIRST.txt - Sec-check documentation outline.
. Goals
- Purpose: Locate and plug all SQL injection holes in the Emulab web pages,
guide the plugging, and re-run to find any new holes we introduce.
- Useful as a test harness, even if not probing.
- Method: Combine white-box and black-box testing, with much automation.
. Background (See sec-check/README-background.txt)
- SQL Injection vulnerabilities: Ref "The OWASP Top Ten Project"...
- Automated vulnerability scan tools, search and conclusions...
. Sec-check concepts. (See sec-check/README-concepts.txt)
- Overview of sec-check tool
. This is an SQL injection vulnerability scanner, built on top of an
automated test framework. It could be factored into generic and
Emulab-specific portions without much trouble.
. Drives the HTML server in an inner Emulab-in-Emulab experiment via wget,
using forms page URL's with input field values. Most forms-input values
are automatically mined from HTML results of spidering the web interface.
. This is "web scraping", not "screen scraping"...
. Implemented as an Emulab GNUmakefile.in for flexible control flow...
- Several stages of operation are supported, each with analysis and
summary...
. src_forms:
Grep the sources for <form and make up a list of php form files.
. activate:
Sets up the newly swapped-in ElabInElab site in the makefile...
. spider:
Recursively wget a copy of the ElabInElab site and extract a <forms list.
. forms_coverage:
Compare the two lists to find uncovered (unlinked) forms.
. input_coverage:
Extract <input fields from spidered forms.
. normal:
Create, run, and categorize "normal operations" test cases.
. probe:
Create and run probes to test the checking code of all input fields.
. Details of running and incremental development (See README-howto.txt)
- General
. Directories
. Inner Emulab-in-Emulab experiment
- High-level targets
. all: src_forms spider forms_coverage input_coverage normal probe
. msgs: src_msg site_msg forms_msg input_msg analyze probes_msg
- Stages of operation (makefile targets)
. src_forms: src_list src_msg
. activate: activate.wget $(activate_tasks) analyze_activate
. spider: clear_wget_dirs do_spider site_list site_msg
. forms_coverage: files_missing forms_msg
. input_coverage: input_list input_msg
. normal: gen_all run_all analyze
. probe: gen_probes probe_all probes_msg
#
# EMULAB-COPYRIGHT
# Copyright (c) 2007 University of Utah and the Flux Group.
# All rights reserved.
#
sec-check/README-background.txt
See README-FIRST.txt for a top-level overall outline.
- Background on SQL Injection vulnerabilities: Ref "The OWASP Top Ten Project"
http://www.owasp.org/index.php/Category:OWASP_Top_Ten_Project
. "The OWASP Top Ten represents a broad consensus about what the most
critical web application security flaws are."
. The first flaw on the list (many others are consequences of this one.)
"A1 Unvalidated Input -
Information from web requests is not validated before being used by a
web application. Attackers can use these flaws to attack backend
components through a web application."
http://www.owasp.org/index.php/Unvalidated_Input
. One of the consequences:
"A6 Injection Flaws -
Web applications pass parameters when they access external systems
or the local operating system. If an attacker can embed malicious
commands in these parameters, the external system may execute those
commands on behalf of the web application."
http://www.owasp.org/index.php/Injection_Flaws
. More details:
- The OWASP Guide Project
http://www.owasp.org/index.php/Category:OWASP_Guide_Project
- Guide Table of Contents
http://www.owasp.org/index.php/Guide_Table_of_Contents
. Data Validation
http://www.owasp.org/index.php/Data_Validation
- Data Validation Strategies
http://www.owasp.org/index.php/Data_Validation#Data_Validation_Strategies
- Prevent parameter tampering
http://www.owasp.org/index.php/Data_Validation#Prevent_parameter_tampering
- Hidden fields
http://www.owasp.org/index.php/Data_Validation#Hidden_fields
. Interpreter Injection
http://www.owasp.org/index.php/Interpreter_Injection
- SQL Injection
http://www.owasp.org/index.php/Interpreter_Injection#SQL_Injection
- Automated vulnerability scan tools, search and conclusions
. In July 2006, I surveyed 29 available free and commercial tools,
categorized as site mappers, scanners, http hacking tools, proxies,
exploits, and testing tools. 9 of them were worth a second look.
Many were Windows-only, or manual tools for "penetration testing" to find
a single unchecked query hole and then attack a database through it.
Some had automation specific to Microsoft SQL server, which is easy
because it reports SQL error messages through query results that can leak
onto HTML pages. These can easily be used to locate injection holes and
spill the internal details of the database schema; then the DB data is
siphoned out and/or mischief is done through the hole.
None of the tools targeted MySQL, but I verified that MySQL is still
vulnerable to SQL injection attack from any unchecked or unescaped inputs
to GET or POST forms. Trivially, just include an unmatched single-quote
in any input string that goes into a dynamically-built SQL query that has
argument strings delimited by single-quotes.
This is of course only useful if you have another way to know the
database schema. Such as an open-source distribution of our software,
which would also allow finding input checking holes by inspecting the PHP
code. Hence the goal to locate, plug, and verify *all* such holes before
open-source distribution.
Some site mappers are combined with plugins to generate "blind" SQL
injection probes against the input fields of forms. They might be
effective against a suicidal site with very little sanity checking on
inputs.
Our PHP code checks "almost all" inputs serially, so the first input that
is rejected short-circuits checking the rest of the inputs and generating
queries. But a clever penetrator could generate reasonable inputs and
get past that to find a hole and exploit it. We need an automated way to
provide some assurance that there are no holes to find.
. I selected several of the tools to try:
- Screaming Cobra - Mapper with form vulnerability "techniques". (Perl)
I tried it in the insulation of an Emulab-in-Emulab, with various
combinations of arguments. Not surprisingly, its blind thrashing
didn't penetrate any of the public Emulab pages.
But one could go much further with an Emulab login uid and password,
after adding necessary login session cookie logic. And further still
if admin mode were breached...
- Spike Proxy, an HTTP Hacking / Fuzzing proxy
(Open Source, Python, Windows/Linux) w/ SQL injection.
This is a good example of what a manual "penetration tester" (black or
white hat) would use to attack a web site.
I used it to record browsing sessions while manually operating the
Emulab web site. It also allows editing inputs and replaying attacks
but I didn't try that.
It was useful to determine exactly what POST arguments were passed and
their values. This broke a chicken-and-egg bootstrapping problem: I
had to script "activation" of the DB (creating "one of everything")
before I could spider the web site and enumerate the full set of forms
arguments.
- WebInject - Free automated test tool for web apps and services.
Perl/XML, GPL'ed.
This sounded perfect at first, particularly since it presents a GUI of
the test results. But to do that, it has to be provided with a
complete set of success and failure match strings, expressed along with
the URL's to probe in an XML file.
Unfortunately, it's made for monolithic runs, where everything is in a
single session. That's not useful for incremental development,
particularly since the web pages are not retained to help
understand what happened.
Maybe this will be useful at some point though, so I kept it under
sec-check with some stubs in the makefile for generating the XML.
Meanwhile, I found that the (new version of the) venerable "wget"
command has the necessary options to retain login cookies, set
traversal limits for recursive spidering, and convert pages so they are
browsable from local directories. Far more convenient.
I wound up implementing logic similar to WebInject in a much simpler
way (but without a GUI.)
#
# EMULAB-COPYRIGHT
# Copyright (c) 2007 University of Utah and the Flux Group.
# All rights reserved.
#
sec-check/README-concepts.txt - Design and methods employed in sec-check.
For more details of running and incremental development, see README-howto.txt .
See README-FIRST.txt for a top-level outline.
- Overview of the sec-check tool
. This is an SQL injection vulnerability scanner, built on top of an
automated test framework. It could be factored into generic and
Emulab-specific portions without much difficulty.
. Drives the HTML server in an inner Emulab-in-Emulab experiment via wget,
using forms page URL's with input field values. Most forms-input values
are automatically mined from HTML results of spidering the web interface.
. This is "web scraping", not "screen scraping"
http://en.wikipedia.org/wiki/Web_scraping
Web scraping differs from screen scraping in the sense that a website
is really not a visual screen, but a live HTML/JavaScript-based
content, with a graphics interface in front of it. Therefore, web
scraping does not involve working at the visual interface as screen
scraping, but rather working on the underlying object structure
(Document Object Model) of the HTML and JavaScript.
. Implemented as an Emulab GNUmakefile.in for flexible control flow.
- Some actions use gawk scripts to filter the results at each stage,
generating inputs and/or scripts for the next stage.
- Several stages of operation are supported, each with analysis and summary,
corresponding to the top-level sections of the GNUmakefile.in .
For more details of running and incremental development, see README-howto.txt .
"gmake all" to do everything after activation.
"gmake msgs" to see all of the summaries.
----------------
. src_forms:
Grep the sources for <form and make up a list of php form files.
Here's an example of the src_msg output:
** Sources: 107 separate forms are on 89 code pages. **
** (See src_forms.list and src_files.list
** in ../../../testbed/www/sec-check/results .) **
----------------
. activate:
Sets up the newly swapped-in ElabInElab site in the makefile to create
"one of everything" (or sometimes two in different states), thus turning
on as many forms as we can for spidering.
** Activation analysis: success 12, failure 0, problem 0, UNKNOWN 0 **
** (See analyze_activate.txt in ../../../../testbed/www/sec-check/results .) **
. Cookie logic for logout/login/admin actions is also in the makefile.
----------------
. spider:
Recursively wget a copy of the ElabInElab site and extract a <forms list.
** Spider: 1773 ( 3 + 1770 ) forms instances are in 55 ( 3 + 55 ) web pages. **
** (See *_{forms,files}.list in ../../../testbed/www/sec-check/results .) **
- Actually, spider it twice, once not logged in for the public view,
and again, logged in and with administrative privileges, for the
private view.
- Don't follow page links that change the login/admin state here.
- Also reject other links to pages which don't have any input fields,
and don't ask for confirmation before taking actions. These must be
tested specially.
----------------
. forms_coverage:
Compare the two lists to find uncovered (unlinked) forms.
** Forms: 34 out of 89 forms files are not covered. **
** (See ../../../testbed/www/sec-check/results/files_missing.list .) **
- Generally, unlinked forms are a symptom of an object type (or state)
that is not yet activated. Iterate on the activation logic.
----------------
. input_coverage:
Extract <input fields from spidered forms.
** Inputs: 9965 input fields, 343 unique, 123 over-ridden. **
** (See site_inputs.list and input_names.list
** in ../../../testbed/www/sec-check/results,
** and input_values.list in ../../../testbed/www/sec-check .) **
- form-input.gawk is applied to the spidered public and admin .html
files to extract forms/input lists.
- That process is generic, but there are a few little Emulab special
cases in the makefile where they are combined into a single list.
Special cases (hacks) are marked with XXX to make them easy to find.
- Start making an input values over-ride dictionary to point the pages
at the activation objects, using common input field names.
----------------
. normal:
Create, run, and categorize "normal operations" test cases.
** Run analysis: success 47, failure 6, problem 2, UNKNOWN 0 **
** (See analyze_output.txt in ../../../testbed/www/sec-check/results .) **
- The forms/inputs list is combined with the input value over-ride
dictionary using forms-to-urls.gawk, producing a list of forms page
URL's with GET and/or POST arguments.
- The url list is separated into setup, teardown, and show (other)
sections using the sep-urls.gawk script.
The {setup,teardown}_forms.list control files specify sequences of
PHP pages in the order that their operations must be performed,
e.g. creating a new project before making new experiments in the
project.
- A subtlety is that the activation objects are used by the "show"
script, whereas the setup and teardown scripts leave those alone and
suffix the ephemeral Emulab objects they create and delete with a
"3". There are many XXX special cases in sep-urls.gawk .
- The separated url lists are transformed into scripts containing wget
commands (generated by the urls-to-wget.gawk script) and run.
- Iterate until everything works, categorizing UNKNOWN results with
{success,failure,problem}.txt pattern lines until everything is
known. "Problems" are a small subset of failures, showing errors in
the sequencing of operations, or broken page logic due to the testing
environment, rather than input errors detected by the page logic.
- Additional commands, prefixed with a "!" character, are added to the
{setup,teardown}_forms.list files, which start to look more like
scripts.
Arbitrary commands can be ssh'ed to $MYBOSS and $MYOPS.
There's a special "sql" pseudo-command that can be used for select
queries to fetch values from the Emulab DB into shell variables, or
update queries to set DB state. (See urls-to-wget.gawk for details.)
It's also useful to surround sections with conditional logic to check
that necessary objects are in place to avoid a lot of unnecessary
collateral damage from page failures.
----------------
. probe:
Create and run probes to test the checking code of all input fields.
** Probe analysis: 408 probes out of 408 executed: 166 showed success,
** 242 failure (or probes caught), 38 dups, 0 UNKNOWN.
** Probes to 53 pages gave 13 hits: 13 backslashed, 0 UNCAUGHT in 0 pages.
** (See probe-labels.list and uncaught-files.list
** in ../../../testbed/www/sec-check/results .) **
- SQL injection probes are special strings substituted for individual
GET and POST arguments by the forms-to-urls.gawk script. They start
with an unmatched single-quote and are labeled with their form page
and input field name, for example:
query_type='**{kb-search.php3:query_type}**
- One page will be probed in the generated wget scripts as many times
as it has input fields (up to 30 in one case.) After the probes to a
page, one "normal" wget line is generated to perform the page
function and create the necessary conditions for going on to probe
the next page.
- A "probe catcher" is put into the underlying PHP common query
function to look in constructed SQL query strings for the probe
string prefix and throw an error if it's seen, with or without a
backslash escaping the single-quote. (This "hit" error message is
included in the failure.txt file, so probe hits are also failures.)
Obviously, the goal is to probe everything, and let no probe go
uncaught or unescaped.
- Sometimes, it's necessary to wait for a "backgrounded" page action to
complete before going on in the script. There's a "waitexp" helper
script for the common case of waiting for an Emulab experiment to be
in a particular state, "active" by default.
- Many probe strings will be ignored or escaped by the page logic,
causing the page to perform its function (such as creating or
deleting a user, project, or experiment.) There may be some strange
text included (or not, if only the presence of the argument is
considered by the page logic.)
- The failure.txt file is used to determine whether the page performed
its function and if so to undo it. "Undo" command lines are added
after PHP page files in the {setup,teardown}_forms.list files,
prefixed with a "-" character. There's an undo_probes.pl script with
common logic for a variety of Emulab object types.
- Plug all of the holes by adding or fixing input validation logic.
. Re-run probes to check.
. Re-do it periodically, as the system evolves.
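The mechanics of the normal and probe stages above, as an added Python example that is not sec-check's own code (the tool is gawk scripts, a GNUmakefile and wget, and the probe catcher lives in the PHP common query function). The page names, mined inputs, over-ride values, table name and base URL are constructed for the example; the escape helper is a stand-in for whatever escaping a page applies before building SQL, not MySQL's own function; and the two page_sql functions stand in for a page that escapes its inputs and one that has the kind of hole the probes are meant to find.

```python
"""Labeled SQL-injection probes, the over-ride dictionary, and the probe
catcher, modelled on README-concepts.txt (illustrative, not sec-check code)."""
import re

# Constructed sample: inputs mined from spidered forms, as name -> default
# value, in the spirit of form-input.gawk's output (format simplified).
MINED_INPUTS = {
    "kb-search.php3": {"query_type": "tag", "query": ""},
    "newgroup.php3": {"pid": "testproj", "group_id": "", "group_description": ""},
}

# Constructed over-ride dictionary keyed by common field name, pointing the
# pages at the activation objects (compare input_values.list).
OVERRIDES = {"query": "test_tag", "group_id": "testgroup",
             "group_description": "Testproj subgroup."}

# A probe label, with or without a backslash escaping the single-quote.
PROBE_RE = re.compile(r"(\\?)'\*\*\{([^}]*)\}\*\*")


def probe_string(page, field):
    """Unmatched single-quote labeled with page and field, e.g.
    '**{kb-search.php3:query_type}**"""
    return f"'**{{{page}:{field}}}**"


def normal_args(page):
    """Mined values with the over-ride dictionary applied."""
    args = dict(MINED_INPUTS[page])
    for name in args:
        if name in OVERRIDES:
            args[name] = OVERRIDES[name]
    return args


def fmt(args):
    return "&".join(f"{k}={v}" for k, v in args.items())


def page_urls(page, base, probe=False):
    """Normal stage: one URL per page. Probe stage: one URL per input field
    with that field replaced by its probe, then the unmodified URL last so
    the page still performs its function for the pages that follow."""
    args = normal_args(page)
    urls = []
    if probe:
        for field in args:
            probed = dict(args)
            probed[field] = probe_string(page, field)
            urls.append(f"{base}/{page}?{fmt(probed)}")
    urls.append(f"{base}/{page}?{fmt(args)}")
    return urls


def escape(value):
    """Stand-in for the escaping a page should apply before building SQL
    (the shape of mysql_real_escape_string, not the real function)."""
    return value.replace("\\", "\\\\").replace("'", "\\'")


def checked_page_sql(args):
    """A page whose input checking escapes values before building the query."""
    return (f"select * from kb where type='{escape(args['query_type'])}'"
            f" and tag='{escape(args['query'])}'")


def unchecked_page_sql(args):
    """The hole the scanner looks for: raw string concatenation."""
    return (f"select * from kb where type='{args['query_type']}'"
            f" and tag='{args['query']}'")


def probe_catcher(sql):
    """Models the check added to the common query function: None if no probe
    prefix is in the SQL, otherwise (label, was_backslashed). An unescaped
    probe reaching the query is an UNCAUGHT injection hole."""
    m = PROBE_RE.search(sql)
    return None if m is None else (m.group(2), m.group(1) == "\\")


def probe_summary(sql_strings):
    """Hit lists in the style of probes_msg: backslashed vs UNCAUGHT."""
    hits = {"backslashed": [], "UNCAUGHT": []}
    for sql in sql_strings:
        hit = probe_catcher(sql)
        if hit:
            hits["backslashed" if hit[1] else "UNCAUGHT"].append(hit[0])
    return hits


if __name__ == "__main__":
    for url in page_urls("kb-search.php3", "https://myboss.example", probe=True):
        print(url)
    probed = dict(normal_args("kb-search.php3"))
    probed["query_type"] = probe_string("kb-search.php3", "query_type")
    print(probe_summary([checked_page_sql(probed), unchecked_page_sql(probed)]))
```

The ordering in page_urls matters: the probe URLs come first and the unmodified URL last, because whatever the probes did to the page's objects has to be undone before the normal request is expected to succeed.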
......@@ -51,3 +51,5 @@ is not currently reserved
must be active
does not have enough permission
Could not map page arguments
Undefined variable
No running delay nodes
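Review bot: the new "Undefined variable" pattern turns any PHP notice into a failure, and the problem-pattern list later in this commit carries a lowercase "undefined variable"; the archive_tags.php3 notices consequently appear under both failure and problem in analyze_output.txt, which is consistent with problems being a subset of failures per README-concepts.txt, but the two lists spell the pattern differently, so a header comment stating whether matching is case-insensitive would keep the next editor from "fixing" one of them.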
......@@ -4,7 +4,7 @@
# Copyright (c) 2000-2006 University of Utah and the Flux Group.
# All rights reserved.
#
# forms-to-urls - Generate URL's for accessing the site.
# forms-to-urls.gawk - Generate URL's for accessing the site.
#
# form-input.gawk's output format is the input format for this script.
#
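Review bot: the copyright line two lines above the renamed comment still reads 2000-2006 while the README files added in this commit carry 2007; bump the year in the same change since the file is being edited anyway.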
......@@ -181,14 +181,9 @@ form && /^$/ { # Blank line terminates each form section.
if (arg_vals) { # Ignore if no argument values to supply.
if ( ! PROBE ) {
# Not probing.
gsub("%d", "", arg_str);
print url arg_str;
}
else {
# Substitute a labeled mock SQL injection attack probe string for
# EACH ?argument value. Generates N urls.
if ( PROBE ) {
# When probing, generate N probe urls. Substitute a labeled mock SQL
# injection attack probe string for one ?argument value in each URL.
delete all_args;
for (arg in action_args) all_args[arg] = action_args[arg];
for (arg in args) all_args[arg] = args[arg];
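Review bot: all_args is filled from action_args first and then from args, so a form field with the same name as an argument embedded in the action URL silently wins; a one-line comment stating that precedence would help, since the probe loop that follows iterates over the merged set and a reader cannot otherwise tell which copy of a duplicated name gets probed.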
......@@ -208,5 +203,12 @@ form && /^$/ { # Blank line terminates each form section.
print url probe_str;
}
}
# Not probing, or finished with probe URLs. Put out the unmodified URL
# *after* the probe URLs, since dependent actions later on will need the
# results of a setup/teardown action.
gsub("%d", "", arg_str);
print url arg_str;
}
}
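Review bot: the new comment says later actions need the results of the setup/teardown action, but the unmodified URL only succeeds if every probe the page accepted (README-concepts.txt notes probes are often ignored or escaped and the page then performs its function) has been undone by the "-" lines in the {setup,teardown}_forms.list files before it runs; say so here, otherwise a reader will assume the probe URLs are side-effect free. Also, gsub("%d", "", arg_str) now runs only for the unmodified URL, so check that the %d placeholder is stripped wherever probe_str is built, or the probe URLs will carry a literal "%d".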
......@@ -41,6 +41,7 @@ name="formfields[mtype_pc850]" !Yep
name="formfields[mtype_pc3000]" !Yep
name="formfields[new_section]" test_section
name="formfields[noidleswap_reason]" Testing.
name="formfields[node_id]" !
name="formfields[op_mode]" NORMALv2
name="formfields[os_name]" FreeBSD
name="formfields[os_version]" 666
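Review bot: the added `name="formfields[node_id]" !` entry has an empty value, and the meaning of the "!" marker is not documented in any visible file; it appears on the value side here and on `name="nextosid" !`, but before the name on `!name="new_type"`. A header comment in input_values.list defining "!" would make these entries readable.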
......@@ -85,7 +86,7 @@ name="formfields[when]" 1
name="formfields[wikiname]" TestUser
name="formfields[xref_tag]" test_tag%d
name="gid" !testgroup
name="group" !@grpidx@
name="group" !testgroup
name="group_description" Testproj subgroup.
name="group_id" testgroup
name="group_leader" @uid@
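Review bot: changing the "group" value from `!@grpidx@` to `!testgroup` switches this field from a DB-derived @...@ substitution to a literal name; that matches the `gid` entry just above, but @uid@ and @pcnode@ remain in use, so confirm that the pages taking "group" expect the name rather than the numeric index before dropping the substitution.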
......@@ -97,6 +98,9 @@ name="log_entry" Test log entry.
name="nextosid" !
!name="new_type"
name="new_uid" testuser2
name="newattribute_name" testattr
name="newattribute_type" integer
name="newattribute_value" 42
name="node" @pcnode@
name="node_id" !@pcnode@
name="node_type" !pctest
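Review bot: the new newattribute_name/newattribute_type/newattribute_value values make editnodetype.php3 actually add the attribute testattr=42 (integer) to node type pctest on every normal run; unless a teardown or undo line removes it, the next run will find the attribute already present. Check that undo_probes.pl or the teardown list covers node-type attributes.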
......
could not map
could not continue
already in use
you cannot modify
experiment in transition
undefined variable
uninitialized value
......@@ -27,7 +27,10 @@ newproj2.html
Your project request has been successfully queued.
newuser1.html
As a pending user of the Testbed you will receive a key via email.
application, and you will be notified via email as soon as
newuser2.html
As a pending user of the Testbed you will receive a key via email.
application, and you will be notified via email as soon as
================ failure ================
================ problem ================
================ UNKNOWN ================
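Review bot: the replacement success pattern "application, and you will be notified via email as soon as" is a mid-sentence fragment that starts after a line wrap and is shared by newuser1, newuser2 and joinproject; it will stop matching if the page text is reflowed. Prefer a phrase that begins at a sentence or tag boundary, as the "As a pending user" line it replaces did.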
......@@ -9,13 +9,14 @@ approveuser.php3.html
beginexp_html.php3.html
<b>Starting experiment configuration!</b> Since you are only pre-loading the experiment, this will typically
boot.php3.html
reboot (pc123): Attempting to reboot ...
reboot (pc153): Attempting to reboot ...
reboot (pc167): Attempting to reboot ...
reboot (pc153): Successful!
reboot (pc167): Successful!
delaycontrol.php3.html
Use this page to alter the traffic shaping parameters of your
reboot (pc120): Attempting to reboot ...
reboot (pc155): Attempting to reboot ...
reboot (pc165): Attempting to reboot ...
reboot (pc120): Successful!
reboot (pc155): Successful!
reboot (pc165): Successful!
changeuid.php.html
Please enter the new UID for user 'testusr3'<br><br>
deletegroup.php3.html
<b>Group 'testgroup3' in project 'testproj3' is being removed!</b> ...<br>
This will take a few moments; please be <em>patient</em>.<br>
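Review bot: the recorded output hard-codes physical node names (pc123/pc153/pc167 became pc120/pc155/pc165 in this run), so analyze_output.txt will churn on every swap-in of the inner experiment and real changes will hide in the noise; normalize node names before recording, for instance with the same @pcnode@ indirection input_values.list already uses.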
......@@ -23,13 +24,15 @@ deletegroup.php3.html
deleteimageid.php3.html
This will take a few moments; please be <em>patient</em>.<br>
ClearBusyIndicators('<center><b>Done!</b></center>');
Image '10004' in project testproj3 has been deleted!
Image '10038' in project testproj3 has been deleted!
deleteosid.php3.html
OS Descriptor 'testosid3' in Project testproj3 has been deleted!
deleteproject.php3.html
This will take a few moments; please be <em>patient</em>.<br>
ClearBusyIndicators('<center><b>Done!</b></center>');
deletepubkey.php3.html
<title>MyEmulab.Net - SSH Public Keys for user: testusr3</title>
SSH Public Keys for user: testusr3</h2>
Current ssh public keys for user testusr3.
Enter ssh public keys for user
deleteuser.php3.html
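Review bot: same churn as the node names, this time for a DB-assigned id (Image '10004' became '10038'); masking numeric ids in the recorded output would keep this file stable across runs.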
......@@ -55,8 +58,7 @@ endexp.php3.html
feedback.php3.html
<center><h3><br>Done!</h3></center>
freenode.php3.html
This will take a few moments; please be <em>patient</em>.<br>
ClearBusyIndicators('<center><b>Done!</b></center>');
Operation canceled!
freezeuser.php3.html
This will take a few moments; please be <em>patient</em>.<br>
ClearBusyIndicators('<center><b>Done!</b></center>');
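Review bot: freenode.php3 is now recorded as a success on the page text "Operation canceled!", which means the free-node operation was not performed; per README-concepts.txt a page that does not perform its function because of the test environment belongs under "problem", so either move this entry or note why a cancel is the expected outcome here.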
......@@ -65,14 +67,15 @@ gensslcert.php3.html
ClearBusyIndicators('<center><b>Done!</b></center>');
joinproject.php3.html
As a pending user of the Testbed you will receive a key via email.
application, and you will be notified via email as soon as
kb-manage.php3.html
<center><b>Knowledge Base Entry: 274 test_tag</b><br>(<a href="https://myboss.vulnelab.testbed.emulab.net/kb-search.php3">Search Again</a>)</center>
<center><b>Knowledge Base Entry: 282 test_tag</b><br>(<a href="https://myboss.vulnelab.testbed.emulab.net/kb-search.php3">Search Again</a>)</center>
kb-search.php3.html
<font size=+2>Knowledge Base search results</font>
linktest.php3.html
Are you <b>sure</b> you want to run linktest?
loadimage.php3.html
Taking a snapshot of node 'pc123' into image 'testimg3' ...
Taking a snapshot of node 'pc120' into image 'testimg3' ...
modifyexp.php3.html
<b>Your experiment is being modified!</b> You will be notified via email when the experiment has finished modifying and you are able to proceed. This typically takes less than 10 minutes, depending on the number of nodes in the experiment. If you do not receive email notification within a reasonable amount time, please contact <a href="mailto:testbed-ops@myops.vulnelab.testbed.emulab.net">
moduserinfo.php3.html
......@@ -86,10 +89,8 @@ newimageid.php3.html
<h3 class="submenuheader">More Options</h3>
newimageid_ez.php3.html
<h3 class="submenuheader">More Options</h3>
newmmlist.php3.html
<center><h2>testproj3-testlist mailing list administration<br>General Options Section</h2></center><hr>
newnodelog.php3.html
Log for node pc123.
Log for node pc120.
newosid.php3.html
<center><h3>Done!</h3></center>
newproject.php3.html
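Review bot: newmmlist.php3 drops out of the success list here and reappears under failure and problem with "Name already in use", i.e. the testproj3-testlist mailing list created by an earlier run was never torn down; add mailing-list removal to the teardown/undo lists instead of accepting the failure.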
......@@ -106,7 +107,7 @@ nsgen.php3.html
plab_ez.php3.html
<p><b>To finish creating your slice, edit the
powertime.php3.html
<center>Updated power time for:<br><br><b>pc123</b><br></center><!-- end content -->
<center>Updated power time for:<br><br><b>pc120</b><br></center><!-- end content -->
prereserve_node.php3.html
<h3 class="submenuheader">Node Options</h3>
replayexp.php3.html
......@@ -115,6 +116,8 @@ replayexp.php3.html
resendapproval.php.html
<h2>Done!</h2>
showpubkeys.php3.html
<title>MyEmulab.Net - SSH Public Keys for user: testuser</title>
SSH Public Keys for user: testuser</h2>
Current ssh public keys for user testuser.
Enter ssh public keys for user
showsumstats.php3.html
......@@ -129,7 +132,14 @@ updateaccounts.php3.html
You will be notified via email when the update has completed on
================ failure ================
archive_tags.php3.html
<b>Notice</b>: Undefined variable: instance in <b>/usr/testbed/www/archive_tags.php3</b> on line <b>101</b><br />
<b>Notice</b>: Undefined variable: template in <b>/usr/testbed/www/archive_tags.php3</b> on line <b>105</b><br />
No tags for experiment testbed/testexp1
delaycontrol.php3.html
No running delay nodes with eid='testexp1' and pid='testbed'!
newmmlist.php3.html
&nbsp;Oops, please fix the following errors!&nbsp;
<font color=red>Name already in use; pick another</font></td>
newnodes_list.php3.html
At least one node must be selected!
swapexp.php3.html
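Review bot: the archive_tags.php3 entry records PHP Notices for undefined $instance and $template at lines 101 and 105 of the page; that is an application defect independent of the harness (uninitialized variables reaching the output), so the page should initialize or check those variables rather than the notice being kept as an expected failure.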
......@@ -138,5 +148,10 @@ template_export.php.html
<title>MyEmulab.Net - Page Error</title>
Page Error</h2>
Invalid page arguments: /template_export.php?experiment=9<br><br>Must provide a template or an instance to export
================ problem ================
archive_tags.php3.html
<b>Notice</b>: Undefined variable: instance in <b>/usr/testbed/www/archive_tags.php3</b> on line <b>101</b><br />
<b>Notice</b>: Undefined variable: template in <b>/usr/testbed/www/archive_tags.php3</b> on line <b>105</b><br />
newmmlist.php3.html
<font color=red>Name already in use; pick another</font></td>
================ UNKNOWN ================
changeuid.php.html
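Review bot: the problem section now lists archive_tags.php3 and newmmlist.php3, and template_export.php above fails with "Must provide a template or an instance" because the generated URL passes only experiment=9; these are over-ride and sequencing issues, not input-validation findings, and they should be resolved in the setup lists before the probe stage, since a page that errors out early never exercises its field checks.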
......@@ -105,6 +105,7 @@ name="change_31217"
name="change_424"
name="change_501"
name="change_502"
name="clear"
name="clear_bootstrap"
name="clear_last"
name="def_boot_cmd_line"
......@@ -279,6 +280,7 @@ name="modbase"
name="name"
name="new_uid"
name="newattribute_name"
name="newattribute_type"
name="newattribute_value"
name="newprefix"
name="newtype"
......
** 107 separate forms are on 89 code pages. **
** (See src_forms.list and src_files.list in ../../../testbed/www/sec-check/results .) **
** Sources: 107 separate forms are on 89 code pages. **
** (See src_forms.list and src_files.list
** in ../../../testbed/www/sec-check/results .) **
**
** 1773 ( 3 + 1770 ) forms instances are in 55 ( 3 + 55 ) web pages. **
** Spider: 1773 ( 3 + 1770 ) forms instances are in 55 ( 3 + 55 ) web pages. **
** (See *_{forms,files}.list in ../../../testbed/www/sec-check/results .) **
**
** 34 forms files are not covered. **
** Forms: 34 out of 89 forms files are not covered. **
** (See ../../../testbed/www/sec-check/results/files_missing.list .) **
**
** 9956 input fields, 341 unique. **
** (See site_inputs.list and input_names.list in ../../../testbed/www/sec-check/results .) **
** Inputs: 9965 input fields, 343 unique, 123 over-ridden. **
** (See site_inputs.list and input_names.list
** in ../../../testbed/www/sec-check/results,
** and input_values.list in ../../../testbed/www/sec-check .) **
**
**
** Analysis: success 48, failure 4, UNKNOWN 1 **
** Run analysis: success 47, failure 6, problem 2, UNKNOWN 0 **
** (See analyze_output.txt in ../../../testbed/www/sec-check/results .) **
**
**
** Probe Analysis: success 67, failure 311, UNKNOWN 0 **
** (See analyze_probes.txt in ../../../../testbed/www/sec-check/results .) **
**
** 350 probes out of 353 executed: 39 showed success, 311 failure, 28 dups, 0 UNKNOWN.
**
** Probes to 53 pages gave 10 hits: 10 backslashed, 0 uncaught in 0 pages.
** (See probe-labels.list and uncaught-files.list in ../../../testbed/www/sec-check/results .) **
** Probe analysis: 408 probes out of 408 executed: 166 showed success,
** 242 failure (or probes caught), 38 dups, 0 UNKNOWN.
** Probes to 53 pages gave 13 hits: 13 backslashed, 0 UNCAUGHT in 0 pages.
** (See probe-labels.list and uncaught-files.list
** in ../../../testbed/www/sec-check/results .) **
**
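Review bot: the separate "Probe Analysis: success 67, failure 311" line is folded into one summary whose failure count is labelled "failure (or probes caught)", so caught probes are no longer separable from ordinary page failures in the summary; since the security goal is that every probe is either caught or escaped and none is UNCAUGHT, print the caught-probe count as its own figure next to the 13 backslashed hits rather than lumping it with failures.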
......@@ -8,3 +8,6 @@
Probe label: \'**{kb-manage.php3:formfields[title]}**
Probe label: \'**{moduserinfo.php3:formfields[usr_country]}**
Probe label: \'**{newgroup.php3:group_description}**
Probe label: \'**{newimageid.php3:formfields[description]}**
Probe label: \'**{newimageid_ez.php3:formfields[description]}**
Probe label: \'**{newosid.php3:description}**
......@@ -3,19 +3,19 @@ https://myboss.vulnelab.testbed.emulab.net/template_export.php?experiment=9
https://myboss.vulnelab.testbed.emulab.net/archive_tags.php3?experiment=9
https://myboss.vulnelab.testbed.emulab.net/boot.php3?experiment=9?post:confirmed=Confirm
https://myboss.vulnelab.testbed.emulab.net/delaycontrol.php3?experiment=9?post:dochange=1
https://myboss.vulnelab.testbed.emulab.net/editnodetype.php3?node_type=pctest?post:formfields[isdynamic]=0&formfields[issubnode]=0&formfields[isplabdslice]=0&formfields[isjailed]=0&newattribute_name=&formfields[isremotenode]=0&formfields[isvirtnode]=0&submit=Submit&formfields[issimnode]=0&node_type=pctest&newattribute_value=&formfields[class]=pc
https://myboss.vulnelab.testbed.emulab.net/editnodetype.php3?node_type=pctest?post:formfields[isdynamic]=0&newattribute_type=integer&formfields[issubnode]=0&formfields[isplabdslice]=0&formfields[isjailed]=0&newattribute_name=testattr&formfields[isremotenode]=0&formfields[isvirtnode]=0&submit=Submit&formfields[issimnode]=0&node_type=pctest&newattribute_value=42&formfields[class]=pc
https://myboss.vulnelab.testbed.emulab.net/editsitevars.php3?post:name=batch/retry_wait&value=
https://myboss.vulnelab.testbed.emulab.net/feedback.php3?mode=clear&experiment=9?post:confirmed=Confirm&clear_last=1
https://myboss.vulnelab.testbed.emulab.net/gensslcert.php3?post:formfields[passphrase1]=EinE_tmp&submit=Create SSL Cert&formfields[passphrase2]=EinE_tmp&formfields[user]=10071
https://myboss.vulnelab.testbed.emulab.net/linktest.php3?post:level=1&eid=testexp1&pid=testbed
https://myboss.vulnelab.testbed.emulab.net/newnodelog.php3?post:log_type=misc&log_entry=Test log entry.&node_id=pc123
https://myboss.vulnelab.testbed.emulab.net/newnodelog.php3?post:log_type=misc&log_entry=Test log entry.&node_id=pc120
https://myboss.vulnelab.testbed.emulab.net/newnodes_list.php3?remap[4]=&remap[5]=&newprefix=&remap[6]=&newtype=&create=Create selected nodes&remap[0]=&remap[1]=&remap[2]=&remap[3]=&addnumber=
https://myboss.vulnelab.testbed.emulab.net/nodecontrol.php3?node_id=pc123?post:rpms=&next_boot_osid=&def_boot_osid=208&temp_boot_osid=&startupcmd=&tarballs=&next_boot_cmd_line=&def_boot_cmd_line=
https://myboss.vulnelab.testbed.emulab.net/nodecontrol.php3?node_id=pc120?post:rpms=&next_boot_osid=&def_boot_osid=208&temp_boot_osid=&startupcmd=&tarballs=&next_boot_cmd_line=&def_boot_cmd_line=
https://myboss.vulnelab.testbed.emulab.net/nscheck.php3?post:MAX_FILE_SIZE=1024&formfields[exp_localnsfile]=/users/fish/shaped-2-nodes.ns
https://myboss.vulnelab.testbed.emulab.net/nsgen.php3?template=plabdevbox&templatevalues[ImageName]=PLAB-DEVBOX&templatevalues[NodeName]=devbox&templatevalues[HWType]=pc
https://myboss.vulnelab.testbed.emulab.net/plab_ez.php3?formfields[rpm]=&formfields[count]=1&formfields[when]=1&formfields[tarball]=&submit=Create it&formfields[nodelist]=&formfields[type]=pcplab&formfields[nodeversion]=Production&formfields[canfail]=Yep&formfields[startupcmd]=&formfields[units]=168&formfields[resusage]=1
https://myboss.vulnelab.testbed.emulab.net/powertime.php3?nodes[]=pc123&poweron=Yep&confirmed=Confirm
https://myboss.vulnelab.testbed.emulab.net/prereserve_node.php3?node_id=pc123?post:submit=Submit&pid=testbed
https://myboss.vulnelab.testbed.emulab.net/powertime.php3?nodes[]=pc120&poweron=Yep&confirmed=Confirm
https://myboss.vulnelab.testbed.emulab.net/prereserve_node.php3?node_id=pc120?post:submit=Submit&clear=1&pid=testbed
https://myboss.vulnelab.testbed.emulab.net/replayexp.php3?experiment=9?post:confirmed=Confirm
https://myboss.vulnelab.testbed.emulab.net/resendapproval.php?pid=testbed?post:submit=Submit&message=
https://myboss.vulnelab.testbed.emulab.net/showpubkeys.php3?user=502?post:MAX_FILE_SIZE=1024
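Review bot: prereserve_node.php3 now receives `submit=Submit&clear=1&pid=testbed` in a single POST; if the page honours clear before the reservation, the normal run no longer exercises the reserve path at all. Split this into two URLs (reserve, then clear) so both code paths, and their input checks, are covered.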
......