1、漏洞總數
AppScan Source:91
Fortify:121
2、Disclaimer.htm:34(Cross-Site Scripting:DOM)的漏洞Fortify能掃描出來,AppScan Source掃描不出來
另外,Fortify能掃描出比較多Persistent類型的XSS漏洞
并且歸類比較好(分DOM、Persistent、Reflected類型列出)
3、AdminLoginServlet.java:35(Password Management:Hardcoded Password)的漏洞Fortify能掃描出來,AppScan Source掃描不出來
4、Fortify掃出的DBUtil.java:238(Access Control:Database)在AppScan中被歸類到
SQL Injection
5、admin.jsp:18(Password Management:Empty Password)屬于誤報
<script language="javascript"> function confirmpass(myform) { if (myform.password1.value.length && (myform.password1.value==myform.password2.value)) { return true; } else { myform.password1.value=""; myform.password2.value=""; myform.password1.focus(); alert ("Passwords do not match"); return false; } } </script> |
6、Fortify會報比較多這類問題:
Code Correctness:Class Does Not Implement equals Hardcoded Domain in HTML Hidden Field J2EE Bad Practices J2EE Misconfiguration Missing Check against Null Password Management:Password in Comment Poor Error Handling System Information Leak:Incomplete Servlet Error Handling |
7、Fortify會報比較多transfer.jsp:32(Cross-Site Request Forgery)這類CSRF的問題,而AppScan Source沒有掃出來
8、Fortify有掃出ServletUtil.java(Missing XML Validation)的問題,而AppScan Source沒有掃出來
9、Fortify有掃出AdminServlet.java:65(Redundant Null Check)的問題,而AppScan Source沒有掃出來