Matthew Chiappone
Prof. Mozano
10/25/2021
Abstract
This report covers the scanning of the open-source medical device software SecPump. “SecPump is an open wireless insulin pump system workbench that models the insulin kinetics based on the modified Bergman's minimal model.” (Bresch, 2020) The scan used is Static Application Security Testing (SAST).
1. Introduction
Contents
About this report
Report description
Report parameters
Summaries
Alerts
Appendix
Alert types
Report parameters
Contexts
Sites
http://127.0.0.1:8080
An included site must also be within one of the included contexts for its data to be
included in the report.
Risk levels
Excluded: None
Confidence levels
Summaries
(The percentages in brackets represent the count as a percentage of the total number of alerts included in the report, rounded to one decimal place.)

Risk \ Confidence   User Confirmed   High        Medium       Low          Total
High                0 (0.0%)         0 (0.0%)    1 (7.1%)     0 (0.0%)     1 (7.1%)
Medium              0 (0.0%)         0 (0.0%)    1 (7.1%)     0 (0.0%)     1 (7.1%)
Low                 0 (0.0%)         0 (0.0%)    7 (50.0%)    5 (35.7%)    12 (85.7%)
Informational       0 (0.0%)         0 (0.0%)    0 (0.0%)     0 (0.0%)     0 (0.0%)
Total               0 (0.0%)         0 (0.0%)    9 (64.3%)    5 (35.7%)    14 (100%)
This table shows, for each site for which one or more alerts were raised, the number of alerts
raised at each risk level.
Alerts with a confidence level of "False Positive" have been excluded from these counts.
(The numbers in brackets are the number of alerts raised for the site at or above that risk
level.)
Site                    High (>= High)   Medium (>= Medium)   Low (>= Low)   Informational (>= Informational)
http://127.0.0.1:8080   1 (1)            1 (2)                12 (14)        0 (14)
This table shows the number of alerts of each alert type, together with the alert type's risk
level.
(The percentages in brackets represent each count as a percentage, rounded to one decimal
place, of the total number of alerts included in this report.)
Total 14
Alerts
Risk=High, Confidence=Medium (1)
http://127.0.0.1:8080 (1)
POST http://127.0.0.1:8080/WebGoat/register.mvc
Alert tags: OWASP_2021_A03, OWASP_2017_A01

POST http://127.0.0.1:8080/WebGoat/register.mvc HTTP/1.1
Host: 127.0.0.1:8080
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:92.0) Gecko/20100101 Firefox/92.0
Pragma: no-cache
Cache-Control: no-cache
Content-Type: application/x-www-form-urlencoded
Referer: http://127.0.0.1:8080/WebGoat/registration
Content-Length: 87
Cookie: JSESSIONID=aI5PMM_strdZGAvEeErLIeV65uTEHs-F1CQJcEBg

username=ZAP&password=ZAP&matchingPassword=ZAP&agree=agree%27+AND+%271%27%3D%271%27+--+

HTTP/1.1 200 OK
Connection: keep-alive
X-XSS-Protection: 1; mode=block
X-Content-Type-Options: nosniff
X-Frame-Options: DENY
Content-Type: text/html;charset=UTF-8
Content-Language: en-
Date: Thu, 21 Oct 2021 17:49:50 GMT

Parameter: agree
Solution: Do not trust client side input, even if there is client side validation in place.
http://127.0.0.1:8080 (1)
POST http://127.0.0.1:8080/WebGoat/register.mvc
Alert tags: OWASP_2021_A04, OWASP_2017_A01

POST http://127.0.0.1:8080/WebGoat/register.mvc HTTP/1.1
Host: 127.0.0.1:8080
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:92.0) Gecko/20100101 Firefox/92.0
Pragma: no-cache
Cache-Control: no-cache
Content-Type: application/x-www-form-urlencoded
Referer: http://127.0.0.1:8080/WebGoat/registration
Content-Length: 39
Cookie: JSESSIONID=aI5PMM_strdZGAvEeErLIeV65uTEHs-F1CQJcEBg

username=ZAP&password=ZAP&=&agree=agree

Parameter: matchingPassword
Evidence: javax.servlet.http.HttpServlet.service(HttpServlet.java:517)\n\tat
Solution: Identify the cause of the error and fix it. Do not trust client side input and enforce a tight check in the server side. Besides, catch the exception properly. Use a generic 500 error page for internal server error.
GET http://127.0.0.1:8080/WebGoat HTTP/1.1
Host: 127.0.0.1:8080
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:92.0) Gecko/20100101 Firefox/92.0
Pragma: no-cache
Cache-Control: no-cache

HTTP/1.1 200 OK
Connection: keep-alive
X-XSS-Protection: 1; mode=block
X-Content-Type-Options: nosniff
X-Frame-Options: DENY
Content-Type: text/html;charset=UTF-8
Content-Language: en-
Date: Thu, 21 Oct 2021 17:47:48 GMT

<!DOCTYPE html>
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<title>Login Page</title>
<link rel="stylesheet" type="text/css" href="/WebGoat/css/main.css"/>
<link rel="stylesheet" type="text/css" href="/WebGoat/plugins/bootstrap/css/bootstrap.min.css"/>
<link rel="stylesheet" type="text/css" href="/WebGoat/css/font-awesome.min.css"/>
<link rel="stylesheet" type="text/css" href="/WebGoat/css/animate.css"/>
</head>
<body>
<section id="container">
<header id="header">
<div class="brand">
<a href="/WebGoat/start.mvc" class="logo"><span>Web</span>Goat</a>
</div>
<div class="lessonTitle">
</div>
</header>
<section class="main-content-wrapper">
<section id="main-content">
<br/><br/>
<form action="/WebGoat/login" method='POST' style="width: 200px;">
<div class="form-group">
<label for="exampleInputEmail1">Username</label>
<input autofocus="dummy_for_thymeleaf_parser" type="text" class="form-control" id="exampleInputEmail1" placeholder="Username" name='username' />
</div>
<div class="form-group">
<label for="exampleInputPassword1">Password</label>
<input type="password" class="form-control" id="exampleInputPassword1" placeholder="Password" name='password' />
</div>
<button class="btn btn-primary btn-block" type="submit">Sign in</button>
<div class="text-center">
<a href="/WebGoat/registration">Register new user</a></div>
</form>
<br/><br/>
</section>
</section>
</section>
</body>
</html>

Phase: Implementation
Do not use the GET method for any request that triggers a state change.
Phase: Implementation
GET http://127.0.0.1:8080/WebGoat/login
Alert tags: OWASP_2021_A01, OWASP_2017_A05

GET http://127.0.0.1:8080/WebGoat/login HTTP/1.1
Host: 127.0.0.1:8080
User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:85.0) Gecko/20100101 Firefox/85.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Connection: keep-alive
Cookie: JSESSIONID=SQeFoh-IwI6ZzglEDTFxrDS_5EMhKxWs4tKpI0iq
Upgrade-Insecure-Requests: 1

HTTP/1.1 200 OK
Connection: keep-alive
X-XSS-Protection: 1; mode=block
X-Content-Type-Options: nosniff
X-Frame-Options: DENY
Content-Type: text/html;charset=UTF-8
Content-Language: en-US
Date: Thu, 21 Oct 2021 17:47:02 GMT

<!DOCTYPE html>
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<title>Login Page</title>
<link rel="stylesheet" type="text/css" href="/WebGoat/css/main.css"/>
<link rel="stylesheet" type="text/css" href="/WebGoat/plugins/bootstrap/css/bootstrap.min.css"/>
<link rel="stylesheet" type="text/css" href="/WebGoat/css/font-awesome.min.css"/>
<link rel="stylesheet" type="text/css" href="/WebGoat/css/animate.css"/>
</head>
<body>
<section id="container">
<header id="header">
<div class="brand">
<a href="/WebGoat/start.mvc" class="logo"><span>Web</span>Goat</a>
</div>
<div class="lessonTitle">
</div>
</header>
<section class="main-content-wrapper">
<section id="main-content">
<br/><br/>
<form action="/WebGoat/login" method='POST' style="width: 200px;">
<div class="form-group">
<label for="exampleInputEmail1">Username</label>
<input autofocus="dummy_for_thymeleaf_parser" type="text" class="form-control" id="exampleInputEmail1" placeholder="Username" name='username' />
</div>
<div class="form-group">
<label for="exampleInputPassword1">Password</label>
<input type="password" class="form-control" id="exampleInputPassword1" placeholder="Password" name='password' />
</div>
<button class="btn btn-primary btn-block" type="submit">Sign in</button>
<div class="text-center">
<a href="/WebGoat/registration">Register new user</a></div>
</form>
<br/><br/>
</section>
</section>
</section>
</body>
</html>

Phase: Implementation
Do not use the GET method for any request that triggers a state change.
Phase: Implementation
GET http://127.0.0.1:8080/WebGoat/login?error
Alert tags: OWASP_2021_A01, OWASP_2017_A05

GET http://127.0.0.1:8080/WebGoat/login?error HTTP/1.1
Host: 127.0.0.1:8080
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:92.0) Gecko/20100101 Firefox/92.0
Pragma: no-cache
Cache-Control: no-cache
Referer: http://127.0.0.1:8080/WebGoat/login
Cookie: JSESSIONID=aI5PMM_strdZGAvEeErLIeV65uTEHs-F1CQJcEBg

HTTP/1.1 200 OK
Connection: keep-alive
X-XSS-Protection: 1; mode=block
X-Content-Type-Options: nosniff
X-Frame-Options: DENY
Content-Type: text/html;charset=UTF-8
Content-Language: en-
Date: Thu, 21 Oct 2021 17:48:06 GMT

<!DOCTYPE html>
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<title>Login Page</title>
<link rel="stylesheet" type="text/css" href="/WebGoat/css/main.css"/>
<link rel="stylesheet" type="text/css" href="/WebGoat/plugins/bootstrap/css/bootstrap.min.css"/>
<link rel="stylesheet" type="text/css" href="/WebGoat/css/font-awesome.min.css"/>
<link rel="stylesheet" type="text/css" href="/WebGoat/css/animate.css"/>
</head>
<body>
<section id="container">
<header id="header">
<div class="brand">
<a href="/WebGoat/start.mvc" class="logo"><span>Web</span>Goat</a>
</div>
<div class="lessonTitle">
</div>
</header>
<section class="main-content-wrapper">
<section id="main-content">
<div>
<p>Invalid username and password.</p>
</div>
<br/><br/>
<form action="/WebGoat/login" method='POST' style="width: 200px;">
<div class="form-group">
<label for="exampleInputEmail1">Username</label>
<input autofocus="dummy_for_thymeleaf_parser" type="text" class="form-control" id="exampleInputEmail1" placeholder="Username" name='username' />
</div>
<div class="form-group">
<label for="exampleInputPassword1">Password</label>
<input type="password" class="form-control" id="exampleInputPassword1" placeholder="Password" name='password' />
</div>
<button class="btn btn-primary btn-block" type="submit">Sign in</button>
<div class="text-center">
<a href="/WebGoat/registration">Register new user</a></div>
</form>
<br/><br/>
</section>
</section>
</section>
</body>
</html>

Phase: Implementation
Do not use the GET method for any request that triggers a state change.
Phase: Implementation
GET http://127.0.0.1:8080/WebGoat/registration
Alert tags: OWASP_2021_A01, OWASP_2017_A05

GET http://127.0.0.1:8080/WebGoat/registration HTTP/1.1
Host: 127.0.0.1:8080
Gecko/20100101 Firefox/92.0
Pragma: no-cache
Cache-Control: no-cache
Referer: http://127.0.0.1:8080/WebGoat/login
Cookie: JSESSIONID=aI5PMM_strdZGAvEeErLIeV65uTEHs-F1CQJcEBg

HTTP/1.1 200 OK
Connection: keep-alive
X-XSS-Protection: 1; mode=block
X-Content-Type-Options: nosniff
X-Frame-Options: DENY
Content-Type: text/html;charset=UTF-8
Content-Language: en-
Date: Thu, 21 Oct 2021 17:48:04 GMT

OWASP CSRFGuard.
Phase: Implementation
Do not use the GET method for any request that triggers a state change.
Phase: Implementation
POST http://127.0.0.1:8080/WebGoat/register.mvc
Alert tags: OWASP_2017_A05
Alert description: No Anti-CSRF tokens were found in a HTML submission form.
CSRF attacks are effective in a number of situations, including:
Other info: RequestVerificationToken, csrfmiddlewaretoken, authenticity_token, OWASP_CSRFTOKEN, anoncsrf, csrf_token, _csrf, _csrfSecret, csrf_magic, CSRF, _token, _csrf_token] was found in the following HTML form: [Form 1: "agree" "matchingPassword" "password" "username" ].

POST http://127.0.0.1:8080/WebGoat/register.mvc HTTP/1.1
Host: 127.0.0.1:8080
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:92.0) Gecko/20100101 Firefox/92.0
Pragma: no-cache
Cache-Control: no-cache
Content-Type: application/x-www-form-urlencoded
Referer: http://127.0.0.1:8080/WebGoat/registration
Content-Length: 58
Cookie: JSESSIONID=aI5PMM_strdZGAvEeErLIeV65uTEHs-F1CQJcEBg

username=ZAP&password=ZAP&matchingPassword=ZAP&agree=agree

HTTP/1.1 200 OK
Connection: keep-alive
X-XSS-Protection: 1; mode=block
X-Content-Type-Options: nosniff
X-Frame-Options: DENY
Content-Type: text/html;charset=UTF-8
Content-Language: en-
Date: Thu, 21 Oct 2021 17:48:06 GMT

Phase: Implementation
Do not use the GET method for any request that triggers a state change.
Phase: Implementation
GET http://127.0.0.1:8080/WebGoat/
Alert tags: OWASP_2021_A05, OWASP_2017_A06

GET http://127.0.0.1:8080/WebGoat/ HTTP/1.1
Host: 127.0.0.1:8080
User-Agent: Mozilla/5.0 (X11; Ubuntu;

Parameter: JSESSIONID
Solution: Ensure that the HttpOnly flag is set for all cookies.
GET http://127.0.0.1:8080/WebGoat/
Alert tags: OWASP_2021_A01, OWASP_2017_A05

GET http://127.0.0.1:8080/WebGoat/ HTTP/1.1
Host: 127.0.0.1:8080
User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:85.0) Gecko/20100101 Firefox/85.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Connection: keep-alive
Upgrade-Insecure-Requests: 1

IwI6ZzglEDTFxrDS_5EMhKxWs4tKpI0iq; path=/WebGoat
X-XSS-Protection: 1; mode=block
X-Content-Type-Options: nosniff
X-Frame-Options: DENY
Location: http://127.0.0.1:8080/WebGoat/login
Content-Length: 0
Date: Thu, 21 Oct 2021 17:47:01 GMT

Response body (0 bytes)

Parameter: JSESSIONID
Evidence: Set-Cookie: JSESSIONID
Solution: Ensure that the SameSite attribute is set to either 'lax' or ideally 'strict' for all cookies.
http://127.0.0.1:8080 (5)
Timestamp Disclosure - Unix (5)
GET http://127.0.0.1:8080/WebGoat/plugins/bootstrap/css/bootstrap.min.css
Alert tags: OWASP_2021_A01, OWASP_2017_A03
Alert description: A timestamp was disclosed by the application/web server - Unix
Other info: 00000000, which evaluates to: 1969-12-31 16:00:00
Request: Request line and header section (391 bytes)

GET http://127.0.0.1:8080/WebGoat/plugins/bootstrap/css/bootstrap.min.css HTTP/1.1
Host: 127.0.0.1:8080
User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:85.0) Gecko/20100101 Firefox/85.0
Accept: text/css,*/*;q=0.1
Accept-Language: en-US,en;q=0.5
Connection: keep-alive
Referer: https://127.0.0.1:8080/WebGoat/login
Cookie: JSESSIONID=SQeFoh-IwI6ZzglEDTFxrDS_5EMhKxWs4tKpI0iq

HTTP/1.1 200 OK
X-XSS-Protection: 1; mode=block
X-Frame-Options: DENY
Accept-Ranges: bytes
Date: Thu, 21 Oct 2021 17:47:05 GMT
Connection: keep-alive
Vary: Origin
Vary: Access-Control-Request-Method
Vary: Access-Control-Request-Headers
Last-Modified: Sun, 05 Sep 2021 12:44:52 GMT
X-Content-Type-Options: nosniff
Content-Type: text/css
Content-Length: 99961

Evidence: 00000000
GET http://127.0.0.1:8080/WebGoat/plugins/bootstrap/css/bootstrap.min.css
Alert tags: OWASP_2021_A01, OWASP_2017_A03
Evidence: 33333333
GET http://127.0.0.1:8080/WebGoat/plugins/bootstrap/css/bootstrap.min.css
Alert tags: OWASP_2021_A01, OWASP_2017_A03
Evidence: 42857143
GET http://127.0.0.1:8080/WebGoat/plugins/bootstrap/css/bootstrap.min.css
Alert tags: OWASP_2021_A01, OWASP_2017_A03
Evidence: 66666667
GET http://127.0.0.1:8080/WebGoat/plugins/bootstrap/css/bootstrap.min.css
Alert tags: OWASP_2021_A01, OWASP_2017_A03
Evidence: 80000000
Solution: Manually confirm that the timestamp data is not sensitive, and that the data cannot be aggregated to disclose exploitable patterns.
Appendix
Alert types
This section contains additional information on the types of alerts in the report.
SQL Injection
CWE ID: 89
WASC ID: 19
Reference: https://cheatsheetseries.owasp.org/cheatsheets/SQL_Injection_Prevention_Cheat_Sheet.html

Parameter Tampering
CWE ID: 472
WASC ID: 20

CWE ID: 352
WASC ID: 9
Reference: http://projects.webappsec.org/Cross-Site-Request-Forgery
http://cwe.mitre.org/data/definitions/352.html

CWE ID: 1004
WASC ID: 13
Reference: https://owasp.org/www-community/HttpOnly

CWE ID: 1275
WASC ID: 13
Reference: https://tools.ietf.org/html/draft-ietf-httpbis-cookie-same-site

CWE ID: 200
WASC ID: 13
Reference: http://projects.webappsec.org/w/page/13246936/Information%20Leakage