Question

I would like to use HP Fortify to scan a web-gui-project implemented with the Tapestry framework. To test if Fortify is able to find vulnerabilities in a Tapestry project, I created a vulnerable project and scanned it. The project contained a reflected XSS vulnerability in a .tml file:

```xml
<t:Form t:id="testXSSForm">
    <t:label for="testinputfield" />
    <!-- source: the submitted text is stored in the page property "testInput" -->
    <t:TextField t:id="testinputfield" t:value="testInput" />
    <input type="submit" value="submit" />
</t:Form>
<p>
    <!-- sink: OutputRaw renders the property without HTML escaping -->
    Your input is <t:OutputRaw t:value="testInput"/>
</p>
```

(see more detailed example at http://www.disasterarea.co.uk/blog/xss-vulnerabilities-in-web-frameworks-2/)
The vulnerability was not found by Fortify, and I think Fortify doesn't understand the framework-specific .tml files at all.
I think it would be possible to create a configuration rule for this specific case and flag all occurrences of "t:OutputRaw" as potentially unsafe, but I think the correct way would consist of creating a datasource rule for the input form and a datasink rule for the OutputRaw field.
How can I do that? Is it possible to create dataflow rules for Tapestry's .tml files in general?
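The two rule ideas in the question (flag every t:OutputRaw, or pair a TextField source with an OutputRaw sink) can be approximated with a small standalone template scanner. This is an added example, not Fortify rule syntax or code from the original post; the sample template is constructed and assumes the Tapestry 5.3 namespace URI, and the source/sink matching is a deliberately simple same-template, same-property-name check.

```python
"""Flag t:OutputRaw sinks in Tapestry .tml templates, rating those whose bound
property is also written by a t:TextField in the same template as high."""
import xml.etree.ElementTree as ET

# Constructed sample template mirroring the vulnerable form from the question.
# A real .tml declares the Tapestry namespace on its root element.
SAMPLE_TML = """<html xmlns:t="http://tapestry.apache.org/schema/tapestry_5_3.xsd">
<body>
<t:Form t:id="testXSSForm">
    <t:label for="testinputfield"/>
    <t:TextField t:id="testinputfield" t:value="testInput"/>
    <input type="submit" value="submit"/>
</t:Form>
<p>Your input is <t:OutputRaw t:value="testInput"/></p>
<p>Footer: <t:OutputRaw t:value="message"/></p>
</body>
</html>"""


def _local(name):
    """Strip the {namespace} prefix ElementTree puts on tag/attribute names."""
    return name.split("}", 1)[1] if "}" in name else name


def _binding(elem):
    """Return the property bound via t:value (without a 'prop:' prefix), or None."""
    for name, val in elem.attrib.items():
        if _local(name) == "value":
            return val[5:] if val.startswith("prop:") else val
    return None


def scan_tml(text):
    """Return (property, severity) for every OutputRaw in document order.

    'high'   : the property is also bound by a TextField (user input hits raw output)
    'review' : any other OutputRaw, as the blanket configuration rule would flag
    """
    root = ET.fromstring(text)
    sources, sinks = set(), []
    for elem in root.iter():
        val = _binding(elem)
        if val is None:
            continue
        tag = _local(elem.tag).lower()
        if tag == "textfield":
            sources.add(val)
        elif tag == "outputraw":
            sinks.append(val)
    return [(v, "high" if v in sources else "review") for v in sinks]


if __name__ == "__main__":
    for prop, severity in scan_tml(SAMPLE_TML):
        print(f"{severity}: OutputRaw bound to '{prop}'")
```

A property set by a TextField on one page and rendered raw on another would be missed by this per-template check, which is exactly the cross-file dataflow a real Fortify rule would need a .tml parser for.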


Solution

Fortify Support states that currently Tapestry is not supported. It is not possible to create (useful) rules for .tml files until a parser for those files has been provided by HP Fortify, and this is not planned at the moment.

Licensed under: CC-BY-SA with attribution
Not affiliated with StackOverflow