1、漏洞总数
AppScan Source:91
Fortify:121
2、Disclaimer.htm:34(Cross-Site Scripting:DOM)的漏洞Fortify能扫描出来,AppScan Source扫描不出来
另外,Fortify能扫描出比较多Persistent类型的XSS漏洞
并且归类比较好(分DOM、Persistent、Reflected类型列出)
3、AdminLoginServlet.java:35(Password Management:Hardcoded Password)的漏洞Fortify能扫描出来,AppScan Source扫描不出来
4、Fortify扫出的DBUtil.java:238(Access Control:Database)在AppScan中被归类到
SQL Injection
5、admin.jsp:18(Password Management:Empty Password)属于误报
<script language="javascript"> function confirmpass(myform) { if (myform.password1.value.length && (myform.password1.value==myform.password2.value)) { return true; } else { myform.password1.value=""; myform.password2.value=""; myform.password1.focus(); alert ("Passwords do not match"); return false; } } </script> |
6、Fortify会报比较多这类问题:
Code Correctness:Class Does Not Implement equals Hardcoded Domain in HTML Hidden Field J2EE Bad Practices J2EE Misconfiguration Missing Check against Null Password Management:Password in Comment Poor Error Handling System Information Leak:Incomplete Servlet Error Handling |
7、Fortify会报比较多transfer.jsp:32(Cross-Site Request Forgery)这类CSRF的问题,而AppScan Source没有扫出来
8、Fortify有扫出ServletUtil.java(Missing XML Validation)的问题,而AppScan Source没有扫出来
9、Fortify有扫出AdminServlet.java:65(Redundant Null Check)的问题,而AppScan Source没有扫出来