Displaying test cases 74601 - 74625 of 74755 in total
- The test case exposes a Cross-Site Scripting (XSS) in C/CGI programming.
- The test case exposes an OS Command Injection.
- CWE: 113 HTTP Response Splitting BadSource: console_readLine Read data from the console using readLine GoodSource: A hardcoded string Sinks: addCookieServlet GoodSink: URLEncode input BadSink : querystring to addCookie() Flow Variant: 02 Control flow: if(true) and if(false)
- CWE: 78 OS Command Injection BadSource: Environment Read input from an environment variable GoodSource: Benign input Sinks: execv BadSink : execute command with execv Flow Variant: 66 Data flow: data passed in an array from one function to another in different source files
- CWE: 762 Mismatched Memory Management Routines BadSource: Allocate data using new GoodSource: Allocate data using malloc() Sinks: GoodSink: Deallocate data using delete BadSink : Deallocate data using free() Flow Variant: 54 Data flow: data passed as an argument from one function through t...
- CWE: 762 Mismatched Memory Management Routines BadSource: calloc Allocate data using calloc() GoodSource: Allocate data using new [] Sinks: GoodSink: Deallocate data using free() BadSink : Deallocate data using delete [] Flow Variant: 44 Data/control flow: data passed as an argument from on...
- CWE: 762 Mismatched Memory Management Routines BadSource: malloc Allocate data using malloc() GoodSource: Allocate data using new [] Sinks: GoodSink: Deallocate data using free() BadSink : Deallocate data using delete [] Flow Variant: 17 Control flow: for loops
- CWE: 761 Free Pointer Not At Start of Buffer BadSource: Environment Read input from an environment variable Sinks: GoodSink: free() memory correctly at the start of the buffer BadSink : free() memory not at the start of the buffer Flow Variant: 31 Data flow using a copy of data within the sa...
- CWE: 617 Reachable Assertion BadSource: fscanf Read data from the console using fscanf() GoodSource: Number greater than ASSERT_VALUE Sink: BadSink : Assert if n is less than ASSERT_VALUE Flow Variant: 68 Data flow: data passed as a global variable from one function to another in different s...
- CWE: 590 Free of Invalid Pointer Not on the Heap BadSource: static Data buffer is declared static on the stack GoodSource: Allocate memory on the heap Sink: BadSink : Print then free data Flow Variant: 41 Data flow: data passed as an argument from one function to another in the same source file
- CWE: 590 Free of Invalid Pointer Not on the Heap BadSource: alloca Data buffer is allocated on the stack with alloca() GoodSource: Allocate memory on the heap Sink: BadSink : Print then free data Flow Variant: 19 Control flow: Dead code after a return
- CWE: 481 Assigning instead of Comparing Sinks: GoodSink: Comparing BadSink : Assigning instead of comparing Flow Variant: 13 Control flow: if(global_const_five==5) and if(global_const_five!=5)
- CWE: 416 Use After Free BadSource: Allocate data using new, initialize memory block, and Deallocate data using delete GoodSource: Allocate data using new and initialize memory block Sinks: GoodSink: Do nothing BadSink : Use data after free() Flow Variant: 44 Data/control flow: data passed ...
- CWE: 36 Absolute Path Traversal BadSource: fromFile Read input from a file GoodSource: Full path and file name Sinks: open BadSink : Flow Variant: 67 Data flow: data passed in a struct from one function to another in different source files
- CWE: 23 Relative Path Traversal BadSource: listen_socket Read data using a listen socket (server side) GoodSource: File name without a period or slash Sink: open BadSink : Flow Variant: 04 Control flow: if(static_const_t) and if(static_const_f)
- CWE: 23 Relative Path Traversal BadSource: fromFile Read input from a file GoodSource: File name without a period or slash Sink: open BadSink : Flow Variant: 15 Control flow: switch(6)
- CWE: 191 Integer Underflow BadSource: fscanf Read data from the console using fscanf() GoodSource: Small, non-zero Sinks: GoodSink: Ensure there is no underflow before performing the subtraction BadSink : Subtract 1 from data Flow Variant: 08 Control flow: if(static_returns_t()) and if(stat...
- CWE: 134 Uncontrolled Format String BadSource: listen_socket Read data using a listen socket (server side) GoodSource: Copy a fixed string into data Sinks: vfprintf GoodSink: vfwprintf with a format string BadSink : vfwprintf without a format string Flow Variant: 54 Data flow: data passed a...
- CWE: 134 Uncontrolled Format String BadSource: Environment Read input from an environment variable GoodSource: Copy a fixed string into data Sinks: vsnprintf GoodSink: _vsnwprintf with a format string BadSink : _vsnwprintf without a format string Flow Variant: 68 Data flow: data passed as a...
- CWE: 124 Buffer Underwrite BadSource: Set data pointer to before the allocated memory buffer GoodSource: Set data pointer to the allocated memory buffer Sink: memmove BadSink : Copy string to data using memmove Flow Variant: 68 Data flow: data passed as a global variable from one function t...
- CWE: 124 Buffer Underwrite BadSource: Set data pointer to before the allocated memory buffer GoodSource: Set data pointer to the allocated memory buffer Sink: loop BadSink : Copy string to data using a loop Flow Variant: 42 Data flow: data returned from one function to another in the same s...
- CWE: 122 Heap Based Buffer Overflow BadSource: Allocate using malloc() and set data pointer to a small buffer GoodSource: Allocate using malloc() and set data pointer to a large buffer Sink: loop BadSink : Copy int array to data using a loop Flow Variant: 15 Control flow: switch(6)
- CWE: 121 Stack Based Buffer Overflow BadSource: Initialize data as a large string GoodSource: Initialize data as a small string Sink: memcpy BadSink : Copy data to string using memcpy Flow Variant: 09 Control flow: if(global_const_t) and if(global_const_f)
- CWE: 121 Stack Based Buffer Overflow BadSource: Set data pointer to the bad buffer GoodSource: Set data pointer to the good buffer Sink: loop BadSink : Copy twoints array to data using a loop Flow Variant: 02 Control flow: if(1) and if(0)
- CWE: 121 Stack Based Buffer Overflow BadSource: Set data pointer to the bad buffer GoodSource: Set data pointer to the good buffer Sinks: memmove BadSink : Copy long long array to data using memmove Flow Variant: 63 Data flow: pointer to data passed from one function to another in different...