C Test Suite for Source Code Analyzer v2 - Vulnerable Test suite #100
DownloadDescription
This test suite replaces test suite 45 based on a collaboration with Alexander Hoole from University of Victoria, BC, Canada. The new test cases provided by these test suites contain the following improvements: removal of extraneous weaknesses, replacement of test cases to align with the CWEs specified in NIST SP 500-268 v1.1, creation of additional test cases to provide consistent BAD/GOOD pairings, application of minor improvements to code, renaming of files and the addition of FLAW/FIX comments to assist automation, and insertion of improved metadata to assist researchers using SARD. Please refer to the test case metadata fields to view additional information for each test case. Note: Some test cases have been deprecated and replaced with fixed versions since this test suite has been initially published.
-
The test case shows how it is easy to get a buffer overflow if a string function is misused when argv contains tainted data.
-
The test case exposes a null dereference with an address alias level as code complexity.
-
The test cases exposes a null dereference.
-
The test case exposes an OS Command Injection weakness in a local control flow.
-
The test case exposes an OS Command Injection weakness in a loop.
-
The test case exposes an OS Command Injection in scope complexity.
-
The test case shows a resource injection with an address alias level code complexity.
-
The test case shows a resource injection.
-
The test case shows a resource injection with a string which is in a structure.
-
The test case shows a resource injection weakness in a scoping context.
-
The test case shows a Stack Overflow with a bad array index.
-
The test case shows a Stack Overflow.
-
The test case shows a Stack Overflow.
-
The test case exposes a Cross-Site Scripting (XSS) in a C/CGI program with an address alias level code complexity.
-
The test case exposes a Cross-Site Scripting (XSS) in C/CGI programming.
-
The test case shows a Cross Site scripting weakness in a C/CGI application.
-
The test case shows a memory leak with a pointer which is in a structure.
-
The test case shows a memory leak occurring due to memory not being released inside of a loop.
-
The test case shows an unintentional pointer scaling.
-
Unchecked error condition; if we don\'t check the return of [em]scanf[/em] we don\'t know how many parameters have been passed.
-
The SQL Injection is possible because the arguments are not validated before the MySQL query.
-
Memory leak, the allocated memory is never freed.
-
Using the value of an unitialized variable is not safe.
-
Buffer overflow if the input is not validated. Every operation may write outside the bound of the statically allocated character array. From \"Secure Coding in C and C++\" by Robert C. Seacord. Page 28, Figure 2-2.
-
The test case shows a weakness of improper null termination with a buffer address type complexity.