The SAMATE Project

Department of Homeland Security

Back to the previous page

Test Case ID	156624
Bad / Good / Mixed	Bad
Author	IARPA STONESOUP Test and Evaluation team
Associations	Test suite: 102 Application: 12
Added by	Charles Oliveira
Language	Java
Type of test case	Source Code
Input string
Expected Output
Instructions	See src/build.xml.
Submission date	2015-10-06
Description	The system or application is vulnerable to file system contents disclosure through path equivalence. Path equivalence involves the use of special characters in file and directory names. The associated manipulations are intended to generate multiple names for the same object. This test will accept input of a file to read, but prohibits access to file in the /etc directory. The input generates an equivalent name /////etc/////passwd which bypasses the filter. Metadata - Base program: Apache JMeter - Source Taint: SOCKET - Data Type: SIMPLE - Data Flow: BASIC - Control Flow: SEQUENCE
File(s)	GenericController.java (22.54 kB) service_mon.sh (100 B) http-test.jmx (9.25 kB) http-test.jmx (6.88 kB) http-test.jmx (7.28 kB) http-test.jmx (16.62 kB) http-test.jtl (1.77 kB) J-C041A-JMET-01-ST03-DT02-DF11-CF20-01.yaml (2.94 kB) runFifos.py (2.67 kB) J-C041A-JMET-01-ST03-DT02-DF11-CF20-01.xml (37.56 kB)
Flaw	CWE-041: Improper Resolution of Path Equivalence • 10

There are no comments

Have any comments on this test case? Please, .

GenericController.java
service_mon.sh
http-test.jmx
http-test.jmx
http-test.jmx
http-test.jmx
http-test.jtl
J-C041A-JMET-01-ST03-DT02-DF11-CF20-01.yaml
runFifos.py

File Contains:
CWE-041: Improper Resolution of Path Equivalence on line(s): 597, 598, 599, 600, 601, 602, 603, 604, 605, 606