About TEAM Mentor

Accessing and Reading Content

Installation

Administration

Editing Content

Eclipse for Fortify plugin

HP Fortify SCA UI Integration

Using the Jade Fail Safe Version

Using a Sample Vulnerable Application

To see the TEAM Mentor Eclipse Plugin for Fortify at work you can scan a sample, purposely vulnerable application. For this we have chosen “BodgeIt Store” – A vulnerable web application aimed at people new to pen testing. You can read more about the application here:

https://code.google.com/p/bodgeit/


Follow these steps to download, import and scan the application:

  1. We use SVN to checkout the latest source code version of the application. TortoiseSVN provides a nice graphical interface. The SVN source code repository is found here:

    http://bodgeit.googlecode.com/svn/trunk/




  2. TortoiseSVN will download the source code




  3. Open HP Fortify Audit Workbench. Choose File->Scan Java Project. Now open the directory where you have stored the source code. Choose Java Version to be 1.5. And take all the default scan settings. Then click on “Run Scan”




  4. Once the scan completes, you will see the findings on the left pane.




  5. Expand “Cross-Site Scripting: Persistent” folder in the category list on the right pane. Click on one of the findings. Click on the Details tab on the bottom. You will see TEAM Mentor guidance show up in the “Custom Explanation” Field




    You will also see further TEAM Mentor guidance on the “Recommendations” Tab




  6. Expand the “Race Condition: Singleton Member Field” in the category on the right pane. Click on one finding. You will notice that there is no TEAM Mentor guidance available for this finding. You may use regular Fortify guidance available on the bottom pane.