Ensure that IWA-Java has at least one vulnerability in the category A02:2021-Cryptographic Failures in its Java code that meets the criteria below. This might be an insecure random tied to access control, or maybe AES with ECB mode... This will require some creativity; it's not easy to find one.
Ensure that this is exploitable. The person running the demo must be able to show, using a browser or some other widely available tool, that the problem can be abused in a harmful way.
Document the exploit procedure in a file "EXPLOITS.md" for IWA-Java. This will be one file for all exploits for IWA-Java.
Ensure that the vulnerability can be found using a Fortify SCA scan. If this is not possible, find out why (ask for PM help as needed), and make any needed changes to make it detectable. As a matter of last resort, we can try to fix things in SCA and/or the rules, but the general idea is making a demo for Fortify SCA as-is.
Ensure that the vulnerability can be found using a WebInspect scan. If this is not possible, find out why (ask for PM help as needed), and make any needed changes to make it detectable. As a matter of last resort, we can try to fix things in SCA and/or the rules, but the general idea is making a demo for WebInspect as-is.