Sample Vulnerable COBOL code

This is a Mainframe COBOL forum - you can post your queries on Mainframe COBOL, VS COBOL II, COBOL/370, Enterprise COBOL

Moderators: dbzTHEdinosauer, Moderator Group

SAM_00879
Member
Posts: 5
Joined: Thu Dec 24, 2015 3:14 pm
Location: INDIA

Sample Vulnerable COBOL code

Post by SAM_00879 » Thu Dec 24, 2015 3:24 pm

Can someone please provide sample vulnerable code for COBOL programming? I actually want complete code.
Sam Jose

William Collins
Active Member
Posts: 732
Joined: Thu May 24, 2012 4:07 am

Post by William Collins » Thu Dec 24, 2015 8:54 pm

What do you mean by vulnerable code?

SAM_00879
Member
Posts: 5
Joined: Thu Dec 24, 2015 3:14 pm
Location: INDIA

Post by SAM_00879 » Tue Dec 29, 2015 10:50 am

Vulnerable code can compromise the security of a system. I can give an example:
if the comments used for a COBOL statement include a username and password, it can be considered vulnerable code.
So can someone please suggest or provide such vulnerable code?
Sam Jose

William Collins
Active Member
Posts: 732
Joined: Thu May 24, 2012 4:07 am

Post by William Collins » Thu Dec 31, 2015 8:54 am

I've never seen a Mainframe COBOL program do its own password-checking.

Even if one did, how would a comment be a vulnerability, since COBOL is a compiled language (so the comment is only in the source)?

The types of vulnerability that Linux/Unix/Windows programs face don't exist in Mainframe COBOL.

SAM_00879
Member
Posts: 5
Joined: Thu Dec 24, 2015 3:14 pm
Location: INDIA

Post by SAM_00879 » Thu Dec 31, 2015 5:46 pm

I have an opportunity to do a POC on a COBOL codebase, and if the COBOL PoC works my team might be scanning 40mln lines of COBOL code every year using the IBM AppScan Source tool. So I wanted to know if I could get sample vulnerability code in COBOL for the IBM AppScan Source tool.

I gave you an example: if someone puts a username and password in the comments section, then the IBM AppScan Source tool raises a vulnerability alert.
Sam Jose

William Collins
Active Member
Posts: 732
Joined: Thu May 24, 2012 4:07 am

Post by William Collins » Thu Dec 31, 2015 9:40 pm

Well, the tool does not seem to cover COBOL or z/OS.

I doubt there is much Mainframe COBOL which is directly exposed on the internet.

SAM_00879
Member
Posts: 5
Joined: Thu Dec 24, 2015 3:14 pm
Location: INDIA

Post by SAM_00879 » Mon Jan 04, 2016 10:10 am

I have run sample COBOL code with the help of the IBM AppScan Source tool and the tool is yielding results. That's the reason I asked you for sample COBOL code.
Sam Jose

William Collins
Active Member
Posts: 732
Joined: Thu May 24, 2012 4:07 am

Post by William Collins » Mon Jan 04, 2016 2:49 pm

OK then, from the documentation for the tool understand what the tool will find.

Take a sample COBOL program (one or more, your choice) and add code which should be found.

Run the tool with your sample COBOL program(s).

I can't really think of anything more useful than that.
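
Added example, not part of the thread and not AppScan Source's own rule set: a small Python check run over a constructed fixed-format COBOL fixture, showing the "seed a sample program, then confirm the scanner reports it" workflow for the credentials-in-comments case discussed above. It goes slightly beyond the thread by also flagging a password-named data item with a literal VALUE; the program name, data names, regexes and finding labels are all assumptions made for illustration.

```python
import re

# Constructed fixed-format COBOL fixture (values are placeholders, not real
# credentials). Columns 1-6 are the sequence area; '*' or '/' in column 7
# marks a full-line comment; '*>' starts an inline comment.
SAMPLE = """\
000100 IDENTIFICATION DIVISION.
000200 PROGRAM-ID. PAYDEMO.
000300* TEST LOGIN: USERID=EXAMPLEUSER PASSWORD=EXAMPLE-ONLY
000400 DATA DIVISION.
000500 WORKING-STORAGE SECTION.
000600 01  WS-PASSWORD        PIC X(8).
000700 01  WS-DB-PWD          PIC X(8) VALUE 'CHANGEME'.
000800 PROCEDURE DIVISION.
000900     DISPLAY 'ENTER PASSWORD'.  *> pwd: example-only
001000     ACCEPT WS-PASSWORD.
001100     STOP RUN.
"""

# Credential keyword followed by ':' or '=' and a value (hypothetical rule).
CRED = re.compile(r"(?i)\b(pass(?:word|wd)?|pwd|user(?:id|name)?)\s*[:=]\s*(\S+)")
# Data item with a password-like name initialised from a literal (hypothetical rule).
HARDCODED = re.compile(
    r"(?i)\b[\w-]*(?:PASSWORD|PWD)[\w-]*\s+PIC\s+\S+\s+VALUE\s+(['\"]).+?\1")

def scan(source):
    """Return (line number, finding label) pairs for a fixed-format source."""
    findings = []
    for lineno, raw in enumerate(source.splitlines(), 1):
        line = raw.ljust(72)[:72]          # columns 73-80 are not program text
        indicator, body = line[6], line[7:]
        if indicator in "*/":
            code, comment = "", body       # whole line is a comment
        else:
            # Simplification: a '*>' inside a string literal is not handled.
            code, _, comment = body.partition("*>")
        if CRED.search(comment):
            findings.append((lineno, "credential-in-comment"))
        if HARDCODED.search(code):
            findings.append((lineno, "hardcoded-password-literal"))
    return findings

if __name__ == "__main__":
    for lineno, label in scan(SAMPLE):
        print(f"line {lineno}: {label}")
```

Lines 6 and 10 of the fixture mention a password without exposing one, so they act as negative cases when comparing a scanner's report against what was seeded.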
