Abstract
This thesis focuses on security vulnerability detection and responsible disclosure in open-source software projects. The most common web application vulnerabilities are analyzed, including recommendations on how to avoid them. A selected open-source software project, the Odoo enterprise resource planning application, is analyzed, and other open-source alternatives for this type of software are also reviewed. Available methods for detecting security vulnerabilities are reviewed as well, including white-box testing (taint analysis, code review) and black-box testing (penetration testing). An automated module for detecting XSS in Odoo HTML and PDF reports is designed and implemented. During the research, the code review method was used to find possible vulnerabilities in the selected software project. A thorough analysis of the detected vulnerabilities was performed, including exploitation examples and, where possible, proposed vulnerability patches. Using a proposed format, the detected vulnerabilities were responsibly disclosed to the software maintainer, thereby improving the software's security. Experimental results and conclusions are presented.