Application Security Testing: An Integral Part of DevOps
Ever wonder what goes on behind the scenes when you use an FTP client? What actually happens at the socket level, and what the program does in the background?
TJFTP is a CFormView-derived FTP (File Transfer Protocol) application written in Visual C++ 4 and 5. VC++ had no CInternetSession, CFtpConnection, CAsyncSocket, CSocket, or Socket MFC classes back then, so I wrote in the FTP functionality from scratch, creating custom sockets classes to handle the control and data connections. Then, I coded the GUI to manipulate directory and file creation, deletion, and transfer once I had the connection, and to stay updated with the progress of operations.
Back in 1996, I was writing some apps for a computer engineering master's final project. I decided to see whether I could write a fully functional FTP app that would incorporate some nice GUI stuff. Features I wanted included: a Connection dialog box to allow users to create and save connection profiles in the Registry; List Controls with in-place label editing and column sorting on both sides of the connection; double-clicking to initiate file transfers; selecting and transferring multiple files; and a progress indicator to show the user the status of file transfers. Having never programmed before, I bought VS 4 and, after mastering the "Hello World" beginner's app we all write, got to work.
Early in 2005, I stumbled on the source code to TJFTP, which I thought I'd lost. I considered recompiling it in VC++ .NET for fun, but I was sure it would blow up, after eight years and several iterations of Visual C++, Windows, and WinSock. However, it compiled under .NET with no errors, and ran fine on Windows XP.
Some of the Custom Classes
CWinsock (csock.cpp): Controls the Winsock subsystem with Startup(), Shutdown(), and ErrorBox() functions.
CStreamSocket (csock.cpp): Creates and destroys control and data sockets. Creates and accepts connections, and sends and receives data. Handles Winsock events, including asynchronous read and write events to prevent blocking (in other words, freezing until the Winsock calls were done).
CFtpConnect (ftpconn etc. cpp): A CDialog-based class that opens a dialog box for the user to input connection info into when the the app starts and when the "Connect" button is pushed. Stores connection "profiles" in the Registry so users can save their information from session to session.
CMainView (mainview.cpp): The real "guts" of the program. Handles all the GUI stuff for the main interface, including list controls, pushbuttons, and the progress indicator. Processes Winsock messages, creates sockets from CStreamSocket, listens to connections, and accepts connections and data. Allows user to select Binary or ASCII transfer, or lets the program auto detect the transfer mode.
Points of Interest
Because I was writing this app as part of a master's thesis, the project had to be documented to software engineering standards. Each subroutine has a complete header comment, and there are comment lines sprinkled liberally throughout the code explaining what's going on. In addition, I wrote a user's manual, and I've also extracted the portion of my thesis that deals with TJFTP. It has detailed information on each subroutine and program flow diagrams, such as the main flow diagram below (dotted lines are asynchronous Winsock callbacks):
TJFTP Main Program Flow Diagram
The flow diagrams show how convoluted the whole process is, and the difficulty in keeping track of everything going on. Code snippets aren't really appropriate for this article because there is so much going on. I suggest you grab the flow diagrams, open the code in VS, and dig around.
I've tested the recompiled program on Win XP SP1 and SP2, uploading files to my FTP server, then downloading them back to my local machine with both TJFTP and a commercial FTP client. Then, I checked the file to see whether it matched the original file. The largest file I tested was 300 Mb. As you can see from the screenshot above, I also logged on to a commercial server that allows anonymous connections and successfully downloaded files. TJFTP seems very stable; it hasn't crashed on me yet.
This program is provided for informational use only. Although I have used it without file corruption or other problems, I make no claims to this effect...do not use it as you would a commercial FTP app. Also, TJFTP is NOT secure...passwords are are sent in plain text and are NOT encrypted.
- Written Nov '96 - Feb '97 in Visual C++ 4 and 5
- Recompiled March, '05 in Visual Studio .NET 2003