Dissecting and digging application source code for vulnerabilities



Similar documents
Web Application Vulnerabilities

Web App Security Audit Services

Application Code Development Standards

Using Web Security Scanners to Detect Vulnerabilities in Web Services

KEN VAN WYK. Fundamentals of Secure Coding and how to break Software MARCH 19-23, 2007 RESIDENZA DI RIPETTA - VIA DI RIPETTA, 231 ROME (ITALY)

Comparing the Effectiveness of Penetration Testing and Static Code Analysis

Attack Vector Detail Report Atlassian

Application Security Testing. Erez Metula (CISSP), Founder Application Security Expert

Out of the Fire - Adding Layers of Protection When Deploying Oracle EBS to the Internet

Automating Security Testing. Mark Fallon Senior Release Manager Oracle

Adobe Systems Incorporated

Securing Your Web Application against security vulnerabilities. Ong Khai Wei, IT Specialist, Development Tools (Rational) IBM Software Group

Detecting SQL Injection Vulnerabilities in Web Services

Introduction to Web Application Security. Microsoft CSO Roundtable Houston, TX. September 13 th, 2006

ASP.NET MVC Secure Coding 4-Day hands on Course. Course Syllabus

Security Products Development. Leon Juranic

Exploiting Web 2.0 Next Generation Vulnerabilities

FINAL DoIT v.4 PAYMENT CARD INDUSTRY DATA SECURITY STANDARDS APPLICATION DEVELOPMENT AND MAINTENANCE PROCEDURES

Application Security Testing

Interactive Application Security Testing (IAST)

SAST, DAST and Vulnerability Assessments, = 4

Securing Web Services with ModSecurity

Web Applications The Hacker s New Target

MatriXay WEB Application Vulnerability Scanner V Overview. (DAS- WEBScan ) The best WEB application assessment tool

Penetration from application down to OS

OWASP and OWASP Top 10 (2007 Update) OWASP. The OWASP Foundation. Dave Wichers. The OWASP Foundation. OWASP Conferences Chair

2,000 Websites Later Which Web Programming Languages are Most Secure?

Using Nessus In Web Application Vulnerability Assessments

Automatic vs. Manual Code Analysis

STATE OF WASHINGTON DEPARTMENT OF SOCIAL AND HEALTH SERVICES P.O. Box 45810, Olympia, Washington October 21, 2013

Web Application Threats and Vulnerabilities Web Server Hacking and Web Application Vulnerability

Columbia University Web Security Standards and Practices. Objective and Scope

The Top Web Application Attacks: Are you vulnerable?

(WAPT) Web Application Penetration Testing

CS 558 Internet Systems and Technologies

State of The Art: Automated Black Box Web Application Vulnerability Testing. Jason Bau, Elie Bursztein, Divij Gupta, John Mitchell

WHITE PAPER. FortiWeb and the OWASP Top 10 Mitigating the most dangerous application security threats

Web Application Security. Vulnerabilities, Weakness and Countermeasures. Massimo Cotelli CISSP. Secure

Web application security: automated scanning versus manual penetration testing.

Early Vulnerability Detection for Supporting Secure Programming

Web Application Vulnerability Testing with Nessus

Chapter 1 Web Application (In)security 1

Java Program Vulnerabilities

Adobe ColdFusion. Secure Profile Web Application Penetration Test. July 31, Neohapsis 217 North Jefferson Street, Suite 200 Chicago, IL 60661

Recon and Mapping Tools and Exploitation Tools in SamuraiWTF Report section Nick Robbins

Excellence Doesn t Need a Certificate. Be an. Believe in You AMIGOSEC Consulting Private Limited

Top 10 most interesting SAP vulnerabilities and attacks Alexander Polyakov

SAF: Static Analysis Improved Fuzzing

Turning the Battleship: How to Build Secure Software in Large Organizations. Dan Cornell May 11 th, 2006

An Introduction to Application Security in J2EE Environments

New IBM Security Scanning Software Protects Businesses From Hackers

1. Introduction. 2. Web Application. 3. Components. 4. Common Vulnerabilities. 5. Improving security in Web applications

Web Application Report

Passing PCI Compliance How to Address the Application Security Mandates

Web Application Penetration Testing

Analysis of SQL injection prevention using a proxy server

Web Application Security

Web application testing

locuz.com Professional Services Security Audit Services

SQL Injection Vulnerabilities in Desktop Applications

Arrow ECS University 2015 Radware Hybrid Cloud WAF Service. 9 Ottobre 2015

METHODS TO TEST WEB APPLICATION SCANNERS

Mingyu Web Application Firewall (DAS- WAF) All transparent deployment for Web application gateway

Thick Client Application Security

Implementation of Web Application Firewall

Web Application Hacking (Penetration Testing) 5-day Hands-On Course

Java Web Application Security

Testing Web Applications for SQL Injection Sam Shober

WEB SECURITY CONCERNS THAT WEB VULNERABILITY SCANNING CAN IDENTIFY

Client logo placeholder XXX REPORT. Page 1 of 37

Creating Stronger, Safer, Web Facing Code. JPL IT Security Mary Rivera June 17, 2011

SANDCAT THE WEB APPLICATION SECURITY ASSESSMENT SUITE WHAT IS SANDCAT? MAIN COMPONENTS. Web Application Security

Information Security. Training

Hacking the EULA: Reverse Benchmarking Web Application Security Scanners

Integrigy Corporate Overview

Secure in 2010? Broken in 2011!

OWASP Top Ten Tools and Tactics

Last update: February 23, 2004

Detecting Web Application Vulnerabilities Using Open Source Means. OWASP 3rd Free / Libre / Open Source Software (FLOSS) Conference 27/5/2008

Application security testing: Protecting your application and data

3. Broken Account and Session Management. 4. Cross-Site Scripting (XSS) Flaws. Web browsers execute code sent from websites. Account Management

Strategic Information Security. Attacking and Defending Web Services

SQuAD: Application Security Testing

Columbia University Web Application Security Standards and Practices. Objective and Scope

How To Ensure That Your Computer System Is Safe

Rational AppScan & Ounce Products

Application Layer Encryption: Protecting against Application Logic and Session Theft Attacks. Whitepaper

Rapid Security Framework (RSF) Taxonomie, Bewertungsparameter und Marktanalyse zur Auswahl von Fuzzing-Tools

Web Engineering Web Application Security Issues

Security Solutions & Training. Exploit-Me. Open Source Firefox Plug-Ins for Penetration Testing

elearning for Secure Application Development

Magento Security and Vulnerabilities. Roman Stepanov

AppDefend Application Firewall Overview

Transcription:

1 Dissecting and digging application source code for vulnerabilities by Abstract Application source code scanning for vulnerability detection is an interesting challenge and relatively complex problem as well. There are several security issues which are difficult to identify using blackbox testing and these issues can be identified by using whitebox source code testing methodlogy. Application layer security issues may be residing at logical layer and it is very important to have source code audit done to unearth these categories of bugs. This paper is going to address following areas: 1. How to build simple rules using method and class signatures to identify possible weak links in the source code. 2. How to do source code walking across the entire source base to perform impact analysis. 3. How to use simple tool like AppCodeScan 1 or similar utility to perform effective source code analysis to detect possible vulnerability residing in your source base. Keywords Source code audit, Code analysis, Code walking and digging, SQL injection, Source code audit rules, AppCodeScan, WebGoat, Regex Author, B.E., MSCS, MBA, is the founder of Blueinfy, a company that provides application security services. Prior to founding Blueinfy, he was founder and board member at Net Square. He also worked with Foundstone (McAfee), Chase Manhattan Bank and IBM in security space. He is also the author of popular books like Web 2.0 Security: Defending Ajax, RIA and SOA, Hacking Web Services (Thomson 06) and Web Hacking: Attacks and Defense (Addison-Wesley 03). In addition, he has published several advisories, tools, and whitepapers, and has presented at numerous conferences including RSA, AusCERT, InfosecWorld (Misti), HackInTheBox, Blackhat, OSCON, Bellua, Syscan, ISACA etc. His articles are regularly published on Securityfocus, InformIT, DevX, O reilly, HNS. His work has been quoted on BBC, Dark Reading, Bank Technology as an expert. [shreeraj@blueinfy.com (e)] [http://shreeraj.blogspot.com/ (b)] 1 AppCodeScan http://www.blueinfy.com/tools.html

2 Approach In whitebox testing we are assuming to have full access to source code and we use this source as our target to determine possible vulnerability. We are going to use OWASP s WebGoat 2 as sample application to understand methodology. We will use AppCodeScan to scan Java based source code of WebGoat. AppCodeScan is simple tool to assist in dissecting and digging the source code; it is not an automated source code scanner. Scanning the Source Source code of an application may be residing in multiple files with numerous lines of code. It is very important to define a start point for scanning. Application source may be vulnerable to several issues like SQL injection or Cross Site Scripting. First step is to identify possible line of code from which we want to start. Once we have that line of code we can do both forward and reverse tracking on it to unearth vulnerability or signing it off as secure call or code. As shown in Exhibit 1 we have several regex patterns for thorough analysis of source code. We will look at these patterns at the end of this paper in detail but at this point let s focus on one type of vulnerability to understand both approach and tool. For example, we are looking for SQL injection points in WebGoat application which is written in Java. We need to find high value call to analyze the source code and feed the rule to the AppCodeScan. Here is a simple method which we are looking at to see how SQL queries are implemented. #SQL injection.*\.createstatement executequery.* We are looking for how executequery method of Statement object is implemented in the source code. Above regex will find all possible matches in the source code and display on the tool s output. As shown in figure 1, we are supplying source code base along with rules file. At this point we just have one rule for SQL injection. We are scanning all Java files residing in the target folder. 2 WebGoat - http://www.owasp.org/index.php/category:owasp_webgoat_project

3 Figure 1 Scanning for SQL injection points of high value calls At this point we have several files where this target call is fetched and we can start analyzing them in detail. Let s take SqlStringInjection.java as our first target and try to identify its state with respect to vulnerability. Following line is interesting for us. [112] ResultSet results = statement.executequery(query); Now we want to track query variable. We can narrow our scope to that particular file and variable by using File extension input and Code Walker functionality as shown in figure 2.

4 Figure 2 Code Walking with query In this case we have SELECT query which is get executed with the executequery method. For us important line is 103 as below [103] String query = "SELECT * FROM user_data WHERE last_name = '" Line 103 is unfinished so we need to fetch line 104 and which looks like below. [104] + accountname + "'"; So entire query would look like below in this case: "SELECT * FROM user_data WHERE last_name = '"+ accountname + "'"; Now we need to track accountname to identify its origin by using Code Walker. The result is as below. >> D:\webgoat-source\lessons\SqlStringInjection.java [63] private String accountname; [104] + accountname + "'"; [193] statement.setstring(1, accountname); [234] accountname = s.getparser().getrawparameter(acct_name, "Your Name"); [235] Input input = new Input(Input.TEXT, ACCT_NAME, accountname.tostring()); [269] + "\"SELECT * FROM user_data WHERE last_name = \" + accountname "); Here line 234 is of our interest, [234] accountname = s.getparser().getrawparameter(acct_name, "Your Name"); Now we want to track ACCT_NAME and see from where it is coming, here is a result for it.

5 >> D:\webgoat-source\lessons\SqlStringInjection.java [57] private final static String ACCT_NAME = "account_name"; [167] if (s.getparser().getrawparameter(acct_name, "YOUR_NAME").equals( [234] accountname = s.getparser().getrawparameter(acct_name, "Your Name"); Here its value is static as account_name. Its trail ends here. Now let s focus on following: s.getparser().getrawparameter We need to find what is s here and we can fetch that information by doing walk for \bs\b or just s variable. The result is as follows. >> D:\webgoat-source\lessons\SqlStringInjection.java [69] * @param s Description of the Parameter [72] protected Element createcontent(websession s) [74] return super.createstagedcontent(s); [78] protected Element dostage1(websession s) throws Exception [80] return injectablequery(s); It is instance of WebSession object. Hence, now we need to dig into this object and its getparser method. >> D:\webgoat-source\lessons\SqlStringInjection.java [20] import org.owasp.webgoat.session.websession; [72] protected Element createcontent(websession s) WebSession is part of session so now we move to that file and look for getparser as shown in figure 3.

6 Figure 3 Looking for getparser() in WebSession.java getparser() is returning ParameterParser and we need to dig into getrawparameter() method of this class. We now search for it as shown in figure 4.

7 Figure 4 Looking for getrawparameter method [604] public String getrawparameter(string name, String def) [608] return getrawparameter(name); [624] public String getrawparameter(string name) Here in line 604 it has method with two arguments and in 608 it is calling same method name with one argument. This call is represented by line 624. It is clear now we need to track name and we can walk for that variable in the code, we get following result: [624] public String getrawparameter(string name) [627] String[] values = request.getparametervalues(name); [631] throw new ParameterNotFoundException(name + " not found"); We are interested in value after line 624 here and we got the usage of name in line 627 which going to request.getparametervalues call. Now we need to see type of request. We can dig for request and get following results. >> D:\webgoat-source\session\ParameterParser.java [8] import javax.servlet.servletrequest; [48] private ServletRequest request; At this point trail ends into native Java class and that is ServletRequest. Hence, value comes in the form of HTTP request as part of account_name and consumed in SELECT query without any sort of validations. We have confirmed candidate for SQL injection over here. We have touched minimum files and lines to dissect the actual call. This way it is possible to analyze source code very effectively with minimum effort. If we hit upon any validations then we can evaluate it as well and check its strength. This way it is possible to negate any false positives as well.

8 Scanning for other vulnerabilities In above section we covered SQL injection vulnerability in the source code. One can cook up many different rules as shown in Exhibit 1. They are simple regex patterns with different signatures. By using these rules we can identify entry points and some high value targets for evaluation. For example: Identifying entry points to the application using servlet request calls. # Entry points to Applications.*HttpServletRequest.* Tracing the responses by following calls can lead to XSS # HTTP servlet response.*httpservletresponse.*.*\.getwriter.*.*\.println.*.*redirect.* Remote command execution tracing #Command injection points.*\.getruntime\(.*.*runtime.exec\(.* File disclosure or traversal can be identify by following # File access and path injections.*file FileInputStream FileOutputStream InputStreamReader OutputStreamWriter R andomaccessfile.* LDAP calls and injection #LDAP injection points.*ldapconnection LDAPSearchResults InitialDirContext.* This is a small set of rules but one can build more on top of this. Source code analysis is customized effort and one needs to add rules on the basis of specific code base. Conclusion In this paper we discussed method of source code analysis and tracing for different set of vulnerabilities. The rules described in this paper are for Java source code and it is possible to build rules for several other languages as well. The simple tools like AppCodeScan or any other script which look for right patterns can help in source code analysis process and it can help in vulnerability detection process. Lately author used this methodology to dissect large code base for analysis and able to identify some of the vulnerabilities which were missed during the blackbox testing on the same application.

9 Exhibit 1 # Capturing public class.*public.*class.* # Capturing public methods and variables.*public.*\(.* # Entry points to Applications.*HttpServletRequest.* # Fetching get calls.*\.getparameter*\(.*.*getquesystring getcookies getheaders.* # HTTP servlet response.*httpservletresponse.*.*\.getwriter.*.*\.println.*.*redirect.* #Command injection points.*\.getruntime\(.*.*runtime.exec\(.* # File access and path injections.*file FileInputStream FileOutputStream InputStreamReader OutputStreamWriter R andomaccessfile.* #LDAP injection points.*ldapconnection LDAPSearchResults InitialDirContext.* #SQL injection.*\.createstatement executequery.*.*select update delete insert.* #Good SQL usage.*\.preparestatement.* #Buffer overflow from loading native libs.*\.loadlibrary \.load.* #try/catch/leaks calls.*try catch Finally.*.*\.printStackTrace.* # Session usage.*httpsession.* #Response splitting.*addcookie adddateheader addheader.*.*writeheader.*.*setdateheader setheader.* # Log/Console injections.*\.log.*.*println.* # Backdoors and Socket access.*serversocket Socket.* # Crypto usage.*random.* # Password usage/access.*properties getproperty.*.*password.* # Driver manager usage.*drivermanager.* #Path to DoS.*\.exit.*

2026 © DocPlayer.net Privacy Policy | Terms of Service | Feedback  | Do Not Sell My Personal Information