5. Methodology: Semantic Analysis
• Semantic Analysis
– looks for violations that represent a statically
detectable fault
– discovers basic structure and relation of each
function within the application
– Build abstract syntax tree to run simulations of
each function to calculate how the application will
execute after a build
– this additional information is then validated
against a set of rules
6. Methodology: Deep-flow Analysis
• Deep flow analysis
– extends semantic analysis to include control flow
graph generation and data flow analysis.
– can capture faults related to race conditions and
deadlocks, pointer misuses.
– employs meta compilation and abstract
interpretation to further improve analysis
capabilities
7. SCA Techniques
• Simplest tools
– search source code for text pattern matches
– calculate basic program metrics
(Cyclomatic complexity, Halstead complexity)
• Advanced tools
– act as advanced compiler for source code
– deeply analyze execution, data flow for faults
– include link information to determine higher-level
problems
9. Analyzing Source File
• It is possible to analyze source itself
• Source is in clear text
• Source is having methods, variables and calls
• One functionality or parameter may be
touching many files
• Code is on back burner or embedded
• Presentation is simple but code is complex at
the back
10. Simple presentation ASP.NET
<%@ Page Language="C#" AutoEventWireup="true" CodeFile="Cmdexec.aspx.cs" Inherits="Cmdexec" %>
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"
"http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" >
<head runat="server">
<title>Untitled Page</title>
</head>
<body style="font-size: 12pt">
<form id="form1" runat="server">
<div>
Enter the filename to view your contract:
<asp:TextBox ID="TextBox1" runat="server"></asp:TextBox>
<asp:Button ID="Button1" runat="server" OnClick="Button1_Click1" Text="Submit" /><br />
<br />
<asp:Label ID="Label1" runat="server" Height="355px" Text="Label" Width="544px"></asp:Label></div>
</form>
</body>
</html>
16. Attack Surface
• Source Code is having probable attack surface
• Attack surface is defined by entry points
• Entry points are exploited by attackers
• Attacker passes payload from these points
and try to exploit the system
• Attack surface determination and entry point
identification are very critical
22. JSON
message = {
from : "john@example.com",
to : "jerry@example.com",
subject : "I am fine",
body : "Long message here",
showsubject : function(){document.write(this.subject)}
};
23. File calls
<form name="Form1" method="post"
action="ContractUpload.aspx" id="Form1"
enctype="multipart/form-data">
It is taking input as file as below,
<input name="uplTheFile" type="file"
id="uplTheFile" />
25. Entry Points – Client Side
• HTTP response – All headers as well as HTML
content
• JavaScripts coming from server
• Ajax/RIA calls consuming different structures which
we have discussed like JSON, XML, JS-Object etc.
• Callbacks – Modern days applications are using
callback mechanism so data coming from browser
can be injected into DOM using script functions.
• Browser making API calls across domains
32. Simple scan…
import sys
import os
import re
def scan4request(file):
infile = open(file,"r")
s = infile.readlines()
linenum = 0
print 'Request Object Entry:'
for line in s:
linenum += 1
p = re.compile(".*.[Rr]equest.*[^n]n")
m = p.match(line)
if m:
print linenum,":",m.group()
file = sys.argv[1]
scan4request(file)
33. Rules…
# Rules file for AppCodeScan
# This file is specific for ASP/ASP.NET applications (Just a sample
rules) - all regex patterns
#Scanning for Request Object Entry Points
.*.Request.*
#Scanning for ASP.NET app entry points
.*.<asp:FileUpload.*?>
.*.<asp:TextBox.*?>
.*.<asp:HiddenField.*?>
.*.<asp:Login.*?>
.*.<asp:PasswordRecovery.*?>
.*.<asp:ChangePassword.*?>
34. Java
• <% if ( request.getParameter("username") != null )
{%>
• HttpServletRequest
• doGet
• doPost
• Request
• Struts
– public class NameAction extends Action {
35. PHP/Coldfusion
• PHP
– $_GET[“var”]
– $_POST[“var”]
– $_REQUEST[“var”]
• Coldfusion
– #URL.name# - Getting from querystring “name”
– Similarly we can identify entry points for other aspects like
POST or such by following list of key words
– FORM/form
– SERVER/server
– CLIENT/client
– SESSION/session
37. Making POST
POST /ws/dvds4less.asmx HTTP/1.0
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; MS Web Services Client Protocol 2.0.50727.1433)
Content-Type: text/xml; charset=utf-8
SOAPAction: "http://tempuri.org/getProductInfo"
Host: 192.168.1.50
Content-Length: 317
Expect: 100-continue
Connection: Keep-Alive
<?xml version="1.0" encoding="utf-8"?><soap:Envelope
xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xmlns:xsd="http://www.w3.org/2001/XMLSchema"><soap:Body><getProductInfo
xmlns="http://tempuri.org/"><id>1</id></getProductInfo></soap:Body></soap:Envelope>
38. Code for Web Services
<%@ WebService Language="c#" Class="dvds4less" %>
<%@ Assembly name="Microsoft.Data.SqlXml" %>
using Microsoft.Data.SqlXml;
using System.Xml;
using System;
using System.Web.Services;
using System.Data.SqlClient;
using System.IO;
public class dvds4less
{
[WebMethod]
public string Intro()
{
return "DVDs4LESS - Information APIs for web application usage and other business usage";
}
[WebMethod]
public string getProductInfo(string id)
{
…. Code for this function
}
39. JSON-RPC
<%@ WebHandler Class="JayrockWeb.DemoService" Language="C#" %>
namespace JayrockWeb
{
using System;
using System.Configuration;
using System.Data;
using System.Data.SqlClient;
using System.Collections;
using System.Collections.Specialized;
using System.Web;
using System.Web.SessionState;
using System.Web.UI;
using System.Web.UI.WebControls;
using System.Drawing;
using Jayrock.Json;
using Jayrock.JsonRpc;
using Jayrock.JsonRpc.Web;
[ JsonRpcHelp("This is a JSON-RPC service that demonstrates the basic features of the Jayrock library.") ]
public class DemoService : JsonRpcHandler, IRequiresSessionState
{
[JsonRpcMethod("getProduct", Idempotent = true)]
[ JsonRpcHelp("Returns Product Info") ]
public DataSet GetProductSet(string id)
{
…. Code goes here…
}
40. Java based
import org.apache.axis.AxisFault;
import org.apache.axis.MessageContext;
import org.apache.axis.transport.http.HTTPConstants;
public class echo {
public String echowebservices(String echo) {
return echo;
}
}
43. Entry Points…
• Entry points are source to the application
• Each source hits at some sink or end point in
the source code
• It traverses across the source code
• Entry point can be traced to its sink
• This tracing is very important aspect for code
analytics
44. Tainted variables
• If variable or entry point is injected with
payload then it can have significant impact
• Impact analysis needs to be done
• Impact is dependent on the hit points across
application
• Interesting for vulnerability scanning
perspective
46. End points / Sinks
• Language Calls – Application language say for example C# or
Java provides various classes and interfaces to access
resources from the system.
• These resources are outside application boundary.
Application may be passing value to SQL interface or system
level command.
• File system calls (Read/Write)
• Operating system calls
• Network/Socket calls
• SQL interfaces
• LDAP/Authentication interfaces
47. End points / Sinks
• Third party/Vendor interfaces – Application is using
some third party components and these are in binary
form.
• Applications to application – In recent time’s
applications are doing lot of intercommunication
across cross domains. In this case sink or end point
can be another application.
• Middleware call – Applications like banking or
trading uses middle ware extensively and several end
points are terminating into these middle ware calls.
48. End points / Sinks
• Response call back – In some cases entry point or
information coming through it is going back to the
client as response.
• Audit and Logs – In some cases application
information is going to logs or audit resources.
• Exception/Error message – This end point is special
and lot of application are taking value of entry point
and putting into exception or error message block.
49. End points / Sinks
• Business logic – Certain entry points are not
going out side application boundary but
staying in business logic space and get
processed inside application.
• Reflection level calls – Applications are
running in virtual machines and there are
certain reflection APIs which are responsible
for virtual machine processing.
Sink Scans
51. Types - Impact
• Three important aspects of entry points and process
towards end point,
– Data point – entry points are bringing simple new data to
the application and based on that it is going to database or
file system.
– Logic point – It has information which get consumed in the
business logic and it makes business decisions
– Event points – Certain information coming from user can
trigger an event inside the application. These are event
points, like calling LDAP server or such.
52. State Analysis
• Expected/Desired state – This is expected state by developer
and application’s behavior is absolutely legitimate.
• Unexpected legitimate state – In this state application goes to
unexpected state but it is legitimate and no objection with it.
• Exception/Error state – In this application ends with error or
exception and state may end up doing information leakage.
• Vulnerable state – In this state application goes into
vulnerable position where successful exploitation is possible.
Vulnerable state is our major concern.
Impact = Entry Point + End Point + State
56. Simple tracing…
import sys
import os
import re
def scan4trace(file,var):
infile = open(file,"r")
s = infile.readlines()
print 'Tracing variable:'+var
linenum=0
for line in s:
linenum += 1
p = re.compile(".*."+var+".*")
m = p.match(line)
if m:
print "[",linenum,"]",line
file = sys.argv[1]
var = sys.argv[2]
scan4trace(file,var)
58. Security Domains/Controls
• Authentication
• Authorization
• Error Handling
• Input Validations
• Data Validation
• Crypto and Secret Handling
• Business Logic Handling
• Session and Identity Handling
• Client Side Controls
• Auditing and Logging
59. Authentication
• Authentication disclosing sensitive information
• Not having auditing on the authentication
• No user lockdown policy in place
• Authentication bypass (SQL / LDAP interface)
• Password strength is poor
• No deployment of CAPTCHA or similar identification product
• Credential are not securely transmitted
• Credential are stored on client side which can be retrieved
• Authentication token or cookies are not well crafted
• Single Sign On (SSO) can be abused
• Deliberated backdoors are created
• Hidden fields and information exposure
60. Authorization
• Session tokens are insecure
• Weak authorization mechanism
• Client side tampering and manipulation possible
• Possible data and SQL injections
• Access to system level bypass
• Single place authorization bypass
• URL forcing and manipulation
• Guessable resources and access
• Role-based bypass exploitation and weakness
61. Error Handling
• Information leakage
• Logic bypass
• Internal logic and routine disclosure
• Stack trace enumeration
62. Input Validations
• Various injection vectors (SQL, LDAP, XPATH etc.)
• Cross Site Scripting (XSS)
• Cross Site Request Forgery (CSRF)
• Buffer overflows
• Denial of Services (DoS)
• Integer and logical boundary overrun
• Canonicalization issues
• Validation bypass (Client side)
• Serialization attacks
• Information leakage
63. Data Validations
• Proxy injections from third party stream
• XSS injection with RSS feeds
• Client side logic bypass
• Upload/download stream injections
• Remote command/code injection and
execution
• Callback manipulation in JavaScript
64. Crypto & Secrets
• Poor key generation
• Database fields are not well encrypted (password,
social security number etc.)
• Poor encryption (customized)
• Checksum spoofing
• Some secrets in source code itself
• Configuration file containing secrets
• Secret getting revealed in error message or some
other means
65. Business Logic
• Data type bypass
• ACLs manipulation
• Read/Write access
• Privilege escalation on application layer
• API abuse
• Cross Domain Call and API manipulation
• Client Side Logic reverse engineering
66. Session and Identity
• Session hijacking by eavesdropping
• Man in the middle attack
• Poor session identifier generation
• Browser hacks like XSS to gain cookies
• Predictable session identifier
• Session bypass and access
• Cookie scope and time abuse
• Abusing URL rewriting
• Local session storing access
67. Client Side Controls
• Client side validation bypass
• Reverse engineering of client side components
• Decompilation and knowledge gathering
• Cross Site Injections
• Abusing streams like JSON or RSS
• Local memory access and manipulation
• Desktop based offline module exploitation
• Browser exploits and hacking
• Information and identity theft
• Cross Site Request Forgery
• Exploiting callbacks and JavaScripts
68. Auditing and Logging
• Hacker’s attacks go without notice
• Successful hacks in the application
• No tracing of events
• Application layer bruteforcing
• Error message abuse
To determine the likelihood of problems arising from a given code segment
Simplest tools:
search source code for text pattern matches
calculate basic program metrics (Cyclomatic complexity, Halstead complexity)
Advanced tools:
- act as advanced compiler for the source code
- deeply analyze execution and data flow for faults
- include link information to determine higher-level problems
