SlideShare uses cookies to improve functionality and performance, and to provide you with relevant advertising. If you continue browsing the site, you agree to the use of cookies on this website. See our User Agreement and Privacy Policy.
SlideShare uses cookies to improve functionality and performance, and to provide you with relevant advertising. If you continue browsing the site, you agree to the use of cookies on this website. See our Privacy Policy and User Agreement for details.
Successfully reported this slideshow.
Activate your 14 day free trial to unlock unlimited reading.
4.
By methodology employed
• Style-checking
• Semantic Analysis
• Deep flow analysis
5.
Methodology: Semantic Analysis
• Semantic Analysis
– looks for violations that represent a statically
detectable fault
– discovers basic structure and relation of each
function within the application
– Build abstract syntax tree to run simulations of
each function to calculate how the application will
execute after a build
– this additional information is then validated
against a set of rules
6.
Methodology: Deep-flow Analysis
• Deep flow analysis
– extends semantic analysis to include control flow
graph generation and data flow analysis.
– can capture faults related to race conditions and
deadlocks, pointer misuses.
– employs meta compilation and abstract
interpretation to further improve analysis
capabilities
7.
SCA Techniques
• Simplest tools
– search source code for text pattern matches
– calculate basic program metrics
(Cyclomatic complexity, Halstead complexity)
• Advanced tools
– act as advanced compiler for source code
– deeply analyze execution, data flow for faults
– include link information to determine higher-level
problems
9.
Analyzing Source File
• It is possible to analyze source itself
• Source is in clear text
• Source is having methods, variables and calls
• One functionality or parameter may be
touching many files
• Code is on back burner or embedded
• Presentation is simple but code is complex at
the back
10.
Simple presentation ASP.NET
<%@ Page Language="C#" AutoEventWireup="true" CodeFile="Cmdexec.aspx.cs" Inherits="Cmdexec" %>
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"
"http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" >
<head runat="server">
<title>Untitled Page</title>
</head>
<body style="font-size: 12pt">
<form id="form1" runat="server">
<div>
Enter the filename to view your contract:
<asp:TextBox ID="TextBox1" runat="server"></asp:TextBox>
<asp:Button ID="Button1" runat="server" OnClick="Button1_Click1" Text="Submit" /><br />
<br />
<asp:Label ID="Label1" runat="server" Height="355px" Text="Label" Width="544px"></asp:Label></div>
</form>
</body>
</html>
16.
Attack Surface
• Source Code is having probable attack surface
• Attack surface is defined by entry points
• Entry points are exploited by attackers
• Attacker passes payload from these points
and try to exploit the system
• Attack surface determination and entry point
identification are very critical
22.
JSON
message = {
from : "john@example.com",
to : "jerry@example.com",
subject : "I am fine",
body : "Long message here",
showsubject : function(){document.write(this.subject)}
};
23.
File calls
<form name="Form1" method="post"
action="ContractUpload.aspx" id="Form1"
enctype="multipart/form-data">
It is taking input as file as below,
<input name="uplTheFile" type="file"
id="uplTheFile" />
25.
Entry Points – Client Side
• HTTP response – All headers as well as HTML
content
• JavaScripts coming from server
• Ajax/RIA calls consuming different structures which
we have discussed like JSON, XML, JS-Object etc.
• Callbacks – Modern days applications are using
callback mechanism so data coming from browser
can be injected into DOM using script functions.
• Browser making API calls across domains
26.
HTTP processing
Request
IIS
aspnet_isapi.dll
HttpApplication
HttpHandler
HttpModule
HttpModule
HttpModule
Response
Web Application Resource
Web Application Client
32.
Simple scan…
import sys
import os
import re
def scan4request(file):
infile = open(file,"r")
s = infile.readlines()
linenum = 0
print 'Request Object Entry:'
for line in s:
linenum += 1
p = re.compile(".*.[Rr]equest.*[^n]n")
m = p.match(line)
if m:
print linenum,":",m.group()
file = sys.argv[1]
scan4request(file)
33.
Rules…
# Rules file for AppCodeScan
# This file is specific for ASP/ASP.NET applications (Just a sample
rules) - all regex patterns
#Scanning for Request Object Entry Points
.*.Request.*
#Scanning for ASP.NET app entry points
.*.<asp:FileUpload.*?>
.*.<asp:TextBox.*?>
.*.<asp:HiddenField.*?>
.*.<asp:Login.*?>
.*.<asp:PasswordRecovery.*?>
.*.<asp:ChangePassword.*?>
34.
Java
• <% if ( request.getParameter("username") != null )
{%>
• HttpServletRequest
• doGet
• doPost
• Request
• Struts
– public class NameAction extends Action {
35.
PHP/Coldfusion
• PHP
– $_GET[“var”]
– $_POST[“var”]
– $_REQUEST[“var”]
• Coldfusion
– #URL.name# - Getting from querystring “name”
– Similarly we can identify entry points for other aspects like
POST or such by following list of key words
– FORM/form
– SERVER/server
– CLIENT/client
– SESSION/session
37.
Making POST
POST /ws/dvds4less.asmx HTTP/1.0
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; MS Web Services Client Protocol 2.0.50727.1433)
Content-Type: text/xml; charset=utf-8
SOAPAction: "http://tempuri.org/getProductInfo"
Host: 192.168.1.50
Content-Length: 317
Expect: 100-continue
Connection: Keep-Alive
<?xml version="1.0" encoding="utf-8"?><soap:Envelope
xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xmlns:xsd="http://www.w3.org/2001/XMLSchema"><soap:Body><getProductInfo
xmlns="http://tempuri.org/"><id>1</id></getProductInfo></soap:Body></soap:Envelope>
38.
Code for Web Services
<%@ WebService Language="c#" Class="dvds4less" %>
<%@ Assembly name="Microsoft.Data.SqlXml" %>
using Microsoft.Data.SqlXml;
using System.Xml;
using System;
using System.Web.Services;
using System.Data.SqlClient;
using System.IO;
public class dvds4less
{
[WebMethod]
public string Intro()
{
return "DVDs4LESS - Information APIs for web application usage and other business usage";
}
[WebMethod]
public string getProductInfo(string id)
{
…. Code for this function
}
39.
JSON-RPC
<%@ WebHandler Class="JayrockWeb.DemoService" Language="C#" %>
namespace JayrockWeb
{
using System;
using System.Configuration;
using System.Data;
using System.Data.SqlClient;
using System.Collections;
using System.Collections.Specialized;
using System.Web;
using System.Web.SessionState;
using System.Web.UI;
using System.Web.UI.WebControls;
using System.Drawing;
using Jayrock.Json;
using Jayrock.JsonRpc;
using Jayrock.JsonRpc.Web;
[ JsonRpcHelp("This is a JSON-RPC service that demonstrates the basic features of the Jayrock library.") ]
public class DemoService : JsonRpcHandler, IRequiresSessionState
{
[JsonRpcMethod("getProduct", Idempotent = true)]
[ JsonRpcHelp("Returns Product Info") ]
public DataSet GetProductSet(string id)
{
…. Code goes here…
}
40.
Java based
import org.apache.axis.AxisFault;
import org.apache.axis.MessageContext;
import org.apache.axis.transport.http.HTTPConstants;
public class echo {
public String echowebservices(String echo) {
return echo;
}
}
43.
Entry Points…
• Entry points are source to the application
• Each source hits at some sink or end point in
the source code
• It traverses across the source code
• Entry point can be traced to its sink
• This tracing is very important aspect for code
analytics
44.
Tainted variables
• If variable or entry point is injected with
payload then it can have significant impact
• Impact analysis needs to be done
• Impact is dependent on the hit points across
application
• Interesting for vulnerability scanning
perspective
46.
End points / Sinks
• Language Calls – Application language say for example C# or
Java provides various classes and interfaces to access
resources from the system.
• These resources are outside application boundary.
Application may be passing value to SQL interface or system
level command.
• File system calls (Read/Write)
• Operating system calls
• Network/Socket calls
• SQL interfaces
• LDAP/Authentication interfaces
47.
End points / Sinks
• Third party/Vendor interfaces – Application is using
some third party components and these are in binary
form.
• Applications to application – In recent time’s
applications are doing lot of intercommunication
across cross domains. In this case sink or end point
can be another application.
• Middleware call – Applications like banking or
trading uses middle ware extensively and several end
points are terminating into these middle ware calls.
48.
End points / Sinks
• Response call back – In some cases entry point or
information coming through it is going back to the
client as response.
• Audit and Logs – In some cases application
information is going to logs or audit resources.
• Exception/Error message – This end point is special
and lot of application are taking value of entry point
and putting into exception or error message block.
49.
End points / Sinks
• Business logic – Certain entry points are not
going out side application boundary but
staying in business logic space and get
processed inside application.
• Reflection level calls – Applications are
running in virtual machines and there are
certain reflection APIs which are responsible
for virtual machine processing.
Sink Scans
51.
Types - Impact
• Three important aspects of entry points and process
towards end point,
– Data point – entry points are bringing simple new data to
the application and based on that it is going to database or
file system.
– Logic point – It has information which get consumed in the
business logic and it makes business decisions
– Event points – Certain information coming from user can
trigger an event inside the application. These are event
points, like calling LDAP server or such.
52.
State Analysis
• Expected/Desired state – This is expected state by developer
and application’s behavior is absolutely legitimate.
• Unexpected legitimate state – In this state application goes to
unexpected state but it is legitimate and no objection with it.
• Exception/Error state – In this application ends with error or
exception and state may end up doing information leakage.
• Vulnerable state – In this state application goes into
vulnerable position where successful exploitation is possible.
Vulnerable state is our major concern.
Impact = Entry Point + End Point + State
56.
Simple tracing…
import sys
import os
import re
def scan4trace(file,var):
infile = open(file,"r")
s = infile.readlines()
print 'Tracing variable:'+var
linenum=0
for line in s:
linenum += 1
p = re.compile(".*."+var+".*")
m = p.match(line)
if m:
print "[",linenum,"]",line
file = sys.argv[1]
var = sys.argv[2]
scan4trace(file,var)
58.
Security Domains/Controls
• Authentication
• Authorization
• Error Handling
• Input Validations
• Data Validation
• Crypto and Secret Handling
• Business Logic Handling
• Session and Identity Handling
• Client Side Controls
• Auditing and Logging
59.
Authentication
• Authentication disclosing sensitive information
• Not having auditing on the authentication
• No user lockdown policy in place
• Authentication bypass (SQL / LDAP interface)
• Password strength is poor
• No deployment of CAPTCHA or similar identification product
• Credential are not securely transmitted
• Credential are stored on client side which can be retrieved
• Authentication token or cookies are not well crafted
• Single Sign On (SSO) can be abused
• Deliberated backdoors are created
• Hidden fields and information exposure
60.
Authorization
• Session tokens are insecure
• Weak authorization mechanism
• Client side tampering and manipulation possible
• Possible data and SQL injections
• Access to system level bypass
• Single place authorization bypass
• URL forcing and manipulation
• Guessable resources and access
• Role-based bypass exploitation and weakness
61.
Error Handling
• Information leakage
• Logic bypass
• Internal logic and routine disclosure
• Stack trace enumeration
62.
Input Validations
• Various injection vectors (SQL, LDAP, XPATH etc.)
• Cross Site Scripting (XSS)
• Cross Site Request Forgery (CSRF)
• Buffer overflows
• Denial of Services (DoS)
• Integer and logical boundary overrun
• Canonicalization issues
• Validation bypass (Client side)
• Serialization attacks
• Information leakage
63.
Data Validations
• Proxy injections from third party stream
• XSS injection with RSS feeds
• Client side logic bypass
• Upload/download stream injections
• Remote command/code injection and
execution
• Callback manipulation in JavaScript
64.
Crypto & Secrets
• Poor key generation
• Database fields are not well encrypted (password,
social security number etc.)
• Poor encryption (customized)
• Checksum spoofing
• Some secrets in source code itself
• Configuration file containing secrets
• Secret getting revealed in error message or some
other means
65.
Business Logic
• Data type bypass
• ACLs manipulation
• Read/Write access
• Privilege escalation on application layer
• API abuse
• Cross Domain Call and API manipulation
• Client Side Logic reverse engineering
66.
Session and Identity
• Session hijacking by eavesdropping
• Man in the middle attack
• Poor session identifier generation
• Browser hacks like XSS to gain cookies
• Predictable session identifier
• Session bypass and access
• Cookie scope and time abuse
• Abusing URL rewriting
• Local session storing access
67.
Client Side Controls
• Client side validation bypass
• Reverse engineering of client side components
• Decompilation and knowledge gathering
• Cross Site Injections
• Abusing streams like JSON or RSS
• Local memory access and manipulation
• Desktop based offline module exploitation
• Browser exploits and hacking
• Information and identity theft
• Cross Site Request Forgery
• Exploiting callbacks and JavaScripts
68.
Auditing and Logging
• Hacker’s attacks go without notice
• Successful hacks in the application
• No tracing of events
• Application layer bruteforcing
• Error message abuse
To determine the likelihood of problems arising from a given code segment Simplest tools: search source code for text pattern matches calculate basic program metrics (Cyclomatic complexity, Halstead complexity) Advanced tools: - act as advanced compiler for the source code - deeply analyze execution and data flow for faults - include link information to determine higher-level problems