Owasp lapse


Published on

null Bangalore Chapter - April 2013 Meet

Published in: Education, Technology
1 Like
  • Be the first to comment

No Downloads
Total views
On SlideShare
From Embeds
Number of Embeds
Embeds 0
No embeds

No notes for slide

Owasp lapse

  1. 1. A review from an end-user perspectivebyPraveen P
  2. 2. Agenda Introduction Demo Loading LAPSE+ in Eclipse LAPSE+ Eclipse Plug-in Views Vulnerability Sources View Vulnerability Sinks View Provenance Tracker View Advantages Limitations Conclusion
  3. 3. Introducing LAPSE+ An eclipse IDE plug-in for Java. A static code analyzing software. A security scanner for detectingvulnerabilities of un-trusted datainjection in Java EE Applications. Developed by the SUIF CompilerGroup of Stanford University
  4. 4. LAPSE+ LAPSE+ is based on the static analysis of codeto detect the source and the sink of avulnerability. The source of a vulnerability refers to theinjection of un-trusted data in the parametersof an HTTP request, a Cookie, etc. The sink of a vulnerability refers to the processof data modification to manipulate the behaviorof the application, such as a servlet responseor a HTML page. The vulnerability sources can lead to sinks bysimple assignments, method calls orparameters passing.
  5. 5. Demo- Loading LAPSE+ in Eclipse D:techeclipse LAPSE+ plugin consists of a Java JARfile called LapsePlus_2.8.X.jar. To load the plugin we have to copy itin the plugins folder of our EclipseHelios Once we have copied the Java JAR filein plugins folder we can run Eclipse. LAPSE+ is ready!
  6. 6. LAPSE+ Eclipse Plug-in ViewsLAPSE+ provides three different views for the analysis ofvulnerabilities: Vulnerability Sources View: It shows the points ofcode that can be source of un-trusted data injection. Vulnerability Sinks View: It shows the points ofcode that can insert the un-trusted data in theapplication, manipulating its behavior. Provenance Tracker View: This view traces thebackward propagation tree from a vulnerability sink inorder to check if it reaches a vulnerability source. Ifthis happens we have a vulnerability in our code.
  7. 7. Advantages Accurate result. It automatically places cursor to therelevant source code. It helps you to test your validationlogic from a security perspective evenwithout compiling your code.
  8. 8. Limitations Limited to Java. Limited to eclipse environment hencecannot be triggered during build phase. Copy-to-clipboard functionality is notproper. Does not analyze JSP/web pages. Cannot identify whether a code containsany compilation errors. Cannot block a vulnerable code fromentering the code repository (subversion).
  9. 9. Conclusion LAPSE+ is not a complete fool proofsolution for static code analysis but itprovides very accurate results. LAPSE+ is better than YASCA andARACHNI in terms of results andconvenience.
  10. 10. THANK YOU