Secure SDLC for Software

1. <ul><li>Session E2 </li></ul><ul><li>Secure SDLC for Software Assurance </li></ul><ul><li>Date: Monday, 19 April 2010 Time: 1:30pm - 3pm </li></ul><ul><li>Shreeraj Shah </li></ul><ul><li>Founder and Director, Blueinfy; Author, Web 2.0 Security and Web Hacking: Attacks and Defense </li></ul>

2. Who Am I? <ul><li>Founder & Director </li></ul><ul><ul><li>Blueinfy Solutions Pvt. Ltd. (Brief) </li></ul></ul><ul><ul><li>SecurityExposure.com </li></ul></ul><ul><li>Past experience </li></ul><ul><ul><li>Net Square, Chase, IBM & Foundstone </li></ul></ul><ul><li>Interest </li></ul><ul><ul><li>Web security research </li></ul></ul><ul><li>Published research </li></ul><ul><ul><li>Articles / Papers – Securityfocus, O’erilly, DevX, InformIT etc. </li></ul></ul><ul><ul><li>Tools – wsScanner, scanweb2.0, AppMap, AppCodeScan, AppPrint etc. </li></ul></ul><ul><ul><li>Advisories - .Net, Java servers etc. </li></ul></ul><ul><li>Books (Author) </li></ul><ul><ul><li>Web 2.0 Security – Defending Ajax, RIA and SOA </li></ul></ul><ul><ul><li>Hacking Web Services </li></ul></ul><ul><ul><li>Web Hacking </li></ul></ul>http://shreeraj.blogspot.com [email_address] http://www.blueinfy.com

3. SOFTWARE/APPLICATION SECURITY (STATE)

4. Data Breaches & Security

5. Hacks & Attacks

6. Security with Banks

9. Root cause of Vulnerabilities CSI Security Survey : Vulnerability Distribution misconfiguration, other problems 36% programming errors 64% misconfiguration, other problems programming errors

10. Source Code Issues <ul><li>1 Security defect per 10,000 lines </li></ul><ul><li>Reported </li></ul><ul><ul><li>30,000+ at CVE </li></ul></ul><ul><ul><li>6000+ at IBM X-Force </li></ul></ul><ul><li>70% developers are working on application coding </li></ul><ul><li>4 in top 5 vulnerabilities are on application layer </li></ul><ul><li>Expensive to fix them. </li></ul>

11. AppSec dynamics

12. Vulnerable State Expected State Exception Handler Decision Integer/ Number Special Characters A-Z Characters Input Potential Exploitation Enterprise level bugs

13. Top 10 & Bugs

14. Threats and Controls Source – Web Application Security Consortium

15. CVE/CWE - Errors <ul><li>Insecure Interaction Between Components </li></ul><ul><ul><li>These weaknesses are related to insecure ways in which data is sent and received between separate components, modules, programs, processes, threads, or systems. </li></ul></ul><ul><ul><li>CWE-20 : Improper Input Validation </li></ul></ul><ul><ul><li>CWE-116 : Improper Encoding or Escaping of Output </li></ul></ul><ul><ul><li>CWE-89 : Failure to Preserve SQL Query Structure (aka 'SQL Injection') </li></ul></ul><ul><ul><li>CWE-79 : Failure to Preserve Web Page Structure (aka 'Cross-site Scripting') </li></ul></ul><ul><ul><li>CWE-78 : Failure to Preserve OS Command Structure (aka 'OS Command Injection') </li></ul></ul><ul><ul><li>CWE-319 : Cleartext Transmission of Sensitive Information </li></ul></ul><ul><ul><li>CWE-352 : Cross-Site Request Forgery (CSRF) </li></ul></ul><ul><ul><li>CWE-362 : Race Condition </li></ul></ul><ul><ul><li>CWE-209 : Error Message Information Leak </li></ul></ul>Source – CWE/CVE - http://cwe.mitre.org/top25/index.html

16. CVE/CWE - Errors <ul><li>Risky Resource Management </li></ul><ul><ul><li>The weaknesses in this category are related to ways in which software does not properly manage the creation, usage, transfer, or destruction of important system resources. </li></ul></ul><ul><ul><li>CWE-119 : Failure to Constrain Operations within the Bounds of a Memory Buffer </li></ul></ul><ul><ul><li>CWE-642 : External Control of Critical State Data </li></ul></ul><ul><ul><li>CWE-73 : External Control of File Name or Path </li></ul></ul><ul><ul><li>CWE-426 : Untrusted Search Path </li></ul></ul><ul><ul><li>CWE-94 : Failure to Control Generation of Code (aka 'Code Injection') </li></ul></ul><ul><ul><li>CWE-494 : Download of Code Without Integrity Check </li></ul></ul><ul><ul><li>CWE-404 : Improper Resource Shutdown or Release </li></ul></ul><ul><ul><li>CWE-665 : Improper Initialization </li></ul></ul><ul><ul><li>CWE-682 : Incorrect Calculation </li></ul></ul>Source – CWE/CVE - http://cwe.mitre.org/top25/index.html

17. CVE/CWE - Errors <ul><li>Porous Defenses </li></ul><ul><ul><li>The weaknesses in this category are related to defensive techniques that are often misused, abused, or just plain ignored. </li></ul></ul><ul><ul><li>CWE-285 : Improper Access Control (Authorization) </li></ul></ul><ul><ul><li>CWE-327 : Use of a Broken or Risky Cryptographic Algorithm </li></ul></ul><ul><ul><li>CWE-259 : Hard-Coded Password </li></ul></ul><ul><ul><li>CWE-732 : Insecure Permission Assignment for Critical Resource </li></ul></ul><ul><ul><li>CWE-330 : Use of Insufficiently Random Values </li></ul></ul><ul><ul><li>CWE-250 : Execution with Unnecessary Privileges </li></ul></ul><ul><ul><li>CWE-602 : Client-Side Enforcement of Server-Side Security </li></ul></ul>Source – CWE/CVE - http://cwe.mitre.org/top25/index.html

18. Mapping

19. SDLC – WHERE IS SECURITY?

20. Enterprise SDLC 1. Analysis and Assessment 2. Design Specification 3. Software Development 4. Implementation 5. Support 6. Performance Monitoring

21. Missing in SDLC <ul><li>SDLC is independent of security concerns </li></ul><ul><li>Analysis without security perspective </li></ul><ul><li>Vulnerabilities discovered after deployment and development </li></ul><ul><li>Hard and difficult to fix </li></ul><ul><li>Very costly to fix bugs </li></ul><ul><li>Industry is moving towards security aware SDLC </li></ul>

22. Application Security Cycle Architecture Blackbox Whitebox Defense Architecture Review Design Review Technology Review Threat modeling Assessment Audit controls Penetration tests Deployment tests Configuration review Deployment review Code review Threat correlation Secure coding Configuration lockdown Content filtering Threat mitigation

23. SAMM <ul><li>Software Assurance Maturity model (SAMM) </li></ul><ul><ul><li>OWASP is running with new project </li></ul></ul><ul><ul><li>Defining maturity of security in the organization </li></ul></ul><ul><ul><li>Specific domain based and activity driven </li></ul></ul><ul><ul><li>It is new approach </li></ul></ul><ul><ul><li>Need to see industry’s adaptation to it </li></ul></ul><ul><ul><li>http://www.owasp.org/index.php/Category:Software_Assurance_Maturity_Model </li></ul></ul>

24. SAMM in nutshell <ul><li>Governance </li></ul><ul><ul><li>Strategy and Metrics </li></ul></ul><ul><ul><li>Policy and Compliance </li></ul></ul><ul><ul><li>Education and Guidance </li></ul></ul><ul><li>Construction </li></ul><ul><ul><li>Threat Assessment </li></ul></ul><ul><ul><li>Security Requirement </li></ul></ul><ul><ul><li>Secure Architecture </li></ul></ul><ul><li>Verification </li></ul><ul><ul><li>Design Review </li></ul></ul><ul><ul><li>Code Review </li></ul></ul><ul><ul><li>Security Testing </li></ul></ul><ul><li>Deployment </li></ul><ul><ul><li>Vulnerability Management </li></ul></ul><ul><ul><li>Environment Hardening </li></ul></ul><ul><ul><li>Operational Enablement </li></ul></ul>

25. Different models

26. Methodology, Scan and Attacks Footprinting & Discovery Enumeration & Crawling Attacks and Scanning Config Scanning Web Firewall Secure Coding Assets Secure Assets Black White Defense Code Scanning

27. Black vs. White Architecture Review Scoping Footprinting Discovery Enumeration & Profiling Security Controls & Cases Vulnerability Assessment Threat Modeling Mitigation strategies Reporting Sample Security Control Categories – Authentication, Access Controls/Authorization, API misuse, Path traversal, Sensitive information leakage, Error handling, Session management, Protocol abuse, Input validations, Cross Site Scripting (XSS), Cross Site Request Forgery (CSRF), Logic bypass, Insecure crypto, Denial of Services, Malicious Code Injection, SQL injection, XPATH and LDAP injections, OS command injection, Parameter manipulations, Bruteforce, Buffer Overflow, Format string, HTTP response splitting, HTTP replay, XML injection, Canonicalization, Logging and auditing. Architecture Review Scoping Threat Modeling Code Enumeration Security Controls & Cases Entry Point Discoveries Class, Function & Variable Tracing Code Mapping and Functionality Vulnerability Detection Mitigation Controls Reporting Black White

28. White vs. Black <ul><li>Scope of coverage </li></ul><ul><ul><li>Blackbox method uses crawling and spidering to determine all possible resources </li></ul></ul><ul><ul><li>Application assets are residing in JavaScript and various other tags in HTML, it makes asset detection very difficult and blackbox approach fails in many cases. </li></ul></ul><ul><ul><li>If one is using whitebox approach then not a single line of code will get missed and scope can be covered at 100%. Whitebox can do much better job when comes to covering the scope of the source. </li></ul></ul>

29. White vs. Black <ul><li>Discovery and Detection </li></ul><ul><ul><li>Blackbox testing uses signature analysis for vulnerability detection. Example, it looks for ODBC error for SQL injection and so on. </li></ul></ul><ul><ul><li>If errrors are missing … </li></ul></ul><ul><ul><li>Blackbox fails in those cases </li></ul></ul><ul><ul><li>Whitebox good to go </li></ul></ul>

30. White vs. Black <ul><li>Accuracy of Vulnerability </li></ul><ul><ul><li>Accuracy of vulnerability is very important as well. </li></ul></ul><ul><ul><li>Blackbox is inaccurate in some cases </li></ul></ul><ul><ul><li>Came up false +/- </li></ul></ul>

31. White vs. Black <ul><li>Cause Identification </li></ul><ul><ul><li>One of the major challenges is to identify actual cause of the vulnerability. </li></ul></ul><ul><ul><li>Blackbox shows symptoms </li></ul></ul><ul><ul><li>Whitebox can pin point the cause </li></ul></ul>

32. Limitations <ul><li>Blackbox </li></ul><ul><ul><li>Vulnerabilities get missed </li></ul></ul><ul><ul><li>Not full coverage </li></ul></ul><ul><ul><li>Vuln found? But where is the source of it? </li></ul></ul><ul><ul><li>Developer’s question – where should I go and fix? – Location </li></ul></ul><ul><ul><li>WAF – easy to bypass </li></ul></ul><ul><ul><li>Missing rules </li></ul></ul><ul><ul><li>Too much to put on WAF, may not work … </li></ul></ul>

33. MISSING PARTS

34. Domain centric approach - MUSTs <ul><li>Authentication </li></ul><ul><li>Authorization </li></ul><ul><li>Error Handling </li></ul><ul><li>Input Validations </li></ul><ul><li>Data Validation </li></ul><ul><li>Crypto and Secret Handling </li></ul><ul><li>Business Logic Handling </li></ul><ul><li>Session and Identity Handling </li></ul><ul><li>Client Side Controls </li></ul><ul><li>Auditing and Logging </li></ul>

35. Two components <ul><li>SDLC should have two important components from software security perspective </li></ul><ul><ul><li>Threat modeling </li></ul></ul><ul><ul><li>Source code analysis </li></ul></ul>

36. Black-White-TM

37. Architecture review

38. QueryString POST name and value pairs XML/JSON etc. HTTP variables Cookie etc. File attachments uploads etc. Feeds and other party information Open APIs and integrated streams HTTP Response variables JSON/XML streams API - steams Entry Point Review

39. Use cases <ul><li>Example </li></ul>

40. Mapping Key Parameters Steps Input Output Identify Application objectives Business Requirements List of Key Objectives Overview of the Application Architecture <ul><li>Architecture diagrams </li></ul><ul><li>Functional specifications </li></ul><ul><li>List of Key Technologies </li></ul><ul><li>End to End Architecture implementation details </li></ul>In - depth Application Analysis: <ul><li>Data Flow diagrams </li></ul><ul><li>Technical specifications </li></ul><ul><li>Trust boundaries </li></ul><ul><li>Entry points </li></ul><ul><li>Exit points </li></ul><ul><li>Data flows </li></ul>Identify threats & vulnerabilities <ul><li>Well Known Threats/ Knowledge of the same from the Internet </li></ul><ul><li>Threat Trees </li></ul>Threat & Vulnerabilities list

41. Static Code Analysis <ul><li>Static code analysis is very old technique to determine code quality. </li></ul><ul><li>Analyzing compiled and object code </li></ul><ul><li>All analysis we can do without actually executing the application can be called static code analysis. </li></ul><ul><li>Static application code analysis with security perspective is one of the most powerful tools for whitebox analysis. </li></ul><ul><li>In this case there is no object code available but applications are in clear text in source only. </li></ul>

42. Traditional checks <ul><li>void temp( char *pszIn ) </li></ul><ul><li>{ </li></ul><ul><ul><li>char szBuff[10]; </li></ul></ul><ul><ul><li>strcpy(szBuff, pszIn); </li></ul></ul><ul><ul><li>. . . </li></ul></ul><ul><li>} </li></ul>

43. Application challenges <ul><li>Application entry points are scattered and multiple, number of entry points are coming over HTTP traffic and some times tricky to detect. </li></ul><ul><li>Web 2.0 applications are running with Web Services using protocols like SOAP, XML-RPC or REST. </li></ul><ul><li>Application layer tracing is also difficult and challenging since it is across multiple pages along with some intermediate framework code. </li></ul><ul><li>Source code analysis has different technologies and modules involved in the process and it makes very difficult. </li></ul><ul><li>One important aspect is client side coding and modules like Ajax, JavaScript, Flash and Silverlight. </li></ul><ul><li>Static code analysis needs some expertise in doing binary and object code analysis as well over application code. </li></ul>

44. Simple presentation ASP.NET <ul><li><%@ Page Language="C#" AutoEventWireup="true" CodeFile=" Cmdexec.aspx.cs " Inherits="Cmdexec" %> </li></ul><ul><li><!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> </li></ul><ul><li><html xmlns="http://www.w3.org/1999/xhtml" > </li></ul><ul><li><head runat="server"> </li></ul><ul><li><title>Untitled Page</title> </li></ul><ul><li></head> </li></ul><ul><li><body style="font-size: 12pt"> </li></ul><ul><li><form id="form1" runat="server"> </li></ul><ul><li><div> </li></ul><ul><li>Enter the filename to view your contract: </li></ul><ul><li><asp:TextBox ID="TextBox1" runat="server"></asp:TextBox> </li></ul><ul><li><asp:Button ID="Button1" runat="server" OnClick="Button1_Click1" Text="Submit" /><br /> </li></ul><ul><li><br /> </li></ul><ul><li><asp:Label ID="Label1" runat="server" Height="355px" Text="Label" Width="544px"></asp:Label></div> </li></ul><ul><li></form> </li></ul><ul><li></body> </li></ul><ul><li></html> </li></ul>

45. Code behind calls <ul><li>using System; </li></ul><ul><li>… </li></ul><ul><li>… </li></ul><ul><li>using System.IO; </li></ul><ul><li>public partial class Cmdexec : System.Web.UI.Page </li></ul><ul><li>{ </li></ul><ul><li>protected void Page_Load(object sender, EventArgs e) </li></ul><ul><li>{ </li></ul><ul><li>Label1.Visible = false; </li></ul><ul><li>} </li></ul><ul><li>protected void Calendar1_SelectionChanged(object sender, EventArgs e) </li></ul><ul><li>{ </li></ul><ul><li>} </li></ul><ul><li>protected void Button1_Click1(object sender, EventArgs e) </li></ul><ul><li>{ </li></ul><ul><li>Label1.Visible = true; </li></ul><ul><li>Label1.Text = ""; </li></ul><ul><li>System.Diagnostics.ProcessStartInfo psi = new System.Diagnostics.ProcessStartInfo(); </li></ul><ul><li>psi.FileName = @"C:WINDOWSsystem32cmd.exe"; </li></ul><ul><li>psi.Arguments = @"/c type c:ontractsamp;quot; + TextBox1.Text + @" > c:ontractsontract.txt"; </li></ul><ul><li>psi.WindowStyle = System.Diagnostics.ProcessWindowStyle.Hidden; </li></ul><ul><li>System.Diagnostics.Process.Start(psi); </li></ul><ul><li>System.Threading.Thread.Sleep(3000); </li></ul><ul><li>TextReader textRead = new StreamReader("c:ontractsontract.txt"); </li></ul><ul><li>Label1.Text = textRead.ReadToEnd(); </li></ul><ul><li>textRead.Close(); </li></ul><ul><li>} </li></ul><ul><li>} </li></ul>

46. Running on Object Code <ul><li>D:cmddeploy>dir /S </li></ul><ul><li>Volume in drive D has no label. </li></ul><ul><li>Volume Serial Number is 0859-A6D9 </li></ul><ul><li>Directory of D:cmddeploy </li></ul><ul><li>12/09/2008 01:58 PM <DIR> . </li></ul><ul><li>12/09/2008 01:58 PM <DIR> .. </li></ul><ul><li>12/09/2008 01:58 PM <DIR> bin </li></ul><ul><li>12/09/2008 01:58 PM 86 Cmdexec.aspx </li></ul><ul><li>12/09/2008 01:58 PM 50 PrecompiledApp.config </li></ul><ul><li>2 File(s) 136 bytes </li></ul><ul><li>Directory of D:cmddeployin </li></ul><ul><li>12/09/2008 01:58 PM <DIR> . </li></ul><ul><li>12/09/2008 01:58 PM <DIR> .. </li></ul><ul><li>12/09/2008 01:58 PM 7,680 App_Web_t_pyp492.dll </li></ul><ul><li>12/09/2008 01:58 PM 341 cmdexec.aspx.cdcab7d2.compiled </li></ul><ul><li>2 File(s) 8,021 bytes </li></ul><ul><li>Total Files Listed: </li></ul><ul><li>4 File(s) 8,157 bytes </li></ul><ul><li>5 Dir(s) 282,451,968 bytes free </li></ul>

47. Vulnerable and Exploit

48. Running on reverse engineering <ul><li>D:cmddeployin>ildasm /TEXT App_Web_t_pyp492.dll | grep System.Diagnostics.Pro </li></ul><ul><li>cess </li></ul><ul><li>.locals init (class [System]System.Diagnostics.ProcessStartInfo V_0, </li></ul><ul><li>IL_001c: newobj instance void [System]System.Diagnostics.ProcessStartIn </li></ul><ul><li>fo::.ctor() </li></ul><ul><li>IL_0028: callvirt instance void [System]System.Diagnostics.ProcessStartIn </li></ul><ul><li>fo::set_FileName(string) </li></ul><ul><li>IL_0048: callvirt instance void [System]System.Diagnostics.ProcessStartIn </li></ul><ul><li>fo::set_Arguments(string) </li></ul><ul><li>IL_004f: callvirt instance void [System]System.Diagnostics.ProcessStartIn </li></ul><ul><li>fo::set_WindowStyle(valuetype [System]System.Diagnostics.ProcessWindowStyle) </li></ul><ul><li>IL_0055: call class [System]System.Diagnostics.Process [System]System </li></ul><ul><li>.Diagnostics.Process::Start(class [System]System.Diagnostics.ProcessStartInfo) </li></ul>

49. Building code from object…

50. Object vs. Source <ul><li>Source code is in natural languages like C#, Java or PHP, while object code is lowered and optimized in intermediate or machine understandable languages. </li></ul><ul><li>Source code is easier to grasp and can help in identifying developer’s intent, logic and approach. </li></ul><ul><li>Object code just is not enough for security analysis, say for example we know there is simple vulnerability but we need to link to the actual source code line number. </li></ul><ul><li>Object code is easier to analyze as far as resolving perspective is concern. </li></ul><ul><li>Source code analysis needs powerful parser and it is very dependent on language to language. </li></ul><ul><li>Source code is actual code written by developers and full information is in it like comment or other intentions. </li></ul><ul><li>Also, for some one to share it is easier to ship object code compared to source code. (IP issues) </li></ul>

51. Techniques <ul><li>Data flow analysis </li></ul><ul><li>Tainted flow analysis </li></ul><ul><li>Signature analysis </li></ul><ul><li>Code Mapping and Layering </li></ul>

52. Attack Surface <ul><li>Source Code is having probable attack surface </li></ul><ul><li>Attack surface is defined by entry points </li></ul><ul><li>Entry points are exploited by attackers </li></ul><ul><li>Attacker passes payload from these points and try to exploit the system </li></ul><ul><li>Attack surface determination and entry point identification are very critical </li></ul>

53. Attack & Entry

54. GET/POST <ul><ul><li>GET /login.aspx? username=shah HTTP/1.1 </li></ul></ul><ul><ul><li>Host: example.com </li></ul></ul><ul><ul><li>User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.2; en-US; rv:1.9.0.1) Gecko/2008070208 Firefox/3.0.1 </li></ul></ul><ul><ul><li>Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8 </li></ul></ul><ul><ul><li>Accept-Language: en-us,en;q=0.5 </li></ul></ul><ul><ul><li>Accept-Encoding: gzip,deflate </li></ul></ul><ul><ul><li>Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7 </li></ul></ul><ul><ul><li>Keep-Alive: 300 </li></ul></ul><ul><ul><li>Connection: keep-alive </li></ul></ul><ul><li>POST http://example.com/cgi-bin/search.cgi HTTP/1.1 Host: example.com User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.0; rv:1.7.3) Gecko/20040913 Firefox/0.10 Accept: text/xml, application/xml, application/xhtml+xml, text/html;q=0.9, text/plain;q=0.8, image/png, */*;q=0.5 Keep-Alive: 300 Referer: http://example.com/ Content-Type: application/x-www-form-urlencoded Content-Length: 17 </li></ul><ul><li>search=searchtext </li></ul>

55. XML-RPC <ul><li>POST /trade-rpc/getquote.rem HTTP/1.0 </li></ul><ul><li>TE: deflate,gzip;q=0.3 </li></ul><ul><li>Connection: TE, close </li></ul><ul><li>Host: xmlrpc.example.com </li></ul><ul><li>Content-Type: text/xml </li></ul><ul><li>Content-Length: 161 </li></ul><ul><li><?xml version="1.0"?> </li></ul><ul><li><methodCall> </li></ul><ul><li><methodName>stocks.getquote</methodName> </li></ul><ul><li><params> </li></ul><ul><li><param><value><string> MSFT </string></value></param> </li></ul><ul><li></params> </li></ul><ul><li></methodCall> </li></ul>

56. SOAP <ul><li><?xml version="1.0" encoding="utf-8"?> </li></ul><ul><li><soap:Envelope xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/" </li></ul><ul><li>xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:xsd="http://www.w3.org/2001/XMLSchema"> </li></ul><ul><li><soap:Body> </li></ul><ul><li><getQuotes xmlns="http://tempuri.org/"> </li></ul><ul><li><compid>MSFT</compid> </li></ul><ul><li></getQuotes> </li></ul><ul><li></soap:Body> </li></ul><ul><li></soap:Envelope> </li></ul>

57. REST <ul><li><?xml version="1.0"?> </li></ul><ul><li><p:Laptops xmlns:p="http://laptops.example.com" </li></ul><ul><li>xmlns:xl="http://www.w3.org/1999/xlink"> </li></ul><ul><li><Laptop id="0123" xl:href="http://www.parts-depot.com/laptops/0123"/> </li></ul><ul><li>< Laptop id="0348" xl:href=" http://www.parts-depot.com laptops /0348 "/> </li></ul><ul><li>< Laptop id="0321" xl:href="http://www.parts-depot.com/ laptops /0321"/> </li></ul><ul><li>… </li></ul><ul><li>… </li></ul><ul><li></p:Laptops> </li></ul>

58. JSON <ul><li>message = { </li></ul><ul><li>from : "john@example.com", </li></ul><ul><li>to : "jerry@example.com", </li></ul><ul><li>subject : "I am fine", </li></ul><ul><li>body : "Long message here", </li></ul><ul><li>showsubject : function(){document.write(this.subject)} </li></ul><ul><li>}; </li></ul>

59. File calls <ul><li><form name="Form1" method="post" action="ContractUpload.aspx" id="Form1" enctype="multipart/form-data"> </li></ul><ul><li>It is taking input as file as below, </li></ul><ul><li><input name="uplTheFile" type="file" id="uplTheFile" /> </li></ul>

60. RSS - Feed <ul><li><rss version="2.0"> </li></ul><ul><li><channel> </li></ul><ul><li><title>Example News</title> </li></ul><ul><li><link>http://example.com/</link> </li></ul><ul><li><description>News feed</description> </li></ul><ul><li><language>en-us</language> </li></ul><ul><li><pubDate>Tue, 10 Jun 2006 04:00:00 GMT</pubDate> </li></ul><ul><li><lastBuildDate>Tue, 10 Jun 2006 09:41:01 </li></ul><ul><li>GMT</lastBuildDate> </li></ul><ul><li><docs>http://example.com/rss</docs> </li></ul><ul><li><generator>Weblog Editor 2.0</generator> </li></ul><ul><li><item> </li></ul><ul><li><title>Today's title</title> </li></ul><ul><li><link>http://example.com/10thjune.asp</link> </li></ul><ul><li><description>News goes here</description> </li></ul><ul><li><pubDate>Tue, 03 Jun 2006 09:39:21 GMT</pubDate> </li></ul><ul><li><guid>http://example.com/news.html#item300</guid> </li></ul><ul><li></item> </li></ul><ul><li>... </li></ul><ul><li></item> </li></ul>

61. Entry Points – Client Side <ul><li>HTTP response – All headers as well as HTML content </li></ul><ul><li>JavaScripts coming from server </li></ul><ul><li>Ajax/RIA calls consuming different structures which we have discussed like JSON, XML, JS-Object etc. </li></ul><ul><li>Callbacks – Modern days applications are using callback mechanism so data coming from browser can be injected into DOM using script functions. </li></ul><ul><li>Browser making API calls across domains </li></ul>

62. HTTP to Source <ul><li>http://192.168.1.50/Searchresult.aspx?ReferenceId=microsoft </li></ul><ul><li>GET /Searchresult.aspx?ReferenceId=microsoft HTTP/1.1 </li></ul><ul><li>Host: 192.168.1.50 </li></ul><ul><li>User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.2; en-US; rv:1.9.0.1) Gecko/2008070208 Firefox/3.0.1 </li></ul><ul><li>Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8 </li></ul><ul><li>Accept-Language: en-us,en;q=0.5 </li></ul><ul><li>Accept-Encoding: gzip,deflate </li></ul><ul><li>Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7 </li></ul><ul><li>Keep-Alive: 300 </li></ul><ul><li>Connection: keep-alive </li></ul><ul><li>Cache-Control: max-age=0 </li></ul><ul><li>protected void Page_Load(object sender, EventArgs e) </li></ul><ul><li>{ </li></ul><ul><li>if (!Page.IsPostBack) </li></ul><ul><li>{ </li></ul><ul><li>bindresult(Request.QueryString["ReferenceId"].ToString()); </li></ul><ul><li>} </li></ul><ul><li>} </li></ul>

63. Interesting… <ul><li>Request.Cookie – To access cookie values </li></ul><ul><li>Request.Form – Form parameters </li></ul><ul><li>Request.File – File parameter </li></ul><ul><li>Request.ServerVariables – Access to server variables </li></ul>

64. In compiled code <ul><li>IL_0007: callvirt instance class [System]System.Collections.Specialized.NameValueCollection [System.Web]System.Web.HttpRequest::get_QueryString() </li></ul><ul><li>IL_000c: ldstr "id" </li></ul>

65. Simple scan… <ul><li>import sys </li></ul><ul><li>import os </li></ul><ul><li>import re </li></ul><ul><li>def scan4request(file): </li></ul><ul><li>infile = open(file,"r") </li></ul><ul><li>s = infile.readlines() </li></ul><ul><li>linenum = 0 </li></ul><ul><li>print 'Request Object Entry:' </li></ul><ul><li>for line in s: </li></ul><ul><li>linenum += 1 </li></ul><ul><li>p = re.compile(".*.[Rr]equest.*[^ ] ") </li></ul><ul><li>m = p.match(line) </li></ul><ul><li>if m: </li></ul><ul><li>print linenum,":",m.group() </li></ul><ul><li>file = sys.argv[1] </li></ul><ul><li>scan4request(file) </li></ul>

66. AppCodeScan way…

67. Rules… <ul><li># Rules file for AppCodeScan </li></ul><ul><li># This file is specific for ASP/ASP.NET applications (Just a sample rules) - all regex patterns </li></ul><ul><li>#Scanning for Request Object Entry Points </li></ul><ul><li>.*.Request.* </li></ul><ul><li>#Scanning for ASP.NET app entry points </li></ul><ul><li>.*.<asp:FileUpload.*?> </li></ul><ul><li>.*.<asp:TextBox.*?> </li></ul><ul><li>.*.<asp:HiddenField.*?> </li></ul><ul><li>.*.<asp:Login.*?> </li></ul><ul><li>.*.<asp:PasswordRecovery.*?> </li></ul><ul><li>.*.<asp:ChangePassword.*?> </li></ul>

68. Java <ul><li><% if ( request.getParameter("username") != null ) {%> </li></ul><ul><li>HttpServletRequest </li></ul><ul><li>doGet </li></ul><ul><li>doPost </li></ul><ul><li>Request </li></ul><ul><li>Struts </li></ul><ul><ul><li>public class NameAction extends Action { </li></ul></ul>

69. PHP/Coldfusion <ul><li>PHP </li></ul><ul><ul><li>$_GET[“var”] </li></ul></ul><ul><ul><li>$_POST[“var”] </li></ul></ul><ul><ul><li>$_REQUEST[“var”] </li></ul></ul><ul><li>Coldfusion </li></ul><ul><ul><li>#URL.name# - Getting from querystring “name” </li></ul></ul><ul><ul><li>Similarly we can identify entry points for other aspects like POST or such by following list of key words </li></ul></ul><ul><ul><li>FORM/form </li></ul></ul><ul><ul><li>SERVER/server </li></ul></ul><ul><ul><li>CLIENT/client </li></ul></ul><ul><ul><li>SESSION/session </li></ul></ul>

70. Web 2.0 <ul><li>Web Services and SOA entry points </li></ul>

71. Making POST <ul><li>POST /ws/dvds4less.asmx HTTP/1.0 </li></ul><ul><li>User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; MS Web Services Client Protocol 2.0.50727.1433) </li></ul><ul><li>Content-Type: text/xml; charset=utf-8 </li></ul><ul><li>SOAPAction: "http://tempuri.org/getProductInfo" </li></ul><ul><li>Host: 192.168.1.50 </li></ul><ul><li>Content-Length: 317 </li></ul><ul><li>Expect: 100-continue </li></ul><ul><li>Connection: Keep-Alive </li></ul><ul><li><?xml version="1.0" encoding="utf-8"?><soap:Envelope xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:xsd="http://www.w3.org/2001/XMLSchema"><soap:Body><getProductInfo xmlns="http://tempuri.org/"><id>1</id></getProductInfo></soap:Body></soap:Envelope> </li></ul>

72. Code for Web Services <ul><li><%@ WebService Language="c#" Class="dvds4less" %> </li></ul><ul><li><%@ Assembly name="Microsoft.Data.SqlXml" %> </li></ul><ul><li>using Microsoft.Data.SqlXml; </li></ul><ul><li>using System.Xml; </li></ul><ul><li>using System; </li></ul><ul><li>using System.Web.Services; </li></ul><ul><li>using System.Data.SqlClient; </li></ul><ul><li>using System.IO; </li></ul><ul><li>public class dvds4less </li></ul><ul><li>{ </li></ul><ul><li>[WebMethod] </li></ul><ul><li>public string Intro() </li></ul><ul><li>{ </li></ul><ul><li>return "DVDs4LESS - Information APIs for web application usage and other business usage"; </li></ul><ul><li>} </li></ul><ul><li>[WebMethod] </li></ul><ul><li>public string getProductInfo(string id) </li></ul><ul><li>{ </li></ul><ul><li>… . Code for this function </li></ul><ul><li>} </li></ul>

73. JSON-RPC <ul><li><%@ WebHandler Class="JayrockWeb.DemoService" Language="C#" %> </li></ul><ul><li>namespace JayrockWeb </li></ul><ul><li>{ </li></ul><ul><li>using System; </li></ul><ul><li>using System.Configuration; </li></ul><ul><li>using System.Data; </li></ul><ul><li>using System.Data.SqlClient; </li></ul><ul><li>using System.Collections; </li></ul><ul><li>using System.Collections.Specialized; </li></ul><ul><li>using System.Web; </li></ul><ul><li>using System.Web.SessionState; </li></ul><ul><li>using System.Web.UI; </li></ul><ul><li>using System.Web.UI.WebControls; </li></ul><ul><li>using System.Drawing; </li></ul><ul><li>using Jayrock.Json; </li></ul><ul><li>using Jayrock.JsonRpc; </li></ul><ul><li>using Jayrock.JsonRpc.Web; </li></ul><ul><li>[ JsonRpcHelp("This is a JSON-RPC service that demonstrates the basic features of the Jayrock library.") ] </li></ul><ul><li>public class DemoService : JsonRpcHandler, IRequiresSessionState </li></ul><ul><li>{ </li></ul><ul><li>[JsonRpcMethod("getProduct", Idempotent = true)] </li></ul><ul><li>[ JsonRpcHelp("Returns Product Info") ] </li></ul><ul><li>public DataSet GetProductSet(string id) </li></ul><ul><li>{ </li></ul><ul><li>… . Code goes here… </li></ul><ul><li>} </li></ul>

74. Java based <ul><li>import org.apache.axis.AxisFault; </li></ul><ul><li>import org.apache.axis.MessageContext; </li></ul><ul><li>import org.apache.axis.transport.http.HTTPConstants; </li></ul><ul><li>public class echo { </li></ul><ul><li>public String echowebservices(String echo) { </li></ul><ul><li>return echo; </li></ul><ul><li>} </li></ul><ul><li>} </li></ul>

75. PHP <ul><li><?php </li></ul><ul><li>require_once('nusoap/nusoap.php'); </li></ul><ul><li>// ------ Implemention of method </li></ul><ul><li>// ---- getLang(langTo) </li></ul><ul><li>------------------------------------------------------ </li></ul><ul><li>function getLang($langTo) { </li></ul><ul><li>$trText = array( </li></ul><ul><li>"bonjour" => "french", </li></ul><ul><li>"ciao" => "italian", </li></ul><ul><li>"hallo" => "german", </li></ul><ul><li>"namaste" => "hindi" </li></ul><ul><li>); </li></ul><ul><li>$greeting = ""; </li></ul><ul><li>$key = array_search($langTo, $trText); </li></ul><ul><li>$greeting = array_keys($trText[$langTo]); </li></ul><ul><li>return $greeting; </li></ul><ul><li>} </li></ul>

76. Tainted variables <ul><li>If variable or entry point is injected with payload then it can have significant impact </li></ul><ul><li>Impact analysis needs to be done </li></ul><ul><li>Impact is dependent on the hit points across application </li></ul><ul><li>Interesting for vulnerability scanning perspective </li></ul>

77. Impact Analysis

78. Types - Impact <ul><li>Three important aspects of entry points and process towards end point, </li></ul><ul><ul><li>Data point – entry points are bringing simple new data to the application and based on that it is going to database or file system. </li></ul></ul><ul><ul><li>Logic point – It has information which get consumed in the business logic and it makes business decisions </li></ul></ul><ul><ul><li>Event points – Certain information coming from user can trigger an event inside the application. These are event points, like calling LDAP server or such. </li></ul></ul>

79. Impact

80. Impact

81. Tracing

82. Simple tracing… <ul><li>import sys </li></ul><ul><li>import os </li></ul><ul><li>import re </li></ul><ul><li>def scan4trace(file,var): </li></ul><ul><li>infile = open(file,"r") </li></ul><ul><li>s = infile.readlines() </li></ul><ul><li>print 'Tracing variable:'+var </li></ul><ul><li>linenum=0 </li></ul><ul><li>for line in s: </li></ul><ul><li>linenum += 1 </li></ul><ul><li>p = re.compile(".*."+var+".*") </li></ul><ul><li>m = p.match(line) </li></ul><ul><li>if m: </li></ul><ul><li>print "[",linenum,"]",line </li></ul><ul><li>file = sys.argv[1] </li></ul><ul><li>var = sys.argv[2] </li></ul><ul><li>scan4trace(file,var) </li></ul>

83. Running… <ul><li>D:sca-rb>trace.py d:cmdCmdexec.aspx.cs TextBox1 </li></ul><ul><li>Tracing variable:TextBox1 </li></ul><ul><li>[ 33 ] psi.Arguments = @"/c type c:ontractsamp;quot; + TextBox1.Text + @" > </li></ul><ul><li>c:ontractsontract.txt"; </li></ul><ul><li>D:sca-rb>trace.py d:cmdCmdexec.aspx.cs psi </li></ul><ul><li>Tracing variable:psi </li></ul><ul><li>[ 31 ] System.Diagnostics.ProcessStartInfo psi = new System.Diagnostics. </li></ul><ul><li>ProcessStartInfo(); </li></ul><ul><li>[ 32 ] psi.FileName = @"C:WINDOWSsystem32cmd.exe"; </li></ul><ul><li>[ 33 ] psi.Arguments = @"/c type c:ontractsamp;quot; + TextBox1.Text + @" > </li></ul><ul><li>c:ontractsontract.txt"; </li></ul><ul><li>[ 34 ] psi.WindowStyle = System.Diagnostics.ProcessWindowStyle.Hidden; </li></ul><ul><li>[ 35 ] System.Diagnostics.Process.Start(psi); </li></ul>

84. Information Leaks <ul><li>.*.StackTrace.*? </li></ul><ul><li>.*.printStackTrace.*? </li></ul><ul><li>.*.response.write.*? </li></ul>

86. CONCLUSION – QUESTIONS! [email_address] http://www.blueinfy.com