Successfully reported this slideshow.

Secure SDLC for Software

14

Share

Apr. 21, 2010
14 likes 9,942 views
Upcoming SlideShare
Advanced applications-architecture-threats
Advanced applications-architecture-threats
Loading in …3
×
1 of 86
1 of 86

Secure SDLC for Software

Apr. 21, 2010
14 likes 9,942 views

14

Share

Securing SDLC and Software ...

Securing SDLC and Software ...

Recommended

More Related Content

Viewers also liked

Introduction to Web Application Penetration Testing
Anurag Srivastava
OWASP Top 10 Proactive Controls
Katy Anton
OWASP top 10-2013
tmd800
Application Security Workshop
Priyanka Aash
Mobile code mining for discovery and exploits nullcongoa2013
Blueinfy Solutions
S5-Authorization
zakieh alizadeh
Web Application Security 101
Cybersecurity Education and Research Centre
Attques web
Tarek MOHAMED
Owasp first5 presentation
Ashwini Paranjpe
Owasp top 10 security threats
Vishal Kumar
Web App Security Presentation by Ryan Holland - 05-31-2017
TriNimbus
Penetration testing web application web application (in) security
Nahidul Kibria
SecTor - The Search For Intelligent Life
Ed Bellis
Cyber ppt
karthik menon
Session3 data-validation-sql injection
zakieh alizadeh
Web application security
Kapil Sharma
Secure code practices
Hina Rawal
OWASP Top 10 2017 rc1 - The Ten Most Critical Web Application Security Risks
Andre Van Klaveren
Beyond the OWASP Top 10
iphonepentest

Similar to Secure SDLC for Software

Source Code Analysis with SAST
Blueinfy Solutions
Web Attacks - Top threats - 2010
Shreeraj Shah
Hacking Web 2.0 - Defending Ajax and Web Services [HITB 2007 Dubai]
Shreeraj Shah
C#Web Sec Oct27 2010 Final
Rich Helton
Application Security
florinc
CNIT 129S: Ch 4: Mapping the Application
Sam Bowne
Owasp london training course 2010 - Matteo Meucci
Matteo Meucci
Web Security Threats and Solutions
Ivo Andreev
Hack applications
enrizmoore
04. xss and encoding
Eoin Keary
Web Application Security and Release of "WhiteHat Arsenal"
Jeremiah Grossman
Web security and OWASP
Isuru Samaraweera
OWASP Top 10 - The Ten Most Critical Web Application Security Risks
All Things Open
Java application security the hard way - a workshop for the serious developer
Steve Poole
議題二:Web應用程式安全防護
Nicolas su
Web Application Security: The Land that Information Security Forgot
Jeremiah Grossman
Hacking Client Side Insecurities
amiable_indian
RSA Conference 2010 San Francisco
Aditya K Sood
Vulnerabilities in data processing levels
beched
Owasp web security
Pankaj Kumar Sharma

More from Shreeraj Shah

Html5 localstorage attack vectors
Shreeraj Shah
FIND ME IF YOU CAN – SMART FUZZING AND DISCOVERY
Shreeraj Shah
Top 10 HTML5 Threats - Whitepaper
Shreeraj Shah
HTML5 Top 10 Threats - Silent Attacks and Stealth Exploits
Shreeraj Shah
Blackhat11 shreeraj reverse_engineering_browser
Shreeraj Shah
Next Generation Web Attacks – HTML 5, DOM(L3) and XHR(L2)
Shreeraj Shah
Dom Hackking & Security - BlackHat Preso
Shreeraj Shah
[Infosecworld 08 Orlando] CSRF: The Biggest Little Vulnerability on the Web
Shreeraj Shah
[Infosecworld 08 Orlando] New Defenses for .NET Web Apps: IHttpModule in Prac...
Shreeraj Shah
Web 2.0 Application Kung-Fu - Securing Ajax & Web Services
Shreeraj Shah
Hacking Ajax & Web Services - Next Generation Web Attacks on the Rise
Shreeraj Shah
Hacking and Securing .NET Apps (Infosecworld)
Shreeraj Shah
Web Application Kung-Fu, Art of Defense (Bellua/HITB)
Shreeraj Shah
Web Services Security Chess (RSA)
Shreeraj Shah
Advanced Web Hacking (EUSecWest 06)
Shreeraj Shah
Advanced Web Services Hacking (AusCERT 06)
Shreeraj Shah

Featured

What to Upload to SlideShare
SlideShare
Be A Great Product Leader (Amplify, Oct 2019)
Adam Nash
Trillion Dollar Coach Book (Bill Campbell)
Eric Schmidt
APIdays Paris 2019 - Innovation @ scale, APIs as Digital Factories' New Machi...
apidays
A few thoughts on work life-balance
Wim Vanderbauwhede
Is vc still a thing final
Mark Suster
The GaryVee Content Model
Gary Vaynerchuk
Mammalian Brain Chemistry Explains Everything
Loretta Breuning, PhD
Blockchain + AI + Crypto Economics Are We Creating a Code Tsunami?
Dinis Guarda
The AI Rush
Jean-Baptiste Dumont
AI and Machine Learning Demystified by Carol Smith at Midwest UX 2017
Carol Smith
10 facts about jobs in the future
Pew Research Center's Internet & American Life Project
Harry Surden - Artificial Intelligence and Law Overview
Harry Surden
Inside Google's Numbers in 2017
Rand Fishkin
Pinot: Realtime Distributed OLAP datastore
Kishore Gopalakrishna
How to Become a Thought Leader in Your Niche
Leslie Samuel
Visual Design with Data
Seth Familian
Designing Teams for Emerging Challenges
Aaron Irizarry
UX, ethnography and possibilities: for Libraries, Museums and Archives
Ned Potter
Winners and Losers - All the (Russian) President's Men
Ian Bremmer

Related Books

Free with a 14 day trial from Scribd

See all
Believe IT: How to Go from Underestimated to Unstoppable Jamie Kern Lima
(4.5/5)
Free
We Should All Be Millionaires: A Woman’s Guide to Earning More, Building Wealth, and Gaining Economic Power Rachel Rodgers
(4.5/5)
Free
The Ministry of Common Sense: How to Eliminate Bureaucratic Red Tape, Bad Excuses, and Corporate BS Martin Lindstrom
(4/5)
Free
Ladies Get Paid: The Ultimate Guide to Breaking Barriers, Owning Your Worth, and Taking Command of Your Career Claire Wasserman
(5/5)
Free
Hot Seat: What I Learned Leading a Great American Company Jeff Immelt
(4.5/5)
Free
Inclusify: The Power of Uniqueness and Belonging to Build Innovative Teams Stefanie K. Johnson
(0/5)
Free
Blue-Collar Cash: Love Your Work, Secure Your Future, and Find Happiness for Life Ken Rusk
(4/5)
Free
How I Built This: The Unexpected Paths to Success from the World's Most Inspiring Entrepreneurs Guy Raz
(4.5/5)
Free
Bezonomics: How Amazon Is Changing Our Lives and What the World's Best Companies Are Learning from It Brian Dumaine
(4/5)
Free
Ask for More: 10 Questions to Negotiate Anything Alexandra Carter
(4/5)
Free
How to Lead: Wisdom from the World's Greatest CEOs, Founders, and Game Changers David M. Rubenstein
(4.5/5)
Free
No Filter: The Inside Story of Instagram Sarah Frier
(4.5/5)
Free

Related Audiobooks

Free with a 14 day trial from Scribd

See all
The Power of Conflict: Speak Your Mind and Get the Results You Want Jon Taffer
(3/5)
Free
Four Thousand Weeks: Time Management for Mortals Oliver Burkeman
(5/5)
Free
Disrupting the Game: From the Bronx to the Top of Nintendo Reggie Fils-Aimé
(5/5)
Free
Business Networking for Introverts: How to Build Relationships the Authentic Way Karlo Krznarić
(4.5/5)
Free
Power, for All: How It Really Works and Why It's Everyone's Business Julie Battilana
(4/5)
Free
The Perfect Day to Boss Up Rick Ross
(4.5/5)
Free
Larger Than Yourself: Reimagine Industries, Lead with Purpose & Grow Ideas into Movements Thibault Manekin
(5/5)
Free
Winning: The Unforgiving Race to Greatness Tim S. Grover
(5/5)
Free
Impact Players: How to Take the Lead, Play Bigger, and Multiply Your Impact Findaway
(5/5)
Free
The One Week Marketing Plan: The Set It & Forget It Approach for Quickly Growing Your Business Mark Satterfield
(4.5/5)
Free
Everybody Has a Podcast (Except You): A How-To Guide from the First Family of Podcasting Justin McElroy
(5/5)
Free
Flex: Reinventing Work for a Smarter, Happier Life Findaway
(4.5/5)
Free
Nailing the Interview: A Comprehensive Guide to Job Interviewing Imran Afzal
(4.5/5)
Free
Create: Tools from Seriously Talented People to Unleash Your Creative Life Marc Silber
(4.5/5)
Free
You're Invited: The Art and Science of Connection, Trust, and Belonging Jon Levy
(4.5/5)
Free
Subtract: The Untapped Science of Less Leidy Klotz
(4/5)
Free

Secure SDLC for Software

  1. 1. <ul><li>Session E2 </li></ul><ul><li>Secure SDLC for Software Assurance </li></ul><ul><li>Date: Monday, 19 April 2010 Time: 1:30pm - 3pm </li></ul><ul><li>Shreeraj Shah </li></ul><ul><li>Founder and Director, Blueinfy; Author, Web 2.0 Security and Web Hacking: Attacks and Defense </li></ul>
  2. 2. Who Am I? <ul><li>Founder & Director </li></ul><ul><ul><li>Blueinfy Solutions Pvt. Ltd. (Brief) </li></ul></ul><ul><ul><li>SecurityExposure.com </li></ul></ul><ul><li>Past experience </li></ul><ul><ul><li>Net Square, Chase, IBM & Foundstone </li></ul></ul><ul><li>Interest </li></ul><ul><ul><li>Web security research </li></ul></ul><ul><li>Published research </li></ul><ul><ul><li>Articles / Papers – Securityfocus, O’erilly, DevX, InformIT etc. </li></ul></ul><ul><ul><li>Tools – wsScanner, scanweb2.0, AppMap, AppCodeScan, AppPrint etc. </li></ul></ul><ul><ul><li>Advisories - .Net, Java servers etc. </li></ul></ul><ul><li>Books (Author) </li></ul><ul><ul><li>Web 2.0 Security – Defending Ajax, RIA and SOA </li></ul></ul><ul><ul><li>Hacking Web Services </li></ul></ul><ul><ul><li>Web Hacking </li></ul></ul>http://shreeraj.blogspot.com [email_address] http://www.blueinfy.com
  3. 3. SOFTWARE/APPLICATION SECURITY (STATE)
  4. 4. Data Breaches & Security
  5. 5. Hacks & Attacks
  6. 6. Security with Banks
  7. 7. Security with Banks
  8. 8. Security with Banks
  9. 9. Root cause of Vulnerabilities CSI Security Survey : Vulnerability Distribution misconfiguration, other problems 36% programming errors 64% misconfiguration, other problems programming errors
  10. 10. Source Code Issues <ul><li>1 Security defect per 10,000 lines </li></ul><ul><li>Reported </li></ul><ul><ul><li>30,000+ at CVE </li></ul></ul><ul><ul><li>6000+ at IBM X-Force </li></ul></ul><ul><li>70% developers are working on application coding </li></ul><ul><li>4 in top 5 vulnerabilities are on application layer </li></ul><ul><li>Expensive to fix them. </li></ul>
  11. 11. AppSec dynamics
  12. 12. Vulnerable State Expected State Exception Handler Decision Integer/ Number Special Characters A-Z Characters Input Potential Exploitation Enterprise level bugs
  13. 13. Top 10 & Bugs
  14. 14. Threats and Controls Source – Web Application Security Consortium
  15. 15. CVE/CWE - Errors <ul><li>Insecure Interaction Between Components </li></ul><ul><ul><li>These weaknesses are related to insecure ways in which data is sent and received between separate components, modules, programs, processes, threads, or systems. </li></ul></ul><ul><ul><li>CWE-20 : Improper Input Validation </li></ul></ul><ul><ul><li>CWE-116 : Improper Encoding or Escaping of Output </li></ul></ul><ul><ul><li>CWE-89 : Failure to Preserve SQL Query Structure (aka 'SQL Injection') </li></ul></ul><ul><ul><li>CWE-79 : Failure to Preserve Web Page Structure (aka 'Cross-site Scripting') </li></ul></ul><ul><ul><li>CWE-78 : Failure to Preserve OS Command Structure (aka 'OS Command Injection') </li></ul></ul><ul><ul><li>CWE-319 : Cleartext Transmission of Sensitive Information </li></ul></ul><ul><ul><li>CWE-352 : Cross-Site Request Forgery (CSRF) </li></ul></ul><ul><ul><li>CWE-362 : Race Condition </li></ul></ul><ul><ul><li>CWE-209 : Error Message Information Leak </li></ul></ul>Source – CWE/CVE - http://cwe.mitre.org/top25/index.html
  16. 16. CVE/CWE - Errors <ul><li>Risky Resource Management </li></ul><ul><ul><li>The weaknesses in this category are related to ways in which software does not properly manage the creation, usage, transfer, or destruction of important system resources. </li></ul></ul><ul><ul><li>CWE-119 : Failure to Constrain Operations within the Bounds of a Memory Buffer </li></ul></ul><ul><ul><li>CWE-642 : External Control of Critical State Data </li></ul></ul><ul><ul><li>CWE-73 : External Control of File Name or Path </li></ul></ul><ul><ul><li>CWE-426 : Untrusted Search Path </li></ul></ul><ul><ul><li>CWE-94 : Failure to Control Generation of Code (aka 'Code Injection') </li></ul></ul><ul><ul><li>CWE-494 : Download of Code Without Integrity Check </li></ul></ul><ul><ul><li>CWE-404 : Improper Resource Shutdown or Release </li></ul></ul><ul><ul><li>CWE-665 : Improper Initialization </li></ul></ul><ul><ul><li>CWE-682 : Incorrect Calculation </li></ul></ul>Source – CWE/CVE - http://cwe.mitre.org/top25/index.html
  17. 17. CVE/CWE - Errors <ul><li>Porous Defenses </li></ul><ul><ul><li>The weaknesses in this category are related to defensive techniques that are often misused, abused, or just plain ignored. </li></ul></ul><ul><ul><li>CWE-285 : Improper Access Control (Authorization) </li></ul></ul><ul><ul><li>CWE-327 : Use of a Broken or Risky Cryptographic Algorithm </li></ul></ul><ul><ul><li>CWE-259 : Hard-Coded Password </li></ul></ul><ul><ul><li>CWE-732 : Insecure Permission Assignment for Critical Resource </li></ul></ul><ul><ul><li>CWE-330 : Use of Insufficiently Random Values </li></ul></ul><ul><ul><li>CWE-250 : Execution with Unnecessary Privileges </li></ul></ul><ul><ul><li>CWE-602 : Client-Side Enforcement of Server-Side Security </li></ul></ul>Source – CWE/CVE - http://cwe.mitre.org/top25/index.html
  18. 18. Mapping
  19. 19. SDLC – WHERE IS SECURITY?
  20. 20. Enterprise SDLC 1. Analysis and Assessment 2. Design Specification 3. Software Development 4. Implementation 5. Support 6. Performance Monitoring
  21. 21. Missing in SDLC <ul><li>SDLC is independent of security concerns </li></ul><ul><li>Analysis without security perspective </li></ul><ul><li>Vulnerabilities discovered after deployment and development </li></ul><ul><li>Hard and difficult to fix </li></ul><ul><li>Very costly to fix bugs </li></ul><ul><li>Industry is moving towards security aware SDLC </li></ul>
  22. 22. Application Security Cycle Architecture Blackbox Whitebox Defense Architecture Review Design Review Technology Review Threat modeling Assessment Audit controls Penetration tests Deployment tests Configuration review Deployment review Code review Threat correlation Secure coding Configuration lockdown Content filtering Threat mitigation
  23. 23. SAMM <ul><li>Software Assurance Maturity model (SAMM) </li></ul><ul><ul><li>OWASP is running with new project </li></ul></ul><ul><ul><li>Defining maturity of security in the organization </li></ul></ul><ul><ul><li>Specific domain based and activity driven </li></ul></ul><ul><ul><li>It is new approach </li></ul></ul><ul><ul><li>Need to see industry’s adaptation to it </li></ul></ul><ul><ul><li>http://www.owasp.org/index.php/Category:Software_Assurance_Maturity_Model </li></ul></ul>
  24. 24. SAMM in nutshell <ul><li>Governance </li></ul><ul><ul><li>Strategy and Metrics </li></ul></ul><ul><ul><li>Policy and Compliance </li></ul></ul><ul><ul><li>Education and Guidance </li></ul></ul><ul><li>Construction </li></ul><ul><ul><li>Threat Assessment </li></ul></ul><ul><ul><li>Security Requirement </li></ul></ul><ul><ul><li>Secure Architecture </li></ul></ul><ul><li>Verification </li></ul><ul><ul><li>Design Review </li></ul></ul><ul><ul><li>Code Review </li></ul></ul><ul><ul><li>Security Testing </li></ul></ul><ul><li>Deployment </li></ul><ul><ul><li>Vulnerability Management </li></ul></ul><ul><ul><li>Environment Hardening </li></ul></ul><ul><ul><li>Operational Enablement </li></ul></ul>
  25. 25. Different models
  26. 26. Methodology, Scan and Attacks Footprinting & Discovery Enumeration & Crawling Attacks and Scanning Config Scanning Web Firewall Secure Coding Assets Secure Assets Black White Defense Code Scanning
  27. 27. Black vs. White Architecture Review Scoping Footprinting Discovery Enumeration & Profiling Security Controls & Cases Vulnerability Assessment Threat Modeling Mitigation strategies Reporting Sample Security Control Categories – Authentication, Access Controls/Authorization, API misuse, Path traversal, Sensitive information leakage, Error handling, Session management, Protocol abuse, Input validations, Cross Site Scripting (XSS), Cross Site Request Forgery (CSRF), Logic bypass, Insecure crypto, Denial of Services, Malicious Code Injection, SQL injection, XPATH and LDAP injections, OS command injection, Parameter manipulations, Bruteforce, Buffer Overflow, Format string, HTTP response splitting, HTTP replay, XML injection, Canonicalization, Logging and auditing. Architecture Review Scoping Threat Modeling Code Enumeration Security Controls & Cases Entry Point Discoveries Class, Function & Variable Tracing Code Mapping and Functionality Vulnerability Detection Mitigation Controls Reporting Black White
  28. 28. White vs. Black <ul><li>Scope of coverage </li></ul><ul><ul><li>Blackbox method uses crawling and spidering to determine all possible resources </li></ul></ul><ul><ul><li>Application assets are residing in JavaScript and various other tags in HTML, it makes asset detection very difficult and blackbox approach fails in many cases. </li></ul></ul><ul><ul><li>If one is using whitebox approach then not a single line of code will get missed and scope can be covered at 100%. Whitebox can do much better job when comes to covering the scope of the source. </li></ul></ul>
  29. 29. White vs. Black <ul><li>Discovery and Detection </li></ul><ul><ul><li>Blackbox testing uses signature analysis for vulnerability detection. Example, it looks for ODBC error for SQL injection and so on. </li></ul></ul><ul><ul><li>If errrors are missing … </li></ul></ul><ul><ul><li>Blackbox fails in those cases </li></ul></ul><ul><ul><li>Whitebox good to go </li></ul></ul>
  30. 30. White vs. Black <ul><li>Accuracy of Vulnerability </li></ul><ul><ul><li>Accuracy of vulnerability is very important as well. </li></ul></ul><ul><ul><li>Blackbox is inaccurate in some cases </li></ul></ul><ul><ul><li>Came up false +/- </li></ul></ul>
  31. 31. White vs. Black <ul><li>Cause Identification </li></ul><ul><ul><li>One of the major challenges is to identify actual cause of the vulnerability. </li></ul></ul><ul><ul><li>Blackbox shows symptoms </li></ul></ul><ul><ul><li>Whitebox can pin point the cause </li></ul></ul>
  32. 32. Limitations <ul><li>Blackbox </li></ul><ul><ul><li>Vulnerabilities get missed </li></ul></ul><ul><ul><li>Not full coverage </li></ul></ul><ul><ul><li>Vuln found? But where is the source of it? </li></ul></ul><ul><ul><li>Developer’s question – where should I go and fix? – Location </li></ul></ul><ul><ul><li>WAF – easy to bypass </li></ul></ul><ul><ul><li>Missing rules </li></ul></ul><ul><ul><li>Too much to put on WAF, may not work … </li></ul></ul>
  33. 33. MISSING PARTS
  34. 34. Domain centric approach - MUSTs <ul><li>Authentication </li></ul><ul><li>Authorization </li></ul><ul><li>Error Handling </li></ul><ul><li>Input Validations </li></ul><ul><li>Data Validation </li></ul><ul><li>Crypto and Secret Handling </li></ul><ul><li>Business Logic Handling </li></ul><ul><li>Session and Identity Handling </li></ul><ul><li>Client Side Controls </li></ul><ul><li>Auditing and Logging </li></ul>
  35. 35. Two components <ul><li>SDLC should have two important components from software security perspective </li></ul><ul><ul><li>Threat modeling </li></ul></ul><ul><ul><li>Source code analysis </li></ul></ul>
  36. 36. Black-White-TM
  37. 37. Architecture review
  38. 38. QueryString POST name and value pairs XML/JSON etc. HTTP variables Cookie etc. File attachments uploads etc. Feeds and other party information Open APIs and integrated streams HTTP Response variables JSON/XML streams API - steams Entry Point Review
  39. 39. Use cases <ul><li>Example </li></ul>
  40. 40. Mapping Key Parameters Steps Input Output Identify Application objectives Business Requirements List of Key Objectives Overview of the Application Architecture <ul><li>Architecture diagrams </li></ul><ul><li>Functional specifications </li></ul><ul><li>List of Key Technologies </li></ul><ul><li>End to End Architecture implementation details </li></ul>In - depth Application Analysis: <ul><li>Data Flow diagrams </li></ul><ul><li>Technical specifications </li></ul><ul><li>Trust boundaries </li></ul><ul><li>Entry points </li></ul><ul><li>Exit points </li></ul><ul><li>Data flows </li></ul>Identify threats & vulnerabilities <ul><li>Well Known Threats/ Knowledge of the same from the Internet </li></ul><ul><li>Threat Trees </li></ul>Threat & Vulnerabilities list
  41. 41. Static Code Analysis <ul><li>Static code analysis is very old technique to determine code quality. </li></ul><ul><li>Analyzing compiled and object code </li></ul><ul><li>All analysis we can do without actually executing the application can be called static code analysis. </li></ul><ul><li>Static application code analysis with security perspective is one of the most powerful tools for whitebox analysis. </li></ul><ul><li>In this case there is no object code available but applications are in clear text in source only. </li></ul>
  42. 42. Traditional checks <ul><li>void temp( char *pszIn ) </li></ul><ul><li>{ </li></ul><ul><ul><li>char szBuff[10]; </li></ul></ul><ul><ul><li>strcpy(szBuff, pszIn); </li></ul></ul><ul><ul><li>. . . </li></ul></ul><ul><li>} </li></ul>
  43. 43. Application challenges <ul><li>Application entry points are scattered and multiple, number of entry points are coming over HTTP traffic and some times tricky to detect. </li></ul><ul><li>Web 2.0 applications are running with Web Services using protocols like SOAP, XML-RPC or REST. </li></ul><ul><li>Application layer tracing is also difficult and challenging since it is across multiple pages along with some intermediate framework code. </li></ul><ul><li>Source code analysis has different technologies and modules involved in the process and it makes very difficult. </li></ul><ul><li>One important aspect is client side coding and modules like Ajax, JavaScript, Flash and Silverlight. </li></ul><ul><li>Static code analysis needs some expertise in doing binary and object code analysis as well over application code. </li></ul>
  44. 44. Simple presentation ASP.NET <ul><li><%@ Page Language=&quot;C#&quot; AutoEventWireup=&quot;true&quot; CodeFile=&quot; Cmdexec.aspx.cs &quot; Inherits=&quot;Cmdexec&quot; %> </li></ul><ul><li><!DOCTYPE html PUBLIC &quot;-//W3C//DTD XHTML 1.0 Transitional//EN&quot; &quot;http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd&quot;> </li></ul><ul><li><html xmlns=&quot;http://www.w3.org/1999/xhtml&quot; > </li></ul><ul><li><head runat=&quot;server&quot;> </li></ul><ul><li><title>Untitled Page</title> </li></ul><ul><li></head> </li></ul><ul><li><body style=&quot;font-size: 12pt&quot;> </li></ul><ul><li><form id=&quot;form1&quot; runat=&quot;server&quot;> </li></ul><ul><li><div> </li></ul><ul><li>Enter the filename to view your contract: </li></ul><ul><li><asp:TextBox ID=&quot;TextBox1&quot; runat=&quot;server&quot;></asp:TextBox> </li></ul><ul><li><asp:Button ID=&quot;Button1&quot; runat=&quot;server&quot; OnClick=&quot;Button1_Click1&quot; Text=&quot;Submit&quot; /><br /> </li></ul><ul><li><br /> </li></ul><ul><li><asp:Label ID=&quot;Label1&quot; runat=&quot;server&quot; Height=&quot;355px&quot; Text=&quot;Label&quot; Width=&quot;544px&quot;></asp:Label></div> </li></ul><ul><li></form> </li></ul><ul><li></body> </li></ul><ul><li></html> </li></ul>
  45. 45. Code behind calls <ul><li>using System; </li></ul><ul><li>… </li></ul><ul><li>… </li></ul><ul><li>using System.IO; </li></ul><ul><li>public partial class Cmdexec : System.Web.UI.Page </li></ul><ul><li>{ </li></ul><ul><li>protected void Page_Load(object sender, EventArgs e) </li></ul><ul><li>{ </li></ul><ul><li>Label1.Visible = false; </li></ul><ul><li>} </li></ul><ul><li>protected void Calendar1_SelectionChanged(object sender, EventArgs e) </li></ul><ul><li>{ </li></ul><ul><li>} </li></ul><ul><li>protected void Button1_Click1(object sender, EventArgs e) </li></ul><ul><li>{ </li></ul><ul><li>Label1.Visible = true; </li></ul><ul><li>Label1.Text = &quot;&quot;; </li></ul><ul><li>System.Diagnostics.ProcessStartInfo psi = new System.Diagnostics.ProcessStartInfo(); </li></ul><ul><li>psi.FileName = @&quot;C:INDOWSystem32md.exe&quot;; </li></ul><ul><li>psi.Arguments = @&quot;/c type c:contracts&quot; + TextBox1.Text + @&quot; > c:contractscontract.txt&quot;; </li></ul><ul><li>psi.WindowStyle = System.Diagnostics.ProcessWindowStyle.Hidden; </li></ul><ul><li>System.Diagnostics.Process.Start(psi); </li></ul><ul><li>System.Threading.Thread.Sleep(3000); </li></ul><ul><li>TextReader textRead = new StreamReader(&quot;c:contractscontract.txt&quot;); </li></ul><ul><li>Label1.Text = textRead.ReadToEnd(); </li></ul><ul><li>textRead.Close(); </li></ul><ul><li>} </li></ul><ul><li>} </li></ul>
  46. 46. Running on Object Code <ul><li>D:mddeploy>dir /S </li></ul><ul><li>Volume in drive D has no label. </li></ul><ul><li>Volume Serial Number is 0859-A6D9 </li></ul><ul><li>Directory of D:mddeploy </li></ul><ul><li>12/09/2008 01:58 PM <DIR> . </li></ul><ul><li>12/09/2008 01:58 PM <DIR> .. </li></ul><ul><li>12/09/2008 01:58 PM <DIR> bin </li></ul><ul><li>12/09/2008 01:58 PM 86 Cmdexec.aspx </li></ul><ul><li>12/09/2008 01:58 PM 50 PrecompiledApp.config </li></ul><ul><li>2 File(s) 136 bytes </li></ul><ul><li>Directory of D:mddeployin </li></ul><ul><li>12/09/2008 01:58 PM <DIR> . </li></ul><ul><li>12/09/2008 01:58 PM <DIR> .. </li></ul><ul><li>12/09/2008 01:58 PM 7,680 App_Web_t_pyp492.dll </li></ul><ul><li>12/09/2008 01:58 PM 341 cmdexec.aspx.cdcab7d2.compiled </li></ul><ul><li>2 File(s) 8,021 bytes </li></ul><ul><li>Total Files Listed: </li></ul><ul><li>4 File(s) 8,157 bytes </li></ul><ul><li>5 Dir(s) 282,451,968 bytes free </li></ul>
  47. 47. Vulnerable and Exploit
  48. 48. Running on reverse engineering <ul><li>D:mddeployin>ildasm /TEXT App_Web_t_pyp492.dll | grep System.Diagnostics.Pro </li></ul><ul><li>cess </li></ul><ul><li>.locals init (class [System]System.Diagnostics.ProcessStartInfo V_0, </li></ul><ul><li>IL_001c: newobj instance void [System]System.Diagnostics.ProcessStartIn </li></ul><ul><li>fo::.ctor() </li></ul><ul><li>IL_0028: callvirt instance void [System]System.Diagnostics.ProcessStartIn </li></ul><ul><li>fo::set_FileName(string) </li></ul><ul><li>IL_0048: callvirt instance void [System]System.Diagnostics.ProcessStartIn </li></ul><ul><li>fo::set_Arguments(string) </li></ul><ul><li>IL_004f: callvirt instance void [System]System.Diagnostics.ProcessStartIn </li></ul><ul><li>fo::set_WindowStyle(valuetype [System]System.Diagnostics.ProcessWindowStyle) </li></ul><ul><li>IL_0055: call class [System]System.Diagnostics.Process [System]System </li></ul><ul><li>.Diagnostics.Process::Start(class [System]System.Diagnostics.ProcessStartInfo) </li></ul>
  49. 49. Building code from object…
  50. 50. Object vs. Source <ul><li>Source code is in natural languages like C#, Java or PHP, while object code is lowered and optimized in intermediate or machine understandable languages. </li></ul><ul><li>Source code is easier to grasp and can help in identifying developer’s intent, logic and approach. </li></ul><ul><li>Object code just is not enough for security analysis, say for example we know there is simple vulnerability but we need to link to the actual source code line number. </li></ul><ul><li>Object code is easier to analyze as far as resolving perspective is concern. </li></ul><ul><li>Source code analysis needs powerful parser and it is very dependent on language to language. </li></ul><ul><li>Source code is actual code written by developers and full information is in it like comment or other intentions. </li></ul><ul><li>Also, for some one to share it is easier to ship object code compared to source code. (IP issues) </li></ul>
  51. 51. Techniques <ul><li>Data flow analysis </li></ul><ul><li>Tainted flow analysis </li></ul><ul><li>Signature analysis </li></ul><ul><li>Code Mapping and Layering </li></ul>
  52. 52. Attack Surface <ul><li>Source Code is having probable attack surface </li></ul><ul><li>Attack surface is defined by entry points </li></ul><ul><li>Entry points are exploited by attackers </li></ul><ul><li>Attacker passes payload from these points and try to exploit the system </li></ul><ul><li>Attack surface determination and entry point identification are very critical </li></ul>
  53. 53. Attack & Entry
  54. 54. GET/POST <ul><ul><li>GET /login.aspx? username=shah HTTP/1.1 </li></ul></ul><ul><ul><li>Host: example.com </li></ul></ul><ul><ul><li>User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.2; en-US; rv:1.9.0.1) Gecko/2008070208 Firefox/3.0.1 </li></ul></ul><ul><ul><li>Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8 </li></ul></ul><ul><ul><li>Accept-Language: en-us,en;q=0.5 </li></ul></ul><ul><ul><li>Accept-Encoding: gzip,deflate </li></ul></ul><ul><ul><li>Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7 </li></ul></ul><ul><ul><li>Keep-Alive: 300 </li></ul></ul><ul><ul><li>Connection: keep-alive </li></ul></ul><ul><li>POST http://example.com/cgi-bin/search.cgi HTTP/1.1 Host: example.com User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.0; rv:1.7.3) Gecko/20040913 Firefox/0.10 Accept: text/xml, application/xml, application/xhtml+xml, text/html;q=0.9, text/plain;q=0.8, image/png, */*;q=0.5 Keep-Alive: 300 Referer: http://example.com/ Content-Type: application/x-www-form-urlencoded Content-Length: 17 </li></ul><ul><li>search=searchtext </li></ul>
  55. 55. XML-RPC <ul><li>POST /trade-rpc/getquote.rem HTTP/1.0 </li></ul><ul><li>TE: deflate,gzip;q=0.3 </li></ul><ul><li>Connection: TE, close </li></ul><ul><li>Host: xmlrpc.example.com </li></ul><ul><li>Content-Type: text/xml </li></ul><ul><li>Content-Length: 161 </li></ul><ul><li><?xml version=&quot;1.0&quot;?> </li></ul><ul><li><methodCall> </li></ul><ul><li><methodName>stocks.getquote</methodName> </li></ul><ul><li><params> </li></ul><ul><li><param><value><string> MSFT </string></value></param> </li></ul><ul><li></params> </li></ul><ul><li></methodCall> </li></ul>
  56. 56. SOAP <ul><li><?xml version=&quot;1.0&quot; encoding=&quot;utf-8&quot;?> </li></ul><ul><li><soap:Envelope xmlns:soap=&quot;http://schemas.xmlsoap.org/soap/envelope/&quot; </li></ul><ul><li>xmlns:xsi=&quot;http://www.w3.org/2001/XMLSchema-instance&quot; xmlns:xsd=&quot;http://www.w3.org/2001/XMLSchema&quot;> </li></ul><ul><li><soap:Body> </li></ul><ul><li><getQuotes xmlns=&quot;http://tempuri.org/&quot;> </li></ul><ul><li><compid>MSFT</compid> </li></ul><ul><li></getQuotes> </li></ul><ul><li></soap:Body> </li></ul><ul><li></soap:Envelope> </li></ul>
  57. 57. REST <ul><li><?xml version=&quot;1.0&quot;?> </li></ul><ul><li><p:Laptops xmlns:p=&quot;http://laptops.example.com&quot; </li></ul><ul><li>xmlns:xl=&quot;http://www.w3.org/1999/xlink&quot;> </li></ul><ul><li><Laptop id=&quot;0123&quot; xl:href=&quot;http://www.parts-depot.com/laptops/0123&quot;/> </li></ul><ul><li>< Laptop id=&quot;0348&quot; xl:href=&quot; http://www.parts-depot.com laptops /0348 &quot;/> </li></ul><ul><li>< Laptop id=&quot;0321&quot; xl:href=&quot;http://www.parts-depot.com/ laptops /0321&quot;/> </li></ul><ul><li>… </li></ul><ul><li>… </li></ul><ul><li></p:Laptops> </li></ul>
  58. 58. JSON <ul><li>message = { </li></ul><ul><li>from : &quot;john@example.com&quot;, </li></ul><ul><li>to : &quot;jerry@example.com&quot;, </li></ul><ul><li>subject : &quot;I am fine&quot;, </li></ul><ul><li>body : &quot;Long message here&quot;, </li></ul><ul><li>showsubject : function(){document.write(this.subject)} </li></ul><ul><li>}; </li></ul>
  59. 59. File calls <ul><li><form name=&quot;Form1&quot; method=&quot;post&quot; action=&quot;ContractUpload.aspx&quot; id=&quot;Form1&quot; enctype=&quot;multipart/form-data&quot;> </li></ul><ul><li>It is taking input as file as below, </li></ul><ul><li><input name=&quot;uplTheFile&quot; type=&quot;file&quot; id=&quot;uplTheFile&quot; /> </li></ul>
  60. 60. RSS - Feed <ul><li><rss version=&quot;2.0&quot;> </li></ul><ul><li><channel> </li></ul><ul><li><title>Example News</title> </li></ul><ul><li><link>http://example.com/</link> </li></ul><ul><li><description>News feed</description> </li></ul><ul><li><language>en-us</language> </li></ul><ul><li><pubDate>Tue, 10 Jun 2006 04:00:00 GMT</pubDate> </li></ul><ul><li><lastBuildDate>Tue, 10 Jun 2006 09:41:01 </li></ul><ul><li>GMT</lastBuildDate> </li></ul><ul><li><docs>http://example.com/rss</docs> </li></ul><ul><li><generator>Weblog Editor 2.0</generator> </li></ul><ul><li><item> </li></ul><ul><li><title>Today's title</title> </li></ul><ul><li><link>http://example.com/10thjune.asp</link> </li></ul><ul><li><description>News goes here</description> </li></ul><ul><li><pubDate>Tue, 03 Jun 2006 09:39:21 GMT</pubDate> </li></ul><ul><li><guid>http://example.com/news.html#item300</guid> </li></ul><ul><li></item> </li></ul><ul><li>... </li></ul><ul><li></item> </li></ul>
  61. 61. Entry Points – Client Side <ul><li>HTTP response – All headers as well as HTML content </li></ul><ul><li>JavaScripts coming from server </li></ul><ul><li>Ajax/RIA calls consuming different structures which we have discussed like JSON, XML, JS-Object etc. </li></ul><ul><li>Callbacks – Modern days applications are using callback mechanism so data coming from browser can be injected into DOM using script functions. </li></ul><ul><li>Browser making API calls across domains </li></ul>
  62. 62. HTTP to Source <ul><li>http://192.168.1.50/Searchresult.aspx?ReferenceId=microsoft </li></ul><ul><li>GET /Searchresult.aspx?ReferenceId=microsoft HTTP/1.1 </li></ul><ul><li>Host: 192.168.1.50 </li></ul><ul><li>User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.2; en-US; rv:1.9.0.1) Gecko/2008070208 Firefox/3.0.1 </li></ul><ul><li>Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8 </li></ul><ul><li>Accept-Language: en-us,en;q=0.5 </li></ul><ul><li>Accept-Encoding: gzip,deflate </li></ul><ul><li>Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7 </li></ul><ul><li>Keep-Alive: 300 </li></ul><ul><li>Connection: keep-alive </li></ul><ul><li>Cache-Control: max-age=0 </li></ul><ul><li>protected void Page_Load(object sender, EventArgs e) </li></ul><ul><li>{ </li></ul><ul><li>if (!Page.IsPostBack) </li></ul><ul><li>{ </li></ul><ul><li>bindresult(Request.QueryString[&quot;ReferenceId&quot;].ToString()); </li></ul><ul><li>} </li></ul><ul><li>} </li></ul>
  63. 63. Interesting… <ul><li>Request.Cookie – To access cookie values </li></ul><ul><li>Request.Form – Form parameters </li></ul><ul><li>Request.File – File parameter </li></ul><ul><li>Request.ServerVariables – Access to server variables </li></ul>
  64. 64. In compiled code <ul><li>IL_0007: callvirt instance class [System]System.Collections.Specialized.NameValueCollection [System.Web]System.Web.HttpRequest::get_QueryString() </li></ul><ul><li>IL_000c: ldstr &quot;id&quot; </li></ul>
  65. 65. Simple scan… <ul><li>import sys </li></ul><ul><li>import os </li></ul><ul><li>import re </li></ul><ul><li>def scan4request(file): </li></ul><ul><li>infile = open(file,&quot;r&quot;) </li></ul><ul><li>s = infile.readlines() </li></ul><ul><li>linenum = 0 </li></ul><ul><li>print 'Request Object Entry:' </li></ul><ul><li>for line in s: </li></ul><ul><li>linenum += 1 </li></ul><ul><li>p = re.compile(&quot;.*.[Rr]equest.*[^]&quot;) </li></ul><ul><li>m = p.match(line) </li></ul><ul><li>if m: </li></ul><ul><li>print linenum,&quot;:&quot;,m.group() </li></ul><ul><li>file = sys.argv[1] </li></ul><ul><li>scan4request(file) </li></ul>
  66. 66. AppCodeScan way…
  67. 67. Rules… <ul><li># Rules file for AppCodeScan </li></ul><ul><li># This file is specific for ASP/ASP.NET applications (Just a sample rules) - all regex patterns </li></ul><ul><li>#Scanning for Request Object Entry Points </li></ul><ul><li>.*.Request.* </li></ul><ul><li>#Scanning for ASP.NET app entry points </li></ul><ul><li>.*.<asp:FileUpload.*?> </li></ul><ul><li>.*.<asp:TextBox.*?> </li></ul><ul><li>.*.<asp:HiddenField.*?> </li></ul><ul><li>.*.<asp:Login.*?> </li></ul><ul><li>.*.<asp:PasswordRecovery.*?> </li></ul><ul><li>.*.<asp:ChangePassword.*?> </li></ul>
  68. 68. Java <ul><li><% if ( request.getParameter(&quot;username&quot;) != null ) {%> </li></ul><ul><li>HttpServletRequest </li></ul><ul><li>doGet </li></ul><ul><li>doPost </li></ul><ul><li>Request </li></ul><ul><li>Struts </li></ul><ul><ul><li>public class NameAction extends Action { </li></ul></ul>
  69. 69. PHP/Coldfusion <ul><li>PHP </li></ul><ul><ul><li>$_GET[“var”] </li></ul></ul><ul><ul><li>$_POST[“var”] </li></ul></ul><ul><ul><li>$_REQUEST[“var”] </li></ul></ul><ul><li>Coldfusion </li></ul><ul><ul><li>#URL.name# - Getting from querystring “name” </li></ul></ul><ul><ul><li>Similarly we can identify entry points for other aspects like POST or such by following list of key words </li></ul></ul><ul><ul><li>FORM/form </li></ul></ul><ul><ul><li>SERVER/server </li></ul></ul><ul><ul><li>CLIENT/client </li></ul></ul><ul><ul><li>SESSION/session </li></ul></ul>
  70. 70. Web 2.0 <ul><li>Web Services and SOA entry points </li></ul>
  71. 71. Making POST <ul><li>POST /ws/dvds4less.asmx HTTP/1.0 </li></ul><ul><li>User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; MS Web Services Client Protocol 2.0.50727.1433) </li></ul><ul><li>Content-Type: text/xml; charset=utf-8 </li></ul><ul><li>SOAPAction: &quot;http://tempuri.org/getProductInfo&quot; </li></ul><ul><li>Host: 192.168.1.50 </li></ul><ul><li>Content-Length: 317 </li></ul><ul><li>Expect: 100-continue </li></ul><ul><li>Connection: Keep-Alive </li></ul><ul><li><?xml version=&quot;1.0&quot; encoding=&quot;utf-8&quot;?><soap:Envelope xmlns:soap=&quot;http://schemas.xmlsoap.org/soap/envelope/&quot; xmlns:xsi=&quot;http://www.w3.org/2001/XMLSchema-instance&quot; xmlns:xsd=&quot;http://www.w3.org/2001/XMLSchema&quot;><soap:Body><getProductInfo xmlns=&quot;http://tempuri.org/&quot;><id>1</id></getProductInfo></soap:Body></soap:Envelope> </li></ul>
  72. 72. Code for Web Services <ul><li><%@ WebService Language=&quot;c#&quot; Class=&quot;dvds4less&quot; %> </li></ul><ul><li><%@ Assembly name=&quot;Microsoft.Data.SqlXml&quot; %> </li></ul><ul><li>using Microsoft.Data.SqlXml; </li></ul><ul><li>using System.Xml; </li></ul><ul><li>using System; </li></ul><ul><li>using System.Web.Services; </li></ul><ul><li>using System.Data.SqlClient; </li></ul><ul><li>using System.IO; </li></ul><ul><li>public class dvds4less </li></ul><ul><li>{ </li></ul><ul><li>[WebMethod] </li></ul><ul><li>public string Intro() </li></ul><ul><li>{ </li></ul><ul><li>return &quot;DVDs4LESS - Information APIs for web application usage and other business usage&quot;; </li></ul><ul><li>} </li></ul><ul><li>[WebMethod] </li></ul><ul><li>public string getProductInfo(string id) </li></ul><ul><li>{ </li></ul><ul><li>… . Code for this function </li></ul><ul><li>} </li></ul>
  73. 73. JSON-RPC <ul><li><%@ WebHandler Class=&quot;JayrockWeb.DemoService&quot; Language=&quot;C#&quot; %> </li></ul><ul><li>namespace JayrockWeb </li></ul><ul><li>{ </li></ul><ul><li>using System; </li></ul><ul><li>using System.Configuration; </li></ul><ul><li>using System.Data; </li></ul><ul><li>using System.Data.SqlClient; </li></ul><ul><li>using System.Collections; </li></ul><ul><li>using System.Collections.Specialized; </li></ul><ul><li>using System.Web; </li></ul><ul><li>using System.Web.SessionState; </li></ul><ul><li>using System.Web.UI; </li></ul><ul><li>using System.Web.UI.WebControls; </li></ul><ul><li>using System.Drawing; </li></ul><ul><li>using Jayrock.Json; </li></ul><ul><li>using Jayrock.JsonRpc; </li></ul><ul><li>using Jayrock.JsonRpc.Web; </li></ul><ul><li>[ JsonRpcHelp(&quot;This is a JSON-RPC service that demonstrates the basic features of the Jayrock library.&quot;) ] </li></ul><ul><li>public class DemoService : JsonRpcHandler, IRequiresSessionState </li></ul><ul><li>{ </li></ul><ul><li>[JsonRpcMethod(&quot;getProduct&quot;, Idempotent = true)] </li></ul><ul><li>[ JsonRpcHelp(&quot;Returns Product Info&quot;) ] </li></ul><ul><li>public DataSet GetProductSet(string id) </li></ul><ul><li>{ </li></ul><ul><li>… . Code goes here… </li></ul><ul><li>} </li></ul>
  74. 74. Java based <ul><li>import org.apache.axis.AxisFault; </li></ul><ul><li>import org.apache.axis.MessageContext; </li></ul><ul><li>import org.apache.axis.transport.http.HTTPConstants; </li></ul><ul><li>public class echo { </li></ul><ul><li>public String echowebservices(String echo) { </li></ul><ul><li>return echo; </li></ul><ul><li>} </li></ul><ul><li>} </li></ul>
  75. 75. PHP <ul><li><?php </li></ul><ul><li>require_once('nusoap/nusoap.php'); </li></ul><ul><li>// ------ Implemention of method </li></ul><ul><li>// ---- getLang(langTo) </li></ul><ul><li>------------------------------------------------------ </li></ul><ul><li>function getLang($langTo) { </li></ul><ul><li>$trText = array( </li></ul><ul><li>&quot;bonjour&quot; => &quot;french&quot;, </li></ul><ul><li>&quot;ciao&quot; => &quot;italian&quot;, </li></ul><ul><li>&quot;hallo&quot; => &quot;german&quot;, </li></ul><ul><li>&quot;namaste&quot; => &quot;hindi&quot; </li></ul><ul><li>); </li></ul><ul><li>$greeting = &quot;&quot;; </li></ul><ul><li>$key = array_search($langTo, $trText); </li></ul><ul><li>$greeting = array_keys($trText[$langTo]); </li></ul><ul><li>return $greeting; </li></ul><ul><li>} </li></ul>
  76. 76. Tainted variables <ul><li>If variable or entry point is injected with payload then it can have significant impact </li></ul><ul><li>Impact analysis needs to be done </li></ul><ul><li>Impact is dependent on the hit points across application </li></ul><ul><li>Interesting for vulnerability scanning perspective </li></ul>
  77. 77. Impact Analysis
  78. 78. Types - Impact <ul><li>Three important aspects of entry points and process towards end point, </li></ul><ul><ul><li>Data point – entry points are bringing simple new data to the application and based on that it is going to database or file system. </li></ul></ul><ul><ul><li>Logic point – It has information which get consumed in the business logic and it makes business decisions </li></ul></ul><ul><ul><li>Event points – Certain information coming from user can trigger an event inside the application. These are event points, like calling LDAP server or such. </li></ul></ul>
  79. 79. Impact
  80. 80. Impact
  81. 81. Tracing
  82. 82. Simple tracing… <ul><li>import sys </li></ul><ul><li>import os </li></ul><ul><li>import re </li></ul><ul><li>def scan4trace(file,var): </li></ul><ul><li>infile = open(file,&quot;r&quot;) </li></ul><ul><li>s = infile.readlines() </li></ul><ul><li>print 'Tracing variable:'+var </li></ul><ul><li>linenum=0 </li></ul><ul><li>for line in s: </li></ul><ul><li>linenum += 1 </li></ul><ul><li>p = re.compile(&quot;.*.&quot;+var+&quot;.*&quot;) </li></ul><ul><li>m = p.match(line) </li></ul><ul><li>if m: </li></ul><ul><li>print &quot;[&quot;,linenum,&quot;]&quot;,line </li></ul><ul><li>file = sys.argv[1] </li></ul><ul><li>var = sys.argv[2] </li></ul><ul><li>scan4trace(file,var) </li></ul>
  83. 83. Running… <ul><li>D:ca-rb>trace.py d:mdmdexec.aspx.cs TextBox1 </li></ul><ul><li>Tracing variable:TextBox1 </li></ul><ul><li>[ 33 ] psi.Arguments = @&quot;/c type c:contracts&quot; + TextBox1.Text + @&quot; > </li></ul><ul><li>c:contractscontract.txt&quot;; </li></ul><ul><li>D:ca-rb>trace.py d:mdmdexec.aspx.cs psi </li></ul><ul><li>Tracing variable:psi </li></ul><ul><li>[ 31 ] System.Diagnostics.ProcessStartInfo psi = new System.Diagnostics. </li></ul><ul><li>ProcessStartInfo(); </li></ul><ul><li>[ 32 ] psi.FileName = @&quot;C:INDOWSystem32md.exe&quot;; </li></ul><ul><li>[ 33 ] psi.Arguments = @&quot;/c type c:contracts&quot; + TextBox1.Text + @&quot; > </li></ul><ul><li>c:contractscontract.txt&quot;; </li></ul><ul><li>[ 34 ] psi.WindowStyle = System.Diagnostics.ProcessWindowStyle.Hidden; </li></ul><ul><li>[ 35 ] System.Diagnostics.Process.Start(psi); </li></ul>
  84. 84. Information Leaks <ul><li>.*.StackTrace.*? </li></ul><ul><li>.*.printStackTrace.*? </li></ul><ul><li>.*.response.write.*? </li></ul>
  85. 85. SQL Injection <ul><li>#Scanning for SQL injections </li></ul><ul><li>.*.SqlCommand.*?|.*.DbCommand.*?|.*.OleDbCommand.*?|.*.SqlUtility.*?|.*.OdbcCommand.*?|.*.OleDbDataAdapter.*?|.*.SqlDataSource.*? </li></ul>
  86. 86. CONCLUSION – QUESTIONS! [email_address] http://www.blueinfy.com

×