OWASP O2 Platform

2013-03-29T15:20:03Z

Slib: Fixed typos (availabled, GutHub)

<div style="font-size:125%;border:none;margin: 0;color:#000">
= Main =
Welcome to OWASP O2 Platform project.

''The O2 platform represents a new paradigm for how to perform, document and distribute Web Application security reviews.

O2 is designed to '''Automate Security Consultants Knowledge and Workflows''' and to '''Allow non-security experts to access and consume Security Knowledge'''''

== DOWNLOAD O2 ==
'''Latest Release: April 2013 - v5.1.1''': [https://o2platform.googlecode.com/files/O2%20Platform%20-%20Main%20O2%20Gui%20v5.1.1.exe O2 Platform - Main O2 Gui] - this is a '''Windows Stand-Alone exe''' which will create a number of folders on first load (dependencies and temp files)

[[Image:O2Download_Button_6_22_2010_7_07_03_PM_tmp9E0.jpg| link=https://o2platform.googlecode.com/files/O2%20Platform%20-%20Main%20O2%20Gui%20v5.1.1.exe]]

'''Requirements:'': Windows and .NET Framework 4.0

'''Source code''': The source code for the O2 Platform is available for download at GitHub:

'''Git Hub repositories'''
* Installer: https://github.com/o2platform/O2_Install/zipball/master
* FluentSharp: https://github.com/o2platform/O2.FluentSharp
* O2 Platform Projects: https://github.com/o2platform/O2.Platform.Projects
* O2 Platform Scripts: https://github.com/o2platform/O2.Platform.Scripts
* Misc and Legacy projects: https://github.com/o2platform/O2.Platform.Projects.Misc_and_Legacy

==O2-Platform.com website (external to owasp)==

For more details on the O2 Platform see http://o2platform.wordpress.com website which currently being used to host the help files and documentation pages.

[[Image:10_4_2010_1_54_50_PM_tmp472.jpg | link=http://o2platform.wordpress.com|200px|border=1]]

=== Mailing list===
The best place to keep updated with the lastest news and developers it to subscribe to the [https://lists.owasp.org/mailman/listinfo/owasp-o2-platform OWASP O2 Platform Mailing list] (you can read its [https://lists.owasp.org/mailman/listinfo/owasp-o2-platform archives here] )



= News =
'''Latest News:'''
* 2013/Feb/8 : Released version 5.1 of the [http://o2platform.googlecode.com/files/O2%20Platform%20-%20Main%20O2%20Gui%20v5.1.exe O2 Platform main GUI]
* 2013/Feb/8 : Helped [[UK]] Chapters to visualize its locations: [http://blog.diniscruz.com/2013/02/o2-script-to-create-google-static-map.html O2 Script to create Google Static map with OWASP UK Chapter locations]

= Project About =
{{:Projects/OWASP O2 Platform Project | Project About}}

</div>

__NOTOC__
<headertabs />

[[Category:OWASP_O2_Platform|O2 Platform]]

Java server (J2EE) code review

2008-04-24T14:45:01Z

Slib: fixed typos

==Introduction==

==Java EE Authentication Technologies==
The Java EE framework contains a number of options from an authentication standpoint, such as,

* Java Authentication and Authorization Service (JAAS)
* Java Secure Socket Extensions (JSSE.)
** Authentication and key exchange (RSA & DSA), SSL Authentication
* Java 2 Security Model

===Servlet Authentication===
The Java API javax.servlet.HttpServlet contains a number of methods to receive HTTP requests. One fundamental practice in application security is not to hue HTTP GET during the authentication sequence (This is because sensitive credentials may be logged inadvertently on the web server). HttpServlet harbours methods such as doPost(), doPut(), doDelete(), doGet() to name a few. These methods can be used to process incomming HTTP requests.

During the course of Servlet processing, the HttpServlet.service() method is called before the "do" methods (doGet(), doPost(), etc.) therefore no significant processing should be placed in HttpServlet.service() prior to validating that the correct HTTP method was used to submit the transaction. Therefore it is prudent to examine that the correct http method (doPost(), doGet() has been over-ridden as opposed to service() method.

In the case of an authentication servlet it would be recommended to assure that the doGet() method has been overridden.

One solution to prevent HTTP GET requests is to use the HTTPServletRequest.getMethod() to examine if the method is POST.

{
if( (request.getMethod()).compareTo(“POST”)) {
// POST submission processing . . .
}
else {
// not POST
throw new Exception(“HTTP method error”);
}

==J2EE Authorization Technologies==

==J2EE Session Management==

==J2EE Data Validation==

==J2EE Error Handling==

==Crypto in J2EE/Java==

Searching for Code in J2EE/Java

2008-04-22T12:23:31Z

Slib: fixed typo

== Searching for key indicators ==
The basis of the code review is to locate and analyse areas of code which may have application security implications.
Assuming the code reviewer has a thorough understanding of the code, what it is intended to do and the context upon which it is to be used, firstly one needs to sweep the code base for areas of interest.

This can be done by performing a text search on the code base looking for keywords relating to API's and functions.
Below is a guide for .NET framework 1.1 & 2.0

=== Searching for code in .NET ===

Firstly one needs to be familiar with the tools one can use in order to perform text searching following on from this one need to know what to look for.

In this section we will assume you have a copy of Visual Studio (VS) .NET at hand. VS has two types of search "'''Find in Files'''" and a cmd line tool called '''Findstr'''

The test search tools in XP is not great in my experience and if one has to use this make sure SP2 in installed as it works better.
To start off one should scan thorough the code looking for common patterns or keywords such as "User", "Password", "Pswd", "Key", "Http", etc...
This can be done using the "Find in Files" tool in VS or using findstring as follows:

[Find In Files HERE]

'''findstr /s /m /i /d:c:\projects\codebase\sec "http" *.*'''

====Http Request Strings====
Requests from external sources are onviously a key area of a secure code review. We need to ensure that all HTTP requests received are datavalidated for composition, max and min length and if the data falls with the relms of the parameter whitelist.
Bottom-line is this is a key area to look at and ensure security is enabled.

request.querystring
request.form
request.cookies
request.certificate
request.servervariables
request.IsSecureConnection
request.TotalBytes
request.BinaryRead

====HTML Output====
Here we are looking for responses to the client. Responses which go unvalidated or which echo external input without data validation are key areas to examine. Many client side attacks result from poor response validation. XSS relies on this somewhat.

response.write
<% =
HttpUtility
HtmlEncode
UrlEncode
innerText
innerHTML

====SQL & Database====
Locating where a database may be involved in the code is an important aspect of the code review. Looking at the database code will help determine if the application is vulnerable to SQL injection. One aspect of this is to verify that the code uses either ''SqlParameter'', ''OleDbParameter'', or ''OdbcParameter''(System.Data.SqlClient). These are typed and treats parameters as the literal value and not executable code in the database.

exec sp_executesql
execute sp_executesql
select from
Insert
update
delete from where
delete
exec sp_
execute sp_
exec xp_
execute sp_
exec @
execute @
executestatement
executeSQL
setfilter
executeQuery
GetQueryResultInXML
adodb
sqloledb
sql server
driver
Server.CreateObject
.Provider
.Open
ADODB.recordset
New OleDbConnection
ExecuteReader
DataSource
SqlCommand
Microsoft.Jet
SqlDataReader
ExecuteReader
GetString
SqlDataAdapter
CommandType
StoredProcedure
System.Data.sql

====Cookies====
Cookie manipulation can be key to various application security exploits such as session hijacking/fixation and parameter manipulation. One should examine any code relating to cookie functionality as this would have a bearing on session security.
System.Net.Cookie
[[HTTPOnly]]
document.cookie

==== HTML Tags====
Many of the HTML tags below can be used for client side attacks such as cross site scritping. It is important to examine the context in which these tags are used and to examine any relevant data validation associated with the display and use of such tags withing a web application.

HtmlEncode
URLEncode
<applet>
<frameset>
<embed>
<frame>
<html>
<iframe>
<img>
<style>
<layer>
<ilayer>
<meta>
<object>
<body>
<frame security
<iframe security

====Input Controls====
The input controls below are server classes used to produce and display web application form fields. Looking for such references helps locate entry points into the application.

system.web.ui.htmlcontrols.htmlinputhidden
system.web.ui.webcontrols.textbox
system.web.ui.webcontrols.listbox
system.web.ui.webcontrols.checkboxlist
system.web.ui.webcontrols.dropdownlist

====web.config====
The .NET Framework relies on .config files to define configuration settings. The .config files are text-based XML files. Many .config files can, and typically do, exist on a single system. Web applications refer to a web.config file located in the application’s root directory. For ASP.NET applications, web.config contains information about most aspects of the application’s operation.

requestEncoding
responseEncoding
trace
authorization
CustomErrors
httpRuntime
maxRequestLength
debug
forms protection
appSettings
ConfigurationSettings
authentication mode
allow
deny
credentials
identity impersonate
timeout

====global.asax====
Each application has its own Global.asax if one is required. Global.asax sets the event code and values for an application using scripts. One must ensure that application variables do not contain sensitive information, as they are accessible to the whole application and to all users within it.

Application_OnAuthenticateRequest
Application_OnAuthorizeRequest
Session_OnStart
Session_OnEnd

====logging====
Logging can be a source of information leakage. It is important to examing all calls to the logging subsystem and to determine if any sensitive information is being logged. Common mistakes are logging userID in conjunction with passwords within the authentication functionality or logging database requests which may contains sensitive data.

log4net
Console.WriteLine
System.Diagnostics.Debug
System.Diagnostics.Trace

====Machine.config====
Its important that many variables in machine.config can be overridden in the web.config file for a particular application.
validateRequest
enableViewState
enableViewStateMac

====Threads and Concurrancy====
Locating code that contains multithreaded functions. Concurrancy issues can result in race conditions which may result in security vulnerabilities. The Thread keyword is where new threads objects are created. Code that uses static global variables which hold sensitive security information may cause session issues. Code that uses static constructors may also cause issues between threads. Not synchronizing the Dispose method may cause issues if a number of threads call Dispose at the same time, this may cause resource release issues.

Thread
Dispose

====Class Design====
Public and Sealed relate to the design at class level. Classes whicch are not intended to be derived from should be sealed. Make sure all class fields are Public for a reason. Dont expose anything you dont need to.

Public
Sealed

====Reflection, Serialization====
Code may be generated dynamically at runtime. Code that is generated dynamically as a function of external input may give rise to issues. If your code contains sensitive data does it need to be serialized.

Serializable
AllowPartiallyTrustedCallersAttribute
GetObjectData
StrongNameIdentityPermission
StrongNameIdentity
System.Reflection

====Exceptions & Errors====
Ensure that the catch blocks do not leak information to the user in the case of an exception. Ensure when dealing with resources that the finally block is used. Having trace enabled is not great from an information leakage perspective. Ensure custonised errors are properly implemented.

catch{
Finally
trace enabled
customErrors mode

====Crypto====
If cryptography is used then is a strong enough cipher used i.e. AES or 3DES. What size key is used, the larger the better. Where is hashing performed. Are passwords that are being persisted hashed, they should be.
How are random numbers generated? Is the PRNG "random enough"?

RNGCryptoServiceProvider
SHA
MD5
base64
xor
DES
RC2
System.Random
Random
System.Security.Cryptography

====Storage====
If storing sensitive data in memory recommend one uses the following.
SecureString
ProtectedMemory

====Authorization, Assert & Revert====
Bypassing the code access security permission? Not a good idea. Also below is a list of potentially dangerous permissions such as calling unmanaged code, outside the CLR.

.RequestMinimum
.RequestOptional
Assert
Debug.Assert
CodeAccessPermission
ReflectionPermission.MemberAccess
SecurityPermission.ControlAppDomain
SecurityPermission.UnmanagedCode
SecurityPermission.SkipVerification
SecurityPermission.ControlEvidence
SecurityPermission.SerializationFormatter
SecurityPermission.ControlPrincipal
SecurityPermission.ControlDomainPolicy
SecurityPermission.ControlPolicy

====Legacy methods====
printf
strcpy

=== Searching for code in J2EE/Java ===

====Input and Output Streams====
These are used to read data into ones application. They may be potential entry points into an application. The entry points may be from an external source and must be investigated. These may also be used in path traversal attacks or DoS attacks.

Java.io
FileInputStream
ObjectInputStream
FilterInputStream
PipedInputStream
SequenceInputStream
StringBufferInputStream
BufferedReader
ByteArrayInputStream
CharArrayReader
File
ObjectInputStream
PipedInputStream
StreamTokenizer
getResourceAsStream
java.io.FileReader
java.io.FileWriter
java.io.RandomAccessFile
java.io.File
java.io.FileOutputStream

====Servlets====
These API calls may be avenues for parameter, header, URL & cookie tampering, HTTP Response Splitting and information leakage. They should be examined closely as many of such API's obtain the parameters directly from HTTP requests.
javax.servlet.
getParameterNames
getParameterValues
getParameter
getParameterMap
getScheme
getProtocol
getContentType
getServerName
getRemoteAddr
getRemoteHost
getRealPath
getLocalName
getAttribute
getAttributeNames
getLocalAddr
getAuthType
getRemoteUser
getCookies
isSecure
HttpServletRequest
getQueryString
getHeader
getPrincipal
isUserInRole
getOutputStream
getWriter
addCookie
addHeader
setHeader
javax.servlet.http.Cookie
getName
getPath
getDomain
getComment
getValue
getRequestedSessionId
'''Cross site scripting'''
javax.servlet.ServletOutputStream.print
javax.servlet.jsp.JspWriter.print
java.io.PrintWriter.print

'''Response Splitting'''
javax.servlet.http.HttpServletResponse.sendRedirect

====SQL & Database====
Searching for Java Database related code this list should help you pinpoint classes/methods which are involved in the persistance layer of the application being reviewed.
jdbc
executeQuery
select
insert
update
delete
execute
executestatement
java.sql.ResultSet.getString
java.sql.ResultSet.getObject
java.sql.Statement.executeUpdate
java.sql.Statement.executeQuery
java.sql.Statement.execute
java.sql.Statement.addBatch
java.sql.Connection.prepareStatement
java.sql.Connection.prepareCall

====SSL====

Looking for code which utilises SSL as a medium for point to point encryption. The following fragments should indicate where SSL functionality has been developed.

com.sun.net.ssl
SSLContext
SSLSocketFactory
TrustManagerFactory
HttpsURLConnection
KeyManagerFactory

====Session Management====
getSession
invalidate
getId

====Data Validation====

====Legacy Interaction====
Here we may be vulnerable to command injection attacks or OS injection attacks. Java linking to the native OS can cause serious issues and potentially give rise to total server compromise.

java.lang.Runtime.exec

====Logging====
We may come across some information leakage by examining code below contained in ones application.

java.io.PrintStream.write
log4j
jLo
Lumberjack
MonoLog
qflog
just4log
log4Ant
JDLabAgent

====Architectural Analysis====
If we can identify major architectural components within that application (right away) it can help narrow our search, and we can then look for known vulnerabilities in those components and frameworks:

### Ajax
XMLHTTP
### Struts
org.apache.struts
### Spring
org.springframework
### Java Server Faces (JSF)
import javax.faces
### Hibernate
import org.hibernate
### Castor
org.exolab.castor
### JAXB
javax.xml
### JMS
JMS

===Generic keywords===
Developers say the darnedest things in their source code. Look for the following keywords as pointers to possible software vulnerabilities:

Hack
Kludge
Bypass
Steal
Stolen
Divert
Broke
Trick
Fix
ToDo

===Web 2.0===

====Ajax and JavaScript====
Look for Ajax usage, and possible JavaScript issues:

document.write
eval(
document.cookie
window.location
document.URL
XMLHTTP
window.createRequest

OWASP - User contributions [en]

OWASP O2 Platform

Java server (J2EE) code review

Searching for Code in J2EE/Java