This site is the archived OWASP Foundation Wiki and is no longer accepting Account Requests.
To view the new OWASP Foundation website, please visit https://owasp.org

Difference between revisions of "Searching for Code in J2EE/Java"

From OWASP
Jump to: navigation, search
(Query Strings)
(Http Request Strings)
Line 31: Line 31:
  
 
====Http Request Strings====
 
====Http Request Strings====
request.querystring
+
request.querystring
request.form  
+
request.form  
request.cookies
+
request.cookies
request.certificate
+
request.certificate
request.servervariables
+
request.servervariables
request.IsSecureConnection
+
request.IsSecureConnection
request.TotalBytes
+
request.TotalBytes
request.BinaryRead
+
request.BinaryRead
  
 
====Cookies====
 
====Cookies====

Revision as of 14:33, 2 July 2007

Performing Text Searches

The basis of the code review is to locate and analyse areas of code which may have application security implications. Assuming the code reviewer has a thorough understanding of the code, what it is intended to do and the context upon which it is to be used, firstly one needs to sweep the code base for areas of interest.

This can be done by performing a text search on the code base looking for keywords relating to API's and functions. Below is a guide for .NET framework 1.1 & 2.0

Searching for code in .NET

Firstly one needs to be familiar with the tools one can use in order to perform text searching following on from this one need to know what to look for.

In this section we will assume you have a copy of Visual Studio (VS) .NET at hand. VS has two types of search "Find in Files" and a cmd line tool called Findstr

The test search tools in XP is not great in my experience and if one has to use this make sure SP2 in installed as it works better. To start off one should scan thorough the code looking for common patterns or keywords such as "User", "Password", "Pswd", "Key", "Http", etc... This can be done using the "Find in Files" tool in VS or using findstring as follows:

[Find In Files HERE]

findstr /s /m /i /d:c:\projects\codebase\sec "http" *.*

Looking for Keywords

Form Fields and user Input

Many of these function calls can be used for Cross-Site-Scripting attacks. One should search for them throughout the codebase and verify that thay are not vulnerable to XSS attacks or client side injection attacks.

Request.form
Request.write
<%=

Http Request Strings

request.querystring
request.form 
request.cookies
request.certificate
request.servervariables
request.IsSecureConnection
request.TotalBytes
request.BinaryRead

Cookies

SQL & Database

HTTP Requests

HTML Tags

HtmlEncode URLEncode

web.config settings

requestEncoding ,responseEncoding

global.asx

Threads and Concurrancy

Reflection, Serialization, Clones

Crypto

Authorization, Assert & Revert

Authentication