This site is the archived OWASP Foundation Wiki and is no longer accepting Account Requests.
To view the new OWASP Foundation website, please visit https://owasp.org
Difference between revisions of "Searching for Code in J2EE/Java"
Line 135: | Line 135: | ||
StrongNameIdentity | StrongNameIdentity | ||
− | ====Exceptions==== | + | ====Exceptions & Errors==== |
catch{ | catch{ | ||
Finally | Finally | ||
+ | trace enabled | ||
+ | customErrors mode | ||
====Crypto==== | ====Crypto==== | ||
Line 143: | Line 145: | ||
xor | xor | ||
DES | DES | ||
+ | RC2 | ||
+ | System.Random | ||
+ | Random | ||
+ | |||
+ | ====Storage==== | ||
+ | SecureString | ||
+ | ProtectedMemory | ||
====Authorization, Assert & Revert==== | ====Authorization, Assert & Revert==== | ||
+ | .RequestMinimum | ||
+ | .RequestOptional | ||
+ | Assert | ||
+ | Debug.Assert | ||
+ | |||
+ | CodeAccessPermission | ||
+ | SecurityPermission.UnmanagedCode | ||
+ | SecurityPermission.SkipVerification | ||
+ | SecurityPermission.ControlEvidence | ||
+ | SecurityPermission.ControlPolicy | ||
+ | SecurityPermission.SerializationFormatter | ||
+ | SecurityPermission.ControlPrincipal | ||
+ | ReflectionPermission.MemberAccess | ||
+ | SecurityPermission.ControlAppDomain | ||
+ | SecurityPermission.ControlDomainPolicy | ||
====Authentication==== | ====Authentication==== | ||
Revision as of 09:11, 3 July 2007
- 1 Searching for key indicators
- 1.1 Searching for code in .NET
- 1.2 Looking for Keywords
- 1.2.1 Http Request Strings
- 1.2.2 HTML Output
- 1.2.3 SQL & Database
- 1.2.4 Cookies
- 1.2.5 HTML Tags
- 1.2.6 Input Controls
- 1.2.7 web.config settings
- 1.2.8 global.asx
- 1.2.9 Machine.config
- 1.2.10 Threads and Concurrancy
- 1.2.11 Class Design
- 1.2.12 Reflection, Serialization, Clones
- 1.2.13 Exceptions & Errors
- 1.2.14 Crypto
- 1.2.15 Storage
- 1.2.16 Authorization, Assert & Revert
- 1.2.17 Authentication
- 1.2.18 Leagcy methods
Searching for key indicators
The basis of the code review is to locate and analyse areas of code which may have application security implications. Assuming the code reviewer has a thorough understanding of the code, what it is intended to do and the context upon which it is to be used, firstly one needs to sweep the code base for areas of interest.
This can be done by performing a text search on the code base looking for keywords relating to API's and functions. Below is a guide for .NET framework 1.1 & 2.0
Searching for code in .NET
Firstly one needs to be familiar with the tools one can use in order to perform text searching following on from this one need to know what to look for.
In this section we will assume you have a copy of Visual Studio (VS) .NET at hand. VS has two types of search "Find in Files" and a cmd line tool called Findstr
The test search tools in XP is not great in my experience and if one has to use this make sure SP2 in installed as it works better. To start off one should scan thorough the code looking for common patterns or keywords such as "User", "Password", "Pswd", "Key", "Http", etc... This can be done using the "Find in Files" tool in VS or using findstring as follows:
[Find In Files HERE]
findstr /s /m /i /d:c:\projects\codebase\sec "http" *.*
Looking for Keywords
Http Request Strings
request.querystring request.form request.cookies request.certificate request.servervariables request.IsSecureConnection request.TotalBytes request.BinaryRead
HTML Output
response.write <% = HttpUtility HtmlEncode UrlEncode innerText innerHTML
SQL & Database
exec sp_executesql execute sp_executesql select from Insert update delete from where delete exec sp_ execute sp_ exec xp_ execute sp_ exec @ execute @ executestatement executeSQL setfilter executeQuery GetQueryResultInXML adodb sqloledb sql server driver Server.CreateObject .Provider .Open ADODB.recordset New OleDbConnection ExecuteReader DataSource Microsoft.Jet SqlDataReader cmd.ExecuteReader GetString SqlDataAdapter
Cookies
System.Net.Cookie HttpOnly document.cookie
HTML Tags
HtmlEncode URLEncode <applet> <frameset> <embed> <frame> <html> <iframe> <img> <style> <layer> <ilayer> <meta> <object> <body> <frame security <iframe security
Input Controls
system.web.ui.htmlcontrols.htmlinputhidden system.web.ui.webcontrols.textbox system.web.ui.webcontrols.listbox system.web.ui.webcontrols.checkboxlist system.web.ui.webcontrols.dropdownlist
web.config settings
requestEncoding responseEncoding
global.asx
Machine.config
validateRequest
Threads and Concurrancy
Thread Dispose
Class Design
Public Sealed
Reflection, Serialization, Clones
ISerializable AllowPartiallyTrustedCallersAttribute GetObjectData StrongNameIdentityPermission StrongNameIdentity
Exceptions & Errors
catch{ Finally trace enabled customErrors mode
Crypto
base64 xor DES RC2 System.Random Random
Storage
SecureString ProtectedMemory
Authorization, Assert & Revert
.RequestMinimum .RequestOptional Assert Debug.Assert
CodeAccessPermission SecurityPermission.UnmanagedCode SecurityPermission.SkipVerification SecurityPermission.ControlEvidence SecurityPermission.ControlPolicy SecurityPermission.SerializationFormatter SecurityPermission.ControlPrincipal ReflectionPermission.MemberAccess SecurityPermission.ControlAppDomain SecurityPermission.ControlDomainPolicy
Authentication
Leagcy methods
printf strcpy