This site is the archived OWASP Foundation Wiki and is no longer accepting Account Requests.
To view the new OWASP Foundation website, please visit https://owasp.org

Difference between revisions of "Searching for Code in J2EE/Java"

From OWASP
Jump to: navigation, search
Line 25: Line 25:
  
 
====Http Request Strings====
 
====Http Request Strings====
 +
Requests from external sources are onviously a key area of a secure code review. We need to ensure that all HTTP requests received are datavalidated for composition, max and min length and if the data falls with the relms of the parameter whitelist.
 +
Bottom-line is this is a key area to look at and ensure security is enabled.
 +
 
  request.querystring
 
  request.querystring
 
  request.form  
 
  request.form  
Line 35: Line 38:
  
 
====HTML Output====
 
====HTML Output====
 +
Here we are looking for responses to the client. Responses which go unvalidated or which echo external input without data validation are key areas to examine. Many client side attacks result in poor response validation. XSS relies on this somewhat.
 +
 
  response.write
 
  response.write
 
  <% =
 
  <% =
Line 161: Line 166:
  
 
  CodeAccessPermission
 
  CodeAccessPermission
 +
ReflectionPermission.MemberAccess
 +
SecurityPermission.ControlAppDomain
 
  SecurityPermission.UnmanagedCode
 
  SecurityPermission.UnmanagedCode
 
  SecurityPermission.SkipVerification
 
  SecurityPermission.SkipVerification
 
  SecurityPermission.ControlEvidence
 
  SecurityPermission.ControlEvidence
SecurityPermission.ControlPolicy
 
 
  SecurityPermission.SerializationFormatter
 
  SecurityPermission.SerializationFormatter
 
  SecurityPermission.ControlPrincipal
 
  SecurityPermission.ControlPrincipal
ReflectionPermission.MemberAccess
 
SecurityPermission.ControlAppDomain
 
 
  SecurityPermission.ControlDomainPolicy
 
  SecurityPermission.ControlDomainPolicy
====Authentication====
+
SecurityPermission.ControlPolicy
  
 
====Leagcy methods====
 
====Leagcy methods====
printf
+
printf
strcpy
+
strcpy
 +
 
 +
=== Searching for code in J2EE/Java ===
 +
 
 +
====Input Streams====
 +
Java.io
 +
FileInputStream
 +
ObjectInputStream
 +
FilterInputStream
 +
PipedInputStream
 +
SequenceInputStream
 +
StringBufferInputStream
 +
BufferedReader
 +
ByteArrayInputStream
 +
CharArrayReader
 +
File
 +
ObjectInputStream
 +
PipedInputStream
 +
StreamTokenizer
 +
 
 +
====Servlets====
 +
 
 +
====HTTP====
 +
 
 +
====SQL & Database====
 +
 
 +
====JSSE====
 +
 
 +
====Session Management====
 +
 
 +
====Input Validation====
 +
 
 +
====Legacy Interaction====
 +
 
 +
====Crypto====
 +
 
 +
====Security Manager====
 +
 
 +
====System====
 +
 
 +
====Logging====

Revision as of 09:50, 3 July 2007

Searching for key indicators

The basis of the code review is to locate and analyse areas of code which may have application security implications. Assuming the code reviewer has a thorough understanding of the code, what it is intended to do and the context upon which it is to be used, firstly one needs to sweep the code base for areas of interest.

This can be done by performing a text search on the code base looking for keywords relating to API's and functions. Below is a guide for .NET framework 1.1 & 2.0

Searching for code in .NET

Firstly one needs to be familiar with the tools one can use in order to perform text searching following on from this one need to know what to look for.

In this section we will assume you have a copy of Visual Studio (VS) .NET at hand. VS has two types of search "Find in Files" and a cmd line tool called Findstr

The test search tools in XP is not great in my experience and if one has to use this make sure SP2 in installed as it works better. To start off one should scan thorough the code looking for common patterns or keywords such as "User", "Password", "Pswd", "Key", "Http", etc... This can be done using the "Find in Files" tool in VS or using findstring as follows:

[Find In Files HERE]

findstr /s /m /i /d:c:\projects\codebase\sec "http" *.*

Looking for Keywords

Http Request Strings

Requests from external sources are onviously a key area of a secure code review. We need to ensure that all HTTP requests received are datavalidated for composition, max and min length and if the data falls with the relms of the parameter whitelist. Bottom-line is this is a key area to look at and ensure security is enabled.

request.querystring
request.form 
request.cookies
request.certificate
request.servervariables
request.IsSecureConnection
request.TotalBytes
request.BinaryRead

HTML Output

Here we are looking for responses to the client. Responses which go unvalidated or which echo external input without data validation are key areas to examine. Many client side attacks result in poor response validation. XSS relies on this somewhat.

response.write
<% =
HttpUtility
HtmlEncode
UrlEncode
innerText
innerHTML

SQL & Database

exec sp_executesql
execute sp_executesql
select from
Insert
update
delete from where
delete
exec sp_
execute sp_
exec xp_
execute sp_
exec @
execute @
executestatement
executeSQL
setfilter
executeQuery
GetQueryResultInXML
adodb
sqloledb
sql server
driver
Server.CreateObject
.Provider
.Open
ADODB.recordset
New OleDbConnection
ExecuteReader
DataSource
Microsoft.Jet
SqlDataReader
cmd.ExecuteReader
GetString
SqlDataAdapter 

Cookies

System.Net.Cookie 
HttpOnly
document.cookie

HTML Tags

HtmlEncode 
URLEncode
<applet> 
<frameset> 
<embed> 
<frame> 
<html>
<iframe> 
<img> 
<style> 
<layer> 
<ilayer> 
<meta> 
<object> 
<body> 
<frame security
<iframe security

Input Controls

system.web.ui.htmlcontrols.htmlinputhidden
system.web.ui.webcontrols.textbox
system.web.ui.webcontrols.listbox
system.web.ui.webcontrols.checkboxlist
system.web.ui.webcontrols.dropdownlist


web.config settings

requestEncoding
responseEncoding

global.asx

Machine.config

validateRequest

Threads and Concurrancy

Thread
Dispose

Class Design

Public
Sealed

Reflection, Serialization, Clones

ISerializable 
AllowPartiallyTrustedCallersAttribute
GetObjectData 
StrongNameIdentityPermission
StrongNameIdentity

Exceptions & Errors

catch{
Finally
trace enabled
customErrors mode

Crypto

base64
xor
DES
RC2
System.Random
Random

Storage

SecureString
ProtectedMemory 

Authorization, Assert & Revert

.RequestMinimum
.RequestOptional
Assert
Debug.Assert
CodeAccessPermission
ReflectionPermission.MemberAccess
SecurityPermission.ControlAppDomain
SecurityPermission.UnmanagedCode
SecurityPermission.SkipVerification
SecurityPermission.ControlEvidence
SecurityPermission.SerializationFormatter
SecurityPermission.ControlPrincipal
SecurityPermission.ControlDomainPolicy
SecurityPermission.ControlPolicy

Leagcy methods

printf
strcpy

Searching for code in J2EE/Java

Input Streams

Java.io
FileInputStream
ObjectInputStream
FilterInputStream
PipedInputStream
SequenceInputStream
StringBufferInputStream
BufferedReader
ByteArrayInputStream
CharArrayReader
File
ObjectInputStream
PipedInputStream
StreamTokenizer

Servlets

HTTP

SQL & Database

JSSE

Session Management

Input Validation

Legacy Interaction

Crypto

Security Manager

System

Logging