This site is the archived OWASP Foundation Wiki and is no longer accepting Account Requests.
To view the new OWASP Foundation website, please visit https://owasp.org
Difference between revisions of "Searching for Code in J2EE/Java"
m (fixed typo) |
(Classic ASP technology inclusion) |
||
Line 386: | Line 386: | ||
### JMS | ### JMS | ||
JMS | JMS | ||
+ | |||
+ | === Searching for code in Classic ASP === | ||
+ | |||
+ | ====Inputs==== | ||
+ | Request | ||
+ | Request.QueryString | ||
+ | Request.Form | ||
+ | Request.ServerVariables | ||
+ | Query_String | ||
+ | hidden | ||
+ | include | ||
+ | .inc | ||
+ | |||
+ | ====Output==== | ||
+ | response.write | ||
+ | <%= | ||
+ | HtmlEncode | ||
+ | UrlEncode | ||
+ | innerText | ||
+ | innerHTML | ||
+ | |||
+ | ====Cookies==== | ||
+ | .cookies | ||
+ | |||
+ | ====Error Handling==== | ||
+ | err. | ||
+ | Server.GetLastError | ||
+ | On Error Resume Next | ||
+ | On Error GoTo 0 | ||
+ | |||
+ | ====Information in URL==== | ||
+ | location.href | ||
+ | location.replace | ||
+ | method="GET" | ||
+ | |||
+ | ====Database==== | ||
+ | commandText | ||
+ | select from | ||
+ | update | ||
+ | insert into | ||
+ | delete from where | ||
+ | exec | ||
+ | execute | ||
+ | .execute | ||
+ | .open | ||
+ | ADODB. | ||
+ | commandtype | ||
+ | |||
+ | ====Session==== | ||
+ | session.timeout | ||
+ | session.abandon | ||
+ | session.removeall | ||
+ | |||
+ | ====DoS Prevention==== | ||
+ | server.ScriptTimeout | ||
+ | IsClientConnected | ||
+ | |||
+ | ====Logging==== | ||
+ | WriteEntry | ||
+ | |||
+ | ====Redirection==== | ||
+ | Response.Redirect | ||
+ | Server.Transfer | ||
+ | Server.Execute | ||
===Generic keywords=== | ===Generic keywords=== |
Revision as of 23:34, 12 June 2008
- 1 Searching for key indicators
- 1.1 Searching for code in .NET
- 1.1.1 Http Request Strings
- 1.1.2 HTML Output
- 1.1.3 SQL & Database
- 1.1.4 Cookies
- 1.1.5 HTML Tags
- 1.1.6 Input Controls
- 1.1.7 web.config
- 1.1.8 global.asax
- 1.1.9 logging
- 1.1.10 Machine.config
- 1.1.11 Threads and Concurrancy
- 1.1.12 Class Design
- 1.1.13 Reflection, Serialization
- 1.1.14 Exceptions & Errors
- 1.1.15 Crypto
- 1.1.16 Storage
- 1.1.17 Authorization, Assert & Revert
- 1.1.18 Legacy methods
- 1.2 Searching for code in J2EE/Java
- 1.3 Searching for code in Classic ASP
- 1.4 Generic keywords
- 1.5 Web 2.0
- 1.1 Searching for code in .NET
Searching for key indicators
The basis of the code review is to locate and analyse areas of code which may have application security implications. Assuming the code reviewer has a thorough understanding of the code, what it is intended to do and the context upon which it is to be used, firstly one needs to sweep the code base for areas of interest.
This can be done by performing a text search on the code base looking for keywords relating to API's and functions. Below is a guide for .NET framework 1.1 & 2.0
Searching for code in .NET
Firstly one needs to be familiar with the tools one can use in order to perform text searching following on from this one need to know what to look for.
In this section we will assume you have a copy of Visual Studio (VS) .NET at hand. VS has two types of search "Find in Files" and a cmd line tool called Findstr
The test search tools in XP is not great in my experience and if one has to use this make sure SP2 in installed as it works better. To start off one should scan thorough the code looking for common patterns or keywords such as "User", "Password", "Pswd", "Key", "Http", etc... This can be done using the "Find in Files" tool in VS or using findstring as follows:
[Find In Files HERE]
findstr /s /m /i /d:c:\projects\codebase\sec "http" *.*
Http Request Strings
Requests from external sources are onviously a key area of a secure code review. We need to ensure that all HTTP requests received are datavalidated for composition, max and min length and if the data falls with the relms of the parameter whitelist. Bottom-line is this is a key area to look at and ensure security is enabled.
request.querystring request.form request.cookies request.certificate request.servervariables request.IsSecureConnection request.TotalBytes request.BinaryRead
HTML Output
Here we are looking for responses to the client. Responses which go unvalidated or which echo external input without data validation are key areas to examine. Many client side attacks result from poor response validation. XSS relies on this somewhat.
response.write <% = HttpUtility HtmlEncode UrlEncode innerText innerHTML
SQL & Database
Locating where a database may be involved in the code is an important aspect of the code review. Looking at the database code will help determine if the application is vulnerable to SQL injection. One aspect of this is to verify that the code uses either SqlParameter, OleDbParameter, or OdbcParameter(System.Data.SqlClient). These are typed and treats parameters as the literal value and not executable code in the database.
exec sp_executesql execute sp_executesql select from Insert update delete from where delete exec sp_ execute sp_ exec xp_ execute sp_ exec @ execute @ executestatement executeSQL setfilter executeQuery GetQueryResultInXML adodb sqloledb sql server driver Server.CreateObject .Provider .Open ADODB.recordset New OleDbConnection ExecuteReader DataSource SqlCommand Microsoft.Jet SqlDataReader ExecuteReader GetString SqlDataAdapter CommandType StoredProcedure System.Data.sql
Cookies
Cookie manipulation can be key to various application security exploits such as session hijacking/fixation and parameter manipulation. One should examine any code relating to cookie functionality as this would have a bearing on session security.
System.Net.Cookie HTTPOnly document.cookie
HTML Tags
Many of the HTML tags below can be used for client side attacks such as cross site scritping. It is important to examine the context in which these tags are used and to examine any relevant data validation associated with the display and use of such tags withing a web application.
HtmlEncode URLEncode <applet> <frameset> <embed> <frame> <html> <iframe> <img> <style> <layer> <ilayer> <meta> <object> <body> <frame security <iframe security
Input Controls
The input controls below are server classes used to produce and display web application form fields. Looking for such references helps locate entry points into the application.
system.web.ui.htmlcontrols.htmlinputhidden system.web.ui.webcontrols.textbox system.web.ui.webcontrols.listbox system.web.ui.webcontrols.checkboxlist system.web.ui.webcontrols.dropdownlist
web.config
The .NET Framework relies on .config files to define configuration settings. The .config files are text-based XML files. Many .config files can, and typically do, exist on a single system. Web applications refer to a web.config file located in the application’s root directory. For ASP.NET applications, web.config contains information about most aspects of the application’s operation.
requestEncoding responseEncoding trace authorization CustomErrors httpRuntime maxRequestLength debug forms protection appSettings ConfigurationSettings authentication mode allow deny credentials identity impersonate timeout
global.asax
Each application has its own Global.asax if one is required. Global.asax sets the event code and values for an application using scripts. One must ensure that application variables do not contain sensitive information, as they are accessible to the whole application and to all users within it.
Application_OnAuthenticateRequest Application_OnAuthorizeRequest Session_OnStart Session_OnEnd
logging
Logging can be a source of information leakage. It is important to examing all calls to the logging subsystem and to determine if any sensitive information is being logged. Common mistakes are logging userID in conjunction with passwords within the authentication functionality or logging database requests which may contains sensitive data.
log4net Console.WriteLine System.Diagnostics.Debug System.Diagnostics.Trace
Machine.config
Its important that many variables in machine.config can be overridden in the web.config file for a particular application.
validateRequest enableViewState enableViewStateMac
Threads and Concurrancy
Locating code that contains multithreaded functions. Concurrancy issues can result in race conditions which may result in security vulnerabilities. The Thread keyword is where new threads objects are created. Code that uses static global variables which hold sensitive security information may cause session issues. Code that uses static constructors may also cause issues between threads. Not synchronizing the Dispose method may cause issues if a number of threads call Dispose at the same time, this may cause resource release issues.
Thread Dispose
Class Design
Public and Sealed relate to the design at class level. Classes whicch are not intended to be derived from should be sealed. Make sure all class fields are Public for a reason. Dont expose anything you dont need to.
Public Sealed
Reflection, Serialization
Code may be generated dynamically at runtime. Code that is generated dynamically as a function of external input may give rise to issues. If your code contains sensitive data does it need to be serialized.
Serializable AllowPartiallyTrustedCallersAttribute GetObjectData StrongNameIdentityPermission StrongNameIdentity System.Reflection
Exceptions & Errors
Ensure that the catch blocks do not leak information to the user in the case of an exception. Ensure when dealing with resources that the finally block is used. Having trace enabled is not great from an information leakage perspective. Ensure custonised errors are properly implemented.
catch{ Finally trace enabled customErrors mode
Crypto
If cryptography is used then is a strong enough cipher used i.e. AES or 3DES. What size key is used, the larger the better. Where is hashing performed. Are passwords that are being persisted hashed, they should be. How are random numbers generated? Is the PRNG "random enough"?
RNGCryptoServiceProvider SHA MD5 base64 xor DES RC2 System.Random Random System.Security.Cryptography
Storage
If storing sensitive data in memory recommend one uses the following.
SecureString ProtectedMemory
Authorization, Assert & Revert
Bypassing the code access security permission? Not a good idea. Also below is a list of potentially dangerous permissions such as calling unmanaged code, outside the CLR.
.RequestMinimum .RequestOptional Assert Debug.Assert CodeAccessPermission ReflectionPermission.MemberAccess SecurityPermission.ControlAppDomain SecurityPermission.UnmanagedCode SecurityPermission.SkipVerification SecurityPermission.ControlEvidence SecurityPermission.SerializationFormatter SecurityPermission.ControlPrincipal SecurityPermission.ControlDomainPolicy SecurityPermission.ControlPolicy
Legacy methods
printf strcpy
Searching for code in J2EE/Java
Input and Output Streams
These are used to read data into ones application. They may be potential entry points into an application. The entry points may be from an external source and must be investigated. These may also be used in path traversal attacks or DoS attacks.
Java.io FileInputStream ObjectInputStream FilterInputStream PipedInputStream SequenceInputStream StringBufferInputStream BufferedReader ByteArrayInputStream CharArrayReader File ObjectInputStream PipedInputStream StreamTokenizer getResourceAsStream java.io.FileReader java.io.FileWriter java.io.RandomAccessFile java.io.File java.io.FileOutputStream
Servlets
These API calls may be avenues for parameter, header, URL & cookie tampering, HTTP Response Splitting and information leakage. They should be examined closely as many of such API's obtain the parameters directly from HTTP requests.
javax.servlet. getParameterNames getParameterValues getParameter getParameterMap getScheme getProtocol getContentType getServerName getRemoteAddr getRemoteHost getRealPath getLocalName getAttribute getAttributeNames getLocalAddr getAuthType getRemoteUser getCookies isSecure HttpServletRequest getQueryString getHeader getPrincipal isUserInRole getOutputStream getWriter addCookie addHeader setHeader javax.servlet.http.Cookie getName getPath getDomain getComment getValue getRequestedSessionId
Cross site scripting
javax.servlet.ServletOutputStream.print javax.servlet.jsp.JspWriter.print java.io.PrintWriter.print
Response Splitting
javax.servlet.http.HttpServletResponse.sendRedirect
SQL & Database
Searching for Java Database related code this list should help you pinpoint classes/methods which are involved in the persistance layer of the application being reviewed.
jdbc executeQuery select insert update delete execute executestatement java.sql.ResultSet.getString java.sql.ResultSet.getObject java.sql.Statement.executeUpdate java.sql.Statement.executeQuery java.sql.Statement.execute java.sql.Statement.addBatch java.sql.Connection.prepareStatement java.sql.Connection.prepareCall
SSL
Looking for code which utilises SSL as a medium for point to point encryption. The following fragments should indicate where SSL functionality has been developed.
com.sun.net.ssl SSLContext SSLSocketFactory TrustManagerFactory HttpsURLConnection KeyManagerFactory
Session Management
getSession invalidate getId
Data Validation
Legacy Interaction
Here we may be vulnerable to command injection attacks or OS injection attacks. Java linking to the native OS can cause serious issues and potentially give rise to total server compromise.
java.lang.Runtime.exec
Logging
We may come across some information leakage by examining code below contained in ones application.
java.io.PrintStream.write log4j jLo Lumberjack MonoLog qflog just4log log4Ant JDLabAgent
Architectural Analysis
If we can identify major architectural components within that application (right away) it can help narrow our search, and we can then look for known vulnerabilities in those components and frameworks:
### Ajax XMLHTTP ### Struts org.apache.struts ### Spring org.springframework ### Java Server Faces (JSF) import javax.faces ### Hibernate import org.hibernate ### Castor org.exolab.castor ### JAXB javax.xml ### JMS JMS
Searching for code in Classic ASP
Inputs
Request Request.QueryString Request.Form Request.ServerVariables Query_String hidden include .inc
Output
response.write <%= HtmlEncode UrlEncode innerText innerHTML
Cookies
.cookies
Error Handling
err. Server.GetLastError On Error Resume Next On Error GoTo 0
Information in URL
location.href location.replace method="GET"
Database
commandText select from update insert into delete from where exec execute .execute .open ADODB. commandtype
Session
session.timeout session.abandon session.removeall
DoS Prevention
server.ScriptTimeout IsClientConnected
Logging
WriteEntry
Redirection
Response.Redirect Server.Transfer Server.Execute
Generic keywords
Developers say the darnedest things in their source code. Look for the following keywords as pointers to possible software vulnerabilities:
Hack Kludge Bypass Steal Stolen Divert Broke Trick Fix ToDo
Web 2.0
Ajax and JavaScript
Look for Ajax usage, and possible JavaScript issues:
document.write eval( document.cookie window.location document.URL XMLHTTP window.createRequest