
1 Copyright © The OWASP Foundation. Permission is granted to copy, distribute and/or modify this document under the terms of the OWASP License. The OWASP Foundation.
OWASP AppSecEU’08: The Owasp Orizon Project internals
Paolo Perego, Owasp Orizon Project Leader, Spike Reply

2 OWASP Owasp AppSec EU’08, Ghent 21st May
Agenda
- some info before we start...
- the Owasp Orizon internals
- so, next?

3 $ whoami
- Senior Security, Spike Reply Srl
  - penetration testing
  - secure application building
  - code review & source code assessment
- Owasp Orizon Project leader
- Active member in
  - Owasp Italian chapter
  - Owasp Code Review Project

4 Kickoff: Why do I need Orizon?
- A lot of commercial solutions are available for code reviewing
  - good at finding bugs
  - skilled support
  - expensive
- A few open source solutions are available too
  - small number of security checks
  - good support from the open source community
  - open

5 Some info before we start…
- In  more than hits to
- more than 700 downloads for Orizon package releases
  - v 0.50 downloaded 101 times in 3 months
- In 2008…
  - More than 200 downloads in the first 4 months
  - v0.80 downloaded 63 times in the first month (from 4 April to 5 May)

6 The Owasp Orizon Internals
- A few things to remember
  - Orizon is a framework, it is not a tool
  - details are hidden from developers
    - 1 or 2 public classes for each engine
    - few publicly available methods
  - engines are intended to be used in stock
  - the framework is in development
- Most criticisms are related to
  - lack of documentation
  - lack of usage examples
  - missing framework design overview

7 The Owasp Orizon Internals: the stack
- Preprocessing: XML Translator engine
- Code crawling: Crawler engine
- Code reviewing: Jericho engine, Dawn engine, Plugin engine
- Reporting: Reporting engine

8 The Owasp Orizon Internals: XML translation
- Independence from programming language
  - Source file needs to be translated to XML before review
- Translator is an abstract class
  - for every supported language a Translator class must be implemented accordingly
    - protected abstract boolean translate();
  - Used by Orizon hackers
- AnyLanguage2XML implements the Translator class
  - Used by people writing a code review tool
  - Hides the preprocessing details from users

9 The Owasp Orizon Internals: XML translation

    import org.owasp.orizon.java.Java2XML;

    // java 2 xml translation...
    Java2XML j2xml = new Java2XML(fileName);
    if (!j2xml.exists()) {
        System.err.println("input file does not exist. Giving up.");
        return;
    }
    if (j2xml.mustTranslate()) {
        if (!j2xml.translate()) {
            System.err.println(fileName + ": translation failed");
            System.exit(-1);
        }
        System.out.println(j2xml.getOutputFilename() + " created");
    } else
        System.out.println("XML file is up to date");

10 The Owasp Orizon Internals: XML translation

    public class uno {
        public String a;
        private int b;

        public uno() {
            a = new String();
            b = 2;
        }

        public uno(String a, int b) {
            this();
            setA(a);
            setB(b);
        }

        // deliberately wrong: compares the two Strings with ==
        public boolean areEqualBad(String b) {
            if (a == b)
                return true;
            else
                return false;
        }

        public boolean areEqualGood(String b) {
            if (a.equals(b))
                return true;
            else
                return false;
        }

        public void setA(String a) {
            this.a = a;
        }

        public void setB(int b) {
            this.b = b;
        }
    }

What the XML translation records for this class:
- XML class preamble with some stats...
- Uncommented code... mmmh... this is no good!
- The constructor body "{ a = new String(); b = 2; }": this class has no modifiers but it has two fields, a public String variable named a and a private int variable named b. In the body we found two assignments.
- The body of areEqualBad, "{ if (a == b) return true; else return false; }": this method contains a security violation... where?
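As an added example (not Orizon's code, nor the translators the slides describe), the Translator pattern in miniature: an abstract base that owns exists() and the freshness check behind mustTranslate(), and a concrete subclass that only has to implement translate(). DemoTranslator and Lines2XML are hypothetical stand-ins; the output format (one <line> element per source line) is assumed, since a real Orizon translator emits a structural model of classes, fields and methods rather than raw lines.

```java
import java.io.File;
import java.io.FileOutputStream;
import java.io.IOException;
import java.nio.charset.StandardCharsets;
import java.nio.file.Files;
import javax.xml.stream.XMLOutputFactory;
import javax.xml.stream.XMLStreamException;
import javax.xml.stream.XMLStreamWriter;

// Hypothetical stand-in for Orizon's abstract Translator: the concrete
// translator implements translate(); exists() and mustTranslate() live here.
abstract class DemoTranslator {
    protected final File input;
    protected final File output;

    protected DemoTranslator(String fileName) {
        this.input = new File(fileName);
        this.output = new File(fileName + ".xml");
    }

    public boolean exists() { return input.isFile(); }

    // Re-translate only when the XML is missing or older than the source file.
    public boolean mustTranslate() {
        return !output.isFile() || output.lastModified() < input.lastModified();
    }

    public String getOutputFilename() { return output.getPath(); }

    protected abstract boolean translate();
}

// Minimal "AnyLanguage2XML": wraps each source line in <line n="..."> so later
// engines can refer back to line numbers. It does not parse the language.
class Lines2XML extends DemoTranslator {
    public Lines2XML(String fileName) { super(fileName); }

    @Override
    protected boolean translate() {
        XMLOutputFactory factory = XMLOutputFactory.newInstance();
        try (FileOutputStream fos = new FileOutputStream(output)) {
            XMLStreamWriter w = factory.createXMLStreamWriter(fos, "UTF-8");
            w.writeStartDocument("UTF-8", "1.0");
            w.writeStartElement("source");
            w.writeAttribute("file", input.getName());
            int n = 0;
            for (String line : Files.readAllLines(input.toPath(), StandardCharsets.UTF_8)) {
                w.writeStartElement("line");
                w.writeAttribute("n", Integer.toString(++n));
                // writeCharacters escapes <, > and &, so source text such as
                // "if (a < b)" cannot break the structure of the XML we emit.
                w.writeCharacters(line);
                w.writeEndElement();
            }
            w.writeEndElement();
            w.writeEndDocument();
            w.close();
            return true;
        } catch (IOException | XMLStreamException e) {
            System.err.println(input + ": translation failed: " + e.getMessage());
            return false;
        }
    }

    public static void main(String[] args) {
        String fileName = args.length > 0 ? args[0] : "uno.java"; // path assumed
        Lines2XML t = new Lines2XML(fileName);
        if (!t.exists()) {
            System.err.println("input file does not exist. Giving up.");
            return;
        }
        if (t.mustTranslate()) {
            System.out.println(t.translate() ? t.getOutputFilename() + " created" : "translation failed");
        } else {
            System.out.println("XML file is up to date");
        }
    }
}
```

Run it as java Lines2XML uno.java; a second run reports "XML file is up to date" until the source is touched again, which is the behaviour the Java2XML snippet above relies on.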

11 The Owasp Orizon Internals: crawling
- Owasp Code Review project introduced source code crawling in its check list
- Orizon v0.70 introduced
  - org.owasp.orizon.crawler package
  - An abstract source code crawling class
  - A set of dangerous keywords for Java and C# in the default library
- Key points
  - Good: a quick code review can be performed
  - Bad: results are more prone to false positives

12 The Owasp Orizon Internals: crawling
- AbstractCrawler
  - read(): reads the XML file containing the desired keyword list
  - check(): performs a pattern matching search over a specified file
  - getReport(): returns a report with found keywords, if any

13 The Owasp Orizon Internals: crawling

JavaCrawler class:

    package org.owasp.orizon.java;

    import org.owasp.orizon.core.OrizonCons;
    import org.owasp.orizon.crawler.AbstractCrawler;

    public class JavaCrawler extends AbstractCrawler {
        public JavaCrawler(String xmlFile) {
            super(xmlFile, OrizonCons.O_JAVA);
            super.read();
        }
    }

JavaCrawler class usage sample. Developers just need to call the crawl() method…

    import org.owasp.orizon.report.*;

    Report r;
    JavaCrawler jC = new JavaCrawler("dangerous_java_keywords.xml");
    if (jC.crawl(filename)) {
        r = jC.getReport();
        if (r != null) {
            PlainFormatter p = new PlainFormatter();
            r.report(p);
        }
    } else
        System.out.println("no dangerous keyword found during crawling");
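An added example of what a keyword crawler of this kind does (this is not Orizon's AbstractCrawler or its keyword library): read() loads a keyword list from XML and crawl() does plain substring matching over the source lines. The keyword file content and the element and attribute names are constructed, and the sample source is constructed too; it includes a keyword inside a comment and one inside a string literal, so the report shows the false positives the slide warns about, flagged by the only context a crawler has.

```java
import java.io.ByteArrayInputStream;
import java.nio.charset.StandardCharsets;
import java.util.ArrayList;
import java.util.List;
import javax.xml.parsers.DocumentBuilderFactory;
import org.w3c.dom.Document;
import org.w3c.dom.Element;
import org.w3c.dom.NodeList;

public class KeywordCrawler {
    // Constructed keyword list standing in for dangerous_java_keywords.xml;
    // element and attribute names are assumed, not Orizon's real schema.
    static final String KEYWORDS_XML =
        "<keywords lang='java'>"
      + " <keyword severity='high'>Runtime.getRuntime().exec</keyword>"
      + " <keyword severity='medium'>extends ClassLoader</keyword>"
      + " <keyword severity='medium'>new Random(</keyword>"
      + "</keywords>";

    // Constructed source lines; lines 2 and 5 are typical false positives.
    static final String[] SAMPLE = {
        "import java.util.Random;",
        "// never call Runtime.getRuntime().exec here, see ticket",
        "public class Demo extends ClassLoader {",
        "    Random r = new Random();",
        "    String cmd = \"Runtime.getRuntime().exec\";",
        "}"
    };

    static final class Hit {
        final String keyword, severity; final int line; final boolean suspect;
        Hit(String k, String s, int l, boolean su) { keyword = k; severity = s; line = l; suspect = su; }
        @Override public String toString() {
            return String.format("line %d: %s [%s]%s", line, keyword, severity,
                    suspect ? " (inside a comment or string literal: likely false positive)" : "");
        }
    }

    private final List<String[]> keywords = new ArrayList<>(); // {keyword, severity}

    // read(): load the keyword list. DOCTYPE is refused so a tampered library
    // cannot smuggle an external entity into the crawler's own XML parser.
    void read(String xml) throws Exception {
        DocumentBuilderFactory f = DocumentBuilderFactory.newInstance();
        f.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
        Document d = f.newDocumentBuilder()
                .parse(new ByteArrayInputStream(xml.getBytes(StandardCharsets.UTF_8)));
        NodeList nodes = d.getElementsByTagName("keyword");
        for (int i = 0; i < nodes.getLength(); i++) {
            Element e = (Element) nodes.item(i);
            keywords.add(new String[] { e.getTextContent().trim(), e.getAttribute("severity") });
        }
    }

    // crawl(): substring match per line; a match after "//" or inside an open
    // double-quoted literal is reported but marked as a probable false positive.
    List<Hit> crawl(String[] lines) {
        List<Hit> hits = new ArrayList<>();
        for (int n = 0; n < lines.length; n++) {
            String line = lines[n];
            for (String[] kw : keywords) {
                int at = line.indexOf(kw[0]);
                if (at < 0) continue;
                int slash = line.indexOf("//");
                boolean inComment = slash >= 0 && slash < at;
                boolean inString = countQuotes(line.substring(0, at)) % 2 == 1;
                hits.add(new Hit(kw[0], kw[1], n + 1, inComment || inString));
            }
        }
        return hits;
    }

    // Counts unescaped double quotes; an odd count means we are inside a literal.
    private static int countQuotes(String s) {
        int c = 0;
        for (int i = 0; i < s.length(); i++)
            if (s.charAt(i) == '"' && (i == 0 || s.charAt(i - 1) != '\\')) c++;
        return c;
    }

    public static void main(String[] args) throws Exception {
        KeywordCrawler jc = new KeywordCrawler();
        jc.read(KEYWORDS_XML);
        List<Hit> report = jc.crawl(SAMPLE);
        if (report.isEmpty()) System.out.println("no dangerous keyword found during crawling");
        for (Hit h : report) System.out.println(h);
    }
}
```

The two flagged hits (the comment on line 2 and the literal on line 5) are exactly the kind of result that makes crawling quick but noisy; a proper review on the XML translation, where comments and literals are separate nodes, does not produce them.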

14 DEMO: Arachne, a source code crawling tool based upon Orizon

15 The Owasp Orizon Internals: the plugin engine
- An interface is provided and all plugins must implement it
  - org.owasp.orizon.plugin.Plugin
- A loader class
  - Extracts the plugin class from a given jar file
  - Checks if the plugin is intended for this Orizon version
  - Loads the class and returns it to the Jericho engine

16 The Owasp Orizon Internals: the plugin engine
- The Jericho engine will
  - Instantiate a new object
  - Run the plugin via the start() and stop() methods
- The plugin will be called this way

17 The Owasp Orizon Internals: the plugin engine

    import org.owasp.orizon.plugin.Plugin;
    // Loader is the plugin loader class; its package is not shown on the slide.

    public class PluginDemo {
        public static void main(String args[]) {
            Loader l = new Loader("c:\\users\\thesp0nge\\test.jar");
            try {
                // Plugin p = (Plugin)l.load("Test").newInstance();
                Class c = l.load("Test");
                if (c == null)
                    return;
                Plugin p = (Plugin) c.newInstance();
                p.start();
                p.stop();
                System.out.println("here");
            } catch (Exception e) {
                e.printStackTrace();
                System.err.println("main: " + e.getMessage());
                return;
            }
        }
    }
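An added example of the loader's three steps (extract, version check, load and hand back), written from scratch and not taken from Orizon: the Plugin interface is assumed to have only the start() and stop() methods the slides mention, DemoLoader is hypothetical, and the manifest attribute name and framework version string are constructed. The point worth seeing is the ordering: the version check reads only the manifest, the class is resolved without running its static initialiser, and the type check happens before anything from the jar is instantiated.

```java
import java.io.File;
import java.io.IOException;
import java.net.URL;
import java.net.URLClassLoader;
import java.util.jar.JarFile;
import java.util.jar.Manifest;

// Assumed shape of org.owasp.orizon.plugin.Plugin: the slides name only start() and stop().
interface Plugin {
    void start();
    void stop();
}

// Hypothetical loader: refuses plugins built for another framework version and
// only hands back classes that actually implement Plugin.
class DemoLoader {
    static final String FRAMEWORK_VERSION = "0.90";             // constructed value
    static final String VERSION_ATTR = "Orizon-Plugin-Version"; // assumed manifest attribute

    private final File jar;

    DemoLoader(String jarPath) { this.jar = new File(jarPath); }

    Class<? extends Plugin> load(String className) {
        if (!jar.isFile()) {
            System.err.println("plugin jar not found: " + jar);
            return null;
        }
        // Version check from the manifest, before any class from the jar is defined.
        try (JarFile jf = new JarFile(jar)) {
            Manifest m = jf.getManifest();
            String target = (m == null) ? null : m.getMainAttributes().getValue(VERSION_ATTR);
            if (!FRAMEWORK_VERSION.equals(target)) {
                System.err.println(jar + ": built for version " + target + ", this is " + FRAMEWORK_VERSION);
                return null;
            }
        } catch (IOException e) {
            System.err.println(jar + ": " + e.getMessage());
            return null;
        }
        try {
            // Parent is the loader that defined Plugin, so the jar sees the same interface.
            URLClassLoader cl = new URLClassLoader(new URL[] { jar.toURI().toURL() },
                    Plugin.class.getClassLoader());
            // initialize=false: no static initialiser from the jar runs before the type check.
            Class<?> c = Class.forName(className, false, cl);
            if (!Plugin.class.isAssignableFrom(c)) {
                System.err.println(className + " does not implement Plugin");
                return null;
            }
            return c.asSubclass(Plugin.class);
        } catch (ClassNotFoundException | IOException e) {
            System.err.println(className + ": " + e.getMessage());
            return null;
        }
    }

    public static void main(String[] args) {
        String jarPath = args.length > 0 ? args[0] : "test.jar"; // path assumed
        String name = args.length > 1 ? args[1] : "Test";        // class name assumed
        Class<? extends Plugin> c = new DemoLoader(jarPath).load(name);
        if (c == null) return;
        try {
            Plugin p = c.getDeclaredConstructor().newInstance();
            p.start();
            p.stop();
        } catch (ReflectiveOperationException e) {
            System.err.println("main: " + e.getMessage());
        }
    }
}
```

Loading a plugin is loading third-party code into the review tool's own process, so the version and interface checks here decide only whether the jar is the right shape; which jars are trusted at all is a policy the caller has to set (for instance, only jars from the library directory the tool owns).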

18 DEMO: Plugin, the new Orizon plugin engine

19 The Owasp Orizon Internals: static review
- The translated source code is read
  - org.owasp.orizon.core.Source.read()
    - initialize Jericho engine
    - initialize Dawn engine
    - add XML nodes to Jericho engine
- The security checks are applied
  - org.owasp.orizon.core.Source.review()
    - loop over security checks
      - add check to Jericho engine
      - call Jericho check() method

20 The Owasp Orizon Internals: static review
- Jericho engine internally is called
  - org.owasp.orizon.jericho.Jericho.check()
    - most important method
    - returns true if a security violation has been found
    - it must be called from the Source class due to read() method interoperability

    public boolean check() {
        boolean ret = false;
        long startScan = 0, endScan = 0;
        if (!isInitialized())
            return false;
        if (!checkLoaded) {
            log.error("aiee, load a check before with add() method");
            return false;
        }
        startScan = Calendar.getInstance().getTimeInMillis();
        if (statLoaded)
            ret ^= s.check(c);
        if (equals != null)
            ret ^= equals.check(c);
        if (imports != null && imports.length != 0)
            ret ^= loop(c, new Import());
        if (classes != null && classes.length != 0)
            ret ^= loop(c, new Class());
        if (methods != null && methods.length != 0)
            ret ^= loop(c, new Method());
        ret ^= overlook();
        endScan = Calendar.getInstance().getTimeInMillis();
        report.setScanMillis(endScan - startScan);
        return (!(ret ^ c.getPositiveFail()));
    }

21 The Owasp Orizon Internals: library
- Library (ZIP file)
  - Recipe 1 (XML file)
  - Recipe 2 (XML file)
  - Recipe n (XML file)
    - Security check 1
    - Security check 2

22 The Owasp Orizon Internals: library
- The security library
  - is a ZIP file
  - contains one or more XML files
  - is used during static code review
- A default library is provided
- Developers can write their own library as well

23 The Owasp Orizon Internals: recipes
- The recipes
  - contain security checks
  - contain a checksum to prevent tampering
  - can contain encoded attack patterns
...

24 The Owasp Orizon Internals: security checks
- The check
  - Describes a safe coding rule
  - Has its own severity and impact levels
Example: if a class scope is neither private nor public, a security violation occurs.

25 The Owasp Orizon Internals: security checks
- If a variable is an instance of Math.Random then a high impact error occurs. The SecureRandom class has to be used instead.
- If a class extends ClassLoader then a high impact error occurs, because malicious classes can be loaded through custom class loaders.
- Two Strings must not be compared using an arithmetic operator: a ClassCastException can occur.

26 The Owasp Orizon Internals: review applied
The highlighted body of areEqualBad, "{ if (a == b) return true; else return false; }": this method contains a security violation... where? A class cast exception can occur comparing two objects with an arithmetical operator. Orizon is able to guess the data type of both operands: for a variable this is simple, for a method it will be the data type returned by the method itself.
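An added example tying the library, recipe and check slides together; it is not Orizon's Jericho engine or its recipe format. The recipe is a constructed XML document in which each check carries the severity and impact levels the slides mention plus an XPath rule, and the source is a constructed, simplified translation of class uno in which operand types are already resolved (Orizon infers them from field types and method return types; this example skips that inference). Element and attribute names are assumed. The four rules are the ones listed on slides 24 and 25; note that in Java == on two Strings compares references, so the "string-compare" rule is what catches areEqualBad. Unlike the slide's check(), which folds sub-check results together with ^= (with XOR, two true sub-results cancel out to false), this example simply counts every violation.

```java
import java.io.ByteArrayInputStream;
import java.nio.charset.StandardCharsets;
import javax.xml.parsers.DocumentBuilderFactory;
import javax.xml.xpath.XPath;
import javax.xml.xpath.XPathConstants;
import javax.xml.xpath.XPathFactory;
import org.w3c.dom.Document;
import org.w3c.dom.Element;
import org.w3c.dom.NodeList;

public class RecipeReview {
    // Constructed recipe: each check has severity/impact and an XPath rule that is
    // evaluated against the translated source. A non-empty result is a violation.
    static final String RECIPE =
        "<recipe name='demo'>"
      + " <check name='class-scope' severity='low' impact='low'"
      + "  rule=\"//class[@scope!='public' and @scope!='private']\">"
      + "  Class scope must be either public or private</check>"
      + " <check name='weak-random' severity='high' impact='high'"
      + "  rule=\"//new[@type='java.util.Random']\">"
      + "  Use java.security.SecureRandom instead of Random</check>"
      + " <check name='custom-classloader' severity='high' impact='high'"
      + "  rule=\"//class[@extends='ClassLoader']\">"
      + "  Custom class loaders can load malicious classes</check>"
      + " <check name='string-compare' severity='medium' impact='high'"
      + "  rule=\"//compare[@op='==' and @ltype='String' and @rtype='String']\">"
      + "  Strings must be compared with equals(), not ==</check>"
      + "</recipe>";

    // Constructed, simplified translation of class uno from the slides.
    static final String SOURCE =
        "<class name='uno' scope='' extends=''>"
      + " <field name='a' type='String' scope='public'/>"
      + " <field name='b' type='int' scope='private'/>"
      + " <method name='areEqualBad' returns='boolean' line='14'>"
      + "  <compare op='==' ltype='String' rtype='String' line='15'/>"
      + " </method>"
      + " <method name='areEqualGood' returns='boolean' line='18'>"
      + "  <call name='equals' line='19'/>"
      + " </method>"
      + "</class>";

    static Document parse(String xml) throws Exception {
        DocumentBuilderFactory f = DocumentBuilderFactory.newInstance();
        f.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true); // no DTD/XXE
        return f.newDocumentBuilder()
                .parse(new ByteArrayInputStream(xml.getBytes(StandardCharsets.UTF_8)));
    }

    // Applies every check of the recipe to the source; prints a plain-text report
    // line per violation and returns how many were found.
    static int review(Document recipe, Document source) throws Exception {
        XPath xp = XPathFactory.newInstance().newXPath();
        NodeList checks = recipe.getElementsByTagName("check");
        int violations = 0;
        for (int i = 0; i < checks.getLength(); i++) {
            Element c = (Element) checks.item(i);
            NodeList hits = (NodeList) xp.evaluate(c.getAttribute("rule"), source, XPathConstants.NODESET);
            for (int j = 0; j < hits.getLength(); j++) {
                Element hit = (Element) hits.item(j);
                String where = hit.hasAttribute("line")
                        ? "line " + hit.getAttribute("line") : "<" + hit.getTagName() + ">";
                System.out.printf("[severity %s, impact %s] %s: %s (%s)%n",
                        c.getAttribute("severity"), c.getAttribute("impact"),
                        c.getAttribute("name"), c.getTextContent().trim(), where);
                violations++;
            }
        }
        return violations;
    }

    public static void main(String[] args) throws Exception {
        int n = review(parse(RECIPE), parse(SOURCE));
        System.out.println(n == 0 ? "no violation found" : n + " violation(s) found");
    }
}
```

On this input two checks fire: class-scope, because uno has no modifiers (the empty scope attribute), and string-compare at line 15 of the model; the recipe checksum the slides mention is left out here, it would be verified before parse() is ever called on an untrusted library.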

27 DEMO: Milk, a Java source code review tool based upon Orizon

28 The Owasp Orizon Internals: dynamic review
- Developers only need to change a flag when calling Source.review()
- Dawn parameters are the recipe to apply and the working directory in which to create helpers
- A helper is created for each method in the source file being checked
- The helper is a Java program that invokes the method, giving its command line as argument

29 The Owasp Orizon Internals: dynamic review

The slide shows two listings, captioned "Static code review" and "Dynamic code review"; they differ only in the boolean passed as the second argument of Source.review(). In both, j2xml, dl, recipeCount and r are set up earlier in the calling program and are not shown on the slide.

First listing (review(r, true)):

    import java.io.File;
    import org.owasp.orizon.core.Source;
    import org.owasp.orizon.report.*;

    // xml file reading
    Source s = new Source(j2xml.getOutputFilename(), "." + File.separator);
    s.read();
    for (int count = 0; count < recipeCount; count++) {
        String rName = dl.getRecipeName(count);
        if (!dl.extract(rName)) {
            System.err.println("can't extract " + rName);
            System.exit(-1);
        }
        r = new Recipe(rName);
        org.owasp.orizon.report.Report report = s.review(r, true);
        if (report != null) {
            PlainFormatter p = new PlainFormatter();
            report.report(p);
        }
        r.dispose();
    } // for (int count = 0; count < recipeCount; count++)

Second listing (review(r, false)):

    import java.io.File;
    import org.owasp.orizon.core.Source;
    import org.owasp.orizon.report.*;

    // xml file reading
    Source s = new Source(j2xml.getOutputFilename(), "." + File.separator);
    s.read();
    for (int count = 0; count < recipeCount; count++) {
        String rName = dl.getRecipeName(count);
        if (!dl.extract(rName)) {
            System.err.println("can't extract " + rName);
            System.exit(-1);
        }
        r = new Recipe(rName);
        org.owasp.orizon.report.Report report = s.review(r, false);
        if (report != null) {
            PlainFormatter p = new PlainFormatter();
            report.report(p);
        }
        r.dispose();
    } // for (int count = 0; count < recipeCount; count++)

30 The Owasp Orizon Internals: dynamic review
- The helper is executed passing attack patterns as arguments
- The helper output is collected and examined to understand how the method reacts to the attack pattern
- Dynamic code review is concerned with:
  - cross site scripting attacks
  - sql injection attacks
  - unexpected inputs
    - null values
    - empty strings, negative integers, ...

31 The Owasp Orizon Internals: dynamic review
Diagram: a source file with method A and method B; for each method a helper is generated (method A helper, whose main() invokes method A; method B helper, whose main() invokes method B), and each helper is run with the attack patterns.
- Attack patterns: “/> alert(‘xss here’); and ‘ or 1=1;
- Evaluating output: are input strings filtered? are unhandled exceptions raised? ...
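An added example of the dynamic review idea from slides 28 to 31, not Orizon's Dawn engine: instead of generating one helper program per method, this harness uses reflection to play the helper's role in-process, calling every public static method of a class with the two patterns shown on the slide plus the "unexpected input" family (null, empty string, negative integer) and classifying each result the way the slide's "evaluating output" step does: the input came back verbatim (unfiltered), it did not (filtered), or an unhandled exception escaped. The Target class is constructed for the demo; DynamicHarness and its verdict labels are assumptions.

```java
import java.lang.reflect.InvocationTargetException;
import java.lang.reflect.Method;
import java.lang.reflect.Modifier;
import java.util.ArrayList;
import java.util.List;

public class DynamicHarness {
    // Constructed target standing in for the source file under review: one method
    // escapes its input, one echoes it back, one fails on null, one fails on -1.
    public static class Target {
        public static String escape(String s) {
            if (s == null) return "";
            return s.replace("&", "&amp;").replace("<", "&lt;").replace(">", "&gt;")
                    .replace("\"", "&quot;").replace("'", "&#39;");
        }
        public static String echo(String s) { return s; }
        public static int length(String s) { return s.length(); }
        public static String repeat(String s, int n) { return s.repeat(n); } // needs Java 11
    }

    // The two patterns from the slide plus the unexpected-input family it lists.
    static final String[] STRING_INPUTS = { "\"/> alert('xss here');", "' or 1=1;", null, "" };
    static final int NEGATIVE_INT = -1;

    // One verdict per invocation, mirroring what the helper's output is checked for.
    static List<String> exercise(Class<?> target) {
        List<String> results = new ArrayList<>();
        for (Method m : target.getDeclaredMethods()) {
            int mod = m.getModifiers();
            if (!Modifier.isStatic(mod) || !Modifier.isPublic(mod)) continue;
            for (String s : STRING_INPUTS) {
                Object[] args = buildArgs(m, s);
                if (args == null) continue; // a parameter type this harness cannot fill
                String label = m.getName() + "(" + (s == null ? "null" : "\"" + s + "\"") + ")";
                try {
                    Object out = m.invoke(null, args);
                    String verdict;
                    if (s == null || s.isEmpty()) verdict = "returned " + out;
                    else verdict = String.valueOf(out).contains(s) ? "unfiltered" : "filtered";
                    results.add(label + " -> " + verdict);
                } catch (InvocationTargetException e) {
                    // The method let an exception escape: the slide's "unhandled exception" case.
                    results.add(label + " -> unhandled " + e.getCause().getClass().getSimpleName());
                } catch (IllegalAccessException e) {
                    results.add(label + " -> not callable");
                }
            }
        }
        return results;
    }

    // String parameters receive the pattern, int parameters a negative value.
    static Object[] buildArgs(Method m, String s) {
        Class<?>[] types = m.getParameterTypes();
        Object[] args = new Object[types.length];
        for (int i = 0; i < types.length; i++) {
            if (types[i] == String.class) args[i] = s;
            else if (types[i] == int.class) args[i] = NEGATIVE_INT;
            else return null;
        }
        return args;
    }

    public static void main(String[] args) {
        for (String line : exercise(Target.class)) System.out.println(line);
    }
}
```

Reading the report: escape() is "filtered" for both patterns, echo() is "unfiltered" for both, length(null) raises an unhandled NullPointerException, and repeat(..., -1) raises an unhandled IllegalArgumentException. Those last two are what the negative-integer and null inputs are there to surface; the helper-per-method design on the slide gets the same information by running each method in a separate JVM, which also isolates the tool from a method that hangs or exits.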

32 The Owasp Orizon Internals
- org.owasp.orizon.report package
  - The Report is returned to the calling program with the security checks that failed
  - Formatters are provided in order to take a Report and print it out as:
    - plain text
    - file
    - XML + XSL
- Next actions are to increase the number of report output formats

33 The Owasp Orizon Project: the roadmap
- May, AppSec EU Conference (Belgium): Orizon v0.90, the first 2008 Orizon major change: plugins
- June 2008: Orizon v0.99, API's freeze, source code review and cleanup, documentation review
- July 2008: Orizon v1.0rc1, support for C#, bug fixes, source code review and cleanup, documentation review
- September, Owasp SOC ‘08: Orizon v1.0rc2, bug fixes, source code review and cleanup, Owasp Orizon Guide released as book
- September, AppSec NY Conference: Orizon v1.0rc3, the second 2008 Orizon major change: to be announced
- 2nd October 2008: Orizon v1.0, 2nd birthday party, also code reviewers want to have fun

34 some links before we leave…
- Orizon site:
- Orizon blog:
- Orizon Owasp: SP_Orizon_Project
- Milk site (for milk and arachne):
- Contact me:

35 Q&A
