
1 Copyright © The OWASP Foundation. Permission is granted to copy, distribute and/or modify this document under the terms of the OWASP License.
The OWASP Foundation, http://www.owasp.org
Hacking Owasp Orizon
Paolo Perego, Owasp Orizon Project Leader, Spike Reply, thesp0nge@owasp.org

2 OWASP Owasp EU Summit 08, Portugal – November
Agenda
 Internals overview
 XML Translator factory
 Session Management
 Static analysis
 Reporting engine
 Plugin engine

3 $ whoami
 Senior Security Consultant @ Spike Reply Srl
   penetration testing
   secure application building
   code review & source code assessment
 Owasp Orizon Project leader
 Active member in
   Owasp Italian chapter
   Owasp Code Review Project

4 Internals Overview
 Framework to be used as the engine when building a static analysis tool
 Written in Java
 Each package is devoted to a subsystem
 Massive usage of XML
   to write security checks
   to describe the source file

5 The Orizon 1.0 architecture (diagram, not captured): XML Translator factory, Reporting engine, Dynamic analysis, Static analysis; analysis blocks for Statistics, Control Flow, Call Graph, Data Graph

6 A source code review workflow with Orizon
 Session initialization
   Input type is detected
   A Session object is created
   For each input file a SessionInfo object is created as well
 Preprocessing
   Scan each file to build the AST in memory
   Parse the AST and create 4 different XML files
     Statistical information
     Methods and subroutine calls
     Variable instantiation and changes
     Control flow
 Static analysis
   Security checks are applied according to the translated XML element they refer to
   Source code can be crawled to find dangerous keywords
 Reporting
   Results are represented in different formats
     XML
     Plain text

7 XML TRANSLATOR FACTORY

8 XML Translator factory
 Input: the source code being reviewed
 Output: a bunch of XML files
 Goals
   Describe the source code design
   Collect statistics
   Draw the flow of data
   Collect the call graph
   Enumerate keywords

9 XML Translator factory
 Tries to describe the source code in an intermediate language
 The framework is independent from the programming language (Java, C, C#, …)
 Easy to extend

10 XML Translator factory
 scan() method
   Parses the source file
   Builds the AST in memory
   Very language dependent
 translate() method
   Takes the AST and, for a given service, writes the corresponding XML file

11 XML Translator factory – statistics
 DefaultTranslator method: statService()
 Makes some inferences from black-box information gathering
   Comments
   Cyclomatic index
   Method length

12 XML Translator factory – call graph
 DefaultTranslator method: callGraphService()
 Every method invocation is tracked
   The calling class
   The return data type
   The parameters
   …

13 XML Translator factory – design analysis
 DefaultTranslator method: designService()
 Close to stats gathering
 Some inference is done looking at
   Scope
   Methods
   Fields
   Return type

14 XML Translator factory – keywords
 DefaultTranslator method: keywordService()
 Every call is stored with its return type
 Useful during source code crawling

15 XML Translator factory – how do I use it? The dirty way
 Create a languageTranslator object
 Invoke the scan() method
 Call the desired factory method
   statService()
   designService()
   …

JavaTranslator t = new JavaTranslator();
// scan() returns false when the file could not be parsed: bail out before translating
if (!t.scan(getInFileName())) {
    System.err.println("…");
    return;
}
t.dataFlowService(getInFileName(), getDataFlowFileName());
t.statService(getInFileName(), getStatFileName());

16 XML Translator factory – how do I use it? The suggested way
 Create a SkyLine object
 Invoke the launch("init") method
   Framework is initialized
   Scan session is created
 Invoke the launch("translate") method
   Translation is performed
   All supported XML files are created

SkyLine skyLine = new SkyLine();
…
if (!skyLine.launch("init")) {
    System.err.println("…");
    return;
}
if (!skyLine.launch("translate")) {
    System.err.println("…");
    return;
}

17 XML Translator factory – how can I hack it?
 Add a service method in DefaultTranslator
   e.g. public abstract boolean owaspService(String in, String out)
 Implement the new service method in every class extending DefaultTranslator
   Returns true if the file can be created, false otherwise
   The first parameter is the source filename
   The second parameter is the output XML filename
 org.owasp.core.SessionInfo
   Create a new public boolean getService() method
   If the language translator is initialized, delegate to its service method; otherwise return false
 org.owasp.core.Session
   Create a new public int collectService() method
   For each SessionInfo call getService()
   Count and return how many SessionInfo objects failed to get the translation

18 HANDS ON – XML Translator factory

19 XML Translator factory – hands on
 In an XML file I need the number of declared methods
 Suppose the JavaScanner object has a public int countMethod()
 Implement the new translation service
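A worked solution to this hands-on task, following the four steps of the previous slide. This is an added example, not Orizon's own code: the names methodCountService(), SessionInfo.getMethodCount() and Session.collectMethodCount() mirror the owaspService()/getService()/collectService() naming of the slide but are invented here, JavaScanner.countMethod() is the method the slide asks you to assume, and every class below is a trimmed stand-in for the real Orizon one (this JavaScanner returns a constructed count instead of parsing a file).

```java
import java.io.FileWriter;
import java.io.IOException;
import java.io.PrintWriter;
import java.util.List;

// Stand-in for Orizon's DefaultTranslator with the new abstract service added.
abstract class DefaultTranslator {
    public abstract boolean scan(String in);
    // New service: writes the method count of `in` to the XML file `out`.
    // Returns true if the file could be created, false otherwise.
    public abstract boolean methodCountService(String in, String out);
}

// Stand-in for the JavaScanner of the hands-on slide. A real scanner builds the
// AST; this one returns a constructed count.
class JavaScanner {
    private final int methods;
    JavaScanner(int methods) { this.methods = methods; }
    public int countMethod() { return methods; }
}

// The Java translator implements the new service.
class JavaTranslator extends DefaultTranslator {
    private JavaScanner scanner;

    public boolean scan(String in) {
        scanner = new JavaScanner(3);   // constructed: pretend `in` declares 3 methods
        return true;
    }

    public boolean methodCountService(String in, String out) {
        if (scanner == null) return false;   // scan() has not run, no AST to translate
        try (PrintWriter w = new PrintWriter(new FileWriter(out))) {
            w.println("<?xml version=\"1.0\" encoding=\"UTF-8\"?>");
            w.printf("<methods file=\"%s\" count=\"%d\"/>%n", xmlEscape(in), scanner.countMethod());
            return true;
        } catch (IOException e) {
            return false;
        }
    }

    // The file name comes from the command line; escape it before it lands in an attribute.
    static String xmlEscape(String s) {
        return s.replace("&", "&amp;").replace("<", "&lt;").replace("\"", "&quot;");
    }
}

// Stand-in for SessionInfo: delegate only when the translator is initialised.
class SessionInfo {
    private final String in, out;
    private DefaultTranslator translator;

    SessionInfo(String in, String out) { this.in = in; this.out = out; }

    void init(DefaultTranslator t) { if (t.scan(in)) translator = t; }

    public boolean getMethodCount() {
        return translator != null && translator.methodCountService(in, out);
    }
}

// Stand-in for Session: fan out and count the SessionInfo objects that failed.
class Session {
    private final List<SessionInfo> infos;
    Session(List<SessionInfo> infos) { this.infos = infos; }

    public int collectMethodCount() {
        int failed = 0;
        for (SessionInfo si : infos) {
            if (!si.getMethodCount()) failed++;
        }
        return failed;
    }
}

public class MethodCountDemo {
    public static void main(String[] args) {
        SessionInfo ok = new SessionInfo("Foo.java", "Foo.methods.xml");
        ok.init(new JavaTranslator());
        // The second file never gets a translator, so its translation is reported as failed.
        SessionInfo notInitialised = new SessionInfo("Bar.java", "Bar.methods.xml");
        Session s = new Session(List.of(ok, notInitialised));
        System.out.println("failed translations: " + s.collectMethodCount());
    }
}
```

Running it writes Foo.methods.xml and reports one failed translation, the file whose translator was never initialised; that "initialised or false" guard is the part of the slide most easily forgotten when adding a service.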

20 SESSION MANAGEMENT

21 Session Management
 Input: user parameters
 Output
   1 org.owasp.orizon.core.Session object
   1+ org.owasp.orizon.core.SessionInfo objects, depending on how many source files you have to review
 Goals
   Provide an abstraction layer over the internals
   Make it easy to implement the code review workflow

22 Session Management – Session
 Manages framework properties
   Specified at the command line
   Hardcoded in the tool
 Manages per-file scanning information
 Calls XML translator factory services
 Calls the static code review
 Generates the report

23 Session Management – SessionInfo
 Manages the code review of a single source code file
 Fires up:
   AST creation: inspect()
   Translation:
     getVariableDeclaration()
     getStats()
     getDesign()
     …
   Code review: staticReview()
   Report generation: getReport()
 Actions are taken upon detection of the source code programming language

24 Session Management – SkyLine
 Framework butler
 A tool uses SkyLine to reach Orizon services
   Manage the command line
   Create the Session
   Get the report back to the tool
   "launch()" services

25 Session Management
 Tool creates a SkyLine
 SkyLine creates a Session
 Session creates one or more SessionInfo
 Tool asks SkyLine to "launch()" services

26 Session Management – how do I use it? The only way
 Create a SkyLine object
 Optionally give SkyLine command line arguments to process
 Invoke the launch("init") method and the whole session management framework is set up

SkyLine skyLine = new SkyLine(args);
if (skyLine.processCommandLine())
    skyLine.consumeCommandLine();
if (!skyLine.launch("init")) {
    System.err.println("...");
    return;
}

27 HANDS ON – Session Management

28 Session Management – hands on
 Write a simple tool that creates a scanning session and fires up a translation

29 Some code… (not captured in this transcript)

30 STATIC ANALYSIS

31 Static analysis
 Input: translator factory output
 Output: a security scan report
 Goals
   Statically analyze the code
   Apply the security check library to the code
   Gather results in a report

32 Static analysis – Making the heartbeat
 SkyLine starts the Session static analysis service
 Session loops over its SessionInfo objects asking each to statically analyze the code
 Setting up (SessionInfo)
   A Source object is created
   The Source object reads the XML files
   A Jericho object is created
   The Source is loaded into the scanning engine
 Do the job (Jericho)
   The Library is opened
   For every CookBook contained, the review() method is invoked over the Source
   Results are collected into a Report
 Collecting the results (Session)
   A Folder is created
   Report objects are collected into the Folder
   Using a Formatter object the Folder is rendered into a security report

33 Static analysis – Making the heartbeat
 A static analysis starts when the security tool asks SkyLine to perform the "static analysis" service
 SkyLine
   Has no intelligence
   Acts as a butler
   Asks the scanning Session it manages to perform a static analysis

34 Static analysis – Making the heartbeat
 SkyLine invokes Session.staticReview()
 Session
   Has no intelligence either
   Manages SessionInfo objects
   Asks the objects it manages to make a static analysis
   On each object the SessionInfo.staticReview() method is called

35 Static analysis – Setting up
 First step: take the source
   A Source object is created
   Internal structures need to be filled
   Source has some methods to read the XML translator factory output
   XMLs are read

36 Static analysis – Setting up
 Second step: ask Jericho to review it
   Create a Jericho object
   Pass the Source object to Jericho's constructor
   Call the Jericho.review() method
   Call the Jericho.getReport() method to get the results

37 Static analysis – do the job
 Jericho
   Opens the Library
   Reads it
   Retrieves the cookbook list
   Loops over each cookbook
     Loads the Source into the cookbook
     Asks the Cookbook to review it

38 Static analysis – do the job
 Cookbook, upon request
   Loops over its Recipes
   Asks each Recipe to review the source
 Recipe, upon request
   Loops over its Checks
   Asks each Check to apply itself to the Source
 The Report is sent back to the Jericho object

39 Just few words about the library…
 Library is
   A collection of Cookbooks
   A bunch of directories in the main JAR file
 CookBook is
   A collection of Recipes
   A directory with a cookbook.xml descriptor

40 Just few words about the library…
 Recipe is
   A collection of Checks
   An XML file
 Check is
   An XML-written sentence with
     Subject
     Verb
     Direct object
     Optionally other params
   A safe coding best practice

41 Just few words about the library…
 Library
   Embedded in the Orizon JAR file
   Same flaw category layout as the Owasp Code Review Guide
   library.xml is used as the library descriptor

42 Just few words about the library…
 A cookbook is a family of source code flaws
 A file named cookbook.xml must be present and is used as the cookbook descriptor
 A weight is given to each cookbook to fine-tune the code review score

43 Just few words about the library…
 Recipes are XML files containing security checks
 Each recipe and each check has its own weight score
 Checks are divided into families
   Design
   Keyword
   Execution

44 Just few words about the library…
 Design check (XML example not captured in this transcript)
 name is the statistics name and can be one of the following:
   loc: lines of code
   loC: lines of comment
 verb is the boolean comparison operator between the subject and the value:
   lt: less than
   gt: greater than
   le: less than or equal
   ge: greater than or equal
   ne: not equal
   eq: equal
 ratio: indicates the ratio subject versus direct_object


46 Just few words about the library…
 Keyword check (XML example not captured in this transcript)
   Used in code crawling
 Execution check (XML example not captured in this transcript)
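To make the check grammar of the last slides concrete, here is an added example (not Orizon's code) that parses a recipe holding one design check and applies it to the statistics of two files. The attributes id, severity, impact, description and positive_fail are the ones that appear on the external-check slide of this deck; subject, verb, direct_object and ratio follow the wording of the design-check slide; but the exact element layout of a real recipe was not captured in this transcript, so the XML below and the meaning given to positive_fail (true inverts the verdict) are assumptions. The statistics map stands in for the statService() XML, and all values are constructed.

```java
import java.io.ByteArrayInputStream;
import java.nio.charset.StandardCharsets;
import java.util.ArrayList;
import java.util.List;
import java.util.Map;
import javax.xml.parsers.DocumentBuilderFactory;
import org.w3c.dom.Document;
import org.w3c.dom.Element;
import org.w3c.dom.NodeList;

public class DesignCheckDemo {

    // One design check: "subject verb ratio * direct_object", e.g. loC ge 0.1 * loc.
    static final class Check {
        final String id, subject, verb, directObject;
        final double ratio;
        final boolean positiveFail;   // assumed meaning: true flips the verdict

        Check(String id, String subject, String verb, String directObject,
              double ratio, boolean positiveFail) {
            this.id = id; this.subject = subject; this.verb = verb;
            this.directObject = directObject; this.ratio = ratio; this.positiveFail = positiveFail;
        }
    }

    // Recipes are data files read by the engine: parse them with DTDs disabled so a
    // tampered recipe cannot pull in external entities (XXE) or blow up on entity expansion.
    static List<Check> parseRecipe(String xml) throws Exception {
        DocumentBuilderFactory f = DocumentBuilderFactory.newInstance();
        f.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
        f.setXIncludeAware(false);
        f.setExpandEntityReferences(false);
        Document doc = f.newDocumentBuilder()
                .parse(new ByteArrayInputStream(xml.getBytes(StandardCharsets.UTF_8)));
        NodeList nodes = doc.getElementsByTagName("check");
        List<Check> checks = new ArrayList<>();
        for (int i = 0; i < nodes.getLength(); i++) {
            Element e = (Element) nodes.item(i);
            checks.add(new Check(e.getAttribute("id"), e.getAttribute("subject"),
                    e.getAttribute("verb"), e.getAttribute("direct_object"),
                    Double.parseDouble(e.getAttribute("ratio")),
                    Boolean.parseBoolean(e.getAttribute("positive_fail"))));
        }
        return checks;
    }

    // The six verbs listed on the design-check slide.
    static boolean compare(String verb, double lhs, double rhs) {
        switch (verb) {
            case "lt": return lhs < rhs;
            case "gt": return lhs > rhs;
            case "le": return lhs <= rhs;
            case "ge": return lhs >= rhs;
            case "ne": return lhs != rhs;
            case "eq": return lhs == rhs;
            default: throw new IllegalArgumentException("unknown verb: " + verb);
        }
    }

    // True when the file passes the check. `stats` is the statService() output as a map.
    static boolean passes(Check c, Map<String, Integer> stats) {
        Integer subj = stats.get(c.subject), obj = stats.get(c.directObject);
        if (subj == null || obj == null) {
            throw new IllegalArgumentException(c.id + ": statistic missing from translation");
        }
        // An empty file has no code to comment: treat the check as not applicable.
        if (obj == 0) return true;
        boolean holds = compare(c.verb, (double) subj / obj, c.ratio);
        return c.positiveFail ? !holds : holds;
    }

    // Constructed recipe: require at least one comment line per ten lines of code.
    static final String RECIPE =
            "<recipe>\n"
          + "  <check id=\"O_DE_1\" severity=\"warning\" impact=\"low\"\n"
          + "         description=\"Too few comment lines\" positive_fail=\"false\"\n"
          + "         subject=\"loC\" verb=\"ge\" direct_object=\"loc\" ratio=\"0.1\"/>\n"
          + "</recipe>";

    public static void main(String[] args) throws Exception {
        Check c = parseRecipe(RECIPE).get(0);
        Map<String, Integer> commented = Map.of("loc", 200, "loC", 40);   // constructed stats
        Map<String, Integer> bare = Map.of("loc", 200, "loC", 3);
        System.out.println(c.id + " commented file passes: " + passes(c, commented));
        System.out.println(c.id + " bare file passes: " + passes(c, bare));
    }
}
```

With these figures the first file passes (40/200 = 0.2 is at least 0.1) and the second fails (3/200 = 0.015). The `disallow-doctype-decl` feature is the JDK parser's switch for refusing any DOCTYPE; it matters because the recipe files, although shipped inside the JAR, are parsed like any other XML input.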

47 Collecting the results
 Session object
   Creates a Folder
   Collects the SessionInfo reports
   Makes them available to the calling tool

48 HANDS ON – Static Analysis

49 Static Analysis – hands on
 Write a simple tool that
   Creates a scanning session
   Fires up a translation
   Fires up a static analysis

50 Some code… (not captured in this transcript)

51 REPORTING ENGINE

52 Reporting engine
 The need: people want security reports in different formats
 Starting from the findings, a plain String must contain the report to be printed out
 I don't want to write a "formatThisWay()" method for
   PDF
   XML
   LaTeX
   …
 So?

53 Reporting engine
 A Folder is a bunch of Report objects
 A Report is a bunch of Reportable objects
 A Reportable object contains details about which check failed
 The idea is
   A SessionInfo collects Reportables and builds a Report for a single source file
   A Session manages a Folder holding every file's Report

54 Reporting engine
 Formatter interface
   Provides the prototypes used by Report or Folder objects
   I don't care about the implementation
   It's up to the subclasses

55 Reporting engine
 In fact, formatting a report is independent of the formatter you choose
 When Session generates the report it knows which kind of Formatter it has to use

56 Reporting engine
 The magic starts when the security tool asks SkyLine for the "generate report" service
 SkyLine has no intelligence, so it asks Session to do it
 Session takes a Formatter subclass as parameter and applies it to the report Folder
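An added sketch of the reporting design described on these slides; it is not Orizon's code. A Folder of Reports, each holding Reportable findings, is rendered by whichever Formatter the Session is handed. The method name format(Folder), the fields of Reportable and the two concrete formatters are assumptions made for this example, and the findings are constructed. The XML formatter also shows the one thing a formatter must get right: file names and check descriptions originate from the reviewed tree, so they are escaped before being written into markup.

```java
import java.util.List;

public class FormatterDemo {

    // Detail about one failed check (built by a Check when it fires).
    record Reportable(String checkId, String severity, int line, String description) {}

    // Findings of a single source file (built by SessionInfo).
    record Report(String file, List<Reportable> findings) {}

    // Reports of every file in the session (built by Session).
    record Folder(List<Report> reports) {}

    // The only thing Session needs to know about a formatter.
    interface Formatter {
        String format(Folder folder);
    }

    static final class PlainTextFormatter implements Formatter {
        public String format(Folder folder) {
            StringBuilder sb = new StringBuilder();
            for (Report r : folder.reports()) {
                sb.append(r.file()).append(": ").append(r.findings().size()).append(" finding(s)\n");
                for (Reportable f : r.findings()) {
                    sb.append(String.format("  [%s] %s line %d: %s%n",
                            f.severity(), f.checkId(), f.line(), f.description()));
                }
            }
            return sb.toString();
        }
    }

    static final class XmlFormatter implements Formatter {
        // File names and descriptions end up inside markup; escape them so a reviewed
        // tree containing a file named "<evil>.java" cannot inject into the report.
        static String esc(String s) {
            return s.replace("&", "&amp;").replace("<", "&lt;")
                    .replace(">", "&gt;").replace("\"", "&quot;");
        }

        public String format(Folder folder) {
            StringBuilder sb = new StringBuilder("<folder>\n");
            for (Report r : folder.reports()) {
                sb.append("  <report file=\"").append(esc(r.file())).append("\">\n");
                for (Reportable f : r.findings()) {
                    sb.append(String.format("    <finding check=\"%s\" severity=\"%s\" line=\"%d\">%s</finding>%n",
                            esc(f.checkId()), esc(f.severity()), f.line(), esc(f.description())));
                }
                sb.append("  </report>\n");
            }
            return sb.append("</folder>\n").toString();
        }
    }

    // What Session does for the "generate report" service: apply the given Formatter to its Folder.
    static String generateReport(Folder folder, Formatter formatter) {
        return formatter.format(folder);
    }

    public static void main(String[] args) {
        // Constructed findings, including a hostile file name.
        Folder folder = new Folder(List.of(
                new Report("Login.java", List.of(
                        new Reportable("O_DE_1", "warning", 0, "Too few comment lines"))),
                new Report("src/<evil>.java", List.of())));
        System.out.print(generateReport(folder, new PlainTextFormatter()));
        System.out.print(generateReport(folder, new XmlFormatter()));
    }
}
```

Adding a PDF or LaTeX output is then one more Formatter class; Session and SkyLine are untouched, which is the point the slides make.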

57 CRAWLER ENGINE

58 Crawler engine
 Until September '08
   An abstract class DefaultCrawler
   Reads the source file (NOT the XML)
   Makes a pattern matching search against a keyword list
   Subclasses implement language specific crawlers just by passing the list to the superclass
 It doesn't fit with the framework design

59 Crawler engine
 New design consistent with the framework
   The engine uses the "keyword" XML file
   Jericho applies a specific Cookbook for crawling to that XML file
   Everything works as if it were a regular security check

60 PLUGIN ENGINE – How plugins worked before version 1.0

61 Plugin engine (Discontinued)
 An interface is provided and all plugins must implement it
   org.owasp.orizon.plugin.Plugin
 A loader class
   Extracts the plugin class from a given jar file
   Checks if the plugin is intended for this Orizon version
   Loads the class and returns it to the Jericho engine

62 Plugin engine (Discontinued)
 Jericho engine will
   Instantiate a new object
   Run the plugin via the start() and stop() methods
 The plugin is called from a check declared this way:

<check id="O_EX_1" severity="error" impact="high"
       description="This check will be handled by an external piece of code"
       positive_fail="false" external="yes"
       jar="c:\users\thesp0nge\test.jar" package="" class="Test" >

 Whatever jar the descriptor points to is loaded and executed with the reviewer's privileges, so checks with external="yes" must only come from a trusted library

63 Plugin engine (Discontinued)

import org.owasp.orizon.plugin.Plugin;
// Loader is Orizon's plugin loader; its package is not shown on the slides.

public class PluginDemo {
    public static void main(String args[]) {
        Loader l = new Loader("c:\\users\\thesp0nge\\test.jar");
        try {
            // Plugin p = (Plugin)l.load("Test").newInstance();
            // load() returns null when the jar has no such class or the plugin
            // targets a different Orizon version
            Class c = l.load("Test");
            if (c == null) return;
            Plugin p = (Plugin) c.newInstance();
            p.start();
            p.stop();
            System.out.println("here");
        } catch (Exception e) {
            e.printStackTrace();
            System.err.println("main: " + e.getMessage());
            return;
        }
    }
}

64 Some links before we leave…
 Orizon site: http://orizon.sourceforge.net
 Orizon blog: http://blogs.owasp.org/orizon
 Orizon page @ Owasp: http://www.owasp.org/index.php/Category:OWASP_Orizon_Project
 Contact me: thesp0nge@owasp.org

65 Q&A

66 Copyright © The OWASP Foundation. Permission is granted to copy, distribute and/or modify this document under the terms of the OWASP License.
The OWASP Foundation, http://www.owasp.org
The Owasp Orizon Project internals
Paolo Perego, Owasp Orizon Project Leader, Spike Reply, thesp0nge@owasp.org

