Securing WebApps – A Survey of Vulnerabilities & Static Analysis Tools Lewis Sykalski SMU D.E. Software Engineering Student Lockheed Martin - Flight Simulation Engineer lsykalski@smu.edu
OWASP 2013 Candidate List A1 – Injection A2 – Broken Authentication and Session Management A3 – Cross-Site Scripting (XSS) A4 – Insecure Direct Object References A5 – Security Misconfiguration A6 – Sensitive Data Exposure A7 – Missing Function Level Access Control A8 – Cross-Site Request Forgery (CSRF) A9 – Using Known Vulnerable Components A10 – Unvalidated Redirects and Forwards
Injection
Cross-Site Scripting
CSRF
Insecure Direct Object Reference
What is Static Analysis? Static program analysis is: an analysis method to determine whether vulnerabilities exist by simply looking at the code in a non-dynamic (running) state. Usually the source code is used, however some tools allow for analysis of object code. most successful tools are ones that analyze the whole scope of the program in relation to a line of code as opposed to only analyzing a single line of code at a time completely independent from the rest of the program.
Dynamic Analysis? Dynamic analysis: analysis of the software while the webapp is running. could be performed in either a white box situation where everything is known or from the black-box situation where nothing is very minimal is known.
Open Source Options Product License Type Languages Features LAPSE+ 2 GNU GPL Eclipse Plugin Java Variable Traceback, Good for analysis of injection & cross-site scripting FindBugs 2.0 3 GNU LGPL Good for general purpose bugs, slick interface, security specific detection under-developed Orizon 9 Standalone Text-based Java, Php,C Jsp Report-based scheme, under-developed, lacking nice UI, some security detection SWAAT 8 Custom License StandaloneHTML Report-based Java, C# Nice report based detection, .NET package out-of-date, tool not maintained. Does not necessarily focus on security problems PMD 5 BSD Java, JavaScript, XML, XSL Generic Code quality tool, High quality User Interface, Extensible to other security-specific rule-sets
Open Source Options (cont.) Product License Type Languages Features FxCop 4 Open Source MS-PL VS Plugin .NET Security-specific static analysis, UI built into Visual Studio RIPS 7 Open-Source GPL Standalone PHP Professional user-interface, Security-specific analysis FlawFinder 19 Text-based C++ Security-specific analysis, Injections, Overflow, etc. Dangerous function analysis PreFast 20 General static analysis, BrakeMan 21 MIT Ruby Strong following
LAPSE+ OWASP LAPSE+ Java plug-in which integrates tightly with the Eclipse IDE (Helios+, 1.6 JRE+). useful for detecting & subsequently analyzing security vulnerabilities due to untrusted data injection in Java webapps. operates on the concept of sinks and sources, the source referring to the injection of untrusted data (e.g. perhaps a cookie, parameters from HTTP, etc) and the sink referring to the process of data modification to manipulate the behavior of the application (e.g. servlet response or HTML page).
LAPSE+
FindBugs FindBugs: program which uses static analysis to look for bugs in Java code. relatively easy to install and purports to find all types of bugs. user interface, where one can filter between various bug categories that are found, a bug review panel which will describe the bug in detail with resolution measures, and a Bug Info Panel which shows a detailed stack trace and description.
FindBugs
Orizon OWASP Orizon: allows one to perform a security code review over your code making sure it fits recommendations contained into the Owasp Build Guide and the Owasp Code review Guide. standalone console-based tool with it's own shell engine. provides for certain commands which when executed allow one to model the code, crawl through all traces, and then subsequently generate a report for viewing.
Orizon
PMD PMD: static analysis tool for Java source code. identifies possible bugs, dead code, suboptimal code, high cyclomatic complexity, and duplicate code. extensible rule-set capability for one to create their own rules. supports a vulnerability view where aforementioned problems are displayed, and the Copy-Paste Detector (CPD) view, where one can view copy-pasted code (code that should likely be consolidated into a single logical block). GDS PMD Secure Coding Ruleset
PMD
PMD
PMD
FlawFinder Flawfinder: a tool that works on C++ source-code. console-based and specifically targets security vulnerabilities. works by using a built-in database of C/C++ functions with well-documented security problems, such “as buffer overflow risks (e.g., strcpy(), strcat(), gets(), sprintf(), and the scanf() family), format string problems ([v][f]printf(), [v]snprintf(), and syslog()), race conditions (such as access(), chown(), chgrp(), chmod(), tmpfile(), tmpnam(), tempnam(), and mktemp()), potential shell metacharacter dangers (most of the exec() family, system(), popen()), and poor random number acquisition (such as random())”. 19
FlawFinder
RIPS RIPS: written in PHP and for PHP specifically to find vulnerabilities.. can create a program model of the source code. can detect vulnerable functions (sinks) that can be utilized by malicious user-input. Additionally an audit framework is provided for further analysis in an IDE-style visual user- interface. claims to detect XSS, SQL Injection, LFI/RFI, and RCE vulnerabilities.
RIPS
Commercial Tools Fortify 10 Commercial Standalone 20 different languages Professional user interface, Security-specific detection/focus, Coverity 16 C++, Java, C# Security-specific detection/focus Insight 17 IDE & static code analyzer, Generic quality detection/focus Parasoft 18 C++, Java, .NET Security specific detection/focus Veracode 14 Professional User Interface, Security Specific detection/focus IBM Security AppScan 15 C++, Java, C#, Objective C Professional User Interface, Centralized security scanning, data consolidation Checkmarx 13 15 languages CodeSecure 12 10 languages CodeSonar 11 Standa Java, C++ General defect, Some security-specific & threading checkings
1 OWASP Top-10: https://www.owasp.org/index.p hp/Top_10_2013-Top_10 References 1 OWASP Top-10: https://www.owasp.org/index.p hp/Top_10_2013-Top_10 2. LAPSE+: http://evalues.es/downloads/o wasp/LapsePlus_Tutorial.pdf 3. FindBugs: http://findbugs.sourceforge.net / 4. FxCop: http://msdn.microsoft.com/en- us/library/bb429476(VS.80).as px 5. PMD: http://pmd.sourceforge.net/ 6. RATS: https://www.fortify.com/ssa- elements/threat- intelligence/rats.html 7. RIPS: http://rips- scanner.sourceforge.net/ 8. SWAAT: https://www.owasp.org/index.p hp/Category:OWASP_SWAAT _Project 9. Orizon: http://www.owasp.org/index.ph p/Category:OWASP_Orizon_P roject 10. HP Fortify: http://www8.hp.com/us/en/soft ware- solutions/software.html?comp URI=1338812#.UXvVjxzREQc 11. CodeSonar: http://www.grammatech.com/c odesonar
12. Amorize CodeSecure: http://www.armorize.com/code secure/ References (cont.) 12. Amorize CodeSecure: http://www.armorize.com/code secure/ 13. CheckMarx: http://www.checkmarx.com/tec hnology/static-code-analysis- sca/ 14. Veracode: http://www.veracode.com/ 15. IBM Security AppScan: http://www- 01.ibm.com/software/rational/p roducts/appscan/source/ 16. Coverity: http://www.coverity.com/produ cts/static-analysis.html 17. Klocwork Insight: http://www.klocwork.com/prod ucts/insight.asp 18. Parasoft Static Analysis: http://www.parasoft.com/jsp/ca pabilities/static_analysis.jsp?it emId=547 19. FlawFinder: http://www.dwheeler.com/flawfi nder/ 20. PreFast: http://msdn.microsoft.com/en- us/library/ms933794.aspx 21. BrakeMan: http://brakemanscanner.org/ 22. PMD GDS Ruleset: https://github.com/GDSSecurit y/GDSPMDSECRULES 23. PMD Rulesets http://pmd.sourceforge.net/pm d- 5.0.3/rules/index.html#Securit y_Code_Guidelines