
1. Title slide
Copyright © The OWASP Foundation. Permission is granted to copy, distribute and/or modify this document under the terms of the OWASP License.
The OWASP Foundation, OWASP AppSecEU'08, http://www.owasp.org
The Owasp Orizon Project internals
Paolo Perego, Owasp Orizon Project Leader, Spike Reply
thesp0nge@owasp.org

2. Agenda (OWASP, Owasp AppSec EU'08, Ghent, 21st May)
- some infos before we start...
- the Owasp Orizon internals
- so, next?

3. $ whoami
- Senior Security Consultant @ Spike Reply Srl
  - penetration testing
  - secure application building
  - code review & source code assessment
- Owasp Orizon Project leader
- Active member in
  - Owasp Italian chapter
  - Owasp Code Review Project

4. Kickoff: Why do I need Orizon?
- A lot of commercial solutions are available for code reviewing
  - good in finding bugs
  - skilled support
  - expensive
- Few open source solutions are available too
  - small number of security checks
  - good support from the open source community
  - open

5. Some infos before we start...
- In 2007...
  - more than 27.000 hits to http://orizon.sourceforge.net
  - more than 700 downloads for Orizon package releases
  - v0.50 downloaded 101 times in 3 months
- In 2008...
  - more than 200 downloads in the first 4 months
  - v0.80 downloaded 63 times in the first month (from 4 April to 5 May)

6. The Owasp Orizon Internals
- Few things to remember
  - Orizon is a framework, it is not a tool
  - details are hidden from developers
    - 1 or 2 public classes for each engine
    - few publicly available methods
  - engines are intended to be used as a stack
  - the framework is in development
- Most criticisms are related to
  - lack of documentation
  - lack of usage examples
  - missing framework design overview

7. The Owasp Orizon Internals: the stack
(Slide diagram: the engines, grouped by the stage of the review they serve.)
- Preprocessing: XML Translator engine
- Code crawling: Crawler engine
- Code reviewing: Jericho engine, Dawn engine, Plugin engine
- Reporting: Reporting engine

8. The Owasp Orizon Internals: XML translation
- Independence from programming language
  - The source file needs to be translated to XML before review
- Translator is an abstract class
  - for every supported language a Translator class must be implemented accordingly:
    protected abstract boolean translate();
  - Used by Orizon hackers
- AnyLanguage2XML implements the Translator class
  - Used by people writing a code review tool
  - Hides the preprocessing details from users

9. The Owasp Orizon Internals: XML translation

    import org.owasp.orizon.java.Java2XML;

    // java 2 xml translation... (fileName is the String path of the source file)
    Java2XML j2xml = new Java2XML(fileName);
    if (!j2xml.exists()) {
        System.err.println("input file does not exist. Giving up.");
        return;
    }
    if (j2xml.mustTranslate()) {
        if (!j2xml.translate()) {
            System.err.println(fileName + ": translation failed");
            System.exit(-1);
        }
        System.out.println(j2xml.getOutputFilename() + " created");
    } else
        System.out.println("XML file is up to date");

10. The Owasp Orizon Internals: XML translation

Sample source file to be translated:

    public class uno {
        public String a;
        private int b;

        public uno() {
            a = new String();
            b = 2;
        }

        public uno(String a, int b) {
            this();
            setA(a);
            setB(b);
        }

        // compares references, not contents
        public boolean areEqualBad(String b) {
            if (a == b) return true;
            else return false;
        }

        // compares contents
        public boolean areEqualGood(String b) {
            if (a.equals(b)) return true;
            else return false;
        }

        public void setA(String a) { this.a = a; }
        public void setB(int b) { this.b = b; }
    }

Slide annotations on the generated XML:
- XML: class preamble with some stats...
- Uncommented code... mmmh... this is no good!
- Constructor body { a = new String(); b = 2; }: this class has no modifiers but it has two fields, a public String variable named a and a private int variable named b. In the body we found two assignments.
- Method body { if (a == b) return true; else return false; } (returns true / false): this method contains a security violation... where?

11. The Owasp Orizon Internals: crawling
- The Owasp Code Review project introduced source code crawling in its check list
- Orizon v0.70 introduced
  - the org.owasp.orizon.crawler package
  - an abstract source code crawling class
  - a set of dangerous keywords for Java and C# in the default library
- Key points
  - Good: a quick code review can be performed
  - Bad: results are more prone to false positives

12. The Owasp Orizon Internals: crawling
- AbstractCrawler
  - read(): reads the XML file containing the desired keyword list
  - check(): performs a pattern matching search over a specified file
  - getReport(): returns a report with the found keywords, if any

13. The Owasp Orizon Internals: crawling

JavaCrawler class:

    package org.owasp.orizon.java;

    import org.owasp.orizon.core.OrizonCons;
    import org.owasp.orizon.crawler.AbstractCrawler;

    public class JavaCrawler extends AbstractCrawler {
        public JavaCrawler(String xmlFile) {
            // load the Java keyword list right away
            super(xmlFile, OrizonCons.O_JAVA);
            super.read();
        }
    }

JavaCrawler class usage sample; developers just need to call the crawl() method... (Report and PlainFormatter come from the org.owasp.orizon.report package.)

    JavaCrawler jC = new JavaCrawler("dangerous_java_keywords.xml");
    if (jC.crawl(filename)) {
        Report r = jC.getReport();
        if (r != null) {
            PlainFormatter p = new PlainFormatter();
            r.report(p);
        }
    } else
        System.out.println("no dangerous keyword found during crawling");
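The crawler idea in a few dozen lines of Python, as an added example (not Orizon's AbstractCrawler or JavaCrawler code): the keyword-list XML layout, the keyword entries and the Java snippet under review are all constructed here. It reproduces the "Bad" point of slide 11: a literal keyword match is reported even when the keyword only appears in a comment, while the same call written differently is missed.

```python
import re
import xml.etree.ElementTree as ET

# Constructed keyword list standing in for dangerous_java_keywords.xml
# (the real Orizon schema is not shown on the slides; this layout is assumed).
KEYWORD_XML = """<?xml version="1.0"?>
<keywords language="java">
  <keyword name="Runtime.exec" why="command execution"/>
  <keyword name="Random" why="weak PRNG, SecureRandom has to be used instead"/>
  <keyword name="extends ClassLoader" why="custom class loaders can load malicious classes"/>
</keywords>
"""

# Constructed Java source under review. Line 6 only mentions Runtime.exec in a
# comment (false positive); line 7 is the real call, written in a form the
# literal keyword does not match (false negative).
SAMPLE_SOURCE = """\
import java.util.Random;

public class Demo {
    private Random rnd = new Random();
    public void run(String cmd) throws Exception {
        // never call Runtime.exec with user input
        Runtime.getRuntime().exec(cmd);
    }
}
"""


class KeywordCrawler:
    """Same three steps as AbstractCrawler: read(), check(), getReport()."""

    def __init__(self, keyword_xml):
        self.keywords = {}   # keyword -> reason it is considered dangerous
        self.findings = []   # (line_no, keyword, reason, line_text)
        self.read(keyword_xml)

    def read(self, keyword_xml):
        """Load the keyword list from its XML description."""
        for kw in ET.fromstring(keyword_xml).findall("keyword"):
            self.keywords[kw.get("name")] = kw.get("why", "")

    def check(self, source, ignore_comments=False):
        """Pattern-match every keyword against every line of `source`.
        Returns True if at least one keyword was found."""
        self.findings = []
        for line_no, line in enumerate(source.splitlines(), start=1):
            text = line.split("//", 1)[0] if ignore_comments else line
            for name, why in self.keywords.items():
                # Word boundaries keep "Random" from matching "SecureRandom".
                if re.search(r"\b" + re.escape(name) + r"\b", text):
                    self.findings.append((line_no, name, why, line.strip()))
        return bool(self.findings)

    def get_report(self):
        return list(self.findings)


def crawl(source, keyword_xml=KEYWORD_XML, ignore_comments=False):
    """Convenience wrapper mirroring the JavaCrawler usage on the slide."""
    crawler = KeywordCrawler(keyword_xml)
    if not crawler.check(source, ignore_comments):
        return []
    return crawler.get_report()


if __name__ == "__main__":
    for line_no, name, why, text in crawl(SAMPLE_SOURCE):
        print(f"line {line_no}: {name} ({why}): {text}")
```

Running crawl(SAMPLE_SOURCE) reports lines 1, 4 and 6; ignore_comments=True drops the comment hit, but neither mode sees the real Runtime.getRuntime().exec(cmd) call on line 7, which is why crawling is a quick first pass and not a substitute for the XML-based review.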

14. DEMO: Arachne, a source code crawling tool based upon Orizon

15. The Owasp Orizon Internals: the plugin engine
- An interface is provided and all plugins must implement it
  - org.owasp.orizon.plugin.Plugin
- A loader class
  - extracts the plugin class from a given jar file
  - checks if the plugin is intended for this Orizon version
  - loads the class and returns it to the Jericho engine

16. The Owasp Orizon Internals: the plugin engine
- The Jericho engine will
  - instantiate a new object
  - run the plugin via the start() and stop() methods
- The plugin will be called this way:

    <check id="O_EX_1" severity="error" impact="high"
           description="This check will be handled by an external piece of code"
           positive_fail="false" external="yes"
           jar="c:\users\thesp0nge\test.jar" package="" class="Test" >

17. The Owasp Orizon Internals: the plugin engine

    import org.owasp.orizon.plugin.Plugin;
    // Loader is the plugin loader class of slide 15 (its package is not shown on the slide)

    public class PluginDemo {
        public static void main(String args[]) {
            Loader l = new Loader("c:\\users\\thesp0nge\\test.jar");
            try {
                // Plugin p = (Plugin)l.load("Test").newInstance();
                Class c = l.load("Test");          // null if the jar or version check fails
                if (c == null) return;
                Plugin p = (Plugin) c.newInstance();
                p.start();
                p.stop();
                System.out.println("here");
            } catch (Exception e) {
                e.printStackTrace();
                System.err.println("main: " + e.getMessage());
                return;
            }
        }
    }
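A version-gated plugin loader in Python, added here to illustrate the three loader responsibilities listed on slide 15; it is not Orizon's Loader, and the manifest names REQUIRES and PLUGIN_CLASS, the framework version (0, 90) and the three plugin sources are assumptions of this example.

```python
import importlib.util
import os
import tempfile
from abc import ABC, abstractmethod


class Plugin(ABC):
    """Stand-in for the org.owasp.orizon.plugin.Plugin interface."""

    @abstractmethod
    def start(self): ...

    @abstractmethod
    def stop(self): ...


class PluginError(Exception):
    pass


# Hypothetical version of the framework doing the loading.
FRAMEWORK_VERSION = (0, 90)


def parse_version(text):
    """'0.63' -> (0, 63); tuples compare component-wise."""
    return tuple(int(p) for p in text.split("."))


def load_plugin(path, framework_version=FRAMEWORK_VERSION):
    """Load the plugin file at `path`, gate it on the framework version it
    declares (REQUIRES) and return an instance of its declared class
    (PLUGIN_CLASS). Both manifest names are assumptions of this example."""
    spec = importlib.util.spec_from_file_location("orizon_plugin", path)
    module = importlib.util.module_from_spec(spec)
    module.Plugin = Plugin            # the engine supplies the interface
    # exec_module runs the plugin's top-level code: only load from a path
    # you trust, just as the jar path in the <check> element is fixed.
    spec.loader.exec_module(module)
    required = parse_version(getattr(module, "REQUIRES", "0"))
    if required > framework_version:
        raise PluginError(f"plugin requires {required}, framework is {framework_version}")
    cls = getattr(module, getattr(module, "PLUGIN_CLASS", ""), None)
    if not (isinstance(cls, type) and issubclass(cls, Plugin)):
        raise PluginError("plugin class missing or does not implement Plugin")
    try:
        return cls()
    except TypeError as e:            # abstract start()/stop() left unimplemented
        raise PluginError(f"incomplete plugin: {e}")


# Constructed plugin sources used to exercise the loader.
GOOD_PLUGIN = '''
REQUIRES = "0.80"
PLUGIN_CLASS = "Test"

class Test(Plugin):
    def start(self):
        return "check started"
    def stop(self):
        return "check stopped"
'''

TOO_NEW_PLUGIN = GOOD_PLUGIN.replace('REQUIRES = "0.80"', 'REQUIRES = "1.0"')

NOT_A_PLUGIN = '''
REQUIRES = "0.80"
PLUGIN_CLASS = "Test"

class Test:            # does not implement the Plugin interface
    pass
'''


def run_plugin_source(src, framework_version=FRAMEWORK_VERSION):
    """Write `src` to a temporary file, load it and drive start()/stop() the
    way the Jericho engine would. Returns (start_result, stop_result) or the
    loader's error message."""
    with tempfile.TemporaryDirectory() as tmp:
        path = os.path.join(tmp, "test_plugin.py")
        with open(path, "w") as f:
            f.write(src)
        try:
            p = load_plugin(path, framework_version)
        except PluginError as e:
            return str(e)
    return (p.start(), p.stop())


if __name__ == "__main__":
    for name, src in (("good", GOOD_PLUGIN), ("too new", TOO_NEW_PLUGIN), ("not a plugin", NOT_A_PLUGIN)):
        print(name, "->", run_plugin_source(src))
```

exec_module runs the plugin's top-level code before any of the checks, so the version gate and the interface check protect the engine from incompatible plugins, not from hostile ones; the jar path in the <check> element on slide 16 is fixed by the recipe author, and the same trust boundary applies here.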

18. DEMO: Plugin, the new Orizon plugin engine

19. The Owasp Orizon Internals: static review
- The translated source code is read
  - org.owasp.orizon.core.Source.read()
    - initializes the Jericho engine
    - initializes the Dawn engine
    - adds the XML nodes to the Jericho engine
- The security checks are applied
  - org.owasp.orizon.core.Source.review()
    - loops over the security checks
      - adds the check to the Jericho engine
      - calls the Jericho check() method

20. The Owasp Orizon Internals: static review
- Internally the Jericho engine is called
  - org.owasp.orizon.jericho.Jericho.check()
    - the most important method
    - returns true if a security violation has been found
    - it must be called from the Source class due to read() method interoperability

    public boolean check() {
        boolean ret = false;
        long startScan = 0, endScan = 0;
        if (!isInitialized()) return false;
        if (!checkLoaded) {
            log.error("aiee, load a check before with add() method");
            return false;
        }
        startScan = Calendar.getInstance().getTimeInMillis();
        // the results of the sub-checks are XOR-combined into ret
        if (statLoaded) ret ^= s.check(c);
        if (equals != null) ret ^= equals.check(c);
        if (imports != null && imports.length != 0) ret ^= loop(c, new Import());
        if (classes != null && classes.length != 0) ret ^= loop(c, new Class());
        if (methods != null && methods.length != 0) ret ^= loop(c, new Method());
        ret ^= overlook();
        endScan = Calendar.getInstance().getTimeInMillis();
        report.setScanMillis(endScan - startScan);
        // positive_fail from the check definition inverts the final verdict
        return (!(ret ^ c.getPositiveFail()));
    }

21. The Owasp Orizon Internals: library
(Slide diagram.) A Library (ZIP file) contains Recipe 1, Recipe 2, ... Recipe n (XML files); each recipe contains Security check 1, Security check 2, ...

22. The Owasp Orizon Internals: library
- The security library
  - is a ZIP file
  - contains one or more XML files
  - is used during static code review
- A default library is provided
- Developers can write their own library as well

23. The Owasp Orizon Internals: recipes
- The recipes
  - contain security checks
  - contain a checksum to prevent tampering
  - can contain encoded attack patterns

    <recipe family="Code design"
            name="Design classes with a safe access control policies over fields and methods"
            description="Code design issues related to methods and fields access control"
            applies="java" requires="0.63" dawn="false" jericho="true" crc="4005429572">
    ...

24. The Owasp Orizon Internals: security checks
- The check
  - describes a safe coding rule
  - has its own severity and impact levels

    <check id="O_AC_1" severity="error" impact="low"
           description="A class must be defined as private or public"
           positive_fail="false">

If a class scope is different from both private and public, a security violation occurs.

25. The Owasp Orizon Internals: security checks
- If a variable is an instance of Math.Random then a high impact error occurs. The SecureRandom class has to be used instead.
- If a class extends ClassLoader then a high impact error occurs, because malicious classes can be loaded through custom class loaders.
- Two Strings must not be compared using an arithmetic operator; a ClassCastException can occur.

26. The Owasp Orizon Internals: review applied

    { if (a == b) return true; else return false; }

This method contains a security violation... where? A ClassCastException can occur when comparing two objects with an arithmetical operator. Orizon is able to guess the data type of both operands: for a variable it is simple, for a method it will be the data type returned by the method itself.
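The static review described on slides 19 to 26, as one added Python example (not Orizon's Jericho code): a constructed XML translation of the uno class, a constructed two-check recipe carrying a CRC-32 checksum, and a review loop that guesses operand types from field, parameter and method-return declarations and decides each finding with the same `not (matched ^ positive_fail)` expression that Jericho.check() returns. The source and recipe schemas, the check id O_CMP_1 and the `kind` attribute are inventions of this example.

```python
import xml.etree.ElementTree as ET
import zlib

# Constructed translation of the "uno" class. Only what the checks need is kept;
# Orizon's real XML schema is not shown on the slides. The class scope is left
# empty on purpose so that O_AC_1 has something to report.
SOURCE_XML = """<source file="uno.java" language="java">
  <class name="uno" scope="">
    <field name="a" type="String" scope="public"/>
    <field name="b" type="int" scope="private"/>
    <method name="areEqualBad" returns="boolean" scope="public">
      <param name="b" type="String"/>
      <compare op="==" left="a" right="b"/>
    </method>
    <method name="areEqualGood" returns="boolean" scope="public">
      <param name="b" type="String"/>
      <call target="a" name="equals"/>
    </method>
    <method name="getA" returns="String" scope="public"/>
    <method name="sameAsA" returns="boolean" scope="public">
      <compare op="==" left="getA()" right="a"/>
    </method>
  </class>
</source>
"""

# Constructed checks: O_AC_1 is the check from slide 24; O_CMP_1 is a hypothetical
# id for the String comparison rule of slide 25. `kind` is this example's own
# dispatch attribute.
RECIPE_BODY = """
  <check id="O_AC_1" severity="error" impact="low"
         description="A class must be defined as private or public"
         positive_fail="false" kind="class_scope"/>
  <check id="O_CMP_1" severity="error" impact="high"
         description="Two Strings must not be compared using an arithmetic operator"
         positive_fail="true" kind="string_compare"/>
"""


def make_recipe(body=RECIPE_BODY):
    """Build a recipe whose crc attribute is the CRC-32 of its body."""
    return (f'<recipe family="Code design" applies="java" requires="0.63" '
            f'dawn="false" jericho="true" crc="{zlib.crc32(body.encode())}">'
            f'{body}</recipe>')


def load_recipe(text):
    """Parse a recipe, refusing it if the body no longer matches its checksum."""
    body = text[text.index(">") + 1:text.rindex("</recipe>")]
    root = ET.fromstring(text)
    if int(root.get("crc")) != zlib.crc32(body.encode()):
        raise ValueError("recipe checksum mismatch: corrupted or tampered recipe")
    return root


def guess_type(expr, cls, method):
    """Operand typing as described on slide 26: a plain name is looked up among
    the method's parameters and then the class fields; 'name()' takes the
    declared return type of that method."""
    if expr.endswith("()"):
        m = cls.find(f"method[@name='{expr[:-2]}']")
        return None if m is None else m.get("returns")
    for scope in (method, cls):
        for tag in ("param", "field"):
            node = scope.find(f"{tag}[@name='{expr}']")
            if node is not None:
                return node.get("type")
    return None


def evaluate(check, cls):
    """Return (where, matched) pairs for one check applied to one class."""
    kind = check.get("kind")
    if kind == "class_scope":
        return [(cls.get("name"), cls.get("scope") in ("private", "public"))]
    if kind == "string_compare":
        out = []
        for m in cls.findall("method"):
            for cmp in m.findall("compare"):
                left, right, op = cmp.get("left"), cmp.get("right"), cmp.get("op")
                both_strings = (guess_type(left, cls, m) == "String"
                                and guess_type(right, cls, m) == "String")
                out.append((f"{m.get('name')}: {left} {op} {right}",
                            op in ("==", "!=") and both_strings))
        return out
    return []


def review(recipe_xml, source_xml):
    """Apply every check of the recipe to every class of the translated source.
    A finding is raised with the expression Jericho.check() returns:
    not (matched ^ positive_fail)."""
    recipe = load_recipe(recipe_xml)
    src = ET.fromstring(source_xml)
    findings = []
    for check in recipe.findall("check"):
        positive_fail = check.get("positive_fail") == "true"
        for cls in src.findall("class"):
            for where, matched in evaluate(check, cls):
                if not (matched ^ positive_fail):
                    findings.append((check.get("id"), check.get("severity"),
                                     check.get("impact"), where))
    return findings


if __name__ == "__main__":
    for f in review(make_recipe(), SOURCE_XML):
        print("%s [%s/%s] %s" % f)
```

review(make_recipe(), SOURCE_XML) reports O_AC_1 on the class (its scope is neither private nor public) and O_CMP_1 on both `==` comparisons, including the one whose left operand is a method call typed through its return value; load_recipe rejects a recipe whose body no longer matches its crc. A CRC-32 only catches corruption and casual edits, though: anyone able to edit the recipe can recompute the value, so tamper resistance against a deliberate attacker needs a signature or keyed MAC over the recipe.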

27. DEMO: Milk, a Java source code review tool based upon Orizon

28. The Owasp Orizon Internals: dynamic review
- Developers only need to change a flag when calling Source.review()
- The Dawn parameters are the recipe to apply and the working directory in which to create the helpers
- A helper is created for each method in the source file being checked
- The helper is a Java program that invokes the method, passing its command line as the argument

29. The Owasp Orizon Internals: dynamic review

The slide shows the same loop twice, side by side, labelled "Static code review" and "Dynamic code review"; the only difference between the two is the boolean second argument passed to Source.review(). First variant, review(r, true):

    import org.owasp.orizon.core.Source;
    import org.owasp.orizon.report.*;

    // xml file reading
    Source s = new Source(j2xml.getOutputFilename(), "." + File.separator);
    s.read();
    // dl (the library loader) and recipeCount come from the surrounding code, not shown on the slide
    for (int count = 0; count < recipeCount; count++) {
        String rName = dl.getRecipeName(count);
        if (!dl.extract(rName)) {
            System.err.println("can't extract " + rName);
            System.exit(-1);
        }
        Recipe r = new Recipe(rName);
        org.owasp.orizon.report.Report report = s.review(r, true);
        if (report != null) {
            PlainFormatter p = new PlainFormatter();
            report.report(p);
        }
        r.dispose();
    } // for (int count = 0; count < recipeCount; count++)

Second variant, review(r, false): the same code with the call changed to

        org.owasp.orizon.report.Report report = s.review(r, false);

30. The Owasp Orizon Internals: dynamic review
- The helper is executed passing attack patterns as arguments
- The helper output is collected and examined to understand how the method reacts to the attack pattern
- Dynamic code review is concerned with:
  - cross site scripting attacks
  - sql injection attacks
  - unexpected inputs
    - null values
    - empty strings, negative integers, ...

31. The Owasp Orizon Internals: dynamic review
(Slide diagram.) A source file containing method A and method B produces one helper per method: "Method A helper" (method A plus a main()) and "Method B helper" (method B plus a main()). Attack patterns fed to the helpers: “/> alert(‘xss here’); ‘ or 1=1; -- ... Evaluating the output: are input strings filtered? are unhandled exceptions raised? ...
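A helper-style probe of two constructed methods, added here to show what "evaluating the output" on slides 30 and 31 means in practice; it is not Orizon's Dawn engine. The attack patterns are the two from the slide, the unexpected inputs are the slide's null, empty string and negative integer, and the two greet_* functions stand in for method A and method B. In Orizon the helper is a generated Java program whose main() passes argv to the method; here the probe calls the function in-process and reads the result directly.

```python
import html

# Attack patterns from the slide plus the "unexpected inputs" the slide lists.
# Each case: (label, value, kind). 'attack' cases are judged on whether the
# input comes back unfiltered, 'unexpected' cases on whether the method copes.
CASES = [
    ("xss", "\"/> alert('xss here');", "attack"),
    ("sqli", "' or 1=1; --", "attack"),
    ("null", None, "unexpected"),
    ("empty", "", "unexpected"),
    ("negative", "-1", "unexpected"),
]


# Two constructed methods under review, playing the role of method A / method B.
def greet_unsafe(name):
    """Echoes its argument straight into markup and assumes it is a str."""
    return "<p>Hello " + name + "</p>"


def greet_safe(name):
    """Tolerates null and HTML-escapes the argument before use."""
    return "<p>Hello " + html.escape(name or "", quote=True) + "</p>"


def probe(method, cases=CASES):
    """The helper's job, in-process: invoke `method` once per case and examine
    the result. Verdicts: 'unfiltered' (attack input reflected verbatim),
    'unhandled <Exception>' (the method blew up), or 'ok'."""
    verdicts = {}
    for label, value, kind in cases:
        try:
            out = method(value)
        except Exception as exc:      # a helper must survive whatever the method does
            verdicts[label] = "unhandled " + type(exc).__name__
            continue
        if kind == "attack" and value in str(out):
            verdicts[label] = "unfiltered"
        else:
            verdicts[label] = "ok"
    return verdicts


def failing_cases(method):
    """Labels of the cases a method did not handle, i.e. what a report would list."""
    return sorted(label for label, v in probe(method).items() if v != "ok")


if __name__ == "__main__":
    for m in (greet_unsafe, greet_safe):
        print(m.__name__, probe(m))
```

probe(greet_unsafe) flags both attack patterns as reflected unfiltered and the null value as an unhandled TypeError, while greet_safe comes back clean on every case; failing_cases() gives the list a report formatter would print.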

32. The Owasp Orizon Internals: reporting
- org.owasp.orizon.report package
  - The Report is returned to the calling program with the security checks that failed
  - Formatters are provided in order to take a Report and print it out as:
    - plain text
    - file
    - XML + XSL
- Next actions are to increase the number of report output formats

33. The Owasp Orizon Project: the roadmap
- May 2008 @ AppSec EU Conference (Belgium): Orizon v0.90. The first 2008 Orizon major change: plugins
- June 2008: Orizon v0.99. API's freeze; source code review and cleanup; documentation review
- July 2008: Orizon v1.0rc1. Support for C#; bug fixes; source code review and cleanup; documentation review
- September 2008 @ Owasp SOC '08: Orizon v1.0rc2. Bug fixes; source code review and cleanup; Owasp Orizon Guide released as a book
- September 2008 @ AppSec NY Conference: Orizon v1.0rc3. The second 2008 Orizon major change: to be announced
- 2nd October 2008: Orizon v1.0. 2nd birthday party, also code reviewers want to have fun

34. Some links before we leave...
- Orizon site: http://orizon.sourceforge.net
- Orizon blog: http://blogs.owasp.org/orizon
- Orizon page @ Owasp: http://www.owasp.org/index.php/Category:OWASP_Orizon_Project
- Milk site (for milk and arachne): http://milk.sourceforge.net
- Contact me: thesp0nge@owasp.org

35. Q&A
