Code Analysis with LAPSE+
Bruno Motta Rego, bmr@attom.com.br
June 2011
The OWASP Foundation, http://www.owasp.org
Copyright © The OWASP Foundation. Permission is granted to copy, distribute and/or modify this document under the terms of the OWASP License.
OWASP 2 Agenda
- Introduction
- Goals
- Hands On
- Case
- Challenges
OWASP 3 Introduction
- LAPSE+ is an Eclipse plugin for static analysis of code that detects untrusted data injection vulnerabilities in Java EE applications.
- LAPSE+ is inspired by existing lightweight security auditing tools such as FlawFinder.
- Developed by a group at Stanford University.
- GPL software.
OWASP 4 Goals
- Introduction
- LAPSE+ practical understanding
- Challenges
OWASP 5 Hands On
OWASP 6 LAPSE+ Vulnerabilities Detected
- URL Tampering
- Cookie Poisoning
- Parameter Tampering
- Header Manipulation
- Cross-site Scripting (XSS)
- HTTP Response Splitting
- Injections (SQL, Command, XPath, XML, LDAP)
- Path Traversal
OWASP 7 LAPSE+ Installation
- Eclipse Helios: http://www.eclipse.org/downloads/
- LAPSE+ 2.8.1 plugin for Eclipse Helios: http://evalues.es/downloads/owasp/LapsePlus_2.8.1.jar
OWASP 8 LAPSE+ Configuration
- Drag and drop (copy) LapsePlus_2.8.1.jar into the plugins folder of our Eclipse Helios installation.
- Open Eclipse.
- Go to Window / Show View / Lapse+: Vulnerability Source, Vulnerability Sink, Provenance Tracker.
OWASP 9 LAPSE+ Demo

    import java.io.*;
    import javax.servlet.http.*;

    // Demo: echoes every request parameter back into an HTML response without encoding
    // (source: request.getParameter, sink: out.println), the reflected XSS pattern LAPSE+ reports
    protected void doGet(HttpServletRequest request, HttpServletResponse response) throws IOException {
        response.setContentType("text/html");
        PrintWriter out = response.getWriter();
        for (String parametro : request.getParameterMap().keySet()) {
            out.println(parametro + ": " + request.getParameter(parametro));
        }
    }
OWASP 10 LAPSE+ Steps
- Vulnerability Source: points in the code that can be the source of an attack.
- Vulnerability Sink: points in the code that can be the target of data injection.
- Provenance Tracker: performs backward propagation through the different assignments.
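To make the three LAPSE+ steps concrete (the sink classes from slide 6 and the source / sink / provenance-tracker workflow above), here is a toy backward taint tracker. This is an added example, not LAPSE+ code: it works on a constructed, simplified straight-line method body rather than Eclipse Java ASTs, and the source, sink and sanitizer tables (request.getParameter, out.println, escapeHtml, and so on) are assumptions for the demo, far smaller than what LAPSE+ ships. For each sink call it walks backward through the assignments feeding the sink's operands; a path that reaches a source without passing a sanitizer is reported together with the provenance chain.

```python
"""Toy backward taint tracker modelled on the LAPSE+ workflow (vulnerability source,
vulnerability sink, provenance tracker). Added example, not LAPSE+ code; it analyses a
simplified, constructed straight-line method body, not real Java ASTs."""
import re
from typing import Dict, List

# Assumed source/sink/sanitizer tables for the demo (LAPSE+ ships its own, larger lists)
SOURCES = {"request.getParameter", "request.getHeader", "request.getQueryString"}
SINKS: Dict[str, str] = {
    "out.println": "Cross-site Scripting (XSS)",
    "response.addHeader": "HTTP Response Splitting",
    "stmt.executeQuery": "SQL Injection",
}
SANITIZERS = {"escapeHtml", "Integer.parseInt"}

ASSIGN_RE = re.compile(r"^(?:[\w<>\[\]]+\s+)?(\w+)\s*=\s*(.+);$")  # [Type] target = expr;
CALL_RE = re.compile(r"([\w.]+)\s*\(")                                # callee names
IDENT_RE = re.compile(r"\b([A-Za-z_]\w*)\b")
STRING_RE = re.compile(r'"[^"]*"')
KEYWORDS = {"new", "null", "true", "false"}


def calls_in(code: str) -> set:
    return set(CALL_RE.findall(code))


def idents_in(code: str) -> set:
    """Variables an expression reads: identifiers minus string literals, callee names and keywords."""
    stripped = STRING_RE.sub("", code)
    names = set(IDENT_RE.findall(stripped)) - KEYWORDS
    for callee in calls_in(stripped):
        names -= set(callee.split("."))
    return names


def trace(var: str, before: int, lines: List[str], path: List[int]) -> List[List[int]]:
    """Provenance tracker: find the nearest assignment to `var` above line `before` and keep
    walking backward through its operands. Returns every path that ends at a source."""
    for i in range(before - 1, -1, -1):
        m = ASSIGN_RE.match(lines[i].strip())
        if not m or m.group(1) != var:
            continue
        expr = m.group(2)
        new_path = path + [i]
        if calls_in(expr) & SANITIZERS:
            return []            # sanitized on the way: untrusted data does not reach the sink
        if calls_in(expr) & SOURCES:
            return [new_path]    # reached a vulnerability source
        found: List[List[int]] = []
        for operand in idents_in(expr):
            found += trace(operand, i, lines, new_path)
        return found             # nearest definition is the reaching one in straight-line code
    return []


def analyze(lines: List[str]) -> List[dict]:
    """Vulnerability sink step: for each sink call, run the provenance tracker on its operands."""
    findings = []
    for idx, line in enumerate(lines):
        sink = next((c for c in calls_in(line) if c in SINKS), None)
        if sink is None:
            continue
        paths: List[List[int]] = []
        if calls_in(line) & SOURCES:     # source used directly as a sink argument (the demo slide)
            paths.append([idx])
        for operand in idents_in(line):
            paths += trace(operand, idx, lines, [idx])
        for p in paths:
            findings.append({"sink": sink, "vulnerability": SINKS[sink], "path": p,
                             "trace": [lines[j].strip() for j in p]})
    return findings


# Constructed straight-line servlet body, mirroring the demo slide plus a few variants
SAMPLE = [
    'String name = request.getParameter("name");',
    "String safe = escapeHtml(name);",
    'String greeting = "Hello " + name;',
    'int id = Integer.parseInt(request.getParameter("id"));',
    "String query = \"SELECT * FROM users WHERE name = '\" + name + \"'\";",
    "out.println(greeting);",    # XSS: greeting <- name <- getParameter
    "out.println(safe);",        # escaped, no finding
    "out.println(id);",          # parsed to int, no finding
    "stmt.executeQuery(query);", # SQL injection: query <- name <- getParameter
    'out.println(key + ": " + request.getParameter(key));',  # source directly in the sink
]

if __name__ == "__main__":
    for f in analyze(SAMPLE):
        print(f"{f['vulnerability']} via {f['sink']}:")
        for step in f["trace"]:
            print("   ", step)
```

Running it on the constructed sample reports three findings (two XSS, one SQL injection) and stays silent for the escaped and integer-parsed values; the trace printed for each finding is the same sink-to-source chain the Provenance Tracker view displays, which is what makes a finding reviewable instead of a bare line number.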
OWASP 11 LAPSE+ Challenges
- Requirements: Eclipse Helios; Java 1.6 or higher.
- Support: high-level management; software developers have been proponents of using the LAPSE+ project.
OWASP 12 Case

OWASP 13 Case
OWASP 14 Software Security Challenges
- Total Cost of Development
OWASP 15 Software Security Challenges
- Coding: reports claim that static analysis can remove upwards of 91% of errors within source code.
- Implementation: bugs found during this phase can be 5 to 10 times cheaper to repair than if left for testing.
- Others: software developers have long been proponents of using static-analysis tools for critical applications.
OWASP 16 Questions and Answers