
Slide 1: Code Analysis with LAPSE+
Bruno Motta Rego, bmr@attom.com.br, June 2011
The OWASP Foundation, http://www.owasp.org
Copyright © The OWASP Foundation. Permission is granted to copy, distribute and/or modify this document under the terms of the OWASP License.

Slide 2: Agenda
- Introduction
- Goals
- Hands On
- Case
- Challenges

Slide 3: Introduction
- LAPSE+ is an Eclipse plugin for static analysis of source code that detects vulnerabilities caused by injection of untrusted data into Java EE applications.
- LAPSE+ is inspired by existing lightweight security auditing tools such as FlawFinder.
- Developed by a group at Stanford University.
- GPL software.

Slide 4: Goals
- Introduction to LAPSE+
- Practical understanding
- Challenges

Slide 5: Hands On

Slide 6: LAPSE+ Vulnerabilities Detected
- URL Tampering
- Cookie Poisoning
- Parameter Tampering
- Header Manipulation
- Cross-site Scripting (XSS)
- HTTP Response Splitting
- Injections (SQL, Command, XPath, XML, LDAP)
- Path Traversal

Slide 7: LAPSE+ Installation
- Eclipse Helios: http://www.eclipse.org/downloads/
- LAPSE+ 2.8.1 plugin for Eclipse Helios: http://evalues.es/downloads/owasp/LapsePlus_2.8.1.jar

Slide 8: LAPSE+ Configuration
- Drag and drop: copy LAPSE+ (LapsePlus_2.8.1.jar) to the plugins folder of your Eclipse Helios installation.
- Open Eclipse.
- Go to Window / Show View / Lapse+. Three views are available:
  - Vulnerability Source
  - Vulnerability Sink
  - Provenance Tracker

Slide 9: LAPSE+ Demo

    // Demo servlet fragment: every request parameter name and value is written
    // unescaped into the HTML response (request.getParameter is the source,
    // out.println the sink), so LAPSE+ flags a reflected XSS flow.
    response.setContentType("text/html");
    PrintWriter out = response.getWriter();
    for (String parametro : request.getParameterMap().keySet()) {
        out.println(parametro + ": " + request.getParameter(parametro));
    }

Slide 10: LAPSE+ Steps
- Vulnerability Source: points in the code where attacker-controlled data can enter.
- Vulnerability Sink: points in the code that can be the target of data injection.
- Provenance Tracker: performs backward propagation from a sink through the chain of assignments to find whether it reaches a source.

Slide 11: LAPSE+ Challenges
- Requirements
  - Eclipse Helios
  - Java 1.6 or higher
- Support
  - High-level management
  - Software developers have been proponents of using
  - LAPSE+ project

Slide 12: Case

Slide 13: Case

Slide 14: Software Security Challenges
- Total cost of development

Slide 15: Software Security Challenges
- Coding: reports claim that static analysis can remove upwards of 91% of errors within source code.
- Implementation: bugs found during this phase can be 5 to 10 times cheaper to repair than if left for the testing phase.
- Others: software developers have long been proponents of using static-analysis tools for critical applications.

Slide 16: Questions and Answers

Slide 17: (no text)

