Slide 1: The Owasp Orizon Project - Internals and hands on

Paolo Perego, Owasp Orizon Project Leader, Spike Reply
thesp0nge@owasp.org
OWASP Day, 31st March 2008
The OWASP Foundation, http://www.owasp.org

Copyright © The OWASP Foundation. Permission is granted to copy, distribute and/or modify this document under the terms of the OWASP License.
Slide 2: Agenda
OWASP - Italy, Owasp Day II 2008, Roma, 31st March

- some infos before we start...
- the Owasp Orizon internals
- so, next?
Slide 3: $ whoami

- Senior Security Consultant @ Spike Reply Srl: penetration testing, secure application building, code review & source code assessment
- Owasp Orizon Project leader
- Active member in Owasp Italy
- Owasp Code Review Project
Slide 4: Kickoff - Why do I need Orizon?

A lot of commercial solutions are available for code reviewing:
- good in finding bugs
- skilled support
- expensive

Few open source solutions are available too:
- small number of security checks
- good support from the open source community
- open
Slide 5: Some infos before we start...

In 2007:
- more than 27.000 hits to http://orizon.sourceforge.net
- more than 700 downloads for Orizon package releases
- v0.50 downloaded 101 times in 3 months

In 2008:
- v0.60 downloaded approx. 90 times in a month and a half
- v0.70 was released on 15 February and is, as of today, by far the most downloaded Orizon version (approx. 100 downloads)
Slide 6: The Owasp Orizon Internals - Few things to remember

- Orizon is a framework, it is not a tool
- details are hidden from developers: 1 or 2 public classes for each engine, few publicly available methods
- engines are intended to be used in stock
- the framework is in development
- Most criticisms are related to: lack of documentation, lack of usage examples, missing framework design overview
Slide 7: The Owasp Orizon Internals - the stack

[Diagram of the engine stack, stage by stage:]
- Preprocessing: XML Translator engine
- Code crawling: Crawler engine
- Code reviewing: Jericho engine, Dawn engine
- Reporting: Reporting engine
Slide 8: The Owasp Orizon Internals - XML translation

- A source file needs to be translated to XML before review
- Translator is an abstract class; for every supported language the Translator class must be implemented accordingly:

    protected abstract boolean translate();
Slide 9: The Owasp Orizon Internals - XML translation

Developers (Orizon users):
- don't need to understand the Translator class
- just need to call the translate() method from Java2XML, CSharp2XML, ...

Developers (Orizon hackers):
- need to describe a new programming language in some way
- need to implement the Translator class and translate()
Slide 10: The Owasp Orizon Internals - XML translation

    import org.owasp.orizon.java.Java2XML;

    // java 2 xml translation...
    Java2XML j2xml = new Java2XML(fileName);
    if (!j2xml.exists()) {
        System.err.println("input file does not exist. Giving up.");
        return;
    }
    // translate only when the XML is missing or older than the source
    if (j2xml.mustTranslate()) {
        if (!j2xml.translate()) {
            System.err.println(fileName + ": translation failed");
            System.exit(-1);
        }
        System.out.println(j2xml.getOutputFilename() + " created");
    } else
        System.out.println("XML file is up to date");
Slide 11: The Owasp Orizon Internals - XML translation

    public class uno {
        public String a;
        private int b;

        public uno() {
            a = new String();
            b = 2;
        }

        public uno(String a, int b) {
            this();
            setA(a);
            setB(b);
        }

        public boolean areEqualBad(String b) {
            if (a == b) return true;      // reference comparison: the bad case
            else return false;
        }

        public boolean areEqualGood(String b) {
            if (a.equals(b)) return true; // content comparison
            else return false;
        }

        public void setA(String a) { this.a = a; }
        public void setB(int b) { this.b = b; }
    }

Callouts on the XML produced from this class:
- XML class preamble with some stats...
- Uncommented code... mmmh... this is no good!
- On the constructor body "{ a = new String(); b = 2; }": this class has no modifiers but it has two fields, a public String variable named a and a private int variable named b. In the body we found two assignments.
- On the method body "{ if (a == b) return true; else return false; }" (returning true or false): this method contains a security violation... where?
Slide 12: The Owasp Orizon Internals - crawling

- The Owasp Code Review project introduced source code crawling in its check list: a quick source code review can be granted
- Orizon v0.70 introduced the org.owasp.orizon.crawler package: an abstract source code crawling class, and a set of dangerous keywords for Java and C# in the default library
- Major drawback: false positives
Slide 13: The Owasp Orizon Internals - crawling

AbstractCrawler:
- read(): reads the XML file containing the desired keyword list
- check(): performs a pattern matching search over a specified file
- getReport(): returns a report with the found keywords, if any

To use the crawler, developers need to implement AbstractCrawler; JavaCrawler and CSharpCrawler exist.
Slide 14: The Owasp Orizon Internals - crawling

JavaCrawler class:

    package org.owasp.orizon.java;

    import org.owasp.orizon.core.OrizonCons;
    import org.owasp.orizon.crawler.AbstractCrawler;

    public class JavaCrawler extends AbstractCrawler {
        public JavaCrawler(String xmlFile) {
            super(xmlFile, OrizonCons.O_JAVA);
            super.read();   // load the keyword list right away
        }
    }

JavaCrawler class usage sample; developers just need to call the crawl() method:

    JavaCrawler jC = new JavaCrawler("dangerous_java_keywords.xml");
    if (jC.crawl(filename)) {
        r = jC.getReport();
        if (r != null) {
            PlainFormatter p = new PlainFormatter();
            r.report(p);
        }
    } else
        System.out.println("no dangerous keyword found during crawling");
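To make the crawler's read()/check()/getReport() flow and its false-positive drawback concrete, here is an added stand-alone Python re-implementation; it is not Orizon code, and the keyword-file layout and the Java snippet it crawls are constructed assumptions, not the real dangerous_java_keywords.xml.

```python
import re
import xml.etree.ElementTree as ET

# Constructed keyword list in the spirit of dangerous_java_keywords.xml; the
# element layout is an assumption, the real file's schema is not on the slides.
KEYWORDS_XML = """<keywords language="java">
  <keyword severity="high">Runtime.getRuntime</keyword>
  <keyword severity="high">Class.forName</keyword>
  <keyword severity="medium">Math.random</keyword>
  <keyword severity="low">printStackTrace</keyword>
</keywords>"""

# Constructed Java source to crawl: line 2 is a comment that mentions a
# dangerous keyword without calling it, the crawler's classic false positive.
JAVA_SOURCE = """package demo;
// Runtime.getRuntime() is never called here, this is only a comment
public class Demo {
    double seed = Math.random();
    void load(String n) throws Exception { Class.forName(n); }
}"""

def read_keywords(xml_text):
    """AbstractCrawler.read() analogue: return {keyword: severity}."""
    root = ET.fromstring(xml_text)
    return {k.text.strip(): k.get("severity", "low") for k in root.findall("keyword")}

def crawl(source, keywords, skip_comments=False):
    """AbstractCrawler.check() analogue: whole-token match of every keyword on
    every line; returns a list of (line number, keyword, severity, line)."""
    hits = []
    for lineno, line in enumerate(source.splitlines(), 1):
        if skip_comments and line.lstrip().startswith("//"):
            continue   # crude comment filter to cut one class of false positives
        for kw, sev in keywords.items():
            if re.search(r"(?<![\w.])" + re.escape(kw) + r"(?!\w)", line):
                hits.append((lineno, kw, sev, line.strip()))
    return hits

def report(hits):
    """getReport() + PlainFormatter analogue: one line per finding."""
    if not hits:
        return "no dangerous keyword found during crawling"
    return "\n".join(f"line {ln}: [{sev}] {kw} -> {text}" for ln, kw, sev, text in hits)

if __name__ == "__main__":
    kws = read_keywords(KEYWORDS_XML)
    print(report(crawl(JAVA_SOURCE, kws)))                      # 3 findings
    print(report(crawl(JAVA_SOURCE, kws, skip_comments=True)))  # 2 findings
```

Even with the comment filter the match is purely lexical, which is why a keyword hit is a pointer for the reviewer, not a finding by itself.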
Slide 15: DEMO - Arachne, a source code crawling tool based upon Orizon
Slide 16: The Owasp Orizon Internals - static review

org.owasp.orizon.core.Source.read():
- initialize the Jericho engine
- initialize the Dawn engine
- add XML nodes to the Jericho engine

org.owasp.orizon.core.Source.review():
- loop over the security checks
- add the check to the Jericho engine
- call the Jericho check() method
Slide 17: The Owasp Orizon Internals - static review

org.owasp.orizon.jericho.Jericho.check():
- the most important method
- returns true if a security violation has been found
- it must be called from the Source class due to read() method interoperability

    public boolean check() {
        boolean ret = false;
        long startScan = 0, endScan = 0;

        if (!isInitialized())
            return false;
        if (!checkLoaded) {
            log.error("aiee, load a check before with add() method");
            return false;
        }

        startScan = Calendar.getInstance().getTimeInMillis();
        // each sub-check's result is folded into ret with ^= (XOR)
        if (statLoaded)
            ret ^= s.check(c);
        if (equals != null)
            ret ^= equals.check(c);
        if (imports != null && imports.length != 0)
            ret ^= loop(c, new Import());
        if (classes != null && classes.length != 0)
            ret ^= loop(c, new Class());
        if (methods != null && methods.length != 0)
            ret ^= loop(c, new Method());
        ret ^= overlook();
        endScan = Calendar.getInstance().getTimeInMillis();
        report.setScanMillis(endScan - startScan);

        // the check's positiveFail flag inverts the meaning of the result
        return (!(ret ^ c.getPositiveFail()));
    }
Slide 18: The Owasp Orizon Internals - library

The security library:
- is a ZIP file
- contains one or more XML files
- is used during static code review
- a default library is provided
- developers can write their own library as well

    import org.owasp.orizon.library.*;
    ...
    DefaultLibrary dl = new DefaultLibrary("C:\\Users\\thesp0nge\\Src\\orizon_test_files");
    ...
    if (!dl.exists()) {
        System.err.println("missing " + dl.getFullName() + ", rebuilding it");
        if (!dl.create()) {
            System.err.println("can't create orizon default library");
            dl.clean();
            System.exit(-1);
        }
        dl.clean();
        System.out.println(dl.getFullName() + ": created");
    }

    // walk the library index and extract every recipe
    int recipeCount = dl.index();
    for (int count = 0; count < recipeCount; count++) {
        String rName = dl.getRecipeName(count);
        if (!dl.extract(rName)) {
            System.err.println("can't extract " + rName);
            System.exit(-1);
        }
        r = new Recipe(rName);
        r.dispose();
    } // for (int count = 0; count < recipeCount; count++)
Slide 19: The Owasp Orizon Internals - recipes

The XML files are called recipes:
- contain security checks
- contain a checksum to prevent tampering
- can contain encoded attack patterns

Callouts on a sample recipe:
- Recipes are divided in families...
- ... with a name...
- ... and a description.
- They could be applied to specific programming languages...
- ... but they require a specific Orizon version.
- They can be used in dynamic code review...
- ... or static code review.
- Each recipe has a CRC code to prevent it from tampering. (A CRC catches accidental corruption; anyone able to edit a recipe can also recompute its CRC, so it is an integrity check rather than a cryptographic tamper-proofing mechanism.)
Slide 20: The Owasp Orizon Internals - security checks

[Stack diagram residue: safe coding recipe -> Jericho engine (Code reviewing); XML Translator engine (Preprocessing)]

Every check has got:
- a unique identifier...
- a severity level saying if it is an error or just a warning...
- an impact level about how dangerous this security violation is...
- and a description.
- A flag is also present telling if the security violation occurs when the rule is matched (false) or not (true).
- Of course the security check itself is present as well...

The sample check says that if a Java class with an arbitrary name has a scope different from private or public, a security violation occurred. This violation is an error but with a low impact.
Slide 21: The Owasp Orizon Internals - security checks

- If a variable is an instance of Math.Random then a high impact error occurs: the SecureRandom class has to be used instead
- If a class extends ClassLoader then a high impact error occurs, because malicious classes can be loaded through custom class loaders
- Two Strings must not be compared using an arithmetic operator: a ClassCastException can occur
Slide 22: The Owasp Orizon Internals - review applied

    { if (a == b) return true; else return false; }

This method contains a security violation... where? ... a ClassCastException can occur when comparing two objects with an arithmetical operator. Orizon is able to guess the data type of both operands: for a variable it is simple, for a method it will be the data type returned by the method itself.
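To show how a recipe's checks are applied to the translated XML (slides 20 to 22), here is an added stand-alone Python sketch of two of the checks described on the slides, the String "==" comparison with operand type guessing and the class-scope rule with its positive-fail flag; it is not Orizon code, and the XML layout for the "uno" class (plus a getA() method added here) is a constructed assumption, not Java2XML's real output.

```python
import xml.etree.ElementTree as ET
# Constructed, simplified XML view of the slides' "uno" class (plus a getA()
# method added here); element names are assumptions, not Java2XML's format.
UNO_XML = """<class name="uno" scope="">
  <field name="a" type="String" scope="public"/>
  <field name="b" type="int" scope="private"/>
  <method name="getA" returns="String"/>
  <method name="areEqualBad" returns="boolean">
    <param name="b" type="String"/>
    <compare op="==" left="a" right="b"/>
  </method>
  <method name="areEqualGood" returns="boolean">
    <param name="b" type="String"/>
    <compare op="equals" left="a" right="b"/>
  </method>
  <method name="sameAsA" returns="boolean">
    <param name="s" type="String"/>
    <compare op="==" left="getA()" right="s"/>
  </method>
</class>"""

def operand_type(cls, method, operand):
    """Guess an operand's data type the way the slides describe: a parameter
    (shadowing a field) or a field by name, a call 'x()' by x's return type."""
    if operand.endswith("()"):
        m = cls.find(f"method[@name='{operand[:-2]}']")
        return None if m is None else m.get("returns")
    for decl in (method.find(f"param[@name='{operand}']"),
                 cls.find(f"field[@name='{operand}']")):
        if decl is not None:       # explicit None test: empty Elements are falsy
            return decl.get("type")
    return None

def check_string_compare(xml_text):
    """Error, high impact: two Strings compared with '==' (offending method names)."""
    cls = ET.fromstring(xml_text)
    hits = []
    for m in cls.findall("method"):
        for c in m.findall("compare[@op='==']"):
            left, right = (operand_type(cls, m, c.get(side)) for side in ("left", "right"))
            if left == right == "String":
                hits.append(m.get("name"))
    return hits

def check_class_scope(xml_text, positive_fail=True):
    """Error, low impact: class scope must be private or public.  positive_fail
    mirrors the recipe flag: True raises the violation when the rule does NOT match."""
    matched = ET.fromstring(xml_text).get("scope") in ("private", "public")
    return matched != positive_fail
```

Note that areEqualBad is flagged because the String parameter b shadows the int field b, and sameAsA because getA() resolves to its String return type, while areEqualGood (equals) is not.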
Slide 23: DEMO - Milk, a Java source code review tool based upon Orizon
Slide 24: The Owasp Orizon Internals - dynamic review

- Developers need only to change a flag when calling Source.review()
- Dawn parameters are the recipe to apply and the working directory in which to create helpers
- A helper is created for each method in the source file being checked
- The helper is a Java program that invokes the method giving its command line as argument
Slide 25: The Owasp Orizon Internals - dynamic review

Static code review / dynamic code review: the two listings on the slide are identical except for the second argument to Source.review(), which is true in the first listing and false in the second.

    import org.owasp.orizon.core.Source;
    import org.owasp.orizon.report.*;

    // xml file reading
    Source s = new Source(j2xml.getOutputFilename(), "." + File.separator);
    s.read();

    for (int count = 0; count < recipeCount; count++) {
        String rName = dl.getRecipeName(count);
        if (!dl.extract(rName)) {
            System.err.println("can't extract " + rName);
            System.exit(-1);
        }
        r = new Recipe(rName);
        // second argument: true in the first listing, false in the second
        org.owasp.orizon.report.Report report = s.review(r, true);
        if (report != null) {
            PlainFormatter p = new PlainFormatter();
            report.report(p);
        }
        r.dispose();
    } // for (int count = 0; count < recipeCount; count++)
Slide 26: The Owasp Orizon Internals - dynamic review

- The helper is executed passing attack patterns as arguments
- The helper output is collected and examined to understand how the method reacts to the attack pattern
- Dynamic code review is concerned with: cross site scripting attacks, SQL injection attacks, unexpected inputs (null values, empty strings, negative integers, ...)
Slide 27: The Owasp Orizon Internals - dynamic review

[Diagram: a source file with method A and method B; for each method a helper with its own main() is generated and run against the attack patterns]

Attack patterns: "/> alert('xss here');", "' or 1=1; --", ...

Evaluating output:
- are input strings filtered?
- are unhandled exceptions raised?
- ...
Slide 28: The Owasp Orizon Internals - the org.owasp.orizon.report package

- A Report is returned back to the calling program with the security checks that failed
- Formatters are provided in order to take a Report and print it out as: plain text file, XML + XSL
- Next actions are to increase the number of report output formats
Slide 29: The Owasp Orizon Project - the roadmap

- March 2008, Orizon v0.80: source code crawling; reports can be saved to file
- May 2008 @ AppSec EU Conference (Belgium), Orizon v0.90: a surprise that will make Orizon even more extensible...
- June 2008, Orizon v0.99: C# will be supported; API freeze; source code review and cleanup; documentation review
- July 2008, Orizon v1.0rc1: bug fixes; source code review and cleanup; documentation review
- September 2008 @ Owasp SOC '08, Orizon v1.0rc2: bug fixes; source code review and cleanup; Owasp Orizon Guide released as a book
- 2nd October 2008, Orizon v1.0rc3: 2nd birthday party, also code reviewers want to have fun
- October 2008 @ AppSec NY Conference, Orizon v1.0: a surprise that will make Orizon a tiny swiss army knife
Slide 30: some links before we leave...

- Orizon site: http://orizon.sourceforge.net
- Orizon blog: http://blogs.owasp.org/orizon
- Orizon page @ Owasp: http://www.owasp.org/index.php/Category:OWASP_Orizon_Project
- Milk site (for milk and arachne): http://milk.sourceforge.net
- Contact me: thesp0nge@owasp.org
Slide 31: Q&A