Re: java source code audit

From: Brian Toovey (admin@vulntrac.com)
Date: Thu Oct 04 2007 - 18:22:39 EDT

• Next message: Jorge Hoya: "Re: SQL Injection- Bypassing magic_quotes"
• Previous message: Andrew Court: "RE: SQL Injection- Bypassing magic_quotes"
• Maybe in reply to: Guillermo Caminer: "java source code audit"
• Next in thread: SD List: "Re: java source code audit"
• Reply: SD List: "Re: java source code audit"
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]

Anna,

Well I dont know that a specific tool is warranted for this exact situation.

First things first - I would start to learn the protocol the client
and server speak. What does the client do to start the communication?
Does this client have to provide a username / password? Is there a
delay after authentication attempt to slow down a dictionary attack?
Is there any authentication at all?

Hopefully the communication from client to server is clear text and
easy to understand with ethereal - that can that help become intimate
with the way they communicate.

>From the black box perspective, I would probably start modifying the
source code to the client, or build my own dummy client quickly with
perl. Start the process of building a malicious client - your going
to have to proof of concept any vulnerability you find in an audit of
the source code of the server. This process will allow the auditor to
become more acquainted with the protocol the client and server speak.

Then it becomes a matter of checking every time the server takes input
from the client - what sanity checks are performed in the input? If
the server expects in a particular input a hostname to connect to for
example, and you supply some kind of bs string like
japofpoaief83810984fr2iuqhp - will the server try to connect to that?
Will that cause the server to crash?

Your basically trying to find where you can cause the server to trip
up on itself - this may or may not lead to a security issue.

Maybe the author of the server has commands that can be run, but didnt
program them into the client, and just left them in the server. Can
you run them with your newfound client? Programmers are lazy - and
dont like to destroy their own code.

So you answer your question what tool would I use? I haven't found
automated scanners usefull - This kind of thing just requires the
labor of love of understanding why the architecture or behavior of a
particular application sucks - most do - and exploit it.

There are automated source code scanners out there - google can point
you to some - but my testing of the open source ones was that they
were too noisy to proove usefull, and miss to much.

Brian

On 10/4/07, Angelacci, Anna M CTR SPAWAR, J616 <anna.angelacci@navy.mil> wrote:
> Mr. Brian, I would be interested in what tools you find to audit your
> applications. My team performs C & A work. We also produce Application
> Security Plans and have no clue right now what to use to scan the source
> code and associated libs.
> Sharing of your data collection on this issue would be greatly
> appreciated.
> Respectfully requesting,
> Annie
>
> -----Original Message-----
> From: listbounce@securityfocus.com [mailto:listbounce@securityfocus.com]
> On Behalf Of Brian Toovey
> Sent: Wednesday, October 03, 2007 9:12 PM
> To: Guillermo Caminer
> Cc: pen-test@securityfocus.com
> Subject: Re: java source code audit
>
>
> > I'm doing a source code audit of a client-server application developed
>
> > in Java.
>
> I guess my response is - from the perspective of the server: don't trust
> the client. I would concentrate on the source code of the server,
> assuming a malicous client can throw anything at it that it wants to.
>
> At every instance where the client is supposed to supply input to the
> server, is this input saitized / checked? What can happen if malformed
> input is passed?
>
> Depending on the application type, simply crashing it can be enough, in
> which case unexpected client input can be enough. From there you should
> start to see possible issues if you find functions taking input where
> sanity isn't checked.
>
> In a sense, you must become intimate with the protocol this client /
> server speak - then fuzz it / check every instance of input.
>
> Although thats just how I would approach it - I am sure others have
> their opinions...
>
>
>
> --
> Brian Toovey
> admin@vulntrac.com
> http://vulntrac.com
>
> ------------------------------------------------------------------------
> This list is sponsored by: Cenzic
>
> Need to secure your web apps NOW?
> Cenzic finds more, "real" vulnerabilities fast.
> Click to try it, buy it or download a solution FREE today!
>
> http://www.cenzic.com/downloads
> ------------------------------------------------------------------------
>

-- 
Brian Toovey
admin@vulntrac.com
http://vulntrac.com
------------------------------------------------------------------------
This list is sponsored by: Cenzic
Need to secure your web apps NOW?
Cenzic finds more, "real" vulnerabilities fast.
Click to try it, buy it or download a solution FREE today!
http://www.cenzic.com/downloads
------------------------------------------------------------------------

• Next message: Jorge Hoya: "Re: SQL Injection- Bypassing magic_quotes"
• Previous message: Andrew Court: "RE: SQL Injection- Bypassing magic_quotes"
• Maybe in reply to: Guillermo Caminer: "java source code audit"
• Next in thread: SD List: "Re: java source code audit"
• Reply: SD List: "Re: java source code audit"
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]

This archive was generated by hypermail 2.1.7 : Sat Apr 12 2008 - 10:58:09 EDT