Re: java source code audit

From: SD List (list@security-database.com)
Date: Fri Oct 05 2007 - 04:42:49 EDT


Hi there,

I posted a news item about OWASP CLASP on Sept 2nd.
This framework could be a great help for auditing code (any language).

You can find here my post
http://www.security-database.com/toolswatch/OWASP-CLASP-V-1-2-Integrating.html

As for myself, this is the best method to follow. Automated software
could miss stuff.

Anyway, here are two programs I found in my tools database:

http://findbugs.sourceforge.net/ (open source and sponsored by
fortifysoftware.com)
http://www.spidynamics.com/products/devinspect/index.html
(commercial)

Cheers

N.O
Security-database.com

> Anna,
>
> Well I don't know that a specific tool is warranted for this exact
> situation.
>
> First things first - I would start to learn the protocol the client
> and server speak. What does the client do to start the communication?
> Does this client have to provide a username / password? Is there a
> delay after authentication attempt to slow down a dictionary attack?
> Is there any authentication at all?
>
> Hopefully the communication from client to server is clear text and
> easy to understand with ethereal - that can help you become intimate
> with the way they communicate.
>
> From the black box perspective, I would probably start modifying the
> source code to the client, or build my own dummy client quickly with
> perl. Start the process of building a malicious client - you're going
> to have to proof-of-concept any vulnerability you find in an audit of
> the source code of the server. This process will allow the auditor to
> become more acquainted with the protocol the client and server speak.
>
> Then it becomes a matter of checking every time the server takes input
> from the client - what sanity checks are performed in the input? If
> the server expects in a particular input a hostname to connect to for
> example, and you supply some kind of bs string like
> japofpoaief83810984fr2iuqhp - will the server try to connect to that?
> Will that cause the server to crash?
>
> You're basically trying to find where you can cause the server to trip
> up on itself - this may or may not lead to a security issue.
>
> Maybe the author of the server has commands that can be run, but didn't
> program them into the client, and just left them in the server. Can
> you run them with your newfound client? Programmers are lazy - and
> don't like to destroy their own code.
>
> So to answer your question, what tool would I use? I haven't found
> automated scanners useful - this kind of thing just requires the
> labor of love of understanding why the architecture or behavior of a
> particular application sucks - most do - and exploit it.
>
> There are automated source code scanners out there - google can point
> you to some - but my testing of the open source ones was that they
> were too noisy to prove useful, and miss too much.
>
> Brian
>
> On 10/4/07, Angelacci, Anna M CTR SPAWAR, J616 <anna.angelacci@navy.mil>
> wrote:
>> Mr. Brian, I would be interested in what tools you find to audit your
>> applications. My team performs C & A work. We also produce Application
>> Security Plans and have no clue right now what to use to scan the source
>> code and associated libs.
>> Sharing of your data collection on this issue would be greatly
>> appreciated.
>> Respectfully requesting,
>> Annie
>>
>> -----Original Message-----
>> From: listbounce@securityfocus.com [mailto:listbounce@securityfocus.com]
>> On Behalf Of Brian Toovey
>> Sent: Wednesday, October 03, 2007 9:12 PM
>> To: Guillermo Caminer
>> Cc: pen-test@securityfocus.com
>> Subject: Re: java source code audit
>>
>>
>> > I'm doing a source code audit of a client-server application developed
>> > in Java.
>>
>> I guess my response is - from the perspective of the server: don't trust
>> the client. I would concentrate on the source code of the server,
>> assuming a malicious client can throw anything at it that it wants to.
>>
>> At every instance where the client is supposed to supply input to the
>> server, is this input sanitized / checked? What can happen if malformed
>> input is passed?
>>
>> Depending on the application type, simply crashing it can be enough, in
>> which case unexpected client input can be enough. From there you should
>> start to see possible issues if you find functions taking input where
>> sanity isn't checked.
>>
>> In a sense, you must become intimate with the protocol this client /
>> server speak - then fuzz it / check every instance of input.
>>
>> Although that's just how I would approach it - I am sure others have
>> their opinions...
>>
>>
>>
>> --
>> Brian Toovey
>> admin@vulntrac.com
>> http://vulntrac.com
>>
>> ------------------------------------------------------------------------
>> This list is sponsored by: Cenzic
>>
>> Need to secure your web apps NOW?
>> Cenzic finds more, "real" vulnerabilities fast.
>> Click to try it, buy it or download a solution FREE today!
>>
>> http://www.cenzic.com/downloads
>> ------------------------------------------------------------------------
>>
>
>
> --
> Brian Toovey
> admin@vulntrac.com
> http://vulntrac.com
>
>
>

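As an added illustration (not code from anyone in this thread), the "connect <hostname>" case Brian describes, in Java: the unchecked handler an audit of the server typically turns up, beside a checked one that bounds the input, accepts only the command the client is meant to send, validates hostname syntax and consults an allowlist. The sample lines, the class name and the allowed hosts are constructed assumptions.

```java
import java.util.Set;
import java.util.regex.Pattern;

public final class ClientInputCheck {
    // Constructed sample lines, as a dummy or malicious client might send them.
    static final String[] SAMPLE = {
        "connect mail.example.com",
        "connect japofpoaief83810984fr2iuqhp",
        "connect ",
        "debug-dump",
        "cn"
    };

    // Hostname syntax per RFC 1123: dot-separated labels of letters, digits and hyphens, 253 chars max.
    private static final Pattern HOSTNAME = Pattern.compile(
        "^(?=.{1,253}$)([a-zA-Z0-9]([a-zA-Z0-9-]{0,61}[a-zA-Z0-9])?\\.)*"
        + "[a-zA-Z0-9]([a-zA-Z0-9-]{0,61}[a-zA-Z0-9])?$");

    // Hosts this server is actually meant to reach; assumed for the example.
    private static final Set<String> ALLOWED_HOSTS = Set.of("mail.example.com", "db.example.com");

    // Before: the pattern an audit usually finds. The argument goes from the wire straight
    // to the connect logic, and a line shorter than "connect " throws and crashes the handler.
    static String handleUnchecked(String line) {
        String host = line.substring("connect ".length());
        return "connecting to " + host;
    }

    // After: bound the length, accept only the verb the client is meant to use (so no
    // leftover server-only commands are reachable), check syntax, then check the allowlist.
    static String handleChecked(String line) {
        if (line == null || line.length() > 512) return "rejected: oversized line";
        String[] parts = line.split(" ", 2);
        if (!parts[0].equals("connect")) return "rejected: unknown command";
        if (parts.length < 2 || parts[1].isEmpty()) return "rejected: missing hostname";
        String host = parts[1].toLowerCase();
        if (!HOSTNAME.matcher(host).matches()) return "rejected: malformed hostname";
        if (!ALLOWED_HOSTS.contains(host)) return "rejected: host not on allowlist";
        return "connecting to " + host;
    }

    public static void main(String[] args) {
        for (String cmd : SAMPLE) {
            String before;
            try { before = handleUnchecked(cmd); } catch (RuntimeException e) { before = "server crashed: " + e; }
            System.out.println("[" + cmd + "] unchecked -> " + before + " | checked -> " + handleChecked(cmd));
        }
    }
}
```

Note that the garbage string is syntactically a valid single-label hostname, so the regex alone would let it through; it is the allowlist that stops the server connecting wherever the client names.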



This archive was generated by hypermail 2.1.7 : Sat Apr 12 2008 - 10:58:09 EDT