Frameworks & Security How web applications frameworks kill your security scanning

Transcription

1 Frameworks & Security How web applications frameworks kill your security scanning Christian Hang Armorize Technologies 173

2 Motivation > Web application security concerns you > Complex issue, but tools available > Understand analysis tool limitations > Frameworks make scanning difficult > Help to understand reasons & solutions

3 Web Application Security > Your web application is under attack! > Security affects the complete stack

4 DataSource ds; public void doget(httpservletrequest req, HttpServletResponse resp) { String password = req.getparameter("password"); String sql = "SELECT * FROM user WHERE name='admin' AND " + "password='" + password + "'"; Statement stmt = ds.getconnection().createstatement(); ResultSet res = stmt.executequery(sql); if (res.next()) { resp.getwriter().println("welcome"); } else { resp.getwriter().println("wrong password"); } }

5 Injection Vulnerability > Possible SQL Injection > Unvalidated user input: Tainted Source req.getparameter("password"); > Tainted data propagates: Dataflow path String password = req.getparameter("password"); String sql = "SELECT * FROM user WHERE name='admin' AND " + "password='" + password + "'"; > Unescaped tainted data is processed: Sink stmt.executequery(sql); "SELECT * FROM user WHERE AND password='' password='" OR + password 1=1 --'"; + "'";

6 Preventing Injection Vulnerabilities > Principles are simple: Don t trust user data! Validate against expected data Sanitize for output/processing > Applying them is difficult: Data flow can be complex Simple approaches don t work > Automate! Tools can help

7 Security Tools > Three types & technologies: Black box Penetration testing White box Static Code Analysis (SCA) Dynamic Analysis Runtime Guard/Monitor > Not one perfect solution

8 Security Tools > Standard: Testing after implementation Lots of findings, time constraints > Better: Testing during development > Developers likely to encounter SCA

9 Static Code Analysis > Compile time analysis > Operates on source code or binaries > Points to vulnerability on code line > Often provides traces > Can be integrated in development process

10 What can be detected by SCA? > Open Example: WebOWASP Application Top Security 10 Project > Automatic detection hard Configuration Issues (other stack areas) Business Logic Issues (a pplic a tio n dependa nt) Automatic detection feasible Validation/Sanitization Programming Practices

11 SCA Technology Limits > SCA is compile-time no runtime data > Runtime types unknown flow unclear > Execution environment not accessible > Code might be incomplete Results may not be fully accurate You ll have to know how to interpret results

12 Metrics & Terminology Code is Tool reports safe vulnerable True Negative False Negative Tool fails False sense of security nothing False Positive Vulnerability Waste of time & money True Positive

13 Where do Web Frameworks come in? > Web Frameworks omnipresent > Web Frameworks want to help you Figure out action based on URL Prepare user input to be easily accessible Separate Business Logic and Views > Magic happening in the background > A lot of runtime behavior that s opaque

14 Example: A Struts Request

15 What s the problem? > Reflection program can modify its structure and behavior at runtime > Static = Runtime type unknown > Where do I go from here? > Flow trace is > Potential for False broken / unclear Negative / Positive ((Action) Class.forName(??????????).newInstance()).execute(req); Class.forName("MyAction").newInstance()).execute(req);

16 What s the problem? > Invocation Sequence > Cross-Context-Propagation Servlet public void doget(httpservletrequest req, HttpServletResponse resp) { String user = req.getparameter("user"); req.setattribute("user_" + "data", user); req.setattribute(????????????????, getservletconfig().getservletcontext().getrequestdispatcher( "show.jsp").forward(req,resp);??????????).forward(req,resp); } JSP <p><%= request.getattribute(???????????) request.getattribute("user_data") %></p>

17 SCA Scan results > Tainted Source req.getparameter("user"); > Dataflow path String user = req.getparameter("user"); req.setattribute(????????????????, user); > Is this a sink? <%= request.getattribute(???????????) %> > Assume attribute is > Potential for False clean / tainted Negative / Positive

18 Summary of Flow Disruptions > URL invokes Actions Not obvious from source code: See XML > Actions forward to Views Not obvious from source code: See XML > Views output data from Action Cross-Context Propagation XML key to understanding the application SCA tool needs to understand framework!

19 Possible Solutions? > Require user to hardcode configuration > Tools hardcode support for framework > Dynamically translate magic into code

20 Glue Code Generation > Resolve reflection ambiguity <struts-config> <form-beans> <form-bean name="registrationform type="com.domain.form.registrationform" /> </form-beans> <action-mappings> <action attribute="registrationform input="registrationinput.jsp name="registrationform path="/registration" scope="request type="com.domain.action.registrationaction"> <forward name="success" path="/registrationsuccess.jsp" /> <forward name="fail" path="/registrationfail.jsp"/> </action> </action-mappings> </struts-config> RegistrationAction ra = new RegistrationAction(); ActionForward fwd = ra.execute( );

21 Glue Code Generation > Connect controller & views <struts-config> <form-beans> <form-bean name="registrationform type="com.domain.form.registrationform" /> </form-beans> <action-mappings> <action attribute="registrationform input="registrationinput.jsp name="registrationform path="/registration" scope="request type="com.domain.action.registrationaction"> <forward name="success" path="/registrationsuccess.jsp" /> <forward name="success" path="/registrationsuccess.jsp" /> <forward name="fail" path="/registrationfail.jsp"/> <forward name="fail" path="/registrationfail.jsp"/> </action> </action-mappings> </struts-config> RegistrationAction ra = new RegistrationAction(); ActionForward fwd = ra.execute( ); if ( ) { req.getrequestdispatcher("registrationsuccess.jsp").forward(req, res); } else { req.getrequestdispatcher("registrationfail.jsp").forward(req, res); }

22 Simple & Effective Workaround > No impact on implementation or code > Several Options Standalone (3rd party) infrastructure Bundled with tool > Not perfect, but easily extendable > Applicable to home-grown frameworks > Extends coverage of automatic analysis

23 Extended Coverage RegistrationAction ra = new RegistrationAction(); ActionForward fwd = ra.execute( ); public ActionForward execute(actionmapping map, ) { String firstname = req.getparameter("firstname"); req.setattribute("new_user", firstname); return map.findforward("success"); } if ( ) { req.getrequestdispatcher("registrationsuccess.jsp").forward(req, res); } else { req.getrequestdispatcher("registrationfail.jsp").forward(req, res); } Welcome <%= request.getattribute("new_user") %>!

24 Conclusion > You need to be aware of web security issues > Automation can help you. Know your tools > Frameworks make scanning hard > On the fly translation increases coverage

25 Christian Hang Armorize Technologies, Inc.