WebApp Sec: RE: Java Code Scanning

RE: Java Code Scanning

From: Mark Curphey <mark_at_curphey.com>
Date: Wed, 07 Jan 2004 12:49:40 -0500 (EST)

I am sure you understand the limitations of just grepping for strings etc but that said a while back when I was teaching myself Java I wrote a small app to automate finding the Ten Issues in the Securing Java book.

www.securingjava.com

I checked the online version and I can't see the checks now, but the app I wrote is ....

http://cvs.sourceforge.net/viewcvs.py/owasp/codespy/

It looks for things like access modifiers and so on. May be of help.

---- "Scovetta, Michael V" <Michael.Scovetta_at_ca.com> wrote:
> Peter,
> If your application is running in a "secure" context (applet or with
> a specific security manager in place) then there shouldn't be anything that
> could be malicious (you can disable the ability to access the filesystem and
> network). If not, then you might want to look for calls using:
> java.io.File
> java.net.*
> keyword 'native' (implied JNI calls, which are not protected
> by the Java security model)
> java.lang.Process
> java.lang.Runtime
>
> I'm sure there are more, but other than running up your CPU, if an application
> can't use the network or the file system, can't break out to another process,
> and can't use JNI, I think you might be maybe 90% safe.
>
> Michael Scovetta
>
> -----Original Message-----
> From: Peter Lee, Kah Chen [mailto:peterlee_at_crimsonlogic.com]
> Sent: Wednesday, January 07, 2004 1:57 AM
> To: webappsec_at_securityfocus.com
> Subject: Java Code Scanning
>
>
> Hi there and a good day to you,
>
> Cutting to the chase; if I am to do a textual scan of a piece of Java
> application code for potential malicious code embedded, what are the key
> words to scan for?
>
> For example in the case of C/C++ program; I might look for memory
> handling code i.e. memcpy(), strcpy(), strdup(), memset(), system
> execution code sys(), exec(), fork(), etc. IPC & RPC calls. Codes which
> try to access password directory that sort of thing.
>
> The idea is not to look for bad code writing, but to identify/flag code
> which may have security implications for more detailed study or even
> code walkthrough.
>
> Anyone have a list of keywords to search with?
>
> Thanks!
>
> Peter
>
>
>
Received on Jan 07 2004
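As an added example (written for this archive page; it is not code from any poster in the thread, nor from the CodeSpy project Mark links), here is a small Python scanner over Java source that flags the API families Michael lists. It also covers the case that a plain grep for the fully qualified name misses: `java.lang` is imported implicitly, and a wildcard `import java.io.*;` lets `File` appear unqualified. The sample Java class and the rule patterns are constructed for illustration.

```python
import re
from typing import List, Tuple

# One regex per category from the thread. java.lang needs no import, so
# Runtime and Process are matched by simple name; java.io.File and java.net
# classes are matched fully qualified here and by simple name after a
# wildcard import (see WILDCARD_NAMES). Patterns are illustrative assumptions.
RULES = [
    ("filesystem", r"\bjava\.io\.File\b"),
    ("network",    r"\bjava\.net\.\w+"),
    ("jni",        r"\bnative\b"),
    ("process",    r"\b(?:java\.lang\.)?Process(?:Builder)?\b"),
    ("runtime",    r"\b(?:java\.lang\.)?Runtime\s*\.\s*getRuntime\s*\("),
]
# Simple names that a wildcard import makes reachable without qualification.
WILDCARD_NAMES = {
    "java.io":  ("filesystem", r"\bFile(?:Reader|Writer|InputStream|OutputStream)?\b"),
    "java.net": ("network", r"\b(?:Socket|ServerSocket|URL|URLConnection|DatagramSocket)\b"),
}
IMPORT_RE = re.compile(r"^\s*import\s+(java\.(?:io|net))\.\*\s*;")

def scan_java_source(source: str) -> List[Tuple[int, str, str]]:
    """Return (line_number, category, stripped_line) for every flagged line."""
    lines = source.splitlines()
    rules = list(RULES)
    for line in lines:                       # widen the rule set per wildcard import
        m = IMPORT_RE.match(line)
        if m:
            rules.append(WILDCARD_NAMES[m.group(1)])
    hits = []
    for no, line in enumerate(lines, 1):
        code = line.split("//", 1)[0]        # drop // comments (also cuts "http://" literals)
        for category, pattern in rules:
            if re.search(pattern, code):
                hits.append((no, category, line.strip()))
    return hits

# Constructed sample input: a Java class exercising each category once.
SAMPLE = """\
package demo;
import java.io.*;
import java.util.List;

public class Worker {
    public native int fastHash(byte[] data);          // JNI
    public void run(String path) throws Exception {
        File f = new File(path);                      // reachable via java.io.*
        java.net.Socket s = new java.net.Socket("example.invalid", 80);
        Process p = Runtime.getRuntime().exec("ls");  // java.lang is implicit
        // Runtime.getRuntime() in a comment must not be flagged
    }
}
"""

if __name__ == "__main__":
    for no, category, text in scan_java_source(SAMPLE):
        print(f"{no:4d}  {category:<10}  {text}")
```

Lines 8 and 10 of the sample are the ones a grep for `java.io.File` or `java.lang.Runtime` would never report.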
