
Penetration Testing mailing list archives
Re: java source code audit
From: "SD List" <list () security-database com>
Date: Fri, 5 Oct 2007 10:42:49 +0200 (CEST)
Hi there,

I posted a news item about OWASP CLASP on Sept 2nd. This framework could be a great help for auditing code (any language). You can find my post here: http://www.security-database.com/toolswatch/OWASP-CLASP-V-1-2-Integrating.html

As for myself, this is the best method to follow. Automated software could miss stuff.

Anyway, here are two programs I found in my tools database:
http://findbugs.sourceforge.net/ (open source and sponsored by fortifysoftware.com)
http://www.spidynamics.com/products/devinspect/index.html (commercial)

cheers
N.O
Security-database.com
Anna,

Well I don't know that a specific tool is warranted for this exact situation. First things first - I would start to learn the protocol the client and server speak. What does the client do to start the communication? Does this client have to provide a username / password? Is there a delay after an authentication attempt to slow down a dictionary attack? Is there any authentication at all? Hopefully the communication from client to server is clear text and easy to understand with ethereal - that can help you become intimate with the way they communicate.

From the black box perspective, I would probably start modifying the source code to the client, or build my own dummy client quickly with perl. Start the process of building a malicious client - you're going to have to proof of concept any vulnerability you find in an audit of the source code of the server. This process will allow the auditor to become more acquainted with the protocol the client and server speak. Then it becomes a matter of checking every time the server takes input from the client - what sanity checks are performed on the input? If the server expects in a particular input a hostname to connect to, for example, and you supply some kind of bs string like japofpoaief83810984fr2iuqhp - will the server try to connect to that? Will that cause the server to crash? You're basically trying to find where you can cause the server to trip up on itself - this may or may not lead to a security issue. Maybe the author of the server has commands that can be run, but didn't program them into the client, and just left them in the server. Can you run them with your newfound client? Programmers are lazy - and don't like to destroy their own code.

So to answer your question, what tool would I use? I haven't found automated scanners useful - this kind of thing just requires the labor of love of understanding why the architecture or behavior of a particular application sucks - most do - and exploit it.

There are automated source code scanners out there - google can point you to some - but my testing of the open source ones was that they were too noisy to prove useful, and miss too much.

Brian

On 10/4/07, Angelacci, Anna M CTR SPAWAR, J616 <anna.angelacci () navy mil> wrote:

Mr. Brian,

I would be interested in what tools you find to audit your applications. My team performs C & A work. We also produce Application Security Plans and have no clue right now what to use to scan the source code and associated libs. Sharing of your data collection on this issue would be greatly appreciated.

Respectfully requesting,
Annie

-----Original Message-----
From: listbounce () securityfocus com [mailto:listbounce () securityfocus com] On Behalf Of Brian Toovey
Sent: Wednesday, October 03, 2007 9:12 PM
To: Guillermo Caminer
Cc: pen-test () securityfocus com
Subject: Re: java source code audit

I'm doing a source code audit of a client-server application developed in Java.

I guess my response is - from the perspective of the server: don't trust the client. I would concentrate on the source code of the server, assuming a malicious client can throw anything at it that it wants to. At every instance where the client is supposed to supply input to the server, is this input sanitized / checked? What can happen if malformed input is passed? Depending on the application type, simply crashing it can be enough, in which case unexpected client input can be enough. From there you should start to see possible issues if you find functions taking input where sanity isn't checked. In a sense, you must become intimate with the protocol this client / server speak - then fuzz it / check every instance of input. Although that's just how I would approach it - I am sure others have their opinions...

--
Brian Toovey
admin () vulntrac com
http://vulntrac.com

------------------------------------------------------------------------
This list is sponsored by: Cenzic
Need to secure your web apps NOW? Cenzic finds more, "real" vulnerabilities fast. Click to try it, buy it or download a solution FREE today!
http://www.cenzic.com/downloads
------------------------------------------------------------------------
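One concrete shape of the "does the server check it?" question Brian raises, as an added example that is not code from the thread or from any poster: a hypothetical Java server that opens a connection to a client-supplied hostname, shown unchecked and then with syntax and allowlist validation. The class, method names, the allowed hosts and port 5432 are all assumptions.

```java
import java.io.IOException;
import java.net.Socket;
import java.util.Locale;
import java.util.Set;
import java.util.regex.Pattern;

// Hypothetical server-side handler for a client message carrying a hostname.
public final class HostnameInputCheck {
    // RFC 1123 label syntax: letters/digits, hyphens only in the middle, max 63 chars
    private static final Pattern LABEL =
            Pattern.compile("[A-Za-z0-9]([A-Za-z0-9-]{0,61}[A-Za-z0-9])?");
    // Hosts this server is actually meant to reach (assumed); anything else is refused
    private static final Set<String> ALLOWED =
            Set.of("db.internal.example", "cache.internal.example");

    // Vulnerable shape an audit should flag: the client's string goes straight to the network.
    static Socket connectUnchecked(String hostFromClient) throws IOException {
        return new Socket(hostFromClient, 5432);
    }

    // Hardened: reject by syntax, then by policy, before any DNS lookup or connect happens.
    static String validateHostname(String hostFromClient) {
        if (hostFromClient == null || hostFromClient.isEmpty() || hostFromClient.length() > 253) {
            throw new IllegalArgumentException("bad length");
        }
        String host = hostFromClient.toLowerCase(Locale.ROOT);
        for (String label : host.split("\\.", -1)) {      // -1 keeps empty labels so "a..b" fails
            if (!LABEL.matcher(label).matches()) {
                throw new IllegalArgumentException("bad label: '" + label + "'");
            }
        }
        if (!ALLOWED.contains(host)) {                      // well-formed is not the same as permitted
            throw new IllegalArgumentException("host not permitted: " + host);
        }
        return host;
    }

    static Socket connectChecked(String hostFromClient) throws IOException {
        return new Socket(validateHostname(hostFromClient), 5432);
    }

    public static void main(String[] args) {
        // Constructed inputs: one legitimate host, the junk string from the thread, and two malformed names
        String[] samples = {"db.internal.example", "japofpoaief83810984fr2iuqhp", "-bad-.example", "a..b"};
        for (String s : samples) {
            try {
                System.out.println(s + " -> accepted: " + validateHostname(s));
            } catch (IllegalArgumentException e) {
                System.out.println(s + " -> rejected (" + e.getMessage() + ")");
            }
        }
    }
}
```

The junk string passes the syntax check (it is a valid single label) and is only stopped by the allowlist, which is why the audit question has to be "what is this input allowed to be?" rather than just "is it well-formed?".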
Current thread:
- java source code audit Guillermo Caminer (Oct 03)
- Re: java source code audit Robin Sheat (Oct 03)
- Re: java source code audit David M. Zendzian (Oct 04)
- Re: java source code audit Brian Toovey (Oct 03)
- Re: java source code audit Brian Toovey (Oct 04)
- Re: java source code audit SD List (Oct 05)
- Re: java source code audit Robin Sheat (Oct 03)
- Re: java source code audit AdityaK (Oct 04)
- RE: java source code audit Debasis Mohanty (Oct 04)
- <Possible follow-ups>
- Re: java source code audit nmonkee (Oct 04)
- Re: java source code audit cwright (Oct 04)