bytecode injection
TRANSCRIPT
-
8/7/2019 Bytecode Injection
1/41
Escape From theBlack Box
Brian Chess
Fortify Software
Countering the faults of typical webscanners through bytecode injection
-
8/7/2019 Bytecode Injection
2/41
Agenda Problems With Black Box Testing
Approaches To Finding Security Issues
4 Problems With Black Box Testing
Solution: White Box Testing
Bytecode Injection
Demo
-
8/7/2019 Bytecode Injection
3/41
Black Box Testing
Today
-
8/7/2019 Bytecode Injection
4/41
Black Box Testing TodayHow Do You Find Security Issues?
Looking at architectural / design documents
Looking at the source code
Static Analysis
Looking at a running application
Dynamic Analysis
-
8/7/2019 Bytecode Injection
5/41
Static Analysis
Analysis Of Source Code and Configuration Files
Manual Source Code Reviews Automated Tools
Commercial Static Analysis Tools
Coverity
Fortify Software Klocwork
Ounce Labs
-
8/7/2019 Bytecode Injection
6/41
Dynamic Analysis Testing & Analysis Of Running Application
Find Input
Fuzz Input
Analyze Response
Commercial Web Scanners Cenzic
SPIDynamics
Watchfire ...
-
8/7/2019 Bytecode Injection
7/41
Most People Use Web Scanners
Because Easy To Run
Fast To Run
Someone Told Me To
-
8/7/2019 Bytecode Injection
8/41
But ...Did I Do A Good Job?
-
8/7/2019 Bytecode Injection
9/41
Q1: How Thorough Was My Test? Do You Know How Much Of Your
Application Was Tested?
0%
5%
10%
15%
20%
25%
30%
35%
40%
No Idea Very
uncertain
Could guess
within 30%
Could guess
within 15%
Extremely
confident
-
8/7/2019 Bytecode Injection
10/41
Q1: How Thorough Was My Test? How Much Of The Application Do You
Think You Tested?
0%
10%
20%
30%
40%
50%
0-20% of the
Application
21-40 41-60 61-80 81-100
-
8/7/2019 Bytecode Injection
11/41
Truth About Thoroughness We ran a Version 7.0 Scanner on the
following:
Application EMMA Code Coverage Tool Web SourceHacmeBooks 34% classes
12% blocks
14% lines
30.5%
JCVS Web 45% classes
19% blocks
22% lines
31.2%
Java PetStore 2 70% classes
20% blocks
23% lines
18%
-
8/7/2019 Bytecode Injection
12/41
Web Scanner Review Good
Found Real Vulnerabilities
Was Easy To Run
Bad
How Thorough Was My Test?
No Way To Tell, And Actual Coverage Is Often Low
-
8/7/2019 Bytecode Injection
13/41
Q2:Did I Find All Vulnerabilities? 3 Ways To Fail
Didnt Test
Tested But Couldnt Conclude Cant Test
-
8/7/2019 Bytecode Injection
14/41
Q2:Did I Find All Vulnerabilities?1. Didnt Test
If The Web Scanner Didnt Even Reach That
Area, It Cannot Test!
Application
TestedVulnerabilities
Not Found
Untested
Vulnerabilities
Found
-
8/7/2019 Bytecode Injection
15/41
Q2:Did I Find All Vulnerabilities?2. Tested, But Couldnt Conclude
Blind SQL Injection Vulnerabilities That Did Not
Return With A Known Signature
-
8/7/2019 Bytecode Injection
16/41
Q2:Did I Find All Vulnerabilities?2. Tested, But Couldnt Conclude
Certain Classes Of Vulnerabilities Sometimes
Can Be Detected Through HTTP Response SQL Injection
Command Injection
LDAP Injection
-
8/7/2019 Bytecode Injection
17/41
Q2:Did I Find All Vulnerabilities?3. Cant Test
Some Vulnerabilities Have No Manifestation In
Http Response
Application
Log
File
Client
I hope theyre not
logging my CC# into
plaintext log file
cc num
cc num
Your order will be
processed in 2 days
HTTP
Response
-
8/7/2019 Bytecode Injection
18/41
-
8/7/2019 Bytecode Injection
19/41
Web Scanner Review Good
Found Real Vulnerabilities
Was Easy To Run
Bad How Thorough Was My Test?
No Way To Tell, And Actual Coverage Is Often Low
Did I Find All My Vulnerabilities?
Didnt Test, Tested But Couldnt Conclude, Cant Test
-
8/7/2019 Bytecode Injection
20/41
-
8/7/2019 Bytecode Injection
21/41
Matching Signature On A Valid Page
Q3:Are The Results Reported True?
-
8/7/2019 Bytecode Injection
22/41
Q3:Are The Results Reported True? Matching Behavior On A Valid Page
To determine if the application is vulnerable to SQLinjection, try injecting an extra true condition into the
WHERE clause and if this query also returns thesame , then the application is susceptible to SQLinjection (from paper on Blind SQL Injection)
E.g. http://www.server.com/getCC.jsp?id=5
select ccnum from table where id=5 http://www.server.com/getCC.jsp?id=5 AND 1=1
select ccnum from table where id=5 AND 1=1
-
8/7/2019 Bytecode Injection
23/41
Q3:Are The Results Reported True? E.g.
http://www.server.com/getCC.jsp?id=5 select ccnum from table where id=5
Response:
No match found (No one with id 5) http://www.server.com/getCC.jsp?id=5 AND 1=1
select ccnum from table where id=5\ AND \1\=\1
Response No match found (No one with id 5 AND 1=1)
All single quotes were escaped.
According To The Algorithm (inject a true clause andlook for same response), This Is SQL InjectionVulnerability!
-
8/7/2019 Bytecode Injection
24/41
Web Scanner Review Good
Found Real Vulnerabilities
Was Easy To Run
Bad1. How Thorough Was My Test?
No Way To Tell, And Actual Coverage Is Often Low
2. Did I Find All My Vulnerabilities? Didnt Test, Tested But Couldnt Conclude, Cant Test
3. Are All The Results Reported True? Susceptible To False Signature & Behavior Matching
-
8/7/2019 Bytecode Injection
25/41
Q4: How Do I Fix The Problem? Security Issues Must Be Fixed In Source Code
Information Given
URL Parameter
General Vulnerability Description
HTTP Request/Response
But Where In My Source Code Should I Look?
-
8/7/2019 Bytecode Injection
26/41
Question 4: How Do I Fix The
Problem? Incomplete Vulnerability Report -> Bad Fixes
Report:
Injecting AAAAA..AAAAA Caused Application ToCrash
Solution By Developers:
.
if (input.equals(AAAAA..AAAAA))
return;
..
-
8/7/2019 Bytecode Injection
27/41
Web Scanner Review Good
Found Real Vulnerabilities
Was Easy To Run
Bad1. How Thorough Was My Test?
No Way To Tell, And Actual Coverage Is Often Low
2. Did I Find All My Vulnerabilities? Didnt Test, Tested But Couldnt Conclude, Cant Test
3. Are All The Results Reported True?
Susceptible To Signature & Behavior Matching
4. How Do I Fix The Problem? No Source Code / Root Cause Information
-
8/7/2019 Bytecode Injection
28/41
Attacking The ProblemsWhite Box Testing With
Bytecode Injection
-
8/7/2019 Bytecode Injection
29/41
-
8/7/2019 Bytecode Injection
30/41
How Will Monitors Solve The
Problems? How Thorough Was
My Test?
Did I Find All My
Vulnerabilities? Are All The Results
Reported True?
How Do I Fix TheP
roblem?
Monitors Inside Will Tell
Which Parts Was Hit
Monitors Inside Detects
More Vulnerabilities Very Low False Positive
By Looking At Source Of
Vulnerabilities
Monitors Inside Can GiveRoot Cause Information
-
8/7/2019 Bytecode Injection
31/41
How To Build The Solution How Do You Inject The Monitors Inside
The Application?
Where Do You Inject The MonitorsInside The Application?
What Should The Monitors Do Inside
The Application?
-
8/7/2019 Bytecode Injection
32/41
How Do You Inject The Monitors? Problem: How Do You Put The Monitors Into The
Application?
Assumption: You Do Not Have Source Code,Only Deployed Java / .NET Application
Solution: Bytecode Weaving AspectJ for Java
AspectDNG for .NET
-
8/7/2019 Bytecode Injection
33/41
How Does Bytecode Weaving Work?
Original.class
AspectJ New.class
New Code &Location Spec.
Similar process for .NET
-
8/7/2019 Bytecode Injection
34/41
How Does Bytecode Weaving Work?List getStuff(String id) {
List list = new ArrayList();
try {
String sql = select stuff frommytable where id= + id + ;
JDBCstmt.executeQuery(sql);
} catch (Exception ex) {
log.log(ex);
}
return list;
}
List getStuff(String id) {
List list = new ArrayList();
try {
String sql = select stuff frommytable where id= + id + ;
MyLibrary.doCheck(sql);
JDBCstmt.executeQuery(sql);
} catch (Exception ex) {
log.log(ex);
}
return list;
}
BeforeexecuteQuery()
Call
MyLibrary.doCheck()
-
8/7/2019 Bytecode Injection
35/41
Applying Byte-Code Injection To
Enhance Security Testing How Do You Inject The Monitors Inside
The Application?
Where Do You Inject The MonitorsInside The Application?
What Should The Monitors Do Inside
The Application?
-
8/7/2019 Bytecode Injection
36/41
-
8/7/2019 Bytecode Injection
37/41
-
8/7/2019 Bytecode Injection
38/41
aspect SQLInjection {
pointcut sqlExec(String sql):call(ResultSet Statement.executeQuery(String))
&& args(sql);
before(String sql) : sqlExec(sql) { checkInjection(sql, thisJoinPoint); }
void checkInjection(String sql, JoinPoint thisJoinPoint){System.out.println("HIT:" +
thisJoinPoint.getSourceLocation().getFileName() +
thisJoinPoint.getSourceLocation().getLine());
if (count(sql, '\'')%2 == 1) {
System.out.println("*** SQL Injection detected. SQL statement
being executed as follows: + sql);}
..
What Should The Monitors Do?
1) Report whether API was hit or not
2) Analyze The Content Of The API Call
3) Report Code-Level Information
-
8/7/2019 Bytecode Injection
39/41
Conclusions Web Scanners Good
Easy To Use
Finding Smoking Gun Bad
Lack Of Coverage Information
False Negatives
False Positives Lack Of Code-Level / Root Cause Information
-
8/7/2019 Bytecode Injection
40/41
Conclusions White Box Testing Bytecode Injection Require Access To
Running Application
In Exchange Gain Coverage Information
Find More Vulnerabilities, More Accurately
Determine Root Cause Information
-
8/7/2019 Bytecode Injection
41/41
Conclusions Use YourAdvantageAttacker Defender
Time
Attempts
Security
KnowledgeAccess To
Application