Cert-In Training Program

for
Government, PSUs and Critical Infrastructure companies

Organized By: Data Security Council of India

Under the Project

Cyber-Security Awareness Program,
(A DIT-NASSCOM Project)

Secure Code Review for Java Applications

20th November 2009

Jaykishan Nirmal
Consultant, Trainer and Forensic Investigator
Aujas Confidential
Disclaimer

The aspects discussed in this presentation are

purely my observations and opinions. They may
not be necessarily correct, specially when
generalization is used.

Incidents, examples, people, organizations etc. are

used only to illustrate the points of discussion.

we do not claim any rights on any proprietary

content used for illustrations.

Aujas Confidential
Agenda

09:30 Registration and Welcome

10:00 Application Code Review Basics
10:30 Secure handling of User input in Java based Applications
11:15 Pause (15 Minutes)
11:30 Session Management in Java based Applications
13:00 Lunch Break
14:00 Authentication & Authorization in Java web Applications
15:30 Pause (15 Minutes)
15:45 Secure code review techniques/Methodologies for Java based
Applications
17:00 Q&A
17:15 Closing and End

Aujas Confidential
Disclaimer

Famous Buddha Quote-

“Believe nothing, no matter where you

read it, or who said it, no matter if I have
said it, unless it agrees with your own
reason and your own common sense.”

Hence, Whatever I say, may not be “right” but I think, it is “real” and “practical”.

Aujas Confidential
Sun Tzu

“如果你知道敌人知道，你不必担心的结
果， 很多的 战役。如果你知道你自己而
不是敌人，取得的每一个胜利你同样会遭
受失败。如果你知道无论是敌人还是自己，
你会屈服于在每一个战役。 “

孙子兵法-孙子兵法

Aujas Confidential
Sun Tzu – Chinese Military General

“If you know the enemy and know yourself,

you need not fear the result of a hundred

battles. If you know yourself but not the

enemy, for every victory gained you will

also suffer a defeat. If you know neither the

enemy nor yourself, you will succumb in

every battle.”

Sun Tzu – The Art of War

Aujas Confidential
Security

Aujas Confidential
What is Security?

 Freedom from risk or danger; safety

 Freedom from doubt, anxiety, or fear; confidence

 Something that gives or assures safety

 In the computer industry, refers to techniques for ensuring that data

stored in a computer cannot be read or compromised by any individuals
without authorization

 A state of well-being of information and infrastructure

Aujas Confidential
Security Terminology

 Asset – An asset is a resource of value

 Threat – Any undesired event which might compromise the security of an

asset.

 Vulnerability – Inherent weakness or flaw in the system.

 Attack/Exploit – Action that utilizes one or more vulnerabilities to realize a

threat.

 Adversary – Someone who offers opposition – Opponent

 Countermeasure – defense put in place to minimize the impact of threats.

Aujas Confidential
Application Security

Aujas Confidential
Some Statistics

The security of a software-intensive system is directly related to the quality of its

software1.

• Over 90% of software security incidents are caused by attackers exploiting

known software defects.

• Analysis of 45 e-business applications showed that 70% of security defects

were design defects.

• Experienced and capable software engineers unintentionally inject, on

average, one defect every nine lines of code.

• A one million line of code systems typically contains 1,000-5,000 defects when
shipped.

1 http://www.sei.cmu.edu/tsp/tsp-security.html

Aujas Confidential
SANS Common Coding Errors

Aujas Confidential
Application Security Trends : Q3-Q4 2008

Source: Application Security Trends Report Q3-Q4 2008, Cenzic

Aujas Confidential
Software Development – Perfect World

Aujas Confidential
Software Development – Real World

Aujas Confidential
Cost Matters!

Aujas Confidential
Why to Worry

 Applications are protection layer for –

 Intellectual Property
 Customer/Partner/Employee Private Information

 Internet Facing applications expose a greater “attack surface”

 Impact/ Ramifications of breaches is high

 Laws and Regulations such as HIPAA, SOX, GLBA, DPA, IPR etc.
 Financial implications of unauthorized disclosure
 Damage to business reputation
 System down time
 Lost Consumer Confidence

 Cost

 No Standard Patches Available for Customized Application

Aujas Confidential
Case Study : CardSystems Inc.

Aujas Confidential
Few Millions SQL Injection Attack

Aujas Confidential
Application Security & CIA

Aujas Confidential
Core Principles of Security

Confidentiality

Availability Integrity

Aujas Confidential
What is CIA?

• Confidentiality
Confidentiality means prevention of disclosure of information to
unauthorized individuals or systems.

• Integrity
Integrity means data cannot be modified without authorization

• Availability
Availability means Information should be available whenever needed or
requested.

Aujas Confidential
• Authenticity
It is also important for authenticity to validate that both parties involved
are who they claim they are

• Non-repudiation
In law, non-repudiation implies one's intention to fulfill their obligations to
a contract.

It also implies that one party of a transaction can not deny having received
a transaction nor can the other party deny having sent a transaction.

Aujas Confidential
Secure Code Review

Aujas Confidential
Definition

 Secure code review is the process of auditing code for an application on a

line by line basis for its security quality

 It’s manual process

 It’s labor intensive but accurate if performed by humans (and mixture of

expensive and inexpensive tools)

 Writing a code is easy, but secure code requires proper homework

Aujas Confidential
Secure Code Review Objectives

 Idea is to uncover possible potential flaws early in software development

life cycle

 A general rule of thumb is that a Penetration Testing should not discover

any additional application vulnerabilities relating to the developed code
after the application has undergone a proper secure code review

 Assures that Developers follow Secure Practices

Aujas Confidential
Then Start !

Aujas Confidential
Bug Vs. Flaw

• Bug – A implementation level software security Problem (e.g. SQL

Injection)

• Flaw – A design level software security problem (e.g. Insecure

Authorization Implementation)

• Bug is subset of Flaw

• A bug is error in Code, while Flaw is any defect in the Program

Aujas Confidential
Aujas Confidential
Aujas Confidential
Aujas Confidential
Methodology

Application Understanding

Threat Modeling

White Box Code Review

Gap Analysis

Reporting

Aujas Confidential
Understand

 Code

 Context

 Audience

 Importance

Aujas Confidential
Threat Modeling

 STRIDE – classify threats

 Spoofing Identity
 Tampering with Data
 Repudiation
 Information Disclosure
 Denial of Service
 Elevation of Privilege

 DREAD – rank vulnerabilities

 Damage Potential
 Reproducibility
 Exploitability
 Affected Users
 Discoverability
Aujas Confidential
Known Vulnerabilities In Software

 Injection Flaws
 Cross Site Scripting
 Malicious File Execution
 Insecure Direct Object Reference
 Cross Site Request Forgery (CSRF)
 Information Leakage and Improper Error Handling
 Broken Authentication and Session Management
 Insecure Cryptographic Storage
 Insecure Communications
 Failure to restrict URL Access

Aujas Confidential
Way Around + Checklist

• Multiple-Pass Approach
• Keyword Search Approach

Aujas Confidential
Keyword Search Approach

Generic Keywords Legacy Interaction SQL & Database

 Hack  Java.lang.run  jdbc
 Kludge time.exec  executeQuery
 Bypass  Select
 Steal Session  insert
Management  update
 Stolen
 delete
 Divert  invalidate  execute
 Broke  getId  executestatement
 Trick  getSession  java.sql.ResultSet.getString
 java.sql.ResultSet.getObject
 Fix
 java.sql.Statement.executeUpdate
 ToDo  java.sql.Statement.executeQuery
 java.sql.Statement.execute
 java.sql.Statement.addBatch
 java.sql.Connection.prepareStatement
 java.sql.Connection.prepareCall
Aujas Confidential
 Cross Site Scripting File

 javax.servlet.ServletOutputStream.  ObjectInputStream
print  PipedInputStream
 javax.servlet.jsp.JspWriter.print  StreamTokenizer
 java.io.PrintWriter.print  getResourceAsStream
 java.io.FileReader
 java.io.FileWriter
Legacy Methods
 java.io.RandomAccessFile
 printf  java.io.File
 strcpy  java.io.FileOutputStream

Aujas Confidential
 Error Handling Input Output Streams

 catch{  Java.io
 Finally  FileInputStream
 ObjectInputStream
 FilterInputStream
 PipedInputStream
 SequenceInputStream
 StringBufferInputStream
 BufferedReader
 ByteArrayInputStream
 CharArrayReader

Aujas Confidential
 Servlets Servlets Servlets

javax.servlet. Javax.servlet. Javax.servlet.

 getParameterNames  getLocalName  isUserInRole
 getParameterValues  getAttribute  getOutputStream
 getParameter  getAttributeNames  getWriter
 getParameterMap  getLocalAddr  addCookie
 getScheme  getAuthType  addHeader
 getProtocol  getRemoteUser  setHeader
 getContentType  getCookies  javax.servlet.http.Co
 getServerName  isSecure okie
 getRemoteAddr  HttpServletRequest  getName
 getRemoteHost  getQueryString  getPath
 getRealPath  getHeader  getDomain
 getRequestedSessionId  getPrincipal  getComment
 getValue Aujas Confidential
How to Do It -

 Pair Programming

 Team Review

 Peer Review

 Individual Review

Aujas Confidential
Pair Programming

 Pair programming is a software

development technique in which
two programmers work together
at one work station.

 One types in code while the other

reviews each line of code as it is
typed in.

 The person typing is called the

driver.

 The person reviewing the code is

called the observer or navigator.

Aujas Confidential
Team Code Review – Formal Team

 A team of at least 5 people in conference room with a whiteboard and a

Projector

 5 Roles should be –
 Moderator
 Narrator/Reader
 Author
 Subject Matter Expert
 Recorder

Aujas Confidential
Focus is important!

Aujas Confidential
Rapid Peer Reviews

• Developers sit together

• Each take turns in

questioning code written by
others

Aujas Confidential
Individual Review

 Try to look a code from an

attacker perspective

 May use automated tools

Aujas Confidential
Secure Code Review – How to Start with

 Collect list of threats identified during Threat Modeling Phase – Prioritize

which code to look first and deep

 Formal Review Team should know what common security bugs look like

 Decide on Approach to follow

 Follow checklists to drive Code Review

 Reporting format is important !

Aujas Confidential
How to Report

 Description of Vulnerability
 Severity
 Complexity
 Impact
 Affected URL(s)/Page(s)
 Line No. of Vulnerable Code
 Recommendations
 References

Aujas Confidential
Aujas Confidential
Spot the Bug!

Aujas Confidential
Spot the Bug!

boolean theTruth = false;

if (theTruth = true)
{
System.out.println("theTruth is true");
}
else
{
System.out.println("theTruth is
false;");
}

Aujas Confidential
Spot the Bug!

int x = 3;
if (x==5) {}
else if (x<9)
{
System.out.println("x is less than 9");
}
else if (x<6)
{
System.out.println("x is less than 6");
}
else
{
System.out.println("else");
}
Aujas Confidential
Spot the Bug !

int x = 2, y = 3;
if (x == y)
if (y == 3)
x = 3;
else
x = 4;

What is the value of X ?

Aujas Confidential
Spot the Bug !

public static String hashMD5(String str)

{
byte[] b = str.getBytes();
MessageDigest md = null;
try
{
md = MessageDigest.getInstance("MD5");
md.update(b);
} catch (NoSuchAlgorithmException e)
{
// it's got to be there
e.printStackTrace();
}
return (base64Encode(md.digest()));
}

Aujas Confidential
Spot the Bug !

public final class BrokenPerson

{
private String firstName;
private String lastName;
private Date dob;
public BrokenPerson( )
{

}
public String getFirstName()
{
return this.firstName;
}
public void setFirstName(String firstName)
{
this.firstName = firstName;
}
}

Aujas Confidential
Spot the Bug !

HttpCookie cookie = Request.Cookies*“Login Attempts”+;

cookie.expires = now. addHours(10);
int logattemtps = convert.toInteger(cookie.value.toString());
cookieval=Integer.parse(cookie.value.toString());
if (cookieval >0)
cookieVal-=1;
HttpCookie attemptCookie = new HttpCookie (“Login Attempts”);
attemptCookie.value = cookieval.toString();

Aujas Confidential
Spot the Bug !

String Uname = request.getParameter (“User”);

String Pword =request.getParameter (Password”);
String s = “SELECT * FROM Table WHERE Username = ‘ “ + UName + “ “ AND
Password = ‘ “ + Pword “ ‘ “;
Statement stmt = connection.createStatement ();
ResultSet rs = stmt.executeQuery (s);
If (rs.next ()) {
UID = rs.getInt (1)
User = rs.getString (2)
}
PrintWriter writer= response.getWriter ();
writer.println (“User Name: “+ User);
}

Aujas Confidential
Spot the Bug !

public ArrayList<HashMap<String, String>> searchItems(String productName)

{
ResultSet resultSet = null;
ArrayList<HashMap<String, String>> items = new ArrayList<HashMap<String,String>>();
HashMap<String, String> result = new HashMap<String, String>();
String query = "Select * from items where productName like '%"+ productName+"%' and
forsale = 'Y' ";
try {
resultSet = getResultSet(query);
while(resultSet.next())
{
result.put("Id", Integer.toString(resultSet.getInt("id")));
result.put("Name", resultSet.getString("productName"));
result.put("Price", Integer.toString(resultSet.getInt("price")));
result.put("Desc", resultSet.getString("prodDesc"));
items.add(result);
result = new HashMap<String, String>();
}
closeConnection();
}
catch(Exception e)
{
System.out.println(e);
}
return items; Aujas Confidential
}
Spot the Bug !

Iterator iter = request.getParameterNames ();

While (iter.hasNext ())

{
String paramName = (String) iter.next ();
out.println (paramName +request.getParameter (paramName));
}

Aujas Confidential
Spot the Bug !

public class DoStuff {

public string executeCommand(String userName)
{
try {
String myUid = userName;
Runtime rt = Runtime.getRuntime();
rt.exec("doStuff.exe " +”-“ +myUid); // Call exe with userID
} catch(Exception e) {
e.printStackTrace();
}
}
}

Aujas Confidential
Spot the Bug !
public void doPost(HttpServletRequest req,…) ,

String customerId = req.getParameter(“customerId”);

String productId= req.getParameter(“prodId”);

String Price = req.getParameter(“price”);

Integer price = Integer.valueOf(stringPrice);

// Order will be processed in SubmitOrder Function

orderManager.submitOrder(prodId,customerId,price);

} // end doPost

Aujas Confidential
 Spot the Bug!
protected void doPost(HttpServletRequest req, HttpServletResponse res) {
try {
String username = req.getParameter(“USERNAME”);
String password = req.getParameter(“PASSWORD”);
try {
Connection connection = DatabaseUtilities.makeConnection();
PreparedStatement statement = connection.prepareStatement
("SELECT * FROM user_system_data WHERE user_name = ? AND password = ?”);
statement.setString(1,username);
statement.setString(2,password);
ResultSet results = statement.executeQuery(query);
results.first();
if (results.getString(1).equals(“”)) ,
s.setMessage("Invalid username and password entered.");
return (makeLogin(s));
} // end results check
} catch (Exception e) {}
// continue and display the page
if (username != null && username.length() > 0) {
return (makeUser(s, username, "PARAMETERS"));
} // end username test
} catch (Exception e) {
s.setMessage("Error generating " + this.getClass().getName());
} // end try/catch
Aujas Confidential
return (makeLogin(s));
Spot the Bug !

protected void doPost(HttpServletRequest req, HttpServletResponse res) {

String title = req.getParameter(“TITLE”);
String message = req.getParameter(“MESSAGE”);
try {
connection = DatabaseUtilities.makeConnection(s);
PreparedStatement statement =
connection.prepareStatement
(“INSERT INTO messages VALUES(?,?)”);
statement.setString(1,title);
statement.setString(2,message);
statement.executeUpdate();
} catch (Exception e) {
…
} // end catch
} // end doPost

Aujas Confidential
protected void doPost(HttpServletRequest req, HttpServletResponse res) {
try {
String username = req.getParameter(“USERNAME”);
String password = req.getParameter(“PASSWORD”);
try {
Connection connection = DatabaseUtilities.makeConnection();
PreparedStatement statement = connection.prepareStatement
("SELECT * FROM user_system_data WHERE user_name = “ + username +
AND password = ” + password);
ResultSet results = statement.executeQuery(query);
if(results.next())
{
successLogin();
}
} // end results check
catch (Exception e)
{

Aujas Confidential
 Spot the Bug !
protected void doPost(HttpServletRequest req, HttpServletResponse res) {
String query =
"SELECT userid, name FROM user_data WHERE accountnum = '"
+ req.getParameter(“ACCT_NUM”)
+ “’”;
PrintWriter out = res.getWriter();
// HTML stuff to out.println…
try {
connection = DatabaseUtilities.makeConnection(s);
Statement statement = connection.createStatement();
ResultSet results = statement.executeQuery(query);
while (results.next ()) {
out.println("<TR><TD>“ + rset.getString(1) + “</TD>”);
out.println("<TD>“ + rset.getString(2) + “</TD>”);
} // end while
} catch (Exception e) {
// exception handling…
} // end catch
} // end doPost
Aujas Confidential
Spot the Bug !

if (session.getCurrentUser().isAdmin())
{
MenuList.add("View Profile ","/jsp/Profile.do?action=view&id=" + Id);
MenuList.add("Edit Profile","/jsp/Profile.do?action=edit&id=" + Id);
MenuList.add("Delete Profile","/jsp/Profile.do?action=delete&id=“ + Id);
}
else
{
MenuList.add("View Profile","/jsp/Profile.do?action=view&id=" + Id);
}

Aujas Confidential
Spot the Bug !

Try
{
ElevatePrivilege();
ReadSecretFile();
LowerPrivilege();
}
Catch (Exception e)
{
CatchException();
}

Aujas Confidential
Is there anything wrong with error Msgs ?

“The password is Invalid”

“Username does not exist”

“bad admin password”

Aujas Confidential
 Spot the Bug!

protected void doPost(HttpServletRequest req, HttpServletResponse res) {

String query =
"SELECT userid, name FROM user_data WHERE accountnum = '"
+ req.getParameter(“ACCT_NUM”) + “’”;
PrintWriter out = res.getWriter();
// HTML stuff to out.println…
try {
connection = DatabaseUtilities.makeConnection(s);
Statement statement = connection.createStatement();
ResultSet results = statement.executeQuery(query);
while (results.next()) {
out.println("<TR><TD>“ + rset.getString(1) + “</TD>”);
out.println("<TD>“ + rset.getString(2) + “</TD>”);
} // end while
} catch (Exception e) {
e.printStackTrace(out);
} // end catch
Aujas Confidential
} // end doPost
Spot the Bug!

Private void Log_Function (DataObject obj, System.EventArgs exp)

{
LogData (“User ” + obj.txtUserName + “ with Password ” + obj.txtPassword
+ “ Logged in at “ + getCurrentDate&Time();
}

try {
DataObject data = GetLoginDetails();
//..
if(data.success())
Log_Function(data);
}
Catch {}

Aujas Confidential
Spot the Bug ! – FinalPayment.jsp

<html>
<script>
function purchase(ids, price) {
if(validate())
{
document.forms['payment'].ids.value = ids;
document.forms['payment'].price.value = price;
document.forms['payment'].submit();
}}
</script>

<form method="post" action="http://www.shoppingcart.com/process">

………………………………
…………………………………
………………………………..
<input type="hidden" name="ids" value="1,23,2">
<input type="hidden" name="describe" value="Some Book Name">
<input type="hidden" name="Qty" value="3">
<input type="hidden" name="Price" value="200.00">
</html>
Aujas Confidential
Checklists

Aujas Confidential
 Authentication
 Authorization
 Cookie Management
 Data Validation
 Error Handling/Information Leakage

Note : visit references to download OWASP Code Review Guide

Aujas Confidential
Static Code Analysis

 Static code analysis is the analysis of computer software that is performed

without actually executing programs built from that software.

Open Source Tools Commercial Tools

 Findbugs  CodeSecure
 FlawFinder  Coverity
 CheckStyle  Fortify
 OWASPCodeCrawler  CodeScan
 PMD  Klockwork
 Hammurapi  …
 ITS4
 RATS
 ….

Aujas Confidential
Stastics

Source :“Secure Programming with Static Analysis”

Aujas Confidential
Static Analysis Tools

 Advantages -
 Can scan large amount of code
 Results are consistent
 Identify common security mistakes
 Coverage is possible maximum

 Disadvantages-
 Do not find all security flaws
 So many False Positives
 Sometime may provide false sense of security

Aujas Confidential
Best Hybrid Approach

Automated + Manual

Aujas Confidential
Dynamic Code Analysis

 Dynamic analysis is the analysis of computer software that is performed

by executing programs built from that software system on a real or virtual
processor

 Reduce Debugging Time

 Pinpoint error as and when it occurs

 Tools like –
 Coverity etc.

Aujas Confidential
Dynamic Code Analysis

 Advantages
 Runtime Defect Detection
 Improve Security of Multi-Threaded Applications
 Control Multi-core Complexity

 Disadvantages
 Much more complex to work with
 Cannot guarantee the full coverage of the source code, as is runs
based on user interaction or automatic tests

Aujas Confidential
Automated Vs. Manual Review Approach
Automated Review
 Much Faster
 Can not detect
semantic/logic flaws
 Need human intervention to
remove false positives
 Have list of standard
solutions embedded into it
 Very easily deal with large
amount of code
 Maintains consistency of the
Review
 Improves coverage/accuracy
of the review
 Tools do not understand
Context
Manual Review
 Slower
 Can understand code and
detect semantic/logic flaws
 Can recommend best
solution for the problem
 Fails when no of lines of
code
 Consistency can not be
guaranteed
 Coverage depends on
reviewer
 Human do understand
context
Aujas Confidential
References

• OSSTMM
http://www.osstmm.org

• OWASP
http://www.owasp.org

• OSVDB
http://osvdb.org/
•
• CVE
http://cve.mitre.org/

• Secunia
http://www.secunia.com

Aujas Confidential
References

 OWASP Code Crawler Project

http://www.owasp.org/index.php/Category:OWASP_Code_Crawler

 OWASP Code Review

http://www.owasp.org/index.php/OWASP_Code_Review_Guide_Table_of_
Contents

 OWASP Code Review Guide

http://www.lulu.com/content/5678680

Aujas Confidential
Thanks

Jaykishan.nirmal@aujas.com

Aujas Confidential