gosecure.github.io · OWASP GLOBAL APPSEC - DC Find Security Bugs in a nutshell •Detectors built...
Transcript of gosecure.github.io · OWASP GLOBAL APPSEC - DC Find Security Bugs in a nutshell •Detectors built...
![Page 1: gosecure.github.io · OWASP GLOBAL APPSEC - DC Find Security Bugs in a nutshell •Detectors built around the SpotBugs engine with a focus on security issues •Open-source •OWASP](https://reader034.fdocuments.in/reader034/viewer/2022042109/5e893b1f0c40f4738432131f/html5/thumbnails/1.jpg)
GLOBAL APPSEC DCTM
OWASP Find Security Bugs
The community static code analyzer
{ }
![Page 2: gosecure.github.io · OWASP GLOBAL APPSEC - DC Find Security Bugs in a nutshell •Detectors built around the SpotBugs engine with a focus on security issues •Open-source •OWASP](https://reader034.fdocuments.in/reader034/viewer/2022042109/5e893b1f0c40f4738432131f/html5/thumbnails/2.jpg)
OWASP GLOBAL APPSEC - DC
Agenda
• Introduction to Find Security Bugs• Why use it?
• How does it work?
• Integrations
• “Hidden” features
• Vulnerabilities found
• Conclusion
![Page 3: gosecure.github.io · OWASP GLOBAL APPSEC - DC Find Security Bugs in a nutshell •Detectors built around the SpotBugs engine with a focus on security issues •Open-source •OWASP](https://reader034.fdocuments.in/reader034/viewer/2022042109/5e893b1f0c40f4738432131f/html5/thumbnails/3.jpg)
OWASP GLOBAL APPSEC - DC
Who I am
• Philippe Arteau
• Security Researcher at GoSecure
• Past experiences:• Developer• Pentester• Security Code Review
• Open-source developer• Find Security Bugs (SpotBugs - Static Analysis for Java)• Burp and ZAP Plugins (Retire.js, CSP Auditor, Request Reissue Scripter)
Security Code Scan (Roslyn – Static Analysis for .NET)
![Page 4: gosecure.github.io · OWASP GLOBAL APPSEC - DC Find Security Bugs in a nutshell •Detectors built around the SpotBugs engine with a focus on security issues •Open-source •OWASP](https://reader034.fdocuments.in/reader034/viewer/2022042109/5e893b1f0c40f4738432131f/html5/thumbnails/4.jpg)
GLOBAL APPSEC DCTM
Introduction
![Page 5: gosecure.github.io · OWASP GLOBAL APPSEC - DC Find Security Bugs in a nutshell •Detectors built around the SpotBugs engine with a focus on security issues •Open-source •OWASP](https://reader034.fdocuments.in/reader034/viewer/2022042109/5e893b1f0c40f4738432131f/html5/thumbnails/5.jpg)
OWASP GLOBAL APPSEC - DC
Find Security Bugs in a nutshell
• Detectors built around the SpotBugs engine with a focus on security issues
• Open-source
• OWASP project since 2019
• 131 bug patterns
• Works great with Java, Kotlin and JSP• Works ok with Groovy and Scala
![Page 6: gosecure.github.io · OWASP GLOBAL APPSEC - DC Find Security Bugs in a nutshell •Detectors built around the SpotBugs engine with a focus on security issues •Open-source •OWASP](https://reader034.fdocuments.in/reader034/viewer/2022042109/5e893b1f0c40f4738432131f/html5/thumbnails/6.jpg)
OWASP GLOBAL APPSEC - DC
How does it work?
.
Core Detectors
BytecodeJava CodeSpotBugs Core
Find Security Bugs
Report
![Page 7: gosecure.github.io · OWASP GLOBAL APPSEC - DC Find Security Bugs in a nutshell •Detectors built around the SpotBugs engine with a focus on security issues •Open-source •OWASP](https://reader034.fdocuments.in/reader034/viewer/2022042109/5e893b1f0c40f4738432131f/html5/thumbnails/7.jpg)
OWASP GLOBAL APPSEC - DC
Vulnerability types
Command Injection
Cross-Site Scripting
SQL/HQL Injection
Path Traversal
Cryptography Weaknesses
Hard Coded Password
Predictable Random Generator
XML External EntityInsecure Configuration
Template Injection
![Page 8: gosecure.github.io · OWASP GLOBAL APPSEC - DC Find Security Bugs in a nutshell •Detectors built around the SpotBugs engine with a focus on security issues •Open-source •OWASP](https://reader034.fdocuments.in/reader034/viewer/2022042109/5e893b1f0c40f4738432131f/html5/thumbnails/8.jpg)
OWASP GLOBAL APPSEC - DC
Advantages
• High code coverage
• Source code level identification
• Help find vulnerabilities early in the SDLC
• Consistency
Disadvantages
• Does not cover:• Logic flaws
• Sensitive information leakage
• Production configuration
• Technology specific
• False positive (Potential vulnerabilities only)
![Page 9: gosecure.github.io · OWASP GLOBAL APPSEC - DC Find Security Bugs in a nutshell •Detectors built around the SpotBugs engine with a focus on security issues •Open-source •OWASP](https://reader034.fdocuments.in/reader034/viewer/2022042109/5e893b1f0c40f4738432131f/html5/thumbnails/9.jpg)
GLOBAL APPSEC DCTM
Integration
![Page 10: gosecure.github.io · OWASP GLOBAL APPSEC - DC Find Security Bugs in a nutshell •Detectors built around the SpotBugs engine with a focus on security issues •Open-source •OWASP](https://reader034.fdocuments.in/reader034/viewer/2022042109/5e893b1f0c40f4738432131f/html5/thumbnails/10.jpg)
OWASP GLOBAL APPSEC - DC
Integration In IDE
• IntelliJ
• Eclipse
• NetBeans
![Page 11: gosecure.github.io · OWASP GLOBAL APPSEC - DC Find Security Bugs in a nutshell •Detectors built around the SpotBugs engine with a focus on security issues •Open-source •OWASP](https://reader034.fdocuments.in/reader034/viewer/2022042109/5e893b1f0c40f4738432131f/html5/thumbnails/11.jpg)
OWASP GLOBAL APPSEC - DC
Continuous Integration
![Page 12: gosecure.github.io · OWASP GLOBAL APPSEC - DC Find Security Bugs in a nutshell •Detectors built around the SpotBugs engine with a focus on security issues •Open-source •OWASP](https://reader034.fdocuments.in/reader034/viewer/2022042109/5e893b1f0c40f4738432131f/html5/thumbnails/12.jpg)
OWASP GLOBAL APPSEC - DC
Continuous Integration
• Many free and open-source options• SonarQube (with Sonar-FindBugs)
• Jenkins (with Warnings-NG)
• Integrated in many commercial solutions• Gitlab
• CodeDX
![Page 13: gosecure.github.io · OWASP GLOBAL APPSEC - DC Find Security Bugs in a nutshell •Detectors built around the SpotBugs engine with a focus on security issues •Open-source •OWASP](https://reader034.fdocuments.in/reader034/viewer/2022042109/5e893b1f0c40f4738432131f/html5/thumbnails/13.jpg)
OWASP GLOBAL APPSEC - DC
Demonstration
Scanning the WebGoat project with Spotbugs integration for IntelliJ
{ }
![Page 14: gosecure.github.io · OWASP GLOBAL APPSEC - DC Find Security Bugs in a nutshell •Detectors built around the SpotBugs engine with a focus on security issues •Open-source •OWASP](https://reader034.fdocuments.in/reader034/viewer/2022042109/5e893b1f0c40f4738432131f/html5/thumbnails/14.jpg)
GLOBAL APPSEC DCTM
Hidden FeaturesMuch more than source code scanning…
![Page 15: gosecure.github.io · OWASP GLOBAL APPSEC - DC Find Security Bugs in a nutshell •Detectors built around the SpotBugs engine with a focus on security issues •Open-source •OWASP](https://reader034.fdocuments.in/reader034/viewer/2022042109/5e893b1f0c40f4738432131f/html5/thumbnails/15.jpg)
OWASP GLOBAL APPSEC - DC
Analyzing compiled libraries
• Allows rapid assessment of potential risks• Does not require original source code
• Able to scan classes from:• Android APK files (dex to jar required)
• WAR or EAR files
findsecbugs.bat -html -output report.htm third-party-lib.jar
![Page 16: gosecure.github.io · OWASP GLOBAL APPSEC - DC Find Security Bugs in a nutshell •Detectors built around the SpotBugs engine with a focus on security issues •Open-source •OWASP](https://reader034.fdocuments.in/reader034/viewer/2022042109/5e893b1f0c40f4738432131f/html5/thumbnails/16.jpg)
OWASP GLOBAL APPSEC - DC
Scanning without build configuration
• Complex builds are common in large enterprises
• The code reviewer can end up with• Missing dependencies or dependencies hosted on a
private repository• Custom build steps• Use of a proprietary tool
Solution
• Ask the developer to provide pre-built code
• Import inside IntelliJ (No need to recompile it)
![Page 17: gosecure.github.io · OWASP GLOBAL APPSEC - DC Find Security Bugs in a nutshell •Detectors built around the SpotBugs engine with a focus on security issues •Open-source •OWASP](https://reader034.fdocuments.in/reader034/viewer/2022042109/5e893b1f0c40f4738432131f/html5/thumbnails/17.jpg)
GLOBAL APPSEC DCTM
Vulnerabilities Found
![Page 18: gosecure.github.io · OWASP GLOBAL APPSEC - DC Find Security Bugs in a nutshell •Detectors built around the SpotBugs engine with a focus on security issues •Open-source •OWASP](https://reader034.fdocuments.in/reader034/viewer/2022042109/5e893b1f0c40f4738432131f/html5/thumbnails/18.jpg)
GLOBAL APPSEC DCTM
Struts CSRF Token Prediction
CVE-2014-7809
![Page 19: gosecure.github.io · OWASP GLOBAL APPSEC - DC Find Security Bugs in a nutshell •Detectors built around the SpotBugs engine with a focus on security issues •Open-source •OWASP](https://reader034.fdocuments.in/reader034/viewer/2022042109/5e893b1f0c40f4738432131f/html5/thumbnails/19.jpg)
OWASP GLOBAL APPSEC - DC
Code sample from Struts 2.3.17
![Page 20: gosecure.github.io · OWASP GLOBAL APPSEC - DC Find Security Bugs in a nutshell •Detectors built around the SpotBugs engine with a focus on security issues •Open-source •OWASP](https://reader034.fdocuments.in/reader034/viewer/2022042109/5e893b1f0c40f4738432131f/html5/thumbnails/20.jpg)
OWASP GLOBAL APPSEC - DC
Struts 2.3.17: FSB report
![Page 21: gosecure.github.io · OWASP GLOBAL APPSEC - DC Find Security Bugs in a nutshell •Detectors built around the SpotBugs engine with a focus on security issues •Open-source •OWASP](https://reader034.fdocuments.in/reader034/viewer/2022042109/5e893b1f0c40f4738432131f/html5/thumbnails/21.jpg)
OWASP GLOBAL APPSEC - DC
Java PRNG (java.util.Random)
![Page 22: gosecure.github.io · OWASP GLOBAL APPSEC - DC Find Security Bugs in a nutshell •Detectors built around the SpotBugs engine with a focus on security issues •Open-source •OWASP](https://reader034.fdocuments.in/reader034/viewer/2022042109/5e893b1f0c40f4738432131f/html5/thumbnails/22.jpg)
GLOBAL APPSEC DCTM
DerbyDB XXE
CVE-2015-1832
![Page 23: gosecure.github.io · OWASP GLOBAL APPSEC - DC Find Security Bugs in a nutshell •Detectors built around the SpotBugs engine with a focus on security issues •Open-source •OWASP](https://reader034.fdocuments.in/reader034/viewer/2022042109/5e893b1f0c40f4738432131f/html5/thumbnails/23.jpg)
OWASP GLOBAL APPSEC - DC
Code sample from DerbyDB 10.12.1.1
https://apache.googlesource.com/derby/+/6f55de19d898430fec96d3041a03b25fd218454f/java/engine/org/apache/derby/vti/XmlVTI.java
![Page 24: gosecure.github.io · OWASP GLOBAL APPSEC - DC Find Security Bugs in a nutshell •Detectors built around the SpotBugs engine with a focus on security issues •Open-source •OWASP](https://reader034.fdocuments.in/reader034/viewer/2022042109/5e893b1f0c40f4738432131f/html5/thumbnails/24.jpg)
OWASP GLOBAL APPSEC - DC
DerbyDB 10.12.1.1: Exploitation
Impact: Privilege escalation from basic SQL access to file access and directory listing
CREATE TABLE xml_data(xml_col XML);
DELETE FROM xml_data;INSERT INTO xml_data(xml_col) VALUES(XMLPARSE(DOCUMENT '<!DOCTYPE foo [<!ENTITY xxe SYSTEM "file:///etc/passwd" > ]><yolo>&xxe;</yolo>' PRESERVE WHITESPACE));
SELECT XMLSERIALIZE(xml_col AS CLOB) FROM xml_data;
![Page 25: gosecure.github.io · OWASP GLOBAL APPSEC - DC Find Security Bugs in a nutshell •Detectors built around the SpotBugs engine with a focus on security issues •Open-source •OWASP](https://reader034.fdocuments.in/reader034/viewer/2022042109/5e893b1f0c40f4738432131f/html5/thumbnails/25.jpg)
GLOBAL APPSEC DCTM
Spring Expression Language (SPEL) injection
CVE-2018-1273
![Page 26: gosecure.github.io · OWASP GLOBAL APPSEC - DC Find Security Bugs in a nutshell •Detectors built around the SpotBugs engine with a focus on security issues •Open-source •OWASP](https://reader034.fdocuments.in/reader034/viewer/2022042109/5e893b1f0c40f4738432131f/html5/thumbnails/26.jpg)
OWASP GLOBAL APPSEC - DC
Spring Data Commons 2.0.5
![Page 27: gosecure.github.io · OWASP GLOBAL APPSEC - DC Find Security Bugs in a nutshell •Detectors built around the SpotBugs engine with a focus on security issues •Open-source •OWASP](https://reader034.fdocuments.in/reader034/viewer/2022042109/5e893b1f0c40f4738432131f/html5/thumbnails/27.jpg)
OWASP GLOBAL APPSEC - DC
Spring Data Commons 2.0.5
Expected property path:
property1.property2
• In practice:• property[0].property• property[code()].property
![Page 28: gosecure.github.io · OWASP GLOBAL APPSEC - DC Find Security Bugs in a nutshell •Detectors built around the SpotBugs engine with a focus on security issues •Open-source •OWASP](https://reader034.fdocuments.in/reader034/viewer/2022042109/5e893b1f0c40f4738432131f/html5/thumbnails/28.jpg)
OWASP GLOBAL APPSEC - DC
Spring Data Commons: Exploitation
[…]&password[T(java.lang.Runtime).getRuntime().exec("calc")]=abc
![Page 29: gosecure.github.io · OWASP GLOBAL APPSEC - DC Find Security Bugs in a nutshell •Detectors built around the SpotBugs engine with a focus on security issues •Open-source •OWASP](https://reader034.fdocuments.in/reader034/viewer/2022042109/5e893b1f0c40f4738432131f/html5/thumbnails/29.jpg)
GLOBAL APPSEC DCTM
Conclusion
![Page 30: gosecure.github.io · OWASP GLOBAL APPSEC - DC Find Security Bugs in a nutshell •Detectors built around the SpotBugs engine with a focus on security issues •Open-source •OWASP](https://reader034.fdocuments.in/reader034/viewer/2022042109/5e893b1f0c40f4738432131f/html5/thumbnails/30.jpg)
OWASP GLOBAL APPSEC - DC
Lessons learned (What worked)
• Unit testing is key for a static code analysis tool• Regression tests with samples for every detector and heuristic
• Make test cases easy to write with DSL
• Documentation• Code has to be obvious (naming, structure, comments)
• Developer guide to contribute
• Find existing tool before building a new one• Shopping for existing frameworks
![Page 31: gosecure.github.io · OWASP GLOBAL APPSEC - DC Find Security Bugs in a nutshell •Detectors built around the SpotBugs engine with a focus on security issues •Open-source •OWASP](https://reader034.fdocuments.in/reader034/viewer/2022042109/5e893b1f0c40f4738432131f/html5/thumbnails/31.jpg)
OWASP GLOBAL APPSEC - DC
How to contribute?
Code contribution• Bug fixes• New vulnerability patterns• Code samples for new bug patterns
Help others• Answer question on StackOverflow [find-sec-
bugs] and [spotbugs]
Improve the documentation• Improve the English descriptions• (If really really motivated) Translate descriptions
![Page 32: gosecure.github.io · OWASP GLOBAL APPSEC - DC Find Security Bugs in a nutshell •Detectors built around the SpotBugs engine with a focus on security issues •Open-source •OWASP](https://reader034.fdocuments.in/reader034/viewer/2022042109/5e893b1f0c40f4738432131f/html5/thumbnails/32.jpg)
OWASP GLOBAL APPSEC - DC
Different language different OS tool
Java, PHP, …
Python
C#, VB.net
Ruby
![Page 33: gosecure.github.io · OWASP GLOBAL APPSEC - DC Find Security Bugs in a nutshell •Detectors built around the SpotBugs engine with a focus on security issues •Open-source •OWASP](https://reader034.fdocuments.in/reader034/viewer/2022042109/5e893b1f0c40f4738432131f/html5/thumbnails/33.jpg)
GLOBAL APPSEC DC
SCAN THE QR CODE TO COMPLETE THE SURVEY
Rate this Session
Thank You!
TM
OWASP, Open Web Application Security Project, Global AppSec and AppSec Days are Trademarks of the OWASP Foundation, Inc.
Philippe Arteau
• @GoSecure_Inc
• @h3xStream
Questions?
![Page 34: gosecure.github.io · OWASP GLOBAL APPSEC - DC Find Security Bugs in a nutshell •Detectors built around the SpotBugs engine with a focus on security issues •Open-source •OWASP](https://reader034.fdocuments.in/reader034/viewer/2022042109/5e893b1f0c40f4738432131f/html5/thumbnails/34.jpg)
GLOBAL APPSEC DCTM
References
![Page 35: gosecure.github.io · OWASP GLOBAL APPSEC - DC Find Security Bugs in a nutshell •Detectors built around the SpotBugs engine with a focus on security issues •Open-source •OWASP](https://reader034.fdocuments.in/reader034/viewer/2022042109/5e893b1f0c40f4738432131f/html5/thumbnails/35.jpg)
OWASP GLOBAL APPSEC - DC
Find Security Bugs related
• Official website/documentation http://find-sec-bugs.github.io/
• SpotBugs website: https://spotbugs.github.io/
• SonarQube plugin https://github.com/spotbugs/sonar-findbugs
![Page 36: gosecure.github.io · OWASP GLOBAL APPSEC - DC Find Security Bugs in a nutshell •Detectors built around the SpotBugs engine with a focus on security issues •Open-source •OWASP](https://reader034.fdocuments.in/reader034/viewer/2022042109/5e893b1f0c40f4738432131f/html5/thumbnails/36.jpg)
OWASP GLOBAL APPSEC - DC
Vulnerabilities found
• Struts CSRF Token https://blog.h3xstream.com/2014/12/predicting-struts-csrf-token-cve-2014.html
• XXE in DebyDB https://issues.apache.org/jira/browse/DERBY-6807
• Spring Data Commons Vulnerability: https://www.gosecure.net/blog/2018/05/15/beware-of-the-magic-spell-part-1-cve-2018-1273