<?xml version="1.0" encoding="UTF-8"?>
<?xml-stylesheet type="text/xsl" media="screen" href="/~d/styles/atom10full.xsl"?><?xml-stylesheet type="text/css" media="screen" href="http://feeds.feedburner.com/~d/styles/itemcontent.css"?><feed xmlns="http://www.w3.org/2005/Atom" xmlns:dc="http://purl.org/dc/elements/1.1/" xmlns:thr="http://purl.org/syndication/thread/1.0">
    <title>IBM Rational Application Security Insider</title>
    
    <link rel="hub" href="http://hubbub.api.typepad.com/" />
    <link rel="alternate" type="text/html" href="http://blog.watchfire.com/wfblog/" />
    <id>tag:typepad.com,2003:weblog-1300270</id>
    <updated>2009-11-17T23:44:27+02:00</updated>
    
    <generator uri="http://www.typepad.com/">TypePad</generator>
    <atom10:link xmlns:atom10="http://www.w3.org/2005/Atom" rel="self" type="application/atom+xml" href="http://feeds.feedburner.com/WatchfireApplicationSecurityInsider" /><feedburner:info xmlns:feedburner="http://rssnamespace.org/feedburner/ext/1.0" uri="watchfireapplicationsecurityinsider" /><atom10:link xmlns:atom10="http://www.w3.org/2005/Atom" rel="hub" href="http://pubsubhubbub.appspot.com/" /><entry>
        <title>Why Your Static Analysis Scanner Should Use String Analysis</title>
        <link rel="alternate" type="text/html" href="http://blog.watchfire.com/wfblog/2009/11/why-your-static-analysis-scanner-should-use-string-analysis.html" />
        <link rel="replies" type="text/html" href="http://blog.watchfire.com/wfblog/2009/11/why-your-static-analysis-scanner-should-use-string-analysis.html" thr:count="0" />
        <id>tag:typepad.com,2003:post-6a00d835130c5153ef012875ae465f970c</id>
        <published>2009-11-17T23:44:27+02:00</published>
        <updated>2009-11-17T23:44:27+02:00</updated>
        <summary>I just read an awesome blog post at “Schmoilitos Way”, that describes a scenario, in which, someone ran a static analysis tool, found a vulnerability, patched it using a faulty input validation routine, and then re-ran the scan, this time...</summary>
        <author>
            <name>Ory Segal</name>
        </author>
        
        
<content type="html" xml:lang="en-US" xml:base="http://blog.watchfire.com/wfblog/">&lt;p&gt;I just read an &lt;a href="http://schmoil.blogspot.com/2009/10/null-byte-injection.html" target="_blank"&gt;awesome blog post at “Schmoilitos Way”&lt;/a&gt; that describes a scenario in which someone ran a static analysis tool, found a vulnerability, patched it using a faulty input validation routine, and then re-ran the scan, this time telling the scanner that the validation routine clears tainted input – Big Mistake!&lt;/p&gt;  &lt;blockquote&gt;   &lt;p&gt;This application had been pen-tested before. It had also been scanned using a popular commercial static analysis tool, and had gotten a clean bill of health. So, let's just say that management was a little, um, curious about why this bug was still alive and well. And by curious, I actually mean furious.&lt;/p&gt;    &lt;p&gt;So what went wrong? After the first pen-test, the blatant directory traversal bug was "fixed" with a new validation routine that scrutinized the end of the file name. &lt;strong&gt;This new routine was declared a validation routine in the static analysis tool, and any subsequent data flows that passed through it were considered safe.&lt;/strong&gt; Game over. Hooray for tools!&lt;/p&gt; &lt;/blockquote&gt;  &lt;p&gt;Last year, when IBM came out with the first edition of AppScan Developer Edition, it contained a new and promising technology called “&lt;a href="http://domino.watson.ibm.com/comm/research_projects.nsf/pages/labasec.stringanalysis.html" target="_blank"&gt;String Analysis&lt;/a&gt;”. There was some buzz around it, but most people didn’t quite understand why they need it and what it is good for. The scenario described in the blog post above is a text-book example of why String Analysis is important.&lt;/p&gt;  &lt;p&gt;String Analysis removes the need to configure input sanitizers and validators when scanning your code. 
It does this by understanding the constraints on a given string, and the set of possible values that string might have at a given point in the program.&lt;/p&gt;  &lt;p&gt;This basically means that even if a developer wrote a piece of code that performs input validation, String Analysis is able to analyze that validation code itself and determine whether the vulnerability still exists.&lt;/p&gt;  &lt;p&gt;Make sure to check AppScan Source Edition’s upcoming versions, which will probably include &lt;a href="http://domino.watson.ibm.com/comm/research_projects.nsf/pages/labasec.pubsandpatents.html" target="_blank"&gt;more cutting edge technologies&lt;/a&gt; from IBM Research.&lt;/p&gt;</content>


    </entry>
    <entry>
        <title>Technical  Logical Vulnerabilities == Design  Implementation Vulnerabilities</title>
        <link rel="alternate" type="text/html" href="http://blog.watchfire.com/wfblog/2009/11/technical-logical-vulnerabilities-design-implementation-vulnerabilities.html" />
        <link rel="replies" type="text/html" href="http://blog.watchfire.com/wfblog/2009/11/technical-logical-vulnerabilities-design-implementation-vulnerabilities.html" thr:count="3" thr:updated="2009-11-17T11:55:41+02:00" />
        <id>tag:typepad.com,2003:post-6a00d835130c5153ef0120a6957641970b</id>
        <published>2009-11-13T20:06:44+02:00</published>
        <updated>2009-11-13T20:08:36+02:00</updated>
        <summary>Hi, While at the OWASP DC conference, an interesting thought came to me, which I’d like to hear people’s opinion about. So you all probably know about technical vs. logical vulnerabilities, right? I think it was Jeremiah Grossman who came...</summary>
        <author>
            <name>Ory Segal</name>
        </author>
        
        
<content type="html" xml:lang="en-US" xml:base="http://blog.watchfire.com/wfblog/">&lt;p&gt;Hi,&lt;/p&gt;  &lt;p&gt;While at the OWASP DC conference, an interesting thought came to me, and I’d like to hear people’s opinions about it. So you all probably know about technical vs. logical vulnerabilities, right? I think it was &lt;a href="http://www.whitehatsec.com/home/resources/articles/files/c91b8015260b2e3cf572a95033d4a9b8-5.html" target="_blank"&gt;Jeremiah Grossman who came up with this classification&lt;/a&gt;. Anyway, while thinking about this classification, I noticed that (almost) all technical vulnerabilities stem from insecure software implementation, and (almost) all logical vulnerabilities stem from insecure software design and/or architecture. If you think about it some more, most technical vulnerabilities are fixed by repairing your code, and most logical vulnerabilities are fixed by applying secure design patterns (fixing your design) or by modifying your architecture to be more secure.&lt;/p&gt;  &lt;p&gt;So, IMHO:&lt;/p&gt;  &lt;p&gt;Technical vulnerabilities == Implementation vulnerabilities&lt;/p&gt;  &lt;p&gt;Logical vulnerabilities == Design &amp;amp; Architecture vulnerabilities&lt;/p&gt;  &lt;p&gt;What do you think? I’d love to hear your comments.&lt;/p&gt;</content>


    </entry>
    <entry>
        <title>Web Application Security Scanner Evaluation Criteria v1.0 released!</title>
        <link rel="alternate" type="text/html" href="http://blog.watchfire.com/wfblog/2009/10/web-application-security-scanner-evaluation-criteria-v10-released.html" />
        <link rel="replies" type="text/html" href="http://blog.watchfire.com/wfblog/2009/10/web-application-security-scanner-evaluation-criteria-v10-released.html" thr:count="0" />
        <id>tag:typepad.com,2003:post-6a00d835130c5153ef0120a5d520f9970b</id>
        <published>2009-10-10T09:43:57+03:00</published>
        <updated>2009-10-10T09:43:57+03:00</updated>
        <summary>Hey there, I’m happy to announce the availability of a new WASC project I have been working on for a long time – WASSEC: The Web Application Security Scanner Evaluation Criteria (WASSEC) is a set of guidelines to evaluate web...</summary>
        <author>
            <name>Ory Segal</name>
        </author>
        
        
<content type="html" xml:lang="en-US" xml:base="http://blog.watchfire.com/wfblog/">&lt;p&gt;Hey there,&lt;/p&gt;  &lt;p&gt;I’m happy to announce the availability of a new WASC project I have been working on for a long time – &lt;a href="http://projects.webappsec.org/Web-Application-Security-Scanner-Evaluation-Criteria" target="_blank"&gt;WASSEC&lt;/a&gt;:&lt;/p&gt;  &lt;blockquote&gt;   &lt;p&gt;&lt;a href="http://projects.webappsec.org/Web-Application-Security-Scanner-Evaluation-Criteria" target="_blank"&gt;The Web Application Security Scanner Evaluation Criteria&lt;/a&gt; (WASSEC) is a set of guidelines to evaluate web application scanners on their ability to effectively test web applications and identify vulnerabilities.  It covers areas such as crawling, parsing, session handling, testing, and reporting. &lt;/p&gt;    &lt;p&gt;The goal of the WASSEC is to create a vendor-neutral document to help guide web application security professionals during web application scanner evaluations.  This document provides a comprehensive list of features that should be considered when conducting a web application security scanner evaluation.  Different users will place varying levels of importance on each feature, and the WASSEC provides the user with the flexibility to take this comprehensive list of potential scanner features, narrow it down to a shorter list of features that are important to the user, assign weights to each feature, and conduct a formal evaluation to determine which scanning solution best meets the user's needs.&lt;/p&gt;    &lt;p&gt;The aim of this document is not to define a list of &lt;i&gt;requirements&lt;/i&gt; that all web application security scanners must provide in order to be considered a "complete" scanner, and evaluating specific products and providing the results of such an evaluation is outside the scope of the WASSEC project.  
Instead, this project provides the tools and documentation to enable anyone to evaluate web application security scanners and choose the product that best fits their needs.  NIST Special Publication 500-269, "Software Assurance Tools:  Web Application Security Scanner Functional Specification Version 1.0", contains minimal requirements for mandatory and optional web application scanner features.  This document can be found at &lt;a href="https://samate.nist.gov"&gt;https://samate.nist.gov&lt;/a&gt;.&lt;/p&gt; &lt;/blockquote&gt;  &lt;p&gt;Some of the sharpest minds in the webappsec industry contributed to this (group) effort, and I hope you will find it useful when evaluating scanning products. If you’d like to discuss this document in person, I will be at the &lt;a href="http://www.owasp.org/index.php/OWASP_AppSec_DC_2009" target="_blank"&gt;OWASP AppSec DC&lt;/a&gt; conference next month, and would gladly answer any questions you might have.&lt;/p&gt;  &lt;p&gt;-Ory &lt;/p&gt;</content>


    </entry>
    <entry>
        <title>IBM Acquires Ounce Labs, Inc.</title>
        <link rel="alternate" type="text/html" href="http://blog.watchfire.com/wfblog/2009/07/ibm-acquires-ounce-labs-inc.html" />
        <link rel="replies" type="text/html" href="http://blog.watchfire.com/wfblog/2009/07/ibm-acquires-ounce-labs-inc.html" thr:count="0" />
        <id>tag:typepad.com,2003:post-6a00d835130c5153ef01157241011a970b</id>
        <published>2009-07-28T16:47:23+03:00</published>
        <updated>2009-07-28T16:51:28+03:00</updated>
        <summary>http://finance.yahoo.com/news/IBM-Acquires-Ounce-Labs-prnews-3505446639.html?x=0&amp;.v=1 ARMONK, N.Y., July 28 /PRNewswire-FirstCall/ -- IBM (NYSE: IBM) today announced it has acquired Ounce Labs, Inc., a privately-held company based in Waltham, Massachusetts, whose software helps companies reduce the risks and costs associated with security and compliance concerns....</summary>
        <author>
            <name>Ory Segal</name>
        </author>
        <category scheme="http://www.sixapart.com/ns/types#category" term="Info Bits" />
        
        
<content type="html" xml:lang="en-US" xml:base="http://blog.watchfire.com/wfblog/">&lt;p&gt;&lt;a href="http://finance.yahoo.com/news/IBM-Acquires-Ounce-Labs-prnews-3505446639.html?x=0&amp;amp;.v=1" title="http://finance.yahoo.com/news/IBM-Acquires-Ounce-Labs-prnews-3505446639.html?x=0&amp;amp;.v=1"&gt;http://finance.yahoo.com/news/IBM-Acquires-Ounce-Labs-prnews-3505446639.html?x=0&amp;amp;.v=1&lt;/a&gt;&lt;/p&gt; &lt;blockquote&gt; &lt;p&gt;ARMONK, N.Y., July 28 /PRNewswire-FirstCall/ -- IBM (NYSE: &lt;a href="http://us.lrd.yahoo.com/_ylt=Ap4o0jYQqMU3FKT01JcFUeixcq9_/SIG=110r7ao0k/**http%3A//www.ibm.com/investor"&gt;&lt;span style="text-decoration: underline;"&gt;IBM&lt;/span&gt;&lt;/a&gt;) today announced it has acquired &lt;a href="http://us.lrd.yahoo.com/_ylt=AuRsNx0K65R7myf7LpBL0AOxcq9_/SIG=10ufs64rg/**http%3A//www.ouncelabs.com/"&gt;&lt;span style="text-decoration: underline;"&gt;Ounce Labs, Inc.&lt;/span&gt;&lt;/a&gt;, a privately-held company based in Waltham, Massachusetts, whose software helps companies reduce the risks and costs associated with security and compliance concerns. IBM will integrate Ounce Labs, a leading provider of enterprise source code security testing, into its &lt;a href="http://us.lrd.yahoo.com/_ylt=AoRG_2_p_47XHpIgxUcoj9Kxcq9_/SIG=11d7jm5r5/**http%3A//www-01.ibm.com/software/rational/"&gt;&lt;span style="text-decoration: underline;"&gt;Rational&lt;/span&gt;&lt;/a&gt; software business. Financial terms were not disclosed.&lt;/p&gt; &lt;/blockquote&gt; &lt;p&gt;Exciting news!&lt;/p&gt;</content>


    </entry>
    <entry>
        <title>Windows Desktop Search  Indirect Script Injection</title>
        <link rel="alternate" type="text/html" href="http://blog.watchfire.com/wfblog/2009/06/windows-desktop-search-indirect-script-injection.html" />
        <link rel="replies" type="text/html" href="http://blog.watchfire.com/wfblog/2009/06/windows-desktop-search-indirect-script-injection.html" thr:count="0" />
        <id>tag:typepad.com,2003:post-67929509</id>
        <published>2009-06-10T13:53:35+03:00</published>
        <updated>2009-06-15T17:34:26+03:00</updated>
        <summary>Background Windows Desktop Search (WDS) is a popular desktop search tool released by Microsoft. WDS indexes a large variety of files located on the user's computer (as well as network shares, if configured to do so by the user). It...</summary>
        <author>
            <name>Yair Amit</name>
        </author>
        <category scheme="http://www.sixapart.com/ns/types#category" term="Research" />
        <category scheme="http://www.sixapart.com/ns/types#category" term="Web Application Security" />
        
        
<content type="html" xml:lang="en-US" xml:base="http://blog.watchfire.com/wfblog/">&lt;div xmlns="http://www.w3.org/1999/xhtml"&gt;&lt;p&gt;&lt;strong&gt;&lt;span style="text-decoration: underline;"&gt;Background&lt;/span&gt;&lt;/strong&gt;&lt;/p&gt; &lt;p&gt;&lt;em&gt;Windows Desktop Search&lt;/em&gt; (&lt;em&gt;WDS&lt;/em&gt;) is a popular desktop search tool released by Microsoft. &lt;em&gt;WDS &lt;/em&gt;indexes a large variety of files located on the user's computer (as well as network shares, if configured to do so by the user). It then offers fast searching capabilities over these files. Like some of its competitors, &lt;em&gt;WDS &lt;/em&gt;uses an embedded Internet Explorer browser component in order to preview the search results to the user.&lt;/p&gt; &lt;p&gt;Browsers embedded within desktop applications have been a favorite research topic of mine for some time now, due to the special security-context issues posed by embedded browsers.&lt;/p&gt; &lt;p&gt;One of the interesting challenges of trying to attack desktop applications that use embedded browser components is discovering the injection vector – it usually requires unusual measures to mount a successful script injection attack in such cases.&lt;/p&gt; &lt;p&gt;A while ago I found a way of indirectly injecting JavaScript code into the &lt;em&gt;WDS&lt;/em&gt; embedded browser. Because of its security context, I discovered it was possible to access data on any domain (bypassing the Same Origin Policy) and therefore gather some very interesting data from the attacked box.&lt;/p&gt; &lt;p&gt;A &lt;a href="http://www.microsoft.com/technet/security/Bulletin/MS09-023.mspx"&gt;fix for the attack&lt;/a&gt; described below has just been released by Microsoft. 
If you use &lt;em&gt;WDS&lt;/em&gt;, it is advisable to install the fix.&lt;/p&gt; &lt;p&gt;&lt;strong&gt;&lt;span style="text-decoration: underline;"&gt;Vulnerability&lt;/span&gt;&lt;/strong&gt;&lt;/p&gt; &lt;p&gt;&lt;em&gt;WDS&lt;/em&gt; previews the search results to the user via an embedded browser. In order to support non-HTML/XML files, &lt;em&gt;WDS&lt;/em&gt; uses converters that transform the files into HTML. As part of this process, potentially hazardous characters are escaped by the converters.&lt;/p&gt; &lt;p&gt;However, it turns out that HTML files do not undergo any sanitization process before being presented. Instead, &lt;em&gt;WDS &lt;/em&gt;simply loads the files into its embedded browser from the local hard drive.&lt;/p&gt; &lt;p&gt;In accordance with the security settings of the embedded browser, the aforementioned local HTML files are loaded with partial JavaScript execution permissions that require no user approval.&lt;/p&gt; &lt;p&gt;While the ActiveX implementation of XMLHTTP (&lt;font color="#800000"&gt;&lt;em&gt;e.g. new ActiveXObject("Msxml2.XMLHTTP")&lt;/em&gt;…&lt;/font&gt;) cannot be initiated automatically due to a security restriction, it turns out that the XMLHttpRequest JS object (&lt;em&gt;&lt;font color="#800000"&gt;new XMLHttpRequest()…&lt;/font&gt;&lt;/em&gt;) can be initiated and used without limitations.&lt;/p&gt; &lt;p&gt;What makes this vulnerability particularly interesting is the fact that in this context the &lt;em&gt;XMLHttpRequest&lt;/em&gt; object can freely interact with any domain, sending along the victim's persistent cookies (if there are any). In other words, an attacker exploiting the aforementioned vulnerability can impersonate the victim on sites for which the victim is authenticated. 
&lt;em&gt;&lt;strong&gt;"Example of a Possible Attack"&lt;/strong&gt;&lt;/em&gt; below shows how sensitive information might be hijacked from a Gmail account.&lt;/p&gt; &lt;p&gt;&lt;strong&gt;&lt;span style="text-decoration: underline;"&gt;Attack Flow &lt;/span&gt;&lt;/strong&gt;&lt;/p&gt; &lt;ol&gt;&#xD;
  &lt;li&gt;A remote attacker puts a specially crafted HTML file in a directory indexed by &lt;em&gt;WDS&lt;/em&gt;. This phase can be accomplished in either of the following ways:    &lt;ul&gt;&#xD;
    &lt;li&gt;Exploiting a "File Dropping" vulnerability (such as the recent "Carpet-Bombing" vulnerabilities in Safari &amp;amp; Google Chrome).     &lt;ul&gt;&#xD;
      &lt;li&gt; &lt;span style="text-decoration: underline;"&gt;Anecdote:&lt;/span&gt; Due to the security evolution of Google Chrome, up-to-date versions ask for user-approval when an .HTM file download attempt takes place (instead of auto-downloading it, as it used to):  &lt;br&gt;&lt;a href="http://blog.watchfire.com/.a/6a00d835130c5153ef011570ecaf9a970b-pi" target="_blank"&gt;&lt;img alt="chrome_htm_download" border="0" height="42" src="http://blog.watchfire.com/.a/6a00d835130c5153ef011570ecafb3970b-pi" style="border-width: 0px; display: inline;" title="chrome_htm_download" width="320"&gt;&lt;/img&gt;&lt;/a&gt;  &lt;br&gt;However, I discovered that it is still possible to drop MHTML files by causing an automatic download attempt of an *.mht file:        &lt;br&gt;&lt;a href="http://blog.watchfire.com/.a/6a00d835130c5153ef01156ff7e375970c-pi" target="_blank"&gt;&lt;img alt="chrome_mht_download" border="0" height="40" src="http://blog.watchfire.com/.a/6a00d835130c5153ef011570ecafd2970b-pi" style="border-width: 0px; display: inline;" title="chrome_mht_download" width="223"&gt;&lt;/img&gt;&lt;/a&gt;  &lt;/li&gt;&#xD;
     &lt;/ul&gt;&#xD;
    &lt;/li&gt;&#xD;
    &lt;li&gt;Taking advantage of the fact that HTML files are presumed by many to be harmless (especially if not directly loaded by a browser) to mount a social engineering attack. &lt;/li&gt;&#xD;
   &lt;/ul&gt;&#xD;
  &lt;/li&gt;&#xD;
  &lt;li&gt;Let's assume the specially crafted HTML filename is: &lt;strong&gt;&lt;em&gt;mal.html&lt;/em&gt;&lt;/strong&gt;.    &lt;ul&gt;&#xD;
    &lt;li&gt;The file should contain some likely-to-be-queried keywords as well as JavaScript code. (e.g. "&lt;em&gt;Watchfire IBM Microsoft &amp;lt;script&amp;gt;alert(123)&amp;lt;/script&amp;gt;&lt;/em&gt;"). &lt;/li&gt;&#xD;
   &lt;/ul&gt;&#xD;
  &lt;/li&gt;&#xD;
  &lt;li&gt;At that point, &lt;strong&gt;&lt;em&gt;mal.html&lt;/em&gt;&lt;/strong&gt; is already indexed by Windows Desktop Search. &lt;/li&gt;&#xD;
  &lt;li&gt;At some point, the user queries for a word that shows up in &lt;strong&gt;&lt;em&gt;mal.html &lt;/em&gt;(&lt;/strong&gt;"Microsoft", for example) via &lt;em&gt;Windows Desktop Search&lt;/em&gt;. &lt;/li&gt;&#xD;
  &lt;li&gt;Due to the lack of sanitization, when &lt;strong&gt;&lt;em&gt;mal.html&lt;/em&gt;&lt;/strong&gt; is displayed via the preview pane (which is in fact an embedded IE browser) the script within &lt;strong&gt;&lt;em&gt;mal.html&lt;/em&gt;&lt;/strong&gt; is automatically executed. &lt;/li&gt;&#xD;
 &lt;/ol&gt;&#xD;
 &lt;p&gt;&lt;span style="text-decoration: underline;"&gt;NOTES&lt;/span&gt;:&lt;/p&gt; &lt;ul&gt;&#xD;
  &lt;li&gt;If the results pane is ordered by date, it is very likely that &lt;strong&gt;&lt;em&gt;mal.html&lt;/em&gt;&lt;/strong&gt; will be selected automatically, without any user interaction. &lt;/li&gt;&#xD;
  &lt;li&gt;In order to amplify the success rate of the attack, multiple files that contain malicious JavaScript code along with likely-to-be-queried keywords can be dropped to the victim's hard-drive. &lt;/li&gt;&#xD;
 &lt;/ul&gt;&#xD;
 &lt;p&gt;&lt;strong&gt;&lt;span style="text-decoration: underline;"&gt;Example of a Possible Attack&lt;/span&gt;&lt;/strong&gt;&lt;/p&gt; &lt;p&gt;In this scenario, our victim has a Google account (&lt;em&gt;an.innocent.user@gmail.com&lt;/em&gt;) with one message full of secret passwords in its inbox. &lt;/p&gt; &lt;p&gt;&lt;a href="http://blog.watchfire.com/.a/6a00d835130c5153ef01156ff7e395970c-pi" target="_blank"&gt;&lt;img alt="gmail main page" border="0" height="146" src="http://blog.watchfire.com/.a/6a00d835130c5153ef01156ff7e3ad970c-pi" style="border-width: 0px; display: inline;" title="gmail main page" width="375"&gt;&lt;/img&gt;&lt;/a&gt; &lt;/p&gt; &lt;p&gt;Like many users, the victim uses the &lt;em&gt;"Remember me on this computer"&lt;/em&gt; feature, and persistent Google account authentication cookies are therefore stored on his/her system.&lt;/p&gt; &lt;p&gt;At some point, the victim uses &lt;em&gt;WDS &lt;/em&gt;and queries a "poisoned" keyword (in this example, the keyword is "&lt;em&gt;Microsoft&lt;/em&gt;").&lt;/p&gt; &lt;p&gt;&lt;a href="http://blog.watchfire.com/.a/6a00d835130c5153ef011570ecb01a970b-pi" target="_blank"&gt;&lt;img alt="Microsoft Search" border="0" height="144" src="http://blog.watchfire.com/.a/6a00d835130c5153ef011570ecb032970b-pi" style="border-width: 0px; display: inline;" title="Microsoft Search 1" width="394"&gt;&lt;/img&gt;&lt;/a&gt; &lt;/p&gt; &lt;p&gt;&lt;span style="text-decoration: underline;"&gt;While the victim views this file via &lt;em&gt;WDS&lt;/em&gt;, the following happens: &lt;/span&gt;  &lt;br&gt;1. An &lt;em&gt;XMLHttpRequest&lt;/em&gt; object is created.   &lt;br&gt;2. Due to the security context of the embedded browser, a bi-directional connection to Gmail is successfully established (the Same-Origin Policy is not enforced).   &lt;br&gt;3. 
The contents of the inbox page are retrieved (the &lt;em&gt;XMLHttpRequest&lt;/em&gt; object uses the persistent cookies for the &lt;em&gt;an.innocent.user@gmail.com&lt;/em&gt; account).   &lt;br&gt;4. The response is parsed and information about the "Secret Stuff" mail message is presented.&lt;/p&gt; &lt;p&gt;&lt;a href="http://blog.watchfire.com/.a/6a00d835130c5153ef011570ecb048970b-pi" target="_blank"&gt;&lt;img alt="Microsoft Search - gmail content response" border="0" height="67" src="http://blog.watchfire.com/.a/6a00d835130c5153ef011570ecb05e970b-pi" style="border-width: 0px; display: inline;" title="Microsoft Search - gmail content response" width="380"&gt;&lt;/img&gt;&lt;/a&gt; &lt;/p&gt; &lt;p&gt;&lt;strong&gt;&lt;span style="text-decoration: underline;"&gt;Final Remarks&lt;/span&gt;&lt;/strong&gt;&lt;/p&gt; &lt;p&gt;Since various desktop search tools use a mechanism similar to Windows Desktop Search in order to present search results to the user, it is very likely that similar vulnerabilities and attack vectors apply to these products too.&lt;/p&gt; &lt;p&gt;&lt;strong&gt;&lt;span style="text-decoration: underline;"&gt;Acknowledgments&lt;/span&gt;&lt;/strong&gt;&lt;/p&gt; &lt;p&gt;I would like to acknowledge and thank Microsoft for the highly professional way in which they handled this security issue.&lt;/p&gt;&lt;/div&gt;</content>


    </entry>
    <entry>
        <title>Proactive Malware Scanning</title>
        <link rel="alternate" type="text/html" href="http://blog.watchfire.com/wfblog/2009/05/proactive-malware-scanning.html" />
        <link rel="replies" type="text/html" href="http://blog.watchfire.com/wfblog/2009/05/proactive-malware-scanning.html" thr:count="4" thr:updated="2009-06-01T22:53:55+03:00" />
        <id>tag:typepad.com,2003:post-67046073</id>
        <published>2009-05-20T15:58:29+03:00</published>
        <updated>2009-05-20T15:58:29+03:00</updated>
        <summary>I'll start with a short personal angle - I have a friend that works as a freelance web site developer and webmaster. Once in a few weeks he gives me a call, telling me that one of the sites he...</summary>
        <author>
            <name>Ory Segal</name>
        </author>
        <category scheme="http://www.sixapart.com/ns/types#category" term="Info Bits" />
        <category scheme="http://www.sixapart.com/ns/types#category" term="Web Application Scanners" />
        <category scheme="http://www.sixapart.com/ns/types#category" term="Web Application Security" />
        
        
<content type="html" xml:lang="en-US" xml:base="http://blog.watchfire.com/wfblog/">
&lt;div xmlns="http://www.w3.org/1999/xhtml"&gt;&lt;p&gt;I'll start with a short personal angle - &lt;/p&gt; &lt;p&gt;I have a friend that works as a freelance web site developer and webmaster. Once in a few weeks he gives me a call, telling me that one of the sites he manages seems to be serving malicious JavaScript code to its users. It appears to me that this problem is getting out of hand these days, sites are getting (silently) hacked into, and JavaScript code is injected and later on served to users. &lt;/p&gt; &lt;p&gt;From what I hear and read, &lt;strong&gt;more than 70% of the Malware today is being served or linked from legitimate web sites. &lt;/strong&gt;&lt;/p&gt; &lt;p&gt;Take a look at &lt;a href="http://www.informationweek.com/news/internet/security/showArticle.jhtml?articleID=212901775" target="_blank"&gt;this article&lt;/a&gt; from InformationWeek, which was posted in January 2009:&lt;/p&gt; &lt;blockquote&gt; &lt;p&gt;Seventy percent of the top 100 Web sites either hosted malicious content or contained a link designed to redirect site visitors to a malicious &lt;a href="http://www.techweb.com/encyclopedia/defineterm.jhtml?term=Web%20site&amp;amp;x=&amp;amp;y="&gt;Web site&lt;/a&gt; during the second half of 2008&lt;/p&gt;&lt;/blockquote&gt; &lt;p&gt;The common approach to Malware protection and Malware scanning today, puts the (security) responsibility on the end users (browser protections, A/V, etc.) or the organizations (content filtering gateways, A/V gateways) from which the end users browse the web from. &lt;/p&gt; &lt;p&gt;I think that web site owners should start taking responsibility for the contents they are serving to users, and a simple way to do that, is to constantly monitor or scan your own web application for malicious contents. 
&lt;/p&gt; &lt;p&gt;About two years ago, I had an interesting thought: if you are already scanning your web application with an automated scanner that can perform deep crawling and analysis (automatic form filling, JavaScript and Flash execution, etc.), why not also attempt to locate malicious code that is being served to your web users?&lt;/p&gt; &lt;p&gt;By the way, malicious code can end up in your application in several ways, such as:&lt;/p&gt; &lt;ul&gt; &lt;li&gt;Someone hacked into your application and put it there&lt;/li&gt; &lt;li&gt;You are including web content (or application code) from a third party, which is often the case in Web 2.0 scenarios&lt;/li&gt; &lt;li&gt;You pissed off one of your web developers, and they decided to get back at you by infecting your users with malware&lt;/li&gt;&lt;/ul&gt; &lt;p&gt;&lt;strong&gt;&lt;u&gt;Enter the Malware Scanner AppScan eXtension&lt;/u&gt;&lt;/strong&gt;&lt;/p&gt; &lt;p&gt;The Malware Scanner AppScan eXtension helps you verify that your application is neither hosting nor linking to malware. The extension couples the deep-scanning capabilities of IBM Rational AppScan with the ISS X-Force technology used to identify malicious content and links.&lt;/p&gt; &lt;p&gt;The Malware Scanner checks these conditions:&lt;/p&gt; &lt;ul&gt; &lt;li&gt;Whether files hosted on your application are malicious&lt;/li&gt; &lt;li&gt;Whether files that are "one click" away from your application are malicious&lt;/li&gt; &lt;li&gt;Whether links on your site lead to malicious domains (malware sites or phishing sites, for example)&lt;/li&gt; &lt;li&gt;Whether links on your site lead to unwanted content (illegal sites, hate sites, adult content, and so forth)&lt;/li&gt;&lt;/ul&gt; &lt;p&gt;The Malware Scanner works in two phases:&lt;/p&gt; &lt;ol&gt; &lt;li&gt;It passes all of the visited links through the ISS Virus Prevention System (VPS) engine to determine whether they are malicious.
This is similar to browsing every page in your application, clicking every button and downloading every file, on a machine with up-to-date antivirus software.&lt;/li&gt; &lt;li&gt;It passes all of the links that lead to external domains through the ISS WebFilter SDK, which fetches the classification of each link (news site, porn site, malware site, illegal site, and so forth) from a constantly updated online classification database. Links that are deemed malicious or unwanted are flagged for your attention.&lt;/li&gt;&lt;/ol&gt; &lt;p&gt;When something needs to be brought to your attention, a security issue is created in Rational AppScan, so you can benefit from AppScan's results management capabilities, such as creating reports and saving and loading scans.&lt;/p&gt; &lt;p&gt;You can read more about the Malware Scanner eXtension and download it from our &lt;a href="http://www.ibm.com/developerworks/rational/downloads/08/appscan_malwarescanner/index.html" target="_blank"&gt;eXtensions web site&lt;/a&gt; (you need to have AppScan installed to run it).&lt;/p&gt;&lt;/div&gt;
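&lt;p&gt;As an added illustration of the two phases described above (this is example code, not the AppScan eXtension or the ISS engines), the following Python audits one crawled page: a few indicators of injected script stand in for the antivirus pass, and a small constructed category table, keyed by reserved example domains, stands in for the WebFilter lookup, walking from the full hostname up through its parent domains. The sample page, its hostnames and the indicator list are all assumptions made for the example; the markup is assembled with chr() so that the sample contains no literal angle brackets.&lt;/p&gt;
&lt;pre&gt;
```python
"""Audit crawled pages for injected or malicious content (added illustration; the
antivirus engine and URL classification service are replaced by stand-ins)."""
import re
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

# Constructed category table (assumption) keyed by reserved example domains.
CATEGORY_DB = {"malware.example.net": "malware", "phish.example.org": "phishing",
               "adult.example.com": "adult"}
UNWANTED = {"malware", "phishing", "adult"}

# Indicators often seen in injected script. Heuristics, not an AV engine.
INDICATORS = [
    ("eval-unescape", re.compile(r"eval\s*\(\s*unescape\s*\(")),
    ("long-percent-run", re.compile(r"(?:%[0-9a-fA-F]{2}){32,}")),
    ("fromCharCode-write", re.compile(r"document\.write\s*\(.*?fromCharCode", re.S)),
]

def classify_host(host):
    """Look up the host, then each parent domain (never the bare TLD)."""
    labels = host.lower().split(".")
    for i in range(len(labels) - 1):
        category = CATEGORY_DB.get(".".join(labels[i:]))
        if category:
            return category
    return "unclassified"

class PageAuditor(HTMLParser):
    """Collect external scripts, hidden iframes, outbound links and suspicious
    inline script. Any host other than the page's own counts as external."""

    def __init__(self, page_url):
        super().__init__()
        self.page_url = page_url
        self.site_host = urlsplit(page_url).hostname.lower()
        self.findings = []
        self._in_script = False

    def _external(self, url):
        host = urlsplit(url).hostname
        return host is not None and host.lower() != self.site_host

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        url = urljoin(self.page_url, a.get("src") or a.get("href") or "")
        if tag == "script":
            self._in_script = True
            if a.get("src") and self._external(url):
                self.findings.append(("external-script", url))
        elif tag == "iframe":
            style = (a.get("style") or "").replace(" ", "").lower()
            if a.get("width") == "0" or a.get("height") == "0" or "display:none" in style:
                self.findings.append(("hidden-iframe", url))
        elif tag == "a" and a.get("href") and self._external(url):
            self.findings.append(("external-link", url))

    def handle_endtag(self, tag):
        if tag == "script":
            self._in_script = False

    def handle_data(self, data):
        if self._in_script:  # html.parser delivers script bodies as raw data
            for name, rx in INDICATORS:
                if rx.search(data):
                    self.findings.append(("inline-script:" + name, self.page_url))

def audit_page(page_url, html):
    """Return sorted (severity, kind, url) triples. Phase 1 rates what the site
    serves; phase 2 rates where it sends users, by the external host's category."""
    parser = PageAuditor(page_url)
    parser.feed(html)
    parser.close()
    report = set()
    for kind, url in parser.findings:
        if kind.startswith("inline-script") or kind == "hidden-iframe":
            report.add(("high", kind, url))
        else:
            category = classify_host(urlsplit(url).hostname or "")
            severity = "high" if category in UNWANTED else "info"
            report.add((severity, kind + ":" + category, url))
    return sorted(report)

def _tag(name, attrs="", body=None):
    """Assemble markup via chr() so the sample below holds no literal angle brackets."""
    lt, gt = chr(60), chr(62)
    start = lt + name + (" " + attrs if attrs else "") + gt
    return start if body is None else start + body + lt + "/" + name + gt

# Constructed sample page: a CDN script, an injected hidden iframe pointing at
# a malware host, an obfuscated inline script, a phishing link and a local link.
SAMPLE_URL = "http://www.example.com/"
SAMPLE_PAGE = _tag("html", body=_tag("body", body="".join([
    _tag("script", 'src="http://cdn.example.com/jquery.js"', ""),
    _tag("iframe", 'src="http://malware.example.net/ld.php" width="0" height="0"', ""),
    _tag("script", "", "eval(unescape('" + "%6a%61%76%61" * 8 + "'))"),
    _tag("a", 'href="http://phish.example.org/login"', "login"),
    _tag("a", 'href="/about"', "about"),
])))
```
&lt;/pre&gt;
&lt;p&gt;Feeding every page your crawler fetched to audit_page, and every outbound hostname to classify_host, gives the same two views the post describes: what you serve, and where you send your users. Treat an indicator hit as a lead rather than proof of compromise, since packed but legitimate scripts can trip the percent-run rule; a real deployment would swap the table for a live classification feed and the indicators for an antivirus engine, which is what the extension does with the ISS components.&lt;/p&gt;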
</content>


    </entry>
    <entry>
        <title>WAF Wars</title>
        <link rel="alternate" type="text/html" href="http://blog.watchfire.com/wfblog/2009/05/waf-wars.html" />
        <link rel="replies" type="text/html" href="http://blog.watchfire.com/wfblog/2009/05/waf-wars.html" thr:count="0" />
        <id>tag:typepad.com,2003:post-66753971</id>
        <published>2009-05-14T09:53:54+03:00</published>
        <updated>2009-05-14T09:55:24+03:00</updated>
        <summary>Dark Reading just posted a news article titled "Researchers Hack Web Application Firewalls", here's a short excerpt: A pair of researchers at the OWASP Europe 2009 conference on Wednesday showed how some Web application firewalls (WAFs) are prone to attack....</summary>
        <author>
            <name>Ory Segal</name>
        </author>
        <category scheme="http://www.sixapart.com/ns/types#category" term="Info Bits" />
        <category scheme="http://www.sixapart.com/ns/types#category" term="Security Wars - A New Hope" />
        <category scheme="http://www.sixapart.com/ns/types#category" term="Web Application Security" />
        
        
<content type="html" xml:lang="en-US" xml:base="http://blog.watchfire.com/wfblog/">
&lt;div xmlns="http://www.w3.org/1999/xhtml"&gt;&lt;p&gt;&lt;a href="http://www.darkreading.com/" target="_blank"&gt;Dark Reading&lt;/a&gt; just posted a news article titled "&lt;a href="http://www.darkreading.com/security/app-security/showArticle.jhtml?articleID=217400819&amp;amp;cid=RSSfeed" target="_blank"&gt;Researchers Hack Web Application Firewalls&lt;/a&gt;". Here's a short excerpt:&lt;/p&gt; &lt;blockquote&gt; &lt;p&gt;A pair of researchers at the &lt;a href="http://www.owasp.org/index.php/OWASP_AppSec_Europe_2009_-Poland#tab=Conference_-%20May_13"&gt;OWASP Europe 2009&lt;/a&gt; conference on Wednesday showed how some Web application firewalls (WAFs) are prone to attack.&lt;/p&gt; &lt;p&gt;Wendel Henrique, a member of SpiderLabs (Trustwave's advanced security team), and Sandro Gauci, founder and CSO for EnableSecurity, also found some WAFs vulnerable to the same types of exploits they are supposed to protect Web apps from, such as cross-site scripting (XSS) attacks.&lt;/p&gt;&lt;/blockquote&gt; &lt;p&gt;Hacking WAFs &lt;a href="http://seclists.org/bugtraq/2001/May/0180.html" target="_blank"&gt;is an old art form&lt;/a&gt;, which I'm glad to see picking up again. WAFs are extremely delicate pieces of software that require thorough and precise configuration in order to provide the security they promise. Since the WAF market is finally picking up, I expect to see more security advisories related to vulnerabilities in such products in the near future.&lt;/p&gt;
&lt;p&gt;I wish the &lt;a href="http://www.webappsec.org/projects/whid/statistics.shtml" target="_blank"&gt;WASC WHID&lt;/a&gt; project would have a listing of web sites that were hacked even though they had a WAF installed, just so we'd have insight into the real techniques used to bypass them, although I'm not optimistic about such information being released to the public.&lt;/p&gt; &lt;p&gt;&lt;strong&gt;Disclaimer&lt;/strong&gt; - I am a WAF supporter.&lt;/p&gt; &lt;p&gt;* Until OWASP releases the full presentation online, I think you can get a glimpse of it &lt;a href="http://www.slideshare.net/sandrogauci/troopers09-the-truth-about-web-application-firewalls-what-the-vendors-do-not-want-troopers-09-munich-april-2009-you-to-know" target="_blank"&gt;here&lt;/a&gt;.&lt;/p&gt;&lt;/div&gt;
</content>


    </entry>
    <entry>
        <title>Google Chrome Universal XSS Vulnerability </title>
        <link rel="alternate" type="text/html" href="http://blog.watchfire.com/wfblog/2009/04/google-chrome-universal-xss-vulnerability-.html" />
        <link rel="replies" type="text/html" href="http://blog.watchfire.com/wfblog/2009/04/google-chrome-universal-xss-vulnerability-.html" thr:count="1" thr:updated="2010-02-22T21:31:03+02:00" />
        <id>tag:typepad.com,2003:post-65963161</id>
        <published>2009-04-24T15:12:23+03:00</published>
        <updated>2009-04-24T15:11:32+03:00</updated>
        <summary>I wanted to wait a bit, but since the fix is out: During unrelated research, I came across a number of security issues that reside in various parts of Google's web browser - Google Chrome. These issues pose a major...</summary>
        <author>
            <name>Roi Saltzman</name>
        </author>
        
        
<content type="html" xml:lang="en-US" xml:base="http://blog.watchfire.com/wfblog/">&lt;div xmlns="http://www.w3.org/1999/xhtml"&gt;&lt;p style="font-family: Arial;"&gt;&lt;em&gt;I wanted to wait a bit, but since the &lt;a href="http://googlechromereleases.blogspot.com/2009/04/stable-update-security-fix.html" target="_blank"&gt;fix&lt;/a&gt; is out:&lt;/em&gt;&lt;/p&gt;&lt;p style="font-family: Arial;"&gt;During unrelated research, I came across a number of security issues that reside in various parts of Google's web browser, Google Chrome.&lt;/p&gt;&lt;p style="font-family: Arial;"&gt;These issues pose a major threat to any user who browses a maliciously crafted page using Internet Explorer and has Google Chrome installed alongside it.&lt;/p&gt;&lt;p style="font-family: Arial;"&gt;Using a vulnerability in the ChromeHTML URL handler, it is possible to force Google Chrome to load arbitrary URIs when it is launched through IE. Combined with other issues, this seemingly harmless vulnerability opens the door to two major attack vectors:&lt;/p&gt;&lt;ul&gt;
&lt;li&gt;&lt;strong&gt;Bypass the Same Origin Policy restrictions for any site&lt;/strong&gt; (this has the same impact as Universal XSS)&lt;/li&gt;
&lt;li&gt;&lt;strong&gt;Enumerate the victim's local files and directories&lt;/strong&gt;&lt;/li&gt;
&lt;/ul&gt;
&lt;p style="font-family: Arial;"&gt;&lt;strong&gt;A thorough explanation of the issues, attack vectors and impact can be found in the following &lt;span class="at-xid-6a00d835130c5153ef0115704a74e0970b"&gt;&lt;a href="http://blog.watchfire.com/files/google-chrome-advisory.doc"&gt;advisory&lt;/a&gt;&lt;/span&gt;.&lt;/strong&gt;&lt;/p&gt;&lt;p style="font-family: Arial;"&gt;It is important to note that the way Internet Explorer processes URL protocol handlers is a known Achilles' heel and has been widely used before to attack various other applications.&lt;/p&gt;&lt;p style="font-family: Arial;"&gt;&lt;strong&gt;Proof of Concept:&lt;/strong&gt;&lt;br&gt;A Universal XSS PoC is available &lt;span class="at-xid-6a00d835130c5153ef01156f54503c970c"&gt;&lt;a href="http://blog.watchfire.com/files/gcpoc.html" target="_blank"&gt;here&lt;/a&gt;&lt;/span&gt; (open with Internet Explorer)&lt;br&gt;A file enumeration PoC is available &lt;span class="at-xid-6a00d835130c5153ef0115704a7bcb970b"&gt;&lt;a href="http://blog.watchfire.com/files/gcenumpoc.html" target="_blank"&gt;here&lt;/a&gt;&lt;/span&gt; (open with Internet Explorer)&lt;/p&gt;&lt;p style="font-family: Arial;"&gt;&lt;strong&gt;Fix:&lt;/strong&gt;&lt;br&gt;Version 1.0.154.59 of Chrome has been released to fix the vulnerability.&lt;/p&gt;&lt;p style="font-family: Arial;"&gt;&lt;strong&gt;Acknowledgments:&lt;/strong&gt;&lt;br&gt;I would like to thank the Google Chrome team for their quick response and the highly professional way in which they handled this security issue.&lt;/p&gt;&lt;/div&gt;</content>


    </entry>
    <entry>
        <title>Active Man in the Middle Attacks</title>
        <link rel="alternate" type="text/html" href="http://blog.watchfire.com/wfblog/2009/02/active-man-in-the-middle-attacks.html" />
        <link rel="replies" type="text/html" href="http://blog.watchfire.com/wfblog/2009/02/active-man-in-the-middle-attacks.html" thr:count="2" thr:updated="2009-03-11T11:16:43+02:00" />
        <id>tag:typepad.com,2003:post-63411497</id>
        <published>2009-02-27T10:24:52+02:00</published>
        <updated>2009-02-27T10:24:52+02:00</updated>
        <summary>Adi Sharabani, manager of our own IBM Rational Security Group, gave a keynote presentation on the subject of Active Man in the Middle attacks at the recent OWASP AU conference that was held yesterday. With an Active MitM attack targeting...</summary>
        <author>
            <name>Ory Segal</name>
        </author>
        <category scheme="http://www.sixapart.com/ns/types#category" term="Research" />
        <category scheme="http://www.sixapart.com/ns/types#category" term="Web Application Security" />
        
        
<content type="html" xml:lang="en-US" xml:base="http://blog.watchfire.com/wfblog/">
&lt;div xmlns="http://www.w3.org/1999/xhtml"&gt;&lt;p&gt;Adi Sharabani, manager of our own IBM Rational Security Group, gave a keynote presentation on Active Man in the Middle attacks at the &lt;a href="http://www.owasp.org/index.php/OWASP_AU_Conference_2009_Agenda" target="_blank"&gt;OWASP AU conference&lt;/a&gt; held yesterday.&lt;/p&gt; &lt;p&gt;With an Active MitM attack targeting web applications, an attacker can steal a user's private data for any site he chooses, as long as the victim uses a public network to read the latest news headlines or weather report on an 'uninteresting' site. In addition, the attack can be made persistent, so that it survives even after the victim has moved out of the attacker's reach. These attacks are the product of a serious design flaw, not an implementation error or bug.&lt;/p&gt; &lt;p&gt;Although MitM attacks against web applications have been partially discussed before, under similar issues such as "SideJacking" and "Surf Jacking", comprehensive research has yet to be performed.&lt;/p&gt; &lt;p&gt;The attached presentation gives an overview of the subject, while the paper gives a thorough, in-depth description of this dangerous category of attacks and proposed remedies.&lt;/p&gt; &lt;p&gt;You can download the presentation in PPT format &lt;a href="http://blog.watchfire.com/AMitM.ppt" target="_blank"&gt;here&lt;/a&gt;, or download the full version of the whitepaper as PDF &lt;a href="http://blog.watchfire.com/AMitM.pdf" target="_blank"&gt;here&lt;/a&gt;.&lt;/p&gt;&lt;/div&gt;
</content>


    </entry>
    <entry>
        <title>There's a New AppScan In Town</title>
        <link rel="alternate" type="text/html" href="http://blog.watchfire.com/wfblog/2009/01/theres-a-new-appscan-in-town.html" />
        <link rel="replies" type="text/html" href="http://blog.watchfire.com/wfblog/2009/01/theres-a-new-appscan-in-town.html" thr:count="3" thr:updated="2010-02-23T00:07:36+02:00" />
        <id>tag:typepad.com,2003:post-61322490</id>
        <published>2009-01-14T15:43:16+02:00</published>
        <updated>2009-01-14T15:43:16+02:00</updated>
        <summary>I usually don't tend to blog about our product releases, but yesterday we have launched the official new version of IBM Rational AppScan Standard Edition (version 7.8), which includes some capabilities that I believe are worth blogging about. Here's a...</summary>
        <author>
            <name>Ory Segal</name>
        </author>
        <category scheme="http://www.sixapart.com/ns/types#category" term="Info Bits" />
        <category scheme="http://www.sixapart.com/ns/types#category" term="Web Application Scanners" />
        
        
<content type="html" xml:lang="en-US" xml:base="http://blog.watchfire.com/wfblog/">&lt;p&gt;I usually don't tend to blog about our product releases, but yesterday we launched the official new version of &lt;a href="http://www-01.ibm.com/software/awdtools/appscan/standard/" target="_blank"&gt;IBM Rational AppScan Standard Edition&lt;/a&gt; (version 7.8), which includes some capabilities that I believe are worth blogging about.&lt;/p&gt; &lt;p&gt;Here's a short list of the interesting new features and capabilities:&lt;/p&gt; &lt;ul&gt; &lt;li&gt;&lt;strong&gt;Flash execution &amp;amp; Testing:&lt;/strong&gt; AppScan now automatically crawls Flash applications to reveal web application vulnerabilities, including vulnerabilities unique to Flash such as XSS in Flash, Phishing through Flash (Redirections), Cross Site Flashing, Insecure Direct Object Reference, over-permissive Flash sandbox and over-permissive crossdomain.xml files.&lt;/li&gt; &lt;li&gt;&lt;strong&gt;AMF Parsing &amp;amp; Testing:&lt;/strong&gt; On the same subject of Flash testing, AppScan is now capable of parsing and analyzing AMF communications between Flash applications and their back-end server-side application.&lt;/li&gt; &lt;li&gt;&lt;strong&gt;Content-based Application Mapping&lt;/strong&gt;: many modern web applications (especially those designed around the MVC paradigm) use a single URL and serve content based on different parameters. In such scenarios, reporting vulnerabilities by URL alone is not meaningful. AppScan 7.8 allows you to create or modify the application tree by defining the criteria by which AppScan assigns content elements to the tree. 
This gives a clearer and more realistic view of the results.&lt;/li&gt; &lt;li&gt;&lt;strong&gt;Support for widget-based and Mashup sites:&lt;/strong&gt; The new Content-Based configuration view (see the previous item) lets you define the structure of widget-based and Mashup sites and display it logically.&lt;/li&gt; &lt;li&gt;&lt;strong&gt;WebSphere Portal support&lt;/strong&gt;: a dedicated template for WebSphere Portal applications, incorporating a WebSphere Portal Test Policy and other configurations designed to increase performance and accuracy. The same capability can be adjusted for other Java Portlet-based web applications.&lt;/li&gt; &lt;li&gt;&lt;strong&gt;Improved Web services support:&lt;/strong&gt; The new GSC utility replaces "Web Services Explorer" (a WSDL analyzer that generates SOAP traffic) to provide improved Web services scanning, including support for MIME attachments, WS encryption and WS signatures. This means you can now test SOAP Web services that make use of the WS-Security standards.&lt;/li&gt; &lt;li&gt;&lt;strong&gt;IPv6 Support:&lt;/strong&gt; no need to explain.&lt;/li&gt; &lt;li&gt;&lt;strong&gt;CVSS-based Severity Reporting &amp;amp; Configuration&lt;/strong&gt;: AppScan is now capable of reporting vulnerability severity using CVSS. 
In addition, users can adjust the CVSS settings as they wish, in order to create more accurate reports.&lt;/li&gt;&lt;/ul&gt; &lt;p&gt;These are just some of the major improvements and new features in AppScan Standard Edition v7.8.&lt;/p&gt; &lt;p&gt;You can download a trial version of AppScan &lt;a href="http://www-01.ibm.com/software/awdtools/appscan/standard/" target="_blank"&gt;here&lt;/a&gt;.&lt;/p&gt; &lt;p&gt;BTW, for those of you who haven't been following our recent product announcements, we also recently shipped &lt;a href="http://www-01.ibm.com/software/awdtools/appscan/developer/" target="_blank"&gt;AppScan Developer Edition&lt;/a&gt;, which includes static analysis of Java applications (more languages to follow), in conjunction with dynamic (black-box) and runtime analysis. This composite type of analysis enables developers to get a full view of the vulnerabilities, both from the web front end and at the source code level, in a correlated manner.&lt;/p&gt;</content>


    </entry>
 
</feed>
