Tuesday, 17 July 2012
For those of you going to BlackHat, I am running a 3-hour workshop on Code Reviewing Web App Framework Based Applications on July 25 from 2:15-5:15 in Florentine.
Frameworks have often been viewed with disdain in the security community. Oftentimes you are just getting to know the ins and outs of the current web framework when developers decide to switch to another one with more development features. And just your luck, each successive framework is larger and more complicated than its predecessor, and often written in a totally different language. It is a bit overwhelming as a security practitioner to have to pick up the new framework and language by yourself while also having to find vulnerabilities. The 3-hour workshop that I am giving aims to give you an introduction to the most popular web frameworks in use by enterprises (Struts 1 and 2, Spring MVC, .NET MVC, Ruby on Rails, and to a lesser extent Groovy on Grails and Zend PHP). In addition, we will go over an overall process for code reviewing applications built on web frameworks and help you identify the common vulnerabilities associated with them.
Here is a high level preview of what is going to be covered:
1. Architectures of the web frameworks.
a. Architecture relates to the big picture of how different components within the framework work together with your application’s business logic to handle a request.
2. Dataflow paths through individual web frameworks.
a. In order to effectively prioritize findings, a code reviewer needs to be able to trace sources of untrusted data to the sinks (the points where vulnerabilities can occur).
3. Recognizing the language and framework constructs that can lead to vulnerabilities.
4. Discuss non-dataflow based vulnerabilities in framework-based applications.
a. Some examples of this are understanding where password management, authorization, and authentication logic usually reside.
5. Discuss inter-framework dependencies.
a. Oftentimes web-framework-based applications are built on, or actively utilize, other frameworks. These other frameworks can introduce separate exploitable vulnerabilities when used within the web app framework.
6. Review combined and server-side blended threats.
a. It is great to find vulnerabilities but we need to take a step back and see how individual vulnerabilities can interact with each other to create new vulnerabilities.
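As an added illustration of items 2 and 3 (tracing untrusted data from framework sources to sinks), here is a small Python triage script, not part of the workshop materials, that pairs Spring MVC @RequestParam bindings and Struts 1 ActionForm getters with SQL or command calls that concatenate the bound value inside the same handler. The Java snippets, and names such as jdbc, stmt and UserForm, are constructed for the example.

```python
"""Added example: intra-method source-to-sink triage for framework-based Java
handlers. A regex heuristic to focus review, not a parser or real taint analysis."""
import re
from collections import namedtuple

# source: framework construct that introduced request data; variable: local name
Finding = namedtuple("Finding", "source variable sink line")
# Sources: framework constructs that bind request data to a local name.
SOURCES = {
    "Spring MVC @RequestParam": re.compile(r"@RequestParam(?:\([^)]*\))?\s+\w+\s+(\w+)"),
    "Struts 1 ActionForm getter": re.compile(r"(\w+)\s*=\s*\(\(\w+\)\s*form\)\.get\w+\(\)"),
    "Servlet getParameter": re.compile(r"(\w+)\s*=\s*\w+\.getParameter\("),
}
# Sinks: calls where building the argument from request data is dangerous.
SINKS = {
    "SQL query": re.compile(r"\b(?:queryForList|queryForObject|executeQuery|createQuery)\("),
    "OS command": re.compile(r"Runtime\.getRuntime\(\)\.exec\("),
}

def analyze(src: str) -> list[Finding]:
    findings = []
    # Crude method split: a new chunk starts at each line beginning with 'public'.
    for body in re.split(r"\n(?=\s*public\s)", src):
        tainted = {m.group(1): n for n, rx in SOURCES.items() for m in rx.finditer(body)}
        for line in body.splitlines():
            for sink, rx in SINKS.items():
                if not rx.search(line):
                    continue
                for var, source in tainted.items():
                    # flag only when the tainted name is concatenated into the call
                    if re.search(rf"\+\s*{var}\b|\b{var}\s*\+", line):
                        findings.append(Finding(source, var, sink, line.strip()))
    return findings

# Constructed sample: two concatenating handlers and one parameterized (safe) one.
SAMPLE = """\
public String find(@RequestParam("name") String name, Model model) {
    return jdbc.queryForList("SELECT * FROM users WHERE name = '" + name + "'");
}
public ActionForward execute(ActionMapping m, ActionForm form) {
    String id = ((UserForm) form).getId();
    ResultSet rs = stmt.executeQuery("SELECT * FROM accounts WHERE id = " + id);
    return m.findForward("ok");
}
public String safe(@RequestParam("name") String name) {
    return jdbc.queryForObject("SELECT id FROM users WHERE name = ?", String.class, name);
}
"""
if __name__ == "__main__":
    for f in analyze(SAMPLE):
        print(f"[{f.sink}] {f.source} -> {f.variable}: {f.line}")
```

The parameterized query in the third handler produces no finding, which is the distinction between a framework construct that merely carries request data and one that lets it reach a sink unsafely.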
If you don’t attend the workshop but have questions about Fortify, I will be volunteering at the OWASP Booth Wednesday morning.