Friday, 13 April 2012

RTA Customization: The power of being inside the application

HP Fortify RTA is very similar to a WAF, but it has one big advantage: where a WAF protects at the perimeter, RTA protects from within the application. As always, we recommend fixing known problems in the code first, but when that is not immediately possible, an RTA tool can help you out. RTA can also be seen as an additional layer of protection on top of the code fix.

In this blog post, I would like to show you an example of customization. More specifically, let’s look at how to protect against command injection by means of white-listing. Say our customer has a web application that executes a couple of OS and other application commands, where each command takes exactly one argument from the user. Taking data from the user, the database, a web service call or any other input and bluntly appending it to the command line exposes the application to command injection, of course.

By default, RTA protects against command injection by parsing the command and validating it. However, as this default mechanism does not take the entire context of the application into consideration, it may be a good idea to add a white-listing rule to tighten the security. Assume that all commands executed in your application look like one of the following:
  • backup.exe user_provided_backup_file.backup
  • ping user_provided_host_or_ip_address
  • whois user_provided_domain_name

Then, the following rule can be inserted:

<Rule>
   <RuleID>RULE_ID_CUSTOM1</RuleID>
    <ProgramPoints>
       <SetReference id="CommandInjection"/>
    </ProgramPoints>
    <Monitors>
       <MonitorSpec class="com.fortify.runtime.monitor.Guard" monitorID="MONITOR_ID_CUSTOM1">
          <Attributes>
             <Attribute name="category">Command Injection</Attribute>
          </Attributes>
          <Predicate>
             not input matches /^(backup\.exe|whois|ping) [a-zA-Z0-9_\.\/\-]+$/
          </Predicate>
          <Configuration>
             <Property name="TriggerPicture">
                <Value>The executed command %{input} did not match the predefined white-list</Value>
             </Property>
          </Configuration>
          <Bindings>
             <Binding name="input" capture-ref="execute"/>
          </Bindings>
       </MonitorSpec>
    </Monitors>
</Rule>

Simply put, this rule attaches to every API that can lead to command injection (java.lang.Runtime.exec() and the like) and checks whether the executed command line matches the predefined white-list: one of backup.exe, whois or ping, followed by a single space and a single argument built only from the characters a-z, A-Z, 0-9, '_', '.', '/' and '-'. If the command does not match, it is not executed and an event is generated stating “The executed command %{input} did not match the predefined white-list”. Two details of the pattern matter. It is anchored with ^ and $, so nothing can be appended after the argument, and the character class is positive, so a second argument, a shell metacharacter such as ';' or '&&', or a program that is not on the list all fail the match. A pattern that is not anchored, or that uses a negated class like [^a-zA-Z0-9_\.\/\-], only inspects the first character after the space and would let “ping 127.0.0.1; rm -rf /” through. Tailor the character class to what the application genuinely accepts; as written it would also reject an IPv6 address passed to ping, which is the intended trade-off of a white-list.
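For comparison, here is the same white-list applied in application code, which is the “fix it in the code first” option the post recommends. This is an added example, not part of the original post and not Fortify product code; the class and method names are hypothetical and the sample command lines are constructed. It also shows, in brokenPredicateFires, why the predicate needs anchoring and a positive character class: an unanchored pattern with a negated class only inspects the first character after the space, so it flags legitimate commands and passes “ping ;whoami”.

```java
import java.io.IOException;
import java.util.regex.Pattern;

/**
 * Added example: an in-code white-list gate with the same semantics as the
 * RTA Guard rule above. Class and method names are hypothetical.
 */
public class CommandWhitelist {

    // Same anchored pattern as the rule's predicate: one allowed program,
    // one space, one argument made only of safe characters.
    private static final Pattern ALLOWED =
        Pattern.compile("^(backup\\.exe|whois|ping) [a-zA-Z0-9_./-]+$");

    // Counter-example: unanchored, with a negated class. It matches only when
    // the first character after the space is unsafe, so a predicate of the
    // form "not input matches BROKEN" fires on good commands and not on
    // "ping ;whoami".
    private static final Pattern BROKEN =
        Pattern.compile("(backup\\.exe|whois|ping) [^a-zA-Z0-9_./-]");

    /** true if the full command line is on the white-list. */
    public static boolean isAllowed(String commandLine) {
        return ALLOWED.matcher(commandLine).matches();
    }

    /** What a predicate of "not input matches BROKEN" would decide. */
    public static boolean brokenPredicateFires(String commandLine) {
        return !BROKEN.matcher(commandLine).find();
    }

    /**
     * Executes only white-listed command lines. Where the RTA rule would
     * block the call and emit its TriggerPicture, the code refuses outright.
     */
    public static Process run(String commandLine) throws IOException {
        if (!isAllowed(commandLine)) {
            throw new SecurityException("The executed command " + commandLine
                + " did not match the predefined white-list");
        }
        return Runtime.getRuntime().exec(commandLine);
    }

    public static void main(String[] args) {
        // Constructed sample command lines, as an attacker-controlled
        // argument would produce them.
        String[] samples = {
            "ping 127.0.0.1",                 // legitimate
            "backup.exe nightly.backup",      // legitimate
            "whois example.com; rm -rf /",    // metacharacters after the argument
            "ping 127.0.0.1 && whoami",       // second command via &&
            "ping ;whoami",                   // unsafe char right after the space
            "curl http://evil.example",       // program not on the list
            "ping",                           // missing argument
        };
        for (String s : samples) {
            System.out.printf("%-30s allowed=%-5b brokenPredicateFires=%b%n",
                s, isAllowed(s), brokenPredicateFires(s));
        }
    }
}
```

Running main shows isAllowed true only for the first two lines, while brokenPredicateFires is true for those same two legitimate commands and false for “ping ;whoami”, which is exactly the inverse of what a guard should do. Where possible, go one step further than validation and pass the program and its argument as separate elements of a ProcessBuilder argument list instead of building one command string, so no shell ever parses user data.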
Posted by mmadou at 10:06 AM in Fortify
