Static Analysis: Find Metacharacter Vulnerabilities with Taint Propagation in Java

Many input validation vulnerabilities can be identified using taint propagation. Consider these four lines of Java:
    lastName = request.getParameter("last_name");
    query = "SELECT phone FROM phnbk WHERE lnam = '"
            + lastName + "'";
    rs = stmt.executeQuery(query);
To correctly identify the SQL injection vulnerability, a taint propagation algorithm needs to be armed with three rules:
Source rule:
Function: javax.servlet.http.HttpServletRequest.getParameter()
Postcondition: return value is tainted
Pass-through rule:
Function: string concatenation
Postcondition: result is tainted if either input string is tainted
Sink rule:
Function: java.sql.Statement.executeQuery()
Precondition: argument must not be tainted
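The three rules above, applied by a toy taint-propagation pass, as an added example that is not from the book: it walks a three-address form of the four Java lines, reports the path the tainted data takes from the source to the sink, and shows how an auditor-supplied list of trusted validation routines (a hypothetical validateLastName) suppresses the finding without the tool trying to judge the validation itself. The statement encoding and the rule tables are assumptions made for illustration.

```python
# Added example, not from the book: a toy taint-propagation pass over a
# three-address form of the four Java lines above.  Statement tuples, rule
# tables and the validator name are assumptions made for illustration.

# Source rule: the return value of these functions is tainted.
SOURCES = {"javax.servlet.http.HttpServletRequest.getParameter"}
# Sink rule: the argument to these functions must not be tainted.
SINKS = {"java.sql.Statement.executeQuery"}
# Auditor input: reviewed validation routines whose result is trusted
# (hypothetical name; the tool does not judge the validation itself).
CLEANSERS = {"validateLastName"}

def analyze(program, cleansers=CLEANSERS):
    """program: list of (lhs, function, args); args are variable names or
    double-quoted literals (literals are never tainted).  Returns one
    (sink, path) finding per sink call that receives tainted data."""
    taint = {}        # variable -> steps the taint took to reach it
    findings = []
    for lhs, func, args in program:
        short = func.rsplit(".", 1)[-1]
        tainted = [(a, taint[a]) for a in args if a in taint]
        taint.pop(lhs, None)      # strong update: reassignment starts clean
        if func in SINKS:         # sink rule: precondition on the argument
            if tainted:
                arg, path = tainted[0]
                findings.append((func, path + [f"{short}({arg})"]))
        elif func in SOURCES:     # source rule: postcondition on the result
            taint[lhs] = [f"{short} -> {lhs}"]
        elif tainted and func not in cleansers:
            # Pass-through rule: concat taints its result when any input is
            # tainted; a call with no rule is treated the same way (conservative).
            taint[lhs] = tainted[0][1] + [f"{short} -> {lhs}"]
    return findings

# The four lines from the text in three-address form (constructed input).
VULNERABLE = [
    ("lastName", "javax.servlet.http.HttpServletRequest.getParameter", ['"last_name"']),
    ("query", "concat", ['"SELECT phone FROM phnbk WHERE lnam = \'"', "lastName", '"\'"']),
    ("rs", "java.sql.Statement.executeQuery", ["query"]),
]
# Same program, with the input routed through the audited validator first.
VALIDATED = [VULNERABLE[0],
             ("safeName", "validateLastName", ["lastName"]),
             ("query", "concat", ['"SELECT phone FROM phnbk WHERE lnam = \'"', "safeName", '"\'"']),
             VULNERABLE[2]]

if __name__ == "__main__":
    for sink, path in analyze(VULNERABLE):
        print(f"{sink} reached by tainted data: {' -> '.join(path)}")
    print("validated program findings:", analyze(VALIDATED))
```

Passing cleansers=set() to analyze() shows the other side of the trade-off: without the auditor's sign-off the validator is treated as pass-through and the same finding comes back.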
With these rules, the taint propagation algorithm can connect the unchecked input with the database query and call out the vulnerability along with the path the tainted data will take through the program. Of course, a well-written program validates its input. To reduce false positives, a tool might attempt to identify validation logic. There is some precedent for this approach; Perl's taint mode considers input to be tainted until it has been passed through a regular expression. We think it's a bad idea. Good input validation is usually tailored closely to the task at hand. It is not fruitful to ask a static analysis tool to determine whether all of an application's input validation needs have been met. Instead, input validation routines should be manually audited, and the static analysis tool should be capable of accepting the auditor's input about which pieces of data in the program are trusted. If you find that the static analysis tool is asking you to sign off on dozens of input validation routines, it's a sure sign that the application is lacking a centralized validation mechanism. Take a closer look at all the validation code. Does it really do the same thing in every case? If so, it should be easy to merge into a centralized framework. If not, there are likely to be some unintended holes in the multitude of validation methods.

Preventing Metacharacter Vulnerabilities
Path Manipulation

If user input is allowed to include file system metacharacters such as a forward slash (/), backslash (\), or period (.), an attacker might be able to specify an absolute path where a relative path is expected or traverse the file system to an unintended location by moving up the directory tree. Unauthorized file system access of this type is called path manipulation. The code in Example 5.31 uses input from an HTTP request to create a filename. The programmer has not considered the possibility that an attacker could provide a filename such as ../../tomcat/conf/server.xml, which causes the application to delete one of its own configuration files.
Example 5.31 A path manipulation vulnerability in a Web application
    String rName = request.getParameter("reportName");
    File rFile = new File("/usr/local/apfr/reports/" + rName);
    rFile.delete();
Path manipulation vulnerabilities are relatively easy to prevent with a whitelist. The method in Example 5.32 uses a regular expression to ensure that filenames can be only up to 50 alphanumeric characters, followed by an optional dot and up to a 5-character extension.
Example 5.32 This code uses a whitelist to prevent path manipulation
    import java.util.regex.Pattern;

    final static int MAXNAME = 50;
    final static int MAXSUFFIX = 5;
    final static String FILE_REGEX =
          "[a-zA-Z0-9]{1," + MAXNAME + "}"      // vanilla chars in prefix
        + "\\.?"                                // optional dot
        + "[a-zA-Z0-9]{0," + MAXSUFFIX + "}";   // optional extension
    final static Pattern FILE_PATTERN = Pattern.compile(FILE_REGEX);

    // matches() anchors the whole string, so a name containing '/' or '..'
    // is rejected; ValidationException is the application's own exception type
    public void validateFilename(String filename) {
      if (!FILE_PATTERN.matcher(filename).matches()) {
        throw new ValidationException("illegal filename");
      }
    }
Command Injection

If user input is allowed to specify system commands your program executes, attackers might be able to cause the system to carry out malicious commands on their behalf. If the input can include file system or shell metacharacters, an attacker could specify an absolute path where a relative path is expected or append a second malicious command following the command your program intends to execute. Unauthorized command execution is called command injection. The code in Example 5.33 is from an administrative Web application that runs under Windows. It is designed to allow users to kick off a backup of an Oracle database using a batch-file wrapper around the rman utility and then run a cleanup.bat script to delete some temporary files. The script rmanDB.bat accepts a single command-line parameter, which specifies the type of backup to perform. Because access to the database is restricted, the application runs the backup as a privileged user.