Introduction

http://h3xstream.github.io/find-sec-bugs/

Find Security Bugs is a plugin for FindBugs that aims to help security audits of Java web applications.

Some vulnerability categories covered:
- Endpoints from various frameworks
- Command injection
- XPath injection
- XML External Entity (XXE)
- Weak cryptography
- Tainted inputs
- Predictable random
- Specific library weakness
- XSS in JSP pages
- SQL/HQL injection
- ReDoS
- Path traversal

Framework support:
- Spring MVC
- Apache Tapestry 5
- Struts 1
- Struts 2
- JAX-RS (Jersey)
- JAX-WS (Axis2, Metro)
- J2EE classic web API
- Apache Wicket

Find Security Bugs has a total of 38 detectors and 45 different bug patterns. The complete list of bug patterns is given at http://h3xstream.github.io/find-sec-bugs/bugs.htm

FindBugs / Experience with FindBugs (Google's FindBugs practice)

Google FindBugs Fixit: Google has a tradition of engineering fixits, special days where they try to get all of their engineers focused on some specific problem or technique for improving the systems at Google. A fixit might work to improve web accessibility, internal testing, removing TODOs from internal software, etc.

In 2009, Google held a global fixit for UMD's FindBugs tool, a static analysis tool for finding coding mistakes in Java software. The focus of the fixit was to get feedback on the 4,000 highest-confidence issues found by FindBugs at Google, and let Google engineers decide which issues, if any, needed fixing.

More than 700 engineers ran FindBugs from dozens of offices. More than 250 of them entered more than 8,000 reviews of the issues. A review is a classification of an issue as must-fix, should-fix, mostly-harmless, not-a-bug, and several other categories. More than 75% of the reviews classified issues as must fix, should fix or I will fix. Many of the scariest issues received more than 10 reviews each. Engineers have already submitted changes that made more than 1,100 of the 3,800 issues go away.
Engineers filed more than 1,700 bug reports, of which 600 have already been marked as fixed. Work continues on addressing the issues raised by the fixit, and on supporting the integration of FindBugs into the software development process at Google.

The fixit at Google showcased new capabilities of FindBugs that provide a cloud computing / social networking backdrop. Reviews of issues are immediately persisted into a central store, where they can be seen by other developers, and FindBugs is integrated into the internal Google tools for filing and viewing bug reports and for viewing the version control history of source files. For the fixit, FindBugs was configured in a mode where engineers could not see reviews from other engineers until they had entered their own; after the fixit, the configuration will be changed to a more open configuration where engineers can see reviews from others without having to provide their own review first. These capabilities have all been contributed to UMD's open source FindBugs tool, although a fair bit of engineering remains to prepare the capabilities for general release and make sure they can integrate into systems outside of Google. The new capabilities are expected to be ready for general release in fall 2009.

Using Find Security Bugs in Eclipse

/h3xstream/find-sec-bugs/wiki/eclipse-tutorial

It is installed as a plugin of FindBugs.

Using FindBugs on its own: FindBugs 1.3.6 run against WebGoat found 16 security issues. FindBugs 1.3.6 has no plugin support; after downloading the latest version, 2.0.3, and installing the plugin, 42 security issues were found. Note: add the servlet-related JAR packages to the analysis classpath (-auxclasspath on the command line), otherwise FindBugs shows a warning.

Invoking FindBugs from the command line

The option reference is in the bundled manual: file:///C:/findbugs/doc/manual/running.html#commandLineOptions. Running the text UI without any input files prints the usage text (option names are case-sensitive):

    C:\findbugs\bin\findbugs -textui
    No files to be analyzed
    Usage: findbugs [general options] -textui [command line options...] [jar/zip/class files, directories...]
    General options:
      -jvmArgs args                              Pass args to JVM
      -maxHeap size                              Maximum Java heap size in megabytes (default=768)
      -javahome <dir>                            Specify location of JRE
    General FindBugs options:
      -project <project>                         analyze given project
      -home <home directory>                     specify FindBugs home directory
      -pluginList <jar1[:jar2...]>               specify list of plugin Jar files to load
      -effort:min|less|default|more|max          set analysis effort level
      -adjustExperimental                        lower priority of experimental Bug Patterns
      -workHard                                  ensure analysis effort is at least 'default'
      -conserveSpace                             same as -effort:min (for backward compatibility)
      -showPlugins                               show list of available detector plugins
      -userPrefs <filename>                      user preferences file, e.g /path/to/project/.settings/edu.umd.cs.findbugs.core.prefs for Eclipse projects
    Output options:
      -timestampNow                              set timestamp of results to be current time
      -quiet                                     suppress error messages
      -longBugCodes                              report long bug codes
      -progress                                  display progress in terminal window
      -release <release name>                    set the release name of the analyzed application
      -experimental                              report of any confidence level including experimental bug patterns
      -low                                       report warnings of any confidence level
      -medium                                    report only medium and high confidence warnings [default]
      -high                                      report only high confidence warnings
      -maxRank <rank>                            only report issues with a bug rank at least as scary as that provided
      -dontCombineWarnings                       Don't combine warnings that differ only in line number
      -sortByClass                               sort warnings by class
      -xml[:withMessages]                        XML output (optionally with messages)
      -xdocs                                     xdoc XML output to use with Apache Maven
      -html[:stylesheet]                         Generate HTML output (default stylesheet is default.xsl)
      -emacs                                     Use emacs reporting format
      -relaxed                                   Relaxed reporting mode (more false positives!)
      -train[:outputDir]                         Save training data (experimental); output dir defaults to '.'
      -useTraining[:inputDir]                    Use training data (experimental); input dir defaults to '.'
      -redoAnalysis <filename>                   Redo analysis using configuration from previous analysis
      -sourceInfo <filename>                     Specify source info file (line numbers for fields/classes)
      -projectName <project name>                Descriptive name of project
      -reanalyze <filename>                      redo analysis in provided file
      -output <filename>                         Save output in named file
      -nested[:true|false]                       analyze nested jar/zip archives (default=true)
    Output filtering options:
      -bugCategories <cat1[,cat2...]>            only report bugs in given categories
      -onlyAnalyze <classes/packages>            only analyze given classes and packages; end with .* to indicate classes in a package, .- to indicate a package prefix
      -excludeBugs <baseline bugs>               exclude bugs that are also reported in the baseline xml output
      -exclude <filter file>                     exclude bugs matching given filter
      -include <filter file>                     include only bugs matching given filter
      -applySuppression                          Exclude any bugs that match suppression filter loaded from fbp file
    Detector (visitor) configuration options:
      -visitors <v1[,v2...]>                     run only named visitors
      -omitVisitors <v1[,v2...]>                 omit named visitors
      -chooseVisitors <+v1,-v2,...>              selectively enable/disable detectors
      -choosePlugins <+p1,-p2,...>               selectively enable/disable plugins
      -adjustPriority <v1=(raise|lower)[,...]>   raise/lower priority of warnings for given visitor(s)
    Project configuration options:
      -auxclasspath <classpath>                  set aux classpath for analysis
      -auxclasspathFromInput                     read aux classpath from standard input
      -sourcepath <source path>                  set source path for analyzed classes
      -exitcode                                  set exit code of process
      -noClassOk                                 output empty warning file if no classes are specified
      -xargs                                     get list of classfiles/jarfiles from standard input rather than command line
      -cloud <id>                                set cloud id
      -cloudProperty <key=value>                 set cloud property
      -bugReporters <name,name2,-name3>          bug reporter decorators to explicitly enable/disable
      -printConfiguration                        print configuration and exit, without running analysis
      -version                                   print version, check for updates and exit, without running analysis

Output results

    C:\findbugs\bin\findbugs -textui -project C:\findsecuritybugs\webgaot.fbp

Results are written to the command line.

    C:\findbugs\bin\findbugs -textui -xml -output C:\test1.xml -project C:\findsecuritybugs\webgaot.fbp

Results are written to an XML file.

    C:\findbugs\bin\findbugs -textui -xml:withMessages -output C:\test2.xml -project C:\findsecuritybugs\webgaot.fbp

Adds the detailed issue messages to the XML; for one finding they read:

    Field should be package protected
    com.ibm.wsdl.Constants.FAULT_ATTR_NAMES should be package protected
    In <unknown>
    In class com.ibm.wsdl.Constants
    In <unknown>
    Field com.ibm.wsdl.Constants.FAULT_ATTR_NAMES
    In <unknown>

(This finding is in a third-party class, com.ibm.wsdl being the WSDL4J library, and is a general code-quality pattern rather than a security one; the filtered run below restricts the report to security issues.)

    C:\findbugs\bin\findbugs -textui -html -output C:\test3.html -project C:\findsecuritybugs\webgaot.fbp

Writes the results in HTML format.

Scan only security issues:

    C:\findbugs\bin\findbugs -textui -html -output C:\test4_filter.html -project C:\findsecuritybugs\webgaot.fbp -include C:\findsecuritybugs\myfilter.xml

myfilter.xml: a FindBugs include filter. To keep only the findings of the Find Security Bugs plugin it matches on the bug category SECURITY, i.e. a <FindBugsFilter> root with one <Match> element containing <Bug category="SECURITY"/>.

Specify the Find Security Bugs plugin:

    C:\findbugs\bin\findbugs -textui -html -output C:\test4_filter.html -project C:\findsecuritybugs\webgaot.fbp -include C:\findsecuritybugs\myfilter.xml -pluginList C:\findsecuritybugs\findsecbugs-plugin-1.2.0.jar

Rule analysis (case: WebGoat)

Rules supported by Find Security Bugs: http://h3xstream.github.io/find-sec-bugs/bugs.htm

DMI_CONSTANT_DB_PASSWORD: Hardcoded constant database password
This code creates a database connection using a hardcoded, constant password. Anyone with access to either the source code or the compiled code can easily learn the password.

COMMAND_INJECTION: Command injection
The highlighted API is used to execute a system command. If unfiltered input is passed to this API, it can lead to arbitrary command execution.

Reference: OWASP: Command Injection

PREDICTABLE_RANDOM: Predictable pseudo-random generator (PRG)
The use of a predictable random value can lead to vulnerabilities in these contexts: CSRF tokens, password reset tokens (sent by email) or any other secret value. A quick fix is to replace the instantiation of java.util.Random with java.security.SecureRandom.

References:
- Cracking Random Number Generators - Part 1 (http://jazzy.id.au)
- CERT: MSC02-J. Generate strong random numbers
- CWE-330: Use of Insufficiently Random Values

PATH_TRAVERSAL_IN: Potential path traversal (read file)
A file is opened to read its content.
The path given is a dynamic parameter. If an unfiltered parameter is passed to this file API, content from an arbitrary path could be read. This detector identifies potential path traversal. In many cases the constructed file path is not controlled by the user; if that is the case, this bug instance can be ignored.

References:
- WASC: Path Traversal
- OWASP: Path Traversal
- CAPEC-126: Path Traversal
- CWE-99: Improper Control of Resource Identifiers (Resource Injection)

PATH_TRAVERSAL_OUT: Potential path traversal (write file)
The selected class is used to open a file handle using a dynamic parameter. If unfiltered input is passed to this function, content could be written to an arbitrary path.

References:
- WASC-33: Path Traversal
- OWASP: Path Traversal
- CAPEC-126: Path Traversal
- CWE-99: Improper Control of Resource Identifiers (Resource Injection)

REDOS: ReDoS
ReDoS stands for Regular Expression Denial of Service. The identified regular expression (regex) may take a large amount of time when analysing certain strings. For example, with the regex (a+)+$ the input aaaaaaaaaaaaaaaax (16 a's followed by an x) causes the regex engine to analyse 65536 different paths [1]. Therefore it is possible that a single request causes a large amount of computation on the server side.

References:
- Sebastian Kubeck's weblog: Detecting and Preventing ReDoS Vulnerabilities
- [1] OWASP: Regular expression Denial of Service (the example is taken from this reference)

UNVALIDATED_REDIRECT: Unvalidated redirect
An unvalidated redirect is a vulnerability that facilitates phishing attacks. Scenario:
1. A user is requested to visit the malicious URL: /login?redirect=/fake/login
2. The user is redirected to a fake login page (/fake/login).
3. The user enters his credentials.
4. He is redirected to the original website.
This attack is plausible because most users don't double-check the URL after the redirection. Also, redirects to an authentication page are very common.
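The checks a reviewer expects to see once PATH_TRAVERSAL_IN / PATH_TRAVERSAL_OUT or UNVALIDATED_REDIRECT is reported, as an added example; this is not code from this document, from WebGoat or from the Find Security Bugs project. The base directory, the allowed redirect prefixes and the sample inputs are constructed for the demonstration, and the code assumes Java 11 or later.

```java
import java.io.IOException;
import java.nio.file.Files;
import java.nio.file.Path;
import java.util.List;

/** Added example (not from the document or the plugin): input-boundary checks for file paths and redirect targets. */
public final class InputBoundaries {

    private InputBoundaries() {}

    /**
     * PATH_TRAVERSAL_IN / PATH_TRAVERSAL_OUT remediation: resolve the user-supplied name against a fixed
     * base directory and reject anything that escapes it after normalisation. The comparison is done on
     * the normalised absolute Path, not on the raw string, which is what defeats "..", absolute paths and
     * lookalike siblings ("/srv/app" vs "/srv/app2"). Symlinks inside the base directory are a separate
     * concern: for files that already exist, compare toRealPath() results instead.
     */
    public static Path resolveInsideBase(Path baseDir, String userSupplied) {
        Path base = baseDir.toAbsolutePath().normalize();
        Path candidate = base.resolve(userSupplied).normalize();
        if (!candidate.startsWith(base)) {
            throw new IllegalArgumentException("path escapes base directory: " + userSupplied);
        }
        return candidate;
    }

    /**
     * UNVALIDATED_REDIRECT remediation: only site-relative targets whose beginning is on the allow-list
     * are honoured; everything else falls back to a fixed safe location. Absolute URLs, scheme-relative
     * "//host" forms, backslashes (which Chrome treats like "/") and control characters are all rejected
     * before the prefix comparison.
     */
    public static String safeRedirectTarget(String requested, List<String> allowedPrefixes, String fallback) {
        if (requested == null || requested.isEmpty() || !requested.startsWith("/") || requested.startsWith("//")) {
            return fallback;
        }
        for (int i = 0; i < requested.length(); i++) {
            char ch = requested.charAt(i);
            if (ch <= ' ' || ch == '\\' || ch >= 0x7f) {
                return fallback;
            }
        }
        for (String prefix : allowedPrefixes) {
            // "/account" must not match "/accountant"; only an exact hit or a path/query continuation counts.
            if (requested.equals(prefix) || requested.startsWith(prefix + "/") || requested.startsWith(prefix + "?")) {
                return requested;
            }
        }
        return fallback;
    }

    public static void main(String[] args) throws IOException {
        Path base = Files.createTempDirectory("uploads");                  // constructed sandbox directory
        Path report = Files.writeString(base.resolve("report.txt"), "ok");  // constructed legitimate file
        try {
            for (String name : new String[] { "report.txt", "sub/../report.txt", "../../etc/passwd", "/etc/passwd" }) {
                try {
                    System.out.println(name + " -> " + resolveInsideBase(base, name));
                } catch (IllegalArgumentException e) {
                    System.out.println(name + " -> REJECTED (" + e.getMessage() + ")");
                }
            }
            List<String> allowed = List.of("/account", "/orders");        // constructed allow-list
            for (String target : new String[] { "/account/settings", "/orders?id=7", "/fake/login",
                                                "//evil.example/login", "http://evil.example/", "/\\evil.example" }) {
                System.out.println(target + " -> " + safeRedirectTarget(target, allowed, "/"));
            }
        } finally {
            Files.deleteIfExists(report);
            Files.deleteIfExists(base);
        }
    }
}
```

The two legitimate names resolve to a path under the temporary directory, the two traversal attempts are rejected, and of the six redirect targets only the first two are returned unchanged; the rest collapse to "/". Note that the detector cannot see this reasoning: a PATH_TRAVERSAL_IN finding on a call that goes through resolveInsideBase() is a reviewed false positive to document, exactly as the rule text says.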
Countermeasures:
- Whitelist URLs (if possible)
- Validate that the beginning of the URL is part of the whitelist

References:
- WASC-38: URL Redirector Abuse
- OWASP Top 10 A10: Unvalidated Redirects and Forwards

UNENCRYPTED_SOCKET: Unencrypted socket
The communication started will not be encrypted. The traffic could be read by an attacker intercepting the communication.
Plain socket (clear-text communication): Socket soc = new Socket(host, 80);
SSL socket (secure communication): Socket soc = SSLSocketFactory.getDefault().createSocket(host, 443);

References:
- OWASP: Insufficient Transport Layer Protection
- WASC-04: Insufficient Transport Layer Protection

WEAK_MESSAGE_DIGEST: Weak MessageDigest
The algorithm used is not a recommended MessageDigest. NIST recommended to use either SHA-1, SHA-224*, SHA-256, SHA-384 or SHA-512.
* The SHA-224 algorithm is not provided by the Sun provider.
(This is the rule text of plugin version 1.2.0. NIST has since deprecated SHA-1 in SP 800-131A and current plugin versions report it as weak as well, so prefer SHA-256 or stronger.)

Reference: NIST Approved Algorithms

XXE: XML parsing vulnerable to XXE attacks
XML external entity attacks can occur when the XML parser supports XML entities and receives user input as XML content.
Risk 1: expose local file content (XXE: XML External Entity). The DOCTYPE of the root element foo declares an external entity xxe, which the document body then references as &xxe;, so the parser substitutes the content of the referenced resource.
Risk 2: denial of service (XEE: XML Entity Expansion). The DOCTYPE of the root element s declares an entity x, which the body references over and over (&x;&x;...), so a small document expands to a very large one in memory.

References:
- CERT: IDS10-J. Prevent XML external entity attacks
- OWASP: Testing for XML Injection
- WS-Attacks: XML Generic Entity Expansion
- WS-Attacks: XML External Entity DoS

SQL_PREPARED_STATEMENT_GENERATED_FROM_NONCONSTANT_STRING: A prepared statement is generated from a nonconstant string
The code creates an SQL prepared statement from a nonconstant string. If unchecked, tainted data from a user is used in building this string, and SQL injection could be used to make the prepared statement do something unexpected and undesirable.

SQL_NONCONSTANT_STRING_PASSED_TO_EXECUTE: Nonconstant string passed to execute method on an SQL statement
The method invokes the execute method on an SQL statement with a string that seems to be dynamically generated. Consider using a prepared statement instead.
It is more efficient and less vulnerable to SQL injection attacks.

Rule extension

Extending rules on top of FindBugs: /lywybo/article/details/5335748

Method for integrating Find Security Bugs into the code quality management platform

1. The platform provides an interface that uses the FindBugs .fbp project file as a template for editing and maintaining project information. The .fbp file is XML and contains the project name, the paths of the AUT (application under test) JAR packages and the source path. The .fbp project file is stored in the back-end database. Example:
    ...\webgaot\aut\webgoat5.0
    ...\Program Files\MyEclipse\Common\plugins\com.genuitec.ec
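A parser configuration that closes both risks named in the XXE rule of the rules section above, as an added example; it is not code from this document or from the Find Security Bugs project. The two payloads are constructed here for the demonstration: the first follows the rule's "foo / &xxe;" shape with a file URL as the external entity, the second the "s / &x;" expansion shape. The code uses only the JDK's built-in XML parser.

```java
import java.io.ByteArrayInputStream;
import java.io.IOException;
import java.nio.charset.StandardCharsets;
import javax.xml.XMLConstants;
import javax.xml.parsers.DocumentBuilder;
import javax.xml.parsers.DocumentBuilderFactory;
import javax.xml.parsers.ParserConfigurationException;
import org.w3c.dom.Document;
import org.xml.sax.SAXException;

/** Added example (not from the document or the plugin): a DOM parser hardened against XXE and XEE. */
public final class SafeXml {

    private SafeXml() {}

    public static DocumentBuilder hardenedBuilder() throws ParserConfigurationException {
        DocumentBuilderFactory f = DocumentBuilderFactory.newInstance();
        // Rejecting the DOCTYPE altogether removes both attack surfaces at once: no external entities
        // (file disclosure, SSRF) and no internal entity definitions to expand (XEE).
        f.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
        // Defence in depth for parsers or inputs where a DOCTYPE has to be tolerated.
        f.setFeature("http://xml.org/sax/features/external-general-entities", false);
        f.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
        f.setFeature("http://apache.org/xml/features/nonvalidating/load-external-dtd", false);
        f.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);  // also applies the JDK entity expansion limits
        f.setXIncludeAware(false);
        f.setExpandEntityReferences(false);
        return f.newDocumentBuilder();
    }

    public static Document parse(String xml) throws ParserConfigurationException, SAXException, IOException {
        return hardenedBuilder().parse(new ByteArrayInputStream(xml.getBytes(StandardCharsets.UTF_8)));
    }

    // Constructed payloads for the two risks in the rule text; they are not taken from any real application.
    static final String XXE_FILE_READ =
          "<?xml version=\"1.0\"?>\n"
        + "<!DOCTYPE foo [<!ENTITY xxe SYSTEM \"file:///etc/passwd\">]>\n"
        + "<foo>&xxe;</foo>";

    static final String XEE_EXPANSION =
          "<?xml version=\"1.0\"?>\n"
        + "<!DOCTYPE s [<!ENTITY x \"aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa\">\n"
        + " <!ENTITY y \"&x;&x;&x;&x;&x;&x;&x;&x;&x;&x;\">]>\n"
        + "<s>&y;&y;&y;&y;&y;&y;&y;&y;&y;&y;</s>";

    static final String BENIGN = "<order id=\"42\"><item>book</item></order>";

    public static void main(String[] args) throws ParserConfigurationException, IOException {
        for (String doc : new String[] { BENIGN, XXE_FILE_READ, XEE_EXPANSION }) {
            try {
                Document d = parse(doc);
                System.out.println("parsed: root element " + d.getDocumentElement().getTagName());
            } catch (SAXException e) {
                System.out.println("rejected: " + e.getMessage());
            }
        }
    }
}
```

The benign order document parses; both payloads are rejected by the parser with a "DOCTYPE is disallowed" error before any entity is resolved or expanded. If a DOCTYPE genuinely has to be accepted, drop only the first feature and keep the rest: with external entities disabled the file read fails, and the secure-processing feature caps the number of expansions so the XEE document fails instead of exhausting memory.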
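The two SQL rules of the rules section above side by side, as an added example that is not code from this document, from WebGoat or from the Find Security Bugs project: the concatenated query that SQL_NONCONSTANT_STRING_PASSED_TO_EXECUTE points at, its parameterised replacement, and the one case where prepareStatement() still has to take a nonconstant string. The users table, its rows and the injection string are constructed for the demonstration; the main method assumes a JDBC driver on the classpath and defaults to an H2 in-memory URL.

```java
import java.sql.Connection;
import java.sql.DriverManager;
import java.sql.PreparedStatement;
import java.sql.ResultSet;
import java.sql.SQLException;
import java.sql.Statement;
import java.util.ArrayList;
import java.util.List;
import java.util.Set;

/** Added example (not from the document or the plugin): vulnerable and parameterised JDBC lookups. */
public final class UserLookup {

    private UserLookup() {}

    /** What SQL_NONCONSTANT_STRING_PASSED_TO_EXECUTE reports: the query text is built from caller input. */
    public static String findEmailVulnerable(Connection c, String username) throws SQLException {
        String sql = "SELECT email FROM users WHERE name = '" + username + "'";
        try (Statement st = c.createStatement(); ResultSet rs = st.executeQuery(sql)) {
            return rs.next() ? rs.getString(1) : null;
        }
    }

    /** Fix: constant SQL text, user data bound as a parameter, so the driver never parses it as SQL. */
    public static String findEmail(Connection c, String username) throws SQLException {
        try (PreparedStatement ps = c.prepareStatement("SELECT email FROM users WHERE name = ?")) {
            ps.setString(1, username);
            try (ResultSet rs = ps.executeQuery()) {
                return rs.next() ? rs.getString(1) : null;
            }
        }
    }

    private static final Set<String> SORT_COLUMNS = Set.of("name", "email");

    /**
     * SQL_PREPARED_STATEMENT_GENERATED_FROM_NONCONSTANT_STRING: prepareStatement() does not help when the
     * text itself is concatenated. Identifiers such as an ORDER BY column cannot be bound as parameters,
     * so the only safe option is an allow-list. The detector still flags this line; after review the
     * finding is a documented false positive, not a bug to fix.
     */
    public static List<String> listNamesSortedBy(Connection c, String column) throws SQLException {
        if (!SORT_COLUMNS.contains(column)) {
            throw new IllegalArgumentException("unknown sort column: " + column);
        }
        try (PreparedStatement ps = c.prepareStatement("SELECT name FROM users ORDER BY " + column);
             ResultSet rs = ps.executeQuery()) {
            List<String> names = new ArrayList<>();
            while (rs.next()) {
                names.add(rs.getString(1));
            }
            return names;
        }
    }

    public static void main(String[] args) throws SQLException {
        // Assumption: a JDBC driver is on the classpath; the H2 in-memory URL is a placeholder for the demo.
        String url = args.length > 0 ? args[0] : "jdbc:h2:mem:demo";
        try (Connection c = DriverManager.getConnection(url); Statement st = c.createStatement()) {
            st.execute("CREATE TABLE users(name VARCHAR(64), email VARCHAR(128))");
            st.execute("INSERT INTO users VALUES ('alice', 'alice@example.test'), ('bob', 'bob@example.test')");
            String payload = "x' OR '1'='1";   // constructed injection string: no such user exists
            System.out.println("vulnerable: " + findEmailVulnerable(c, payload));  // leaks a row anyway
            System.out.println("fixed:      " + findEmail(c, payload));            // null, no match
            System.out.println("sorted:     " + listNamesSortedBy(c, "name"));
        }
    }
}
```

With the payload, the vulnerable lookup returns the first user's e-mail because the WHERE clause has become name = 'x' OR '1'='1'; the parameterised version compares the whole string literally and finds nothing. In the WebGoat scan the same distinction decides which of the SQL findings are real: a concatenated string reaching executeQuery() or prepareStatement() is a bug, a string assembled from constants and allow-listed identifiers is a finding to review and suppress with a justification.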