Index

1. Introduction (page 3)
2. Tutorial (page 3)
2.1 How to load LAPSE+ in Eclipse Helios (page 3)
2.2 LAPSE+ Plugin Views (page 6)
2.2.1 Vulnerability Sources View (page 6)
2.2.2 Vulnerability Sinks View (page 7)
2.2.3 Provenance Tracker View (page 10)
2011 evalues
1. Introduction
LAPSE+ is a security scanner for detecting untrusted-data injection vulnerabilities in Java EE applications. It has been developed as a plugin for the Eclipse Java Development Environment, working specifically with Eclipse Helios and Java 1.6 or higher. LAPSE+ is based on the GPL software LAPSE, developed by the SUIF Compiler Group of Stanford University. This new release of the plugin, developed by the Evalues Lab of Universidad Carlos III de Madrid, provides more features for analyzing the propagation of malicious data through the application and adds the identification of new vulnerabilities.

LAPSE+ uses static analysis of the code to detect the source and the sink of a vulnerability. The source of a vulnerability is the point where untrusted data enters the application, such as the parameters of an HTTP request or a cookie. The sink of a vulnerability is the operation in which that data modifies the behaviour of the application, such as a servlet response or an HTML page. Vulnerability sources can reach sinks through simple assignments, method calls or parameter passing.

This document explains how to load the LAPSE+ plugin in Eclipse Helios and describes its features and the options it provides.
2. Tutorial
2.1 How to load LAPSE+ in Eclipse Helios
The LAPSE+ plugin consists of a single Java JAR file called LapsePlus_2.8.X.jar. To load the plugin we copy it into the plugins folder of our Eclipse Helios installation, as shown in the following figures.
LAPSE+: The Security Scanner for Java EE Applications
Once we have copied the Java JAR file into the plugins folder we can run Eclipse. In the top menu of the Eclipse Workbench we go to Window | Show View | Other.
Header Manipulation. HTTP headers are not normally visible to the end user. However, some web applications process these headers, and it is possible for the user to inject malicious data into them.

Cookie Poisoning. This attack is a variant of HTTP header tampering, since the user can inject malicious data into the web application through the fields of a cookie.
XPath Injection. XPath is the query language for managing the information in an XML document. Web applications that use XML databases to store their data communicate with them through XPath queries. XPath Injection attacks embed XPath code in the input data of the web application in order to alter the parameters of the XPath queries. In this way the user can extract sensitive information from the database or modify it.

XML Injection. This attack injects malicious data into the fields of an XML message. The injected input can change the structure of the XML fields, not only their content but also their tags. Such malicious data can manipulate the logic of the application and compromise its behaviour.

LDAP Injection. This sort of attack uses techniques similar to XPath Injection. The aim is to take advantage of the parameters in the LDAP query to extract sensitive information. The user may also obtain permissions on the LDAP server to modify the content of the LDAP tree.
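The following stand-alone Java program is an added example, not code from the LAPSE+ tutorial or from the plugin itself. It ties the source / propagation / sink model from the introduction to the XPath Injection category above: an untrusted value enters at a source, travels by assignment and parameter passing, and reaches an XPath sink in two forms, the concatenated query that LAPSE+ would report and a hardened version that binds the value as an XPath variable. The class name XPathSourceSinkDemo, the sample XML document and the parameter map standing in for HttpServletRequest.getParameter() are all constructed for the example; it needs only a JDK (Java 8 or later) to compile and run.

```java
import java.io.StringReader;
import java.util.Collections;
import java.util.Map;
import javax.xml.parsers.DocumentBuilderFactory;
import javax.xml.xpath.XPath;
import javax.xml.xpath.XPathExpressionException;
import javax.xml.xpath.XPathFactory;
import org.w3c.dom.Document;
import org.xml.sax.InputSource;

public class XPathSourceSinkDemo {

    // Constructed sample data standing in for an XML user store queried by the application.
    private static final String USERS_XML =
          "<users>"
        + "<user><name>alice</name><role>admin</role></user>"
        + "<user><name>O'Brien</name><role>guest</role></user>"
        + "</users>";

    private static Document parse(String xml) throws Exception {
        DocumentBuilderFactory f = DocumentBuilderFactory.newInstance();
        // Refuse DTDs so the parser itself cannot become an entity-expansion sink.
        f.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
        return f.newDocumentBuilder().parse(new InputSource(new StringReader(xml)));
    }

    // SINK (vulnerable form): the untrusted value is concatenated into the query text,
    // so a quote in the input is parsed as XPath syntax instead of being compared as data.
    static String lookupRoleUnsafe(Document doc, String name) throws XPathExpressionException {
        XPath xp = XPathFactory.newInstance().newXPath();
        String query = "/users/user[name='" + name + "']/role/text()";
        return xp.evaluate(query, doc);
    }

    // SINK (hardened form): the query text is constant and the untrusted value is bound
    // to the XPath variable $name through an XPathVariableResolver, so it can only be data.
    static String lookupRoleSafe(Document doc, String name) throws XPathExpressionException {
        XPath xp = XPathFactory.newInstance().newXPath();
        xp.setXPathVariableResolver(qname -> "name".equals(qname.getLocalPart()) ? name : null);
        return xp.evaluate("/users/user[name=$name]/role/text()", doc);
    }

    public static void main(String[] args) throws Exception {
        Document doc = parse(USERS_XML);

        // SOURCE: a constructed stand-in for HttpServletRequest.getParameter("user").
        // Header and cookie reads (getHeader, getCookies) are sources of the same kind.
        Map<String, String> requestParams = Collections.singletonMap("user", "O'Brien");
        String tainted = requestParams.get("user");

        // PROPAGATION: the taint travels by plain assignment and then by parameter passing
        // into the two sinks below; this is the chain a backward propagation tree records.
        String lookupName = tainted;

        System.out.println("hardened sink : role=" + lookupRoleSafe(doc, lookupName));
        try {
            System.out.println("vulnerable sink: role=" + lookupRoleUnsafe(doc, lookupName));
        } catch (XPathExpressionException e) {
            // The apostrophe in a perfectly legitimate name already changes the query's
            // structure; that is the mechanism the vulnerable sink exposes to any caller.
            System.out.println("vulnerable sink: query rejected as malformed XPath");
        }
    }
}
```

The hardened lookup returns guest for the input O'Brien, while the concatenated query fails to compile because the apostrophe ends the string literal early. Reviewing the sinks that LAPSE+ reports with this distinction in mind (does untrusted data end up in the query text, or only in a bound value?) is the quickest way to decide which findings can be marked safe.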
Vulnerability Sinks View Options

Find Sinks: By clicking this button LAPSE+ searches for all the vulnerability sinks in the Eclipse Java EE projects that are open.

Mark as safe: This option lets you change the state of a detected vulnerability sink to safe, in order to keep track of the vulnerabilities that we have already dealt with.

Filter Menu: We can filter the results to hide the vulnerability sinks that do not correspond to the project's own source code, such as those found in the libraries the project uses. This view also allows filtering the results by vulnerability category.

Copy to Clipboard: This option copies to the clipboard the data of the vulnerability sink selected in the view.
Get Sinks Statistics: This option shows the statistics of the vulnerability sinks detected. It shows the total number of vulnerability sinks and unsafe objects for each attack category, indicating which of them correspond to vulnerabilities in the project's own source code.
Another important option in the Vulnerability Sinks View is Perform backward propagation from sink, available in the contextual menu that appears when we right-click a result.

When the user chooses this option on a vulnerability sink result, the view switches to the Provenance Tracker, which shows the backward propagation tree from that vulnerability sink.