LAPSE+: The Security Scanner for Java EE Applications

Index
1. Introduction................................................................................................ 3 2. Tutorial....................................................................................................... 3 2.1 How to load LAPSE+ in Eclipse Helios...................................................3 2.2 LAPSE+ Plugin Views............................................................................. 6 2.2.1 Vulnerability Sources View..............................................................6 2.2.2 Vulnerability Sinks View..................................................................7 2.2.3 Provenance Tracker View..............................................................10

2011 evalues

OWASP LAPSE Project

Page 2

LAPSE+: The Security Scanner for Java EE Applications

1. Introduction
LAPSE+ is a security scanner for detecting vulnerabilities of untrusted data injection in Java EE Applications. It has been developed as a plugin for Eclipse Java Development Environment, working specifically with Eclipse Helios and Java 1.6 or higher. LAPSE+ is based on the GPL software LAPSE, developed by the SUIF Compiler Group of Stanford University. This new release of the plugin developed by Evalues Lab of Universidad Carlos III de Madrid provides more features to analyze the propagation of the malicious data through the application and includes the identification of new vulnerabilities. LAPSE+ is based on the static analysis of code to detect the source and the sink of a vulnerability. The source of a vulnerability refers to the injection of untrusted data in the parameters of an HTTP request, a Cookie, etc. The sink of a vulnerability refers to the process of data modification to manipulate the behaviour of the application, such as a servlet response or a HTML page. The vulnerability sources can lead to sinks by simple assignments, method calls or parameters passing. This document explains how to load LAPSE+ plugin in Eclipse Helios, describing its features and the options that it provides.

2. Tutorial
2.1 How to load LAPSE+ in Eclipse Helios
LAPSE+ plugin consists of a Java JAR file called LapsePlus_2.8.X.jar. To load the plugin we have to copy it in the plugins folder of our Eclipse Helios, as we can see in the following figures.

2011 evalues

OWASP LAPSE Project

Page 3

LAPSE+: The Security Scanner for Java EE Applications LAPSE+: The Security Scanner for Java EE Applications

Figure 1: Eclipse plugins folder

Figure 2: Including LAPSE+ JAR file in plugins folder

2011 evalues OWASP LAPSE Project Page 4

LAPSE+: The Security Scanner for Java EE Applications Once we have copied the Java JAR file in plugins folder we can run Eclipse. In the top menu of Eclipse Workbench we go to Windows | Show View | Other.

Figure 3: Loading LAPSE+ plugin in Eclipse

We select the three views of the folder Lapse+ 2.8 and press OK. Then, we open the Eclipse projects that we want to analyze in search of vulnerabilities. We have to check that our projects are properly configured and don't have compilation errors. Compilation errors will prevent LAPSE+ from detecting all the potential vulnerabilities.

2011 evalues

OWASP LAPSE Project

Page 5

LAPSE+: The Security Scanner for Java EE Applications

2.2 LAPSE+ Plugin Views

LAPSE+ provides three different views for the analysis of vulnerabilities: Vulnerability Sources View. It shows the points of code that can be source of untrusted data injection. Vulnerability Sinks View. It shows the points of code that can insert the untrusted data in the application, manipulating its behaviour. Provenance Tracker View. This view traces the backward propagation tree from a vulnerability sink in order to check if it reaches a vulnerability source. If this happens we have a vulnerability in our code.

2.2.1 Vulnerability Sources View

This view shows all the possible sources of an injection attack.

Figure 4: Vulnerability Sources View

The categories of Vulnerability Sources that LAPSE+ detects correspond to: Parameter Tampering. This attack is based on the injection of untrusted data in the parameters of the requests and responses exchanged between the client and the server of a web application, e.g. HTML form or Cookie parameters. URL Tampering. This attack occurs when the parameters of a HTML form appear as part of the URL after having sent the form with HTTP GET. The user can edit the URL, adding malicious data to get sensitive information. 2011 evalues OWASP LAPSE Project Page 6

LAPSE+: The Security Scanner for Java EE Applications Header Manipulation. HTTP headers are not commonly visible for the end user. However, there are web applications that process these headers and it is possible for the user to inject malicious data into it. Cookie Poisoning. This attack is a variant of HTTP header tampering, since the user can inject malicious data in the web application through the fields of a cookie.

Vulnerabilities Source View Options

Icon Title Find Sources Description By clicking this option LAPSE+ looks for all the vulnerability sources in the Eclipse Java EE Projects that are opened. We can filter the results to show the sources that not correspond to source code, for example, vulnerabilities in the libraries used by the application. We can also show the main method calls of our application, that are considered vulnerability sources since they can receive untrusted data in its parameters. This option copies to clipboard the data of the vulnerability source selected on the view.

Filter Menu

Copy to Clipboard

2011 evalues

OWASP LAPSE Project

Page 7

LAPSE+: The Security Scanner for Java EE Applications

2.2.2 Vulnerability Sinks View

This view shows the points of the code that can sink malicious data in our application and manipulate its behaviour.

Figure 5: Vulnerability Sinks View

The categories of Vulnerability Sinks that LAPSE+ detects correspond to: SQL Injection. This attack consists of injection of a SQL query via the input data to get sensitive data from the database of the web application, modify the data or gain privileges over the database. Cross-site Scripting. It consists of the injection of malicious scripts in the code of the web application to trick the user into executing it. HTTP Response Splitting. This attack consists of attaching malicious data in the header of a HTTP Response making use of line breaks. Thus, the attacker achieves to create two responses for an unique request, being the second one compound of malicious data that can be incorrectly associated to the following request. Command Injection. This attack occurs when the user exploits the input of the web application to execute shell commands and take advantage it. Path Traversal. This attack aims to access directories and files out of the root path of the web application, by manipulating the variables that reference files, using dot-dot-slash (../) sequences and its variations.

2011 evalues

OWASP LAPSE Project

Page 8

LAPSE+: The Security Scanner for Java EE Applications XPath Injection. XPath is the query language for managing the information of a XML document. Web applications which use XML databases to store their data, communicate with them by XPath queries. XPath Injection attacks are based on embedding XPath code into the input data of the web application in order to exploit the parameters of the XPath queries. Thus, the user can extract sensitive information from the database or alter it. XML Injection. This is an attack based on the injection of malicious data in the fields of a XML message. The injected inputs can change the structure of the XML fields, not only its content, but also its tags. These malicious data can manipulate the logic of the application and compromise its behaviour. LDAP Injection. This sort of attacks is based on similar techniques to XPath Injection. The aim is to take advantage on the parameters in the LDAP query to extract sensitive information. Also, the user can get permissions on the LDAP server to modify the content inside the LDAP tree.

Vulnerabilities Sinks View Options Icon Title Find Sinks Description By clicking this button LAPSE+ searches all the vulnerability sinks in the Eclipse Java EE Projects that are opened. This option lets you change to safe the state of the vulnerability sinks detected, in order to track the vulnerabilities that we have already controlled. We can filter the results to show the vulnerability sinks that not correspond to source code, such as the libraries used in the project. Besides, this view allows to filter the results by category of vulnerability. This option copies to clipboard the data of the vulnerability sink selected on the view.

Toggle Safe Status

Filter Menu

Copy to Clipboard

2011 evalues

OWASP LAPSE Project

Page 9

LAPSE+: The Security Scanner for Java EE Applications Icon Title Get Sinks Statistics Description This option shows the statistics of the vulnerability sinks detected. It shows the total number of vulnerability sinks and unsafe objects of each category of attack, indicating which corresponds to source code vulnerabilities.

Other important option in Vulnerability Sinks View is the Perform backward propagation from sink option in the contextual menu that we have at our disposal when we click the mouse right button.

Figure 6: Backward Propagation from a sink

When the user chooses this option on a vulnerability sink result, the view changes to Provenance Tracker, showing the backward propagation tree from this vulnerability sink.

2.2.3 Provenance Tracker View

This view allows to find the values that a variable takes by the different assignations along the code. It shows the propagation path to reach the source of the variable. Thus, this method is used to know the source of the vulnerability sinks results.

2011 evalues

OWASP LAPSE Project

Page 10

LAPSE+: The Security Scanner for Java EE Applications

Figure 7: Provenance Tracker View

If it is possible to reach a vulnerability source from a vulnerability sink result then we have a vulnerability in our code. When this occurs, Provenance Tracker View shows the matches in red. On the other hand, if it reaches a safe source it shows it in blue. Provenance Tracker View Options Icon Title Compute Backward Slice Expand all Collapse all Set slicing preferences Description This option performs the backward propagation from a variable selected on Eclipse Code Editor. This option allows to expand all the branches of the backward propagation tree. This option allows to collapse all the branches of the backward propagation tree. This option allows to limit the depth of the backward propagation tree, indicating if we want to perform the propagation through the results returned by methods. By default we have a maximum depth of 10. This option shows a historical of all the propagations performed. This option allows to show the hierarchical structure of the tree or show only the leaves. This option copies to clipboard the data of a node selected on the provenance tracker view.

Slicing history Filter Menu

Copy to Clipboard

2011 evalues

OWASP LAPSE Project

Page 11