Searching for Code in J2EE/Java

Searching for key indicators
The basis of the code review is to locate and analyse areas of code which may have application security implications. Assuming the code reviewer has a thorough understanding of the code, what it is intended to do and the context upon which it is to be used, firstly one needs to sweep the code base for areas of interest.

This can be done by performing a text search on the code base looking for keywords relating to API's and functions. Below is a guide for .NET framework 1.1 & 2.0

Searching for code in .NET
Firstly one needs to be familiar with the tools one can use in order to perform text searching following on from this one need to know what to look for. In this section we will assume you have a copy of Visual Studio (VS) .NET at hand. VS has two types of search "Find in Files" and a cmd line tool called Findstr The test search tools in XP is not great in my experience and if one has to use this make sure SP2 in installed as it works better. To start off one should scan thorough the code looking for common patterns or keywords such as "User", "Password", "Pswd", "Key", "Http", etc... This can be done using the "Find in Files" tool in VS or using findstring as follows: [Find In Files HERE]

findstr /s /m /i /d:c:\projects\codebase\sec "http" *.*

Http Request Strings
Requests from external sources are onviously a key area of a secure code review. We need to ensure that all HTTP requests received are datavalidated for composition, max and min length and if the data falls with the relms of the parameter whitelist. Bottom-line is this is a key area to look at and ensure security is enabled.

request.querystring request.form request.cookies request.certificate request.servervariables request.IsSecureConnection request.TotalBytes request.BinaryRead

HTML Output
Here we are looking for responses to the client. Responses which go unvalidated or which echo external input without data validation are key areas to examine. Many client side attacks result from poor response validation. XSS relies on this somewhat.

response.write <% = HttpUtility HtmlEncode UrlEncode innerText innerHTML

SQL & Database
Locating where a database may be involved in the code is an important aspect of the code review. Looking at the database code will help determine if the application is vulnerable to SQL injection. One aspect of this is to verify that the code uses either SqlParameter, OleDbParameter, or OdbcParameter(System.Data.SqlClient). These are typed and treats parameters as the literal value and not executable code in the database.

exec sp_executesql execute sp_executesql select from Insert update delete from where delete exec sp_ execute sp_ exec xp_ execute sp_ exec @ execute @ executestatement executeSQL setfilter executeQuery GetQueryResultInXML adodb sqloledb sql server driver Server.CreateObject .Provider .Open ADODB.recordset New OleDbConnection ExecuteReader DataSource Microsoft.Jet SqlDataReader ExecuteReader GetString SqlDataAdapter CommandType StoredProcedure System.Data.sql

Cookies
Cookie manipulation can be key to various application security exploits such as session hijacking/fixation and parameter manipulation. One should examine any code relating to cookie functionality as this would have a bearing on session security. System.Net.Cookie HttpOnly document.cookie

HTML Tags
Many of the HTML tags below can be used for client side attacks such as cross site scritping. It is important to examine the context in which these tags are used and to examine any relevant data validation associated with the display and use of such tags withing a web application.

HtmlEncode URLEncode <frame security <iframe security

Input Controls
The input controls below are server classes used to produce and display web application form fields. Looking for such references helps locate entry points into the application.

system.web.ui.htmlcontrols.htmlinputhidden system.web.ui.webcontrols.textbox system.web.ui.webcontrols.listbox system.web.ui.webcontrols.checkboxlist system.web.ui.webcontrols.dropdownlist

web.config
requestEncoding responseEncoding trace authorization CustomErrors httpRuntime maxRequestLength debug forms protection

logging
log4net

Machine.config
validateRequest enableViewState enableViewStateMac

Threads and Concurrancy
Thread Dispose

Class Design
Public Sealed

Reflection, Serialization
ISerializable AllowPartiallyTrustedCallersAttribute GetObjectData StrongNameIdentityPermission StrongNameIdentity

Exceptions & Errors
catch{ Finally trace enabled customErrors mode

Crypto
base64 xor DES RC2 System.Random Random

Storage
SecureString ProtectedMemory

Authorization, Assert & Revert
.RequestMinimum .RequestOptional Assert Debug.Assert CodeAccessPermission ReflectionPermission.MemberAccess SecurityPermission.ControlAppDomain SecurityPermission.UnmanagedCode SecurityPermission.SkipVerification SecurityPermission.ControlEvidence SecurityPermission.SerializationFormatter SecurityPermission.ControlPrincipal SecurityPermission.ControlDomainPolicy SecurityPermission.ControlPolicy

Leagcy methods
printf strcpy

Input Streams
Java.io FileInputStream ObjectInputStream FilterInputStream PipedInputStream SequenceInputStream StringBufferInputStream BufferedReader ByteArrayInputStream CharArrayReader File ObjectInputStream PipedInputStream StreamTokenizer getResourceAsStream

Servlets
javax.servlet. getParameterNames getParameterValues getAttribute getAttributeNames isSecure HttpServletRequest getQueryString getHeader getPrincipal isUserInRole getOutputStream getWriter addCookie addHeader setHeader

SQL & Database
Searching for Java Database related code this list should help you pinpoint classes/methods which are involved in the persistance layer of the application being reviewed. jdbc executeQuery select insert update delete execute executestatement

SSL
com.sun.net.ssl SSLContext SSLSocketFactory TrustManagerFactory HttpsURLConnection KeyManagerFactory

Session Management
getSession invalidate getId