Dernière édition Attention: Le pdf pèse environ 17 - BFH-TI - Berner ...

BIBEBUVABSc in Computer ScienceFaces Input Validator TesterIT Security / Thesis Advisor: Prof. Dr. Emmanuel BenoistExpert: Dr. Igor MetzFIVT is a code analysis plugin for the popular Java Integrated Development Environment (IDE) NetBeans.The FIVT plugin identifies input tags and their validators in Java Server Faces (JSF 2) applications and teststhe validators for SQL injection and cross-site scripting (XSS) vulnerabilities. Through this analysis, webdevelopers are able to pinpoint otherwise unknown weaknesses in their applications giving them theopportunity to provide more secure interfaces for users of their software.James HulkaContextDespite being known problemssince 1998 and since the birth ofjavascript, respectively, SQL injectionand XSS are both still commonlyoverlooked vulnerabilitiesduring the development of a webapplication. According to the WebApplication Security Consortium’s«Web Hacks Incident Database»,22.6 % of incidents reported aredue to improper input handling,with 20.1 % of total incident attackmethods being SQL injection relatedand 9.4 % being cross-sitescripting related.Thesis ObjectivesThe goal of this thesis was to producea prototype of a plugin thatcan help JSF 2 web developersidentify input validators within theirapplications that have SQL injectionand XSS weaknesses.Thesis RealizationAs JSF 2 deals with xhtml elementsrendered and used by clientbrowsers as well as server sideJava classes, the solution was dividedinto smaller modules performingspecific tasks within thecode analysis.A parser module identifies individualJSF 2 inputs and their validatorswithin the xhtml code of aproject using predefined JSF 2 librarydefinitions. Managed beanclasses are also searched by theparser to map the variable typeslinked to inputs values.Parsed inputs and validators arethen passed to a tester modulewhich identifies unique validators,writing and compiling test classeson the fly. Each test run requires amock JSF 2 context be created inorder to execute the validationmethod of the validator class.Mock contexts are achievedthrough the MyFaces Test Frameworkfrom the Apache Foundation.Were it not possible to create themock context a J2EE containerserver would have to be started inorder to run the tests. In doing thisthe resource usage advantage ofusing static code analysis wouldhave been lost. When the testcases are run they access listscontaining up to date SQL injectionand XSS input values recordinghow many of the values arerejected by each validator.All of the information gathered bythe parser and tester modules isorganized by a control moduleand then passed on to the pluginmodule which handles the interactionwith NetBeans and the user.Through the APIs provided by Net-Beans the plugin module has accessto project information suchas the location of source files aswell as other IDE tools. Throughthis the plugin module is able toprovide direct linkage allowing auser to open a file containing atested input, as well as add a FIVTSQL injection or XSS validator toan input.ConclusionThe realization of the thesis showsgreat promise for the use of staticcode analysis in identifying specificvulnerabilities within J2EEapplications. The particular solutiondeveloped for JSF 2 providesa generalized API that couldbe adapted for other J2EE webframeworks. Beyond input validationtesting, the thesis also uncoveredthe usefulness of a possiblefollowup project involving trackingvariable usage inside the Javaserver side code.Information flow in FIVTAnalysis results list166 ti.bfh.ch