to present Findings with Disconnected Data-Flows
Any time I've found myself faced with a real-world web application, scanning it and presenting the AppScan Source Edition Findings, I always arrive at the point at which I have Triaged, Analyzed, Filtered and otherwise massaged the raw results into the 'data-flow pieces', which in totality represent the true vulnerabilities that I've found. The most difficult part of this exercise is then to construct [for the results consumer] a realistic picture of what an actual round trip of user-controllable data from the outside world, exploiting the given vulnerability, would look like as a Trace through the relevant source code (in an XSS Finding, for example).
One of the most common sets of Traces that must be Joined together to properly interpret data flows in even the most simplistic of J2EE web applications is the pair of ServletRequest.setAttribute() and ServletRequest.getAttribute() calls: the Sink side of one Trace ends where a value is stored under an attribute name, and the Source side of another Trace begins where that same name is read back. Below is a Stand Alone Utility that takes these 2 sets of Findings (as created in the Findings Viewer Post) and stitches them together, according to the name of the attribute being accessed:
Basic Version of Trace Stitching Utility
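To make the joining rule concrete, here is an added example of the stitching logic written in Python. It is not the utility linked above and does not parse .ozasmt files; instead it works on a constructed, simplified model of a Trace (an ordered tuple of call-site strings, Source first, Sink last). A Sink-side Trace that ends in setAttribute("name", ...) is joined to every Source-side Trace that begins with getAttribute("name"), and an optional sink filter (like the "print" filter used in the screenshots) narrows the joined Traces to those ending in a chosen Sink. The sample Findings, the `Trace` class, `stitch()` and `sample_findings()` are all assumptions made for this illustration.

```python
"""Join data-flow Traces across ServletRequest attribute hand-offs.

Added example, not the post's own utility. A 'setter' Trace is a
Source-to-Sink path whose Sink is request.setAttribute("name", value);
a 'getter' Trace is a path whose Source is request.getAttribute("name").
They are stitched when the attribute-name string literal matches.
"""
import re
from dataclasses import dataclass

# Matches setAttribute("literal" / getAttribute("literal" and captures the literal.
# Calls whose attribute name is a variable cannot be matched and are skipped.
ATTR_RE = re.compile(r'\b(?:set|get)Attribute\(\s*"([^"]+)"')


@dataclass(frozen=True)
class Trace:
    id: str
    steps: tuple          # call sites in flow order: Source first, Sink last


def attribute_name(call_site):
    """Return the string-literal attribute name used in a call site, or None."""
    m = ATTR_RE.search(call_site)
    return m.group(1) if m else None


def stitch(setter_traces, getter_traces, sink_filter=None):
    """Concatenate each setter Trace with every getter Trace sharing its attribute name.

    sink_filter, if given, keeps only joined Traces whose final Sink call site
    contains that substring (case-insensitive), e.g. "print" for XSS sinks.
    """
    getters_by_name = {}
    for g in getter_traces:
        name = attribute_name(g.steps[0])      # getter Source is the first step
        if name is not None:
            getters_by_name.setdefault(name, []).append(g)

    joined = []
    for s in setter_traces:
        name = attribute_name(s.steps[-1])     # setter Sink is the last step
        if name is None:
            continue                           # non-literal name: cannot be stitched
        for g in getters_by_name.get(name, []):
            if sink_filter and sink_filter.lower() not in g.steps[-1].lower():
                continue
            joined.append(Trace(f"{s.id}+{g.id}", s.steps + g.steps))
    return joined


def sample_findings():
    """Constructed sample Findings standing in for two exported .ozasmt sets."""
    setters = [
        Trace("S1", ('LoginServlet.doPost: user = request.getParameter("user")',
                     'LoginServlet.doPost: request.setAttribute("username", user)')),
        Trace("S2", ('SearchServlet.doGet: q = request.getParameter("q")',
                     'SearchServlet.doGet: request.setAttribute("query", q)')),
        Trace("S3", ('ConfigServlet.init: t = props.getProperty("title")',
                     'ConfigServlet.init: request.setAttribute("title", t)')),
        # Attribute name is a variable, so no literal to join on.
        Trace("S4", ('GenericServlet.service: v = request.getParameter(key)',
                     'GenericServlet.service: request.setAttribute(key, v)')),
    ]
    getters = [
        Trace("G1", ('welcome.jsp: name = request.getAttribute("username")',
                     'welcome.jsp: out.print(name)')),
        Trace("G2", ('results.jsp: q = request.getAttribute("query")',
                     'results.jsp: out.print(q)')),
        Trace("G3", ('AuditFilter.doFilter: q = request.getAttribute("query")',
                     'AuditFilter.doFilter: log.info(q)')),
        Trace("G4", ('header.jsp: title = request.getAttribute("title")',
                     'header.jsp: out.print(title)')),
    ]
    return setters, getters


if __name__ == "__main__":
    setters, getters = sample_findings()
    for t in stitch(setters, getters, sink_filter="print"):
        print(t.id)
        for step in t.steps:
            print("   ", step)
```

Running the block prints the three round-trip Traces whose Sink is an out.print() call; the log.info() hand-off for "query" is dropped by the filter, and S4 is never joined because its attribute name is not a literal, which is exactly the kind of flow a reviewer still has to resolve by hand.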
Here are some screenshots of the Tool in action:
Drag and Drop .ozasmt files with Sinks with calls to setAttribute() and Sources with calls to getAttribute()
Once you've clicked on the subtly indicated link...
In the case above, I filtered by "print" to get at the true XSS traces I was looking for...
Below is another nice example of algorithmically 'finding the needle in the haystack'...juicy Findings!!
Questions? Comments? Please send all criticisms (constructive or otherwise) to Jeff Ross.