OWASP LAPSE+ Project
Bruno Motta Rego, bmr@attom.com.br
June 2011
Agenda
• Introduction
• Vulnerabilities Detected
• Goals
• Hands On
• Case
• Challenges
Introduction
• LAPSE+ is an Eclipse plugin for static code analysis that detects untrusted-data injection vulnerabilities in Java EE applications.
• LAPSE+ is inspired by existing lightweight security auditing tools such as FlawFinder.
• Developed by a group at Stanford University.
• GPL software.
Vulnerabilities Detected
• URL Tampering
• Cookie Poisoning
• Parameter Tampering
• Header Manipulation
• Cross-site Scripting (XSS)
• HTTP Response Splitting
• Injections (SQL, Command, XPath, XML, LDAP)
• Path Traversal
Goals
• Practical Understanding
• Challenges
LAPSE+ Installation
• Eclipse Helios: http://www.eclipse.org/downloads/
• LAPSE+ 2.8.1 plugin for Eclipse Helios: http://evalues.es/downloads/owasp/LapsePlus_2.8.1.jar
LAPSE+ Configuration
• Drag and drop: copy the plugin jar into the plugins folder of your Eclipse Helios installation.
LAPSE+ Steps
• Vulnerability Source
• Vulnerability Sink
• Provenance Tracker
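As an added example (not from the slides or the LAPSE+ project), the kind of data flow the three LAPSE+ views trace: a vulnerability source (an HTTP request parameter), a vulnerability sink (SQL query execution), and the provenance path between them, shown as a deliberately vulnerable servlet method beside its hardened form. The servlet class, the `users` table and the `DataSource` wiring are assumptions.

```java
import java.io.IOException;
import java.sql.Connection;
import java.sql.PreparedStatement;
import java.sql.ResultSet;
import java.sql.SQLException;
import java.sql.Statement;
import javax.servlet.ServletException;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.sql.DataSource;

// Hypothetical servlet used to illustrate what LAPSE+ reports.
public class UserLookupServlet extends HttpServlet {
    private DataSource dataSource; // assumed to be configured elsewhere (e.g. JNDI)

    // Vulnerable form: LAPSE+ lists getParameter() under Vulnerability Sources and
    // Statement.executeQuery() under Vulnerability Sinks; the Provenance Tracker
    // follows 'user' -> 'sql' -> executeQuery, a Parameter Tampering / SQL Injection path.
    protected void doGet(HttpServletRequest req, HttpServletResponse resp)
            throws ServletException, IOException {
        String user = req.getParameter("user");                 // SOURCE: untrusted input
        String sql = "SELECT email FROM users WHERE name = '" + user + "'";
        try (Connection c = dataSource.getConnection();
             Statement st = c.createStatement();
             ResultSet rs = st.executeQuery(sql)) {             // SINK: tainted query text
            if (rs.next()) resp.getWriter().println(rs.getString("email"));
        } catch (SQLException e) {
            throw new ServletException(e);
        }
    }

    // Hardened form: the same source, but the value is bound as a parameter, so
    // the query text reaching the sink is a constant and no taint path is reported.
    protected void doPost(HttpServletRequest req, HttpServletResponse resp)
            throws ServletException, IOException {
        String user = req.getParameter("user");                 // still a source
        String sql = "SELECT email FROM users WHERE name = ?";  // constant query text
        try (Connection c = dataSource.getConnection();
             PreparedStatement ps = c.prepareStatement(sql)) {
            ps.setString(1, user);                              // bound, not concatenated
            try (ResultSet rs = ps.executeQuery()) {
                if (rs.next()) resp.getWriter().println(rs.getString("email"));
            }
        } catch (SQLException e) {
            throw new ServletException(e);
        }
    }
}
```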
Challenges
• Requirements
  • Eclipse Helios
  • Java 1.6 or higher
• Support
  • Senior Management
  • Developers approve and use
• LAPSE+ Project
• Throughput down
Software Security Challenge: Total Cost of Development