[Owasp-leaders] Code review for backdoors

John Patrick Lita john.patrick.lita at owasp.org
Thu May 28 19:38:39 UTC 2015


In my experience, this backdoor can perform if the web application is
vulnerable to PHP injection, Cross-Site Scripting, or even in File Upload,
like uploading a photo where you can upload a malicious file.

On Thu, May 28, 2015 at 11:56 AM, Gregory Disney <gregory.disney at owasp.org>
wrote:

> From my experience backdoors come from much more unchecked interpreted
> languages being available, such as python with os and socket libraries
> available. So for the in-the-wild case the usual case is: the system is
> breached, then malicious code is run to maintain access.
>
> On Sat, Apr 4, 2015 at 6:18 AM, Yiannis Pavlosoglou <yiannis at owasp.org>
> wrote:
>
>> This is a very specialised review that you seek guidance on and not a
>> code review per se.
>>
>> A traditional code review has the objective of determining if a
>> vulnerability is present within the code, further to this if the
>> vulnerability is exploitable and under what conditions.
>>
>> A code review for backdoors has the objective to determine if a
>> certain portion of the codebase is carrying code that is unnecessary
>> for the logic and implementation of the use cases it serves.
>>
>> Further to this, the reviewer looks for the trigger points of that
>> logic. From experience in a previous life, typical examples serve as a
>> branch statement going off to a part of assembly or obfuscated code.
>>
>> Please note, the latter has no mention of vulnerability in its method
>> description. There is a whole world of "hybrid code auditing" that
>> DeepSec Vienna saw on how to combine today's rather dumb code tools to
>> spot such patterns. You can see how traditional source-to-sink
>> analysis would fall quite flat on its head here.
>>
>> Maybe a project or two in this as well, for the adventurous and
>> committed.
>>
>> On 11 March 2015 at 21:26, Ali Khalfan <ali.khalfan at owasp.org> wrote:
>> > Looks very helpful, thanks. I'll see if I can come up with a guideline
>> > based on it.
>> >
>> > On 12 March 2015 12:00:08 AM GMT+03:00, Jeff Williams
>> > <jeff.williams at owasp.org> wrote:
>> >>
>> >> You may find some interesting guidance in a paper I did at BlackHat.
>> >> Remember that any vulnerability might be put there on purpose.  So a
>> >> malicious code review has to include a regular code review.
>> >>
>> >>
>> >>
>> >> https://www.blackhat.com/presentations/bh-usa-09/WILLIAMS/BHUSA09-Williams-EnterpriseJavaRootkits-PAPER.pdf
>> >>
>> >> --Jeff
>> >>
>> >> Jeff Williams | CTO
>> >> Contrast Security
>> >> @planetlevel @contrastsec
>> >>
>> >>
>> >>
>> >>
>> >>
>> >> On Wed, Mar 11, 2015 at 1:51 PM -0700, "Ali Khalfan"
>> >> <ali.khalfan at owasp.org> wrote:
>> >>
>> >>> yes,
>> >>>
>> >>> one reason I wanted to set up some sort of guideline is for peer
>> >>> reviewing.  The last thing a developer would want to do is read code they
>> >>> did not create prior to deployment.  So, it would be easier to have a
>> >>> guideline telling the developer what to look for (e.g. hard-coded values,
>> >>> encoded strings, etc.).   Another reason would be for the security reviews
>> >>> and auditors who have tools, but of course tools may detect security
>> >>> weaknesses not backdoors or logic bombs.  Thus, I think giving the reviewers
>> >>> general 'hints' on what to look for would be very helpful.
>> >>>
>> >>>
>> >>> If you have a link or summary of the Cigital session, please do share.
>> >>>
>> >>>
>> >>>
>> >>> Ali
>> >>>
>> >>>
>> >>> On 03/11/2015 10:38 PM, Gary Robinson wrote:
>> >>>
>> >>> Hi Ali,
>> >>>
>> >>> I can confirm the latest version of the code review guide (in progress)
>> >>> doesn't mention intentional backdoors either.  This does tie in with an
>> >>> interesting session Cigital put on last week about developers (in house or
>> >>> 3rd party) being the 'bad guy' inserting vulnerabilities/backdoors.
>> >>>
>> >>> If you have some technical ideas or content let us know.  I've never seen
>> >>> any technical advice on spotting intentional backdoors, however peer source
>> >>> code review (and audit or security reviews) would be the best way of
>> >>> catching this.
>> >>>
>> >>> Gary
>> >>>
>> >>> On Wed, Mar 11, 2015 at 7:06 PM, Azzeddine Ramrami
>> >>> <azzeddine.ramrami at owasp.org> wrote:
>> >>>>
>> >>>> All backdoors exploit security flaws in the apps. A good code review
>> >>>> can detect security flaws in the code.
>> >>>> You can also use a reverse engineering technique or fuzz testing to
>> >>>> detect security bugs in the apps.
>> >>>> Azzeddine
>> >>>>
>> >>>> On Wed, Mar 11, 2015 at 8:02 PM, Aaron Guzman <aaron.guzman at owasp.org>
>> >>>> wrote:
>> >>>>>
>> >>>>> Backdoors are typically at the hardware or embedded level where it's
>> >>>>> harder to locate. Usually ODMs and OEMs fall victim to this. Typically
>> >>>>> because they use “backdoors” for debugging and testing purposes during
>> >>>>> manufacturing. A solution is to test and analyze your code from third
>> >>>>> parties. Whether that's through IDA or other means.
>> >>>>> --
>> >>>>> Aaron G
>> >>>>> OWASP-LA Board Member
>> >>>>> Twitter: @scriptingxss
>> >>>>> Linkedin: http://lnkd.in/bds3MgN
>> >>>>>
>> >>>>> On Mar 11, 2015, at 11:27 AM, psiinon <psiinon at gmail.com> wrote:
>> >>>>>
>> >>>>> How about: "Don't put them in" ??
>> >>>>>
>> >>>>> ;)
>> >>>>>
>> >>>>> On Wed, Mar 11, 2015 at 6:22 PM, Ali Khalfan <ali.khalfan at owasp.org>
>> >>>>> wrote:
>> >>>>>>
>> >>>>>> The OWASP code review guidelines do a great job at looking for
>> >>>>>> vulnerabilities. However, they will not address intentional vulnerabilities
>> >>>>>> such as backdoors and logic bombs.
>> >>>>>>
>> >>>>>> I wanted to establish such a guideline, but I was wondering if there
>> >>>>>> is any reference I could fall back on?
>> >>>>>>
>> >>>>>> Ali
>> >>>>>> --
>> >>>>>> Sent from my Android device with K-9 Mail. Please excuse my brevity.
>> >>>>>> _______________________________________________
>> >>>>>> OWASP-Leaders mailing list
>> >>>>>> OWASP-Leaders at lists.owasp.org
>> >>>>>> https://lists.owasp.org/mailman/listinfo/owasp-leaders
>> >>>>>>
>> >>>>>
>> >>>>>
>> >>>>>
>> >>>>> --
>> >>>>> OWASP ZAP Project leader
>> >>>>>
>> >>>>
>> >>>>
>> >>>>
>> >>>> --
>> >>>> Azzeddine RAMRAMI
>> >>>> +33 6 65 48 90 04.
>> >>>> Enterprise Security Architect
>> >>>> OWASP Leader (Morocco Chapter)
>> >>>> Mozilla Security Projects Mentor
>> >>>>
>> >>>
>> >>>
>> >>>
>> >>>
>> >
>
>
>


-- 
Best Regards
John Patrick Lita
*Chapter Leader OWASP Manila*
FB Page @OwaspManila <https://www.facebook.com/OwaspManila>
https://www.owasp.org/index.php/Manila
https://lists.owasp.org/mailman/listinfo/owasp-manila
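The thread asks for reviewer "hints" that tools do not give: hard-coded values, encoded strings, and trigger points for logic the use cases do not need. As an added example (not code from the list thread, the OWASP Code Review Guide, or any project named above), here is a small heuristic scanner in Python that turns those hints into rules and runs them over a constructed PHP sample. The rule names, the regexes, the `scan()` and `decodes_to_text()` functions and the sample lines are all assumptions of this example; a hit is a prompt for a human reviewer, not proof of a backdoor.

```python
"""Heuristic source scan for the backdoor-review hints discussed in the thread.

Added example; not OWASP code. Every rule is a regex heuristic that flags a
line for a human reviewer, it does not decide that a backdoor is present.
"""
import base64
import re
import string
from dataclasses import dataclass


@dataclass
class Finding:
    line_no: int
    rule: str
    snippet: str


# Each rule is one of the review hints from the thread, turned into a regex:
#   - a credential-like name assigned or compared to a string literal
#   - a request parameter compared to a fixed value (a possible trigger point)
#   - code executed straight from a decoded string (PHP function names assumed)
RULES = [
    ("hard-coded-credential",
     re.compile(r"(?i)(?:passw(?:or)?d|secret|api_?key|token)\w*\s*(?:===?|=|:)\s*['\"][^'\"]{4,}['\"]")),
    ("request-param-magic-trigger",
     re.compile(r"\$_(?:GET|POST|COOKIE|REQUEST|SERVER)\s*\[[^\]]+\]\s*===?\s*['\"][^'\"]+['\"]")),
    ("execute-decoded-string",
     re.compile(r"(?i)\b(?:eval|exec|system|passthru|shell_exec|assert)\s*\(\s*"
                r"(?:base64_decode|gzinflate|gzuncompress|str_rot13|hex2bin)\s*\(")),
]

# A quoted literal of 32 or more base64 characters deserves a look if it
# decodes to readable text: that is the "encoded string" hint from the thread.
BASE64_LITERAL = re.compile(r"['\"]([A-Za-z0-9+/]{32,}={0,2})['\"]")
PRINTABLE = set(string.printable)


def decodes_to_text(blob: str):
    """Return the decoded text if blob is valid base64 for printable ASCII, else None."""
    try:
        text = base64.b64decode(blob, validate=True).decode("ascii")
    except ValueError:  # binascii.Error and UnicodeDecodeError both subclass ValueError
        return None
    return text if text and all(ch in PRINTABLE for ch in text) else None


def scan(source: str) -> list:
    """Run every rule over each line of source and collect findings for a reviewer."""
    findings = []
    for line_no, line in enumerate(source.splitlines(), start=1):
        for name, pattern in RULES:
            if pattern.search(line):
                findings.append(Finding(line_no, name, line.strip()))
        for match in BASE64_LITERAL.finditer(line):
            decoded = decodes_to_text(match.group(1))
            if decoded is not None:
                findings.append(Finding(line_no, "encoded-string", "decodes to: " + decoded[:60]))
    return findings


# Constructed sample (not taken from any real code base): ordinary upload
# handling lines mixed with the patterns the reviewer hints describe.
_ENCODED = base64.b64encode(b'echo "maintenance mode enabled";').decode("ascii")
SAMPLE_PHP = f'''<?php
$allowed = array("jpg", "png", "gif");
$admin_password = "hunter2-static";
if (isset($_GET["debug_key"]) && $_GET["debug_key"] == "maint-2015") {{
    eval(base64_decode("{_ENCODED}"));
}}
$payload = "{_ENCODED}";
echo count($allowed);
'''

if __name__ == "__main__":
    for finding in scan(SAMPLE_PHP):
        print(f"line {finding.line_no}: {finding.rule}: {finding.snippet}")
```

Running the module on the sample reports lines 3, 4, 5 and 7 and stays silent on the benign lines; the decoded preview lets the reviewer judge an encoded literal without copying it into another tool. The rules deliberately match on shape rather than on a known-bad signature, which is what separates this kind of review from the source-to-sink analysis Yiannis describes as falling flat here.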