Showing posts with label java.

Saturday, 5 March 2016

Android Studio for refactoring obscure decompiled code

"It's in Foreign" @thegrugq

A while ago I experimented with using Android Studio to refactor decompiled code.

  1. Export Java sources, from whatever decompiler works 
  2. "Import project" from sources in Android Studio 
  3. Use Shift-Fn-F6 to rename classes, methods etc 
What's best is that Studio (hurray for IntelliJ IDEA) sometimes intelligently estimates the types of variables and offers reasonably meaningful names.


Wednesday, 12 December 2012

Focused code reviews - a followup


I promised something more technical than book reviews, so here it goes.

Earlier I posted about how to limit the amount of code for day-to-day security reviews if the code base is huge. I took Confluence (I work for Atlassian) as an example. The application uses Webworks 2, and other frameworks. Source code is not entirely free or public, but you can get it if you have almost any kind of Confluence license. I will keep some details out of this example.

Here are some things to trigger security reviews on this codebase.

Java generalities

Monitor for these being added; there is no urgent need to review code if any of them get removed by developers. The list in this section is generic Java (and incomplete) and can be used for other apps; the other sections are more Confluence-specific. You might not need to trigger on all of these strings. You can also try the structural search patterns from the IntelliJ IDEA post on this blog.
Class.forName
ZipFile
Statement
Math.random
sendRedirect
"SELECT "
java.sql.Statement
java.sql.Connection
executeQuery
Runtime.
java.lang.Runtime
getRequestURI
java.sql
BeanUtils.setProp
java.lang.reflect
...

Sanitizers

Monitor for disappearance of any sanitisers from your code. There are legitimate reasons for this - for example a sanitiser in a view disappears but the corresponding model starts escaping or filtering data.
htmlEncode
...others skipped...

Filters

Being a Webwork2 webapp, Confluence utilises a number of filters and interceptors. You can get a list of filters your application uses with something like
grep -Rh --include=*.xml "<filter-name" . |sed -e 's/<filter-name>//'|sed -e 's/<\/filter-name>//'|sed -e 's/^[ \t]*//' |sort |uniq
Review the list and decide which ones have important security function. Monitor any change mentioning interceptors (both in web.xml files and for any change of their source)
HeaderSanitisingFilter
SecurityFilter
...
SafeParametersInterceptor
PermissionCheckInterceptor
...

Annotations

Some of these are generic, some are Confluence specific. One way of getting a list of all annotations is
grep -Rh --include=*.java "^\s\+@" . |sed -e 's/^[ \t]*//'  |sort |uniq

Example of what to monitor for (annotation - event that triggers a review):
@AnonymousAllowed - adding
@GET - adding
@POST - adding
@HttpMethodRequired - any change
@ParameterSafe - removal
@Path - adding
@RequireSecurityToken - removal
...

XML config files (new endpoints)

Action mapping etc - they introduce new URL endpoints. Monitor for adding, not removal.
"<action name" 
...

Other XML

Any change mentioning your filters or interceptors in web.xml, for example
<filter-name>header-sanitiser
<filter-name>request-param-cleaner
<filter-name>login
<interceptor-ref name="params"/>
<interceptor-ref name="permissions"/>
<interceptor-ref name="xsrfToken"/>
<interceptor-stack name 
...

Files and path

Look for any change in files used to implement crucial security features - login, session management, authorisation, sanitizers, CSRF protection and so on. 
confluence-core/confluence-webapp/src/main/webapp/WEB-INF/web.xml
confluence-core/confluence/src/etc/standalone/tomcat/web.xml
confluence-core/confluence/src/java/com/atlassian/confluence/security/login/*
confluence-core/confluence/src/java/com/atlassian/confluence/rpc/auth/*
confluence-core/confluence/src/java/com/atlassian/confluence/security/*
...
Monitoring for any web.xml change is probably overkill; you will catch the interesting stuff with the items from the other sections above.
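As an added example (not the post's own tooling), a small Python rule engine that applies the adding/removal/any-change triggers from the sections above to a unified diff. The rule list is a sample drawn from this post's lists, and the diff it runs over is constructed, not a real Confluence commit.

```python
import re

# Trigger rules from the post's lists (a sample, not the full set): the string
# to look for and whether it matters when "add"ed, "remove"d, or on "any" change.
RULES = [
    ("Class.forName", "add"), ("java.lang.Runtime", "add"), ("executeQuery", "add"),
    ("@AnonymousAllowed", "add"), ("@Path", "add"), ("<action name", "add"),
    ("htmlEncode", "remove"), ("@ParameterSafe", "remove"),
    ("@RequireSecurityToken", "remove"),
    ("@HttpMethodRequired", "any"), ("<interceptor-ref name", "any"),
]

# Constructed sample diff in unified format (not a real commit).
SAMPLE_DIFF = """\
--- a/src/java/com/example/PageAction.java
+++ b/src/java/com/example/PageAction.java
@@ -10,3 +10,3 @@
-@RequireSecurityToken
 public class PageAction {
+    Object o = Class.forName(name).newInstance();
     String s = htmlEncode(in);
--- a/src/main/webapp/WEB-INF/web.xml
+++ b/src/main/webapp/WEB-INF/web.xml
@@ -3 +3 @@
-<interceptor-ref name="xsrfToken"/>
+<interceptor-ref name="params"/>
"""

def findings(diff_text):
    """Return (file, kind, trigger) for each added/removed line that trips a rule.
    Context lines (leading space) are ignored: a sanitizer that stays put is fine,
    only its disappearance is a trigger."""
    out, current = [], None
    for line in diff_text.splitlines():
        if line.startswith("+++ "):
            current = re.sub(r"^[ab]/", "", line[4:])  # strip git's a/ b/ prefix
            continue
        if line.startswith("--- ") or line.startswith("@@"):
            continue
        if line.startswith("+"):
            kind = "add"
        elif line.startswith("-"):
            kind = "remove"
        else:
            continue  # context line
        body = line[1:]
        for trigger, direction in RULES:
            if trigger in body and direction in (kind, "any"):
                out.append((current, kind, trigger))
    return out
```

Matching is plain substring, so `@Path` also fires on `@PathParam`; that is acceptable for a review trigger, which only needs to put a human on the change.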

Tuesday, 20 November 2012

Auditing Java code, or IntelliJ IDEA as poor man's Fortify

This Twitter exchange got me to look at IDEA. Below are a few tips and config files that can get you started with using IDEA for manual audits. IMHO the results will be close to what you get from a commercial code scanner, albeit slightly slower :)

IntelliJ features useful for code auditing

  1. "Analyze" ->"Data flow to here" or "Data flow from here" https://www.jetbrains.com/idea/webhelp/analyzing-data-flow.html
  2. "Analyze" -> "Inspect code"(next section below)
  3. All kinds of source navigation - to definition, to usages etc. Shortcuts below.

Custom code inspections

One of the good starting points for the basic concepts of code audits is Chapter 19 of "Web Application Hacker's Handbook" 2ed. You obviously have to have a clue what this security thing is all about; this post is not an audit tutorial.

I've created some custom inspections for IDEA, as its original "Security" set is quite arbitrary and if it targets anything, it is applets, not web apps. My inspection policies are based on the WAHH2E book and are geared towards identifying user input, dodgy file operations and so on.

You can get the policies from https://github.com/agelastic/intellij-code-audit

Installing the inspection policies

Open Options / Inspections. Import the policy you want to use (the full policy may produce a lot of results on very large projects, e.g. full Confluence produces about 2000 results, so I made partial policies as well), check "Share Profile", or you won't be able to use this policy.

Configuring custom code inspections in IDEA
Each of my inspection configs contains a single enabled item - "General"/"Structural Search Inspection" with a number of templates.

TIP: For some reason IntelliJ sometimes ignores the imported policy and as a result you will have no findings. What seems to work is to scan the code with any builtin policy, for example, "Default", and then run the security one. If you do not see the "Inspecting code..." progress window, then analysis did not happen.

Templates will find points in code that are interesting to a security auditor - HTTP parameters, file access, sessions, SQL queries, etc. Then you can use data flow analysis (point 1 in the list above) or simply navigate through the source (below).

Running an analysis

Open "Analyze" / "Inspect code", select the policy, scope etc., run, and check the results. There are various ways of marking things as reviewed - see the "suppress" options in the results pane. They are the same as for any other alerts produced by the code inspection engine.

It may be useful (depending on the kind of finding) to investigate data flow to and from the found input/output point.

IntelliJ's docs for this feature, which in turn uses the very powerful Structural Search & Replace engine, are at https://www.jetbrains.com/idea/webhelp/creating-own-inspections.html

Code navigation shortcuts

These are collected from Stack Overflow posts. They are for Mac OS; Windows shortcuts usually have Ctrl instead of Cmd.

Cmd + Shift + A - opens a window where you can search for GUI commands
Cmd + Alt + Left to get back, Cmd + Alt + Right  to “go forward”
Cmd + B - Go to declaration
Cmd + Alt + B - Go to implementation
Cmd + U - Go to super-method/super-class
Cmd + Alt + F7 - Show usages
Cmd + N - Go to class
Cmd + P - Parameter info
Cmd + F - Find, F3/Shift + F3 - Find next/previous, Ctrl + Shift + F - Find in path
F2/Shift + F2 - Next/previous highlighted error
Cmd + E - recently used files
Ctrl + Shift + Q - Context info
Ctrl + J - Quick documentation

Learning shortcuts

There is a great plugin that will teach you shortcuts fast - Key Promoter. Any time you do something with menus, it will show you what shortcut you could use to achieve the same effect.

Bonus: Code Reviewing Web App Framework Based Applications