Secure Coding mailing list archives
Re: [WEB SECURITY] Re: Backdoors in custom software applications
From: Chris Wysopal <cwysopal () veracode com>
Date: Mon, 20 Dec 2010 11:11:36 -0500
Our black hat presentation describes how to look for many backdoor categories through static analysis.

http://www.veracode.com/images/stories/static-detection-of-backdoors-1.0-blackhat2007-slides.pdf

The Veracode static analysis service implements many of these techniques.

Finding hidden commands and functionality with static analysis is difficult because the correct commands/functionality need to be defined. We discuss a potential way to do this for web apps which is to detect the set of commands and parameters available through the UI and then determine if the app has additional commands in a switch statement or table for instance. You could also look to see if additional parameters in web requests are used by the application's logic that do not show up in the UI. We define these as "invisible" parameters.

-Chris

-----Original Message-----
From: Prasad N Shenoy [mailto:prasad.shenoy () gmail com]
Sent: Friday, December 17, 2010 8:21 PM
To: ivan.arce () coresecurity com
Cc: Secure Coding; websecurity
Subject: Re: [WEB SECURITY] Re: [SC-L] Backdoors in custom software applications

I second that. Mostly pages that do not appear to be reachable from application menus but are only known to the attacker/insider/perp who created the backdoor.

On that note (hope I am not hijacking the thread) are there any automated ways to detect backdoors and logic bombs? Static Analysis anyone?

Sent from my iPhone

On Dec 16, 2010, at 6:01 PM, Ivan Arce <ivan.arce () coresecurity com> wrote:

> On 12/16/2010 05:18 PM, Sebastian Schinzel wrote:
> > Hi all,
> >
> > I am looking for ideas how intentional backdoors in real software applications may look like.
> >
> > Wikipedia already provides a good list of backdoors that were found in software applications:
> > http://en.wikipedia.org/wiki/Backdoor_(computing)
> >
> > Has anyone encountered backdoors during code audits, penetration tests, data breaches? Could you share some details of how the backdoor looked like? I am really interested in a technical and abstract description of the backdoor (e.g. informal descriptions or pseudo-code). Anonymized and off-list replies are also very welcome.
> >
> > Thanks,
> > Sebastian
>
> I'd risk to say that the most common case is simply finding authentication credentials hard-coded in the application (CWE-798)
>
> There is a large list of applications that suffer from this problem, for example:
> http://www.us-cert.gov/cas/techalerts/TA05-224A.html
>
> There are more sophisticated backdoors of course but I think hard-coded credentials is the most common case by far.
>
> -ivan
>
> ----------------------------------------------------------------------------
> Join us on IRC: irc.freenode.net #webappsec
> Have a question? Search The Web Security Mailing List Archives: http://www.webappsec.org/lists/websecurity/archive/
> Subscribe via RSS: http://www.webappsec.org/rss/websecurity.rss [RSS Feed]
> To unsubscribe email websecurity-unsubscribe () webappsec org and reply to the confirmation email
> Join WASC on LinkedIn http://www.linkedin.com/e/gis/83336/4B20E4374DBA
> WASC on Twitter http://twitter.com/wascupdates
_______________________________________________
Secure Coding mailing list (SC-L) SC-L () securecoding org
List information, subscriptions, etc - http://krvw.com/mailman/listinfo/sc-l
List charter available at - http://www.securecoding.org/list/charter.php
SC-L is hosted and moderated by KRvW Associates, LLC (http://www.KRvW.com)
as a free, non-commercial service to the software security community.
Follow KRvW Associates on Twitter at: http://twitter.com/KRvW_Associates
_______________________________________________
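The UI-versus-code comparison described in the message above, sketched as an added example (it is not part of the thread and is not Veracode's implementation): it collects the parameters and command values reachable from the UI markup and reports what the server code reads or handles beyond that set. The HTML, the servlet-style source, and names such as `debug` and `export_all` are constructed for illustration, and the command parameter is assumed to be called `action`.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlsplit, parse_qs

# Constructed sample inputs (not from any real application).
UI_HTML = """
<form action="/account" method="post">
  <input type="text" name="user">
  <select name="action"><option value="view">View</option>
    <option value="update">Update</option></select>
</form>
<a href="/account?action=view&page=2">next</a>
"""
SERVER_SRC = '''
String user = request.getParameter("user");
String action = request.getParameter("action");
String page = request.getParameter("page");
if (request.getParameter("debug") != null) { showDiagnostics(); }
switch (action) { case "view": view(); break; case "update": update(); break; case "export_all": exportAll(); break; }
'''

class UISurface(HTMLParser):
    """Collects parameter names and command values reachable from the UI."""
    def __init__(self, command_param):
        super().__init__()
        self.command_param, self.select = command_param, None
        self.params, self.commands = set(), set()

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag in ("input", "select", "textarea") and a.get("name"):
            self.params.add(a["name"])
            if tag == "select":
                self.select = a["name"]  # remember which field the options belong to
        elif tag == "option" and self.select == self.command_param and a.get("value"):
            self.commands.add(a["value"])
        elif tag == "a" and a.get("href"):
            for name, values in parse_qs(urlsplit(a["href"]).query).items():
                self.params.add(name)
                if name == self.command_param:
                    self.commands.update(values)

def audit(ui_html, server_src, command_param="action"):
    """Return (invisible parameters, commands handled but absent from the UI)."""
    ui = UISurface(command_param)
    ui.feed(ui_html)
    read = set(re.findall(r'getParameter\("([^"]+)"\)', server_src))
    cases = set(re.findall(r'case\s+"([^"]+)"', server_src))
    return sorted(read - ui.params), sorted(cases - ui.commands)
```

Each reported difference is a lead for manual review rather than a finding: parameters set only by client-side script or by non-browser clients will also appear here.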
Current thread:
- Backdoors in custom software applications Sebastian Schinzel (Dec 16)
- Re: Backdoors in custom software applications Jeremy Epstein (Dec 16)
- Re: [WEB SECURITY] Re: Backdoors in custom software applications Chris Wysopal (Dec 17)
- Re: [WEB SECURITY] Re: Backdoors in custom software applications Chris Schmidt (Dec 23)
- Re: [WEB SECURITY] Re: Backdoors in custom software applications Chris Wysopal (Dec 17)
- Message not available
- Re: [WEB SECURITY] Re: Backdoors in custom software applications Prasad N Shenoy (Dec 23)
- Re: [WEB SECURITY] Re: Backdoors in custom software applications Chris Wysopal (Dec 23)
- Re: [WEB SECURITY] Re: Backdoors in custom software applications Prasad N Shenoy (Dec 23)
- Re: Backdoors in custom software applications Jeremy Epstein (Dec 16)
- Re: [WEB SECURITY] Backdoors in custom software applications Arian J. Evans (Dec 23)
- Re: [WEB SECURITY] Backdoors in custom software applications Steven M. Christey (Dec 23)