
AppScan Source for the Developer

Going from “I don't know this” to “wow, it found this vulnerability I didn't believe I had”

Ori Pomerantz
orip@us.ibm.com

Abstract:
In this white paper you learn how to scan your web applications using IBM Security AppScan Source to identify
vulnerabilities.
Table of Contents
1 Introduction
  1.1 Assumptions
2 Installation
  2.1 Obtain the license
  2.2 Install the software
  2.3 Verify the installation
  2.4 Install the Eclipse plug-in
3 Scanning a very simple application
  3.1 Create a simple application to scan
  3.2 Scan the application
  3.3 Interpret the scan
  3.4 How does it work?
4 Manage findings
  4.1 Filter findings
  4.2 Modify findings manually
5 Resources
6 About the author

Table of Figures
Figure 1: The Security Analysis Perspective
Figure 2: WebGoat findings
Figure 3: Filtered WebGoat findings

1 Introduction
In this white paper you learn how to use IBM Security AppScan Source as a developer. This paper
focuses on JEE applications developed in Eclipse. Even if you use a different environment, these
examples should be enough to show you what to do.

1.1 Assumptions
I am going to assume that you are experienced in using Eclipse, or a derived product such as IBM
Rational Application Developer. I am also going to assume that you already have IBM Security
AppScan Enterprise running in your environment, and you just need to install the IBM AppScan Source
software on your own machine.

2 Installation
2.1 Obtain the license
1. Browse to https://licensing.subscribenet.com/control/ibmr/general_content?
partnerContentId=GenerateLicensesHostIDHelp and follow the directions to obtain the host ID
for the license.
2. Provide the host name and host ID to your AppScan administrator. You probably need part
number D0BR3LL, AppScan Source for Remediation, and part number D0BSMLL, the basic
scan permission.
3. Put the license file on your development machine.

2.2 Install the software

1. Download IBM part number CIX0AML, IBM Security AppScan Source for Analysis V9.0
Windows Multilingual (or a later version).
2. Out of the .zip file, run the setup.exe file.
3. Install using the defaults, except for:
1. In “Component Select” select all the client components and none of the server components.
2. When the installation finishes, select Launch IBM Security AppScan License Manager
and click Done.
3. If asked, allow the Java virtual machine to access the Internet.
4. In the wizard, click Import license. Import the license you received from the AppScan
administrator and close the license manager.

2.3 Verify the installation

1. Run the AppScan Source for Analysis icon from the desktop.
2. Log on with the user ID, password, and AppScan Enterprise Server URL provided by the
AppScan administrator.
3. Choose to accept the certificate. Before you do, confirm with the AppScan administrator that the
certificate presented is the one the server is expected to use; the credentials you just typed are sent to
whatever server presents it.

2.4 Install the Eclipse plug-in

Follow the directions at web address
http://www-01.ibm.com/support/knowledgecenter/SSS9LM_9.0.0/com.ibm.rational.appscansrc.install.doc/topics/install_developer_eclipse_35.html?cp=SSS9LM_9.0.0%2F1-2-2-5-0-1
to install the plug-in. This process also installs the necessary prerequisites.
After the installation is over and Eclipse restarts, check that the top menu bar has a Security Analysis option.

3 Scanning a very simple application

As a first exercise, try to scan an extremely simple application.

3.1 Create a simple application to scan

Follow these steps to create a Dynamic Web Project in Eclipse:
1. Click File > New > Dynamic Web Project.
2. Name the project insecure and click Finish.
3. Right-click insecure > WebContent and select New > JSP File.
4. Name the new file index.jsp and click Finish.
5. Type the content from the listing:

<%@ page language="java"
    contentType="text/html; charset=ISO-8859-1"
    pageEncoding="ISO-8859-1"%>
<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN"
    "http://www.w3.org/TR/html4/loose.dtd">
<html>
<body>
<h2>Insecure</h2>
<%-- The request parameter is written into the page without any escaping (deliberately insecure) --%>
Reflected: <%= request.getParameter("reflect") %>
<form>
Reflect next: <input type="text" name="reflect" />
<br />
<button type="submit">Submit</button>
</form>
</body>
</html>

If you'd like, run this application and see that it reflects whatever string you provide, including
JavaScript. This means it is vulnerable to cross-site scripting.

3.2 Scan the application
1. Click Security Analysis > Scan > Scan Projects.
2. Select the project you created and click OK.
3. If you are asked for the AppScan Source installation directory, the default is C:\Program Files
(x86)\IBM\AppScanSource.
4. The scan results appear in the Security Analysis perspective.

3.3 Interpret the scan

The Security Analysis perspective is shown in Figure 1: The Security Analysis Perspective.

Figure 1: The Security Analysis Perspective

By default, the perspective has six panels:

(a) The complete list of findings, data flows that are suspicious in one way or another, sorted by
type, severity, and how likely they are to be a real problem. You can select a line to focus on
that particular subset.
(b) The list of currently selected findings, based on the subset selected in (a). You can select a line
to focus on that particular finding.
(c) A detailed explanation of the vulnerability type, including examples of how to solve it.
(d) A graphical trace of the dangerous data flow currently selected in (b).
(e) The file that contains the finding.
(f) All the files in the workspace.

3.4 How does it work?

The main method AppScan Source uses to identify dangers is taint analysis. The scanner has a list
of sources, methods that return input that could be dangerous. For example, any value supplied by the
user is considered tainted, that is, potentially dangerous information. This data is tracked through the
source code to see what else it can affect. If it gets copied to a dangerous sink, a method that could
cause damage when given bad input, then the data flow is considered a vulnerability.
For example, consider this part of index.jsp:

<%= request.getParameter("reflect") %>

The data source here is request.getParameter(<name>). This method returns a request parameter,
which the user supplies in the HTTP request (in the query string, or in the body of a form POST; the
form above has no method attribute, so it submits a GET). This means that the value is tainted and
potentially dangerous.
The JSP construct <%= ... %> evaluates the expression in the ellipsis (...) and writes the result into the
HTML sent back to the user. This is a dangerous sink, because output that is not escaped allows cross-site
scripting. You can see this data flow, from getParameter() to print(), in the trace in Figure 1: The
Security Analysis Perspective, panel (d).
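To make the source, propagation and sink mechanism above concrete, and to show why the cross-site scripting finding from section 3.1 disappears once the parameter is escaped, here is a toy taint analysis. It is an added example and not AppScan Source code: the statement encoding, the source and sink lists, and the escapeHtml sanitizer are assumptions chosen for illustration, and the three programs are constructed by hand to stand in for what the JSP compiler would generate. It goes one step beyond the paragraph by recording which vulnerability type a sanitizer covers, so HTML escaping applied to data that ends up in a SQL query is still reported.

```python
# Toy intra-procedural taint analysis, in the spirit of section 3.4.
# Added example, not AppScan Source code. The source, sink and sanitizer
# names are assumptions; "escapeHtml" is a hypothetical helper.

# Methods whose return values are attacker-controlled.
SOURCES = {"request.getParameter", "request.getHeader", "request.getQueryString"}
# Sanitizers and the vulnerability type each one neutralises. Escaping for
# the wrong sink does not help, so the type matters.
SANITIZERS = {"escapeHtml": {"Cross-Site Scripting"}}
# Dangerous sinks and the vulnerability type reported when taint reaches them.
SINKS = {"out.print": "Cross-Site Scripting",
         "statement.executeQuery": "SQL Injection"}

# Expressions: ("const", text), ("var", name), ("call", method, [args]),
# ("concat", [parts]). Statements: ("assign", var, expr), ("sink", method, expr).


def taint_of(expr, env):
    """Return {"trace": [...], "safe_for": set()} for a tainted expr, else None."""
    kind = expr[0]
    if kind == "const":
        return None
    if kind == "var":
        return env.get(expr[1])
    if kind == "concat":
        parts = [t for t in (taint_of(p, env) for p in expr[1]) if t is not None]
        if not parts:
            return None
        # One tainted piece taints the whole string; the result is only safe
        # for the sinks that every tainted piece was sanitized for.
        safe = set.intersection(*(p["safe_for"] for p in parts))
        return {"trace": list(parts[0]["trace"]), "safe_for": safe}
    if kind == "call":
        method, args = expr[1], expr[2]
        if method in SOURCES:
            return {"trace": [f"source {method}"], "safe_for": set()}
        arg_taints = [t for t in (taint_of(a, env) for a in args) if t is not None]
        if not arg_taints:
            return None
        t = arg_taints[0]
        if method in SANITIZERS:
            return {"trace": t["trace"] + [f"sanitized by {method}()"],
                    "safe_for": t["safe_for"] | SANITIZERS[method]}
        # An unknown method could undo earlier sanitizing (think of URL
        # decoding), so the taint is propagated and the safety is dropped.
        # A real scanner carries propagation rules for known library methods.
        return {"trace": t["trace"] + [f"through {method}()"], "safe_for": set()}
    raise ValueError(f"unknown expression kind {kind!r}")


def analyze(program):
    """Run the statements in order and return the list of findings."""
    env = {}          # variable name -> taint record, or None when clean
    findings = []
    for stmt in program:
        if stmt[0] == "assign":
            _, var, expr = stmt
            t = taint_of(expr, env)
            env[var] = None if t is None else {
                "trace": t["trace"] + [f"assigned to {var}"],
                "safe_for": set(t["safe_for"])}
        elif stmt[0] == "sink":
            _, method, expr = stmt
            t = taint_of(expr, env)
            vuln = SINKS[method]
            if t is not None and vuln not in t["safe_for"]:
                findings.append({"type": vuln, "sink": method,
                                 "trace": t["trace"] + [f"sink {method}()"]})
        else:
            raise ValueError(f"unknown statement {stmt!r}")
    return findings


# Constructed programs, roughly what the JSP compiler generates for index.jsp.
INDEX_JSP = [
    ("assign", "reflect", ("call", "request.getParameter", [("const", "reflect")])),
    ("sink", "out.print", ("concat", [("const", "Reflected: "), ("var", "reflect")])),
]
# The same page with the parameter HTML-escaped before it is printed.
FIXED_JSP = [
    ("assign", "reflect", ("call", "request.getParameter", [("const", "reflect")])),
    ("assign", "safe", ("call", "escapeHtml", [("var", "reflect")])),
    ("sink", "out.print", ("concat", [("const", "Reflected: "), ("var", "safe")])),
]
# HTML escaping applied to data that ends up in a SQL query: still a finding.
LOGIN_WRONG_FIX = [
    ("assign", "user", ("call", "request.getParameter", [("const", "user")])),
    ("assign", "safe", ("call", "escapeHtml", [("var", "user")])),
    ("assign", "query", ("concat", [("const", "SELECT * FROM users WHERE name='"),
                                    ("var", "safe"), ("const", "'")])),
    ("sink", "statement.executeQuery", ("var", "query")),
]

if __name__ == "__main__":
    for name, program in [("index.jsp", INDEX_JSP), ("fixed page", FIXED_JSP),
                          ("login with the wrong fix", LOGIN_WRONG_FIX)]:
        found = analyze(program)
        print(f"== {name}: {len(found)} finding(s)")
        for f in found:
            print(f"  {f['type']} via {f['sink']}: " + " -> ".join(f["trace"]))
```

The trace attached to each finding is the same information panel (d) draws as a graph: where the tainted value entered, every variable it passed through, and the sink it reached. Real scanners also follow taint across method calls and into libraries, which is why the product ships with its own source, sink and propagation rules rather than the handful of names used here.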

4 Manage findings
Real applications typically have many findings. For example, the scan of WebGoat shown in Figure 2:
WebGoat findings has 29 findings, of various severity levels (the likely damage) and classifications
(how sure the scanner is that the finding is a real vulnerability).

Figure 2: WebGoat findings

4.1 Filter findings

Unless you have enough time to fix everything, you need to prioritize. So the next step is to filter to see
only those findings that are high severity and are definitely vulnerabilities:
1. Click the Filter Editor tab, in the same panel as the remediation assistance.
2. Expand Severity and clear all the options other than High.
3. Expand Classification and clear all the options other than Definite.
4. See that the number of findings is reduced. Out of the 29 findings in Figure 2: WebGoat
findings, only eight are left in Figure 3: Filtered WebGoat findings.

Figure 3: Filtered WebGoat findings

4.2 Modify findings manually

After investigating, you may decide that some of the findings are not as severe as IBM AppScan Source
thought, or that they are not a real problem. In that case, right-click the finding in the list (on the right
side of the findings tab). You can change its vulnerability type, change its severity, exclude the finding,
or add a note to it. You can also bundle findings to assign a group of related findings to somebody.

5 Resources
You can learn more about IBM Security AppScan Source from IBM's web site or the product
documentation.
To learn how to filter results and what the different classifications mean, see the user guide, especially
chapter 5 Triage and Analysis.
There is a good article about the process to use the scanner on developerWorks.
Visit the security on developerWorks blog for announcements of new security articles, how-to guides,
and demonstration videos.
Visit the IBM developerWorks security zone for more articles about AppScan Enterprise and other
security topics.
Sign up for the developerWorks security newsletter and other topical newsletters from developerWorks.
Follow @dwSecurity on Twitter.

6 About the author

Ori Pomerantz has been securing computer networks and teaching other people how he does it since
1995. Since joining IBM in 2003, he has written and taught classes on several IBM Security products,
including the IBM Security AppScan product family.

6.1 Acknowledgements
I would like to thank Nicholas Chop for his valuable input. Any remaining mistakes are my own fault.
