Static Analysis for Dynamic Assessments Greg Patton | September 2014
Dec 22, 2015
Agenda
• Introduction
• Background & observations
• Static analysis for dynamic assessments
– RIPSA tool
• Takeaways
Introduction
Greg Patton, Mobile Delivery Manager, HP Fortify on Demand
• Work on Fortify on Demand team
• Web & mobile dynamic application testing
• Attended first OWASP meeting on June 5, 2007 (Houston, TX)
Common dynamic challenges
• Lack of complete security assessments
– Few conduct static and dynamic assessments in concert
• Client-side false negatives
– Dynamic tools and tests miss stuff
• “No source code available”
– Dynamic testers rarely receive source code
A possible solution
Use static tools during dynamic assessments
Deeper analysis of JavaScript, HTML, XML, and other client-side files
RIPSA
• Accepts XML from Burp
– Target Site Map
– Proxy History
• Parses and saves responses as individual files on tester’s machine
• Output files can be scanned with static tools and manually audited
#Winning
Reduces potential false negatives by increasing breadth of dynamic web assessments
Utilizes information from Burp Suite that dynamic testers already collect
Pairs part of a static assessment with a full dynamic web assessment
#Winning
• Static tools
– Fortify SCA, FxCop, JSHint, etc.
• JavaScript analysis
– DOM based XSS
• Silverlight analysis
• Gather and group files
– .dll files for disassembly
– .pdf files for strings analysis
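An added illustration of the RIPSA workflow described above (parse a Burp export, save each response as a file, group files by type for static tools); this is example code written for this page, not Greg Patton's tool. It assumes Burp's XML item export layout, with a `<url>` element and a base64-encoded `<response>` element per item, and the per-extension output folders are an invented convention.

```python
import base64
import os
import re
import tempfile
import xml.etree.ElementTree as ET
from urllib.parse import urlparse

def response_body(raw: bytes) -> bytes:
    """Drop the status line and headers; only the body gets scanned."""
    _, sep, body = raw.partition(b"\r\n\r\n")
    return body if sep else raw

def safe_name(url: str, index: int) -> str:
    """Filesystem-safe name that keeps the URL's extension so tools can pick files up by type."""
    base = os.path.basename(urlparse(url).path) or "index.html"
    return f"{index:04d}_" + re.sub(r"[^A-Za-z0-9._-]", "_", base)[:100]

def export_responses(xml_text: str, out_dir: str) -> list:
    """Parse a Burp XML item export (assumed layout: <item><url/><response base64="true"/>)
    and write each response body to out_dir/<ext>/; returns the written paths."""
    written = []
    for i, item in enumerate(ET.fromstring(xml_text).iter("item")):
        resp = item.find("response")
        if resp is None or not (resp.text or "").strip():
            continue  # request-only entries have nothing to scan
        text = resp.text.strip()
        raw = base64.b64decode(text) if resp.get("base64") == "true" else text.encode("utf-8")
        name = safe_name((item.findtext("url") or "").strip(), i)
        ext = os.path.splitext(name)[1].lstrip(".").lower() or "noext"
        folder = os.path.join(out_dir, ext)  # group by type: js/, html/, dll/, pdf/ ...
        os.makedirs(folder, exist_ok=True)
        dest = os.path.join(folder, name)
        with open(dest, "wb") as fh:
            fh.write(response_body(raw))
        written.append(dest)
    return written

# Constructed sample export: one script and one HTML page, base64-encoded like Burp's export.
def _b64(s: str) -> str:
    return base64.b64encode(s.encode()).decode()
JS_RESP = "HTTP/1.1 200 OK\r\nContent-Type: application/javascript\r\n\r\nvar q = location.hash;"
HTML_RESP = "HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n\r\n<html><body>hi</body></html>"
SAMPLE_XML = f"""<items>
<item><url><![CDATA[https://app.example.test/js/app.js?v=3]]></url><response base64="true">{_b64(JS_RESP)}</response></item>
<item><url><![CDATA[https://app.example.test/]]></url><response base64="true">{_b64(HTML_RESP)}</response></item>
</items>"""

def demo() -> list:
    """Write the sample export into a fresh temp directory and return the file paths."""
    return export_responses(SAMPLE_XML, tempfile.mkdtemp(prefix="ripsa_"))
```

Point JSHint or another static tool at the resulting `js/` folder to audit the saved scripts; `.dll` and `.pdf` responses land in their own folders for disassembly or strings analysis.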
Takeaways
Embrace static
• Use static tools and techniques to dig deeper into client-side & DOM results
– Use automated static tools
– Disassemble and decompile Java, Silverlight, Flash, etc.
• Use static information to assist with content discovery
– Map application
– Identify files and targets
Call to the community
• ZAP extensions
– Save responses as local files?
– Static scanning signatures?
• Other ideas?