CAST Management Studio - Information - User Input Security - How to blackbox a method

Purpose

When the source code of an application is analyzed within a defined analysis scope, some of the code is analyzed and the rest is not: it is treated as external code.

External code is unknown to the analyzer and cannot be accessed by it, so the User Input Security feature does not take it into account. Security problems that pass through this external code would therefore normally not be detected at all.

To resolve this problem, CAST introduced the notion of blackbox methods.

Applicable in CAST Version

Release    Yes/No
8.3.x      Yes
8.2.x      Yes
8.1.x      Yes
8.0.x      Yes
7.3.x      Yes

Applicable RDBMS

RDBMS                   Yes/No
Oracle Server           Yes
Microsoft SQL Server    Yes
CSS2                    Yes

Blackbox a method

Blackboxes are XML files that provide an implementation for methods that have no source code. Create one XML file, for example "My_blackbox.blackbox.xml" (a single file can hold all the methods you want to blackbox), and save it under Cast_flat\configuration\blackboxes\<YourTechnology>.

  • Copy and paste the following code:
<?xml version="1.0" encoding="utf-8"?>
<BlackBox name="My_blackbox" xmlns="http://tempuri.org/BlackBoxes.xsd">
</BlackBox>


  • Identify the method that triggers the following error in SecurityAnalyzer.log.secondary, for example:
INFO: No Implementation found for method "org.owasp.esapi.Encoder.encodeForJavaScript(java.lang.String)"
  • Add the class and the signature of the method to the blackbox. For our example the signature is encodeForJavaScript(java.lang.String) and the class is org.owasp.esapi.Encoder, so the blackbox file looks like this:
<?xml version="1.0" encoding="utf-8"?>
<BlackBox name="My_blackbox" xmlns="http://tempuri.org/BlackBoxes.xsd">
    <Class id="1" mangling="org.owasp.esapi.Encoder">
        <Methods>
            <Method signature="encodeForJavaScript(java.lang.String)">

            </Method>
        </Methods>
    </Class>
</BlackBox>
  • Write the body of the blackbox. The body depends on the semantics you want to give the method and on its number of parameters. For our example, if the method is a sanitization method with one parameter, the blackbox looks like this:
<?xml version="1.0" encoding="utf-8"?>
<BlackBox name="My_blackbox" xmlns="http://tempuri.org/BlackBoxes.xsd">
    <Class id="1" mangling="org.owasp.esapi.Encoder">
        <Methods>
            <Method signature="encodeForJavaScript(java.lang.String)">
                <Flow source="1" sink="0" mode="assign" />
                <Flow source="0" sink="-1" mode="assign" />
            </Method>
        </Methods>
    </Class>
</BlackBox>

In the general case, the blackbox of your method takes the form of one of the following patterns, assuming the method has n parameters, numbered 1 to n:

  1. If the method is a sanitization method:

    <Flow source="1" mode="clear" />
    ...
    <Flow source="n" mode="clear" />
    <Flow source="0" sink="-1" mode="assign" />

  2. If the method is a collection "add" method:

    <Flow source="1" sink="0" mode="alternative" />
    ...
    <Flow source="n" sink="0" mode="alternative" />
    <Flow source="0" sink="-1" mode="assign" />

  3. If the method is a collection "get" method:

    <Flow source="0" sink="-1" mode="assign" />

  4. If the method is a tainted method:

    <Flow caller="[cast#lib]Network.read" sink="-1" mode="receive" />

  5. If the method is an SQL injection sink:

    <Flow source="0" callee="[cast#lib]Database.write" mode="send" />
    <Flow source="1" callee="[cast#lib]Database.write" mode="send" />

  6. If the method is a path manipulation sink:

    <Flow source="1" callee="[cast#lib]File.open" mode="send" />
    ...
    <Flow source="n" callee="[cast#lib]File.open" mode="send" />
    <Flow source="1" sink="0" mode="alternative" />
    ...
    <Flow source="n" sink="0" mode="alternative" />
    <Flow source="0" sink="-1" mode="assign" />

  7. If the method is an LDAP sink:

    <Flow source="1" callee="[cast#lib]LDAP.filter" mode="send" />
    ...
    <Flow source="n" callee="[cast#lib]LDAP.filter" mode="send" />

  8. If the method is a log forging sink:

    <Flow source="1" callee="[cast#lib]Log.write" mode="send" />
    ...
    <Flow source="n" callee="[cast#lib]Log.write" mode="send" />

  9. If the method is a cross-site scripting method with no parameters:

    <Flow sink="-1" token="[cast#unsafe]cast#unsafe.returnType" mode="loadToken" />

  10. If the method is a cross-site scripting sink with parameters:

    <Flow source="1" callee="[cast#lib]Network.write" mode="send" />
    ...
    <Flow source="n" callee="[cast#lib]Network.write" mode="send" />

  11. If the method is an XPath injection sink:

    <Flow source="0" callee="[cast#lib]XPath.write" mode="send" />
    <Flow source="1" callee="[cast#lib]XPath.write" mode="send" />

  12. If the method is a format injection sink:

    <Flow source="1" callee="[cast#lib]String.format" mode="send" />
    ...
    <Flow source="n" callee="[cast#lib]String.format" mode="send" />

  13. If the method is a command injection sink:

    <Flow source="0" callee="[cast#lib]Runtime.exec" mode="send" />
    <Flow source="1" callee="[cast#lib]Runtime.exec" mode="send" />
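The steps above (reading the log, adding the class and signature, writing the flows) and the pattern list can be scripted. The following Python script is an added example, not CAST's own code or tooling: it extracts the class mangling and the signature from "No Implementation found" lines, emits a blackbox file whose <Flow> elements follow the chosen pattern for a method with n parameters, and parses the result back to confirm it is well-formed XML, which catches the mismatched </Methods> tag that a hand-edited file can easily contain. The log lines, the pattern assigned to each method and the BROKEN_SNIPPET fragment are constructed for the example; the pattern names (sanitization, collection_add, ...) are labels of my own; and reading source/sink 0 as the receiver and -1 as the return value is my interpretation of the patterns, not something the page states.

```python
import re
import xml.etree.ElementTree as ET

NS = "http://tempuri.org/BlackBoxes.xsd"
# The "No Implementation found" line as reported in SecurityAnalyzer.log.secondary.
NO_IMPL_RE = re.compile(r'No Implementation found for method "(?P<qualified>[^"]+)"')

# Constructed sample log excerpt (not real analyzer output).
SAMPLE_LOG = """\
INFO: No Implementation found for method "org.owasp.esapi.Encoder.encodeForJavaScript(java.lang.String)"
INFO: Analysis of file Account.java done
INFO: No Implementation found for method "java.util.List.add(java.lang.Object)"
INFO: No Implementation found for method "java.util.List.get(int)"
"""
# Constructed hand-written fragment reproducing the stray </Methods> open tag.
BROKEN_SNIPPET = """<BlackBox name="My_blackbox" xmlns="http://tempuri.org/BlackBoxes.xsd">
<Class id="1" mangling="org.owasp.esapi.Encoder"></Methods>
<Method signature="encodeForJavaScript(java.lang.String)" /></Methods></Class></BlackBox>"""

def count_params(params):
    """Count the parameters in a Java parameter list, ignoring commas nested inside <...>."""
    n, depth = (1 if params else 0), 0
    for ch in params:
        depth += (ch == "<") - (ch == ">")
        n += ch == "," and depth == 0
    return n

def parse_missing_methods(log_text):
    """Return (class_mangling, signature, parameter_count) for each unimplemented method."""
    found = []
    for m in NO_IMPL_RE.finditer(log_text):
        name_part, _, params = m.group("qualified").partition("(")
        cls, _, method = name_part.rpartition(".")
        params = params.rstrip(")")
        found.append((cls, f"{method}({params})", count_params(params)))
    return found

# Flow attributes for the page's patterns. Assumption (my reading of the patterns,
# not stated on the page): 0 is the receiver, -1 the return value, 1..n the parameters.
RETURN_RECEIVER = {"source": "0", "sink": "-1", "mode": "assign"}
PER_PARAM_SINKS = {  # patterns 6, 7, 8, 10, 12: every parameter is sent to the library sink
    "path_manipulation": "[cast#lib]File.open", "ldap": "[cast#lib]LDAP.filter",
    "log_forging": "[cast#lib]Log.write", "xss": "[cast#lib]Network.write",
    "format_injection": "[cast#lib]String.format",
}
RECEIVER_AND_FIRST_SINKS = {  # patterns 5, 11, 13: the receiver and the first parameter are sent
    "sql_injection": "[cast#lib]Database.write", "xpath_injection": "[cast#lib]XPath.write",
    "command_injection": "[cast#lib]Runtime.exec",
}

def pattern_flows(kind, n):
    """Return the <Flow> attribute dicts for pattern `kind` applied to a method with n parameters."""
    params = [str(i) for i in range(1, n + 1)]
    if kind == "sanitization":
        return [{"source": p, "mode": "clear"} for p in params] + [dict(RETURN_RECEIVER)]
    if kind == "collection_add":
        return [{"source": p, "sink": "0", "mode": "alternative"} for p in params] + [dict(RETURN_RECEIVER)]
    if kind == "collection_get":
        return [dict(RETURN_RECEIVER)]
    if kind == "tainted":
        return [{"caller": "[cast#lib]Network.read", "sink": "-1", "mode": "receive"}]
    if kind == "xss_no_params":
        return [{"sink": "-1", "token": "[cast#unsafe]cast#unsafe.returnType", "mode": "loadToken"}]
    if kind in PER_PARAM_SINKS:
        flows = [{"source": p, "callee": PER_PARAM_SINKS[kind], "mode": "send"} for p in params]
        if kind == "path_manipulation":  # pattern 6 also propagates every parameter to the receiver
            flows += [{"source": p, "sink": "0", "mode": "alternative"} for p in params]
            flows.append(dict(RETURN_RECEIVER))
        return flows
    if kind in RECEIVER_AND_FIRST_SINKS:
        return [{"source": s, "callee": RECEIVER_AND_FIRST_SINKS[kind], "mode": "send"} for s in ("0", "1")]
    raise ValueError(f"unknown blackbox pattern: {kind}")

def build_blackbox(name, entries):
    """entries: (class_mangling, signature, kind, parameter_count) tuples. Returns the XML text."""
    root = ET.Element("BlackBox", {"name": name, "xmlns": NS})
    methods_by_class = {}
    for cls, signature, kind, n in entries:
        if cls not in methods_by_class:  # one <Class> per mangling, ids numbered from 1
            class_el = ET.SubElement(root, "Class", {"id": str(len(methods_by_class) + 1), "mangling": cls})
            methods_by_class[cls] = ET.SubElement(class_el, "Methods")
        method_el = ET.SubElement(methods_by_class[cls], "Method", {"signature": signature})
        for attrs in pattern_flows(kind, n):
            ET.SubElement(method_el, "Flow", attrs)
    ET.indent(root, space="    ")
    return '<?xml version="1.0" encoding="utf-8"?>\n' + ET.tostring(root, encoding="unicode") + "\n"

def blackbox_summary(xml_text):
    """Parse a blackbox file and count its elements; None if the text is not well-formed XML."""
    try:
        root = ET.fromstring(xml_text)
    except ET.ParseError:
        return None
    count = lambda tag: sum(1 for _ in root.iter(f"{{{NS}}}{tag}"))
    return {"classes": count("Class"), "methods": count("Method"), "flows": count("Flow")}

if __name__ == "__main__":  # constructed pattern choice per method; the log alone cannot decide it
    kinds = {"encodeForJavaScript": "sanitization", "add": "collection_add", "get": "collection_get"}
    print(build_blackbox("My_blackbox", [(c, s, kinds[s.partition("(")[0]], n) for c, s, n in parse_missing_methods(SAMPLE_LOG)]))
```

The script prints the generated file and writes nothing to disk; save its output as My_blackbox.blackbox.xml under the blackboxes folder yourself. Parsing the file back with a standard XML parser, as blackbox_summary does, is a cheap check to run before launching an analysis: the page's own hand-written example shows how easily a closing tag slips in where an opening one belongs.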