Our black hat presentation describes how to look for many backdoor categories through static analysis.
http://www.veracode.com/images/stories/static-detection-of-backdoors-1.0-blackhat2007-slides.pdf The Veracode static analysis service implements many of these techniques. Finding hidden commands and functionality with static analysis is difficult because the correct commands/functionality needs to be defined. We discuss a potential way to do this for web apps which is to detect the set of commands and parameters available through the UI and then determine if the app has additional commands in a switch statement or table for instance. You could also look to see if additional parameters in web requests are used by the applications logic that do not show up in the UI. We define these as "invisible" parameters. -Chris -----Original Message----- From: Prasad N Shenoy [mailto:prasad.she...@gmail.com] Sent: Friday, December 17, 2010 8:21 PM To: ivan.a...@coresecurity.com Cc: Secure Coding; websecurity Subject: Re: [WEB SECURITY] Re: [SC-L] Backdoors in custom software applications I second that. Mostly pages that do not appear to be reachable from application menus but are only know to the attacker/insider/perp who created the backdoor. On that note ( hope I am not hijacking the thread) are there any automated ways to detect backdoors and logic bombs? Static Analysis anyone? Sent from my iPhone On Dec 16, 2010, at 6:01 PM, Ivan Arce <ivan.a...@coresecurity.com> wrote: > On 12/16/2010 05:18 PM, Sebastian Schinzel wrote: >> Hi all, >> >> I am looking for ideas how intentional backdoors in real software >> applications may look like. >> >> Wikipedia already provides a good list of backdoors that were found >> in software applications: >> http://en.wikipedia.org/wiki/Backdoor_(computing) >> >> Has anyone encountered backdoors during code audits, penetration tests, data >> breaches? >> Could you share some details of how the backdoor looked like? I am >> really interested in a technical and abstract description of the backdoor >> (e.g. informal descriptions or pseudo-code). >> Anonymized and off-list replies are also very welcome. >> >> Thanks, >> Sebastian > > I'd risk to say that the most common case is simply finding > authentication credentials hard-coded in the application (CWE-798) > > There is a large list of applications that suffer from this problem, > for > example: > > http://www.us-cert.gov/cas/techalerts/TA05-224A.html > > There are more sophisticated backdoors of course but I think > hard-coded credentials is the most common case by far. > > -ivan > > ---------------------------------------------------------------------- > ------ Join us on IRC: irc.freenode.net #webappsec > > Have a question? Search The Web Security Mailing List Archives: > http://www.webappsec.org/lists/websecurity/archive/ > > Subscribe via RSS: > http://www.webappsec.org/rss/websecurity.rss [RSS Feed] > > To unsubscribe email websecurity-unsubscr...@webappsec.org and reply > to the confirmation email > > Join WASC on LinkedIn > http://www.linkedin.com/e/gis/83336/4B20E4374DBA > > WASC on Twitter > http://twitter.com/wascupdates > ---------------------------------------------------------------------------- Join us on IRC: irc.freenode.net #webappsec Have a question? Search The Web Security Mailing List Archives: http://www.webappsec.org/lists/websecurity/archive/ Subscribe via RSS: http://www.webappsec.org/rss/websecurity.rss [RSS Feed] To unsubscribe email websecurity-unsubscr...@webappsec.org and reply to the confirmation email Join WASC on LinkedIn http://www.linkedin.com/e/gis/83336/4B20E4374DBA WASC on Twitter http://twitter.com/wascupdates _______________________________________________ Secure Coding mailing list (SC-L) SC-L@securecoding.org List information, subscriptions, etc - http://krvw.com/mailman/listinfo/sc-l List charter available at - http://www.securecoding.org/list/charter.php SC-L is hosted and moderated by KRvW Associates, LLC (http://www.KRvW.com) as a free, non-commercial service to the software security community. Follow KRvW Associates on Twitter at: http://twitter.com/KRvW_Associates _______________________________________________
