Our Black Hat presentation describes how to look for many backdoor categories 
through static analysis.

http://www.veracode.com/images/stories/static-detection-of-backdoors-1.0-blackhat2007-slides.pdf

The Veracode static analysis service implements many of these techniques.  
Finding hidden commands and functionality with static analysis is difficult 
because the correct commands/functionality needs to be defined.  We discuss a 
potential way to do this for web apps which is to detect the set of commands 
and parameters available through the UI and then determine if the app has 
additional commands in a switch statement or table for instance.  You could 
also look to see if additional parameters in web requests are used by the 
application's logic that do not show up in the UI.  We define these as 
"invisible" parameters.

-Chris
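One way to implement the "invisible parameter" check described above, as an added example that is not part of the original message or of the Veracode service: collect the field names the UI's form markup offers, collect the string-literal keys the handler reads from the request (Flask-style `request.form` / `request.args` access is assumed), and report the difference. Both inputs are constructed samples for a hypothetical app.

```python
import ast
from html.parser import HTMLParser

# Constructed sample UI markup (hypothetical app): the only controls the UI offers.
UI_HTML = """<form action="/account" method="post">
  <input type="text" name="username"> <input type="password" name="password">
  <select name="action"><option>view</option><option>edit</option></select>
</form>"""
# Constructed sample handler source; it reads two parameters the UI never exposes.
HANDLER_SRC = """
def account(request):
    user = request.form.get("username")
    action = request.form["action"]
    if request.form.get("debug_token") == "letmein":
        grant_admin(user)
    if request.args.get("impersonate"):
        user = request.args["impersonate"]
    return render(user, action)
"""

class FormFieldCollector(HTMLParser):  # collects name= of every form control
    def __init__(self):
        super().__init__()
        self.fields = set()
    def handle_starttag(self, tag, attrs):
        if tag in ("input", "select", "textarea", "button"):
            self.fields.update(v for k, v in attrs if k == "name" and v)

def ui_parameters(html):
    parser = FormFieldCollector()
    parser.feed(html)
    return parser.fields

def _is_request_container(node):
    # Matches request.form / request.args (Flask-style access, assumed here).
    return (isinstance(node, ast.Attribute) and node.attr in ("form", "args")
            and isinstance(node.value, ast.Name) and node.value.id == "request")

def code_parameters(src):
    """String-literal keys read via request.<c>.get("k") or request.<c>["k"]."""
    found = set()
    for node in ast.walk(ast.parse(src)):
        if (isinstance(node, ast.Call) and isinstance(node.func, ast.Attribute)
                and node.func.attr == "get" and _is_request_container(node.func.value)
                and node.args and isinstance(node.args[0], ast.Constant)):
            found.add(node.args[0].value)
        elif (isinstance(node, ast.Subscript) and _is_request_container(node.value)
                and isinstance(node.slice, ast.Constant)):
            found.add(node.slice.value)
    return found

def invisible_parameters(html, src):  # consumed by code, supplied by no UI control
    return code_parameters(src) - ui_parameters(html)
```

Each reported name is a candidate for manual review, not a verdict: parameters set by JavaScript or by other pages will also show up, so the UI side of the comparison must cover every way the legitimate client can populate a request.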



-----Original Message-----
From: Prasad N Shenoy [mailto:prasad.she...@gmail.com] 
Sent: Friday, December 17, 2010 8:21 PM
To: ivan.a...@coresecurity.com
Cc: Secure Coding; websecurity
Subject: Re: [WEB SECURITY] Re: [SC-L] Backdoors in custom software applications

I second that. Mostly pages that do not appear to be reachable from application 
menus but are only known to the attacker/insider/perp who created the backdoor.

On that note (hope I am not hijacking the thread) are there any automated ways 
to detect backdoors and logic bombs? Static Analysis anyone?

Sent from my iPhone

On Dec 16, 2010, at 6:01 PM, Ivan Arce <ivan.a...@coresecurity.com> wrote:

> On 12/16/2010 05:18 PM, Sebastian Schinzel wrote:
>> Hi all,
>> 
>> I am looking for ideas of what intentional backdoors in real software 
>> applications may look like.
>> 
>> Wikipedia already provides a good list of backdoors that were found 
>> in software applications: 
>> http://en.wikipedia.org/wiki/Backdoor_(computing)
>> 
>> Has anyone encountered backdoors during code audits, penetration tests, data 
>> breaches? 
>> Could you share some details of what the backdoor looked like? I am 
>> really interested in a technical and abstract description of the backdoor 
>> (e.g. informal descriptions or pseudo-code).
>> Anonymized and off-list replies are also very welcome.
>> 
>> Thanks,
>> Sebastian
> 
> I'd risk to say that the most common case is simply finding 
> authentication credentials hard-coded in the application (CWE-798)
> 
> There is a large list of applications that suffer from this problem, 
> for example:
> 
> http://www.us-cert.gov/cas/techalerts/TA05-224A.html
> 
> There are more sophisticated backdoors of course but I think 
> hard-coded credentials is the most common case by far.
> 
> -ivan
> 

----------------------------------------------------------------------------
Join us on IRC: irc.freenode.net #webappsec

Have a question? Search The Web Security Mailing List Archives: 
http://www.webappsec.org/lists/websecurity/archive/

Subscribe via RSS: 
http://www.webappsec.org/rss/websecurity.rss [RSS Feed]

To unsubscribe email websecurity-unsubscr...@webappsec.org and reply to the 
confirmation email

Join WASC on LinkedIn
http://www.linkedin.com/e/gis/83336/4B20E4374DBA

WASC on Twitter
http://twitter.com/wascupdates


_______________________________________________
Secure Coding mailing list (SC-L) SC-L@securecoding.org
List information, subscriptions, etc - http://krvw.com/mailman/listinfo/sc-l
List charter available at - http://www.securecoding.org/list/charter.php
SC-L is hosted and moderated by KRvW Associates, LLC (http://www.KRvW.com)
as a free, non-commercial service to the software security community.
Follow KRvW Associates on Twitter at: http://twitter.com/KRvW_Associates
_______________________________________________