IBM Application Security Insider

Synthetic methods are important elements in WAFL specification. A synthetic method is a function. Like a function in any programming language, synthetic methods can have local variables and a body containing assignment statements and function calls. The function calls can be to any existing function in the application or to another synthetic method. Synthetic methods are called synthetic because they are not part of the application but are synthesized by F4F to represent the behavior of configuration files. Therefore, static analysis tools can easily convert the information in WAFL files to regular methods, calls and variables to conduct the static analysis.

In IBM Security AppScan Source, we use a component named framework handler to process a web application framework and produce the WAFL file. IBM Security AppScan Source contains a set of framework handlers; one for each framework that we support. For example, if the application to be scanned uses the Spring framework, then the Spring framework handler will come into action. It will process the annotations in source code and the configuration files of the application, and then produce a WAFL file as output. This WAFL file is consumed by the static security analysis component. Figure 1 summarizes how F4F works in IBM Security AppScan Source.

Figure 1. How F4F works

As shown in Figure 1, a cool thing about F4F is that it is extensible. Any AppScan Source user can write their own framework handler and plug it into AppScan Source. Such a framework handler is called a custom framework handler. In AppScan Source 8.6, we have provided improved APIs for WAFL generation. These APIs and other F4F interfaces can be used to easily generate WAFL code. Most importantly, in 8.6, we are shipping the source code of a sample framework handler. This framework handler processes Enterprise JavaBeans (EJB) 2 applications. It would be a good start point for developers who want to write their own custom framework handlers.

AppScan Source provides built-in support for the following frameworks: Apache Struts 1, Spring MVC 2.5, ASP.NET, JavaEE, and Enterprise JavaBeans (EJB) 2. Especially, in the 8.6 release, we have added support to Apache Struts 2 and JavaServer Faces(JSF) 2.

Figure 2 and Figure 3 are two example traces from a sample JSF2 application. With the support of JSF2 framework handler, now we can see traces (e.g., XSS traces) that go all the way from the input side on the request web page via configuration files to the output side on the response object. As shown in the following diagram, we can see an SQL injection trace which crosses different source files in the JSF 2 app.

Figure 2. A trace with SQL injection in a JSF2 application

In Figure 3, the JSF2 application uses an explicit navigation rule. In "login.xhtml", it defines an outcome value "ToPageSearch2", and in config file "faces-config.xml", it defines a navigation rule which specifies that the outcome "ToPageSearch2" from web page "login.xhtml" should navigate to page "Search2.xhtml". So on AppScan Source with the support of JSF2 framework handler, we can identify such control flow from the configuration file and see a trace from "login.xhtml" to "Search2.xhtml".

Figure 3. A trace with explicit navigation rule in a JSF2 application

To sum it up, with F4F technology, we can quickly and easily add support for new frameworks in AppScan Source. Moreover, with the built-in F4F handlers, users can identify many more framework-related security issues without any development or configuration effort.

F4F is another example of IBM's commitment to advancing application security. The F4F technology represents one of over one hundred patents granted or in the approval process for static, dynamic, and hybrid analysis.