HPE Security Fortify Runtime Software Version: 17.3 Versions 2017.1.3 (Java) and 2017.1.3 (.NET)

Application Protection Rulepack Kit Guide

Document Release Date: April 2017 Software Release Date: April 2017 Application Protection Rulepack Kit Guide

Legal Notices Warranty The only warranties for Hewlett Packard Enterprise Development products and services are set forth in the express warranty statements accompanying such products and services. Nothing herein should be construed as constituting an additional warranty. HPE shall not be liable for technical or editorial errors or omissions contained herein. The information contained herein is subject to change without notice. Restricted Rights Legend Confidential computer software. Valid license from HPE required for possession, use or copying. Consistent with FAR 12.211 and 12.212, Commercial Computer Software, Computer Software Documentation, and Technical Data for Commercial Items are licensed to the U.S. Government under vendor's standard commercial license. The software is restricted to use solely for the purpose of scanning software for security vulnerabilities that is (i) owned by you; (ii) for which you have a valid license to use; or (iii) with the explicit consent of the owner of the software to be scanned, and may not be used for any other purpose. You shall not install or use the software on any third party or shared (hosted) server without explicit consent from the third party. Copyright Notice © Copyright 2010 - 2017 Hewlett Packard Enterprise Development LP Trademark Notices Adobe™ is a trademark of Adobe Systems Incorporated. Microsoft® and Windows® are U.S. registered trademarks of Microsoft Corporation. UNIX® is a registered trademark of The Open Group. This product includes an interface of the 'zlib' general purpose compression library, which is Copyright © 1995-2002 Jean- loup Gailly and Mark Adler. Documentation Updates The title page of this document contains the following identifying information:

l Software Version number

l Document Release Date, which changes each time the document is updated

l Software Release Date, which indicates the release date of this version of the software To check for recent updates or to verify that you are using the most recent edition of a document, go to: https://www.protect724.hpe.com/community/fortify/fortify-product-documentation You will receive updated or new editions if you subscribe to the appropriate product support service. Contact your HPE sales representative for details.

HPE Security Fortify Runtime (17.3) Page 2 of 47 Application Protection Rulepack Kit Guide

Contents

Preface 5 Contacting HPE Security Fortify Support 5 For More Information 5 About the Documentation Set 5

Change Log 6

Chapter 1: Rule Categories for Rulepacks 7

Chapter 2: HPE Security Fortify Application Protection Rules 9 ClassLoader Manipulation: Struts 11 Command Injection 12 Command Injection: Shellshock 13 Cookie Security: HTTPOnly Not Set on Session Cookie 14 Cross-Site Scripting Attack 16 Dangerous File Inclusion: Local 17 Dangerous File Inclusion: Remote 18 Denial of Service: Parse Double 19 Directory Listing 20 Discovery: Known Vulnerability Scanner Activity 21 Dynamic Code Evaluation: Unsafe Deserialization 22 Forceful Browsing 23 Header Manipulation 24 LDAP Injection 26 Malformed Request: Bad Content-Type 27 Malformed Request: Missing Accept Header 28 Malformed Request: Missing Content-Type 29 Malformed Request: Use of Unsupported Method 30 Method Call Failure: Database Query 31

HPE Security Fortify Runtime (17.3) Page 3 of 47 Application Protection Rulepack Kit Guide

OGNL Expression Injection: Direct Method Invocation 32 Open Redirect 33 Poor Error Handling: Unhandled Exception 34 Privacy Violation: Internal 35 Slow Method Call: Slow Database Query (Batch Processing) 36 Slow Method Call: Slow Database Query (Web Processing) 37 SQL Injection 38 System Information Leak 40 XML Entity Expansion Injection 41 XML External Entity Injection 42 XPath Injection 43

Appendix : Eliminating Hard-Coded XSS and SQLi Issues 44

Send Documentation Feedback 47

HPE Security Fortify Runtime (17.3) Page 4 of 47 Application Protection Rulepack Kit Guide Preface

Preface

Contacting HPE Security Fortify Support

If you have questions or comments about using this product, contact HPE Security Fortify Technical Support using one of the following options. To Manage Your Support Cases, Acquire Licenses, and Manage Your Account https://support.fortify.com To Email Support [email protected] To Call Support 1.844.260.7219

For More Information

For more information about HPE Security software products: http://www.hpe.com/software/fortify

About the Documentation Set

The HPE Security Fortify Software documentation set contains installation, user, and deployment guides for all HPE Security Fortify Software products and components. In addition, you will find technical notes and release notes that describe new features, known issues, and last-minute updates. You can access the latest versions of these documents from the following HPE Security user community website: https://www.protect724.hpe.com/community/fortify/fortify-product-documentation You will need to register for an account.

HPE Security Fortify Runtime (17.3) Page 5 of 47 Application Protection Rulepack Kit Guide Change Log

Change Log

The following table lists changes made to this document. Revisions to this document are published only if the changes made affect product functionality.

Software Release / Document Version Changes

17.3 Added:

l Malformed Request: Bad Content-Type

l Slow Method Call: Slow Database Query (Batch Processing)

l Slow Method Call: Slow Database Query (Web Processing)

16.8 Minor updates.

16.6 Added:

l LDAP Injection

l OGNL Expression Injection: Direct Method Invocation

HPE Security Fortify Runtime (17.3) Page 6 of 47 Chapter 1: Rule Categories for Rulepacks

The information in this section describes the detection capabilities of Fortify RTAP Rulepacks. Specifically, for each category of attack, vulnerability, or audit event detected by RTAP, HPE Security provides the following information.

Programming Language

Many RTAP rules often apply across multiple programming languages, but in cases where a rule applies only to one language or another we indicate so here.

Event Type

RTAP rules produce three types of events: attack, vulnerability, and audit. Rules that identify malicious activity produce attack events. Rules that identify vulnerabilities in the program definition produce vulnerability events. Rules that report information intended to help audit or debug the behavior of the program produce audit events. Many rules produce events that span multiple types, such as SQL injection, which produces events that represent an attack, vulnerability, and an activity relevant to an auditor all at the same time.

Priority

Events have one of four priorities associated with them: critical, high, medium, and low. Critical-priority events represent the most serious problems and low-priority events the least.

Default Response

A solid understanding of default behavior, as well as of any customization deemed necessary, is critical to a successful RTAP deployment. Rules can use the following actions, all of which are included in the default configuration:

l ignore—take no action (still logs event) l display404/display403—respond with a 404 or 403 error l rewrite—transform data per rule-specific instructions

HPE Security Fortify Runtime (17.3) Page 7 of 47 Application Protection Rulepack Kit Guide Chapter 1: Rule Categories for Rulepacks

Detection Strategy

The detection strategy implemented by a rule describes the combination of program and data characteristics that cause the rule to trigger and produce an event.

Configuration

Many rules have externalized configuration values that can be modified to fine-tune the behavior of the rule. The configuration template associated with a program protected by RTAP defines the configuration values, as described in the topics for those particular rules. To modify these values through HPE Security Fortify Software Security Center, view the details for the configuration template you wish to modify and navigate to the template-defined variables section.

Tuning

While Fortify Runtime and the RTAP rule set are designed to work well on most programs with little or no intervention, some categories of detection benefit from targeted testing, verification, and tuning. In these cases, you might want to adjust the configuration to accommodate changes that are warranted.

HPE Security Fortify Runtime (17.3) Page 8 of 47 Chapter 2: HPE Security Fortify Application Protection Rules

This section contains the following topics: ClassLoader Manipulation: Struts 11 Command Injection 12 Command Injection: Shellshock 13 Cookie Security: HTTPOnly Not Set on Session Cookie 14 Cross-Site Scripting Attack 16 Dangerous File Inclusion: Local 17 Dangerous File Inclusion: Remote 18 Denial of Service: Parse Double 19 Directory Listing 20 Discovery: Known Vulnerability Scanner Activity 21 Dynamic Code Evaluation: Unsafe Deserialization 22 Forceful Browsing 23 Header Manipulation 24 LDAP Injection 26 Malformed Request: Bad Content-Type 27 Malformed Request: Missing Accept Header 28 Malformed Request: Missing Content-Type 29 Malformed Request: Use of Unsupported Method 30 Method Call Failure: Database Query 31 OGNL Expression Injection: Direct Method Invocation 32 Open Redirect 33 Poor Error Handling: Unhandled Exception 34 Privacy Violation: Internal 35 Slow Method Call: Slow Database Query (Batch Processing) 36 Slow Method Call: Slow Database Query (Web Processing) 37 SQL Injection 38 System Information Leak 40

HPE Security Fortify Runtime (17.3) Page 9 of 47 Application Protection Rulepack Kit Guide Chapter 2: HPE Security Fortify Application Protection Rules

XML Entity Expansion Injection 41 XML External Entity Injection 42 XPath Injection 43

HPE Security Fortify Runtime (17.3) Page 10 of 47 Application Protection Rulepack Kit Guide Chapter 2: HPE Security Fortify Application Protection Rules

ClassLoader Manipulation: Struts

Language Event Type Priority Default Response

Java Attack, Vulnerability, Audit High Default Action

Detection Strategy Triggers when the property resolver is trying to access the classloader. The following frameworks are supported:

l Struts version 1, via monitoring -beanutils l Struts version 2, via monitoring OGNL Non-vulnerable versions will not be triggered.

Supported Frameworks

Java .NET

Apache Struts version 1 n/a Apache Struts version 2

Configuration None

Tuning None

HPE Security Fortify Runtime (17.3) Page 11 of 47 Application Protection Rulepack Kit Guide Chapter 2: HPE Security Fortify Application Protection Rules

Command Injection

Language Event Type Priority Default Response

Java, .NET Attack, Vulnerability, Audit High Default Action

Detection Strategy Matches any system command execution that contains a cross-boundary HTTP request parameter OR where the command contains more than one command (for example, a one-line batch command with “&&” or “|”). According to command line grammar, a “boundary” is a position between two lexical tokens. For example, the boundaries for “ping -n 4 localhost” are “ping|-n|4|localhost” and a string value “ping -n” is therefore a cross-boundary input while “localhost” is not.

Supported Frameworks

Java .NET

Core Java Core .NET

Configuration None

Tuning None

HPE Security Fortify Runtime (17.3) Page 12 of 47 Application Protection Rulepack Kit Guide Chapter 2: HPE Security Fortify Application Protection Rules

Command Injection: Shellshock

Language Event Type Priority Default Response

Java Attack, Vulnerability, Audit High Default Action

Detection Strategy Triggers if any HTTP header value starts with "() {"

Supported Frameworks

Java .NET

Core Java n/a

Configuration None

Tuning None

HPE Security Fortify Runtime (17.3) Page 13 of 47 Application Protection Rulepack Kit Guide Chapter 2: HPE Security Fortify Application Protection Rules

Cookie Security: HTTPOnly Not Set on Session Cookie

Language Event Type Priority Default Response

Java Vulnerability, Audit Medium Rewrite

Detection Strategy This rule works as a virtual patch on application servers, as listed in the following table, that either do not support the HttpOnly cookie flag or do not enable the flag on HTTP Session cookie by default.

Supports HttpOnly Session Type Cookie Since Comment

Apache 5.5.281 or 6.0.20 Default "false" for 5.5.28 to 6.0. Default "true" Tomcat for 7.0 and later.

Red Hat 6.0 Servlet 3.0, default "false," config via web. JBoss2

Oracle 9.2 MP43 Servlet 2.4, default "true" WebLogic

IBM 8.05 Servlet 3.0, default "true," configurable in WebSphere4 console

For all servers, the rule installs the virtual patch only if it is operating in Protect mode. HPE Security Fortify Application Defender sends events for this rule only during server startup.

1http://tomcat.apache.org/tomcat-5.5-doc/config/context.html 2According to https://www.owasp.org/index.php/HTTPOnly, JBoss 5.1 supports HttpOnly by using Context.xml (similar to Tomcat 5.5). 3http://download.oracle.com/docs/cd/E13222_01/wls/docs92/webapp/weblogic_ xml.html#wp1071982 4http://www-01.ibm.com/support/docview.wss?uid=swg1PK80629, the custom property addHttpOnlyAttributeToCookies on WAS 6.1 and 7.0 does not affect every cookie that passes through the application server. The list of non-HTTPOnly cookies includes JSESSIONID cookies. 5 http://publib.boulder.ibm.com/infocenter/ieduasst/v1r1m0/index.jsp?topic=/com.ibm.iea.was_ v8/was/8.0/Security/ WASv8_SecurityEnhancements/player.html

HPE Security Fortify Runtime (17.3) Page 14 of 47 Application Protection Rulepack Kit Guide Chapter 2: HPE Security Fortify Application Protection Rules

On and Red Hat JBoss servers, one event is triggered and the virtual patch is installed for each application context during the context startup. After a context startup, disabling this rule or changing it from Protect mode to Monitor mode has no further effect (that is, the virtual patch remains installed and the HttpOnly flag remains enabled). On Oracle WebLogic and IBM WebSphere servers, only one event is triggered during the entire application server startup. After server startup, disabling this rule or changing it from Protect mode to Monitor mode prevents the addition of the HttpOnly flag on subsequent HTTP sessions.

Supported Frameworks

Java .NET

Apache Tomcat n/a Red Hat Jboss Oracle WebLogic IBM WebSphere

Configuration None

Tuning Disable this rule if your application uses JavaScript to access the session cookie.

HPE Security Fortify Runtime (17.3) Page 15 of 47 Application Protection Rulepack Kit Guide Chapter 2: HPE Security Fortify Application Protection Rules

Cross-Site Scripting Attack

Language Event Type Priority Default Response

Java, .NET Attack, Vulnerability, Audit Critical Default Action

Detection Strategy Matches HTTP request parameter names and values that contain values associated with cross-site scripting attacks (the request values may be HTML decoded and stripped of white space prior to matching). Potential attack strings include the introduction of relevant tags, such as