Core Security Readies Web App Security Tool

Researchers at Core Security Technologies will present an open-source tool that takes on Web application threats.

Core Security Technologies is unveiling an open-source tool called Core Grasp Aug. 2, which is aimed at protecting Web applications from attack.

Researchers from CoreLabs will be presenting the tool, which was created with an eye towards preventing SQL-injection attacks for applications written in PHP, at the Black Hat conference in Las Vegas. By exploiting SQL-injection vulnerabilities in Web applications, hackers can steal or alter information stored in databases to gain direct access to back-end networks, Core Security officials said.

"We saw that PHP applications are riddled with bugs," said Ivan Arce, chief technology officer and co-founder of Core Security, based in Boston.

/zimages/3/28571.gifRead here about Core Securitys automation of user security testing.

Arce said the tool blocks attacks using a method known as "taint analysis," and does not require access or changes to the applications source code. Grasp works by tracking user input variables throughout the entire application execution environment by tagging the variables with a security mark, he said.

"At the end of all this process…if an operation is about to be performed on the database for example, we check that the variable that used to build the query does not have any security marks and is not controlled by the user," he said. "If it is controlled by the user, we verify that it does not have any attack strings in it, or characters that are not allowed to be sent to the database or things like that. And thats where we block the attack."

Arce said it is important that the tool works at the byte level because it provides an easy way to check each byte of the query string to see if that byte was controlled by the user or not.

Applications written in the most common Web scripting languages, including PHP, ASP, Python, Perl and Java, can be protected using this technology, Core Security officials said, adding that Grasp helps prevent database injection, shell injection, cross-site scripting and directory-transversal attacks.

"We dont have any plans to build a product around this," Arce said. "It started as a research project, it evolved into a functional implementation of our idea, and now we are releasing it as an open-source project, hopefully to contribute to the Web application community and to hopefully get people involved in using it and improving it."

Core Grasp will be available online Aug. 2.

Check out eWEEK.coms Security Center for the latest security news, reviews and analysis. And for insights on security coverage around the Web, take a look at eWEEKs Security Watch blog.