Finding Vulnerabilities in Source Code
- Possible situations:
  - Open source app
  - Open source components
  - Consultant doing penetration testing
  - File disclosure vulnerability allowing a source code download
  - Client-side code
Approaches to Code Review
Black-Box Versus White-Box Testing
- Black-box:
  - Attack the application from outside
  - Monitor inputs and outputs
  - No prior knowledge
- White-box:
  - Look at application internals
  - Full access to design documentation, source code, etc.
Code Review Methodology
- Identify security vulnerabilities in code
- Process:
  - Trace user-controllable data from entry points
  - Review code that processes user-controllable data
  - Perform line-by-line review of possibly risky code
  - Find any problems with it
Signatures of Common Vulnerabilities
Cross-Site Scripting
- Parts of the HTML returned to the user are constructed from user-controllable data
- User-controllable data is used to set a variable that is later used to build a response
SQL Injection
- User-controllable data concatenated with hard-coded strings to form SQL queries
- Search for the hard-coded SQL substrings to locate these queries
Path Traversal
- User-controllable data passed to a filesystem API without validation or verification
  - Often appended to a hard-coded directory path
Arbitrary Redirection
- User-controllable data used to construct the URL to which the user is redirected
OS Command Injection
- Code interfacing with external systems
Backdoor Passwords
- Passwords hard-coded in the source
Native Software Bugs
- Buffer Overflow Vulnerabilities
  - Buffer manipulation via unchecked APIs:
    - strcpy
    - strcat
    - memcpy
    - sprintf
  - User-controllable string copied into a fixed-size buffer
- Integer Vulnerabilities
  - Comparisons between signed and unsigned integers
- Format String Vulnerabilities
  - Find 'printf' and 'FormatMessage' functions where the format string parameter is not hard-coded and is user controllable
- Look for keywords like 'bug', 'problem', 'todo', etc.
Java
Identifying User-Supplied Data
- getParameter
- getParameterNames
- getParameterValues
- getParameterMap
- getRemoteUser
- getUserPrincipal
- getHeader
- getHeaders
- getHeaderNames
- getQueryString
- getRequestURI
- getRequestURL
- getCookies
- getRequestedSessionId
- getInputStream
- getReader
- getMethod
- getProtocol
- getServerName
Session Interaction
- setAttribute
- putValue
- getAttribute
- getValue
- getAttributeNames
- getValueNames
Potentially Dangerous APIs
- File Access
  - java.io.FileInputStream
  - java.io.FileOutputStream
  - java.io.FileReader
  - java.io.FileWriter
- Database Access
  - Commonly used:
    - java.sql.Connection.createStatement
    - java.sql.Statement.execute
    - java.sql.Statement.executeQuery
  - Secure alternatives:
    - java.sql.Connection.prepareStatement
    - java.sql.PreparedStatement.setString
    - java.sql.PreparedStatement.setInt
    - java.sql.PreparedStatement.setBoolean
    - java.sql.PreparedStatement.setObject
    - java.sql.PreparedStatement.execute
    - java.sql.PreparedStatement.executeQuery
- Dynamic Code Execution
  - Java has no built-in method for this, but some implementations provide ways to do something like it.
- OS Command Execution
  - java.lang.Runtime.getRuntime
  - java.lang.Runtime.exec
- URL Redirection
  - javax.servlet.http.HttpServletResponse.sendRedirect
  - javax.servlet.http.HttpServletResponse.setStatus
  - javax.servlet.http.HttpServletResponse.addHeader
- Sockets
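As an added example (not from the original notes), the following Python script applies the review methodology to a constructed Java servlet fragment: it marks variables assigned from the entry points listed under Identifying User-Supplied Data as user-controllable, then reports any of the potentially dangerous APIs above whose argument is built from them. The sample Java code, the SOURCES and SINKS tables and the scan_java helper are all constructed for this illustration; it matches within single lines only and follows neither method calls nor data through the session, so it is a way to find the lines that deserve line-by-line review, not a substitute for it.

```python
"""Minimal source-to-sink scanner for Java servlet code (constructed illustration)."""
import re

# Entry points returning user-controllable data (HttpServletRequest methods).
SOURCES = (
    "getParameter", "getParameterValues", "getParameterMap", "getHeader",
    "getHeaders", "getCookies", "getQueryString", "getRequestURI",
    "getRequestURL", "getInputStream", "getReader", "getRemoteUser",
)

# Potentially dangerous APIs and the vulnerability class each one signals.
SINKS = {
    "executeQuery": "SQL injection",
    "executeUpdate": "SQL injection",
    "execute": "SQL injection",
    "prepareStatement": "SQL injection",   # only flagged if the SQL text itself is built from input
    "FileInputStream": "path traversal",
    "FileOutputStream": "path traversal",
    "FileReader": "path traversal",
    "FileWriter": "path traversal",
    "exec": "OS command injection",
    "sendRedirect": "arbitrary redirection",
}

STRING_LITERAL = re.compile(r'"(?:\\.|[^"\\])*"')
# "Type var = expr;" or "var = expr;" (the =(?!=) avoids matching ==).
ASSIGNMENT = re.compile(r"^\s*(?:[\w<>\[\],]+\s+)?(\w+)\s*=(?!=)\s*(.+);")


def strip_literals(code):
    """Blank out string literals so words inside SQL text are not mistaken for variables."""
    return STRING_LITERAL.sub('""', code)


def mentions_source(code):
    """True if the code calls one of the request entry points directly."""
    return any(re.search(rf"\b{s}\s*\(", code) for s in SOURCES)


def mentions_tainted(code, tainted):
    """True if the code references a variable already known to hold user data."""
    return any(re.search(rf"\b{re.escape(v)}\b", code) for v in tainted)


def scan_java(src):
    """Return (findings, tainted): findings are (line_no, sink, issue) tuples."""
    tainted = set()
    findings = []
    for no, line in enumerate(src.splitlines(), start=1):
        code = strip_literals(line)
        m = ASSIGNMENT.match(code)
        if m:
            var, rhs = m.groups()
            # Propagate taint: anything assigned from a source or a tainted variable is tainted.
            if mentions_source(rhs) or mentions_tainted(rhs, tainted):
                tainted.add(var)
        for sink, issue in SINKS.items():
            call = re.search(rf"\b{sink}\s*\((.*)\)", code)
            if call and (mentions_source(call.group(1)) or mentions_tainted(call.group(1), tainted)):
                findings.append((no, sink, issue))
    return findings, tainted


# Constructed servlet fragment: lines 4, 8, 9 and 10 exhibit the signatures above;
# lines 5 to 7 use a prepared statement correctly and line 12 passes only a constant.
SAMPLE_JAVA = """\
String id = request.getParameter("id");
String path = request.getHeader("X-Report");
Statement st = conn.createStatement();
ResultSet rs = st.executeQuery("SELECT * FROM users WHERE id = " + id);
PreparedStatement ps = conn.prepareStatement("SELECT * FROM users WHERE id = ?");
ps.setString(1, id);
ResultSet rs2 = ps.executeQuery();
FileInputStream in = new FileInputStream("/var/reports/" + path);
response.sendRedirect(request.getParameter("next"));
Process p = Runtime.getRuntime().exec("report-tool " + id);
String fixed = "daily";
Process p2 = Runtime.getRuntime().exec("report-tool " + fixed);
"""

if __name__ == "__main__":
    found, _ = scan_java(SAMPLE_JAVA)
    for no, sink, issue in found:
        print(f"line {no}: {issue} via {sink}()")
```

Note that the prepared statement on lines 5 to 7 of the sample is not reported: the SQL text passed to prepareStatement is a constant and the user value only reaches setString, which is the secure alternative listed above. The same tables can be extended with the ASP.NET and PHP names from the later sections.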
Configuring the Java Environment
- login-config
  - Configure authentication details here
  - Categories:
    - Form-based
      - Set the form action to j_security_check
      - Submit parameters j_username and j_password
    - Basic auth / Client-Cert
- security-constraint: can restrict resource access if login-config is defined
- session-config
- error-page: error handling is defined here
- init-param
ASP.NET
Identifying User-Supplied Data
- Params
- Item
- Form
- QueryString
- ServerVariables
- Headers
- Url
- RawUrl
- UrlReferrer
- Cookies
- Files
- InputStream
- BinaryRead
- HttpMethod
- Browser
- UserAgent
- AcceptTypes
- UserLanguages
Session Interaction
- Add
- Item
- Keys
- GetEnumerator
- CopyTo
Potentially Dangerous APIs
- File Access
  - System.IO.FileStream
  - System.IO.StreamReader
  - System.IO.StreamWriter
- Database Access
  - System.Data.SqlClient.SqlCommand
  - System.Data.SqlClient.SqlDataAdapter
  - System.Data.OleDb.OleDbCommand
  - System.Data.Odbc.OdbcCommand
  - System.Data.SqlServerCe.SqlCeCommand
- Dynamic Code Execution
- OS Command Execution
  - System.Diagnostics.Process.Start
  - System.Diagnostics.ProcessStartInfo
- URL Redirection
  - System.Web.HttpResponse.Redirect
  - System.Web.HttpResponse.Status
  - System.Web.HttpResponse.StatusCode
  - System.Web.HttpResponse.AddHeader
  - System.Web.HttpResponse.AppendHeader
  - Server.Transfer
- Sockets
  - System.Net.Sockets.Socket
Configuring the ASP.NET Environment
- httpCookies
- sessionState
- compilation
- customErrors
- httpRuntime
PHP
Identifying User-Supplied Data
- $_GET
- $HTTP_GET_VARS
- $_POST
- $HTTP_POST_VARS
- $_COOKIE
- $HTTP_COOKIE_VARS
- $_REQUEST
- $_FILES
- $HTTP_POST_FILES
- $_SERVER['REQUEST_METHOD']
- $_SERVER['QUERY_STRING']
- $_SERVER['REQUEST_URI']
- $_SERVER['HTTP_ACCEPT']
- $_SERVER['HTTP_ACCEPT_CHARSET']
- $_SERVER['HTTP_ACCEPT_ENCODING']
- $_SERVER['HTTP_ACCEPT_LANGUAGE']
- $_SERVER['HTTP_CONNECTION']
- $_SERVER['HTTP_HOST']
- $_SERVER['HTTP_REFERER']
- $_SERVER['HTTP_USER_AGENT']
- $_SERVER['PHP_SELF']
Session Interaction
- Uses $_SESSION array to store/retrieve user session info
- Can also use $HTTP_SESSION_VARS
Potentially Dangerous APIs
- File Access
  - gzfile
  - gzpassthru
  - readgzfile
  - copy
  - rename
  - rmdir
  - mkdir
  - unlink
  - file_get_contents
  - file_put_contents
  - parse_ini_file
  - include
  - include_once
  - require
  - require_once
  - virtual
- Database Access
  - Examples:
    - mysql_query
    - mssql_query
    - pg_query
  - Creating prepared statements:
    - mysqli->prepare
    - stmt->prepare
    - stmt->bind_param
    - stmt->execute
    - odbc_prepare
- Dynamic Code Execution
  - eval
  - call_user_func
  - call_user_func_array
  - call_user_method
  - call_user_method_array
  - create_function
- OS Command Execution
  - exec
  - passthru
  - popen
  - proc_open
  - shell_exec
  - system
  - The backtick operator (`)
- URL Redirection
  - http_redirect
  - header
  - HttpMessage::setResponseCode
  - HttpMessage::setHeaders
- Sockets
  - socket_create
  - socket_connect
  - socket_write
  - socket_send
  - socket_recv
  - fsockopen
  - pfsockopen
Methods Usable for Remote File Retrieval
- Methods for file access even if allow_url_fopen is set to 0:
  - SMB
  - PHP input/output streams
  - Compression streams
  - Audio streams
Configuring the PHP Environment (php.ini)
- Register Globals
  - If register_globals is enabled, PHP creates global variables for all request parameters
- Safe Mode
  - If safe_mode is enabled, PHP restricts some dangerous functions
- Magic Quotes
  - If magic_quotes_gpc is enabled, every single quote, double quote, backslash, and NULL character in request data is automatically escaped with a backslash.
  - Doesn't prevent second-order or numeric field attacks.
- Miscellaneous
  - allow_url_fopen
  - allow_url_include
  - display_errors
  - file_uploads
  - upload_tmp_dir
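To make the magic quotes caveat concrete, here is an added Python emulation (not PHP, and not from the original notes) of what magic_quotes_gpc does to request input, together with a small check that tells whether the resulting query still keeps the input inside a quoted literal. The query templates, the users table name and the outside_literals/breaks_out helpers are constructed for this illustration, and the literal parser models only MySQL-style backslash escaping.

```python
"""Why magic_quotes_gpc is not an injection defence (constructed Python emulation)."""
import re


def magic_quotes_gpc(value):
    """Emulate PHP's magic_quotes_gpc / addslashes(): backslash before ' " \\ and NUL."""
    out = []
    for ch in value:
        if ch in "'\"\\":
            out.append("\\" + ch)
        elif ch == "\x00":
            out.append("\\0")
        else:
            out.append(ch)
    return "".join(out)


def stripslashes(value):
    """Emulate PHP's stripslashes(); applications often call it before storing input."""
    return re.sub(r"\\(.)", lambda m: "\x00" if m.group(1) == "0" else m.group(1), value)


def outside_literals(sql):
    """Blank out MySQL-style single-quoted literals; whatever remains is SQL syntax
    the database will interpret. A backslash escape keeps a literal open."""
    return re.sub(r"'(?:\\.|[^'\\])*'", "''", sql)


def breaks_out(sql):
    """True if an OR keyword is visible outside every quoted literal."""
    return re.search(r"\bOR\b", outside_literals(sql), re.IGNORECASE) is not None


# --- vulnerable patterns, with magic quotes applied to request input as PHP did ---

def by_name(name):
    """String field: the escaping is what keeps the input inside the literal."""
    return f"SELECT * FROM users WHERE name = '{magic_quotes_gpc(name)}'"


def by_id(uid):
    """Numeric field: there are no quotes to escape from, so escaping changes nothing."""
    return f"SELECT * FROM users WHERE id = {magic_quotes_gpc(uid)}"


def store_name(name):
    """Typical second-order setup: stripslashes() before persisting, so the DB holds the raw value."""
    return stripslashes(magic_quotes_gpc(name))


def by_stored_name(stored):
    """Second-order: the value comes from the DB, not the request, so magic quotes never touch it."""
    return f"SELECT * FROM users WHERE name = '{stored}'"


# --- hardened forms ---

def by_id_hardened(uid):
    """Enforce the numeric type at the point of use; int() raises ValueError otherwise."""
    return f"SELECT * FROM users WHERE id = {int(uid)}"


def by_stored_name_hardened(stored):
    """Escape at the point of use regardless of where the value came from."""
    return f"SELECT * FROM users WHERE name = '{magic_quotes_gpc(stored)}'"


if __name__ == "__main__":
    print("string field  :", "breaks out" if breaks_out(by_name("x' OR 'a'='a")) else "contained")
    print("numeric field :", "breaks out" if breaks_out(by_id("1 OR 1=1")) else "contained")
    print("second order  :", "breaks out" if breaks_out(by_stored_name(store_name("x' OR 'a'='a"))) else "contained")
```

The numeric and second-order cases both break out of the intended query even though magic quotes was applied to the original request, which is the point of the caveat above. The prepared-statement calls listed under Database Access (mysqli->prepare, stmt->bind_param, odbc_prepare) remove both problems at once, because bound parameters are never parsed as SQL.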
JavaScript
- APIs that read DOM-based data
  - Access DOM data via a crafted URL:
    - document.location
    - document.URL
    - document.URLUnencoded
    - document.referrer
    - window.location
- Update document contents / dynamically execute:
  - document.write()
  - document.writeln()
  - document.body.innerHTML
  - eval()
  - window.execScript()
  - window.setInterval()
  - window.setTimeout()
Database Code Components
SQL Injection
- Stored procedures can still be vulnerable to SQLi if a user-supplied value is concatenated into a dynamic query
- Strings for dynamic code execution:
  - MS-SQL: EXEC
  - Oracle: EXECUTE IMMEDIATE
  - Sybase: EXEC
  - DB2: EXEC SQL
Calls to Dangerous Functions
- Default stored procedures in MS-SQL and Sybase allowing command execution, registry access, etc.
- Functions providing access to the filesystem
- User-defined functions linking to libraries outside the database
- Functions causing network access, such as database links in Oracle or OpenRowSet in MS-SQL