11.1. Code Audit

11.1.1. Introduction

Code auditing is the process of finding defects in an application. The usual approaches are white box audits, black box audits, gray box audits and a few other methods. White box auditing means finding application defects by analysing the source code. Black box auditing usually does not involve the source code and relies mostly on fuzz testing, while gray box auditing is a combination of the two. The three test methods each have their own advantages and disadvantages.

11.1.2. Common concepts

11.1.2.1. Input

Input is usually also called the Source. The input of a web application can be the request parameters (GET, POST, etc.), uploaded files, cookies, database contents and any other place that is directly or indirectly controllable by the user.

For example, in PHP the superglobals $_GET / $_POST / $_REQUEST / $_COOKIE / $_FILES / $_SERVER can all serve as input to the application.

11.1.2.2. Processing functions

A processing function is a function that filters, encodes or decodes data, usually called a Clean / Filter / Sanitizer. These functions perform security operations or filtering on the input, which adds uncertainty to whether a vulnerability can be exploited.

Taking PHP as an example again, such functions include mysqli_real_escape_string / htmlspecialchars / base64_encode / str_rot13 and the like; custom filter functions may also be applied.

11.1.2.3. Dangerous functions

Dangerous functions, often called Sink Calls or vulnerability points, are functions that may trigger dangerous behaviour such as file operations, command execution and database operations.

In PHP these include include / system / echo and so on.

11.1.3. Automated Audit

It is generally held that a vulnerability is triggered when input flows, through whatever filtering is applied, into a dangerous function (Source To Sink), and auditing is the process of finding this chain. Common automated audit schemes include dangerous function matching and control flow analysis.

11.1.3.1. Dangerous function matching

The most common white box audit method is to locate vulnerabilities by searching for dangerous functions and dangerous parameters. The most representative tool is the audit tool developed by Seay. The false positive rate of this method is quite high, because it does not analyse the program flow in depth. It also usually analyses each file in isolation, ignoring the complex call relationships between files.

On the other hand, in some environments this method has almost no false negatives: as long as the auditor is patient, most of the vulnerabilities can be found. In heavily framework-based code, however, the vulnerabilities it can find are relatively limited.

11.1.3.2. Control flow analysis

Later systems introduced the AST, to some extent, as the basis of the analysis. This reduced false positives to a certain degree, but many defects remained.

Dahse J et al. then designed RIPS. This tool performs data flow and control flow analysis, combining intra-procedural and inter-procedural analysis to obtain audit results. Compared with dangerous function matching, the false positive rate is much lower, but the overhead also increases.
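The following is an added example, not code from the page or from any of the tools it names, that puts the Source / Sanitizer / Sink vocabulary of 11.1.2 and the two automated approaches of 11.1.3.1 and 11.1.3.2 side by side. It runs a naive dangerous function matcher and a small intra-file data flow analysis over a constructed PHP fragment. The sink and sanitizer tables are assumptions made for the example; note that base64_encode and str_rot13 are listed as processing functions that transform the data but neutralise nothing, and that htmlspecialchars protects echo but not mysqli_query.

```python
import re

# Constructed PHP fragment used as the audit target (not code from the page).
PHP_SAMPLE = """\
$id = $_GET['id'];
$name = htmlspecialchars($_POST['name']);
$cmd = 'ls -l';
$enc = base64_encode($_COOKIE['token']);
system($cmd);
echo $name;
mysqli_query($conn, "SELECT * FROM users WHERE id=" . $id);
echo $enc;
include $_GET['page'];
"""

# Sources: user-controllable PHP superglobals.
SOURCES = ("$_GET", "$_POST", "$_REQUEST", "$_COOKIE", "$_FILES", "$_SERVER")

# Sinks and the vulnerability class each one can trigger (assumed table).
SINKS = {"system": "RCE", "mysqli_query": "SQLi", "echo": "XSS", "include": "LFI"}

# Processing functions and the classes each actually neutralises (assumed table).
# base64_encode / str_rot13 transform the data but neutralise nothing.
SANITIZERS = {
    "htmlspecialchars": {"XSS"},
    "mysqli_real_escape_string": {"SQLi"},
    "intval": {"RCE", "SQLi", "XSS", "LFI"},
    "base64_encode": set(),
    "str_rot13": set(),
}

SINK_RE = re.compile(r"\b(" + "|".join(SINKS) + r")\b")
ASSIGN_RE = re.compile(r"^(\$\w+)\s*=\s*(.*)$")
SINK_CALL_RE = re.compile(r"^(\w+)\s*\(?(.*?)\)?$")
WRAP_RE = re.compile(r"^(\w+)\s*\((.*)\)$")   # a single function wrapping an expression
VAR_RE = re.compile(r"\$\w+")


def match_dangerous_functions(php):
    """Dangerous function matching: flag every line that names a sink."""
    hits = []
    for n, line in enumerate(php.splitlines(), 1):
        m = SINK_RE.search(line)
        if m:
            hits.append((n, m.group(1)))
    return hits


def expr_taint(expr, env):
    """Vulnerability classes an expression is still dangerous for.
    env maps a variable name to the classes not yet neutralised for it.
    Only one wrapping call per expression is understood (simplification)."""
    expr = expr.strip()
    m = WRAP_RE.match(expr)
    if m and m.group(1) in SANITIZERS:
        return expr_taint(m.group(2), env) - SANITIZERS[m.group(1)]
    taint = set()
    if any(src in expr for src in SOURCES):
        taint |= set(SINKS.values())      # raw input is dangerous for every sink class
    for var in VAR_RE.findall(expr):
        taint |= env.get(var, set())      # taint carried over from earlier assignments
    return taint


def taint_analysis(php):
    """Intra-file data flow: follow taint through straight-line assignments and
    report sinks reached by input whose matching sanitizer was never applied."""
    env, findings = {}, []
    for n, line in enumerate(php.splitlines(), 1):
        stmt = line.strip().rstrip(";").strip()
        m = ASSIGN_RE.match(stmt)
        if m:
            env[m.group(1)] = expr_taint(m.group(2), env)
            continue
        m = SINK_CALL_RE.match(stmt)
        if m and m.group(1) in SINKS:
            vuln = SINKS[m.group(1)]
            if vuln in expr_taint(m.group(2), env):
                findings.append((n, m.group(1), vuln))
    return findings


def false_positives(php):
    """Naive matcher hits that the data flow analysis does not confirm."""
    confirmed = {n for n, _, _ in taint_analysis(php)}
    return [(n, f) for n, f in match_dangerous_functions(php) if n not in confirmed]


if __name__ == "__main__":
    print("naive matches:  ", match_dangerous_functions(PHP_SAMPLE))
    print("confirmed:      ", taint_analysis(PHP_SAMPLE))
    print("false positives:", false_positives(PHP_SAMPLE))
```

The naive matcher reports all five sink lines; the data flow pass keeps only the three where taint survives the sanitizer table (the constant command and the HTML-escaped echo drop out), which is the false positive reduction the text attributes to flow-aware tools. The price is visible too: even this toy version needs a model of assignments and of which sanitizer covers which sink, and a real analyser must extend that across function and file boundaries.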

11.1.3.3. Graph-based analysis

Graph-based analysis is an improvement on control flow analysis. It uses the properties of the CFG together with graph algorithms to simplify the computation to a certain extent. The most representative examples are Microsoft's Semmle QL and the NDSS paper Efficient and Flexible Discovery of PHP Application Vulnerabilities, published in 2017.

11.1.3.4. Code similarity comparison

Some developers copy code from other frameworks or build on a variety of frameworks. If a map of the corresponding vulnerabilities is built in advance, similarity-based methods can be used to find the same vulnerability in the copied code.

11.1.3.5. Gray box analysis

Control-flow-based analysis is expensive, so a runtime-based method was proposed that hooks the code: when a dangerous function is executed, the tool automatically traces back to the input, locates it and judges whether it is exploitable.

This method avoids the complex implementation of control flow analysis and the high cost of path computation, and also makes some progress in recognising filter functions, but a gray box method does not necessarily trigger every vulnerability. prvd, developed by fate0, is based on this design idea.
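As an added illustration of the runtime hooking idea (this is example code written for this page, not prvd's implementation), the block below wraps two stand-in dangerous functions with a hook that, when the sink executes, checks whether any request parameter value arrives in the argument unchanged. The substring heuristic, the handler and the parameter values are all assumptions constructed for the example. It shows the two properties the text describes: the hook recognises escaped input without any model of htmlspecialchars, and a sink on a code path the test request does not exercise is simply never seen.

```python
import functools
import html

# Request parameters visible to the hooks while a handler runs, plus the
# findings collected during that run (module-level state for the simulation).
_state = {"params": {}, "findings": []}


def hook_sink(vuln_class):
    """Decorator standing in for a runtime hook on a dangerous function.
    On every call it checks whether a request parameter value reaches a string
    argument unchanged, the marker/substring heuristic assumed for this example."""
    def decorate(fn):
        @functools.wraps(fn)
        def wrapper(*args, **kwargs):
            for arg in args:
                if not isinstance(arg, str):
                    continue
                for key, value in _state["params"].items():
                    # very short values would match by accident, so skip them
                    if len(value) >= 4 and value in arg:
                        _state["findings"].append((fn.__name__, vuln_class, key))
            return fn(*args, **kwargs)
        return wrapper
    return decorate


@hook_sink("SQLi")
def db_query(sql):
    """Stand-in for mysqli_query: no database, it just returns the statement."""
    return "executed: " + sql


@hook_sink("XSS")
def render(body):
    """Stand-in for echo into an HTML response."""
    return body


def profile_page(params):
    """Constructed handler: one unfiltered sink, one escaped sink, one constant
    query, and one sink only reached when debug=1 is supplied."""
    db_query("SELECT * FROM users WHERE id = " + params["id"])   # raw input reaches the sink
    render("<h1>" + html.escape(params["name"]) + "</h1>")       # escaped: value no longer matches
    db_query("SELECT 1")                                         # constant, never flagged
    if params.get("debug") == "1":
        db_query("SELECT * FROM logs WHERE msg = '" + params["name"] + "'")


def audit_request(params, handler):
    """Run one request through the hooked application and return what the
    hooks observed for that request only."""
    _state["params"] = dict(params)
    _state["findings"] = []
    handler(params)
    return list(_state["findings"])


if __name__ == "__main__":
    probe = {"id": "4242", "name": "<b>audit</b>"}   # constructed marker values
    print(audit_request(probe, profile_page))
    print(audit_request({**probe, "debug": "1"}, profile_page))
```

With the plain probe only the unfiltered id query is reported; the escaped name never matches because html.escape changed it. Only when the request also carries debug=1 does the second query run and get flagged, which is exactly why the text says the gray box method does not necessarily trigger all vulnerabilities: coverage is bounded by the requests the auditor sends.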

11.1.4. Manual audit process

  • Get the code, determine the version, and attempt a preliminary analysis
    • Find historical vulnerability information
    • Find example deployments of the system
    • Determine whether the dependent libraries have vulnerabilities
  • Preliminary analysis with audit tools
  • Understand how the program runs
    • File loading method
      • Class library dependencies
      • Whether a WAF is loaded
    • Database connection method
      • mysql/mysqli/pdo
      • Whether prepared statements are enabled
    • View rendering
      • XSS
      • Template injection
    • SESSION handling mechanism
      • file
      • database
      • memory
    • Cache handling mechanism
      • A file cache may allow a shell to be written
      • A database cache may be injectable
      • memcache
  • Account system
    • Authentication method
    • Pages that can be accessed Pre-Auth
    • Ordinary user account
      • Whether ordinary user permissions can be obtained
    • Default password of the administrator account
    • Account system
      • Encryption
      • Password cracking
      • Reset vulnerability
      • Password modification vulnerability
        • Modifying another account's password
  • Find Sinks according to vulnerability type
    • SQLi
      • Can global filtering be bypassed
      • Is there anywhere SQL is executed directly
      • SQL driver in use: mysql/mysqli/pdo
        • If PDO is used, search for parts that execute queries directly
    • XSS
      • Global bypass
      • View rendering
    • FILE
      • Find upload function points
      • Upload, download, overwrite, delete
      • File inclusion
        • LFI
        • RFI
        • Search globally for include, require
    • RCE
    • XXE
    • CSRF
    • SSRF
    • Deserialization
    • Variable overwrite
    • LDAP
    • XPath
    • Cookie forgery
  • Filtering
    • Find the WAF filtering method and determine whether it can be bypassed
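Several items in the checklist above are questions a script can answer before any manual reading starts: which database driver is in use, whether prepared statements appear, whether PDO is also used to execute queries directly, where include / require take a variable argument, and where superglobals are read. The block below is an added example written for this page (not a tool from the original) that walks a PHP tree and produces that inventory as file:line hits. The file tree it scans is constructed inline in a temporary directory, and the regular expressions are deliberately simple line matchers, the same kind of dangerous function matching the page describes, so they locate candidates for review rather than confirm vulnerabilities.

```python
import os
import re
import tempfile

# Constructed mini code base (not a real project) written to a temp directory.
SAMPLE_FILES = {
    "config.php": (
        "<?php\n"
        "$pdo = new PDO('mysql:host=localhost;dbname=app', $u, $p);\n"
    ),
    "lib/db.php": (
        "<?php\n"
        "function find_user($pdo, $id) {\n"
        "  $st = $pdo->prepare('SELECT * FROM users WHERE id = ?');\n"
        "  return $st->execute([$id]);\n"
        "}\n"
    ),
    "admin/report.php": (
        "<?php\n"
        "include $_GET['tpl'];\n"
        "$rows = $pdo->query(\"SELECT * FROM logs WHERE day = '\" . $_GET['day'] . \"'\");\n"
    ),
    "index.php": (
        "<?php\n"
        "require 'config.php';\n"
        "require_once 'lib/db.php';\n"
        "echo find_user($pdo, intval($_GET['id']));\n"
    ),
}

# Checklist question -> line pattern that locates candidates for it.
CHECKS = {
    "db_driver": re.compile(r"\b(new PDO|mysqli_connect|mysql_connect)\b"),
    "prepared": re.compile(r"->prepare\("),
    "pdo_direct": re.compile(r"->(query|exec)\("),           # PDO used to run SQL directly
    "dynamic_include": re.compile(r"\b(include|require)(_once)?\s*\(?\s*\$"),
    "superglobal": re.compile(r"\$_(GET|POST|REQUEST|COOKIE|FILES|SERVER)\b"),
}


def inventory(root):
    """Walk a PHP tree and return, per checklist question, the file:line hits."""
    result = {name: [] for name in CHECKS}
    for dirpath, _, files in os.walk(root):
        for fname in sorted(files):
            if not fname.endswith(".php"):
                continue
            path = os.path.join(dirpath, fname)
            rel = os.path.relpath(path, root)
            with open(path, encoding="utf-8") as fh:
                for n, line in enumerate(fh, 1):
                    for name, rx in CHECKS.items():
                        if rx.search(line):
                            result[name].append(f"{rel}:{n}")
    for hits in result.values():
        hits.sort()                       # os.walk order is not stable across systems
    return result


def write_sample(root):
    """Materialise the constructed tree under root."""
    for rel, body in SAMPLE_FILES.items():
        path = os.path.join(root, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "w", encoding="utf-8") as fh:
            fh.write(body)


def run_inventory():
    """Create the sample tree in a temporary directory and inventory it."""
    with tempfile.TemporaryDirectory() as root:
        write_sample(root)
        return inventory(root)


if __name__ == "__main__":
    for question, hits in run_inventory().items():
        print(f"{question:16s} {hits}")
```

The output answers the checklist directly: PDO is the driver, prepared statements exist in lib/db.php, but admin/report.php both executes SQL through $pdo->query with a superglobal in the string and includes a file named by $_GET, so that file is where manual review should begin. index.php reads $_GET too, but through intval into a prepared query, which is the kind of hit the inventory lists and the reviewer then dismisses.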

11.1.5. Reference links

  • rips
  • prvd
  • PHP runtime vulnerability detection
  • Backes M , Rieck K , Skoruppa M , et al. Efficient and Flexible Discovery of PHP Application Vulnerabilities[C]// IEEE European Symposium on Security & Privacy. IEEE, 2017.
  • Dahse J. RIPS-A static source code analyser for vulnerabilities in PHP scripts[J]. Retrieved: February, 2010, 28: 2012.

Origin blog.csdn.net/weixin_43510203/article/details/107791187