Tool Recommendation: Three Automated Code Auditing Tools


ist33 2016-04-12

0×01   Introduction

If a worker wants to do a good job, he must first sharpen his tools.

In static security auditing of source code, using automated tools in place of purely manual vulnerability hunting greatly improves efficiency, so learning to use automated code audit tools is a must for every code auditor. While learning PHP source code auditing I collected and tried a variety of automated tools. This article briefly introduces three of the more practical ones: RIPS, VCG and Fortify SCA.

RIPS is an open-source automated code audit tool with strong vulnerability-finding capabilities. It is written in PHP and statically audits PHP code for security issues.

VCG (VisualCodeGrepper) is a free code security audit tool supporting C/C++, C#, VB, PHP, Java and PL/SQL. It is a dictionary-based tool with a concise feature set that is easy to use.

Fortify SCA (Static Code Analyzer) is a commercial source code audit tool developed by Fortify Software (later acquired by HP). It uses its own data-flow analysis technology to find vulnerabilities across layers and languages, and supports most mainstream development languages.

This article combines the analysis of an application example to introduce the usage and characteristics of the three tools.

0×02  RIPS

The main features of RIPS are as follows:

1) Detects XSS, SQL injection, file disclosure, local/remote file inclusion, remote command execution and many other vulnerability types.

2) Five verbosity levels for displaying scan results and for debugging.

3) Marks the vulnerable lines of code.

4) Highlights the affected variables.

5) Hovering the cursor over a user-defined function shows its definition.

6) Flexible jumping between function definitions and their calls.

7) Lists in detail all user-defined functions (definitions and calls), all program entry points (user input) and all scanned files (including included files).

8) Visual diagrams of source files, included files, functions and their calls.

9) Builds a curl-based exploit (EXP) for a detected vulnerability with a few mouse clicks.

10) Lists each vulnerability's description, examples, PoC, patches and relevant security functions in detail.

11) Seven different syntax-highlighting modes.

12) Traces scan results top-down or bottom-up.

13) Only a local web server with PHP support and a browser are needed.

14) Regular-expression search.

The latest version of RIPS is 0.55, the download link is as follows:

https://sourceforge.net/projects/rips-scanner/

Unzip the downloaded archive into the web server's document root and open the corresponding directory in the browser; the RIPS user interface loads.

At the top is a menu of all function buttons.

After a scan finishes, 4 new buttons appear in the menu; they show/hide the 4 result windows: scanned files, user input points, scan status information and scanned functions.

Now use a simple example to illustrate the use of RIPS. The download link is as follows:

http://jsdx.down.chinaz.com/201603/webjoker_v2.2.0.zip

This PHP application counts visits to a website; logging into its admin back end shows detailed access information. Unzip the program, enter the directory it was unzipped to in the "path/file" field of RIPS, keep the other options at their defaults and click "scan" to start the scan.

After the scan finishes, the 4 buttons in the window menu show the details of the task.

The main pane shows details of the detected vulnerabilities; the "hide all" button shows or hides the per-file list of findings.

Let's look at one of the findings: an SQL injection in the init.php source.

The unfiltered $procookie parameter is passed directly to the cheakcookie() function. Hovering the cursor over cheakcookie() shows how the function is defined.

cheakcookie() is defined in main.php, and it is clear that the unfiltered parameter is placed directly into a SQL statement and executed.

The vulnerability details show that $procookie is taken from $_COOKIE[count_admin]. From the context in init.php, this parameter is the cookie value used to validate the admin (back-end) login: when count_admin does not match a row in the database, validation fails.

Changing count_admin in the Cookie header of the POST request to ' or 1=1 # (the leading single quote closes the string literal, or 1=1 makes the WHERE clause always true, and # comments out the rest of the query) bypasses the cookie check and gives direct access to the admin back end.
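As an added example (not code from webjoker or the original article), the following Python script models the same check with SQLite so the bypass can be run offline: the cookie value is spliced into the SQL text exactly as the vulnerable cheakcookie() does, and the parameterised form is shown as the fix. The table and column names, the token value and the use of SQLite are assumptions for the demo; because SQLite does not understand MySQL's # comment, the executed payload uses the equivalent -- form, while build_query() shows the exact text the article's ' or 1=1 # produces.

```python
"""Added example, not code from webjoker or the article: models the cookie check
RIPS reported (cookie value -> $procookie -> cheakcookie() -> SQL string -> query)
in Python/SQLite, showing the ' or 1=1 bypass and the parameterised fix.
Table, column and token values are constructed for the demo."""
import sqlite3

ADMIN_TOKEN = "3f9a1c7e"   # constructed stand-in for the real count_admin value


def make_db() -> sqlite3.Connection:
    """In-memory admin table standing in for the application's real schema."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE admin (id INTEGER PRIMARY KEY, count_admin TEXT)")
    conn.execute("INSERT INTO admin VALUES (1, ?)", (ADMIN_TOKEN,))
    return conn


def build_query(cookie_value: str) -> str:
    """String concatenation, as in the vulnerable cheakcookie(): the cookie value
    becomes part of the SQL text the database parses."""
    return "SELECT id FROM admin WHERE count_admin='" + cookie_value + "'"


def vulnerable_check(conn: sqlite3.Connection, cookie_value: str) -> bool:
    """Login passes if any row comes back, which is exactly what ' or 1=1 achieves."""
    return conn.execute(build_query(cookie_value)).fetchone() is not None


def safe_check(conn: sqlite3.Connection, cookie_value: str) -> bool:
    """Parameterised query: the value is bound as data and never parsed as SQL."""
    row = conn.execute("SELECT id FROM admin WHERE count_admin=?",
                       (cookie_value,)).fetchone()
    return row is not None


# The article's payload relies on MySQL's '#' line comment. SQLite only knows
# '-- ', so the payload that is actually executed below uses that form; the
# effect on the WHERE clause is the same.
MYSQL_PAYLOAD = "' or 1=1 #"
SQLITE_PAYLOAD = "' or 1=1 -- "

if __name__ == "__main__":
    db = make_db()
    print("query MySQL would see :", build_query(MYSQL_PAYLOAD))
    print("vulnerable, bad cookie:", vulnerable_check(db, "wrong"))
    print("vulnerable, injected  :", vulnerable_check(db, SQLITE_PAYLOAD))
    print("fixed, injected       :", safe_check(db, SQLITE_PAYLOAD))
    print("fixed, real token     :", safe_check(db, ADMIN_TOKEN))
```

The vulnerable check accepts the injected cookie while rejecting a wrong one; the parameterised check rejects the injection and still accepts the real token. This is the same fix that the data-flow trace in RIPS points at: the taint must be stopped before the string reaches the query function.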


0×03  VCG

VCG is a dictionary-based automated source-code scanner whose dictionaries the user can customise. It quickly locates every potentially risky function and string in the source.

VCG download link:

http://sourceforge.net/projects/visualcodegrepp/

Double-click the downloaded msi file to install it.

Under Settings->Options->ConfigFiles, the scan configuration file for each language can be edited.

Click Settings and choose the target language. Click File->New Target Directory and select the directory holding the source code to scan; here we choose the directory of the example application from above. Click Scan->Full Scan to start the scan.

The scan results include charts with statistics about the scanned files, which are of little practical use. We focus instead on the Results and Summary Table panels.

The Results panel lists every source line that carries a security risk; right-click to sort and filter the results.

The Summary Table panel summarises the content of the Results panel.

VCG finds potentially risky code fragments by matching them against a dictionary. Its scanning principle is simple and, unlike RIPS, it does not dig deeply into application vulnerabilities. VCG is best used as an auxiliary tool for quickly locating risky functions in the source.

0×04  Fortify SCA

Fortify SCA is commercial software and rather expensive, so I could only find an early version to try. Being a commercial product it has detailed documentation that is convenient to consult. It offers plugins for some IDEs, selectable during installation.

Fortify SCA's auditing capability depends on its rule pack files; updated rule packs can be downloaded and placed in the corresponding locations under the installation directory: .bin files go in Core\config\rules and .xml files in Core\config\ExternalMetadata (create the folder if it does not exist).

Open AuditWorkbench and click Start New Project->Advanced Scan to start an audit task. Select the root directory of the application to audit, choose the rule packs under Additional Options, answer the four questions posed by the Audit Guide, and click Run Scan.

The audit results are presented in 5 panels.

Let's look at the same SQL injection issue that RIPS reported. Clicking the issue on the left makes the source panel jump to the offending line.

The Analysis Trace panel shows the data flow in detail: read from COOKIE -> assigned to $procookie -> passed into cheakCookie() -> assigned to $sql -> passed to mysqli_query() and executed.

The meaning of each icon on the left can be looked up in the manual. Clicking a row jumps to the corresponding source line. The Diagram tab of the issue audit panel has a more graphical data-flow diagram that shows intuitively how the vulnerability arises.


The other tabs of the audit panel give detailed vulnerability information; Fortify SCA's results are more detailed than those of open-source tools such as RIPS. Tools->Generate Report can also produce a report of the audit results tailored to the user's needs.

0×05  Summary

VCG differs from the other two tools: it is a concise, dictionary-based tool for scanning for and locating risky functions. RIPS and Fortify SCA are powerful tools for deep static analysis of source-code vulnerabilities; each uses its own technique to trace the application's execution flow and dig for vulnerabilities. RIPS is easy to deploy and use and suits automated analysis of simple applications; Fortify SCA is more powerful and can handle automated analysis of more complex applications. In real audit work the two can be combined so that each compensates for the other's weaknesses.
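The difference between dictionary matching and data-flow tracing is easiest to see in code. The following Python script is an added illustration, not code from VCG, RIPS or Fortify SCA: it runs both strategies over a small constructed PHP snippet whose shape follows the article's finding (cookie -> $procookie -> cheakcookie() -> $sql -> mysqli_query()). The second function, the constant-query call and every other name in the snippet are invented for the demo, and the parser only understands the one-statement-per-line PHP used here.

```python
"""Added illustration, not code from RIPS, VCG or Fortify SCA: a toy scanner that
runs the two strategies the article contrasts over one constructed PHP snippet.
dictionary_scan() is the VCG-style approach (match risky function names);
taint_scan() is the RIPS/Fortify-style approach (follow user input through
assignments and a user-defined function call until it reaches a sink).
The PHP below is constructed for the demo; only the cheakcookie() name and the
cookie -> $procookie -> $sql -> mysqli_query() shape come from the article."""
import re

PHP_SAMPLE = """\
<?php
$procookie = $_COOKIE['count_admin'];
$page = $_GET['page'];
cheakcookie($procookie);
show_page($page);
mysqli_query($conn, "SELECT * FROM visits LIMIT 10");
function cheakcookie($cookie) {
    $sql = "SELECT * FROM admin WHERE count_admin='" . $cookie . "'";
    $res = mysqli_query($conn, $sql);
}
function show_page($id) {
    $stmt = mysqli_prepare($conn, "SELECT title FROM pages WHERE id=?");
    mysqli_stmt_bind_param($stmt, "i", $id);
    mysqli_stmt_execute($stmt);
}
"""

# Dictionary of "interesting" names, the way a VCG config file lists them.
RISKY_NAMES = ("mysqli_query", "eval", "system", "exec", "include")
# Sinks and the vulnerability class implied when tainted data reaches them.
SINKS = {"mysqli_query": "SQL injection", "system": "command execution",
         "exec": "command execution", "eval": "code execution"}

SOURCE_RE = re.compile(r"\$_(?:COOKIE|GET|POST|REQUEST)\[[^\]]*\]")
FUNC_RE = re.compile(r"^\s*function\s+(\w+)\s*\(([^)]*)\)")
ASSIGN_RE = re.compile(r"^\s*(\$\w+)\s*=(?!=)\s*(.+?);\s*$")
CALL_RE = re.compile(r"(\w+)\s*\(([^()]*)\)")   # toy: no nested calls
VAR_RE = re.compile(r"\$\w+")


def dictionary_scan(code):
    """VCG-style: every line calling a dictionary name is a hit, whether or not
    any user input is involved. Returns [(line_no, name), ...]."""
    hits = []
    for n, line in enumerate(code.splitlines(), 1):
        for name in RISKY_NAMES:
            if re.search(r"\b" + name + r"\s*\(", line):
                hits.append((n, name))
    return hits


def split_functions(code):
    """Separate top-level statements from user-defined function bodies.
    Toy convention: a body ends at a line containing only '}'."""
    top, funcs, cur = [], {}, None
    for n, line in enumerate(code.splitlines(), 1):
        m = FUNC_RE.match(line)
        if m:
            params = [p.strip() for p in m.group(2).split(",") if p.strip()]
            cur = (m.group(1), params, [])
        elif cur and line.strip() == "}":
            funcs[cur[0]] = (cur[1], cur[2])
            cur = None
        else:
            (cur[2] if cur else top).append((n, line))
    return top, funcs


def taint_scan(code):
    """RIPS/Fortify-style: returns [(vuln_class, sink_line, trace), ...] where
    trace is the chain of steps from the input source to the sink."""
    top, funcs = split_functions(code)
    findings = []

    def walk(lines, tainted, depth):
        for n, line in lines:
            # 1. calls on this line: a sink with a tainted argument is a finding;
            #    a user function is entered with taint mapped onto its parameters
            for fname, argtext in CALL_RE.findall(line):
                args = [a.strip() for a in argtext.split(",")]
                if fname in SINKS:
                    for a in args:
                        if a in tainted:
                            findings.append((SINKS[fname], n,
                                             tainted[a] + [f"{fname}() (line {n})"]))
                elif fname in funcs and depth < 8:   # depth guard for recursion
                    params, body = funcs[fname]
                    env = {p: tainted[a] + [f"{fname}({p}) (line {n})"]
                           for p, a in zip(params, args) if a in tainted}
                    if env:
                        walk(body, env, depth + 1)
            # 2. assignments propagate taint from a source or a tainted variable
            m = ASSIGN_RE.match(line)
            if not m:
                continue
            var, rhs = m.groups()
            src = SOURCE_RE.search(rhs)
            if src:
                tainted[var] = [f"{src.group(0)} (line {n})", f"{var} (line {n})"]
            else:
                for v in VAR_RE.findall(rhs):
                    if v in tainted and v != var:
                        tainted[var] = tainted[v] + [f"{var} (line {n})"]
                        break

    walk(top, {}, 0)
    return findings


if __name__ == "__main__":
    print("dictionary hits:", dictionary_scan(PHP_SAMPLE))
    for vuln, line_no, trace in taint_scan(PHP_SAMPLE):
        print(f"{vuln} at line {line_no}: " + " -> ".join(trace))
```

Run it and the dictionary scan reports both mysqli_query() calls, including the one with a constant query string that no attacker can influence (the kind of false positive an auditor has to weed out), while the taint scan reports only the call that user input actually reaches and prints a trace of the same form as the Analysis Trace panel in Fortify SCA. Real tools additionally model escaping and sanitising functions, nested calls, string operations and many more sinks; the point here is only the difference in principle between the two strategies.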

Automated static code auditing tools save labour and are an important means of improving audit efficiency. Note, however, that they are not fully intelligent: like all vulnerability scanners they produce false positives, so every vulnerability in a report must be confirmed by the auditor before it is treated as real. They also have a major limitation: they can only find common classes of web application vulnerability and are powerless against the business-logic flaws of the Web 2.0 era. For experienced code auditors, therefore, the tools play only a supporting role; they dig deeper on top of the tool output using their own experience.

* This article was contributed by istr33; when reprinting, please credit FreeBuf Hackers and Geeks (FreeBuf.COM).
