Source Code Analysis with SAST

Source Code Analysis with
SAST

SCAs: How do they work?
Open source example

By methodology employed
• Style-checking
• Semantic Analysis
• Deep flow analysis

Methodology: Semantic Analysis
• Semantic Analysis
– looks for violations that represent a statically
detectable fault
– discovers basic structure and relation of each
function within the application
– Build abstract syntax tree to run simulations of
each function to calculate how the application will
execute after a build
– this additional information is then validated
against a set of rules

Methodology: Deep-flow Analysis
• Deep flow analysis
– extends semantic analysis to include control flow
graph generation and data flow analysis.
– can capture faults related to race conditions and
deadlocks, pointer misuses.
– employs meta compilation and abstract
interpretation to further improve analysis
capabilities

SCA Techniques
• Simplest tools
– search source code for text pattern matches
– calculate basic program metrics
(Cyclomatic complexity, Halstead complexity)
• Advanced tools
– act as advanced compiler for source code
– deeply analyze execution, data flow for faults
– include link information to determine higher-level
problems

Traditional checks
void temp( char *pszIn )
{
char szBuff[10];
strcpy(szBuff, pszIn);
. . .
}

Analyzing Source File
• It is possible to analyze source itself
• Source is in clear text
• Source is having methods, variables and calls
• One functionality or parameter may be
touching many files
• Code is on back burner or embedded
• Presentation is simple but code is complex at
the back

Simple presentation ASP.NET
<%@ Page Language="C#" AutoEventWireup="true" CodeFile="Cmdexec.aspx.cs" Inherits="Cmdexec" %>
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"
"http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" >
<head runat="server">
<title>Untitled Page</title>
</head>
<body style="font-size: 12pt">
<form id="form1" runat="server">
<div>
Enter the filename to view your contract:
<asp:TextBox ID="TextBox1" runat="server"></asp:TextBox>
<asp:Button ID="Button1" runat="server" OnClick="Button1_Click1" Text="Submit" /><br />
<br />
<asp:Label ID="Label1" runat="server" Height="355px" Text="Label" Width="544px"></asp:Label></div>
</form>
</body>
</html>

Code behind calls
using System;
…
…
using System.IO;
public partial class Cmdexec : System.Web.UI.Page
{
protected void Page_Load(object sender, EventArgs e)
{
Label1.Visible = false;
}
protected void Calendar1_SelectionChanged(object sender, EventArgs e)
{
}
protected void Button1_Click1(object sender, EventArgs e)
{
Label1.Visible = true;
Label1.Text = "";
System.Diagnostics.ProcessStartInfo psi = new System.Diagnostics.ProcessStartInfo();
psi.FileName = @"C:WINDOWSsystem32cmd.exe";
psi.Arguments = @"/c type c:contracts" + TextBox1.Text + @" > c:contractscontract.txt";
psi.WindowStyle = System.Diagnostics.ProcessWindowStyle.Hidden;
System.Diagnostics.Process.Start(psi);
System.Threading.Thread.Sleep(3000);
TextReader textRead = new StreamReader("c:contractscontract.txt");
Label1.Text = textRead.ReadToEnd();
textRead.Close();
}
}

Running on Object Code
D:cmddeploy>dir /S
Volume in drive D has no label.
Volume Serial Number is 0859-A6D9
Directory of D:cmddeploy
12/09/2008 01:58 PM <DIR> .
12/09/2008 01:58 PM <DIR> ..
12/09/2008 01:58 PM <DIR> bin
12/09/2008 01:58 PM 86 Cmdexec.aspx
12/09/2008 01:58 PM 50 PrecompiledApp.config
2 File(s) 136 bytes
Directory of D:cmddeploybin
12/09/2008 01:58 PM <DIR> .
12/09/2008 01:58 PM <DIR> ..
12/09/2008 01:58 PM 7,680 App_Web_t_pyp492.dll
12/09/2008 01:58 PM 341 cmdexec.aspx.cdcab7d2.compiled
2 File(s) 8,021 bytes
Total Files Listed:
4 File(s) 8,157 bytes
5 Dir(s) 282,451,968 bytes free

Running on reverse engineering
D:cmddeploybin>ildasm /TEXT App_Web_t_pyp492.dll | grep System.Diagnostics.Pro
cess
.locals init (class [System]System.Diagnostics.ProcessStartInfo V_0,
IL_001c: newobj instance void [System]System.Diagnostics.ProcessStartIn
fo::.ctor()
IL_0028: callvirt instance void [System]System.Diagnostics.ProcessStartIn
fo::set_FileName(string)
IL_0048: callvirt instance void [System]System.Diagnostics.ProcessStartIn
fo::set_Arguments(string)
IL_004f: callvirt instance void [System]System.Diagnostics.ProcessStartIn
fo::set_WindowStyle(valuetype [System]System.Diagnostics.ProcessWindowStyle)
IL_0055: call class [System]System.Diagnostics.Process [System]System
.Diagnostics.Process::Start(class [System]System.Diagnostics.ProcessStartInfo)

Attack Surface
• Source Code is having probable attack surface
• Attack surface is defined by entry points
• Entry points are exploited by attackers
• Attacker passes payload from these points
and try to exploit the system
• Attack surface determination and entry point
identification are very critical

GET/POST
GET /login.aspx?username=shah HTTP/1.1
Host: example.com
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.2; en-US; rv:1.9.0.1) Gecko/2008070208
Firefox/3.0.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip,deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 300
Connection: keep-alive
POST http://example.com/cgi-bin/search.cgi HTTP/1.1
Host: example.com
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.0; rv:1.7.3) Gecko/20040913 Firefox/0.10
Accept: text/xml, application/xml, application/xhtml+xml, text/html;q=0.9, text/plain;q=0.8, image/png,
*/*;q=0.5
Keep-Alive: 300
Referer: http://example.com/
Content-Type: application/x-www-form-urlencoded
Content-Length: 17
search=searchtext

XML-RPC
POST /trade-rpc/getquote.rem HTTP/1.0
TE: deflate,gzip;q=0.3
Connection: TE, close
Host: xmlrpc.example.com
Content-Type: text/xml
Content-Length: 161
<?xml version="1.0"?>
<methodCall>
<methodName>stocks.getquote</methodName>
<params>
<param><value><string>MSFT</string></value></param>
</params>
</methodCall>

SOAP
<?xml version="1.0" encoding="utf-8"?>
<soap:Envelope xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xmlns:xsd="http://www.w3.org/2001/XMLSchema">
<soap:Body>
<getQuotes xmlns="http://tempuri.org/">
<compid>MSFT</compid>
</getQuotes>
</soap:Body>
</soap:Envelope>

REST
<?xml version="1.0"?>
<p:Laptops xmlns:p="http://laptops.example.com"
xmlns:xl="http://www.w3.org/1999/xlink">
<Laptop id="0123" xl:href="http://www.parts-depot.com/laptops/0123"/>
< Laptop id="0348" xl:href="http://www.parts-depot.com laptops /0348"/>
< Laptop id="0321" xl:href="http://www.parts-depot.com/ laptops /0321"/>
…
…
</p:Laptops>

JSON
message = {
from : "john@example.com",
to : "jerry@example.com",
subject : "I am fine",
body : "Long message here",
showsubject : function(){document.write(this.subject)}
};

File calls
<form name="Form1" method="post"
action="ContractUpload.aspx" id="Form1"
enctype="multipart/form-data">
It is taking input as file as below,
<input name="uplTheFile" type="file"
id="uplTheFile" />

Entry Points – Client Side
• HTTP response – All headers as well as HTML
content
• JavaScripts coming from server
• Ajax/RIA calls consuming different structures which
we have discussed like JSON, XML, JS-Object etc.
• Callbacks – Modern days applications are using
callback mechanism so data coming from browser
can be injected into DOM using script functions.
• Browser making API calls across domains

HTTP processing
Request
IIS
aspnet_isapi.dll
HttpApplication
HttpHandler
HttpModule
HttpModule
HttpModule
Response
Web Application Resource
Web Application Client

HTTP to Source
http://192.168.1.50/Searchresult.aspx?ReferenceId=microsoft
GET /Searchresult.aspx?ReferenceId=microsoft HTTP/1.1
Host: 192.168.1.50
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.2; en-US; rv:1.9.0.1) Gecko/2008070208
Firefox/3.0.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip,deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 300
Connection: keep-alive
Cache-Control: max-age=0
protected void Page_Load(object sender, EventArgs e)
{
if (!Page.IsPostBack)
{
bindresult(Request.QueryString["ReferenceId"].ToString());
}
}

Interesting…
• Request.Cookie – To access cookie values
• Request.Form – Form parameters
• Request.File – File parameter
• Request.ServerVariables – Access to server
variables

In compiled code
IL_0007: callvirt instance class
[System]System.Collections.Specialized.Name
ValueCollection
[System.Web]System.Web.HttpRequest::get_
QueryString()
IL_000c: ldstr "id"

Simple scan…
import sys
import os
import re
def scan4request(file):
infile = open(file,

Rules…
# Rules file for AppCodeScan
# This file is specific for ASP/ASP.NET applications (Just a sample
rules) - all regex patterns
#Scanning for Request Object Entry Points
.*.Request.*
#Scanning for ASP.NET app entry points
.*.<asp:FileUpload.*?>
.*.<asp:TextBox.*?>
.*.<asp:HiddenField.*?>
.*.<asp:Login.*?>
.*.<asp:PasswordRecovery.*?>
.*.<asp:ChangePassword.*?>

Java
• <% if ( request.getParameter("username") != null )
{%>
• HttpServletRequest
• doGet
• doPost
• Request
• Struts
– public class NameAction extends Action {

PHP/Coldfusion
• PHP
– $_GET[“var”]
– $_POST[“var”]
– $_REQUEST[“var”]
• Coldfusion
– #URL.name# - Getting from querystring “name”
– Similarly we can identify entry points for other aspects like
POST or such by following list of key words
– FORM/form
– SERVER/server
– CLIENT/client
– SESSION/session

Web 2.0
• Web Services and SOA entry points

Making POST
POST /ws/dvds4less.asmx HTTP/1.0
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; MS Web Services Client Protocol 2.0.50727.1433)
Content-Type: text/xml; charset=utf-8
SOAPAction: "http://tempuri.org/getProductInfo"
Host: 192.168.1.50
Content-Length: 317
Expect: 100-continue
Connection: Keep-Alive
<?xml version="1.0" encoding="utf-8"?><soap:Envelope
xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xmlns:xsd="http://www.w3.org/2001/XMLSchema"><soap:Body><getProductInfo
xmlns="http://tempuri.org/"><id>1</id></getProductInfo></soap:Body></soap:Envelope>

Code for Web Services
<%@ WebService Language="c#" Class="dvds4less" %>
<%@ Assembly name="Microsoft.Data.SqlXml" %>
using Microsoft.Data.SqlXml;
using System.Xml;
using System;
using System.Web.Services;
using System.Data.SqlClient;
using System.IO;
public class dvds4less
{
[WebMethod]
public string Intro()
{
return "DVDs4LESS - Information APIs for web application usage and other business usage";
}
[WebMethod]
public string getProductInfo(string id)
{
…. Code for this function
}

JSON-RPC
<%@ WebHandler Class="JayrockWeb.DemoService" Language="C#" %>
namespace JayrockWeb
{
using System;
using System.Configuration;
using System.Data;
using System.Data.SqlClient;
using System.Collections;
using System.Collections.Specialized;
using System.Web;
using System.Web.SessionState;
using System.Web.UI;
using System.Web.UI.WebControls;
using System.Drawing;
using Jayrock.Json;
using Jayrock.JsonRpc;
using Jayrock.JsonRpc.Web;
[ JsonRpcHelp("This is a JSON-RPC service that demonstrates the basic features of the Jayrock library.") ]
public class DemoService : JsonRpcHandler, IRequiresSessionState
{
[JsonRpcMethod("getProduct", Idempotent = true)]
[ JsonRpcHelp("Returns Product Info") ]
public DataSet GetProductSet(string id)
{
…. Code goes here…
}

Java based
import org.apache.axis.AxisFault;
import org.apache.axis.MessageContext;
import org.apache.axis.transport.http.HTTPConstants;
public class echo {
public String echowebservices(String echo) {
return echo;
}
}

PHP
<?php
require_once('nusoap/nusoap.php');
// ------ Implemention of method
// ---- getLang(langTo)
------------------------------------------------------
function getLang($langTo) {
$trText = array(

Entry Points…
• Entry points are source to the application
• Each source hits at some sink or end point in
the source code
• It traverses across the source code
• Entry point can be traced to its sink
• This tracing is very important aspect for code
analytics

Tainted variables
• If variable or entry point is injected with
payload then it can have significant impact
• Impact analysis needs to be done
• Impact is dependent on the hit points across
application
• Interesting for vulnerability scanning
perspective

End points / Sinks
• Language Calls – Application language say for example C# or
Java provides various classes and interfaces to access
resources from the system.
• These resources are outside application boundary.
Application may be passing value to SQL interface or system
level command.
• File system calls (Read/Write)
• Operating system calls
• Network/Socket calls
• SQL interfaces
• LDAP/Authentication interfaces

End points / Sinks
• Third party/Vendor interfaces – Application is using
some third party components and these are in binary
form.
• Applications to application – In recent time’s
applications are doing lot of intercommunication
across cross domains. In this case sink or end point
can be another application.
• Middleware call – Applications like banking or
trading uses middle ware extensively and several end
points are terminating into these middle ware calls.

End points / Sinks
• Response call back – In some cases entry point or
information coming through it is going back to the
client as response.
• Audit and Logs – In some cases application
information is going to logs or audit resources.
• Exception/Error message – This end point is special
and lot of application are taking value of entry point
and putting into exception or error message block.

End points / Sinks
• Business logic – Certain entry points are not
going out side application boundary but
staying in business logic space and get
processed inside application.
• Reflection level calls – Applications are
running in virtual machines and there are
certain reflection APIs which are responsible
for virtual machine processing.
Sink Scans

Types - Impact
• Three important aspects of entry points and process
towards end point,
– Data point – entry points are bringing simple new data to
the application and based on that it is going to database or
file system.
– Logic point – It has information which get consumed in the
business logic and it makes business decisions
– Event points – Certain information coming from user can
trigger an event inside the application. These are event
points, like calling LDAP server or such.

State Analysis
• Expected/Desired state – This is expected state by developer
and application’s behavior is absolutely legitimate.
• Unexpected legitimate state – In this state application goes to
unexpected state but it is legitimate and no objection with it.
• Exception/Error state – In this application ends with error or
exception and state may end up doing information leakage.
• Vulnerable state – In this state application goes into
vulnerable position where successful exploitation is possible.
Vulnerable state is our major concern.
Impact = Entry Point + End Point + State

Simple tracing…
import sys
import os
import re
def scan4trace(file,var):
infile = open(file,

Running…
D:sca-rb>trace.py d:cmdCmdexec.aspx.cs TextBox1
Tracing variable:TextBox1
[ 33 ] psi.Arguments = @"/c type c:contracts" + TextBox1.Text + @" >
c:contractscontract.txt";
D:sca-rb>trace.py d:cmdCmdexec.aspx.cs psi
Tracing variable:psi
[ 31 ] System.Diagnostics.ProcessStartInfo psi = new System.Diagnostics.
ProcessStartInfo();
[ 32 ] psi.FileName = @"C:WINDOWSsystem32cmd.exe";
[ 33 ] psi.Arguments = @"/c type c:contracts" + TextBox1.Text + @" >
c:contractscontract.txt";
[ 34 ] psi.WindowStyle = System.Diagnostics.ProcessWindowStyle.Hidden;
[ 35 ] System.Diagnostics.Process.Start(psi);

Security Domains/Controls
• Authentication
• Authorization
• Error Handling
• Input Validations
• Data Validation
• Crypto and Secret Handling
• Business Logic Handling
• Session and Identity Handling
• Client Side Controls
• Auditing and Logging

Authentication
• Authentication disclosing sensitive information
• Not having auditing on the authentication
• No user lockdown policy in place
• Authentication bypass (SQL / LDAP interface)
• Password strength is poor
• No deployment of CAPTCHA or similar identification product
• Credential are not securely transmitted
• Credential are stored on client side which can be retrieved
• Authentication token or cookies are not well crafted
• Single Sign On (SSO) can be abused
• Deliberated backdoors are created
• Hidden fields and information exposure

Authorization
• Session tokens are insecure
• Weak authorization mechanism
• Client side tampering and manipulation possible
• Possible data and SQL injections
• Access to system level bypass
• Single place authorization bypass
• URL forcing and manipulation
• Guessable resources and access
• Role-based bypass exploitation and weakness

Error Handling
• Information leakage
• Logic bypass
• Internal logic and routine disclosure
• Stack trace enumeration

Input Validations
• Various injection vectors (SQL, LDAP, XPATH etc.)
• Cross Site Scripting (XSS)
• Cross Site Request Forgery (CSRF)
• Buffer overflows
• Denial of Services (DoS)
• Integer and logical boundary overrun
• Canonicalization issues
• Validation bypass (Client side)
• Serialization attacks
• Information leakage

Data Validations
• Proxy injections from third party stream
• XSS injection with RSS feeds
• Client side logic bypass
• Upload/download stream injections
• Remote command/code injection and
execution
• Callback manipulation in JavaScript

Crypto & Secrets
• Poor key generation
• Database fields are not well encrypted (password,
social security number etc.)
• Poor encryption (customized)
• Checksum spoofing
• Some secrets in source code itself
• Configuration file containing secrets
• Secret getting revealed in error message or some
other means

Business Logic
• Data type bypass
• ACLs manipulation
• Read/Write access
• Privilege escalation on application layer
• API abuse
• Cross Domain Call and API manipulation
• Client Side Logic reverse engineering

Session and Identity
• Session hijacking by eavesdropping
• Man in the middle attack
• Poor session identifier generation
• Browser hacks like XSS to gain cookies
• Predictable session identifier
• Session bypass and access
• Cookie scope and time abuse
• Abusing URL rewriting
• Local session storing access

Client Side Controls
• Client side validation bypass
• Reverse engineering of client side components
• Decompilation and knowledge gathering
• Cross Site Injections
• Abusing streams like JSON or RSS
• Local memory access and manipulation
• Desktop based offline module exploitation
• Browser exploits and hacking
• Information and identity theft
• Cross Site Request Forgery
• Exploiting callbacks and JavaScripts

Auditing and Logging
• Hacker’s attacks go without notice
• Successful hacks in the application
• No tracing of events
• Application layer bruteforcing
• Error message abuse

Source Code Analysis with SAST

Recommended

More Related Content

What's hot (20)

Viewers also liked (20)

Similar to Source Code Analysis with SAST (20)

More from Blueinfy Solutions (20)