Location via proxy:   [ UP ]  
[Report a bug]   [Manage cookies]                
SlideShare a Scribd company logo

My tryst with sourcecode review

Anant Shrivastava
Anant Shrivastava

- The author discusses their journey doing source code reviews to find bugs in WordPress plugins and themes. They started with just two people manually reviewing code but then automated the process and expanded their team. - Through their Phase 1 efforts analyzing over 250 plugins, they found over 250 issues. They are now focusing on authenticated vulnerabilities in Phase 2 like SQL injection, XSS, and CSRF. - They have created some open source tools to help with the process and are seeking volunteers to help make open source software more secure by joining their Codevigilant platform.

1 of 51
Download to read offline
My tryst with Source Code Review Anant Shrivastava Information Security Consultant
$whoami $ Name : Anant Shrivastava $ Work : Information Security Consultant $ Work on : Web, Mobile, Linux $ Project Leader : * Android Tamer * Codevigilant $ Past life : * System and server Administrator * Developer (wp-filemanager >1L downloads)
Agenda • My journey so far in world of bug finding via code review. • And Yes I bluffed its not just about code review its also about associated automation and simple yet relevant techniques we used to identify all of that. • Simplest form : idea is to showcase what and how I have done stuff and how others can also do it.
What not to expect • Tools Release • Highly Sophisticated Code • Artificial Intelligence • Discussion about SAST (Static Application Security Testing)
Disclaimer • No commercials Source code review tools were harmed during the exercise.
Lets Read With enough eyes all bugs are shallow - Linus Torvalds Let me re-write it With enough expert eyes all bugs are shallow
WHY • Remember Last slide. Become “Expert Eye” • Wanted to Learn and Experiment new stuff. 1yr back (2013) : Security Researcher mainly Blackbox penetration tester and tool’s author.
Why not Bug Bounties • Invested time on Latest fad : Bugbounties • Realized : mostly its about alert(‘XSS’) and X-FRAME-OPTIONS or httpOnly for most of them. • Very few actually do something good. • Surface area is pretty small and its blackbox most of the time. • Personal opinion and people may have different opinion and its perfectly fine.
Bug Bounty efforts
What Next • Lets try Code review • But I don’t know code review • So lets learn code review • And off it goes into the ice box called pending things to learn.
Parallel efforts • I am not the only person thinking this, met another fellow researcher “Prajal Kulkarni” who was also planning on something similar and was looking for collaboration • We touched bases during #nullblr meet and off we-started with the project.
My tryst with sourcecode review
What is codevigilant • A community collaboration effort to make opensource software’s secure. • Finding bugs and responsibly disclosing them to respective author and preferable getting software updated. • Responsible disclosure on website after sufficient interval
Target A EcoSystem • We Picked WordPress Ecosystem which meant – WordPress Plugins (current focus) – WordPress Themes (current Focus) – WordPress Core (future check) • Pick an ecosystem which you think is near and dear to you and the language which you can easily understand.
Lets Roll • This is where things started to act funny. • We started with – Lets download top 10 and analyze one by one. – Ended up getting frustrated in couple of days – Mind you we were just two pentesters fiddling around with source code. Whitebox was not exactly our forte.
Lets Re-Roll • Lets automate and improvise – Download all plugins and Themes – Focus on vulnerability type and not on individual plugin • Seems like a good plan : so lets roll
Lets count
Automate Please • Quick WordPress information extractor and downloader. • Simple python script with grep / cut friendly output.
My tryst with sourcecode review
Lazy Me • Lets start with some easy stuff • How about looking at direct / unauthorized Access
Any tool available • Inspathx works just fine but I never got it to work for me. • So wrote a simple python script.
Tool release • Well I Lied let me release some tools for you • Error_finder release https://github.com/Codevigilant/error_finder
Output • Massive amount of Full Path Disclosure • Few direct access issues
Full Path Disclosure • WordPress stand of FPD is clear so no point reporting it.
WordPress Ecosystem • Lets step back and understand ecosystem a bit more – WordPress is a CMS – Various User Roles • Super Administrator • Administrator • Editor • Author • Contributor • Subscriber
WordPress ecosystem • Various plugin bind to various roles • Issues without authentication are prime concern. • Issues affecting subscriber and contributor hot 2nd. • Editor and Admins have unescaped HTML access
What Next • With this understanding in place we wanted to focus on unauthenticated issues first. • Lets start with A3-Cross Site Scripting
XSS • We thought its as simple as getting a <script>alert(‘XSS’)</script> back • Alas that should have been the case. • How to find it via Source code review. – Echo $_GET[‘input’]; • Grep “echo $_GET” should work
Did we missed something • How could we not miss obvious stuff • Attempt 2 – Either build a lexical parser tokenize whole source code or play intelligent – Extract all GET/POST/REQUEST parameters and access url with those parameters in place.
A3 XSS cont’ed • We did found massive amount on entries and then realized we have again screwed up. • If Content type is text/html XSS works • But if content type is – Json – Xml – Javascript • XSS failed
Automated more • Wrote another set of scripts which gives proper response types also.
A9 - Known Vulnerable components • We also focused on this issues category and identified multiple issues here also. • Mainly those were concerned with outdated SWF binaries used or old library files used.
By-Product • Error messages extracted via inspathx code yielded to multiple other issues like Directory traversal
End Result • Although this was like a rookie attempts to finding I don’t know what I am finding but we ended up with 250 plus issues in various WordPress plugins • We Decided to call this Phase 1
Phase 1 Statistics
Phase 2 • So What’s next • Authenticated issues – SQL Injection – Stored/Reflected Cross Site scripting in Admin console – CSRF – And more
Phase 2 Hurdles • We realized that authenticated flaws are prioritized based on user access. • We need to map all 30K Plugins with each type of access. – Script in progress to do exactly that.
Team Expansion • Started with me and Prajal we are now 4 people strong team – Anant Shrivastava – Prajal Kulkarni – Chaitu – Madhu Akula
What Next • We are seeking for more volunteers to come forward and help us make opensource softwares a more secure plateform.
What’s in this for audience • Simple list of vulnerable functions in PHP you can look for in your own codebases File Tainted file() fopen() popen() file_get_contents() fread() fscanf() Database tainted mysql_fetch_array() mysql_fetch_assoc() mysql_fetch_field() mysql_fetch_object() mysql_fetch_row() File Inclusion include() require() require_once() include_once() Command Execution exec() shell_ exec() system() proc_open() SQL Injection mysql_query() pg_query() User Controls $GLOBALS $_SERVER $_GET $_POST $_FILES $_COOKIE $_SESSION $_REQUEST $_ENV Cross Site Scripting (XSS) echo() print() printf()
What’s in this for audience • Appeal to use codevigilant plateform • You find flaws – Either join our team and do continuous contribution • You get an author’s page at codevigilant • If you get any bounty for the bug you keep it. – Send details as one off cases of finding • We will do co-ordination with third party • We will try to get it patched or remove it from internet if not patched. • We will publish advisory on website with yours and co-ordinator’s name in advisory.
What’s in this for audience • If you want a open source product tested contact us and we will see what we can do about it. • If you want quick test’s you can think about donating to the project.
Simple Checklist • Look for Obvious flaws in unauthenticated Code – Reflected XSS – SQL Injection – Direct access / information disclosure – Directory Traversal • Understand Application Architecture – Language specific checks – List of language specific vulnerable functions – List of User Roles with impact of confidentiality • Attack Authenticated section – Stored XSS – CSRF – XSPA – SQL Injection – Direct URL access
CodeVigilant • http://www.codevigilant.com • https://github.com/Codevigilant • https://facebook.com/Codevigilant • https://twitter.com/Codevigilant
Questions?
Why not automated scanners • They are either good at black or whitebox. • We wanted to confirm from both sides. • They have a workflow which should be followed.
Open Source automation Tools • Tested rats and couple of other tools only rips worked marginally good. • But rips workflow demanded we enter url in webview everytime and web view keeps getting hanged from time to time.
Commercial scanners • No motivation to use them (we will be processing result not learning from it) • No money to spend on them • We did got one generous offer and tried one product
Commercial scanner • I don’t play name shame game hence no names here. • Commercial product was cloud hosted app where we need to upload code for review. • Software missed simple XSS and SQLi but so did open source tools also.
Why scanners missed • WordPress or Other CMS have there own functions to handle stuff • Example – Mysql query – WordPress query • These scanners don’t know about it and failes to detect it.
Why scanners missed • Or it could have been a simple case of misconfiguration at our end. • But after sharing results with Tool Dev they kind of vanished and didn’t responded back.

More Related Content

My tryst with sourcecode review

  • 1. My tryst with Source Code Review Anant Shrivastava Information Security Consultant
  • 2. $whoami $ Name : Anant Shrivastava $ Work : Information Security Consultant $ Work on : Web, Mobile, Linux $ Project Leader : * Android Tamer * Codevigilant $ Past life : * System and server Administrator * Developer (wp-filemanager >1L downloads)
  • 3. Agenda • My journey so far in world of bug finding via code review. • And Yes I bluffed its not just about code review its also about associated automation and simple yet relevant techniques we used to identify all of that. • Simplest form : idea is to showcase what and how I have done stuff and how others can also do it.
  • 4. What not to expect • Tools Release • Highly Sophisticated Code • Artificial Intelligence • Discussion about SAST (Static Application Security Testing)
  • 5. Disclaimer • No commercials Source code review tools were harmed during the exercise.
  • 6. Lets Read With enough eyes all bugs are shallow - Linus Torvalds Let me re-write it With enough expert eyes all bugs are shallow
  • 7. WHY • Remember Last slide. Become “Expert Eye” • Wanted to Learn and Experiment new stuff. 1yr back (2013) : Security Researcher mainly Blackbox penetration tester and tool’s author.
  • 8. Why not Bug Bounties • Invested time on Latest fad : Bugbounties • Realized : mostly its about alert(‘XSS’) and X-FRAME-OPTIONS or httpOnly for most of them. • Very few actually do something good. • Surface area is pretty small and its blackbox most of the time. • Personal opinion and people may have different opinion and its perfectly fine.
  • 10. What Next • Lets try Code review • But I don’t know code review • So lets learn code review • And off it goes into the ice box called pending things to learn.
  • 11. Parallel efforts • I am not the only person thinking this, met another fellow researcher “Prajal Kulkarni” who was also planning on something similar and was looking for collaboration • We touched bases during #nullblr meet and off we-started with the project.
  • 13. What is codevigilant • A community collaboration effort to make opensource software’s secure. • Finding bugs and responsibly disclosing them to respective author and preferable getting software updated. • Responsible disclosure on website after sufficient interval
  • 14. Target A EcoSystem • We Picked WordPress Ecosystem which meant – WordPress Plugins (current focus) – WordPress Themes (current Focus) – WordPress Core (future check) • Pick an ecosystem which you think is near and dear to you and the language which you can easily understand.
  • 15. Lets Roll • This is where things started to act funny. • We started with – Lets download top 10 and analyze one by one. – Ended up getting frustrated in couple of days – Mind you we were just two pentesters fiddling around with source code. Whitebox was not exactly our forte.
  • 16. Lets Re-Roll • Lets automate and improvise – Download all plugins and Themes – Focus on vulnerability type and not on individual plugin • Seems like a good plan : so lets roll
  • 18. Automate Please • Quick WordPress information extractor and downloader. • Simple python script with grep / cut friendly output.
  • 20. Lazy Me • Lets start with some easy stuff • How about looking at direct / unauthorized Access
  • 21. Any tool available • Inspathx works just fine but I never got it to work for me. • So wrote a simple python script.
  • 22. Tool release • Well I Lied let me release some tools for you • Error_finder release https://github.com/Codevigilant/error_finder
  • 23. Output • Massive amount of Full Path Disclosure • Few direct access issues
  • 24. Full Path Disclosure • WordPress stand of FPD is clear so no point reporting it.
  • 25. WordPress Ecosystem • Lets step back and understand ecosystem a bit more – WordPress is a CMS – Various User Roles • Super Administrator • Administrator • Editor • Author • Contributor • Subscriber
  • 26. WordPress ecosystem • Various plugin bind to various roles • Issues without authentication are prime concern. • Issues affecting subscriber and contributor hot 2nd. • Editor and Admins have unescaped HTML access
  • 27. What Next • With this understanding in place we wanted to focus on unauthenticated issues first. • Lets start with A3-Cross Site Scripting
  • 28. XSS • We thought its as simple as getting a <script>alert(‘XSS’)</script> back • Alas that should have been the case. • How to find it via Source code review. – Echo $_GET[‘input’]; • Grep “echo $_GET” should work
  • 29. Did we missed something • How could we not miss obvious stuff • Attempt 2 – Either build a lexical parser tokenize whole source code or play intelligent – Extract all GET/POST/REQUEST parameters and access url with those parameters in place.
  • 30. A3 XSS cont’ed • We did found massive amount on entries and then realized we have again screwed up. • If Content type is text/html XSS works • But if content type is – Json – Xml – Javascript • XSS failed
  • 31. Automated more • Wrote another set of scripts which gives proper response types also.
  • 32. A9 - Known Vulnerable components • We also focused on this issues category and identified multiple issues here also. • Mainly those were concerned with outdated SWF binaries used or old library files used.
  • 33. By-Product • Error messages extracted via inspathx code yielded to multiple other issues like Directory traversal
  • 34. End Result • Although this was like a rookie attempts to finding I don’t know what I am finding but we ended up with 250 plus issues in various WordPress plugins • We Decided to call this Phase 1
  • 36. Phase 2 • So What’s next • Authenticated issues – SQL Injection – Stored/Reflected Cross Site scripting in Admin console – CSRF – And more
  • 37. Phase 2 Hurdles • We realized that authenticated flaws are prioritized based on user access. • We need to map all 30K Plugins with each type of access. – Script in progress to do exactly that.
  • 38. Team Expansion • Started with me and Prajal we are now 4 people strong team – Anant Shrivastava – Prajal Kulkarni – Chaitu – Madhu Akula
  • 39. What Next • We are seeking for more volunteers to come forward and help us make opensource softwares a more secure plateform.
  • 40. What’s in this for audience • Simple list of vulnerable functions in PHP you can look for in your own codebases File Tainted file() fopen() popen() file_get_contents() fread() fscanf() Database tainted mysql_fetch_array() mysql_fetch_assoc() mysql_fetch_field() mysql_fetch_object() mysql_fetch_row() File Inclusion include() require() require_once() include_once() Command Execution exec() shell_ exec() system() proc_open() SQL Injection mysql_query() pg_query() User Controls $GLOBALS $_SERVER $_GET $_POST $_FILES $_COOKIE $_SESSION $_REQUEST $_ENV Cross Site Scripting (XSS) echo() print() printf()
  • 41. What’s in this for audience • Appeal to use codevigilant plateform • You find flaws – Either join our team and do continuous contribution • You get an author’s page at codevigilant • If you get any bounty for the bug you keep it. – Send details as one off cases of finding • We will do co-ordination with third party • We will try to get it patched or remove it from internet if not patched. • We will publish advisory on website with yours and co-ordinator’s name in advisory.
  • 42. What’s in this for audience • If you want a open source product tested contact us and we will see what we can do about it. • If you want quick test’s you can think about donating to the project.
  • 43. Simple Checklist • Look for Obvious flaws in unauthenticated Code – Reflected XSS – SQL Injection – Direct access / information disclosure – Directory Traversal • Understand Application Architecture – Language specific checks – List of language specific vulnerable functions – List of User Roles with impact of confidentiality • Attack Authenticated section – Stored XSS – CSRF – XSPA – SQL Injection – Direct URL access
  • 44. CodeVigilant • http://www.codevigilant.com • https://github.com/Codevigilant • https://facebook.com/Codevigilant • https://twitter.com/Codevigilant
  • 46. Why not automated scanners • They are either good at black or whitebox. • We wanted to confirm from both sides. • They have a workflow which should be followed.
  • 47. Open Source automation Tools • Tested rats and couple of other tools only rips worked marginally good. • But rips workflow demanded we enter url in webview everytime and web view keeps getting hanged from time to time.
  • 48. Commercial scanners • No motivation to use them (we will be processing result not learning from it) • No money to spend on them • We did got one generous offer and tried one product
  • 49. Commercial scanner • I don’t play name shame game hence no names here. • Commercial product was cloud hosted app where we need to upload code for review. • Software missed simple XSS and SQLi but so did open source tools also.
  • 50. Why scanners missed • WordPress or Other CMS have there own functions to handle stuff • Example – Mysql query – WordPress query • These scanners don’t know about it and failes to detect it.
  • 51. Why scanners missed • Or it could have been a simple case of misconfiguration at our end. • But after sharing results with Tool Dev they kind of vanished and didn’t responded back.