Tools recommended: Three automated code audit tools

0x01 About

A craftsman who wants to do good work must first sharpen his tools.

In static source code security auditing, using automated tools in place of manual vulnerability mining can greatly improve audit efficiency. Learning to use automated code audit tools is therefore an essential skill for every code auditor. While learning PHP source code auditing I collected and tried a variety of automated tools; this article briefly introduces three of the more useful ones: RIPS, VCG and Fortify SCA.

RIPS is an open source automated code audit tool with strong vulnerability discovery capabilities. It is written in PHP and is used for static security auditing of PHP code.

VCG (VisualCodeGrepper) is a free code security audit tool that supports C++, C#, VB, PHP, Java and PL/SQL. It is a dictionary-based detection tool and is simple to use.

Fortify SCA (Static Code Analyzer) is a commercial source code audit tool developed by Fortify Software (since acquired by HP). It uses its own data flow analysis technology to analyse code for vulnerabilities across layers and across languages, and currently supports all mainstream development languages.

Using a single application as the example, this article introduces the usage and characteristics of the three tools.

0x02 RIPS

The main features of RIPS are as follows:

1) Detects XSS, SQL injection, file disclosure, local/remote file inclusion, remote command execution and many other vulnerability types.

2) Five verbosity levels for displaying scan results and assisting with debugging.

3) Marks the line of code where the vulnerability exists.

4) Highlights the affected variables.

5) Hovering the cursor over a user-defined function shows its function call.

6) Flexible jumping between function definitions and their call sites.

7) Detailed lists of all user-defined functions (definitions and calls), all program entry points (user input) and all scanned files (including included files).

8) Displays source files, included files, functions and their calls as a visual graph.

9) Creates a curl exploit (EXP) for a detected vulnerability with just a few mouse clicks.

10) Detailed descriptions, examples, PoCs, patches and secure replacement functions for each vulnerability.

11) Seven different syntax highlighting modes.

12) Top-down or bottom-up tracing of scan results.

13) A local PHP-enabled web server and a browser are all that is needed.

14) Regular expression search.

The latest version of RIPS is 0.55; the download link is:

https://sourceforge.net/projects/rips-scanner/

Unzip the downloaded archive into the web server's document root. Open the web server address and the corresponding directory in a browser, and the RIPS user interface loads.

A menu with all the function buttons sits at the top.

After a scan task finishes, four new buttons appear in the menu to show/hide the four scan result windows: scanned files, user input points, scan status information and scanned functions.

A simple example now illustrates the use of RIPS; the sample application can be downloaded here:

Http://jsdx.down.chinaz.com/201603/webjoker_v2.2.0.zip

This PHP application counts visitors to a website; logging into its admin backend shows detailed access information. Unzip the downloaded program, enter the extracted directory in the RIPS "path/file" field, leave the other options at their defaults, and click "Scan" to start the scan task.

When the scan is finished, click the four buttons in the window menu to display the task details.

The main body shows the details of each detected vulnerability; clicking the "Hide All" button shows/hides the detailed list of results for each file.

Let's look at one vulnerability in detail: a SQL injection in the source code of init.php.

The unfiltered $procookie parameter is passed directly to the Cheakcookie() function. Hovering the cursor over Cheakcookie() shows how the function is defined.

Cheakcookie() is defined in main.php, and it is clear that the unfiltered parameter is placed directly into the SQL statement and executed.

In the vulnerability details, $procookie receives its value from $_COOKIE['count_admin']. From the context of the init.php source code, this is the cookie check for admin backend logins: the check fails when the count_admin value does not match the data in the database.

Changing count_admin in the request's cookie to "' or 1=1 #" bypasses the cookie check and gives direct access to the admin backend.
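As an added example (not code from the webjoker application or from this article), here is the vulnerable pattern reconstructed from the description above, beside a hardened version using a mysqli prepared statement; the table and column names are assumed:

```php
<?php
// Added example, not the webjoker code: a reconstruction of the pattern RIPS
// reported, beside a hardened form. Table and column names are assumed.

// Vulnerable form: $procookie arrives straight from $_COOKIE['count_admin'] and
// is concatenated into the query, so the cookie value can change the query's
// logic (the "' or 1=1 #" value above turns the WHERE clause into a tautology).
function cheakcookie_vulnerable(mysqli $db, string $procookie): bool
{
    $sql = "SELECT id FROM admin WHERE cookie = '" . $procookie . "'";
    $result = $db->query($sql);
    return $result !== false && $result->num_rows > 0;
}

// Hardened form: the cookie value is bound as a parameter. The query text is
// fixed before any user data is seen, so the value is only ever compared as data.
function cheakcookie_fixed(mysqli $db, string $procookie): bool
{
    $stmt = $db->prepare("SELECT id FROM admin WHERE cookie = ?");
    if ($stmt === false) {
        return false;           // treat a failed prepare as "not logged in"
    }
    $stmt->bind_param('s', $procookie);
    $stmt->execute();
    $stmt->store_result();
    $found = $stmt->num_rows > 0;
    $stmt->close();
    return $found;
}

// The call site as init.php would use it: reject an absent cookie outright and
// only then consult the database. The fix only stops injection; the cookie
// should also hold a random, unguessable token rather than a predictable value.
function admin_logged_in(mysqli $db): bool
{
    $procookie = $_COOKIE['count_admin'] ?? '';
    return $procookie !== '' && cheakcookie_fixed($db, $procookie);
}
```

RIPS flags the first function because the cookie source reaches a query sink without sanitisation; the second keeps the same check but removes the data flow into SQL text.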

0x03 VCG

VCG is a dictionary-based automated source code scanning tool that lets users customise the data to be scanned. It quickly locates all functions and text in the source code that may pose a risk.

The download links for VCG are as follows:

http://sourceforge.net/projects/visualcodegrepp/

Double-click the downloaded MSI file to install it.

The scan profile for each language can be edited under Settings -> Options -> Config Files.

Click the Settings option to select the target language for the scan. Click File -> New Target Directory and select the directory containing the source files to scan (here the directory of the sample application mentioned above), then click Scan -> Full Scan to start the scan.

The scan results include a chart with statistics about the scanned files; this function is of little practical use. We focus on what the two panels, Results and Summary Table, display.

The Results panel lists all source code with security risks; right-click to sort the results.

The Summary Table panel is a summary of the contents of the Results panel.

VCG finds potentially risky fragments of source code by matching them against a dictionary. Its scanning principle is relatively simple and its focus differs from that of RIPS: it does not dig deeply for application vulnerabilities. VCG can be used as an auxiliary tool for quickly locating risky functions in source code.
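To show the matching principle described above, here is an added example (not VCG's code and not from the article) of a minimal dictionary-based scanner in PHP. It runs a small constructed dictionary of risky PHP sinks and user-input sources over a constructed init.php-style snippet and reports file and line; like VCG it only flags patterns and cannot tell a concatenated query from a parameterised one, which is why every hit still needs manual review:

```php
<?php
// Added example, not VCG's code: a minimal dictionary-based source scanner.
// The dictionary and the sample source below are constructed for illustration.

const RISK_DICTIONARY = [
    // regex pattern => note shown to the auditor
    '/\bmysqli?_query\s*\(/'                           => 'raw SQL query sink, check for string concatenation',
    '/->query\s*\(/'                                   => 'raw SQL query sink, check for string concatenation',
    '/\b(eval|system|exec|passthru|shell_exec)\s*\(/'  => 'code/command execution sink',
    '/\b(include|require)(_once)?\b/'                  => 'file inclusion, check for user-controlled path',
    '/\$_(GET|POST|COOKIE|REQUEST)\b/'                 => 'user input source, trace it to a sink',
];

// Scan one file's contents line by line; returns one hit per (line, pattern) match.
function scan_source(string $filename, string $contents): array
{
    $hits = [];
    foreach (explode("\n", $contents) as $idx => $line) {
        foreach (RISK_DICTIONARY as $pattern => $note) {
            if (preg_match($pattern, $line)) {
                $hits[] = [
                    'file' => $filename,
                    'line' => $idx + 1,
                    'note' => $note,
                    'code' => trim($line),
                ];
            }
        }
    }
    return $hits;
}

// Constructed sample mirroring the cookie-to-query pattern discussed in this article.
$sample = <<<'PHP'
<?php
$procookie = $_COOKIE['count_admin'];
$sql = "SELECT * FROM admin WHERE cookie='" . $procookie . "'";
$res = mysqli_query($conn, $sql);
PHP;

// Reports line 2 (input source) and line 4 (query sink); line 3, where the actual
// concatenation happens, is not flagged, which is exactly VCG's limitation.
foreach (scan_source('init.php', $sample) as $hit) {
    printf("%s:%d  %s\n    %s\n", $hit['file'], $hit['line'], $hit['note'], $hit['code']);
}
```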

0x04 Fortify SCA

Fortify SCA is expensive commercial software, so I could only find an earlier version to try. Being commercial software, it has detailed user documentation, which makes looking things up very convenient. It supports plug-ins for several IDEs, with corresponding options during installation.

Fortify SCA's code audit function relies on its rule library files; an updated rule library can be downloaded and placed in the appropriate location under the installation directory. The .bin files go into the Core\config\rules folder under the installation directory, and the .xml files into the Core\config\externalmetadata folder (create the folder if it does not exist).

Open Audit Workbench and click Start New Project -> Advanced Scan to start an audit task. Select the root directory of the application to audit, choose the rule library to use under Additional Options, answer the four questions in the audit guide with the appropriate options, and click Run Scan.

The audit results are presented in five panels.

Let's look at the same SQL injection problem found by RIPS. Clicking the issue on the left makes the source code panel navigate automatically to the line where the problem occurs.

The Analysis Trace panel shows the detailed data flow: the value read from the cookie is assigned to the variable $procookie, passed into the Cheakcookie() function, assigned to the variable $sql, and executed by mysqli_query().

The meaning of each icon on the left is explained in the user manual. Clicking a line navigates automatically to the corresponding source line. The Diagram tab of the issue audit panel also shows a more graphical data flow diagram that visually presents the cause of the vulnerability.

The other tabs in the audit panel give detailed vulnerability information; the Fortify SCA audit results are more detailed than those of the open source RIPS. The Tools -> Generate Report function can also produce audit reports tailored to the user's needs.

0x05 Summary

Unlike the other two tools, VCG is a concise dictionary-based tool for locating risky functions. RIPS and Fortify SCA are powerful tools for static in-depth analysis of source code vulnerabilities; each uses its own techniques to trace and analyse the application's execution flow and dig deeply for vulnerabilities. RIPS is easy to deploy and use and serves as an automated audit tool for applications with simple functionality. Fortify SCA is more powerful and can handle automated analysis of complex applications. In practical audit work the two tools can be combined, each compensating for the other's weaknesses.

Automated static code audit tools save the labour cost of code auditing and are an important means of improving its efficiency. However, automated tools are not fully intelligent: as with all vulnerability scanners, false positives remain a real problem, so every vulnerability in the report needs further confirmation by the auditor that it really exists. Automated tools also have a major limitation: they can only be used to find common web application vulnerability types, and are largely powerless against the business logic vulnerabilities that have emerged in the Web 2.0 era. For an experienced code auditor, the audit tool therefore plays only a supporting role; they combine the tools with their own experience to find deeper vulnerabilities.

* Article contributed by Istr33. When reprinting, please credit FreeBuf Hackers & Geeks (freebuf.com).
