To do well, you must first sharpen your tools.
In static security auditing of source code, automated tools make the work far more efficient than purely manual vulnerability hunting, so learning to use them is essential for every code auditor. While learning PHP source code auditing I collected and tried several automated tools. This article briefly introduces three useful ones: RIPS, VCG, and Fortify SCA.
RIPS is an open-source automated code auditing tool with strong vulnerability detection capabilities. It is itself written in PHP and performs static security analysis of PHP code.
VCG (VisualCodeGrepper) is a free code security auditing tool that supports C/C++, C#, VB, PHP, Java, and PL/SQL. It is a dictionary (pattern) based scanner: its functionality is simple and it is easy to use.
Fortify SCA (Static Code Analyzer) is a commercial source code auditing tool developed by Fortify Software (since acquired by HP). It uses its own data flow analysis technology to find vulnerabilities across languages and currently supports most mainstream development languages.
This article introduces the usage and features of the three tools by analyzing the same sample application with each of them.
0x02 RIPS
The main features of RIPS are as follows:
1) Detects XSS, SQL injection, file disclosure, local/remote file inclusion, remote code execution, and more vulnerability types.
2) Five verbosity levels for displaying and debugging scan results.
3) Marks vulnerable lines in the source code viewer.
4) Highlights variables in the code viewer.
5) Hovering over a call to a user-defined function displays the function's code.
6) Jumps between a function's definition and its calls.
7) Lists all user-defined functions (definitions and calls), all program entry points (user input), and all scanned files (including files pulled in via include) in detail.
8) Visualizes source files and their includes, and functions and their calls, as graphs.
9) Creates a curl exploit for a detected vulnerability with a few clicks.
10) Provides a description, example, PoC, patch, and list of securing functions for every vulnerability.
11) Seven syntax-highlighting colour schemes.
12) Displays scan results top-down or bottom-up.
13) Only requires a local web server with PHP and a browser.
14) Regular-expression search.
At the time of writing the latest version of RIPS is 0.55. The download link is as follows:
Unzip the downloaded archive into a directory under the web server's document root, then open the server address and that directory in a browser. The RIPS user interface is as follows:
At the top is a menu with all the function buttons.
After a scan finishes, four new buttons appear in the menu that show or hide the four result windows: scanned files, user input points, scan status information, and functions.
Here is a simple example of how to use RIPS. The download link of the sample application is as follows:
This PHP application collects statistics on visits to a website; an administrator logs in to the back end to view detailed access information. Unzip the downloaded program, enter the extraction directory in the RIPS "path/file" field, leave the other options at their defaults, and click "scan" to start the scan.
After scanning, click the four buttons in the window menu to display the task details.
The vulnerability details are displayed in the main pane; click "hide all" to show or hide the detailed result list for each file.
Let's look at the details of one vulnerability: the SQL injection in the init.php source.
The unfiltered $procookie parameter is passed directly to the cheakcookie() function. Hovering the cursor over cheakcookie() shows how the function is defined.
The cheakcookie() function is defined in main.php; it is clear that the unfiltered parameter is inserted directly into the SQL statement that is then executed.
The vulnerability details show that $procookie is taken from $_COOKIE[count_admin]. From the context of the init.php source, this value is used to verify the cookie of a back-end login: when the count_admin value does not match the data in the database, verification fails.
Changing count_admin in the Cookie header of the POST request to "' or 1=1 #" bypasses the cookie check and goes straight into the back end: the quote closes the string literal, "or 1=1" makes the WHERE clause always true, and "#" starts a MySQL comment that discards the rest of the query.
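As an added example (not code from the audited application, from RIPS, or from the original article), the following Python script reproduces the bypass described above in miniature. The page does not show the application's source, so cheakcookie_vulnerable() is a hypothetical reconstruction of the pattern RIPS flagged: a cookie value concatenated straight into a SELECT. The admin table is an in-memory SQLite database constructed here; because SQLite has no MySQL-style "#" comment, the payload "' or 1=1 #" is written with SQLite's "-- " comment, which plays the same role. cheakcookie_fixed() shows the repair, a parameterised query.

```python
"""Cookie-based login bypass of the kind RIPS flagged, in miniature.

Added example, not code from the audited application, from RIPS or from
the article.  cheakcookie_vulnerable() is a hypothetical reconstruction of
the pattern described: the raw cookie value is concatenated into a SELECT.
The admin table is an in-memory SQLite database constructed here.  SQLite
has no MySQL-style '#' comment, so the article's payload "' or 1=1 #" is
written with SQLite's "-- " comment, which plays the same role.
"""
import sqlite3

ADMIN_COOKIE = "c0ffee"          # constructed admin cookie stored in the table
PAYLOAD = "' or 1=1 -- "         # the article's payload with the comment token swapped


def make_db():
    """Build the constructed admin table the cookie check is run against."""
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE admin (id INTEGER PRIMARY KEY, name TEXT, cookie TEXT)")
    con.execute("INSERT INTO admin VALUES (1, 'admin', ?)", (ADMIN_COOKIE,))
    return con


def build_vulnerable_sql(procookie):
    """The flaw: the cookie value becomes part of the SQL text itself."""
    return f"SELECT name FROM admin WHERE cookie = '{procookie}'"


def cheakcookie_vulnerable(con, procookie):
    """Returns True for the real cookie, and also for the injection payload."""
    return con.execute(build_vulnerable_sql(procookie)).fetchone() is not None


def cheakcookie_fixed(con, procookie):
    """Parameter binding keeps the cookie as data, so the payload is just a string."""
    row = con.execute("SELECT name FROM admin WHERE cookie = ?", (procookie,)).fetchone()
    return row is not None


if __name__ == "__main__":
    con = make_db()
    print(build_vulnerable_sql(PAYLOAD))   # the always-true WHERE clause the server runs
    print("vulnerable check with payload:", cheakcookie_vulnerable(con, PAYLOAD))
    print("fixed check with payload:     ", cheakcookie_fixed(con, PAYLOAD))
    print("fixed check with real cookie: ", cheakcookie_fixed(con, ADMIN_COOKIE))
```

Run as a script, the vulnerable check accepts the payload while the fixed check rejects it and still accepts the real cookie; the printed query shows exactly the statement a data flow tool such as RIPS or Fortify SCA reconstructs from the source.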
0x03 VCG
VCG is a dictionary-based automated source code scanner whose dictionaries can be customized. It quickly locates every function and string in the source code that may be risky.
The download link of VCG is as follows:
Double-click the downloaded MSI file to install it.
The scan configuration file for each language can be edited under Settings -> Options -> ConfigFiles Options.
Click Settings and select the target language for the scan. Click File -> New Target Directory and select the directory that holds the source code to be scanned, here the directory of the sample application. Click Scan -> Full Scan to start scanning.
The scan results include statistics computed over the scanned files. We focus on the content of the Results and Summary Table panels.
The Results panel lists all source code lines with security risks; right-click in it to sort and filter the results.
The Summary Table panel summarizes the content of the Results panel.
VCG finds suspicious source code snippets by matching them against its dictionary. Its scanning principle is simple and its focus differs from that of RIPS: it does not explore application vulnerabilities in depth. VCG is best used as an auxiliary tool to quickly locate risky functions in the source code.
0x04 Fortify SCA
Fortify SCA is expensive commercial software, so I could only find an earlier version to try. Being a commercial product, it has detailed user documentation that is very convenient to read. It also supports IDE plug-ins, which can be selected during installation.
Fortify SCA's auditing capability depends on its rule pack files; we can download updated rule packs and place them in the right location under the installation directory: the .bin files go into the Core\config\rules folder and the .xml files into the Core\config\ExternalMetadata folder (create it if it does not exist).
Open Audit Workbench and click Start New Project -> Advanced Scan to quickly start an audit task. Select the root directory of the application to be audited, choose the rule packs to use under Additional Options, answer the four questions asked by the Audit Guide, and click Run Scan.
The audit results are displayed in five panels.
Let's look at the same SQL injection problem found in the RIPS audit. Clicking the issue on the left makes the source code panel jump to the offending line.
The Analysis Trace panel shows the detailed data flow: read from $_COOKIE -> assigned to the variable $procookie -> passed into the cheakcookie() function -> assigned to the variable $sql -> passed into mysqli_query() for execution.
The meaning of each icon on the left is explained in the user manual. Clicking a line jumps to the corresponding source code line. The Diagram tab of the issue auditing panel also shows a more visual data flow chart that illustrates the cause of the vulnerability.
The other tabs of the auditing panel give detailed information about the vulnerability. Compared with open-source software such as RIPS, Fortify SCA presents audit results in more detail. Tools -> Generate Report can also generate an audit report tailored to your needs.
0x05 Summary
Unlike the other two tools, VCG is a simple scanner that finds and locates risky functions by dictionary matching. RIPS and Fortify SCA are powerful tools for in-depth static analysis: each uses its own technology to track how data moves through the application and to dig out vulnerabilities. RIPS is easy to deploy and use and is suitable as an automated analysis tool for applications with simple functionality; Fortify SCA is more powerful and copes with the automated analysis of more complex applications. In real audit work the two can be used to complement each other.
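The difference between VCG's dictionary matching (0x03) and the source-to-sink trace that RIPS and Fortify SCA produce (0x04) can be shown in a few dozen lines. The following Python script is an added example, not code from any of the three tools or from the article: it runs both approaches over a constructed two-file PHP snippet shaped like the init.php/main.php chain above. The snippet, the function bodies (including the extra count_visits() function), the source and sink dictionaries and the helper names are assumptions, not the sample application's actual source.

```python
"""Dictionary matching versus taint tracking over a constructed PHP snippet.

Added example, not code from VCG, RIPS or Fortify SCA.  The PHP below is a
constructed stand-in for the init.php/main.php chain described in the
article, not the audited application's source.  The line-based "parser" is
deliberately minimal (one statement per line, no braces inside strings,
no nested calls) because the point is the difference in principle.
"""
import re

FILES = {  # constructed sample input
    "main.php": """<?php
function cheakcookie($cookie) {
    global $conn;
    $sql = "SELECT * FROM admin WHERE cookie='" . $cookie . "'";
    $result = mysqli_query($conn, $sql);
    return mysqli_num_rows($result) > 0;
}
function count_visits($conn) {
    $sql = "SELECT COUNT(*) FROM visits";
    return mysqli_query($conn, $sql);
}
""",
    "init.php": """<?php
$procookie = $_COOKIE[count_admin];
if (!cheakcookie($procookie)) {
    die('denied');
}
$total = count_visits($conn);
""",
}

SOURCES = ("$_GET", "$_POST", "$_COOKIE", "$_REQUEST")      # assumed dictionary
SINKS = ("mysqli_query", "mysql_query", "eval", "system", "exec", "include")
DICT_RE = {w: re.compile(r"(?<!\w)" + re.escape(w) + r"(?!\w)") for w in SOURCES + SINKS}
VAR_RE = re.compile(r"\$[A-Za-z_]\w*")
ASSIGN_RE = re.compile(r"^\s*(\$\w+)\s*=(?!=)\s*(.*?);\s*$")
FUNC_DEF_RE = re.compile(r"^\s*function\s+(\w+)\s*\(([^)]*)\)")
CALL_RE = re.compile(r"\b(\w+)\s*\(([^()]*)\)")


def dictionary_scan(files):
    """VCG's principle: report every line that contains a dictionary word."""
    hits = []
    for fname, src in files.items():
        for ln, line in enumerate(src.splitlines(), 1):
            hits += [(fname, ln, w) for w, rx in DICT_RE.items() if rx.search(line)]
    return hits


def parse_php(files):
    """Split files into user-defined function bodies and top-level statements."""
    funcs, top = {}, []
    for fname, src in files.items():
        cur, depth = None, 0
        for ln, text in enumerate(src.splitlines(), 1):
            m = FUNC_DEF_RE.match(text)
            if m and cur is None:
                cur = m.group(1)
                funcs[cur] = ([p.strip() for p in m.group(2).split(",") if p.strip()], [])
                depth = text.count("{") - text.count("}")
            elif cur is not None:
                funcs[cur][1].append((fname, ln, text))
                depth += text.count("{") - text.count("}")
                if depth <= 0:
                    cur = None
            else:
                top.append((fname, ln, text))
    return funcs, top


def scan_lines(lines, tainted, funcs, findings, depth=0):
    """Walk statements in order; `tainted` maps a variable to the trace that reached it."""
    for fname, ln, text in lines:
        where = f"{fname}:{ln}"
        for call, args in CALL_RE.findall(text):
            hot = {}  # argument position -> trace of the tainted variable passed there
            for i, arg in enumerate(args.split(",")):
                for var in VAR_RE.findall(arg):
                    if var in tainted:
                        hot[i] = tainted[var] + [f"{where}: {var} passed into {call}()"]
                        break
            if not hot:
                continue
            if call in SINKS:
                findings.append(next(iter(hot.values())))
            elif call in funcs and depth < 8:  # bound recursion for recursive PHP code
                params, body = funcs[call]
                entry = {params[i]: tr for i, tr in hot.items() if i < len(params)}
                scan_lines(body, entry, funcs, findings, depth + 1)
        m = ASSIGN_RE.match(text)
        if m:
            lhs, rhs = m.groups()
            src = next((s for s in SOURCES if s in rhs), None)
            hot_vars = [v for v in VAR_RE.findall(rhs) if v in tainted]
            if src:
                tainted[lhs] = [f"{where}: {src} read into {lhs}"]
            elif hot_vars:
                tainted[lhs] = tainted[hot_vars[0]] + [f"{where}: {hot_vars[0]} flows into {lhs}"]
            else:
                tainted.pop(lhs, None)  # overwritten with data that carries no taint


def taint_scan(files):
    """RIPS/Fortify principle: report only data that flows from a source to a sink."""
    funcs, top = parse_php(files)
    findings = []
    scan_lines(top, {}, funcs, findings)
    return findings


if __name__ == "__main__":
    for hit in dictionary_scan(FILES):
        print("dictionary hit:", *hit)
    for trace in taint_scan(FILES):
        print("tainted flow:\n  " + "\n  ".join(trace))
```

Run as a script, the dictionary pass reports three hits, one of them the constant-query mysqli_query() call in count_visits() that no attacker can influence (the false positive the summary warns about), while the taint pass reports a single flow whose four steps ($_COOKIE read into $procookie, passed into cheakcookie(), flowing into $sql, passed into mysqli_query()) are the same chain the Analysis Trace panel shows in 0x04.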
Automated static code auditing tools reduce the labor cost of code auditing and are an important means of improving its efficiency. It should be noted, however, that automated tools are not truly intelligent: like all vulnerability scanners they produce false positives, so every vulnerability listed in a report must be confirmed by the auditor. A further major limitation is that these tools can only find common web application vulnerability types; their ability to find business logic flaws in Web 2.0 era applications is weak. For an experienced code auditor, therefore, the tools play a supporting role: they use them to discover deeper vulnerabilities on the basis of their own experience.
* Article contributed by istr33. For details, see FreeBuf hackers and geeks (FreeBuf.COM).