12.1. Code Audit

12.1.1. Introduction

Code auditing is the process of finding application bugs. It is usually divided into white-box auditing, black-box auditing, grey-box auditing and so on. White-box auditing refers to finding application defects through analysis of the source code. Black-box auditing usually does not involve source code, and fuzz testing is often used, while grey-box auditing is a combination of the two. The three testing methods have different advantages and disadvantages.

12.1.2. Common Concepts

12.1.2.1. Input

Input is usually also called Source. The input of a web application can be the parameters of the request (GET, POST, etc.), uploaded files, cookies, database data and other user-controllable or indirectly controllable places.

For example, in PHP, $_GET / $_POST / $_REQUEST / $_COOKIE / $_FILES / $_SERVER etc. can all serve as input to the application.

12.1.2.2. Handler functions

A handler function is a function that filters or encodes data, usually called Clean/Filter/Sanitizer. These functions perform safe handling or filtering of the input, which makes it uncertain whether a given path from input to dangerous function is still exploitable.

Again taking PHP as an example, such a function may be mysqli_real_escape_string / htmlspecialchars / base64_encode / str_rot13 etc., or it may be a custom filter function.

12.1.2.3. Dangerous functions

Dangerous functions, often called sinks or vulnerability points, are functions that may trigger dangerous behaviour such as file operations, command execution and database operations.

In PHP, these might be include / system / echo etc.

12.1.3. Automated Auditing

It is generally believed that a vulnerability is triggered along a path from an input, through any filtering, to a dangerous function (Source To Sink), and auditing is the process of finding such chains. Common automated auditing schemes include dangerous function matching, control flow analysis, etc.

12.1.3.1. Dangerous function matching

The most common way of white-box auditing is to locate vulnerabilities by searching for dangerous functions and dangerous parameters. A representative tool is the auditing tool developed by Seay. The false positive rate of this method is quite high, because it does not analyze the program flow in depth. In addition, it usually analyzes each file in isolation, ignoring the complex call relationships between files.

On the other hand, in some environments this method achieves almost no false negatives: as long as the auditor is patient, most of the vulnerabilities can be found. In heavily framework-based code, however, the vulnerabilities it can find are relatively limited.
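The source / sanitizer / sink matching described in 12.1.2 and above, as an added Python illustration (not Seay's tool and not code from this page): a scanner that searches for sinks and then checks, line by line, whether the input reaching each sink passed through a sanitizer suited to that sink. The PHP snippet, the sink table and the inclusion of intval / escapeshellarg as sanitizers are constructed assumptions.

```python
import re

# Constructed PHP sample (not from any real project); it is the scanner's only input.
SAMPLE_PHP = r'''<?php
$id = $_GET['id'];
$name = mysqli_real_escape_string($conn, $_POST['name']);
$q = "SELECT * FROM users WHERE id=" . $id;
mysqli_query($conn, $q);
mysqli_query($conn, "SELECT * FROM users WHERE name='$name'");
echo htmlspecialchars($_GET['msg']);
echo $_REQUEST['msg'];
include $_GET['page'] . ".php";
'''

SOURCES = ("$_GET", "$_POST", "$_REQUEST", "$_COOKIE", "$_FILES", "$_SERVER")
# Sink -> sanitizers that neutralise input for that sink class (empty set: none helps).
SINKS = {"mysqli_query": {"mysqli_real_escape_string", "intval"},
         "echo": {"htmlspecialchars", "intval"},
         "include": set(),
         "system": {"escapeshellarg"}}
SANITIZERS = set().union(*SINKS.values())

def taint_of(expr, tainted):
    """Return (sources, sanitizers) reaching expr, or None if no input flows into it."""
    sources = {s for s in SOURCES if s in expr}
    applied = {f for f in SANITIZERS if f + "(" in expr}
    for var, (vsrc, vsan) in tainted.items():          # propagate through assigned variables
        if re.search(re.escape(var) + r"\b", expr):
            sources |= vsrc
            applied |= vsan
    return (sources, applied) if sources else None

def find_flows(php):
    """Dangerous-function matching plus line-by-line taint tracking: (line, sink, sources)
    for each sink reached by input that no sanitizer suited to that sink touched. Like
    Seay-style matching it ignores branches, function calls and other files."""
    tainted, findings = {}, []
    for n, line in enumerate(php.splitlines(), 1):
        m = re.match(r"\s*(\$\w+)\s*=\s*(.*);", line)
        if m:                                  # assignment: record what flows into the variable
            t = taint_of(m.group(2), tainted)
            if t:
                tainted[m.group(1)] = t
            continue
        for sink, breakers in SINKS.items():
            if re.match(r"\s*" + sink + r"\b", line):
                t = taint_of(line, tainted)
                if t and not (t[1] & breakers):
                    findings.append((n, sink, sorted(t[0])))
    return findings
```

Running find_flows(SAMPLE_PHP) flags lines 5, 8 and 9 of the sample; the escaped query on line 6 and the encoded echo on line 7 are skipped because a sanitizer suited to that sink sits on the path.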

12.1.3.2. Control flow analysis

Later systems introduced the AST as the basis for analysis, which reduced false positives to a certain extent, but many defects remained.

Then Dahse J et al. designed RIPS, which analyzes data flow and control flow and obtains audit results by combining intra-procedural and inter-procedural analysis. Compared with dangerous function matching, the false positive rate is much lower, but it also adds overhead.

12.1.3.3. Graph-Based Analysis

Graph-based analysis is an improvement on control flow analysis. It uses the properties of the CFG and graph computing algorithms to simplify the computation to a certain extent. The most representative examples are Microsoft's Semmle QL and the NDSS 2017 paper Efficient and Flexible Discovery of PHP Application Vulnerabilities.

12.1.3.4. Code similarity comparison

Some developers copy code from other frameworks, or use various frameworks. If a map of the corresponding vulnerabilities is established in advance, similarity comparison can be used to find them.

12.1.3.5. Grey Box Analysis

Control-flow-based analysis is expensive, so a runtime-based analysis method was proposed: it hooks the code, automatically backtracks to the input when a dangerous function is executed, finds that input and determines whether it is usable.

This method avoids the complex implementation and high path-computation overhead of control flow analysis, and also makes certain breakthroughs in judging filter functions, but the grey box method does not necessarily trigger all vulnerabilities. The prvd developed by fate0 is based on this design idea.
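The runtime idea above, as an added Python illustration (not prvd's code and not from this page): a hook on a sink records the call chain back to the handler, checks which request parameters reached the sink, and decides whether the input still controls the command. The REQUEST dict, the two handlers and the "unquoted ';' token" availability test are constructed assumptions.

```python
import os, shlex, traceback
from contextlib import contextmanager

# Constructed request (an assumption): the value doubles as a canary with a shell metacharacter.
REQUEST = {"host": "example.com;id"}

def backtrack_input(cmd):
    """Which request parameters survive verbatim into the sink argument?"""
    return [k for k, v in REQUEST.items() if v in cmd]

def is_available(cmd):
    """The input still controls the command if its ';' is a standalone shell token (not quoted)."""
    return ";" in list(shlex.shlex(cmd, punctuation_chars=True))

@contextmanager
def hook_os_system(reports):
    """Temporarily replace os.system with a recorder, as a grey-box auditor hooks a sink at runtime."""
    real = os.system
    def hooked(cmd):
        chain = [f.name for f in traceback.extract_stack()[:-1]]   # backtrack to the handler
        reports.append({"cmd": cmd, "inputs": backtrack_input(cmd),
                        "available": is_available(cmd), "chain": chain})
        return 0                                                   # never execute while auditing
    os.system = hooked
    try:
        yield
    finally:
        os.system = real

# Two constructed handlers: one concatenates raw input, the other quotes it first.
def ping_vulnerable():
    os.system("ping -c 1 " + REQUEST["host"])

def ping_hardened():
    os.system("ping -c 1 " + shlex.quote(REQUEST["host"]))

def audit(handler):
    """Run one handler under the hook and return the sink report it produced (None if no sink hit)."""
    reports = []
    with hook_os_system(reports):
        handler()
    return reports[0] if reports else None

if __name__ == "__main__":
    for h in (ping_vulnerable, ping_hardened):
        r = audit(h)
        print(h.__name__, "inputs:", r["inputs"], "controllable:", r["available"], "via", r["chain"][-1])
```

Both handlers let the raw value reach the sink, which is what the backtracking step reports; only the availability check separates the quoted, harmless case from the controllable one.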

12.1.4. Manual Audit Process

  • Obtain the code, determine the version, and do a preliminary analysis
    • Look up historical vulnerability information
    • Find live deployments of the system
    • Determine whether any dependency library is vulnerable
  • Preliminary analysis with audit tools
  • Understand how the program runs
    • File loading method
      • Class library dependencies
      • Whether a WAF is loaded
    • Database connection method
      • mysql/mysqli/pdo
      • Whether prepared statements are enabled
    • View rendering
      • XSS
      • Template injection
    • SESSION processing mechanism
      • File
      • Database
      • Memory
    • Cache processing mechanism
      • File cache may allow writing a shell
      • Database cache may be injectable
      • memcache
  • Account system
    • Auth method
    • Pages that can be accessed pre-auth
    • Guest user account
      • Whether ordinary user privileges can be obtained
    • Administrator account default password
    • Account system
      • Encryption
      • Password brute-forcing
      • Password reset vulnerabilities
      • Change-password vulnerabilities
        • Modifying other accounts' passwords
  • Find sinks by vulnerability type
    • SQLi
      • Can global filtering be bypassed
      • Is there a place where SQL is executed directly
      • SQL driver in use: mysql/mysqli/pdo
        • If PDO is used, search for parts that execute queries directly
    • XSS
      • Global bypass
      • View rendering
    • FILE
      • Find the upload function point
      • Upload / download / overwrite / delete
      • Include
        • LFI
        • RFI
        • Globally search for include, require
    • RCE
    • XXE
    • CSRF
    • SSRF
    • Deserialization
    • Variable overwrite
    • LDAP
    • XPath
    • Cookie forgery
  • Filtering
    • Find the WAF filtering method and determine whether it can be bypassed