Hulp
Deze pagina aan uw boek toevoegen
Boek weergeven (27 pagina's)
Pagina's suggererenSoftwareSecurity2012/Group 2/Code Scanning
Inhoud
Introduction
In this wiki-page, a short research into the code analysis tools RIPS and YASCA is performed. RIPS is a source code analysis tool for PHP web applications. Its authors claim that the tool detects cros-site scripting, SQL-injections, file disclosure, local and remote file inclusion and reverse code engineering vulnerabilities. YASCA is also a source code analysier, which can analyse not only code in PHP, but also in Java, C/C++, HTML, JavaScript, ASP, .NET and other languages. It is not only used to find vulnerabilities in code, but also to check the code for quality, complience and performance issues.
The tools are tested on FluxBB, a bulletin board, and specifically on its modification for support for custom BBcode.
Code scanning results
RIPS
Installation
The installation requires a web-server to be installed on your system, which makes this tool a less attractive choice to use for code scanning.
Usability
There are a few points which make the choice of a browser application not practical:
- Browser dependant, if you complete a scan and it is not displayed correctly in a browser you have to switch to another browser (and start over the scan)
- Progress on scan is not visible
There are 5 verbosity levels:
- The default verbosity level 1 scans only for potentially vulnerable function (PVF) calls which are tainted with user input without any detected securing actions in the trace.
- The second verbosity level also includes files and database content as potentially malicious user input. This level is important to find vulnerabilities with a persistent payload storage but it might increase the false positive rate.
- The third verbosity level will also output secured PVF calls. This is important to detect insufficient securings which are sometimes hard to detect by a static source code analyser automatically.
- The fourth verbosity level also shows additional informations RIPS collected during the scan. This includes found exits, notes about the success of analysing included files and calls of functions that has been defined in the interesting functions array. On large PHP applications this information gathering can lead to a very large scan result.
- The last verbosity level 5 shows all PVF calls and its traces no matter if tainted by user input or not. This can be useful in scenarios where a list of static input to PVF calls is of interest. However this verbosity level can lead to a lot of false positives.
The system provides output containing errors and a statistical summary of the verbosity levels. When an error is found, it is displayed in a clear way: the first line displays the actual error, then follows the variable to where it was declared and used. Most of the errors have the type: Userinput reaches sensitive sink. Which makes finding a specific type very difficult, an alternative way of finding a more specific subcategory of errors is looking at for example "Cross-Site Scripting" or "File Manipulation", but more sub-categories are preferred as most errors are marked as "Cross-Site Scripting" at the moment.
Erik: I don't see a lot of difference between these verbosity levels in the images below, so I'm wondering why you include 5 almost identical images. Do you? Maybe I am missing something. If so, point that out.
Results
The statistic summary of each verbosity level looks as displayed in the five pictures below.
The total report becomes a 20 mb big html file with errors where only possible user-input errors are given. So the only information you get out of the tool is where userinput is processed in the code within function parameters, echo's and database inserts.
Yasca
Installation
Yasca does have a very simple installation procedure: Yasca is downloaded and extracted, afterwards it is directly functional.
Erik: it does have one :-), but a very simple one.
Usability
Yasca works from the command line. To analyze source code, the directory including the code is passed to Yasca as a parameter. Yasca lists its results in a table in a html file. It stores this html-file in Windows' default desktop directory (which might not be the actual desktop library). The tool is ready almost immediately after the tool starts the analysis (for 1127kb in 98 php files).
Results
The results of the Yasca scan can be found here: here.
Yasca looks for several types of security warnings. It organizes these into categories. Below is a summary of the
| severity | warning category | description | number of warnings |
|---|---|---|---|
| dark orange | W3 Core | Warnings about deviations from the W3C standard | 2 |
| dark orange | Cross-Site Scripting | Warnings for client-side code injection | 14 |
| light orange | W3 Core | Warnings about deviations from the W3C standard | 2 |
| light orange | Bug: Script Tag in JavaScript file | Warnings about possible bugs in JavaScript | 2 |
| yellow | W3 Core | Warnings about deviations from the W3C standard | 2 |
| blue | Performance: Function Within Loop Declaration | Warnings about possible performance issues in loops | 4 |
| green | W3 Core | Warnings about deviations from the W3C standard | 4 |
| green | Possible Licensing Restrictions | Warnings about licensing restrictions | 47 |
| green | Performance: Post-Increment of Simple Variable | Warnings about performance issues when post-incrementing variables | 27 |
Erik:Why not?[M:useful security warnings], Erik: These are conclusions I would (also) expect on your Reflection page. Also, do you have similar conclusions abour RIPS?
