SoftwareSecurity2012/Group 9/Code Scanning
Contents
RIPS
Installation
Installation requires more work and a lot of extra software. You can download the program from the RIPS website [1], but you will also need an HTTP server (for example apache2) with PHP. One easy way is to install XAMPP [2]; alternatively you can install the components separately.
You must extract the software into your webserver's document root. On SUSE Linux this is /srv/www/htdocs.
After starting the webserver you can access RIPS in your local browser via http://localhost/*ripsdirectoryname*. RIPS then provides a comfortable and easy-to-use web interface.
Results
We decided to use the most recent release, v0.53. In the web interface you can easily configure the verbosity level and the vulnerability types you want to search for. After running RIPS on the entire FluxBB code base, we got the following results for the different verbosity levels:
Verbosity level | Code Execution | Command Execution | Header Injection | File Disclosure | File Inclusion | File Manipulation | SQL Injection | Cross-Site Scripting | HTTP Response Splitting | Positive Flow Control | Unserialize | Sum |
---|---|---|---|---|---|---|---|---|---|---|---|---|
1. user tainted only | 0 | 0 | 1 | 0 | 2 | 6 | 2 | 33 | 1 | 0 | 0 | 45 |
2. file/DB tainted +1 | 1 | 0 | 1 | 6 | 12 | 12 | 2 | 223 | 2 | 0 | 18 | 277 |
3. show secured +1,2 | 4 | 0 | 1 | 6 | 12 | 16 | 2 | 364 | 3 | 0 | 19 | 427 |
4. untainted +1,2,3 | 140 | 1 | 2 | 28 | 327 | 34 | 26 | 2662 | 73 | 222 | 20 | 3535 |
RIPS also provides a useful overview page with statistics after scanning, as well as visualizations of the scanned files.
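To make the verbosity levels in the table concrete, here is a small added illustration (written for this page, not FluxBB code and not RIPS's own test code) of the data flows each level adds, using echo as the cross-site scripting sink; the PDO handle $db and the posts table are assumed for the example.

```php
<?php
// Added illustration of the flows behind RIPS's verbosity levels.
// Sink in every case: echo of an HTML fragment (cross-site scripting).

// Level 1 "user tainted only": the source is a request parameter that
// reaches the sink without any sanitisation.
function show_name_unsafe(): void
{
    $name = $_GET['name'] ?? '';
    echo "<p>Hello, $name</p>";          // reported at verbosity 1 and above
}

// Level 2 "file/DB tainted": the source is a database row (or a file), which
// an earlier request may have filled (second-order flow).
// Assumes a PDO handle $db and a table posts(id, subject) - hypothetical.
function show_subject_unsafe(PDO $db, int $id): void
{
    $stmt = $db->prepare('SELECT subject FROM posts WHERE id = ?');
    $stmt->execute([$id]);
    $subject = (string) $stmt->fetchColumn();
    echo "<h2>$subject</h2>";           // reported at verbosity 2 and above
}

// Level 3 "show secured": the same user-tainted flow, but the value passes
// through a securing function before the sink, so RIPS lists it only to show
// that the line was checked and found protected.
function show_name_safe(): void
{
    $name = htmlspecialchars($_GET['name'] ?? '', ENT_QUOTES, 'UTF-8');
    echo "<p>Hello, $name</p>";          // listed only at verbosity 3 and above
}

// Level 4 "untainted": the sink receives a constant, so there is no taint at
// all; such calls only appear when every sink is listed, which explains the
// jump from 427 to 3535 findings in the table above.
function show_footer(): void
{
    echo '<p>Powered by FluxBB</p>';     // listed only at verbosity 4
}
```

The second-order case is the reason the FluxBB count for cross-site scripting jumps from 33 to 223 between levels 1 and 2: a forum stores most of what it displays.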
Feedback
RIPS creates nicely formatted output and you can choose your favorite syntax highlighting style. It is great that, along with the possible bugs, RIPS often shows you what you can actually do to improve the affected lines of code.
RIPS warns that it does not support object-oriented code, which might decrease the accuracy of the results since FluxBB uses object-oriented programming.
Conclusion
As we are mainly focused on error handling and logging, we do not need RIPS to consider all vulnerability types, because they are not related to error handling and logging. For other groups, though, this seems to be a more useful tool.
YASCA
Yasca is a free, open source tool for source code analysis. It can scan code written in Java, C/C++, HTML, JavaScript, ASP, ColdFusion, PHP, COBOL, .NET and other languages. Yasca has a plugin-based architecture and logically consists of a basic front-end, a set of scanning plugins and report renderers, and an engine that ties them all together. The tool can easily be integrated with and extended by plugins such as RATS, PHPLint and others; you can also create your own plugins using Grep (included by default).
In the case of our group, we scanned the PHP/JavaScript files of the forum application FluxBB.
First Impressions
Running and Installation
Yasca does not require any installation. After downloading the binary from yasca.org you can run it directly from the command line.
In Windows:
yasca [code directory] (for example: yasca c:\path\to\source)
In Linux:
./yasca [code directory] (for example: ./yasca path/to/source)
Yasca will then generate a file with the code scan results. The default output format is HTML, but Yasca can also generate output in XML and CSV format. A manual for Yasca with a list of the available commands can be found at http://www.scovetta.com/yasca/yasca-manual.pdf.
Feedback
The generated file presents all the vulnerabilities found in the source code. For each vulnerability in the output file there are three fields:
- The first field gives the number of the vulnerability and its severity. The severity is represented by the color of the field. There are five severity levels: critical, high, warning, low and informational.
- The second field gives the file and line in which the vulnerability was found, as well as a short description of it.
- The third field shows the piece of code (or part of it) in which the vulnerability was found.
If the user wishes, s/he can also see all the scanned files in a list or in a basic summary grid, which shows a short table with each file and the vulnerabilities associated with it.
Results
We ran Yasca on the code and it found 104 vulnerabilities. They are broken down by type and severity in the table below:
Type/Severity | Critical | High | Warning | Low | Informational | Total |
---|---|---|---|---|---|---|
W3Core | 2 | 2 | 2 | 0 | 4 | 10 |
Cross-Site Scripting | 14 | 0 | 0 | 0 | 0 | 14 |
Bug: Script tag | 0 | 2 | 0 | 0 | 0 | 2 |
Performance | 0 | 0 | 0 | 4 | 26 | 30 |
Licensing restrictions | 0 | 0 | 0 | 0 | 46 | 46 |
Total | 16 | 4 | 2 | 4 | 78 | 104 |
At first glance the feedback given does not seem very useful, as:
- Most vulnerabilities found were classified as informational (possible licensing restrictions and performance issues).
- Critical severity vulnerabilities found are related to cross-site scripting and to JavaScript commands that are not fully supported in Internet Explorer.
- The high severity vulnerabilities found are related to some small bugs found in the PHP code.
- The rest of the vulnerabilities found are related to performance issues and licensing restrictions.
As far as we could see, Yasca did not show any important security issues regarding SQL injection, which is an important vulnerability type (this could also mean that there simply is no SQL injection vulnerability, but we cannot be sure of that). As for error handling and logging, we are still not sure how a tool can find this type of vulnerability statically.
Conclusion
In the end, it seems that additional plugins are necessary for Yasca to perform a deeper and more precise analysis. At least for our requirements the tool was not helpful.