Software Security/Group 7/Code Scanning

From Werkplaats

Pixy

Reports a few instances of functions called with extra arguments. Also reports duplicated method definitions in the database-related source files. It can't get the tainting analysis done due to memory issues.

There are two different ways to use Pixy. The first is Pixy online, which is very useful for understanding how it works and which vulnerabilities it tests for: the site explains the techniques used to find vulnerabilities and how they are organised. You can paste a copy of your source code directly into Pixy online if it is not too big, which is very convenient for quickly testing a new function written for a site; you can also upload a file, and after a few seconds the site shows the result. The second way is to download Pixy and run it on a file. To do that, open a command line in the directory of the file you want to test and invoke the tool like this:

C:\path\phpBB2 path\pixy\run-all.bat namefile.php [option]

Optionally you can pass different options, but some of them do not work or are not recognized (such as -y).

PHP-SAT

Installation

PHP-SAT only seems to work correctly when installed using the Nix package manager.

  • Download the Nix package manager for your operating system
  • Add the PHP-SAT channel to Nix and update the channels (the second command needs super-user privileges)
nix-channel --add http://hydra.nixos.org/jobset/psat/php-sat/channel/latest
nix-channel --update
  • You can check the available packages with this command:
nix-env -qa '*'
  • Install PHP-SAT (needs super-user privileges)
nix-env -i php-sat

Now the binaries will be in /nix/var/nix/profiles/default/bin. (You may want to add this to your path.)

Execution

  • You can execute PHP-SAT by typing
php-sat -i login.php -o login.php-sat --extended-output

where login.php is the input and login.php-sat is the output file.

  • In the output file PHP-SAT will mark the vulnerabilities the following way:
 /**
  * PHP-SAT check (Malicious Code CodeVulnerability)
  * Pattern ID : MCV000
  * Description: One of the parameters does not meet his precondition.
  */
 include $phpbb_root_path . 'extension.inc';

One can search for a vulnerability description by the Pattern ID on the page http://www.program-transformation.org/PHP/PhpSatBugPatterns. The patterns that PHP-Sat flags are common mistakes, but not necessarily bad in your situation. You have to decide for yourself whether or not you want to adjust your code.

For this kind of pattern (Malicious Code CodeVulnerability) there is only one Pattern ID, so one must manually check the possibilities listed on this page: http://www.program-transformation.org/PHP/PhpSatMCV000. This is only an indicator that "there may be a security problem"; the additional information on that page is not very helpful.

In the index.php of phpBB2 there are 4 findings with this pattern ID, and one like this:

 /**
  * PHP-SAT check (Correctness)
  * Pattern ID : C006
  * Description: Return value from a function is ignored or not used.
  */
 init_userprefs($userdata);

But this one is not really a security problem.
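Because PHP-SAT writes its findings into the output file as comment blocks (the MCV000 and C006 blocks above), triaging a large file such as index.php-sat by hand means counting blocks and looking up every Pattern ID. The following Python script, an added example that is not part of this page or of PHP-SAT, parses those comment blocks, counts findings per Pattern ID and separates the security-relevant category (Malicious Code CodeVulnerability) from pure correctness findings such as C006. The annotation format is taken from the two blocks quoted on this page; the sample input is a constructed excerpt in that format, and the assumption that every per-pattern page is named PhpSat followed by the Pattern ID (as the MCV000 page linked above is) is mine, not documented by PHP-SAT.

```python
"""Triage helper for PHP-SAT annotated output (added example, not PHP-SAT's own code).

PHP-SAT marks each finding in the output file with a comment block:

    /**
     * PHP-SAT check (Malicious Code CodeVulnerability)
     * Pattern ID : MCV000
     * Description: One of the parameters does not meet his precondition.
     */
    include $phpbb_root_path . 'extension.inc';

This script collects category, Pattern ID, description and the annotated
statement for every block and summarises them per Pattern ID.
"""
import re
from collections import Counter
from dataclasses import dataclass
from typing import List

PATTERN_INDEX = "http://www.program-transformation.org/PHP/PhpSatBugPatterns"
# Assumption: per-pattern pages are named like the MCV000 page (PhpSat + ID).
PATTERN_PAGE = "http://www.program-transformation.org/PHP/PhpSat{pid}"

# Categories that indicate a possible security problem, as opposed to
# correctness findings such as C006 (ignored return value).
SECURITY_CATEGORIES = {"Malicious Code CodeVulnerability"}

# One PHP-SAT comment block followed by the statement it annotates.
BLOCK_RE = re.compile(
    r"/\*\*\s*\n"
    r"\s*\*\s*PHP-SAT check \((?P<category>[^)]*)\)\s*\n"
    r"\s*\*\s*Pattern ID\s*:\s*(?P<pid>\S+)\s*\n"
    r"\s*\*\s*Description\s*:\s*(?P<desc>.*?)\s*\n"
    r"\s*\*/\s*\n"
    r"(?P<code>[^\n]*)"
)


@dataclass(frozen=True)
class Finding:
    category: str
    pattern_id: str
    description: str
    code: str
    line: int  # 1-based line of the annotated statement in the output file

    @property
    def security_relevant(self) -> bool:
        return self.category in SECURITY_CATEGORIES

    @property
    def url(self) -> str:
        return PATTERN_PAGE.format(pid=self.pattern_id)


def parse_phpsat_output(text: str) -> List[Finding]:
    """Return every PHP-SAT finding in the annotated output text."""
    findings = []
    for m in BLOCK_RE.finditer(text):
        line = text.count("\n", 0, m.start("code")) + 1
        findings.append(Finding(m["category"], m["pid"], m["desc"], m["code"].strip(), line))
    return findings


def summarize(findings: List[Finding]) -> Counter:
    """Number of findings per Pattern ID."""
    return Counter(f.pattern_id for f in findings)


def security_findings(findings: List[Finding]) -> List[Finding]:
    """Only the findings whose category points at a possible security problem."""
    return [f for f in findings if f.security_relevant]


# Constructed sample in the shape of a *.php-sat output file: the two blocks
# quoted on this page plus one more MCV000 block and an unannotated statement.
SAMPLE = """<?php
/**
 * PHP-SAT check (Malicious Code CodeVulnerability)
 * Pattern ID : MCV000
 * Description: One of the parameters does not meet his precondition.
 */
include $phpbb_root_path . 'extension.inc';
/**
 * PHP-SAT check (Malicious Code CodeVulnerability)
 * Pattern ID : MCV000
 * Description: One of the parameters does not meet his precondition.
 */
include $phpbb_root_path . 'common.' . $phpEx;
$some_value = 1;
/**
 * PHP-SAT check (Correctness)
 * Pattern ID : C006
 * Description: Return value from a function is ignored or not used.
 */
init_userprefs($userdata);
"""

if __name__ == "__main__":
    found = parse_phpsat_output(SAMPLE)
    for pid, n in summarize(found).most_common():
        print(f"{pid}: {n} finding(s), see {PATTERN_PAGE.format(pid=pid)}")
    for f in security_findings(found):
        print(f"line {f.line}: [{f.pattern_id}] {f.code}")
    print(f"Pattern index: {PATTERN_INDEX}")
```

Run it on a real output file with `parse_phpsat_output(open("login.php-sat").read())`; the per-line list of security-relevant findings is what you then check by hand against the MCV000 page, while the correctness findings can be reviewed separately or ignored for a security assessment.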

Fortify

Risk level   Number of vulnerabilities
Critical     3543
High         2488
Medium          1
Low            56

Reports numerous problems:

  • error_reporting turned on for admin pages
  • insecure randomness (high)
  • md5 is a weak cryptographic hash (low)
  • cookie security (low)
  • path manipulation (critical, high)
  • header manipulation (high)
  • system information leak (low)
  • password management and empty password (might be important for our topic) (high, low)
  • cross-site scripting (critical, high, medium, low)
  • SQL injection (critical, high)
  • dangerous file inclusion (critical, high)
  • dynamic code evaluation: code injection (high)
  • privacy violation (high)

We note that 60% of the critical issues are SQL injections and that 20% of the high issues are also SQL injections. There are 924 critical issues for "Dangerous file inclusion" and 23 for "path manipulation"; these two categories are interesting for us for the access control requirement (V4). The header manipulation might also be interesting for us.