When I had just graduated, I joined a company with a technical team of more than 200 people. In my first week, while getting familiar with the code, I did an audit and found four high-risk vulnerabilities. Let me tell you about my experience at that time.
Preliminary preparation (getting to know the project)
Look at the documentation
To audit an application you need to be at least familiar with its functional modules and their underlying implementation, and ready-made documentation is the fastest way to get there. As a developer, the first thing you should do is go through the project documentation and the documentation of the framework it relies on; this keeps paying off throughout the audit.
Look at the commit history
The commit history is a direct reflection of the recent state of the project. Go through recent commits to see whether every developer has followed the coding conventions. People with sloppy coding habits write code with a high bug density.
You can also search the commit messages for words such as fix to see what problems have been fixed and how they were fixed, which gives a sense of the project's health and of the developers' level.
Set up the project and run a scanner over it
This gives you an idea of the project's directory structure, its security posture, and which functional modules and priorities to focus on.
Start the audit
Search for primitive and outdated code
My definition of primitive and outdated code: the function that the framework wraps is not used, and instead the developer calls the underlying facility in the most raw way possible, or reinvents the wheel badly.
For example, a PHP framework such as CodeIgniter already wraps access to GET and POST variables:
$this->input->post()
$this->input->get()
If the code still uses the $_POST and $_REQUEST superglobals directly, that proves the developer does not follow the conventions. The reason for not following the conventions is a low skill level, and a low skill level makes it easy to write vulnerabilities. The analysis can start from these spots.
Take CodeIgniter's
$this->input->post()
$this->input->get()
functions as an example.
The second argument is optional and enables XSS filtering, but it defaults to false, meaning no filtering. So write a regex to look for calls where the second argument is omitted or false, then trace each one to see whether the value is filtered later, and so on.
Search for SQL statements
When a project uses a framework, it will generally use the database API provided by the framework rather than concatenating SQL statements directly. If there are raw SQL statements in the code, they were most likely written by someone who does not follow the conventions; as before, such people's skill level is usually not good, and it is easy for them to forget filtering.
Most developers who concatenate SQL statements by hand will name the variable sql, or xxxSql.
So the search scope is the business code that contains the word SQL. For each hit, trace back to check whether the concatenated parts use parameterized queries; if not, whether they are controllable by the user, and whether they are defensively filtered.
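The two searches just described (raw superglobals, CodeIgniter input calls with the XSS flag omitted or false, and hand-concatenated SQL) can be scripted. The following is an added example written for this post, not code from the original article or from any real project: a small line-oriented scanner run over a constructed CodeIgniter-style controller embedded in the script. The regexes are deliberately crude (they ignore multi-line calls and treat everything after `//` as a comment), which is fine for producing a list of lines to trace by hand.

```python
from __future__ import annotations
import re

# Constructed CodeIgniter-style controller used as audit input (not from any real project).
PHP_SAMPLE = """<?php
class User extends CI_Controller {
    public function profile() {
        $name = $this->input->post('name');                 // second argument omitted
        $bio  = $this->input->post('bio', TRUE);            // XSS filter requested
        $page = $this->input->get('page', FALSE);           // filter explicitly disabled
        $id   = $_GET['id'];                                // raw superglobal, bypasses the framework
        $sql  = "SELECT * FROM users WHERE id = " . $id;    // hand-concatenated SQL
        $rows = $this->db->query($sql);
        $safe = $this->db->query("SELECT * FROM users WHERE id = ?", array($id));
        echo $name;
    }
}
"""

RAW_SUPERGLOBAL = re.compile(r"\$_(POST|GET|REQUEST)\b")
INPUT_CALL = re.compile(r"\$this->input->(post|get)\(([^)]*)\)")
# a SQL keyword, then a closing quote immediately followed by '. $' (string concatenation of a variable)
SQL_CONCAT = re.compile(r"(?i)\b(select|insert|update|delete)\b[^;]*[\"']\s*\.\s*\$")


def unfiltered_input(line: str) -> bool:
    """True when $this->input->post()/get() is called without the XSS-filter flag set."""
    for m in INPUT_CALL.finditer(line):
        args = [a.strip() for a in m.group(2).split(",")]
        if len(args) < 2 or args[1].lower() in ("false", "null", ""):
            return True
    return False


def audit_php(source: str) -> list[tuple[int, str, str]]:
    """Return (line number, rule name, line text) for every line that deserves a manual trace."""
    findings = []
    for n, line in enumerate(source.splitlines(), start=1):
        code = line.split("//", 1)[0]  # drop trailing // comments (crude: breaks on "http://")
        if RAW_SUPERGLOBAL.search(code):
            findings.append((n, "raw-superglobal", line.strip()))
        if unfiltered_input(code):
            findings.append((n, "unfiltered-input", line.strip()))
        if SQL_CONCAT.search(code):
            findings.append((n, "sql-concat", line.strip()))
    return findings


if __name__ == "__main__":
    for n, rule, text in audit_php(PHP_SAMPLE):
        print(f"line {n:>3}  {rule:<17} {text}")
```

Running it against the sample flags line 4 (second argument omitted), line 6 (filter explicitly false), line 7 (raw superglobal) and line 8 (concatenated SQL), and stays silent on the filtered call on line 5 and the parameterized query on line 10. To use it on a real tree, walk the directory and feed each .php file to audit_php.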
Look for rich text input boxes
Rich text filtering is never tight enough, no matter how experienced the programmer; far too many vulnerabilities can be mined from rich text, such as interface hijacking.
For rich text filtering in PHP, HTML Purifier does it best. For other languages, look at the repair suggestions the vulnerability-reporting site shows for the XSS vulnerability type when you submit a vulnerability.
If a PHP program exposes rich text input fields to front-end users and, instead of using HTML Purifier, writes its own filter or copies one from a less secure framework, the probability of a vulnerability is very high.
Check API semantics and conventions
By semantics and convention, read interfaces are requested with GET and write interfaces are requested with POST.
Mature frameworks on the market have global CSRF defenses, but generally only for POST operations.
If you analyze an interface that performs a write operation but does not require a POST request, it was definitely written by someone who doesn't read the conventions, and this kind of interface usually has CSRF and other problems.
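One way to find those write-without-POST interfaces statically, as an added example that is not part of the original post: split each controller into methods by brace counting, and report any method that calls a database write API but never inspects the HTTP method. The controller below is constructed for the example; the guard it looks for is CodeIgniter's $this->input->method() or a direct $_SERVER['REQUEST_METHOD'] check. Raw $this->db->query() calls are not classified, so a write hidden in a query string still needs the SQL search from the earlier section.

```python
from __future__ import annotations
import re

# Constructed CodeIgniter-style controller (not from a real project): one read method,
# one write method reachable by any HTTP verb, one write method that enforces POST.
CONTROLLER_SAMPLE = """<?php
class Account extends CI_Controller {
    public function show($id) {
        $row = $this->db->get_where('accounts', array('id' => $id))->row();
        echo json_encode($row);
    }
    public function remove($id) {
        $this->db->delete('accounts', array('id' => $id));
    }
    public function rename($id) {
        if ($this->input->method() !== 'post') {
            show_error('POST required', 405);
            return;
        }
        $name = $this->input->post('name', TRUE);
        $this->db->update('accounts', array('name' => $name), array('id' => $id));
    }
}
"""

METHOD_START = re.compile(r"function\s+(\w+)\s*\([^)]*\)\s*\{")
WRITE_CALL = re.compile(r"->(insert|insert_batch|update|update_batch|delete|replace)\(")
METHOD_GUARD = re.compile(r"input->method\(|\$_SERVER\['REQUEST_METHOD'\]")


def split_methods(source: str) -> dict[str, str]:
    """Map method name -> body text, found by counting braces from each 'function name(...) {'."""
    methods = {}
    for m in METHOD_START.finditer(source):
        depth, i = 1, m.end()
        while i < len(source) and depth:
            depth += {"{": 1, "}": -1}.get(source[i], 0)
            i += 1
        methods[m.group(1)] = source[m.end():i - 1]  # body without the closing brace
    return methods


def unguarded_writes(source: str) -> list[str]:
    """Methods that call a write API but never check the HTTP method: CSRF-over-GET candidates."""
    return sorted(name for name, body in split_methods(source).items()
                  if WRITE_CALL.search(body) and not METHOD_GUARD.search(body))


if __name__ == "__main__":
    for name in unguarded_writes(CONTROLLER_SAMPLE):
        print(f"write operation without HTTP method check: {name}()")
```

On the sample only remove() is reported: show() performs no write, and rename() rejects anything that is not a POST before touching the database. A method guard is the minimum the post asks for; whether the framework's CSRF token is actually enabled for that POST route is the next thing to verify in the configuration.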
For complex functions, first blindly tamper with the HTTP packets, then read the code
Functions with complex business logic usually involve many interactive steps and very complex code, and reading it straight away quickly makes you dizzy. It is better to first modify every submitted parameter and return value and see whether errors or other information show up; if everything looks normal, then go and read the code.
In fact, logic problems, such as privilege escalation (acting beyond one's authority), are most common in this kind of function.
Dangerous functions
This first depends on your understanding of the language used in the project, the overall architecture, the size of the project, and where the dangerous functions sit. Functions exist to be used, but if you use them in the wrong place, or if user input can control them, that is a problem.
Take system command execution as an example. It is not forbidden, but if in an e-commerce shopping function built on a traditional web framework you tell me you added an exec to start a scheduled task, barring anything else I will definitely send you back to redo it.
Keep in mind that starting a new process is expensive and eats CPU under concurrency. Anyone who would pick this scheme doesn't even understand blocking: executing a system command blocks by default in many language environments and hurts system performance, and if you open multiple threads to handle it you are into thread pools, because you cannot open as many threads as you like.
In general, dangerous-function hunting targets PHP because of its rich function behaviours and features, but I won't say more now that PHP is losing its share.
There is nothing much to say about checking whether dependencies have been updated to the latest versions; the dependencies may not match the test environment, or may not be consistent across all online servers, but you are only auditing and doing your best…
Talk to developers to see what's going on
This is outside the scope of a code audit, but if you know a developer, auditing their code with their weaknesses in mind is a good shot.
For example:
Under a concurrent scenario, how do you ensure the consistency of commodity inventory?
What is the locking mechanism of MySQL?
What features do you use in Redis?
What queue components are used in the project, and in what scenarios?
A person who does not understand locking mechanisms and does not know queues will certainly have concurrency problems in their code. If they are the one developing a write-heavy scenario such as grabbing, claiming or quota-limited operations, there will surely be dirty-read or dirty-write vulnerabilities, resulting in one person being able to grab multiple times.
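The inventory question above, as an added example that is not part of the original post. The script models the two ways a "grab" endpoint can decrement stock: the naive read-check-write pattern (read the stock, decide in application code, overwrite the column) and a single conditional UPDATE in which the check and the decrement happen together under the row lock. SQLite stands in for MySQL here so the script runs offline; the same UPDATE ... WHERE stock > 0 statement behaves the same way in MySQL, and SELECT ... FOR UPDATE inside a transaction or a Redis DECR are the other standard answers to the interview question. The race is reproduced deterministically by letting every request read before any of them writes, the worst-case interleaving rather than a thread scheduler.

```python
import sqlite3


def fresh_db(stock: int) -> sqlite3.Connection:
    """In-memory table with one product; SQLite stands in for the MySQL table discussed in the post."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE goods (id INTEGER PRIMARY KEY, stock INTEGER NOT NULL)")
    conn.execute("INSERT INTO goods (id, stock) VALUES (1, ?)", (stock,))
    conn.commit()
    return conn


def naive_read(conn: sqlite3.Connection, gid: int = 1) -> int:
    """First half of read-check-write: fetch the stock the application will decide on."""
    return conn.execute("SELECT stock FROM goods WHERE id = ?", (gid,)).fetchone()[0]


def naive_write(conn: sqlite3.Connection, seen: int, gid: int = 1) -> bool:
    """Second half: decide on the value read earlier, then overwrite the column with seen - 1."""
    if seen <= 0:
        return False
    conn.execute("UPDATE goods SET stock = ? WHERE id = ?", (seen - 1, gid))
    conn.commit()
    return True


def simulate_naive(stock: int, requests: int) -> tuple[int, int]:
    """Worst-case interleaving: every request reads before any of them writes.
    Returns (number of successful grabs, stock left in the table)."""
    conn = fresh_db(stock)
    seen = [naive_read(conn) for _ in range(requests)]
    successes = sum(naive_write(conn, s) for s in seen)
    return successes, naive_read(conn)


def grab_atomic(conn: sqlite3.Connection, gid: int = 1) -> bool:
    """Conditional decrement: check and write are one statement, so a lost update is impossible."""
    cur = conn.execute("UPDATE goods SET stock = stock - 1 WHERE id = ? AND stock > 0", (gid,))
    conn.commit()
    return cur.rowcount == 1  # zero rows affected means the stock was already gone


def simulate_atomic(stock: int, requests: int) -> tuple[int, int]:
    """Same request count through the atomic path; ordering no longer matters."""
    conn = fresh_db(stock)
    successes = sum(grab_atomic(conn) for _ in range(requests))
    return successes, naive_read(conn)


if __name__ == "__main__":
    print("naive,  stock 1, 3 requests:", simulate_naive(1, 3))   # 3 grabs succeed on 1 item
    print("naive,  stock 5, 3 requests:", simulate_naive(5, 3))   # 3 sold but only 1 decrement
    print("atomic, stock 1, 3 requests:", simulate_atomic(1, 3))  # exactly 1 grab succeeds
```

With one item in stock and three interleaved requests the naive path reports three successful grabs, which is the "one person grabs multiple times" vulnerability; with five in stock it sells three but records only one decrement, the dirty write side of the same bug. The atomic path never sells more than the stock regardless of interleaving, so in an audit the thing to look for is a SELECT followed by an application-side check and a plain UPDATE, with no transaction, row lock or conditional WHERE around it.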