When I had just graduated, I joined a company with a technical team of more than 200 people. In my first week, while getting familiar with the code, I did an audit and found four high-risk vulnerabilities. Let me tell you about my experience at that time

Preliminary preparation (reconnaissance)

Look at the document

To audit an application, you must at least be familiar with its functional modules and their underlying implementation, and the fastest way is to have ready-made documentation. As a developer, you should go through the project documentation and the documentation of the framework it relies on as early as possible; this keeps paying off throughout the audit

Look at the commit history

The commit history is a direct reflection of the project's recent state. Use the recent commits to see whether every developer has followed the coding conventions; people who ignore the conventions write code with many bugs

You can also search the commit messages for keywords such as "fix" to see which problems have been fixed and how, which gives you a sense of the project's health and the level of its developers

Set up the project and scan it with a scanner

This will give you an idea of the project's directory structure, its security posture, and so on, as well as which functional modules and priorities to focus on

Start the audit

Search for primitive and outdated code

My definition of primitive and outdated code is code that does not use the functions the framework already wraps, but calls the underlying primitive directly, or reinvents the wheel badly

For example, a PHP framework such as CodeIgniter already wraps access to GET and POST variables:

$this->input->post()

$this->input->get()

If code using the $_POST and $_REQUEST superglobals still shows up, it proves the developer does not follow the conventions. The reason for not following the conventions is a low development level, and people at a low level easily write vulnerabilities, so the analysis can start from these positions

In the CodeIgniter framework, the functions

$this->input->post()

$this->input->get()

take an optional second argument that turns on XSS filtering, but it defaults to false, that is, no filtering… So write a regex to look for calls where the second argument is omitted or false, then trace the data to see whether it is filtered later, and so on

Search SQL statements

In a project built on a framework, database access generally goes through the API the framework provides rather than hand-concatenated SQL statements. If raw SQL statements appear in the code, they were most likely written by someone who does not follow the conventions; as before, such a person's level is usually not good, and they easily forget filtering

And most developers who concatenate SQL statements by hand will name the variable sql, or XXXsql

So the search area is the business code containing the word "sql": trace back whether the concatenated parts are parameterized queries, if not whether they are controlled by the user, and whether they are defensively filtered
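A triage scanner for the two searches described above (unfiltered framework input calls and raw superglobals from the previous section, hand-built SQL from this one), written here as an added example and not taken from the original post. The regexes are heuristics of my own choosing, the smell labels are mine, and the PHP sample is constructed.

```python
import re
from typing import List, Tuple

# Heuristic patterns for the smells above (my own, not from the post).
RAW_SUPERGLOBAL = re.compile(r"\$_(?:GET|POST|REQUEST)\s*\[")
# $this->input->get()/post() with the XSS-filter argument omitted or false.
UNFILTERED_INPUT = re.compile(
    r'\$this->input->(?:get|post)\(\s*(?:["\'][^"\']*["\'])?\s*(?:,\s*false)?\s*\)',
    re.IGNORECASE,
)
# Assignment or append to a variable whose name contains "sql" ...
SQL_ASSIGN = re.compile(r"\$\w*sql\w*\s*\.?=(?!=)\s*(?P<rhs>.+)", re.IGNORECASE)
# ... whose right-hand side embeds another PHP variable (concatenated or interpolated).
PHP_VAR = re.compile(r"\$\w+")

def scan_php(source: str) -> List[Tuple[int, str]]:
    """Return (line number, smell) pairs for a reviewer to trace by hand."""
    findings = []
    for lineno, line in enumerate(source.splitlines(), 1):
        if RAW_SUPERGLOBAL.search(line):
            findings.append((lineno, "raw superglobal"))
        if UNFILTERED_INPUT.search(line):
            findings.append((lineno, "input without XSS filter arg"))
        m = SQL_ASSIGN.search(line)
        if m and PHP_VAR.search(m.group("rhs")):
            findings.append((lineno, "hand-built SQL with variable"))
    return findings

# Constructed PHP sample mixing framework-conformant and smelly lines.
SAMPLE_PHP = """<?php
$name = $this->input->post('name', TRUE);   // filtered: not flagged
$bio  = $this->input->post('bio');          // default false: flagged
$ref  = $this->input->get('ref', false);    // explicit false: flagged
$uid  = $_REQUEST['uid'];                   // raw superglobal: flagged
$sql  = "SELECT * FROM users WHERE id = " . $uid;
$sql .= " AND name = '$name'";
$rows = $this->db->get_where('users', array('id' => $uid)); // framework API
"""

if __name__ == "__main__":
    for lineno, smell in scan_php(SAMPLE_PHP):
        print(f"line {lineno}: {smell}")
```

Expect false positives (a $mysqli handle, for instance); the output is a list of places to trace by hand, not a verdict.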

Look for the rich text input box

Rich text filtering, no matter how experienced the programmer, can never be tight enough; far too many vulnerabilities can be mined from rich text, such as interface hijacking

For rich text filtering in PHP, HTML Purifier does the best job; for other languages, look at the remediation suggestions for the XSS vulnerability type shown on the platform when you submit a vulnerability

If a PHP program exposes rich text input fields to front-end users and, instead of using HTML Purifier, chooses to write its own filter or copy one from a less secure framework, the probability of vulnerabilities is very high

Check API semantics and specifications

According to semantics and conventions, read interfaces are requested using GET and write interfaces are requested using POST

Mature frameworks on the market have global CSRF defenses, but generally only for POST operations

If you find an interface that performs a write operation but is not requested with POST, it was definitely written by someone who does not read the specification, and this kind of interface usually has CSRF and other problems

For complex functions, first blindly mutate the HTTP packets, then read the code

Business functions with complex logic usually involve many interactive steps, and the code is very complex; reading it directly is dizzying. It is better to first change all the submitted parameters and return values and see whether errors or other information appear; if everything looks normal, then go read the code

In fact, this kind of function has the most logic problems, such as overstepping authority (broken access control)

Dangerous functions

This first depends on your understanding of the language used in the project, its overall architecture, its size, and where the dangerous functions sit. Functions exist to be used, but if you use one in the wrong place, or where the user input is controllable, that is a problem

Take system command execution as an example: it is not forbidden, but if an e-commerce shopping function built on a traditional web framework calls exec to set up a scheduled task, then barring special reasons I will definitely send it back to be redone

Keep in mind that starting a new process is expensive, and under concurrency the CPU usage will make you suffer. Anyone who can come up with this scheme does not even understand blocking: executing a system command blocks by default in many language environments and hurts system performance, and if you open multiple threads to deal with it, you get into thread pools, because you cannot open as many threads as you like

In general, dangerous functions are mostly a PHP topic because of its rich function behaviour and features, but I will not say more now that PHP is losing its share

Checking whether the dependencies have been updated to the latest version needs no explanation. The dependencies in front of you may not match the test environment, or may not match every server online, but you are just auditing and doing what you can…

Talk to developers to see what’s going on

This is outside the scope of code audit, but if you know a developer, auditing his code around his weak points is a good approach

Such as

Under concurrent scenario, how to ensure the consistency of commodity inventory

What is the locking mechanism of MySQL

What features do you use in Redis

What queue components are used in the project and in what scenarios

A person who does not understand locking mechanisms or queues will certainly write concurrency problems into their code. If you let him develop write-operation scenarios of the grab / claim / limited-quantity kind, there will be dirty reads or dirty writes, resulting in a vulnerability where one person can grab multiple times
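The dirty-write window described above, reproduced deterministically as an added example (mine, not code from the post): the naive version checks the stock and then decrements it in two statements, the fixed version does both in one conditional UPDATE. The coupon table, the stock of 1 and the two users are constructed; the same check-then-act gap applies to a per-user limit, which is what lets one person grab more than once.

```python
import sqlite3
from typing import Generator, List, Tuple

# Constructed example: a single coupon row with a small stock.
def make_db(stock: int) -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE coupon (id INTEGER PRIMARY KEY, stock INTEGER NOT NULL)")
    conn.execute("INSERT INTO coupon (id, stock) VALUES (1, ?)", (stock,))
    return conn

# Each grab is a generator; 'yield' marks where another request may run in
# between. The return value says whether this request got a coupon.
def naive_grab(conn: sqlite3.Connection) -> Generator[None, None, bool]:
    # Check-then-act in two statements: the dirty-write window.
    (stock,) = conn.execute("SELECT stock FROM coupon WHERE id = 1").fetchone()
    yield
    if stock <= 0:
        return False
    conn.execute("UPDATE coupon SET stock = ? WHERE id = 1", (stock - 1,))
    return True

def atomic_grab(conn: sqlite3.Connection) -> Generator[None, None, bool]:
    # Check and decrement in one conditional UPDATE; the database serialises
    # it, so stock never goes below zero however requests interleave.
    cur = conn.execute("UPDATE coupon SET stock = stock - 1 WHERE id = 1 AND stock > 0")
    yield
    return cur.rowcount == 1

def run_interleaved(conn, grab, users: List[str]) -> Tuple[List[str], int]:
    # Worst-case schedule: every request reads before any request writes.
    gens = [grab(conn) for _ in users]
    for g in gens:
        next(g)
    winners = []
    for user, g in zip(users, gens):
        try:
            next(g)
        except StopIteration as done:
            if done.value:
                winners.append(user)
    (stock,) = conn.execute("SELECT stock FROM coupon WHERE id = 1").fetchone()
    return winners, stock

if __name__ == "__main__":
    print(run_interleaved(make_db(1), naive_grab, ["alice", "bob"]))   # two winners for one coupon
    print(run_interleaved(make_db(1), atomic_grab, ["alice", "bob"]))  # exactly one winner
```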

Welcome to join the newly opened communication group. Its purpose is to communicate and solve problems; no recruiting or idle chat, please