Tracing Webapp Exploitability Through Code Review and Taint Analysis by Dana Epp

Tracing web applications exploitability through code review and taint analysis involves examining the application’s source code for potential security vulnerabilities and analyzing how user input is handled throughout the application’s code base.

Code review involves reviewing the application’s source code line by line to identify any security flows, such as SQL injection, cross-site scripting (XSS), or command injection. It is essential to identify any areas where user input is accepted and processed, as these areas are often the source of security vulnerabilities.

Taint analysis is a technique that tracks the flow of user input throughout the application's codebase. Taint analysis helps to identify potential vulnerabilities by tracing how user input is propagated and used within the application’s code. For example, if user input is used to construct a SQL query, taint analysis can be used to determine whether the input is properly sanitized before being used in the query. If not, the application may be vulnerable to SQL injection.

By combining code review and taint analysis, you can identify potential security vulnerabilities in web applications and determine the exploitability of those vulnerabilities. Once vulnerabilities are identified, they can be prioritized based on their potential impact and likelihood of exploitation. This Information can be then used to develop a plan to address the vulnerabilities, which may include code changes, additional security controls, or other mitigations.

Host:

Dana Epp spent decades as a security architect focusing on helping secure software, data and infrastructure. You might say he’s been on and led Blue and Red Teams well before it was even a thing. He built and sold several software companies focused on securing the ever changing landscape of IT, both on-premises and in the cloud. He is the founder and CTO of small startups with a handful of developers all the way to managing teams with hundreds of developers from all around the world.

Through all of that, what drives me is making sure information and information resources are kept secure. No matter what the size of the organization. Nor who is ultimately responsible for managing it. As both a Microsoft Regional Director and a Microsoft Security MVP for over 17 years, Dana spent a great deal of time on security (de)engineering in the cloud.

Lately, he’s on Purple team (A purple team is a group of cyber security professionals who simulate malicious attacks and penetration testing in order to identify security vulnerabilities and recommend radiation strategies for an organization’s IT infrastructure), shifting more on his offensive tradecraft to help developers and IT administrators see the demonstrable impact of exploitation on vulnerabilities in their work.

As the world of hybrid computing shifts more IT resources away from the office, it's clear more effort is needed to educate both administrators and developers on how to build safe, decoupled systems in the cloud. He helps people find and fix vulnerabilities in their apps and architecture before their adversaries do.

What is Code Review and why is it important?

Code review is the process of examining software source code to identify defects, security vulnerabilities, and opportunities for improvement. It involves reviewing the code line by line, looking for issues such as syntax errors, logical errors, and code that may not follow best practices.

Code review is an important aspect of software development because it can help to improve the quality and security of the software being developed. Specifically, code review offers the following benefits:

  1. Improved software quality: By reviewing code, developers can identify and fix defects and issues before they are released to the public. This can improve the overall quality of the software and reduce the number of bugs that are reported by end-users.
  2. Reduce development time and cost: Catching issues earlier in the development process can reduce the amount of time and resources required to fix them later. This can save money and reduce development time.
  3. Improved security: Code review can help identify security vulnerabilities that may be present in the software. By addressing these vulnerabilities early in the development process, developers can reduce the risk of security breaches and protect user’s sensitive data.
  4. Knowledge sharing and collaboration: Code review provides an opportunity for developers to share knowledge and collaborate with one another. By reviewing each other’s code, developers can learn from one another and improve their coding skills.

In summary, code review is an important process in software development that can improve the quality of the software.

For a comprehensive code review guide, a helpful source from OWASP(Open Worldwide Application Security Project) can be found here.

Source and Sink

In the context of software security, “source” and “sink” refer to the origin and destination of data that flows through a program.

A source is a point in the program where data is generated or received, such as user input from a form or data read from a file. Sources can be either trusted or untrusted, depending on the context. For example, data entered by a user may be considered an untrusted source because it can potentially contain malicious input.

A sink is a point in the program where data is consumed or output, such as database query or an HTTP response. Sinks can also be either trusted or untrusted, depending on the context. For example, a sink that performs database queries may be considered a trusted sink if it properly sanitizes input or prevents SQL injection attacks.

The flow of data between sources and sinks is known as a data flow. Data flows are important to understand in the context of software security because they can be used to identify potential vulnerabilities. For example, if untrusted user input flows directly into a trusted sink without proper validation or sanitation, it may be possible for an attacker to manipulate the input and execute a malicious payload.

To prevent these types of vulnerabilities, it is important to identify all sources and sinks in a program and implement appropriate security measures to ensure that data flows are properly validated, sanitized, and controlled. This may involve input validation, output encoding, access control, and secure communication, among other measures.

In the context of software security, a “source” is a piece of code that provides input to a system or application, while a “sink” is a place of code that receives input from a source and potentially exposes a security vulnerability.

While reviewing code for security vulnerabilities, it’s important to look for any potential source and sinks, and to consider how they interact with each other. Here are some key things to look for:

  1. Unsanitized input: if a source provides unsanitized input to a sink, it could potentially lead to a security vulnerability. For example, if a user-entered value is passed directly to a SQL query without proper sanitation, it could allow an attacker to perform SQL injection.
  2. Overly permissive input: Even if input is sanitized, if a source provides overly permissive input to a sink, it could still lead to a vulnerability. For example, if a user is allowed to provide a file name that is then used to open a file, they could potentially use a path traversal attack to access files they shouldn’t be able to access
  3. Trust boundaries: It’s important to consider trust boundaries when looking at source and sinks. For example, if a source is outside of trust boundaries (such as user input from a web form), and that input is used in a sensitive context (such as a password reset email), it could lead to a vulnerability.
  4. Context information: It’s important to consider the context in which a source and sink are used. For example, if a source is used to provide input to a sink in a loop, it could potentially lead to a vulnerability if the loop runs too many times or under certain conditions.

Overall, when reviewing code for security vulnerabilities, it is important to consider how source and sinks interact with each other, and to look for any potential vulnerabilities that could be introduced as a result of that interaction.

Static Application Security Testing (SAST) code review.

Static Application Security Testing (SAST) is a type of code analysis that is used to identify security vulnerabilities in software applications. It involves analyzing the source code of an application of potential vulnerabilities, without actually executing the code.

SAST code review tools analyze code line by line, looking for patterns that indicate security vulnerabilities. These tools can detect vulnerabilities such as buffer overflows, SQL injection, cross-site scripting (XSS), and other security vulnerabilities that can leave an application open to attack.

Some potential benefit of SAST code review include:

  1. Early detection of security vulnerabilities: Can detect vulnerabilities early in the development process, allowing developers to to fix them before they become more costly and time-consuming to address.
  2. Consistency in security standards: Applies a consistent set of security standards to code, ensuring that all code is checked for vulnerabilities in the same way.
  3. Cost-effectiveness: A cost-effective way to find security vulnerabilities in code. It requires fewer resources than other types of testing, such as penetration testing.

Some potential limitations of SAST code review include:

  1. False positives: SAST code review tools can sometimes flag code as being vulnerable when it is not. This can lead to wasted time and effort for developers who need to investigate and address false positives.
  2. Limited coverage: SAST code review tools may not detect all types of security vulnerabilities. They are particularly good at finding code-level vulnerabilities, but may not be as effective at detecting vulnerabilities related to configuration, environment, or network settings.

Overall, SAST code review is an important part of a comprehensive software security program. It can help to identify security vulnerabilities early in the development process, and can provide a consistent set of security standards for all code. However, it should be used in conjunction with other other types of testing, such as penetration testing and dynamic application security testing, for the best results.

Just because a source may be tainted does not mean it can be exploited.

Just because a source may contain potentially malicious input, does not necessarily mean it can be exploited. . It depends on how the tainted input is processed and how it interacts with other parts of the application.

For example, if the application properly sanitizes the tainted input before using it in sensitive operations such as database queries or systems commands, it may not be possible for an attacker to exploit the tainted input. Similarly, if the application correctly validates the input to ensure that it conforms to expected formats and ranges, it may not be vulnerable to attacks that rely on malformed or out-of-range input.

However, if the application does not properly sanitize or validate the tainted input, it could potentially be vulnerable to various types of attacks, such as SQL injection, cross-site scripting (XSS), or command injection. In these cases, an attacker may be able to inject malicious input that bypasses the application’s security mechanisms and allows them to execute unauthorized actions or access sensitive data.

Therefore, it’s important to treat tainted input as a potential security risk and to take appropriate measures to mitigate that risk, such as proper sanitization, validation, and parameterization of user input.

Tools related to tracing website application exploitability:

Semgrep:

Semgrep is a free and open source static analysis tool that is designed to help developers find and fix security issues and programming errors in their source code. It is a modern and easy-to-use tool that can be integrated into the software development lifecycle (SDLC) to provide continuous security feedback and improve code quality.

Semgrep uses a powerful pattern matching engine to scan source code and identify potential issues based on a set of pre-defined or custom rules. It supports a wide range of programming languages, including Python, JavaScript, Java, C++, and many more.

Burp Suite:

Burp Suite is a popular and widely used web application security testing tool that is designed to help security professionals test the security of web applications. It is developed by PortSwigger, a company that specializes in web application security tools.

Burp Suite provides range of features and capabilities for testing web applications, including:

  1. Intercepting and modifying HTTP requests and responses: Burp Suite allows users to intercept and modify HTTP requests and responses between the client and server. This makes it possible to manipulate and test the behavior of web applications and identify vulnerabilities such as cross-site scripting (XSS) and SQL injection.
  2. Scanning web applications for vulnerabilities: It can scan web applications for vulnerabilities such as SQL injection, cross-site scripting (XSS), and file inclusion vulnerabilities. It provides detailed reports and analysis of vulnerabilities found during scanning, making it easier for security professionals to prioritize and remediate issues.
  3. Spidering web applications: It can spider web applications to identify all the pages and resources available on the target site. This helps security professionals to identify hidden or forgotten parts of a web application that may contain vulnerabilities.
  4. Brute forcing: It can be used to automate the process of brute forcing credentials, such as usernames and passwords, on web applications that require authentication. This can help identify weak or guessable passwords that could be exploited by attackers.
  5. Session hijacking and management: It can be used to manage and manipulate user sessions on web applications, allowing security professionals to test for vulnerabilities such as session fixation and session hijacking.



Overall, Burp Suite is a powerful and versatile web application security testing tool that can be used by security professionals of all levels of expertise. Its range of features and ease of use make it a popular choice for web application security testing.