Beispiel #1
0
        public void SanitizationPropagateTaintedArgsAndAnalyzeWithReturn_ShouldCreateTwoVulns()
        {
            string phpcode     = @"<?php
$dbConnection = mysqli_connect(""localhost"",""root"",""1234"",""SomeDB"");

$test = $_REQUEST['test'];

$sql = ""SELECT * FROM someTable WHERE id="" . $test;
$sqlQuery = mysqli_query($dbConnection, $sql);

echo $test;

$test = mysqli_real_escape_string($dbConnection, $test);
$sql = ""SELECT * FROM someTable WHERE id="" . $test;
$sqlQuery = mysqli_query($dbConnection, $sql);

$test = htmlentities($test);
echo $test;

$sqlQuery = mysqli_query($db, ""SELECT * FROM someTable WHERE id="" . $test);
?>";
            var    vulnStorage = new ReportingVulnerabilityStorage(new Mock <IVulnerabilityReporter>().Object,
                                                                   new FunctionsHandler(new FuncSpecConfiguration(new List <string>(), new List <string>())));

            ParseAndAnalyze(phpcode, vulnStorage);
            Assert.AreEqual(2, vulnStorage.DetectedVulns.Count);
            Assert.NotNull(vulnStorage.Vulnerabilities.First(x => x.Message.ToUpper().Contains("SQL")));
            Assert.NotNull(vulnStorage.Vulnerabilities.First(x => x.Message.ToUpper().Contains("XSS")));
        }
Beispiel #2
0
        public void UnknownFunctionTest_NoTaintedInput()
        {
            string phpCode     = @"<?php echo hello('fisk'); ?>";
            var    vulnStorage = new ReportingVulnerabilityStorage(new Mock <IVulnerabilityReporter>().Object,
                                                                   new FunctionsHandler(new FuncSpecConfiguration(new List <string>(), new List <string>())));

            ParseAndAnalyze(phpCode, vulnStorage);
            Assert.AreEqual(0, vulnStorage.Vulnerabilities.Count());
        }
Beispiel #3
0
        public void StoredVulns_TempSanitize(string phpCode, int vulns)
        {
            var reporter    = new Mock <IVulnerabilityReporter>();
            var vulnStorage = new ReportingVulnerabilityStorage(reporter.Object, new FunctionsHandler(new FuncSpecConfiguration(new List <string>(), new List <string>())));

            ParseAndAnalyze(phpCode, vulnStorage);
            vulnStorage.CheckForStoredVulnerabilities();

            reporter.Verify(x => x.ReportStoredVulnerability(It.IsAny <IVulnerabilityInfo[]>()), Times.Exactly(vulns));
        }
Beispiel #4
0
        public void UnknownFunctionTest_ShouldCreateOneError()
        {
            string phpCode     = @"<?php echo hello($_GET['test']); ?>";
            var    vulnStorage = new ReportingVulnerabilityStorage(new Mock <IVulnerabilityReporter>().Object,
                                                                   new FunctionsHandler(new FuncSpecConfiguration(new List <string>(), new List <string>())));

            ParseAndAnalyze(phpCode, vulnStorage);
            Assert.AreEqual(1, vulnStorage.DetectedVulns.Count);
            Assert.True(vulnStorage.Vulnerabilities.First().Message.ToUpper().Contains("XSS"));
        }
Beispiel #5
0
        public void ReportedVarName()
        {
            string phpCode = @"<?php 
$x = $_GET['a'];
$y = 2;
echo $y . $x;";

            var vulnStorage = new ReportingVulnerabilityStorage(new Mock <IVulnerabilityReporter>().Object,
                                                                new FunctionsHandler(new FuncSpecConfiguration(new List <string>(), new List <string>())));

            ParseAndAnalyze(phpCode, vulnStorage);

            Assert.IsTrue(vulnStorage.Vulnerabilities.First().Message.Contains("variable: x "));
        }
Beispiel #6
0
        public void StoredVulnInFunction()
        {
            string phpCode     = @"<?php $test = 'INSERT INTO products (product_name) VALUES (' . $_GET['test'] . ')';
                                     mysql_query($test);
                                     $result = mysql_query('SELECT product_name FROM products');
                                     echo $result;
                                     mysql_query('INSERT INTO products (product_name) VALUES (' . $_GET['test2'] . ')');
                                     $result = mysql_query('SELECT product_name FROM products');
                                     echo $result;";
            var    reporter    = new Mock <IVulnerabilityReporter>();
            var    vulnStorage = new ReportingVulnerabilityStorage(reporter.Object, new FunctionsHandler(new FuncSpecConfiguration(new List <string>(), new List <string>())));

            ParseAndAnalyze(phpCode, vulnStorage);
            vulnStorage.CheckForStoredVulnerabilities();

            reporter.Verify(x => x.ReportStoredVulnerability(It.IsAny <IVulnerabilityInfo[]>()), Times.Exactly(2));
        }
Beispiel #7
0
        private static void ScanUnscannedSubroutines(List <File> filesCollection, Func <ImmutableVariableStorage, IIncludeResolver, AnalysisScope, AnalysisStacks, ImmutableVariableStorage> fileTaintAnalyzer, FunctionAndMethodAnalyzerFactory subroutineAnalyzerFactory, ReportingVulnerabilityStorage vulnerabilityStorage)
        {
            var defaultTaint = new DefaultTaintProvider().GetTaint();

            foreach (var file in filesCollection)
            {
                Console.WriteLine("Scanning " + file.Name);

                var analysisStacks = new AnalysisStacks(file);
                var analyser       = new FunctionAndMethodAnalyzer(defaultTaint,
                                                                   new IncludeResolver(filesCollection), analysisStacks,
                                                                   new CustomFunctionHandler(fileTaintAnalyzer, subroutineAnalyzerFactory, _funcHandler), vulnerabilityStorage, _funcHandler);

                foreach (var function in file.Functions.SelectMany(f => f.Value).Except(_funcHandler.ScannedFunctions))
                {
                    Console.WriteLine("> Scanning method " + function.Name);
                    var functionCall = new FunctionCall(function.Name, function.AstNode, 0, 0);
                    analysisStacks.CallStack.Push(functionCall);

                    analyser.AnalyzeFunctionCall(functionCall, new List <ExpressionInfo>());
                }
                foreach (var @class in file.Classes.SelectMany(c => c.Value))
                {
                    foreach (var method in @class.Methods.Except(_funcHandler.ScannedFunctions))
                    {
                        Console.WriteLine("> Scanning method " + method.Name);
                        var methodCall = new MethodCall(method.Name, new [] { @class.Name }, method.AstNode, 0, 0);
                        analysisStacks.CallStack.Push(methodCall);

                        analyser.AnalyzeMethodCall(methodCall, new List <ExpressionInfo>());
                    }
                }
            }
        }
Beispiel #8
0
        private static void Analyze(Arguments arguments, Config configuration)
        {
            Console.WriteLine("Parsing project at: " + arguments.Target);
            Console.WriteLine();

            foreach (var analysisStartingListener in _components.AnalysisStartingListeners)
            {
                // TODO - This should probably be a proper event - same goes for EndingEvent (this will also remove the loop(s)).
                analysisStartingListener.AnalysisStarting(null, new AnalysisStartingEventArgs(configuration, arguments));
            }

            var stopwatch = Stopwatch.StartNew();

            Console.WriteLine("Building ASTs..");
            ParseResult parseResult = ParseTarget(arguments, configuration);

            Console.WriteLine(" - AST build for {0} files ({1} failed)..", parseResult.ParsedFiles.Count, parseResult.FilesThatFailedToParse.Count);
            Console.WriteLine("Traversing ASTs..");

            var filesCollection      = new List <File>();
            var runningVulnReporter  = new CompositeVulneribilityReporter(_components.VulnerabilityReporters);
            var vulnerabilityStorage = new ReportingVulnerabilityStorage(runningVulnReporter, _funcHandler);

            var progrssIndicator = ProgressIndicatorFactory.CreateProgressIndicator(parseResult.ParsedFiles.Count());

            foreach (var parsedFile in parseResult.ParsedFiles)
            {
                progrssIndicator.Step();

                var file = BuildFileCFGAndExtractFileInformation(parsedFile);
                filesCollection.Add(file);
            }

            var subroutineAnalyzerFactory = new FunctionAndMethodAnalyzerFactory {
                UseSummaries = arguments.UseFunctionSummaries
            };
            Func <ImmutableVariableStorage, IIncludeResolver, AnalysisScope, AnalysisStacks,
                  ImmutableVariableStorage> fileTaintAnalyzer = null;

            fileTaintAnalyzer = (varStorage, inclResolver, scope, stacks) =>
            {
                Preconditions.NotNull(varStorage, "varStorage");
                Preconditions.NotNull(inclResolver, "inclResolver");

                var blockAnalyzer = new TaintBlockAnalyzer(vulnerabilityStorage, inclResolver, scope, fileTaintAnalyzer, stacks, subroutineAnalyzerFactory, _funcHandler);
                blockAnalyzer.AnalysisExtensions.AddRange(_components.BlockAnalyzers);
                var condAnalyser     = new ConditionTaintAnalyser(scope, inclResolver, stacks.IncludeStack, _funcHandler);
                var cfgTaintAnalysis = new TaintAnalysis(blockAnalyzer, condAnalyser, varStorage);
                var fileToAnalyze    = stacks.IncludeStack.Peek();
                var analyzer         = new CFGTraverser(new ForwardTraversal(), cfgTaintAnalysis, new ReversePostOrderWorkList(fileToAnalyze.CFG));
                //var analyzer = new CFGTraverser(new ForwardTraversal(), cfgTaintAnalysis, new QueueWorklist());
                analyzer.Analyze(fileToAnalyze.CFG);
                return(cfgTaintAnalysis.Taints[fileToAnalyze.CFG.Vertices.Single(block => block.IsLeaf)].Out[EdgeType.Normal]);
            };

            foreach (var file in filesCollection)
            {
                Console.WriteLine(Environment.NewLine + "=============================");
                Console.WriteLine("Analyzing {0}..", file.FullPath);
                var initialTaint      = GetDefaultTaint();
                var inclusionResolver = new IncludeResolver(filesCollection);

                var stacks = new AnalysisStacks(file);
                fileTaintAnalyzer(initialTaint, inclusionResolver, AnalysisScope.File, stacks);
            }

            Console.WriteLine("Scanned {0}/{1} subroutines. ", _funcHandler.ScannedFunctions.Count, _funcHandler.CustomFunctions.Count, _funcHandler);

            if (arguments.ScanAllSubroutines)
            {
                Console.WriteLine("Scanning remaining subroutines..");
                ScanUnscannedSubroutines(filesCollection, fileTaintAnalyzer, subroutineAnalyzerFactory, vulnerabilityStorage);
            }

            vulnerabilityStorage.CheckForStoredVulnerabilities();
            //parseResult.ParsedFiles.Values.First().Save(@"C:\Users\Kenneth\Documents\Uni\TestScript\current\parsedFile");

            stopwatch.Stop();

            foreach (var analysisEndedListener in _components.AnalysisEndedListeners)
            {
                analysisEndedListener.AnalysisEnding(null, new AnalysisEndedEventArgs(stopwatch.Elapsed));
            }

            Console.WriteLine("Time spent: " + stopwatch.Elapsed);
            Console.WriteLine("Found {0} vulnerabilities.", runningVulnReporter.NumberOfReportedVulnerabilities);
        }