Esempio n. 1
0
        private void ParseAndAnalyze(string php, IVulnerabilityStorage storage)
        {
            FunctionsHandler fh = new FunctionsHandler(Config.FuncSpecSettings);

            fh.LoadJsonSpecifications();

            var extractedFuncs = PHPParseUtils.ParseAndIterate <ClassAndFunctionExtractor>(php, Config.PHPSettings.PHPParserPath).Functions;

            fh.CustomFunctions.AddRange(extractedFuncs);

            var cfg = PHPParseUtils.ParseAndIterate <CFGCreator>(php, Config.PHPSettings.PHPParserPath).Graph;

            var incResolver = new IncludeResolver(new List <File>());
            var fileStack   = new Stack <File>();

            fileStack.Push(new File()
            {
                FullPath = @"C:\TestFile.txt"
            });
            var condAnalyser = new ConditionTaintAnalyser(AnalysisScope.File, incResolver, fileStack, fh);

            var funcMock      = new Mock <Func <ImmutableVariableStorage, IIncludeResolver, AnalysisScope, AnalysisStacks, ImmutableVariableStorage> >();
            var blockAnalyzer = new TaintBlockAnalyzer(storage, incResolver,
                                                       AnalysisScope.File, funcMock.Object, new AnalysisStacks(fileStack), new FunctionAndMethodAnalyzerFactory(), fh);
            var immutableInitialTaint = new DefaultTaintProvider().GetTaint();
            var cfgTaintAnalysis      = new TaintAnalysis(blockAnalyzer, condAnalyser, immutableInitialTaint);
            var taintAnalysis         = new CFGTraverser(new ForwardTraversal(), cfgTaintAnalysis, new QueueWorklist());

            taintAnalysis.Analyze(cfg);
        }
Esempio n. 2
0
 public FunctionAndMethodAnalyzer Create(ImmutableVariableStorage variableStorage, IIncludeResolver incResolver,
                                         AnalysisStacks stacks, CustomFunctionHandler customFuncHandler,
                                         IVulnerabilityStorage vulnerabilityStorage, FunctionsHandler fh)
 {
     return(new FunctionAndMethodAnalyzer(variableStorage, incResolver, stacks, customFuncHandler, vulnerabilityStorage, fh)
     {
         UseSummaries = this.UseSummaries
     });
 }
 public FunctionAndMethodAnalyzer Create(ImmutableVariableStorage variableStorage, IIncludeResolver incResolver,
     AnalysisStacks stacks, CustomFunctionHandler customFuncHandler,
     IVulnerabilityStorage vulnerabilityStorage)
 {
     return new FunctionAndMethodAnalyzer(variableStorage, incResolver, stacks, customFuncHandler, vulnerabilityStorage)
            {
                UseSummaries = this.UseSummaries
            };
 }
Esempio n. 4
0
 public FunctionAndMethodAnalyzer(ImmutableVariableStorage variableStorage, IIncludeResolver incResolver,
                                  AnalysisStacks stacks, CustomFunctionHandler customFuncHandler,
                                  IVulnerabilityStorage vulnerabilityStorage, FunctionsHandler fh)
 {
     this._varStorage            = variableStorage;
     this._incResolver           = incResolver;
     this._stacks                = stacks;
     this._customFunctionHandler = customFuncHandler;
     this._vulnerabilityStorage  = vulnerabilityStorage;
     this._funcHandler           = fh;
 }
Esempio n. 5
0
        private ExpressionInfo HandleOptionsCall(FunctionCall call, XmlNode node, ExpressionInfo exprInfo, IVariableStorage currentStorage,
                                                 IVulnerabilityStorage storage, IDictionary <uint, ExpressionInfo> argumentInfos, AnalysisStacks analysisStacks)
        {
            if (_getOptionsFunctions.Contains(call.Name))
            {
                return(HandleGetOptions(call, argumentInfos, exprInfo));
            }
            else if (_updateOptionFunctions.Contains(call.Name) ||
                     _addOptionFunctions.Contains(call.Name))
            {
                return(HandleUpdateAddOptions(call, exprInfo, storage, argumentInfos, analysisStacks));
            }

            return(exprInfo);
        }
Esempio n. 6
0
 public ExpressionInfo AnalyzeFunctionCall(XmlNode node, ExpressionInfo exprInfo, IVariableStorage varStorage, 
                                           IVulnerabilityStorage vulnStorage, IDictionary<uint, ExpressionInfo> argumentInfos, AnalysisStacks analysisStacks)
 {
     var funcCall = new FunctionCallExtractor().ExtractFunctionCall(node);
     if (_getOptionsFunctions.Contains(funcCall.Name) ||
         _addOptionFunctions.Contains(funcCall.Name) ||
         _updateOptionFunctions.Contains(funcCall.Name))
     {
         return HandleOptionsCall(funcCall, node, exprInfo, varStorage, vulnStorage, argumentInfos, analysisStacks);
     }
     else if (_hookFunctions.Contains(funcCall.Name))
     {
         return HandleHookCall(node, exprInfo, varStorage, analysisStacks);
     }
     return exprInfo;
 }
Esempio n. 7
0
        /// <summary>
        /// Analyses a custom function in for security issues, with the currenctly known taint for actual parameters.
        /// </summary>
        /// <returns>A TainSets for the custom function that is being analyzed</returns>
        /// <param name="customFunction">Custom function object to perform the analysis on</param>
        /// <param name="varStorage">The currently known variable storage (this is to included because of superglobals, globals etc.)</param>
        /// <param name="paramActualVals">Parameter actual values</param>
        /// <param name="resolver">File inclusion resolver</param>
        /// <param name="includeStack">Currently known includes</param>
        /// <param name="functionCalls">Currently known function calls</param>
        internal ExpressionInfo AnalyseCustomFunction(Function customFunction, ImmutableVariableStorage varStorage, IVulnerabilityStorage vulnerabilityStorage,
            IList<ExpressionInfo> paramActualVals, IIncludeResolver resolver, AnalysisStacks stacks)
        {
            var stmts = customFunction.AstNode.GetSubNode(AstConstants.Subnode + ":" + AstConstants.Subnodes.Stmts).FirstChild;

            var traverser = new XmlTraverser();
            var cfgcreator = new CFGCreator();
            traverser.AddVisitor(cfgcreator);
            traverser.Traverse(stmts);

            var cfgPruner = new CFGPruner();
            cfgPruner.Prune(cfgcreator.Graph);

            var initialTaint = varStorage.ToMutable();
            initialTaint.SuperGlobals.Clear();
            initialTaint.SuperGlobals.AddRange(varStorage.SuperGlobals);
            initialTaint.LocalVariables.Clear();
            initialTaint.LocalAccessibleGlobals.Clear();

            for(int i = 1; i <= paramActualVals.Count; i++)
            {
                var paramFormal = customFunction.Parameters.FirstOrDefault(x => x.Key.Item1 == i);
                if (paramFormal.Value == null)
                {
                    continue;
                }
                var @var = new Variable(paramFormal.Value.Name, VariableScope.Function) {Info = paramActualVals[i - 1].ValueInfo};
                initialTaint.LocalVariables.Add(paramFormal.Value.Name, @var);
            }

            var blockAnalyzer = new TaintBlockAnalyzer(vulnerabilityStorage, resolver, AnalysisScope.Function, fileAnalyzer, stacks, subroutineAnalyzerFactory);
            blockAnalyzer.AnalysisExtensions.AddRange(AnalysisExtensions);
            var condAnalyser = new ConditionTaintAnalyser(AnalysisScope.Function, resolver, stacks.IncludeStack);
            var cfgTaintAnalysis = new TaintAnalysis(blockAnalyzer, condAnalyser, ImmutableVariableStorage.CreateFromMutable(initialTaint));
            //var taintAnalysis = new CFGTraverser(new ForwardTraversal(), cfgTaintAnalysis, new QueueWorklist());
            var taintAnalysis = new CFGTraverser(new ForwardTraversal(), cfgTaintAnalysis, new ReversePostOrderWorkList(cfgcreator.Graph));
            taintAnalysis.Analyze(cfgcreator.Graph);

            var exprInfoAll = new ExpressionInfo();

            foreach (ExpressionInfo exprInfo in blockAnalyzer.ReturnInfos)
            {
                exprInfoAll = exprInfoAll.Merge(exprInfo);
            }

            return exprInfoAll;
        }
Esempio n. 8
0
        public ExpressionInfo AnalyzeFunctionCall(XmlNode node, ExpressionInfo exprInfo, IVariableStorage varStorage,
                                                  IVulnerabilityStorage vulnStorage, IDictionary <uint, ExpressionInfo> argumentInfos, AnalysisStacks analysisStacks)
        {
            var funcCall = new FunctionCallExtractor().ExtractFunctionCall(node);

            if (_getOptionsFunctions.Contains(funcCall.Name) ||
                _addOptionFunctions.Contains(funcCall.Name) ||
                _updateOptionFunctions.Contains(funcCall.Name))
            {
                return(HandleOptionsCall(funcCall, node, exprInfo, varStorage, vulnStorage, argumentInfos, analysisStacks));
            }
            else if (_hookFunctions.Contains(funcCall.Name))
            {
                return(HandleHookCall(node, exprInfo, varStorage, analysisStacks));
            }
            return(exprInfo);
        }
Esempio n. 9
0
        public TaintBlockAnalyzer(IVulnerabilityStorage vulnerabilityStorage, IIncludeResolver inclusionResolver, AnalysisScope scope,
            Func<ImmutableVariableStorage, IIncludeResolver, AnalysisScope, AnalysisStacks, ImmutableVariableStorage> analyzeTaint, 
            AnalysisStacks stacks, FunctionAndMethodAnalyzerFactory subroutineAnalyzerFactory)
            : this()
        {
            Preconditions.NotNull(vulnerabilityStorage, "vulnerabilityStorage");
            Preconditions.NotNull(inclusionResolver, "inclusionResolver");
            Preconditions.NotNull(analyzeTaint, "analyzeTaint");
            Preconditions.NotNull(stacks, "stacks");
            Preconditions.NotNull(subroutineAnalyzerFactory, "subroutineAnalyzerFactory");

            this._vulnerabilityStorage = vulnerabilityStorage;
            this._inclusionResolver = inclusionResolver;
            this._analyzer = analyzeTaint;
            this._analysisScope = scope;
            this.ReturnInfos = new List<ExpressionInfo>();
            this._analysisStacks = stacks;
            this._subroutineAnalyzerFactory = subroutineAnalyzerFactory;
        }
Esempio n. 10
0
        private void ParseAndAnalyze(string php, IVulnerabilityStorage storage)
        {
            var extractedFuncs = PHPParseUtils.ParseAndIterate<ClassAndFunctionExtractor>(php, Config.PHPSettings.PHPParserPath).Functions;
            FunctionsHandler.Instance.CustomFunctions.AddRange(extractedFuncs);

            var cfg = PHPParseUtils.ParseAndIterate<CFGCreator>(php, Config.PHPSettings.PHPParserPath).Graph;

            var incResolver = new IncludeResolver(new List<File>());
            var fileStack = new Stack<File>();
            fileStack.Push(new File() { FullPath = @"C:\TestFile.txt" });
            var condAnalyser = new ConditionTaintAnalyser(AnalysisScope.File, incResolver, fileStack);

            var funcMock = new Mock<Func<ImmutableVariableStorage, IIncludeResolver, AnalysisScope, AnalysisStacks, ImmutableVariableStorage>>();
            var blockAnalyzer = new TaintBlockAnalyzer(storage, incResolver, AnalysisScope.File, funcMock.Object, new AnalysisStacks(fileStack), new FunctionAndMethodAnalyzerFactory());
            var immutableInitialTaint = new DefaultTaintProvider().GetTaint();
            var cfgTaintAnalysis = new TaintAnalysis(blockAnalyzer, condAnalyser, immutableInitialTaint);
            var taintAnalysis = new CFGTraverser(new ForwardTraversal(), cfgTaintAnalysis, new QueueWorklist());
            taintAnalysis.Analyze(cfg);
        }
Esempio n. 11
0
 public ExpressionInfo Analyze(XmlNode node, ExpressionInfo exprInfo, IVariableStorage currentStorage, IVulnerabilityStorage storage)
 {
     return exprInfo;
 }
Esempio n. 12
0
        private ExpressionInfo HandleUpdateAddOptions(FunctionCall call, ExpressionInfo exprInfo, IVulnerabilityStorage storage, 
                                                      IDictionary<uint, ExpressionInfo> argumentInfos, AnalysisStacks analysisStacks)
        {
            XmlNode firstArgument;
            XmlNode secondArgument;

            string optionKeyValue;

            if (call.Arguments.TryGetValue(1, out firstArgument) &&
                call.Arguments.TryGetValue(2, out secondArgument) &&
                TryGetOptionKeyValue(firstArgument, argumentInfos[1], out optionKeyValue))
            {
                foreach (var sqliTaintSet in argumentInfos.ElementAt(1).Value.ExpressionTaint.SqliTaint)
                {
                    if (sqliTaintSet.TaintTag == SQLITaint.None)
                    {
                        continue;
                    }
                    string varName = (sqliTaintSet.InitialTaintedVariable ?? "???");
                    string message = "Stored SQLI found - Ingoing: " + varName +
                                    " on line: " + call.StartLine + " in file: " + analysisStacks.IncludeStack.Peek();

                    storage.AddPossibleStoredVulnerability(new StoredVulnerabilityInfo()
                    {
                        IncludeStack = analysisStacks.IncludeStack.ToImmutableStack(),
                        CallStack = analysisStacks.CallStack.ToImmutableStack(),
                        Message = message,
                        VulnerabilityType = VulnType.SQL,
                        PossibleStoredVuln = new StoredVulnInfo()
                                             {
                                                 ICantFeelIt = IsItInYet.YesItsGoingIn,
                                                 StorageName = optionKeyValue,
                                                 StorageOrigin = "Options",
                                                 Taint = new TaintSets(sqliTaintSet, new XSSTaintSet())
                                             }
                    });
                }
                foreach (var xssTaintSet in argumentInfos.ElementAt(1).Value.ExpressionTaint.XssTaint)
                {
                    if (xssTaintSet.TaintTag == XSSTaint.None)
                    {
                        continue;
                    }
                    string varName = (xssTaintSet.InitialTaintedVariable ?? "???");
                    string message = "Stored XSS found - Ingoing: " + varName +
                                    " on line: " + call.StartLine + " in file: " + analysisStacks.IncludeStack.Peek();

                    storage.AddPossibleStoredVulnerability(new StoredVulnerabilityInfo()
                    {
                        IncludeStack = analysisStacks.IncludeStack.ToImmutableStack(),
                        CallStack = analysisStacks.CallStack.ToImmutableStack(),
                        Message = message,
                        VulnerabilityType = VulnType.XSS,
                        PossibleStoredVuln = new StoredVulnInfo()
                                            {
                                                ICantFeelIt = IsItInYet.YesItsGoingIn,
                                                StorageName = optionKeyValue,
                                                StorageOrigin = "Options",
                                                Taint = new TaintSets(new SQLITaintSet(), xssTaintSet)
                                            }
                    });
                }
            }

            return exprInfo;
        }
Esempio n. 13
0
        private ExpressionInfo HandleOptionsCall(FunctionCall call, XmlNode node, ExpressionInfo exprInfo, IVariableStorage currentStorage, 
                                                 IVulnerabilityStorage storage, IDictionary<uint, ExpressionInfo> argumentInfos, AnalysisStacks analysisStacks)
        {
            if (_getOptionsFunctions.Contains(call.Name))
            {
                return HandleGetOptions(call, argumentInfos, exprInfo);
            }
            else if (_updateOptionFunctions.Contains(call.Name) ||
                     _addOptionFunctions.Contains(call.Name))
            {
                return HandleUpdateAddOptions(call, exprInfo, storage, argumentInfos, analysisStacks);
            }

            return exprInfo;
        }
Esempio n. 14
0
        /// <summary>
        /// Analyses a custom function in for security issues, with the currenctly known taint for actual parameters.
        /// </summary>
        /// <returns>A TainSets for the custom function that is being analyzed</returns>
        /// <param name="customFunction">Custom function object to perform the analysis on</param>
        /// <param name="varStorage">The currently known variable storage (this is to included because of superglobals, globals etc.)</param>
        /// <param name="paramActualVals">Parameter actual values</param>
        /// <param name="resolver">File inclusion resolver</param>
        /// <param name="includeStack">Currently known includes</param>
        /// <param name="functionCalls">Currently known function calls</param>
        internal ExpressionInfo AnalyseCustomFunction(Function customFunction, ImmutableVariableStorage varStorage, IVulnerabilityStorage vulnerabilityStorage,
                                                      IList <ExpressionInfo> paramActualVals, IIncludeResolver resolver, AnalysisStacks stacks)
        {
            var stmts = customFunction.AstNode.GetSubNode(AstConstants.Subnode + ":" + AstConstants.Subnodes.Stmts).FirstChild;

            var traverser  = new XmlTraverser();
            var cfgcreator = new CFGCreator();

            traverser.AddVisitor(cfgcreator);
            traverser.Traverse(stmts);

            var cfgPruner = new CFGPruner();

            cfgPruner.Prune(cfgcreator.Graph);

            var initialTaint = varStorage.ToMutable();

            initialTaint.SuperGlobals.Clear();
            initialTaint.SuperGlobals.AddRange(varStorage.SuperGlobals);
            initialTaint.LocalVariables.Clear();
            initialTaint.LocalAccessibleGlobals.Clear();

            for (int i = 1; i <= paramActualVals.Count; i++)
            {
                var paramFormal = customFunction.Parameters.FirstOrDefault(x => x.Key.Item1 == i);
                if (paramFormal.Value == null)
                {
                    continue;
                }
                var @var = new Variable(paramFormal.Value.Name, VariableScope.Function)
                {
                    Info = paramActualVals[i - 1].ValueInfo
                };
                initialTaint.LocalVariables.Add(paramFormal.Value.Name, @var);
            }

            var blockAnalyzer = new TaintBlockAnalyzer(vulnerabilityStorage, resolver, AnalysisScope.Function, fileAnalyzer, stacks, subroutineAnalyzerFactory, _funcHandler);

            blockAnalyzer.AnalysisExtensions.AddRange(AnalysisExtensions);
            var condAnalyser     = new ConditionTaintAnalyser(AnalysisScope.Function, resolver, stacks.IncludeStack, _funcHandler);
            var cfgTaintAnalysis = new TaintAnalysis(blockAnalyzer, condAnalyser, ImmutableVariableStorage.CreateFromMutable(initialTaint));
            //var taintAnalysis = new CFGTraverser(new ForwardTraversal(), cfgTaintAnalysis, new QueueWorklist());
            var taintAnalysis = new CFGTraverser(new ForwardTraversal(), cfgTaintAnalysis, new ReversePostOrderWorkList(cfgcreator.Graph));

            taintAnalysis.Analyze(cfgcreator.Graph);

            var exprInfoAll = new ExpressionInfo();

            foreach (ExpressionInfo exprInfo in blockAnalyzer.ReturnInfos)
            {
                exprInfoAll = exprInfoAll.Merge(exprInfo);
            }

            return(exprInfoAll);
        }
Esempio n. 15
0
 public ExpressionInfo Analyze(XmlNode node, ExpressionInfo exprInfo, IVariableStorage currentStorage, IVulnerabilityStorage storage)
 {
     return(exprInfo);
 }
Esempio n. 16
0
        private ExpressionInfo HandleUpdateAddOptions(FunctionCall call, ExpressionInfo exprInfo, IVulnerabilityStorage storage,
                                                      IDictionary <uint, ExpressionInfo> argumentInfos, AnalysisStacks analysisStacks)
        {
            XmlNode firstArgument;
            XmlNode secondArgument;

            string optionKeyValue;

            if (call.Arguments.TryGetValue(1, out firstArgument) &&
                call.Arguments.TryGetValue(2, out secondArgument) &&
                TryGetOptionKeyValue(firstArgument, argumentInfos[1], out optionKeyValue))
            {
                foreach (var sqliTaintSet in argumentInfos.ElementAt(1).Value.ExpressionTaint.SqliTaint)
                {
                    if (sqliTaintSet.TaintTag == SQLITaint.None)
                    {
                        continue;
                    }
                    string varName = (sqliTaintSet.InitialTaintedVariable ?? "???");
                    string message = "Stored SQLI found - Ingoing: " + varName +
                                     " on line: " + call.StartLine + " in file: " + analysisStacks.IncludeStack.Peek();

                    storage.AddPossibleStoredVulnerability(new StoredVulnerabilityInfo()
                    {
                        IncludeStack       = analysisStacks.IncludeStack.ToImmutableStack(),
                        CallStack          = analysisStacks.CallStack.ToImmutableStack(),
                        Message            = message,
                        VulnerabilityType  = VulnType.SQL,
                        PossibleStoredVuln = new StoredVulnInfo()
                        {
                            ICantFeelIt   = IsItInYet.YesItsGoingIn,
                            StorageName   = optionKeyValue,
                            StorageOrigin = "Options",
                            Taint         = new TaintSets(sqliTaintSet, new XSSTaintSet())
                        }
                    });
                }
                foreach (var xssTaintSet in argumentInfos.ElementAt(1).Value.ExpressionTaint.XssTaint)
                {
                    if (xssTaintSet.TaintTag == XSSTaint.None)
                    {
                        continue;
                    }
                    string varName = (xssTaintSet.InitialTaintedVariable ?? "???");
                    string message = "Stored XSS found - Ingoing: " + varName +
                                     " on line: " + call.StartLine + " in file: " + analysisStacks.IncludeStack.Peek();

                    storage.AddPossibleStoredVulnerability(new StoredVulnerabilityInfo()
                    {
                        IncludeStack       = analysisStacks.IncludeStack.ToImmutableStack(),
                        CallStack          = analysisStacks.CallStack.ToImmutableStack(),
                        Message            = message,
                        VulnerabilityType  = VulnType.XSS,
                        PossibleStoredVuln = new StoredVulnInfo()
                        {
                            ICantFeelIt   = IsItInYet.YesItsGoingIn,
                            StorageName   = optionKeyValue,
                            StorageOrigin = "Options",
                            Taint         = new TaintSets(new SQLITaintSet(), xssTaintSet)
                        }
                    });
                }
            }

            return(exprInfo);
        }