- search for dangerous functionality
- find a path from input you control to that dangerous functionality
- test your exploit by isolating and running critical parts of the code locally
pay special attention to:
  - high concentration of security "bad words" (eval, exec, raw, privileged, YAML, merge, reflect, etc.)
  - string parsing (dynamic langs, SQL, URLs, file paths, etc.)
  - code handling security stuff (authN, authZ, crypto)
  - rules enforced by difficult-to-read code (likely some edge cases)
  - calls that have "unsafe", "insecure", etc. in the name
  - counter-intuitive language features (Perl array expansion, PHP implicit conversions, overwriting JS prototypes, etc.)
- walk the call stack and trace data you control
  - use static analysis tools to do this
  - use "find usages" in an IDE to find calls; repeat until you're at the top
  - focus on less obvious input (auto set headers, input from other software, metadata, etc.)
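The three steps above (find the dangerous functionality, trace controlled input to it, walk the callers up to the top) can be scripted for a first pass. The following is an added example, not part of the original notes: a small AST-based sink finder for Python that marks function parameters as controlled input, propagates taint through assignments, flags "bad word" sinks reached by that data, and reports the caller chain ("find usages" repeated until the top). The sink list, the SAMPLE source under review and all function names are constructed for this example.

```python
"""Tiny AST sink finder with intraprocedural taint tracking (added example, not project code)."""
import ast
from typing import Dict, List, Set

# Security "bad words": call targets whose arguments must never be attacker-controlled.
# Constructed for this example; extend to match the frameworks under review.
DANGEROUS_SINKS = {
    "eval", "exec", "os.system", "os.popen", "subprocess.call",
    "subprocess.Popen", "yaml.load", "pickle.loads",
}


def call_name(node: ast.Call) -> str:
    """Render a call target as a dotted name ("os.system", "eval"); "" if it is not a plain name."""
    parts: List[str] = []
    func = node.func
    while isinstance(func, ast.Attribute):
        parts.append(func.attr)
        func = func.value
    if not isinstance(func, ast.Name):
        return ""
    parts.append(func.id)
    return ".".join(reversed(parts))


def names_in(node: ast.AST) -> Set[str]:
    """All variable names referenced anywhere inside an expression or statement."""
    return {n.id for n in ast.walk(node) if isinstance(n, ast.Name)}


def tainted_names(fn: ast.FunctionDef) -> Set[str]:
    """Parameters are the input we control; propagate through assignments to a fixpoint.

    Flow-insensitive, so it over-approximates: it never misses a flow but may flag extra
    ones, which is the right trade-off for a reviewer who reads the hits by hand."""
    tainted = {a.arg for a in fn.args.args + fn.args.kwonlyargs}
    changed = True
    while changed:
        changed = False
        for stmt in ast.walk(fn):
            if not isinstance(stmt, (ast.Assign, ast.AugAssign, ast.AnnAssign)) or stmt.value is None:
                continue
            if not (names_in(stmt.value) & tainted):
                continue
            targets = stmt.targets if isinstance(stmt, ast.Assign) else [stmt.target]
            for target in targets:
                new = names_in(target) - tainted
                if new:
                    tainted |= new
                    changed = True
    return tainted


def find_sinks(source: str) -> List[Dict]:
    """Step 1: locate dangerous calls. Step 2: check whether controlled input reaches them.
    Step 3: walk the call graph upward so the reviewer sees entry point -> ... -> sink."""
    tree = ast.parse(source)
    funcs = [n for n in ast.walk(tree) if isinstance(n, ast.FunctionDef)]

    # Reverse call graph: callee name -> functions that call it (the IDE's "find usages").
    callers: Dict[str, Set[str]] = {}
    for fn in funcs:
        for node in ast.walk(fn):
            if isinstance(node, ast.Call):
                callers.setdefault(call_name(node), set()).add(fn.name)

    def call_chain(name: str) -> List[str]:
        """Follow callers until a function nobody calls (an entry point); cycles stop the walk."""
        chain = [name]
        while True:
            ups = sorted(callers.get(chain[-1], set()) - set(chain))  # skip recursion/cycles
            if not ups:
                return chain
            chain.append(ups[0])  # follow one caller; a fuller tool would branch on all of them

    findings: List[Dict] = []
    for fn in funcs:
        tainted = tainted_names(fn)
        for node in ast.walk(fn):
            if not isinstance(node, ast.Call) or call_name(node) not in DANGEROUS_SINKS:
                continue
            arg_nodes = list(node.args) + [kw.value for kw in node.keywords]
            reached = any(names_in(a) & tainted for a in arg_nodes)
            findings.append({
                "function": fn.name, "sink": call_name(node), "line": node.lineno,
                "tainted": reached, "path": list(reversed(call_chain(fn.name))),
            })
    return findings


# Constructed sample under review (not real project code): one sink fed by request data,
# one sink called only with constants.
SAMPLE = '''
import os, subprocess

def run_report(name):
    cmd = "report --name " + name
    os.system(cmd)

def run_fixed():
    subprocess.call(["report", "--name", "daily"])

def handle_request(request):
    run_report(request.args["name"])
'''

if __name__ == "__main__":
    for finding in find_sinks(SAMPLE):
        flag = "TAINTED" if finding["tainted"] else "constant args"
        print(f'{finding["sink"]} at line {finding["line"]} [{flag}]: {" -> ".join(finding["path"])}')
```

Running it on SAMPLE reports `os.system` at line 6 as tainted with the path `handle_request -> run_report`, and `subprocess.call` at line 9 as reached only by constants. The hit list is a starting point for step 3 of the notes: the reviewer still isolates `run_report` and runs it locally to confirm the behaviour rather than trusting the over-approximate taint result.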