Detecting Web Application Security Vulnerabilities
Pages: 1, 2, 3

scancode is a source code-scanning utility: a simple Python script that automates the repetitive part of the review process. The scanner has three functions, each with a specific objective:

  • The scanfile function scans the entire file for specific security-related regex patterns:

    ".*.[Rr]equest.*[^\n]\n"                                # Look for request object calls
    ".*.select .*?[^\n]\n|.*.SqlCommand.*?[^\n]\n"          # Look for SQL execution points
    ".*.FileStream .*?[^\n]\n|.*.StreamReader.*?[^\n]\n"    # Look for file system access
    ".*.HttpCookie.*?[^\n]\n|.*.session.*?[^\n]\n"          # Look for cookie and session information
    "<!--.*?#include.*?-->"                                 # Look for dependencies in the application
    ".*.[Rr]esponse.*[^\n]\n"                               # Look for response object calls
    ".*.write.*[^\n]\n"                                     # Look for information going back to browser
    ".*catch.*[^\n]\n"                                      # Look for exception handling
  • The scan4request function scans the file for entry points to the application, that is, the lines that use the ASP.NET Request object. Essentially, it runs only the pattern ".*.[Rr]equest.*[^\n]\n".
  • The scan4trace function helps analyze how a variable travels through the file. Pass it the name of a variable and it returns the list of lines where that variable is used. Following an input from its entry point to the place where it is consumed (a SQL query, a file path, the response) is the key to detecting application-level vulnerabilities.

Using the program is easy; it takes a few switches that activate the functions described above. Run with an option string it cannot parse, it prints its usage message:

    Cannot parse the option string correctly
    scancode -<flag> <file> <variable>
    flag -sG : Global match
    flag -sR : Entry points
    flag -t  : Variable tracing
                      Variable is only needed for -t option

    Examples: -sG details.aspx -sR details.aspx -t details.aspx pro_id


The scanner script first imports Python's regex module:

import re

Importing this module makes it possible to run regular expressions against the target file:

p = re.compile(".*.[Rr]equest.*[^\n]\n")

This line defines a regular expression, in this case a search for the Request object. The match() method only matches at the beginning of a string, but because the pattern starts with ".*" it still covers the whole line. Applied to every line of the file, it collects all instances of the pattern:

m = p.match(line)

Looking for entry points

Now use scancode to scan the details.aspx file for possible entry points in the target code. The -sR switch selects the entry-point scan. Running it on the details.aspx page produces the following result:

D:\PYTHON\scancode> scancode -sR details.aspx
Request Object Entry:
22 :    NameValueCollection nvc=Request.QueryString;

This is the entry point to the application: the place where the code copies the QueryString parameters into a NameValueCollection, from which the rest of the page reads them.

Here is the function that grabs this information from the code:

import re

def scan4request(file):
    infile = open(file, "r")
    s = infile.readlines()
    infile.close()
    linenum = 0
    print 'Request Object Entry:'
    # the Request-object pattern; compiled once rather than on every line
    p = re.compile(".*.[Rr]equest.*[^\n]\n")
    for line in s:
        linenum += 1
        m = p.match(line)
        if m:
            # print the line number and the matching line (it keeps its own newline)
            print linenum, ":", line,

The code snippet shows the file being opened and the request object grabbed using a specific regex pattern. This same approach can capture all other entry points. For example, here's a snippet to identify cookie- and session-related entry points:

# Look for cookie and session management
        p = re.compile(".*.HttpCookie.*?[^\n]\n|.*.session.*?[^\n]\n")
        m = p.match(line)
        if m:
            print 'Session Object Entry:'
            print linenum, ":", line,

After locating these entry points to the application, you need to trace them and search for vulnerabilities.
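The following Python 3 script is an added example, not the article's own scancode code, that reimplements the three functions described above (scanfile for -sG, scan4request for -sR, scan4trace for -t) and runs them over a constructed ASP.NET fragment modelled on the details.aspx entry point quoted earlier. The pattern strings are the article's; the pattern names, the sample page, and the ignore_case switch are this example's. One caveat worth seeing in practice: the "session" and "write" patterns are lowercase-only, so with the patterns as written C#'s Session[...] and Response.Write are not reported until the scan is made case-insensitive.

```python
import re

# Constructed sample of an ASP.NET page, modelled on the details.aspx entry
# point quoted in the article. It is not the article's file. Line 6 is the
# Request.QueryString entry point; line 9 builds a SQL string from pro_id.
SAMPLE_ASPX = (
    '<%@ Page Language="C#" %>\n'                                       # 1
    '<!--#include file="header.inc"-->\n'                               # 2
    '<script runat="server">\n'                                         # 3
    'void Page_Load(object sender, EventArgs e)\n'                      # 4
    '{\n'                                                               # 5
    '    NameValueCollection nvc=Request.QueryString;\n'                # 6
    '    string pro_id = nvc["pro_id"];\n'                              # 7
    '    Session["last_id"] = pro_id;\n'                                # 8
    '    string sql = "select * from products where id=" + pro_id;\n'   # 9
    '    SqlCommand cmd = new SqlCommand(sql, conn);\n'                 # 10
    '    try {\n'                                                       # 11
    '        Response.Write(cmd.ExecuteScalar());\n'                    # 12
    '    } catch (Exception ex) {\n'                                    # 13
    '        Response.Write(ex.Message);\n'                             # 14
    '    }\n'                                                           # 15
    '}\n'                                                               # 16
    '</script>\n'                                                       # 17
)

# The article's own patterns; the names are this example's labels.
PATTERNS = {
    "request":  r".*.[Rr]equest.*[^\n]\n",                              # request object calls
    "sql":      r".*.select .*?[^\n]\n|.*.SqlCommand.*?[^\n]\n",       # SQL execution points
    "file":     r".*.FileStream .*?[^\n]\n|.*.StreamReader.*?[^\n]\n", # file system access
    "session":  r".*.HttpCookie.*?[^\n]\n|.*.session.*?[^\n]\n",       # cookie / session use
    "include":  r"<!--.*?#include.*?-->",                               # dependencies
    "response": r".*.[Rr]esponse.*[^\n]\n",                             # response object calls
    "write":    r".*.write.*[^\n]\n",                                   # data back to browser
    "catch":    r".*catch.*[^\n]\n",                                    # exception handling
}


def _numbered_lines(source):
    """Yield (lineno, line) with the newline kept: the patterns end in
    '[^\\n]\\n', so a line without its terminator would never match."""
    for lineno, line in enumerate(source.splitlines(keepends=True), start=1):
        if not line.endswith("\n"):
            line += "\n"
        yield lineno, line


def scanfile(source, ignore_case=False):
    """Global scan (the article's -sG): every pattern against every line.
    Returns {pattern name: [(lineno, line), ...]}. match() suffices because
    the patterns start with '.*'; the include pattern is the exception and
    only fires on comments that begin at column 0."""
    flags = re.IGNORECASE if ignore_case else 0
    compiled = {name: re.compile(p, flags) for name, p in PATTERNS.items()}
    hits = {name: [] for name in PATTERNS}
    for lineno, line in _numbered_lines(source):
        for name, regex in compiled.items():
            if regex.match(line):
                hits[name].append((lineno, line.rstrip("\n")))
    return hits


def scan4request(source):
    """Entry points (the article's -sR): lines touching the Request object."""
    return scanfile(source)["request"]


def scan4trace(source, variable):
    """Variable tracing (the article's -t): every line that uses `variable`.
    Whole-word matching is this example's choice, so tracing 'pro_id' does
    not also report a 'pro_id_list'."""
    regex = re.compile(r"\b%s\b" % re.escape(variable))
    return [(lineno, line.rstrip("\n"))
            for lineno, line in _numbered_lines(source) if regex.search(line)]


if __name__ == "__main__":
    print("Request Object Entry:")
    for lineno, line in scan4request(SAMPLE_ASPX):
        print(lineno, ":", line)
    print("Trace of pro_id:")
    for lineno, line in scan4trace(SAMPLE_ASPX, "pro_id"):
        print(lineno, ":", line)
    # The lowercase-only 'write' pattern misses Response.Write until the
    # scan is made case-insensitive; the same holds for Session[...].
    print("write hits, case-sensitive:", [n for n, _ in scanfile(SAMPLE_ASPX)["write"]])
    print("write hits, ignore case:   ", [n for n, _ in scanfile(SAMPLE_ASPX, ignore_case=True)["write"]])
```

Tracing pro_id from the entry point on line 6 leads straight to the string-concatenated query on line 9 and the SqlCommand on line 10, which is exactly the entry-point-to-sink path the trace function is meant to expose. Running the same scan with ignore_case=True is the cheap fix for the case gaps; tightening the patterns with word boundaries would also cut the false positives that ".*." produces for names that merely contain "request".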
