Penetration Testing mailing list archives
Re: Source code auditing
From: Zack Payton <zpayton () gmail com>
Date: Wed, 17 Feb 2010 11:27:11 -0800
Hi Oliver,

First and foremost, there are some really good commercial tools out there that are useful particularly for larger bodies of code, as they are generally better at reducing false positives than open source tools:

Ounce Labs - www.ouncelabs.com/
Veracode - www.veracode.com/
Fortify - http://www.fortify.com/

Some good open source tools include RATS and flawfinder. These are your original open source tools; they generally work by simply searching for easily misused function calls and can generate a high level of false positives, but are still useful lacking better tools.

As far as books go, the bible when it comes to software security is "The Art of Software Security Assessment" by McDonald, Dowd and Schuh.

Also, you are gonna want a good code browser... To start with you want some kind of editor that has versatile syntax highlighting capabilities:

notepad++
ultraedit
textmate

If you can afford it, though, you may want a more professional IDE, such as Visual Studio, Xcode, or Eclipse, that allows you to not only perform syntax checking but also interactively peruse modules and classes, which is useful when exploring the available APIs for more secure functions and actually validating the syntax of any recommended code changes you may offer.

Also, good code browsers are very useful for jumping through bodies of code (see the book recommendation above for a more thorough list):

ctags
code surfer

Lastly, a good methodology is important to make effective use of your time and to guarantee good results. Your methodology will really depend on your desired outcome. If you are looking to actively exploit applications, a single vulnerability may be all that you need, whereas if you are looking to secure the application you will want to cover as many vulnerabilities as possible.

I generally start by attempting to understand the overall application architecture. This will help you to understand how the application functions and to imagine where the complex parts of the application may be. I try to imagine where, as a programmer, I would make mistakes if I were to write an application with such an architecture. What are the most complex parts? Where are frameworks useful?

After that I like to perform input tracing, in which I attempt to list all the sources from which the program takes external input (i.e. sockets, database, command line, config files, etc.). This is how I prioritize where to spend my time.

Also, another thing that helps me is to look at the code and try to understand the programmers. How do they solve problems in the code? Are they sophisticated? Gauging the level of sophistication of the dev team will help you to understand where they are likely to make mistakes and what types of vulnerabilities they will be susceptible to (i.e., they mastered protecting against SQL injection using input validation and parameterized queries, but they don't know a thing about XSS and CSRF).

Please forgive me for the poorly written response as I am short on time.

Z

On Tue, Feb 16, 2010 at 8:01 AM, Oliver Kindernay <oliver.kindernay () gmail com> wrote:
2010/2/15 Yasser Al-Ruhaili <yasser.alruhaily () gmail com>:
Hi, I think the OWASP Code Review book is a good starting point for source code review.
http://www.lulu.com/items/volume_64/5678000/5678680/13/print/5678680.pdf
For the complete list of OWASP books: http://stores.lulu.com/owasp

Thanks, I'll check it. Sorry, I have sent you this email twice.

2010/2/15 <danuxx () gmail com>:
I think she was not talking about the power of metasploit (which no doubt is powerful and magic!!) but the easy-to-use interface to exploit vulnerable systems. So that script kiddies do not need to know what EIP or Pop+Pop+Ret means in order to compromise a system. My 2 rupees :-)

I was not talking about exploiting vulnerabilities, but about DISCOVERING them in source code. Something that can make it easier.

2010/2/16 M.D.Mufambisi, CISSP <mufambisi () gmail com>:
Hi Oliver, I hope you are well. I do not have an answer to your question....but I want to ask you something regarding what you wrote. I want to learn how to develop exploits in linux such as the ones you mentioned that you have had experience with. What do I need to read to be able to understand that? Any materials you advise I should read to be able to write buffer overflow exploits? Your help will be greatly appreciated. Regards

There are tons of articles on the internet (for example milw0rm.com), and also great books (especially Jon Erickson - The Art of Exploitation). For some practice you can try some levels in the pretty good wargame http://io.smashthestack.org:84/ (there is also an IRC channel where you can get some help). Of course, you must have some skills (C, x86 basics (when you want to write exploits for x86 architectures, which you probably want), ...).

2010/2/15 <danuxx () gmail com>:
I think she was not talking about the power of metasploit (which no doubt is powerful and magic!!) but the easy-to-use interface to exploit vulnerable systems. So that script kiddies do not need to know what EIP or Pop+Pop+Ret means in order to compromise a system.
My 2 rupees :-)

------Original Message------
From: Oliver Kindernay
Sender: listbounce () securityfocus com
To: pen-test () securityfocus com
Subject: Source code auditing
Sent: Feb 15, 2010 10:53 AM

Hi, I am interested in exploiting applications. I have some practice in writing exploits (buffer overflow, format string, ...) in linux. I want to start exploiting real applications (open source). I don't know how to start with finding bugs in an application's source. I can use perl, grep, etc... for finding some static buffers, strcpys, etc., but it's good just for some explorative research. Could you post some sources where I can learn something about source code auditing?

------------------------------------------------------------------------
This list is sponsored by: Information Assurance Certification Review Board

Prove to peers and potential employers without a doubt that you can actually do a proper penetration test. IACRB CPT and CEPT certs require a full practical examination in order to become certified.

http://www.iacertification.org
------------------------------------------------------------------------

Sent via BlackBerry from T-Mobile
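As an added example (not code from this thread, and not RATS, flawfinder or any tool named in it), the following Python script does, in miniature, what Zack describes: it greps a C translation unit for easily misused calls and for format strings that are not literals, then lists the points where external input enters (the first step of his input tracing). The rule tables are an illustrative subset, not the real rulesets of any tool; the C sample and its `mystrcpy` decoy are constructed for the demonstration. It also shows where the false positives Zack mentions come from: without skipping comments, string literals and partial identifier matches, the decoys on lines 4, 5 and 11 of the sample would all be reported.

```python
"""Toy flawfinder/RATS-style scanner for C source plus a first pass at input tracing.

Added example, not a tool from the thread. DANGEROUS_CALLS, FORMAT_ARG and
INPUT_CALLS are assumptions: an illustrative subset, not any real tool's rules.
"""
import re

DANGEROUS_CALLS = {            # classic sources of memory-safety bugs
    "gets": "unbounded read into a fixed buffer",
    "strcpy": "copy with no length bound",
    "strcat": "append with no length bound",
    "sprintf": "formatted write with no length bound",
    "scanf": "%s conversion without a width reads unbounded input",
    "system": "shell command built from possibly untrusted data",
}
FORMAT_ARG = {"printf": 0, "fprintf": 1, "snprintf": 2, "syslog": 1}  # index of format arg
INPUT_CALLS = ("recv", "recvfrom", "read", "fread", "fgets", "getenv", "getchar", "scanf", "fscanf")

_LWB = r"(?<![A-Za-z0-9_])"    # left word boundary, so mystrcpy( is not reported as strcpy(
_SKIP = re.compile(r'"(?:\\.|[^"\\\n])*"|\'(?:\\.|[^\'\\\n])*\'|/\*.*?\*/|//[^\n]*', re.S)


def strip_comments_and_strings(src):
    """Blank out comments and the contents of literals while keeping every newline."""
    def repl(m):
        tok = m.group()
        if tok[0] in "\"'":
            return tok[0] * 2          # "..." becomes "" so literal-ness is still visible
        return "\n" * tok.count("\n")  # comment: keep line numbering intact
    return _SKIP.sub(repl, src)


def _call_args(code, paren):
    """Split the argument list after code[paren] == '(' on depth-0 commas."""
    args, cur, depth = [], [], 0
    for ch in code[paren + 1:]:
        if ch == ")" and depth == 0:
            break
        if ch == "," and depth == 0:
            args.append("".join(cur).strip()); cur = []
            continue
        depth += (ch == "(") - (ch == ")")
        cur.append(ch)
    args.append("".join(cur).strip())
    return args


def scan(src):
    """Return sorted (line, function, reason) for each suspicious call."""
    code = strip_comments_and_strings(src)
    out = []
    for m in re.finditer(_LWB + "(" + "|".join(DANGEROUS_CALLS) + r")\s*\(", code):
        out.append((code.count("\n", 0, m.start()) + 1, m.group(1), DANGEROUS_CALLS[m.group(1)]))
    for m in re.finditer(_LWB + "(" + "|".join(FORMAT_ARG) + r")\s*\(", code):
        args = _call_args(code, m.end() - 1)
        i = FORMAT_ARG[m.group(1)]
        if i >= len(args) or not args[i].startswith('"'):   # a literal survives as ""
            out.append((code.count("\n", 0, m.start()) + 1, m.group(1), "format string is not a literal"))
    return sorted(out)


def trace_inputs(src):
    """Return sorted (line, source) for each point where external data enters."""
    code = strip_comments_and_strings(src)
    pat = _LWB + "(" + "|".join(INPUT_CALLS) + r")\s*\(|" + _LWB + r"(argv)\s*\["
    return sorted((code.count("\n", 0, m.start()) + 1, m.group(1) or m.group(2))
                  for m in re.finditer(pat, code))


# Constructed sample program: two real findings (lines 13 and 15) and three decoys.
SAMPLE_C = r'''#include <stdio.h>
#include <string.h>

/* strcpy(dst, src) inside a comment must not be reported */
int mystrcpy(char *d, const char *s) { d[0] = s[0]; return 0; } /* not libc strcpy */

int main(int argc, char **argv)
{
    char name[64];
    char line[128];
    const char *msg = "gets() is unsafe";   /* literal mentioning gets(): no call */
    if (argc > 1)
        strcpy(name, argv[1]);              /* unbounded copy of attacker input */
    if (fgets(line, sizeof line, stdin))
        printf(line);                       /* format string taken from input */
    printf("%s %s\n", msg, name);           /* literal format string: fine */
    return mystrcpy(name, line);
}
'''

if __name__ == "__main__":
    for ln, fn, why in scan(SAMPLE_C):
        print(f"line {ln}: {fn}(): {why}")
    for ln, where in trace_inputs(SAMPLE_C):
        print(f"line {ln}: external input via {where}")
```

Run as a script it reports the `strcpy` on line 13 and the `printf(line)` on line 15, and lists `argv[` on line 13 and `fgets` on line 14 as entry points. Note that the input list is where a reviewer's time goes next: a finding that no external input can reach is usually a false positive, which is exactly why Zack pairs the grep step with input tracing rather than relying on the scanner alone.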
Current thread:
- Source code auditing Oliver Kindernay (Feb 15)
- Re: Source code auditing Think Defensive (Feb 17)
- Re: Source code auditing Oliver Kindernay (Feb 17)
- Re: Source code auditing Anders Thulin (Feb 17)
- Re: Source code auditing Think Defensive (Feb 17)
- Re: Source code auditing jcran (Feb 17)
- Re: Source code auditing Himanshu Goyal (Feb 22)
- <Possible follow-ups>
- Re: Source code auditing danuxx (Feb 15)
- Re: Source code auditing Oliver Kindernay (Feb 17)
- Re: Source code auditing Zack Payton (Feb 17)
- Re: Source code auditing Oliver Kindernay (Feb 22)
- Re: Source code auditing Oliver Kindernay (Feb 17)
- Re: Source code auditing Think Defensive (Feb 17)
- Re: Re: Source code auditing yasser . alruhaily (Feb 17)