Source Code to Audit with GREP Command

today in this tutorial we are going to discuss about (SAST) static application security testing along with its methodologies, types, methods, tools etc. Through this article we will give you a brief overview about SAST and then show you how we can find vulnerabilities in the source code of any web application based on PHP language with the help of kali linux utility called “grep”. Huh. Fine 😁!! So without wasting much time let’s start argle-bargle on static application security testing.

Table of Content

About SAST or Source Code Audit

Difference SAST and DAST

Black and White Box Testing

Installation of bWAAP Vulnerable Application

Source Code Audit with Grep Command

Source Code Audit with EGrep Command

CRASS Tool

Graudit Tool

Overview of RIPS SAST Tool

Questions of Knowledge

Q : What’s is Source Code Analysis or Source Code Audit?

According to the OWASP: Source code analysis or audit, also known as Static Application Security Testing (SAST) Tools, can help analyze source code or compiled versions of code to help find security flaws. SAST is very important for both the organization and us as it helps to analyze source code to detect security vulnerabilities, which make our organization’s applications susceptible to attack, so we need to be aware of all these from the point of view of security potential. Let us show you a small difference between SAST and DAST.

Q : What do you mean by SAST and DAST?

We have given below a small description about both these things.

Static application security testing (SAST) is a set of technologies designed to analyze application source code, byte code and binaries for coding and design conditions that are indicative of security vulnerabilities. SAST is a white box testing method. Its happened in Development Stages.

Dynamic application security testing (DAST) is a black box testing method that examines an application as it’s running to find vulnerabilities that an attacker could exploit.

Q : What is Black Box and White Box Testing?

Both SAST and DAST techniques are also known as white box and black box testing.

Black Box Testing refers to any type of software test that examines an application without knowledge of the internal design, structure, or implementation of the software project.

White Box Testing is a type of testing where the tester can see the code. Testers use this testing method to verify the flow of inputs and outputs through the application, improving usability and design and strengthening security.

Let’s move on to the installation part of the vulnerable application 😁 !!

bWAAP Vuln WebApp Installation

bWAPP, or a buggy web application, is a free and open-source deliberately insecure web application. bWAPP is a PHP application that uses a MySQL database. It can be hosted on Linux/Windows with Apache/IIS and MySQL. Configuring this vulnerable application in any operating system is quite simple that all we have to do is download this application by the link given below, unzip it and move all the files to the apache directory and that’s it.

1 2	https://sourceforge.net/projects/bwapp/ unzip -d /var/www/html/bwaap/ bWAAP_latest.zip

Now you can check whether all files are unzipped or not by going to the apache directory with the help of the below command.

1 2	cd /var/www/html/bwaap/ ls -l

What is Grep Utility?

Grep is a command-line utility for searching plain-text data sets for lines that match a regular expression. Its name comes from the ed command g/re/p (globally search for a regular expression and print matching lines), which has the same effect.

Hmm 😁 !! We think you should know about some basic commands of the grep utility before jumping to the source code review, so we have given some basic commands below which will facilitate you to use grep utility during SAST audit.

grep Basics Commands:

• grep boo /etc/passwd:  basic command to find word into the file.
• grep ‘word’ filename :  use to find specific word in the file.
• grep -c ‘root’ frontpage.txt:  count words present in the file.
• grep -n “root” /etc/passwd:   line number within its input file.
• grep -i ‘bar’ file1:  To find case-insensitive ex: bar, Bar, BAR,
• grep -r “192.168.1.5” /etc/ :   ecursively i.e. read all files under each directory.
• grep -R ‘passwd’ /etc/:   find word into the file or directory or its subdirectory.
• grep –color ‘root’ /etc/passwd:   print output with color

Now we will start Source Code Audit with Grep Command. Excited !! Let’s do it.

Find EXEC() System Call

OK :)!! We have first taken a basic example as you can see in the image below. The “exec” system call is used to execute a file that is residing in an active process and “-or” is used to find the “exec” system call into all PHP files of the web project. So we will use the following command that will fetch all “exec(“ system calls from PHP files and print to the terminal. Why have we done this? Because there are a lot of developers who don’t sanitize user input and directly use that input and can allow attackers for such RCE attacks.

grep <syntax> <string want to find> <file path of webapp>

1	grep -ir --color "exec(" /var/www/html/bwaap/

Color Output

There is simple method to print colored output on terminal with given command. By using the “–color” pattern in the command, we can highlight our output.

1	grep -ir --color "exec(" /var/www/html/bwaap/

Find Exec() Function in Specific Files

To find the “exec(“ system call function in any specific extension files like .php, .xml, .txt etc., we can use the include pattern of grep utility. As you can see in the below image which php files is that in which “exec(“ function is being used.

1	grep -ir --color "exec(" /var/www/html/bwaap/ --include=*.php

Find Sensitive Credentials

Sometimes developers forgot to remove the credentials from the source code of web application which makes the web application vulnerable. We can try to find the sensitive credentials available in the source code files with the help of command given below. The following command will search the password string in “.xml” extension files and print it to the terminal if it finds anything.

1	grep -ir --color "password" /var/www/html/bwaap/ --include=*.xml

Likewise, we can try to find some others sensitive credentials like login, users, password, api keys etc.

Using “grep” Utility with “cat” Command

Cat is another tool comes pre-installed in kali linux in order to edit or create files. cat which simply send the contents of the file to standard output, which shows up on the standard input of the grep, because the shell has connected the two with a pipe. As you can see below that with the help of these two combinations, we can print the exact output on the terminal.

1	cat heroes.xml |grep --color -in "password"

Monitoring MySQLi query Function

The query() / mysqli_query() function performs a query against a database. If we want to analysis the process of sql queries then we have to findout all the “query(.” funcations by using the command below.

1	grep -ir --color "query(." /var/www/html/bwaap/ --include=*.php

Find eval() Functions

The eval() function evaluates a string as PHP code. Usually, this function is useful for storing PHP code in a database but due to not having proper sanitizing it could give remote code execution permission to the attackers.

1	grep -ir --color "eval(" /var/www/html/bwaap/

Identify User Supplied Input

In PHP user-supplied input is mostly handled by either $_GET, $_POST, $_COOKIE, or $_REQUEST. However user-supplied input can also be handled with $_FILES, $_SERVER and others. The command we will use to search for user-supplied input within the “$_GET” param.

1	grep -ir --color "\$_GET" /var/www/html/bwaap/

Find Insecure Transport Protocols

We is using the following command to find all the insecure or secure protocols like FTP, http, tcp, https, file, etc. By exploring these such protocols, we can identify where is the real shortcoming of the web application.

1 2 3

grep -ir --color "http://" /var/www/html/bwaap/   grep -ir --color "ftp://" /var/www/html/bwaap/   grep -ir --color "file://" /var/www/html/bwaap/

Count of Number of Matches

We can find the number of lines that matches the given string/pattern.

1	grep -ir -c --color "exec(" /var/www/html/bwaap/

Print Line Number Only

To shows the line number of the file with the line matched.

1	grep -ir -n --color "exec(" /var/www/html/bwaap/

File Names that Matches the Pattern

We can just display the files that contain the given string/pattern.

1	grep -ir -l --color "exec(" /var/www/html/bwaap/

Let’s move on to another utility of kali Linux “egrep”. 😁 !!

What is egrep?

egrep is an acronym for “Extended Global Regular Expressions Print“. It is a program that scans a specified file line by line, returning lines that contain a pattern matching a given regular expression. The difference between grep and egrep is that grep is a command that allows searching content according to the given regular expression and displaying the matching lines while egrep is a variant of grep that allows to search content by applying extended regular expressions to display the machining lines.

Find Shell Functions with egrep Tool

This command searches all PHP files in a directory for vulnerable shell functions.

1	egrep -r --color --include "*.php" -e "(system|exec|popen|pcntl_exec|proc_open)\(" .

Explore PHP Execution Functions

This command searches all PHP files in a directory for certain vulnerable php execution functions.

1	egrep -r --color --include "*.php" -e "(eval|assert|preg_replace)\(" .

Find XSS Vuln in PHP Code

It can be useful for finding XSS vulnerabilities in PHP code.

1	egrep -r --color --include "*.php" -e "echo\s*\\$.*;" .

Identify System Access

This command will return all PHP files in a directory for file system access.

1	egrep -r --color --include "*.php" -e "(fopen|fread|fwrite|fclose)\(" .

Find Crypto Operations

This command will return instances where crypto operations are performed.

1	egrep -r --color --include "*.php" -e "mcrypt_|openssl_|mhash_|random_|crack_" .

Find Hardcoded Usernames and Passwords

This command will help us a lot for explore hardcoded usernames and passwords.

1	egrep -r --color --include "*.php" -e "(\\$|\->)?(\\[\")?(user|pass|username|password)(\"\\])?\s*=\s*\".*\""

Now let’s start the demo of some automation tools 😁 !!

CRASS – Source Code Analyzer

The “code review audit script scanner” (CRASS) started as a source code grep-er with a set of selected high-potential strings that may result in (security) problems. By now it is searching for strings that are interesting for analysts. Simplicity is the key: You don’t need anything than a couple of standard *nix command line tools (especially grep).

Installation of CRASS Tool

So guys all we have to do is first download the complete tool from GitHub using the git clone command, go to the directory of this tool, and then we can boot it with the bash command. So after this to do source code analysis of any web application based on PHP, you have to give the path to that source code and that’s it. It will automatically find all the vulnerabilities and save them in the “grep-output” directory.

1 2 3

git clone https://github.com/floyd-fuh/crass cd crass bash grep-it.sh

As you can see this you can see a lot of data has been collected and saved in txt files as per the name of the vulnerability.

DOM XSS

If you are unable to identify dom xss vulnerabilities then in those cases you can take the help of this tool which will easily give you the best results.

Results 2:

Results 3:

Graudit SAST Tool

Graudit is a simple script and signature sets that allows you to find potential security flaws in source code using the GNU utility grep. It’s comparable to other static analysis applications like RATS, SWAAT and flaw-finder while keeping the technical requirements to a minimum and being very flexible. First of all you have to install this tool in your machine which you can do by using below commands. The tool is coded in the bash language, so we can operate it with the bash utility of kali linux.

1 2 3 4

git clone https://github.com/wireghoul/graudit cd graudit ls -l bash graudit -h

It’s time to take some advantage of this tool. Let’s give the path to the source code project and see what kind of results we get using this tool. As you can see it has identified various vulnerabilities at the same time.

Rest results have given below.

RIPS : PHP Source Code Analysis Tool

RIPS is the most popular static code analysis tool to automatically detect vulnerabilities in PHP applications. By tokenizing and parsing all source code files, RIPS is able to transform PHP source code into a program model and to detect sensitive sinks (potentially vulnerable functions) that can be tainted by user input (influenced by a malicious user) during the program flow. Besides the structured output of found vulnerabilities, RIPS offers an integrated code audit framework.

Deployment of RIPS Tool

We think you don’t need to show the installation of rips on our localhost web server because you can do it easily but still we have given a reference below. Once the installation is complete you can proceed for the audit.

1	http://sourceforge.net/projects/rips-scanner/files/

Steps to Analysis Source Code

1. You have to given the path of source code project.

2. Select the “vulntype” to “all” and that’s it nothing to do anything more.

As soon as we click on scan it takes a few seconds to analyze the source code written in PHP and then show us depth details about the vulnerabilities identified.

Let’s take some questions too 😁 !!

Q: Which command would you prefer if you want to find the user supplied input in the entire PHP source code project along with file name?

1	<strong>A:</strong> grep -ir --color "\$_GET" /var/www/html/bwaap/ |grep --color "\(([^()]*)\)"