Scanning the code with Python
scancode.py is a source-code-scanning utility. It is a simple Python script that automates the review process. This Python scanner has three functions with specific objectives:
scanfile function scans the entire file for specific security-related regex patterns:
    ".*.[Rr]equest.*[^\n]\n"                                  # Look for request object calls
    ".*.select .*?[^\n]\n|.*.SqlCommand.*?[^\n]\n"            # Look for SQL execution points
    ".*.FileStream .*?[^\n]\n|.*.StreamReader.*?[^\n]\n"      # Look for file system access
    ".*.HttpCookie.*?[^\n]\n|.*.session.*?[^\n]\n"            # Look for cookie and session information
    "<!--.*?#include.*?-->"                                   # Look for dependencies in the application
    ".*.[Rr]esponse.*[^\n]\n"                                 # Look for response object calls
    ".*.write.*[^\n]\n"                                       # Look for information going back to browser
    ".*catch.*[^\n]\n"                                        # Look for exception handling
scan4request function scans the file for entry points to the application using the ASP.NET Request object. Essentially, it runs the pattern ".*.[Rr]equest.*[^\n]\n" against each line of the file.
scan4trace function helps analyze the traversal of a variable in the file. Pass the name of a variable to this function and get the list of lines where it is used. This function is the key to detecting application-level vulnerabilities.
Using the program is easy; it takes several switches to activate the previously described functions.
D:\PYTHON\scancode>scancode.py
Cannot parse the option string correctly
Usage: scancode -<flag> <file> <variable>
flag -sG : Global match
flag -sR : Entry points
flag -t : Variable tracing
Variable is only needed for -t option
Examples:
scancode.py -sG details.aspx
scancode.py -sR details.aspx
scancode.py -t details.aspx pro_id

D:\PYTHON\scancode>
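The following is an added example, not the article's scancode.py: a Python 3 reimplementation of the three switches (global match, entry points, variable tracing) using the article's eight regex patterns unchanged, run against a constructed ASP.NET snippet. The names SAMPLE_ASPX, PATTERNS, scan_global, scan_request and scan_trace are chosen here, and the sample page is constructed for this example. It goes slightly beyond the article's script in two ways: the functions return their hits instead of printing them, and a last line that lacks a trailing newline is still matched (the article's patterns end in [^\n]\n and would otherwise miss it).

```python
import re

# Constructed sample of an ASP.NET page; it is not the article's details.aspx.
SAMPLE_ASPX = """\
<%@ Page Language="C#" %>
<!--#include file="header.inc"-->
<script runat="server">
void Page_Load(object sender, EventArgs e)
{
    NameValueCollection nvc = Request.QueryString;
    string pro_id = nvc["pro_id"];
    HttpCookie auth = Request.Cookies["auth"];
    try
    {
        SqlCommand cmd = new SqlCommand("select * from products where id=" + pro_id, conn);
        Response.Write(cmd.ExecuteScalar());
    }
    catch (Exception ex)
    {
        Response.Write(ex.Message);
    }
}
</script>
"""

# The eight patterns the article's global scan uses, keyed by what each one looks for.
PATTERNS = {
    "request": ".*.[Rr]equest.*[^\n]\n",                              # request object calls
    "sql": ".*.select .*?[^\n]\n|.*.SqlCommand.*?[^\n]\n",           # SQL execution points
    "file": ".*.FileStream .*?[^\n]\n|.*.StreamReader.*?[^\n]\n",    # file system access
    "cookie": ".*.HttpCookie.*?[^\n]\n|.*.session.*?[^\n]\n",        # cookie and session data
    "include": "<!--.*?#include.*?-->",                              # server-side includes
    "response": ".*.[Rr]esponse.*[^\n]\n",                           # response object calls
    "write": ".*.write.*[^\n]\n",                                    # data sent back to the browser
    "catch": ".*catch.*[^\n]\n",                                     # exception handling
}


def _lines(text):
    """Yield (lineno, line) with every line newline-terminated: the article's patterns
    end in [^\\n]\\n and would silently skip a final line without a newline."""
    for lineno, line in enumerate(text.splitlines(keepends=True), start=1):
        if not line.endswith("\n"):
            line += "\n"
        yield lineno, line


def scan_global(text, patterns=PATTERNS):
    """Global match (-sG): run every pattern against every line.
    Returns {pattern name: [(lineno, line without newline), ...]}."""
    compiled = {name: re.compile(pat) for name, pat in patterns.items()}
    hits = {name: [] for name in patterns}
    for lineno, line in _lines(text):
        for name, rx in compiled.items():
            # match() anchors at column 0; the leading .* in the patterns lets it reach a
            # keyword anywhere on the line, so it behaves like a per-line search
            if rx.match(line):
                hits[name].append((lineno, line.rstrip("\n")))
    return hits


def scan_request(text):
    """Entry points (-sR): lines that touch the ASP.NET Request object."""
    return scan_global(text, {"request": PATTERNS["request"]})["request"]


def scan_trace(text, variable):
    """Variable tracing (-t): every line where `variable` appears as a whole identifier."""
    rx = re.compile(r"\b" + re.escape(variable) + r"\b")
    return [(lineno, line.rstrip("\n")) for lineno, line in _lines(text) if rx.search(line)]


if __name__ == "__main__":
    for name, found in scan_global(SAMPLE_ASPX).items():
        for lineno, line in found:
            print("%-8s %3d : %s" % (name, lineno, line.strip()))
    print("Request Object Entry:")
    for lineno, line in scan_request(SAMPLE_ASPX):
        print(lineno, ":", line.strip())
    print("Trace pro_id:")
    for lineno, line in scan_trace(SAMPLE_ASPX, "pro_id"):
        print(lineno, ":", line.strip())
```

Two things worth noticing when you run it: the patterns are case-sensitive, so the C# call Response.Write on the sample's lines 12 and 16 is caught by the response pattern but not by the lowercase write pattern, and the include pattern has no leading .*, so an indented include directive would not be matched by match(). Both are reasons to treat the global scan as a first pass rather than a complete inventory.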
The scanner script first imports Python's regex module:
    import re
Importing this module makes it possible to run regular expressions against the target file:
p = re.compile(".*.[Rr]equest.*[^\n]\n")
This line defines a regular expression, in this case a search for the Request object. The regex is applied to each line of the file in turn, and the match() method reports the lines that contain the pattern:
m = p.match(line)
Looking for entry points
Now use scancode.py to scan the details.aspx file for possible entry points in the target code. Use the -sR switch to identify entry points. Running it on the details.aspx page produces the following results:
D:\PYTHON\scancode>scancode.py -sR details.aspx
Request Object Entry:
22 : NameValueCollection nvc=Request.QueryString;
This is the entry point to the application, the place where the code stores QueryString information into the NameValue collection set.
Here is the function that grabs this information from the code:
    def scan4request(file):
        # Read the target file into a list of lines; each keeps its trailing newline,
        # which the pattern's closing [^\n]\n depends on
        infile = open(file, "r")
        s = infile.readlines()
        infile.close()
        linenum = 0
        print('Request Object Entry:')
        # Compile the Request-object pattern once, then test every line against it
        p = re.compile(".*.[Rr]equest.*[^\n]\n")
        for line in s:
            linenum += 1
            m = p.match(line)
            if m:
                print(linenum, ":", m.group())
The code snippet shows the file being opened and the Request object grabbed using a specific regex pattern. This same approach can capture all other entry points. For example, here is a snippet to identify cookie- and session-related entry points:
    # Look for cookie and session management
    p = re.compile(".*.HttpCookie.*?[^\n]\n|.*.session.*?[^\n]\n")
    m = p.match(line)
    if m:
        print('Session Object Entry:')
        print(linenum, ":", m.group())
After locating these entry points to the application, you need to trace them and search for vulnerabilities.
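As an added example that goes one step beyond the article's scan4trace (this is my code, not the article's scancode.py): rather than listing the lines where one named variable appears, it starts from every Request entry point, follows plain assignments forward, and reports the lines where a variable derived from the request reaches one of the article's SQL execution patterns. The names SAMPLE, ENTRY, SQL_SINK, ASSIGN, _uses and trace_entry_points are chosen here; the ASSIGN regex is a constructed heuristic for C# assignments, not a parser, and the sample fragment is constructed.

```python
import re

# Constructed straight-line fragment of an ASP.NET code-behind; not the article's details.aspx.
SAMPLE = """\
NameValueCollection nvc = Request.QueryString;
string pro_id = nvc["pro_id"];
string title = "Details";
SqlCommand cmd = new SqlCommand("select * from products where id=" + pro_id, conn);
SqlCommand count = new SqlCommand("select count(*) from products", conn);
Response.Write(title);
"""

# Entry-point and SQL sink patterns are the article's own (scan4request and the global list).
ENTRY = re.compile(".*.[Rr]equest.*[^\n]\n")
SQL_SINK = re.compile(".*.select .*?[^\n]\n|.*.SqlCommand.*?[^\n]\n")
# Assumed shape of a C# assignment "[type] name = rhs;"; a constructed heuristic, not a parser.
ASSIGN = re.compile(r"^\s*(?:[\w<>\[\],.]+\s+)?(\w+)\s*=\s*(.*);\s*$")


def _uses(variable, code):
    """True when `variable` appears in `code` as a whole identifier."""
    return re.search(r"\b" + re.escape(variable) + r"\b", code) is not None


def trace_entry_points(text):
    """Single forward pass over the lines: a variable assigned from Request is tainted,
    an assignment whose right-hand side uses a tainted variable taints its target, and a
    SQL sink line that uses a tainted variable is reported as (lineno, variable, line).
    Returns (findings, tainted)."""
    tainted = set()
    findings = []
    for lineno, line in enumerate(text.splitlines(keepends=True), start=1):
        if not line.endswith("\n"):
            line += "\n"          # the article's patterns need the trailing newline
        code = line.rstrip("\n")
        # Check the sink before propagating, so the sink's own target is not reported
        if SQL_SINK.match(line):
            for var in sorted(tainted):
                if _uses(var, code):
                    findings.append((lineno, var, code.strip()))
        m = ASSIGN.match(code)
        if m:
            target, rhs = m.group(1), m.group(2)
            if ENTRY.match(line) or any(_uses(var, rhs) for var in tainted):
                tainted.add(target)
    return findings, tainted


if __name__ == "__main__":
    findings, tainted = trace_entry_points(SAMPLE)
    print("Tainted variables:", ", ".join(sorted(tainted)))
    for lineno, var, code in findings:
        print("%d : %s reaches SQL sink -> %s" % (lineno, var, code))
```

On the sample this flags line 4 (pro_id, derived from nvc, concatenated into a SqlCommand) and stays silent on line 5, whose query uses no request data. The analysis is lexical: it cannot tell string concatenation from a parameterized query, so every finding is a line to read by hand, which is exactly the review the article's -t switch supports.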