Results tagged “audit” from Just Another Hacker

Graudit 1.9 released

|
The next graudit version is already out! There were some serious issues with the 1.8 release that needed fixing.
  • Fixed php (php/xss.db) database which had a blank line at the end, causing everything to match. (Thx @jodymelbourne)
  • Added test case for blank lines in signature scripts
  • Added database validating aux script
  • Updated Makefile file manifest
  • Fixed bug in test script template (t/blank-test.sh)

Big thanks to the people who contributed with patches, bug reports and feedback. Keep them coming!

You can download the latest version from the graudit download page.

Graudit 1.8 released

|
The next (long overdue) graudit version is out! Just in time for those who wants to do some hacking during the holidays.
  • -L operator does vim friendly line numbers
  • Man pages and documentation updates
  • PHP signature updates
  • JSP signature updates
  • Dotnet signature updates
  • Perl signature updates and bug fixes
  • Python signature updates
  • Bug fixes for aux/ scripts
  • More aux/ scripts
  • Fixed ignore CVS directories by default

Package maintainers should note that graudit now has a man page. The install section of the Makefile does not currently place it anywhere, so please patch for the appropriate location. I will add more distro neutral updates to the makefile for next release.This release fixes some of the broken whitespace neutral rules I added last release. For the perl users, I'm sorry.

Big thanks to the people who contributed with patches, bug reports and feedback. Keep them coming!

You can download the latest version from the graudit download page.
Happy christmas!

Custom graudit signatures

|
Writing your own graudit signatures is relatively easy. Mastering regular expressions can be helpful, but in their simplest form a list of words will do. I have tried to document some of the common pitfalls that might creep up on you in my Ruxmon presentation, but I know how "useful" a single slide can be. I am catching up on graudit documentation and signatures is just around the corner. Until then, I thought I would share with you some of the databases I use when looking for low hanging fruit and want to reduce the information overload (noise) that you normally get from the php ruleset. Signatures after the break to avoid spamming rss readers.

It is time for another graudit release, and this time it includes some big changes.
  • New PHP signatures
  • Improved C signatures for fewer false positives
  • Improved dotnet signatures
  • Whitespace neutrality for all signatures
  • -l operator lists available databases
  • -x operator for excluding files
  • configure script added to make chain
  • Makefile install targets changed, install is now server wide
Package maintainers should take note of the last change. The make file currently supports the old style home directory install (make user install), but that is deprecated and will be dropped as ./configure --prefix /home/user/bin --dbdir /home/user/.graudit;make install does the same thing.
I have also added some scripts from my talks, you can find them in the aux directory. There are no install rules for them so they are only available from within the graudit-1.7_src tarball. My thanks to the people who contributed with patches and bug reports, keep them coming.

You can download the latest version from the graudit download page.
After a short hiatus I am happy to deliver the next graudit release. Version 1.6 introduces three new databases, c, dotnet and "all". The all database is a combined database of all the distributed signatures so you can easier scan multi language projects. The rough database has also been deprecated. As usual there are some new features, bug fixes and signature tweaks, see the changelog for the full details.

You can download the latest version from the graudit download page.
Please note that with the current changes to the test suite there is no development (.src.tar.gz) release. If you are a package maintainer or otherwise wish to use the development release you can either clone the git repository or wait for the upcoming 1.7 release.

Tool review: Bugle

|
Bugle is a neat tool which uses google and regular expressions to detect security defects in code. It makes it super quick to find vulnerable code.

The downside is that the code is often old and the vulnerability has been found, disclosed and fixed. And checking all those hits take time. Still it is well worth a spin.

Disclaimer:
Bugle's use of regular expressions to locate code defects was what initially prompted me to organize my messy scripts into the open source script graudit

Graudit version 1.5 released

|
The latest version of graudit is out. Notable changes are;
        New features for server wide install
        Source distro file for package maintainers
        Signature bug fixes
        New php, python and perl signatures
        Deprecating the rough signature set
        Fixed graudit usage text
        Improved documentation
        Several color modes supported
You can obtain the latest version from the graudit download page.

Graudit version 1.4 released

|
This will be a short lived release, it's actually more like 1.5RC1. Anyway, there are some improvements to the PHP signatures so if you really can't wait until the start of December for version 1.5, then grab a copy from the graudit download page.

Graudit, reducing false positives

|
Some anon called "R" left a comment today, but it was on a page where I had accidentally left comments on, so I won't publish it. He complained about false positives in graudit, and it is not the first time I have head this, or seen it for that matter. So I thought I would address it publicly, R's comment was;

"graudit seems to trip on things like "update_profile(", proudly hilighting "file(" :)"

This is true (I mostly see it around function names containing mail) and I would very much like to correct all the false positives matches and avoid any false negative ones too for that matter. However, this is a hobby project for me. I am not a company selling software, nor am I paid or given time off by my employer to work on graudit. Therefore my contribution to the project very much depends on my real life activities.

Graudit is meant to be a rough auditing tool. You run it against large/new projects so you can pick some starting points for your audit or even spot some low hanging fruit. It is not a complete solution and cannot validate whether what it highlights is exploitable or not. Since it uses grep it saves me from spending time on parsing engines for the supported languages, but it does make it harder to write signatures that are completely free of false positives. Regular expressions aren't that great for parsing :(

However, it is opensource, feel free to fix the issue and submit a patch, otherwise you will probably have to wait for version 1.5+ before any radical changes to the signatures happen. Until then I guess you will have to live with some false positives.

What is graudit?
Graudit is a semantic static analys tool that highlights potential vulnerabilities in source code.


Who should use graudit?
System administrators, developers, auditors, vulnerability researchers and anyone else that cares to know if the application they develop, deploy or otherwise use is secure.

What languages are supported?
Version 1.5 Shipped with support for the following languages:
  • ASP
  • JSP
  • Perl
  • PHP
  • Python
  • Other (looks for suspicious comments, etc)
Can you add support for language x,y,z?
I can add support for almost any language, but if I don't program in the language myself it is likely to have a high false-positive or even false-negative rate. If you can point me to an existing set of rules for a language I can convert these to graudit.

Can I help?
Sure you can! I could use help with anything and everything, improved rulesets, documentation, packaging, testing, etc. And if you're unable to help with any of these you can tell someone else about graudit.

Graudit version 1.3 released

|
The latest version of Graudit is here, version 1.3. The most exiting news about this release is the added support for ASP and JSP. That's right, Graudit now supports 5 languages.
There are also some new signatures and bug fixes for the existing rules.

You can obtain the latest version from the graudit download page.
I attended this months OWASP Melbourne meeting. It's been a while since I attended one and the talks this month were too good to miss.

Matthew Hackling - Australian Prudential Practice Guide 234
I missed the start of this thanks to my reading comprehension which saw me waste $4 on parking at Deloitte's old offices in QV. I'll be following the development on this closely.

The second presentation was
Richard Farrell - Static Source Code Analysis - What, why, when and how?
Although the world of static analysis hasn't had any earth shattering break throughs lately it was very good to see how the enterprise solution integrate and work. I wish I'd had more time to stay around and play, perhaps another time,

Graudit version 1.2 release

|
Graudit version 1.2 is finally out. Here It fixes several gripes I've (and other) had with some of the signatures. There are less false positives, the default signatures are aimed easier to detect vulnerabilities, there is a new signature set called other which focuses more on comments left by developers. Some bug fixes and better POSIX compliance for graudit. Better documentation (should be better still). And finally, if you get yours from github there is a Makefile and a basic test harness in place to ensure that future releases remain "quality".

Most notably though, the signature changes is what most people will enjoy.

You can obtain the latest version from the graudit download page.

Benchmarking graudit

|
Benchmarking might not be the correct term as graudit does not have the capacity to determine if a signature match is in fact a vulnerability or not. It only highlights a potential problem area so you can pay closer attention to it. Like most signature based approaches it does stand a fairly good chance of catching low hanging fruit, but certain kind of vulnerabilities will remain impossible to detect. None-the-less I am aiming to improve the standard of the signature sets, so from now on graudit will be "benchmarked" on each release.

To avoid writing signatures for specific vulnerabilities I am using two vulnerable applications to benchmark graudit with;

* Multillidae
* Damn Vulnerable Web Application

My hope is to approximate 100% low and 75% medium detection rate by version 2.0. Now to find some non PHP equivalents for the other languages.

Graudit

|
graudit-1.1-screenshot.jpgGRAUDIT
Graudit is a simple script and signature sets that allows you to find potential security flaws in source code using the GNU utility grep. It's comparable to other static analysis applications like RATS, SWAAT and flaw-finder while keeping the technical requirements to a minimum and being very flexible.

Graudit supports scanning code written in several languages; asp, jsp, perl, php and python.

USAGE
Graudit supports several options and tries to follow good shell practices. For
a list of the options you can run graudit -h or see below. The simplest way to use
graudit is;
graudit /path/to/scan

DEPENDENCIES
Required: bash, grep, sed

DOCUMENTATION
See the readme file and frequently asked questions.
DOWNLOAD
You can download the latest version from the graudit download page.

SOURCE
Graudit is available from github, you can check the github project page or check it out directly using git from git://github.com/wireghoul/graudit.git

No Clean Feed - Stop Internet Censorship in Australia
Creative Commons License
This weblog is licensed under a Creative Commons License.