Results tagged “graudit” from Just Another Hacker

Custom graudit signatures

Writing your own graudit signatures is relatively easy. Mastering regular expressions helps, but in their simplest form a plain list of words will do. I have tried to document some of the common pitfalls that might creep up on you in my Ruxmon presentation, but I know how "useful" a single slide can be. I am catching up on the graudit documentation, and documentation for signatures is just around the corner. Until then, I thought I would share some of the databases I use when I am looking for low-hanging fruit and want to reduce the information overload (noise) that you normally get from the php ruleset. Signatures after the break to avoid spamming RSS readers.
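As an added illustration (the signatures from this post are not reproduced on this page, and this is not graudit's own code or one of its shipped rulesets), here is a minimal signature database in the form the posts describe: one extended regular expression per line, fed to grep with -E -f, run over a constructed PHP fragment. Every pattern and the sample file are assumptions written for this demonstration.

```shell
#!/bin/sh
# Added example, not graudit's own code or shipped rulesets.
# A minimal graudit-style signature database run with grep -E -f over a
# constructed PHP sample. Every pattern here is an assumption written for
# this demonstration.
set -e
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# Signature database: one extended regular expression per line.
# A plain word such as "eval" would also work; [[:space:]]* before the
# parenthesis makes the signature whitespace-neutral so "system (" is
# still caught, and (^|[^[:alnum:]_]) is a portable word boundary
# (GNU grep also accepts \b for the same thing).
cat > "$WORK/demo.db" <<'EOF'
(^|[^[:alnum:]_])eval[[:space:]]*\(
(^|[^[:alnum:]_])(system|exec|passthru|shell_exec)[[:space:]]*\(
\$_(GET|POST|REQUEST|COOKIE)\[
(^|[^[:alnum:]_])include(_once)?[[:space:]]*\(?[[:space:]]*\$
EOF

# Constructed sample to scan; not taken from any real project.
cat > "$WORK/sample.php" <<'EOF'
<?php
$page = $_GET['page'];
include($page . '.php');
$out = system ("ls " . $_POST['dir']);
echo htmlspecialchars($name);
eval($code);
EOF

# scan DB FILE: print line:text for each line hit by any signature.
# grep exits 1 when nothing matches, which is not an error here.
scan() {
    grep -nE -f "$1" "$2" || true
}

# count_hits DB FILE: number of flagged lines (4 for the sample above).
count_hits() {
    scan "$1" "$2" | wc -l | tr -d ' '
}

scan "$WORK/demo.db" "$WORK/sample.php"
```

Lines 2, 3, 4 and 6 of the sample are flagged; the htmlspecialchars line is not. Each line is reported once even when two signatures hit it, which is why line 4 (system call and $_POST) counts as a single finding.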

It is time for another graudit release, and this time it includes some big changes.
  • New PHP signatures
  • Improved C signatures for fewer false positives
  • Improved dotnet signatures
  • Whitespace neutrality for all signatures
  • -l operator lists available databases
  • -x operator for excluding files
  • configure script added to make chain
  • Makefile install targets changed, install is now server wide
Package maintainers should take note of the last change. The Makefile currently supports the old-style home directory install (make user install), but that is deprecated and will be dropped, as ./configure --prefix /home/user/bin --dbdir /home/user/.graudit;make install does the same thing.
I have also added some scripts from my talks; you can find them in the aux directory. There are no install rules for them, so they are only available from within the graudit-1.7_src tarball. My thanks to the people who contributed patches and bug reports, keep them coming.

You can download the latest version from the graudit download page.
As promised, I have uploaded the slides and the corresponding advisory for my graudit talk at the Ruxcon meetup this month.

I am presenting at this month's Ruxcon Monthly Meetup.

Date: Friday, 25th June
Time: 6:00PM
Location: RMIT University, City Campus
https://my.rmit.edu.au/portal/page/portal/RMITPortal/campusmaps?dsize=max
Room: Building 8, Level 9, Room 42 (008.09.042)

RMIT Building 8 entrance is off Swanston Street (just past Swanston and
La Trobe). Please take the lift to Level 9 and make your way to Room 42.
We will have directions posted up in the building.

Presentations
=============

Unsanitary Web Activities - Tim Noise (MovingData)

In the land of the internet, web developers are constantly rolling out
new applications and letting them free into the Internet. Many with
little knowledge or experience in security. They assume the users will
provide data in a manner they expect. This talk will cover webapp
security basics and commonplace attacks, showing you the effect this
oversight can have, and how to prevent it.

Pownage Coquillage: Real World Tales From The Trenches - Sash Biskup
(Stratsec)

In this talk the presenter will discuss various security incidents he
has been involved in during the course of his career. Starting with old
school bof through to modern day malware and blackmail. This isn't a
deep technical analysis of each incident but an overview of the
characteristics of each of the attacks and what the repercussions were to
the organisation or individual.

Static analysis with Graudit - Eldar Marcussen

Graudit is a rough audit tool, that can be used to find vulnerabilities
in source code (C, ASP, .NET, JSP, PHP, Perl and Python). In this
presentation I will show how to get the most out of graudit.

After a short hiatus I am happy to deliver the next graudit release. Version 1.6 introduces three new databases: c, dotnet and "all". The all database is a combined database of all the distributed signatures, so you can more easily scan multi-language projects. The rough database has also been deprecated. As usual there are some new features, bug fixes and signature tweaks; see the changelog for the full details.

You can download the latest version from the graudit download page.
Please note that with the current changes to the test suite there is no development (.src.tar.gz) release. If you are a package maintainer or otherwise wish to use the development release you can either clone the git repository or wait for the upcoming 1.7 release.

Graudit version 1.5 released

The latest version of graudit is out. Notable changes are:
  • New features for server wide install
  • Source distro file for package maintainers
  • Signature bug fixes
  • New php, python and perl signatures
  • Deprecating the rough signature set
  • Fixed graudit usage text
  • Improved documentation
  • Several color modes supported
You can obtain the latest version from the graudit download page.

Graudit version 1.4 released

This will be a short-lived release; it's actually more like 1.5RC1. Anyway, there are some improvements to the PHP signatures, so if you really can't wait until the start of December for version 1.5, then grab a copy from the graudit download page.

Graudit, reducing false positives

Some anon called "R" left a comment today, but it was on a page where I had accidentally left comments enabled, so I won't publish it. He complained about false positives in graudit, and it is not the first time I have heard this, or seen it for that matter. So I thought I would address it publicly. R's comment was:

"graudit seems to trip on things like "update_profile(", proudly hilighting "file(" :)"

This is true (I mostly see it around function names containing mail), and I would very much like to correct all the false-positive matches and avoid any false-negative ones too for that matter. However, this is a hobby project for me. I am not a company selling software, nor am I paid or given time off by my employer to work on graudit. Therefore my contribution to the project very much depends on my real life activities.

Graudit is meant to be a rough auditing tool. You run it against large/new projects so you can pick some starting points for your audit or even spot some low hanging fruit. It is not a complete solution and cannot validate whether what it highlights is exploitable or not. Since it uses grep it saves me from spending time on parsing engines for the supported languages, but it does make it harder to write signatures that are completely free of false positives. Regular expressions aren't that great for parsing :(

However, it is open source, so feel free to fix the issue and submit a patch; otherwise you will probably have to wait for version 1.5+ before any radical changes to the signatures happen. Until then I guess you will have to live with some false positives.
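To make the false positive R describes concrete, here is an added example (not graudit's code or any of its shipped signatures) that runs a bare "file(" pattern and a word-bounded version of it over a few constructed PHP lines. The pattern names and the sample lines are assumptions made for this demonstration.

```shell
#!/bin/sh
# Added example, not graudit's own code or signatures.
# Shows the false positive R reported: a bare "file(" signature also
# fires on update_profile(, and how a word boundary prevents that.
set -e

# Constructed PHP lines, not taken from any real project.
SAMPLE='$u = update_profile($id);
$lines = file($path);
$rows = file ($_GET["p"]);
$p = profile_file($x);'

# The naive signature: any "file(" anywhere on the line.
NAIVE='file\('
# The same call, but only when "file" is not preceded by an identifier
# character, and tolerant of whitespace before the parenthesis.
# GNU grep also accepts \bfile[[:space:]]*\( as shorthand.
BOUNDED='(^|[^[:alnum:]_])file[[:space:]]*\('

# matches PATTERN: print the constructed lines that PATTERN flags.
matches() {
    printf '%s\n' "$SAMPLE" | grep -nE "$1" || true
}

# count_matches PATTERN: number of flagged lines.
count_matches() {
    matches "$1" | wc -l | tr -d ' '
}

echo "naive:";   matches "$NAIVE"     # flags lines 1, 2 and 4; misses line 3
echo "bounded:"; matches "$BOUNDED"   # flags only lines 2 and 3
```

The naive pattern produces two false positives (update_profile and profile_file) and one false negative (the call written with a space before the parenthesis); the bounded pattern gets all four lines right. The same boundary trick applies to the mail-related names mentioned above.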

Graudit lightning talk

I will present a graudit lightning talk at the 2009 AISA Annual Seminar Day.
As a result I will aim to release new versions more often, so I can present more bells and whistles. Expect graudit to reach version 1.6 by Christmas 2009!

For the full 2009 AISA ASD agenda please see http://www.aisa.org.au/index.php?page=243

Frequently Asked Questions


What is graudit?
Graudit is a semantic static analysis tool that highlights potential vulnerabilities in source code.


Who should use graudit?
System administrators, developers, auditors, vulnerability researchers and anyone else that cares to know if the application they develop, deploy or otherwise use is secure.

What languages are supported?
Version 1.5 shipped with support for the following languages:
  • ASP
  • JSP
  • Perl
  • PHP
  • Python
  • Other (looks for suspicious comments, etc)
Can you add support for languages x, y and z?
I can add support for almost any language, but if I don't program in the language myself it is likely to have a high false-positive or even false-negative rate. If you can point me to an existing set of rules for a language I can convert these to graudit.

Can I help?
Sure you can! I could use help with anything and everything, improved rulesets, documentation, packaging, testing, etc. And if you're unable to help with any of these you can tell someone else about graudit.

Download graudit

Please use the links below to download your preferred graudit release. We recommend that you use the latest release, or even stay up to date by using our GitHub repository.

Latest version:
b40ef6d7c2de0b17bcdcfa8f863c24aa  graudit-1.7.tar.gz
2720f4b625a511a5b2ac50f0cdc5690a  graudit-1.7.zip
89bb69911cebf49bc52c172388232705  graudit-1.7_src.tar.gz

Older versions:
5f43b14b3af77f5af7e02fc549bcf4b3  graudit-1.6.tar.gz
ec6db94b7e450860af2afa1a24ddc69b  graudit-1.6.zip
1b6b255e8a384faec9e4f6a20179ad9d  graudit-1.5.tar.gz
e55c3463ff0d7c1a1c75c3e57ba92c9d  graudit-1.5.zip
0cbf01f09f1b84c6b3dd7dec78ba5784  graudit-1.5_src.tar.gz
291545462e89943aed26637047e78dc8  graudit-1.4.tar.gz
0f1771062fb54c61d85ab88963167231  graudit-1.4.zip
71297a09bd5c378826acc91e44baceb3  graudit-1.3.tar.gz
028dc34ad97ba8a1a5080f511f5fe638  graudit-1.3.zip
dd513e8663ab1bcfe61a034823c75d8f  graudit-1.2.tar.gz
85a73ef39fc685aaf72d1a8057406ed3  graudit-1.2.zip
a4a8937481a71f27df85bd7cd9ec2d25  graudit-1.1.tar.bz2


Graudit version 1.3 released

The latest version of Graudit is here, version 1.3. The most exciting news about this release is the added support for ASP and JSP. That's right, Graudit now supports 5 languages.
There are also some new signatures and bug fixes for the existing rules.

You can obtain the latest version from the graudit download page.

Graudit version 1.2 released

Graudit version 1.2 is finally out. It fixes several gripes I (and others) have had with some of the signatures. There are fewer false positives, the default signatures are aimed at easier-to-detect vulnerabilities, and there is a new signature set called other which focuses more on comments left by developers. There are some bug fixes and better POSIX compliance for graudit, and better documentation (it should be better still). And finally, if you get yours from GitHub, there is a Makefile and a basic test harness in place to ensure that future releases remain "quality".

Most notably though, the signature changes are what most people will enjoy.

You can obtain the latest version from the graudit download page.

Benchmarking graudit

Benchmarking might not be the correct term, as graudit does not have the capacity to determine whether a signature match is in fact a vulnerability or not. It only highlights a potential problem area so you can pay closer attention to it. Like most signature-based approaches it does stand a fairly good chance of catching low-hanging fruit, but certain kinds of vulnerabilities will remain impossible to detect. Nonetheless I am aiming to improve the standard of the signature sets, so from now on graudit will be "benchmarked" on each release.

To avoid writing signatures for specific vulnerabilities I am using two vulnerable applications to benchmark graudit with:

* Mutillidae
* Damn Vulnerable Web Application

My hope is to approximate a 100% low and 75% medium detection rate by version 2.0. Now to find some non-PHP equivalents for the other languages.
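A benchmark in the sense used here needs a labelled corpus: a set of files with known findings, so that the share of them a signature set flags can be measured on every release. The following added example (not graudit's own test harness, and not using Mutillidae or DVWA) scores a deliberately narrow two-signature set against a small constructed PHP corpus whose vulnerable lines are listed as ground truth, reporting the detection rate and any flagged lines outside the ground truth. The corpus, the labels and the signatures are all assumptions made for this demonstration.

```shell
#!/bin/sh
# Added example, not graudit's own test harness. Scans a constructed,
# labelled corpus with a small signature set and reports the detection
# rate and the false positives. Corpus, labels and signatures are all
# assumptions made for this demonstration.
set -e
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# Two deliberately narrow signatures so the gaps show up in the numbers:
# a query built from a variable, and a request parameter echoed directly.
cat > "$WORK/bench.db" <<'EOF'
(^|[^[:alnum:]_])mysql_query[[:space:]]*\(.*\$
(^|[^[:alnum:]_])echo[[:space:]]+\$_(GET|POST)\[
EOF

# Constructed corpus. Lines 2, 4, 6 and 7 are the planted findings;
# line 3 is safe (integer cast) but still matches the first signature.
cat > "$WORK/corpus.php" <<'EOF'
<?php
$r = mysql_query("SELECT * FROM users WHERE id=" . $_GET['id']);
$n = mysql_query("SELECT COUNT(*) FROM t WHERE id=" . (int)$id);
echo $_GET['name'];
echo htmlspecialchars($_GET['name']);
$r2 = mysql_query  ("SELECT * FROM t WHERE n='" . $name . "'");
$cmd = system("ping " . $_POST['host']);
EOF
EXPECTED="2 4 6 7"   # ground truth: line numbers that should be flagged

# flagged DB FILE: line numbers hit by the signature set, one per line.
flagged() {
    grep -nE -f "$1" "$2" | cut -d: -f1 || true
}

# detection_rate DB FILE "N N N": percentage of the labelled lines flagged.
detection_rate() {
    hits=0; total=0
    found=$(flagged "$1" "$2")
    for want in $3; do
        total=$((total + 1))
        for got in $found; do
            [ "$got" = "$want" ] && hits=$((hits + 1))
        done
    done
    echo $((100 * hits / total))
}

# false_positives DB FILE "N N N": flagged lines not in the ground truth.
false_positives() {
    for got in $(flagged "$1" "$2"); do
        keep=1
        for want in $3; do
            [ "$got" = "$want" ] && keep=0
        done
        [ "$keep" = 1 ] && echo "$got"
    done
    return 0
}

echo "detection rate: $(detection_rate "$WORK/bench.db" "$WORK/corpus.php" "$EXPECTED")%"
echo "false positives on lines: $(false_positives "$WORK/bench.db" "$WORK/corpus.php" "$EXPECTED")"
```

On this corpus the set flags lines 2, 3, 4 and 6: three of the four planted findings (75%), one false positive (the cast query on line 3) and one miss (the system call on line 7, which no signature covers). Rerunning the same harness after a signature change gives a number to compare against the previous release, which is the point of benchmarking a rough tool like this.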

Graudit

GRAUDIT
Graudit is a simple script and signature sets that allow you to find potential security flaws in source code using the GNU utility grep. It's comparable to other static analysis applications like RATS, SWAAT and flaw-finder while keeping the technical requirements to a minimum and being very flexible.

Graudit supports scanning code written in several languages; asp, jsp, perl, php and python.

USAGE
Graudit supports several options and tries to follow good shell practices. For
a list of the options you can run graudit -h or see below. The simplest way to use
graudit is:
graudit /path/to/scan

DEPENDENCIES
Required: bash, grep, sed

DOCUMENTATION
See the readme file and frequently asked questions.
DOWNLOAD
You can download the latest version from the graudit download page.

SOURCE
Graudit is available from GitHub; you can check the GitHub project page or check it out directly using git from git://github.com/wireghoul/graudit.git

Graudit version 1.1 is out

So with little fanfare I present to you the first proper release of graudit. If you did not already know: graudit is a rough code auditing tool for dynamic languages.
In all honesty it is just a bash script that uses grep with several regular expressions to highlight potential problem areas in source code. The results are comparable to those of other rough auditing tools such as rats or flaw-finder.

You can obtain the latest version from the graudit download page.

projects

These are projects that we work on:

Evil Website Testing Suite
A collection of web pages that behave badly or provide malicious content in an attempt to break web based applications or cause malicious code inclusions in third party output, for example a RSS feed reader, link checker report, etc.


Graudit
Graudit is a simple script and signature sets that allow you to find potential security flaws in source code using the GNU utility grep. It's comparable to other static analysis applications like RATS, SWAAT and flaw-finder.
This weblog is licensed under a Creative Commons License.