Psalm: [Security] Benchmark against known vulnerable web apps

Created on 18 Nov 2020 · 4 Comments · Source: vimeo/psalm

Let's figure out what Psalm finds and what it doesn't. (and why not)

Off the top of my head, these could be good candidates:


All 4 comments

Hey @LukasReschke, can you reproduce the issue on https://psalm.dev ?

Setup DVWA at https://github.com/LukasReschke/DVWA. Will use this comment to update the findings and later split these into single actionable tasks.

Exec

Low to High

✅ Both RCEs are found

https://github.com/digininja/DVWA/blob/ba23da2d1808f6e7df004b304c2aea92442092d3/vulnerabilities/exec/source/high.php#L24-L31

The XSS is not found. But I guess that is due to the nature of the dynamic inclusion. Needs a recheck to see if they are found if no dynamic inclusion is used.

https://github.com/digininja/DVWA/blob/ba23da2d1808f6e7df004b304c2aea92442092d3/vulnerabilities/exec/source/high.php#L33-L34

Impossible

🚫 The RCE is not exploitable, but it seems Psalm loses the taint (as there's no sanitizer). Possibly some missing stub?

https://github.com/digininja/DVWA/blob/ba23da2d1808f6e7df004b304c2aea92442092d3/vulnerabilities/exec/source/impossible.php#L8-L27

FI (File Inclusion)

All not found. I believe this is, though, due to the dynamic inclusion at https://github.com/digininja/DVWA/blob/ba23da2d1808f6e7df004b304c2aea92442092d3/vulnerabilities/fi/index.php#L17-L39.

Needs a recheck to see if they are found if no dynamic inclusion is used.

SQLI (SQL Injection)

Low

✅ Found

https://github.com/digininja/DVWA/blob/ba23da2d1808f6e7df004b304c2aea92442092d3/vulnerabilities/sqli/source/low.php#L8-L9

Medium

🚫 Not found due to the sanitizer mysqli_real_escape_string, which however is NOT sufficient.

https://github.com/digininja/DVWA/blob/ba23da2d1808f6e7df004b304c2aea92442092d3/vulnerabilities/sqli/source/medium.php#L7-L9

However due to the SQL query not having quotes around the parameter, this will not fully protect the query from being altered.

High

🚫 Not found due to the source coming from $_SESSION (second-order injection). Consider tainting this too.

https://github.com/digininja/DVWA/blob/ba23da2d1808f6e7df004b304c2aea92442092d3/vulnerabilities/sqli/source/high.php#L5-L8

Impossible

✅ Prepared statements properly sanitized.

SQLI_Blind (Blind SQL Injection)

TODO

Upload

TODO

XSS

TODO
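The medium-level SQLi finding above (escaping applied, but the value interpolated without quotes) is illustrated below with an added example that is not DVWA's or Psalm's code. It assumes a mysqli connection `$db` and a `users(user_id, first_name, last_name)` table like DVWA's; `lookup_user_unsafe` mirrors the pattern Psalm does not flag, and `lookup_user` is the hardened form.

```php
<?php
declare(strict_types=1);

// Added example; assumes a mysqli connection $db and a DVWA-like users table.

// Pattern from DVWA's medium level: mysqli_real_escape_string only neutralises
// quote, backslash, NUL and newline characters. Because the value is placed in
// the query WITHOUT surrounding quotes, any input that is valid SQL without
// those characters reaches the parser unchanged. Psalm treats the escaping
// function as a sanitizer, so taint analysis reports nothing here.
function lookup_user_unsafe(mysqli $db, string $id): string
{
    $escaped = mysqli_real_escape_string($db, $id);
    return "SELECT first_name, last_name FROM users WHERE user_id = $escaped;";
}

// Hardened form: validate the type at the trust boundary and bind the value as
// an integer parameter. Nothing is interpolated, so there is nothing to escape,
// and this is the shape Psalm recognised as safe in DVWA's "impossible" level.
function lookup_user(mysqli $db, string $id): ?array
{
    $userId = filter_var($id, FILTER_VALIDATE_INT, ['options' => ['min_range' => 1]]);
    if ($userId === false) {
        return null; // reject malformed ids instead of trying to escape them
    }
    $stmt = $db->prepare('SELECT first_name, last_name FROM users WHERE user_id = ?');
    $stmt->bind_param('i', $userId);
    $stmt->execute();
    $row = $stmt->get_result()->fetch_assoc();
    return $row ?: null;
}
```

A reviewer can spot the weak variant by the missing quotes around the interpolated value; the fixed variant has no interpolation at all.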

@LukasReschke you can use psalm.dev to narrow down examples with // --taint-analysis at the top.

https://github.com/digininja/DVWA/blob/ba23da2d1808f6e7df004b304c2aea92442092d3/vulnerabilities/exec/source/impossible.php#L8-L27

can be narrowed to https://psalm.dev/r/6167a74f94 (i.e. stripslashes isn't stubbed out)

https://github.com/digininja/DVWA/blob/ba23da2d1808f6e7df004b304c2aea92442092d3/vulnerabilities/sqli/source/high.php#L5-L8

can be narrowed to https://psalm.dev/r/28aee75a41 (as you say, $_SESSION is not currently treated as tainted)
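Until Psalm treats `$_SESSION` as a taint source itself, a code base can declare that flow explicitly with Psalm's `@psalm-taint-source` and `@psalm-taint-sink` docblock annotations. The following is an added example, not DVWA's or Psalm's own code; `session_value` and `run_query` are hypothetical wrappers.

```php
<?php // --taint-analysis
// Added example: making the second-order flow from $_SESSION visible to Psalm.

/**
 * Treat every value read from the session as untrusted input. In DVWA's
 * high-level SQLi the id is stored in $_SESSION on one request and used
 * in a query on the next, so the session is where the taint re-enters.
 *
 * @psalm-taint-source input
 */
function session_value(string $key): string
{
    return (string) ($_SESSION[$key] ?? '');
}

/**
 * Hypothetical query wrapper; the annotation marks $sql as a SQL sink,
 * mirroring what Psalm already assumes for mysqli::query itself.
 *
 * @psalm-taint-sink sql $sql
 */
function run_query(mysqli $db, string $sql): mysqli_result|bool
{
    return $db->query($sql);
}

// Psalm now follows input -> session_value() -> run_query() and reports
// TaintedSql on the query below, whereas reading $_SESSION['id'] directly
// produced "No issues!" in the psalm.dev snippet linked above.
function high_level_lookup(mysqli $db): mysqli_result|bool
{
    $id = session_value('id');
    return run_query($db, "SELECT first_name, last_name FROM users WHERE user_id = '$id'");
}
```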

I found these snippets:


https://psalm.dev/r/6167a74f94

<?php // --taint-analysis

echo stripslashes($_GET["id"]);

Psalm output (using commit 5ba4681):

No issues!


https://psalm.dev/r/28aee75a41

<?php // --taint-analysis

echo $_SESSION['id'];

Psalm output (using commit 5ba4681):

No issues!
