Man vs. Code

'''UPDATE: I have proposed a "Sticky" Marking When Smart Highlighting enhancement to the Notepad++ team: when one is selecting a word character-by-character, allow one to do this multiple times, without clearing the previous selected (and now smart-highlighted) sets of words. Then, clear all marks when double click on any other word. Double-click smart-highlighting functionality remains the same as it was before. This allows one to follow variable assignments through the code more easily. This change allows one to select the original variable, then select a new variable that the old variable is now assigned to, and so on. If you're interested in the details, or an already built version with the changes, contact mike.boberski@owasp.org'''

Tools such as source code review tools are expensive. Let me rephrase. They cost as much as a house! Feeling like you just stepped into a survivalist reality show, after being asked to perform a review using for example OWASP ASVS? You need tools, and you need them now. You also need tools more useful than for example RATS (Rough Auditing Tool for Security).

Tools such as RATS even if their rules are beefed up are still not a fast way to do a code review. If you accept the premise that when performing a code review, one should do at least a minimal check for both false positives and false negatives, then regardless of tool, you still need to go through each and every source file even if only for a cursory inspection. This is where source code review tools shine, their IDE-like GUIs allow you to jump through the code interactively in a very efficient way. This is why tools such as RATS are pretty much useless. You need to be able to easily jump through the code and follow data from sources to sinks a lot more than you need an initial count of some huge number of potential findings!

With the above in mind, here's one way to fashion a basic, efficient source code review tool (in this case, for PHP source) using a little bit of research and some freely-available tools in perhaps unexpected ways. The basic idea is to use Notepad++ and Its “User Defined Language” Feature. It can be downloaded here: http://notepad-plus.sourceforge.net So, go and do that. The ability to define one’s language using Notepad++ configuration interfaces, its syntax highlighting, and the ability to highlight variables throughout by default after selecting them, provides the basis for a way to search file-by-file for security-related flaws. E.g. create a new “PHP 4, 5 SCA” language. You'll also want to use a grep tool and also open up the PHP web site so you can search for function/language definitions http://us2.php.net/manual/en/ Also, install the “Explorer” plugin (copy to its plugins directory, download from http://sourceforge.net/project/showfiles.php?group_id=189927&package_id=223667 then enable it using the “Plugins” menu

Then, based on looking for function and other keywords related to input, SQL, sessions, URLs, files, etc. one can mine documents for relevant keywords, e.g.:


 * http://us2.php.net/manual/en/reserved.variables.php
 * http://us2.php.net/manual/en/book.mysql.php
 * http://us2.php.net/manual/en/book.hash.php
 * http://us2.php.net/manual/en/refs.fileprocess.file.php
 * http://us2.php.net/manual/en/book.mail.php
 * http://us2.php.net/manual/en/book.session.php
 * http://us2.php.net/manual/en/features.cookies.php
 * http://us2.php.net/manual/en/ref.url.php
 * Chris Shiflett, Essential PHP Security (O’Reilly Media, Inc., 2005).
 * http://www.fortify.com/vulncat/en/vulncat/index.html

Next, configure Notepad++ to create a new PHP static analysis language:

Select “View” menu, then “User Define Dialog” menu item, then “Dock” button

Ext:
 * Set to php (no period!)

Folder & Default
 * Font name – Consolas

Keywords Lists - Use your research here!

1st Group - Use this to find potential problems
 * Foreground color – red
 * Background color – white
 * Font style - bold
 * Prefix mode – make sure this is set (checked)
 * $GLOBALS $_SERVER $_GET $_POST $_FILES $_REQUEST $_SESSION $_ENV $_COOKIE $php_errormsg $HTTP_RAW_POST_DATA $http_response_header $argc $argv mysql_ hash_ basename chgrp chmod chown clearstatcache copy delete dirname disk_free_space disk_total_space diskfreespace fclose feof fflush fgetc fgetcsv fgets fgetss file_exists file_get_contents file_put_contents file fileatime filectime filegroup fileinode filemtime fileowner fileperms filesize filetype flock fnmatch fopen fpassthru fputcsv fputs fread fscanf fseek fstat ftell ftruncate fwrite glob is_dir is_executable is_file is_link is_readable is_uploaded_file is_writable is_writeable lchgrp lchown link linkinfo lstat mkdir move_uploaded_file parse_ini_file parse_ini_string pathinfo pclose popen readfile readlink realpath rename rewind rmdir set_file_buffer stat symlink tempnam tmpfile touch umask unlink mail session_ setcookie setrawcookie header ob_ output_ base64_ get_headers get_meta_tags http_build_query parse_url rawurlecode urldecode urlencode ini_set error_log allow_url_fopen disable_functions display_errors enable_dl error_reporting file_uploads log_errors magic_quotes_gpc memory_limit open_basedir register_globals safe_mode eval exec file file_get_contents fopen include passthru phpinfo popen preg_replace proc_open readfile require shell_exec system $password mcrypt_ return echo <?php <? md5 ldap_ @ trigger_error print error_reporting display_errors <form Ajax.Request preg_replace htmlspecialchars hidden <input rand srand mt_srand mt_rand file extract href mysqli

2nd Group – Use this to highlight fixes
 * Foreground color – green
 * Font style - bold
 * Background color – white
 * Prefix mode – make sure this is set (checked)
 * mysql_real_escape_string

Comment & Number
 * Comment line
 * Foreground color – light grey
 * Treat keyword as symbol

Comment Block
 * Foreground color – light grey
 * Treat keyword as symbol
 * Comment open - /*
 * Comment close - */

Save As
 * PHP4, 5 SCA

Then, when one opens a file using the new "language", starting from the suspected highlighted finding, one can double click on the parameters and return values of suspect functions, then keep selecting variables and return values as you trace through the code, using the highlighting all instances function and so on to expidite your review.

Here it is in action: