Setting up the Source Code Review Environment

New web application attacks emerge every day, and even the oldest ones have not lost their significance. As attacks evolve, developers evolve too, if not at the same pace. At times it is not possible to find all the vulnerabilities with a single approach, be it black box or white box.

In this blog, we will demonstrate the applications and the extensions required for source code review; in other words, this blog will give you an idea of what white box testing is. We wrote this blog assuming that your target application is written in PHP.

This blog includes:

  • Debugger Setup – VS Code
  • Setting the debugging Breakpoint
  • Breaking that Breakpoint
  • Enabling and Monitoring DB Query Logging
  • Bonus! – Reliving CVE-2020-13231

Without further ado, let’s begin.

Debugger Setup – VS Code

On the Linux VM, we will download Visual Studio Code.

What is Visual Studio Code?
Visual Studio Code is a lightweight but powerful source code editor which runs on your desktop and is available for Windows, macOS and Linux. It comes with built-in support for JavaScript, TypeScript and Node.js and has a rich ecosystem of extensions for other languages and runtimes (such as C++, C#, Java, Python, PHP, Go, .NET).

After downloading VS Code, it is time to install extensions. In this blog we will perform a manual code review of PHP code, so we will be installing the extensions for PHP.

Extensions Installation

We will open our application code in the workspace from the explorer tab prior to adding the extension.

Fig. Image highlighting options under file menu in VS code

Now, we will add the extensions.

Fig. Image displaying the extensions required to review PHP applications

PHP Debug – This extension lets us set up and configure breakpoints.

PHP Intelephense – This lets us jump to function definitions quickly without having to open the file manually.

Setting up the Breakpoint

To understand the code flow and data flow one would have to read all the code, but that is time-consuming; breakpoints ease this. A breakpoint pauses execution when a specific line is reached, which tells the user that this code path is executed, and from there the user can step into the function or skip over it to the next one.

Now that we have assumed you have chosen the application for your first manual source code review, we will set a breakpoint and learn how it works.

Open the project in the VS code explorer.

Fig. Image displaying the application’s code in VS code

Next, open the file where you want to set the breakpoint; in this case, “install.php”.

To set the breakpoint, click to the left of the line number at which you want execution to stop.

Fig. Image highlighting the intended breakpoint

Then start debugging from the menu at the top:

Run > Start Debugging

Fig. Image displaying the VS code window before the set breakpoint is triggered

Breaking the Breakpoint

The breakpoint we defined in the previous section is triggered when we browse to that page, or more precisely when the code at the breakpoint is executed.

So, to trigger our breakpoint, we will access our app’s installation page.

Fig. Image displaying triggered breakpoint

From here, we can step into, step out of and step over the function.

Enabling and Monitoring DB Query Logging

After completing this step, we will be able to examine the communication between our application and the database, which is important during code review for detecting SQL injection. Configure your /etc/mysql/my.cnf with the following configuration:

Fig. Image displaying modified mysql configuration file

Now to view the DB calls:

$ sudo tail -f /var/log/mysql/mysql.log

Visit the login page, enter the credentials and submit the form. The query the application sends appears in the log as you submit.

Fig. Bi-sectional Image displaying application’s UI and respective DB query

Bonus! – Reliving CVE-2020-13231

This CVE is a CSRF vulnerability that lets an attacker change the admin’s e-mail address.

Let’s find the vulnerable code:

Fig. Image displaying vulnerable code

As highlighted in the image, the parameter name, which accepts the email and username, is changed through a GET request that carries no anti-CSRF token.

This issue was assigned CVE-2020-13231.

As a fix, the GET request was converted to a POST request and an anti-CSRF token was implemented.

Fig. Image displaying new commits to fix the vulnerable code
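The pattern behind this CVE as the blog describes it, written out as an added example (not the affected project’s code nor code from the original post): a hypothetical “change admin e-mail” handler in its vulnerable GET form and in the fixed POST-plus-token form. Function names, parameter names and the session layout are assumptions.

```php
<?php
// Added illustration of the CVE-2020-13231 pattern described above. Function names,
// parameter names and the session keys are assumptions, not the project's own code.
// BEFORE: a state change over GET with no anti-CSRF token. Any page an authenticated
// admin visits can trigger it with a plain link or image request, because the
// browser attaches the session cookie automatically.
function update_email_vulnerable(array $get, array &$admin): void
{
    if (isset($get['name'], $get['email'])) {
        $admin['name']  = $get['name'];
        $admin['email'] = $get['email'];
    }
}
// AFTER: POST only, plus a per-session random token that the form must echo back.
function csrf_token(array &$session): string
{
    if (empty($session['csrf_token'])) {
        $session['csrf_token'] = bin2hex(random_bytes(32));
    }
    return $session['csrf_token'];
}
function update_email_fixed(string $method, array $post, array &$session, array &$admin): bool
{
    if ($method !== 'POST') {
        return false;   // GET can no longer change state
    }
    $expected = $session['csrf_token'] ?? '';
    $given    = (string) ($post['csrf_token'] ?? '');
    // hash_equals() compares in constant time, so the check leaks nothing about the token.
    if ($expected === '' || !hash_equals($expected, $given)) {
        return false;
    }
    if (!isset($post['name'], $post['email'])
        || filter_var($post['email'], FILTER_VALIDATE_EMAIL) === false) {
        return false;
    }
    $admin['name']  = $post['name'];
    $admin['email'] = $post['email'];
    return true;
}
// Stand-alone demo with constructed arrays standing in for $_SESSION and $_POST.
$admin   = ['name' => 'admin', 'email' => 'admin@example.test'];
$session = [];
$token   = csrf_token($session);
$change  = ['name' => 'admin', 'email' => 'new@example.test'];
var_dump(update_email_fixed('GET',  $change + ['csrf_token' => $token], $session, $admin));
var_dump(update_email_fixed('POST', $change + ['csrf_token' => 'guess'], $session, $admin));
var_dump(update_email_fixed('POST', $change + ['csrf_token' => $token], $session, $admin));
```

Only the third call changes the stored e-mail; the GET attempt and the wrong-token attempt are rejected before any state is touched. In a real application the token is emitted as a hidden form field and the same check guards every state-changing handler.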

Conclusion

We hope this blog has taught you something if you are new to source code reviews or have just started learning them. Practice will definitely help you move up the ladder: follow the approach and review as much code as possible.

After reading this blog, we recommend you pick a vulnerable application, find all its vulnerabilities through the black box approach, and then try to find the same ones through code review.


About Payatu

Payatu is a research-powered, CERT-In empaneled cybersecurity consulting company specializing in security assessments of IoT product ecosystem, Web application & Network with a proven track record of securing applications and infrastructure for customers across 20+ countries.
