
Semgrep: The Open Source Tool for Finding Vulnerable Code


Duarte Duarte

April 20, 2023

Transcript

  1. AGENDA (2023/04/18)

     • Challenge #1
     • SAST
     • What's Semgrep?
     • Semgrep Registry
     • CI/CD
     • Use case #1: Spring4Shell (CVE-2022-22965)
     • Use case #2: DeFi Hacks
  2. Challenge #1: find disabled SSL certificate validation in Python

     https://requests.readthedocs.io/en/latest/user/advanced/
  3. Let's use grep…

     import requests

     def request1():
         r = requests.get('https://securepayments.com/get-cc-data', verify=False)
         return r

     $ grep "verify=False" chall1.py
     r = requests.get('https://securepayments.com/get-cc-data', verify=False)
  4. Let's use grep…

     import requests

     def request2():
         r = requests.get('https://securepayments.com/get-cc-data', verify = False)
         return r

     $ grep "verify *= *False" chall1.py
     r = requests.get('https://securepayments.com/get-cc-data', verify = False)
  5. Let's use grep…

     import requests

     def request3():
         VERY_TRUE = False
         r = requests.get('https://securepayments.com/get-cc-data', verify=VERY_TRUE)
         return r

     $ grep "verify=????" chall1.py
     ...
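The point of the third challenge is that a text pattern cannot see that VERY_TRUE is bound to False. As an added illustration (not code from the talk), the check below parses a constructed copy of the three challenge snippets with Python's ast module and applies minimal constant propagation inside each function, beside the two grep patterns from the slides; grep stops at request2, the syntax-aware check also flags request3. The REQUESTS_METHODS set and the function names are assumptions of this example, not Semgrep's implementation.

```python
import ast
import re

# Constructed sample reproducing the three challenge snippets from the slides.
CHALL1 = """import requests
def request1():
    r = requests.get('https://securepayments.com/get-cc-data', verify=False)
    return r
def request2():
    r = requests.get('https://securepayments.com/get-cc-data', verify = False)
    return r
def request3():
    VERY_TRUE = False
    r = requests.get('https://securepayments.com/get-cc-data', verify=VERY_TRUE)
    return r
"""
REQUESTS_METHODS = {"get", "post", "put", "patch", "delete", "head", "options", "request"}


def grep_findings(source, pattern):
    """Line-oriented grep, as on the slides: 1-based numbers of lines whose text matches."""
    rx = re.compile(pattern)
    return [i for i, line in enumerate(source.splitlines(), 1) if rx.search(line)]


def ast_findings(source):
    """Syntax-aware check: flag requests.<method>(..., verify=X) where X is the
    literal False or a name bound to literal False in the same function."""
    hits = []
    for func in ast.walk(ast.parse(source)):
        if not isinstance(func, ast.FunctionDef):
            continue
        # Minimal constant propagation: VERY_TRUE = False -> {"VERY_TRUE": False}
        consts = {t.id: n.value.value for n in ast.walk(func)
                  if isinstance(n, ast.Assign) and isinstance(n.value, ast.Constant)
                  for t in n.targets if isinstance(t, ast.Name)}
        for node in ast.walk(func):
            if not (isinstance(node, ast.Call) and isinstance(node.func, ast.Attribute)
                    and isinstance(node.func.value, ast.Name)
                    and node.func.value.id == "requests"
                    and node.func.attr in REQUESTS_METHODS):
                continue
            for kw in node.keywords:
                v = kw.value
                if kw.arg == "verify" and (
                        (isinstance(v, ast.Constant) and v.value is False)
                        or (isinstance(v, ast.Name) and consts.get(v.id) is False)):
                    hits.append(node.lineno)
    return hits
```

Both grep patterns miss line 10 (request3); the AST check reports lines 3, 6 and 10.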
  6. SAST: Static Application Security Testing (or static analysis)

     Find vulnerabilities by reviewing source code.
     Examples: Checkmarx, Fortify, SonarQube, Coverity, Bandit, …
  7. What's Semgrep?

     "Code Analysis at Ludicrous Speed. Find bugs, run security scans in CI, and enforce security standards across your organization."

     semgrep.dev
     github.com/returntocorp/semgrep
  8. The Semgrep rule for the challenge

     rules:
       - id: disabled-cert-validation
         message: >-
           Certificate verification has been explicitly disabled. This permits
           insecure connections to insecure servers. Re-enable certification validation.
         metadata:
           cwe: ["CWE-295: Improper Certificate Validation"]
           owasp:
             - A03:2017 - Sensitive Data Exposure
             - A07:2021 - Identification and Authentication Failures
           references:
             - https://stackoverflow.com/questions/41740361/is-it-safe-to-disable-ssl-certificate-verification-in-pythonss-requests-lib
           category: security
           technology: [requests]
           subcategory: [audit]
           likelihood: LOW
           impact: LOW
           confidence: LOW
           license: Commons Clause License Condition v1.0[LGPL-2.1-only]
         languages:
           - python
         severity: ERROR
         pattern-either:
           - pattern: requests.put(..., verify=False, ...)
           - pattern: requests.patch(..., verify=False, ...)
           - pattern: requests.delete(..., verify=False, ...)
           - pattern: requests.head(..., verify=False, ...)
           - pattern: requests.options(..., verify=False, ...)
           - pattern: requests.request(..., verify=False, ...)
           - pattern: requests.get(..., verify=False, ...)
           - pattern: requests.post(..., verify=False, ...)
         fix-regex:
           regex: verify(\s)*=(\s)*False
           replacement: verify=True
  9. Semgrep Registry

     • 1k+ rules by r2c/community
     • 20+ languages
     • $ semgrep --config=auto
     • github.com/returntocorp/semgrep-rules
  10. Exploitability

      1. JDK 9 or above
      2. Standalone Tomcat (no embedded Tomcat) with WAR deployment
      3. Any Spring version before 5.3.18 / 5.2.20 (Spring Boot before 2.5.12 / 2.6.6)
      4. No blocklist on WebDataBinder / InitBinder
      5. Writable file system (e.g. webapps/ROOT)
      6. Parameter binding with POJOs directly (no @RequestBody, @RequestQuery, etc.)