
Semgrep: The Open Source Tool for Finding Vulnerable Code


Duarte Duarte

April 20, 2023


Transcript

1. AGENDA (2023/04/18)
   • Challenge #1
   • SAST
   • What's Semgrep?
   • Semgrep Registry
   • CI/CD
   • Use case #1: Spring4Shell (CVE-2022-22965)
   • Use case #2: DeFi Hacks
2. Challenge #1: find disabled SSL certificate validation in Python
   https://requests.readthedocs.io/en/latest/user/advanced/
3. Let's use grep...

```python
import requests

def request1():
    # Certificate validation disabled with the literal keyword argument
    r = requests.get('https://securepayments.com/get-cc-data', verify=False)
    return r
```

```console
$ grep "verify=False" chall1.py
    r = requests.get('https://securepayments.com/get-cc-data', verify=False)
```
4. Let's use grep...

```python
import requests

def request2():
    # Same bug, different whitespace: the first regex no longer matches
    r = requests.get('https://securepayments.com/get-cc-data', verify = False)
    return r
```

```console
$ grep "verify *= *False" chall1.py
    r = requests.get('https://securepayments.com/get-cc-data', verify = False)
```
5. Let's use grep...

```python
import requests

def request3():
    # The value is routed through a misleadingly named local: no regex on
    # the call line can see that verify is False
    VERY_TRUE = False
    r = requests.get('https://securepayments.com/get-cc-data', verify=VERY_TRUE)
    return r
```

```console
$ grep "verify=????" chall1.py
...
```
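The three variants above are why a line-oriented regex is the wrong tool: once the value is routed through a name, grep has nothing left to anchor on. The following is an added example (my code, not the deck's and not Semgrep's) of what a syntax-aware matcher does instead. It parses the file with Python's `ast` module, matches `requests.<method>(..., verify=...)` calls regardless of whitespace, and resolves a `verify=NAME` argument through a single literal assignment in the same function, which is the kind of constant propagation a real SAST engine performs. The `CHALL1_PY` sample is constructed here from the three slides plus one safe call; `grep_verify_false` reproduces the slides' regex for comparison.

```python
import ast
import re
import textwrap

# Constructed sample input: the three challenge variants from the slides plus
# a safe call, so the matcher has both positives and a negative to work on.
CHALL1_PY = textwrap.dedent('''
    import requests

    def request1():
        r = requests.get('https://securepayments.com/get-cc-data', verify=False)
        return r

    def request2():
        r = requests.get('https://securepayments.com/get-cc-data', verify = False)
        return r

    def request3():
        VERY_TRUE = False
        r = requests.get('https://securepayments.com/get-cc-data', verify=VERY_TRUE)
        return r

    def request_ok():
        r = requests.get('https://securepayments.com/get-cc-data', verify=True)
        return r
''')

# The requests helpers whose verify= argument controls certificate validation.
HTTP_METHODS = {"get", "post", "put", "patch", "delete", "head", "options", "request"}


def grep_verify_false(source):
    """What the slides' grep does: a regex over single lines, blind to indirection.
    Returns the 1-based line numbers that match."""
    return [i for i, line in enumerate(source.splitlines(), 1)
            if re.search(r"verify\s*=\s*False", line)]


def _collect_constants(func):
    """Map names assigned exactly once in a function to their literal value.
    Names that are reassigned are dropped, so the lookup stays precise."""
    consts, seen = {}, set()
    for stmt in ast.walk(func):
        if not isinstance(stmt, ast.Assign):
            continue
        for tgt in stmt.targets:
            if not isinstance(tgt, ast.Name):
                continue
            if tgt.id in seen:
                consts.pop(tgt.id, None)          # reassigned: no longer a constant
            else:
                seen.add(tgt.id)
                if isinstance(stmt.value, ast.Constant):
                    consts[tgt.id] = stmt.value.value
    return consts


def _is_false(node, consts):
    """True for the literal False or a name bound to the literal False."""
    if isinstance(node, ast.Constant):
        return node.value is False
    if isinstance(node, ast.Name):
        return consts.get(node.id) is False
    return False


class _Finder(ast.NodeVisitor):
    """Walk the tree, tracking the enclosing function and its constants."""

    def __init__(self):
        self.findings = []
        self._func, self._consts = "<module>", {}

    def visit_FunctionDef(self, node):
        saved = (self._func, self._consts)
        self._func, self._consts = node.name, _collect_constants(node)
        self.generic_visit(node)
        self._func, self._consts = saved

    def visit_Call(self, node):
        f = node.func
        if (isinstance(f, ast.Attribute) and isinstance(f.value, ast.Name)
                and f.value.id == "requests" and f.attr in HTTP_METHODS):
            for kw in node.keywords:
                if kw.arg == "verify" and _is_false(kw.value, self._consts):
                    self.findings.append((self._func, node.lineno))
        self.generic_visit(node)


def find_disabled_cert_validation(source):
    """Return (function_name, line_no) for every requests call that disables
    certificate validation, directly or through a single-assignment local."""
    finder = _Finder()
    finder.visit(ast.parse(source))
    return finder.findings


if __name__ == "__main__":
    print("grep matches lines:", grep_verify_false(CHALL1_PY))
    for name, line in find_disabled_cert_validation(CHALL1_PY):
        print(f"chall1.py:{line}: {name}: certificate verification disabled")
```

Run as a script, the regex reports only the two literal `verify=False` lines, while the AST matcher also reports `request3`, because it knows `VERY_TRUE` is bound to `False` inside that function. The `...` in the Semgrep patterns on the next slides plays the same role as ignoring whitespace and argument order here; the constant resolution is what no regex can supply.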
6. SAST
   Static Application Security Testing (or static analysis): find vulnerabilities by reviewing source code.
   Checkmarx, Fortify, SonarQube, Coverity, Bandit, ...
7. What's Semgrep?
   "Code Analysis at Ludicrous Speed. Find bugs, run security scans in CI, and enforce security standards across your organization."
   semgrep.dev
   github.com/returntocorp/semgrep
8. The registry rule for Challenge #1:

```yaml
rules:
  - id: disabled-cert-validation
    message: >-
      Certificate verification has been explicitly disabled. This permits
      insecure connections to insecure servers. Re-enable certification
      validation.
    metadata:
      cwe: ["CWE-295: Improper Certificate Validation"]
      owasp:
        - A03:2017 - Sensitive Data Exposure
        - A07:2021 - Identification and Authentication Failures
      references:
        - https://stackoverflow.com/questions/41740361/is-it-safe-to-disable-ssl-certificate-verification-in-pythonss-requests-lib
      category: security
      technology: [requests]
      subcategory: [audit]
      likelihood: LOW
      impact: LOW
      confidence: LOW
      license: Commons Clause License Condition v1.0[LGPL-2.1-only]
    languages:
      - python
    severity: ERROR
    pattern-either:
      - pattern: requests.put(..., verify=False, ...)
      - pattern: requests.patch(..., verify=False, ...)
      - pattern: requests.delete(..., verify=False, ...)
      - pattern: requests.head(..., verify=False, ...)
      - pattern: requests.options(..., verify=False, ...)
      - pattern: requests.request(..., verify=False, ...)
      - pattern: requests.get(..., verify=False, ...)
      - pattern: requests.post(..., verify=False, ...)
    fix-regex:
      regex: verify(\s)*=(\s)*False
      replacement: verify=True
```
9. Semgrep Registry
   • 1k+ rules by r2c/community
   • 20+ languages
   • $ semgrep --config=auto
   • github.com/returntocorp/semgrep-rules
10. Exploitability (Spring4Shell, CVE-2022-22965)
   1. JDK 9 or above
   2. Standalone Tomcat (no embedded Tomcat) with WAR deployment
   3. Any Spring version before 5.3.18 / 5.2.20 (Spring Boot before 2.5.12 / 2.6.6)
   4. No blocklist on WebDataBinder / InitBinder
   5. Writable file system (e.g. webapps/ROOT)
   6. Request parameters bound directly to POJOs (no @RequestBody, @RequestParam, etc.)