Slide 1

SEMGREP: The Open Source Tool for Finding Vulnerable Code

Slide 2

WHO (2023/04/18)
Duarte Duarte, InfoSec Engineering Lead, Blip (Flutter UK&I) @ 6 years

Slide 3

AGENDA
• Challenge #1
• SAST
• What's Semgrep?
• Semgrep Registry
• CI/CD
• Use case #1: Spring4Shell (CVE-2022-22965)
• Use case #2: DeFi Hacks

Slide 4

Challenge #1: Find disabled SSL certificate validation in Python
https://requests.readthedocs.io/en/latest/user/advanced/

Slide 5

Let's use grep...

import requests

def request1():
    r = requests.get('https://securepayments.com/get-cc-data', verify=False)
    return r

$ grep "verify=False" chall1.py
r = requests.get('https://securepayments.com/get-cc-data', verify=False)

Slide 6

Let's use grep...

import requests

def request2():
    r = requests.get('https://securepayments.com/get-cc-data', verify = False)
    return r

$ grep "verify *= *False" chall1.py
r = requests.get('https://securepayments.com/get-cc-data', verify = False)

Slide 7

Let's use grep...

import requests

def request3():
    VERY_TRUE = False
    r = requests.get('https://securepayments.com/get-cc-data', verify=VERY_TRUE)
    return r

$ grep "verify=????" chall1.py
...
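The three slides above show where text matching runs out: a regex can be widened to tolerate spaces, but it cannot see that VERY_TRUE holds False. The following is an added example, not code from the talk, that contrasts the grep approach with a small parser-based check built on Python's ast module, including a toy version of the constant propagation that lets Semgrep's own rule match the aliased case. The sample source is constructed to mirror slides 5-7 and is not the talk's chall1.py; the function list REQUESTS_FUNCS is an assumption about which requests helpers to inspect.

```python
# Added example (not from the slides): grep versus a parser-based check for
# disabled certificate verification in requests calls.
import ast
import re

# Assumption: the requests helpers worth checking (mirrors the Semgrep rule's list)
REQUESTS_FUNCS = {"get", "post", "put", "patch", "delete", "head", "options", "request"}

# Constructed sample mirroring slides 5-7; not the talk's own chall1.py
SAMPLE = """\
import requests

def request1():
    r = requests.get('https://securepayments.com/get-cc-data', verify=False)
    return r

def request2():
    r = requests.get('https://securepayments.com/get-cc-data', verify = False)
    return r

def request3():
    VERY_TRUE = False
    r = requests.get('https://securepayments.com/get-cc-data', verify=VERY_TRUE)
    return r

def request4():
    r = requests.get('https://securepayments.com/get-cc-data', verify=True)
    return r
"""


def grep_verify_false(source):
    """The slides' regex approach: line numbers that textually contain
    verify=False (spaces allowed). It cannot see through a named constant."""
    return [n for n, line in enumerate(source.splitlines(), 1)
            if re.search(r"verify\s*=\s*False", line)]


_UNKNOWN = object()


class DisabledVerifyFinder(ast.NodeVisitor):
    """Walks the AST and records `NAME = <literal>` assignments so that
    verify=NAME can be resolved: a toy version of constant propagation."""

    def __init__(self):
        self.findings = []   # (line number, requests function name)
        self.consts = {}     # name -> literal value visible in the current scope

    def visit_FunctionDef(self, node):
        outer = self.consts
        self.consts = dict(outer)   # inherit module-level constants, keep locals local
        self.generic_visit(node)
        self.consts = outer

    def visit_Assign(self, node):
        target = node.targets[0] if len(node.targets) == 1 else None
        if isinstance(target, ast.Name) and isinstance(node.value, ast.Constant):
            self.consts[target.id] = node.value.value
        self.generic_visit(node)

    def _resolve(self, expr):
        if isinstance(expr, ast.Constant):
            return expr.value
        if isinstance(expr, ast.Name):
            return self.consts.get(expr.id, _UNKNOWN)
        return _UNKNOWN   # anything more complex is left unresolved

    def visit_Call(self, node):
        func = node.func
        if (isinstance(func, ast.Attribute) and isinstance(func.value, ast.Name)
                and func.value.id == "requests" and func.attr in REQUESTS_FUNCS):
            for kw in node.keywords:
                if kw.arg == "verify" and self._resolve(kw.value) is False:
                    self.findings.append((node.lineno, func.attr))
        self.generic_visit(node)


def find_disabled_verify(source):
    """Parser-based check: (line, function) for every requests call whose
    verify argument resolves to False."""
    finder = DisabledVerifyFinder()
    finder.visit(ast.parse(source))
    return finder.findings


if __name__ == "__main__":
    print("grep-style:", grep_verify_false(SAMPLE))     # [4, 8]
    print("AST-style: ", find_disabled_verify(SAMPLE))  # [(4, 'get'), (8, 'get'), (13, 'get')]
```

The regex finds request1 and request2 only; the AST walk also flags request3 because it resolves VERY_TRUE to False before comparing, and it ignores request4 because verify=True is the safe value. Real tools go much further (cross-file resolution, taint tracking), but the difference in kind is already visible here: matching on structure, not on characters.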

Slide 8

https://xkcd.com/1171/ - Perl Problems

Slide 10

Semgrep to the rescue

Slide 11

SAST
• Static Application Security Testing (or static analysis)
• Find vulnerabilities by reviewing source code
• Checkmarx, Fortify, SonarQube, Coverity, Bandit, ...

Slide 12

What's Semgrep?
"Code Analysis at Ludicrous Speed. Find bugs, run security scans in CI, and enforce security standards across your organization."
semgrep.dev
github.com/returntocorp/semgrep

Slide 13

rules:
  - id: disabled-cert-validation
    message: >-
      Certificate verification has been explicitly disabled. This permits
      insecure connections to insecure servers. Re-enable certification validation.
    metadata:
      cwe: ["CWE-295: Improper Certificate Validation"]
      owasp:
        - A03:2017 - Sensitive Data Exposure
        - A07:2021 - Identification and Authentication Failures
      references:
        - https://stackoverflow.com/questions/41740361/is-it-safe-to-disable-ssl-certificate-verification-in-pythons-requests-lib
      category: security
      technology: [requests]
      subcategory: [audit]
      likelihood: LOW
      impact: LOW
      confidence: LOW
      license: Commons Clause License Condition v1.0[LGPL-2.1-only]
    languages:
      - python
    severity: ERROR
    pattern-either:
      - pattern: requests.put(..., verify=False, ...)
      - pattern: requests.patch(..., verify=False, ...)
      - pattern: requests.delete(..., verify=False, ...)
      - pattern: requests.head(..., verify=False, ...)
      - pattern: requests.options(..., verify=False, ...)
      - pattern: requests.request(..., verify=False, ...)
      - pattern: requests.get(..., verify=False, ...)
      - pattern: requests.post(..., verify=False, ...)
    fix-regex:
      regex: verify(\s)*=(\s)*False
      replacement: verify=True

Slide 14

Semgrep Registry
• 1k+ rules by r2c/community
• 20+ languages
• $ semgrep --config=auto
• github.com/returntocorp/semgrep-rules

Slide 15

CI/CD
• Example: https://github.com/DDuarte/springshell-rce-poc/pulls
• https://semgrep.dev/orgs/dduarte/findings?repo=DDuarte/springshell-rce-poc

Slide 16

CVE-2022-22965, a.k.a. "Spring4Shell": 0-day RCE on Spring, April 2022

Slide 17

Magic Beans

Slide 18

Exploitability
1. JDK 9 or above
2. Standalone Tomcat (no Embedded Tomcat) with WAR deployment
3. Any Spring version before 5.3.18 / 5.2.20 (Spring Boot before 2.5.12 / 2.6.6)
4. No blocklist on WebDataBinder / InitBinder
5. Writeable file system (e.g. webapps/ROOT)
6. Parameter bind with POJOs directly (no @RequestBody, @RequestQuery, etc.)
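Conditions 1 to 3 above are inventory facts (JDK major version, packaging, framework version), which makes them the natural first filter when deciding which deployments need the patch first. The following is an added example, not code from the talk, that encodes those three conditions as a triage helper using the version thresholds stated on the slide; conditions 4 to 6 depend on the application code and are deliberately not modelled. The inputs in the test and the "war"/"jar" packaging labels are constructed assumptions for illustration.

```python
# Added example (not from the slides): apply the version-related exploitability
# conditions (1-3) from the slide to an inventory entry. Conditions 4-6 concern
# the application code and are not checked here.
import re

# First fixed release per maintenance branch, as stated on the slide
SPRING_FIXED = {(5, 2): (5, 2, 20), (5, 3): (5, 3, 18)}
SPRING_BOOT_FIXED = {(2, 5): (2, 5, 12), (2, 6): (2, 6, 6)}


def parse_version(text):
    """'5.3.17.RELEASE' -> (5, 3, 17); '1.8.0_292' -> (1, 8, 0); '11' -> (11, 0, 0)."""
    nums = [int(x) for x in re.findall(r"\d+", text)[:3]]
    return tuple(nums + [0] * (3 - len(nums)))


def version_vulnerable(version, fixed):
    """True when the version is older than the fix for its branch. Branches older
    than every fixed line (e.g. 5.1.x) never received a fix and count as
    vulnerable; branches newer than every fixed line shipped after the fix."""
    v = parse_version(version)
    branch = v[:2]
    if branch in fixed:
        return v < fixed[branch]
    return v < min(fixed.values())


def jdk_at_least_9(java_version):
    """Condition 1: JDK 9+. Accepts the legacy '1.8.0_x' and modern '17.0.2' forms."""
    parts = parse_version(java_version)
    major = parts[1] if parts[0] == 1 else parts[0]
    return major >= 9


def triage(java_version, spring_version, packaging, spring_boot_version=None):
    """Return (exposed, reasons_not_exposed) for conditions 1-3.

    packaging: 'war' for a WAR on standalone Tomcat, 'jar' for an executable
    jar with embedded Tomcat (labels are an assumption of this example)."""
    reasons = []
    if not jdk_at_least_9(java_version):
        reasons.append("JDK below 9")
    if packaging != "war":
        reasons.append("not a WAR on standalone Tomcat")
    if not version_vulnerable(spring_version, SPRING_FIXED):
        reasons.append("Spring Framework at or above 5.3.18 / 5.2.20")
    if spring_boot_version and not version_vulnerable(spring_boot_version, SPRING_BOOT_FIXED):
        reasons.append("Spring Boot at or above 2.5.12 / 2.6.6")
    return (not reasons, reasons)


if __name__ == "__main__":
    # Constructed inventory entries, not real systems
    inventory = [
        ("payments-api", "17.0.2", "5.3.17.RELEASE", "war", None),
        ("reports", "1.8.0_292", "5.3.17.RELEASE", "war", "2.6.5"),
        ("gateway", "17", "5.3.18", "jar", "2.6.6"),
    ]
    for name, jdk, spring, pkg, boot in inventory:
        exposed, why = triage(jdk, spring, pkg, boot)
        print(f"{name}: {'EXPOSED' if exposed else 'not exposed'} {why}")
```

A deployment that passes all three inventory conditions still needs a code-level look for conditions 4 to 6, which is exactly the kind of check the talk's Semgrep CI example on the springshell-rce-poc repository is there for.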

Slide 19

https://github.com/DDuarte/springshell-rce-poc

Slide 21

Get some $$
https://github.com/Decurity/semgrep-smart-contracts

Slide 22

THANK YOU (2023/04/18)
Duarte Duarte, @dduarte (Slack)