# Lab 3 - Static Application Security Testing (SAST) II
Team #0:
## Task 1 - Theory
1. Source code scanners scan source code as plain text (un-compiled code), while binary scanners scan binary files (compiled code).
2. An Abstract Syntax Tree (AST) is a structure used by compilers to translate source code into an intermediate language (or directly into binary files), since it is a convenient way to represent structured text as a collection of simple tokens (blocks, expressions, statements, etc.). ASTs are also very effective for finding structural patterns that match vulnerable code.
3. SAST tools scan code to identify vulnerabilities, and secret detection tools scan code to find secrets. Since publishing secrets is a security threat and secret detection tools are static (they do not run the code), we can consider them SAST tools.
## Task 2 - Gitlab SAST with Semgrep.
1. > Deploy a complete Gitlab environment with Gitlab server and Gitlab runner(s). Check back on Lab 1 DevSecOps.
- 
3. > Import your project into Gitlab and add and register a runner to it.
- 
5. > Integrate Semgrep with Gitlab SAST in your pipeline and scan your project (to the Semgrep default rules, add OWASP top 10 rules).
- ```yaml
  semgrep:
    needs: []
    stage: test
    image: returntocorp/semgrep
    script: semgrep ci --gitlab-sast > gl-sast-report.json
    rules:
      - if: $CI_PIPELINE_SOURCE == "web"
      - if: $CI_PIPELINE_SOURCE == "merge_request_event"
      - if: $CI_PIPELINE_SOURCE == "push"
    variables:
      SEMGREP_RULES: >- # more at semgrep.dev/r
        p/default
        p/security-audit
        p/secrets
      SEMGREP_GITLAB_JSON: "1"
    artifacts:
      when: always
      reports:
        sast: gl-sast-report.json
  ```

7. > Download the jobs artifacts, analyze your results and share your understandings.
- The project contains multiple vulnerabilities found by Semgrep.
> Give your understandings of:
- > Static Analyzers
- > Static Analyzers features
- > Post Analyzers
## Task 3 - Analysis with Semgrep
### Case 1
#### Where is the vulnerability in the code?
The vulnerability can be found in the two `r.set_cookie` calls of `case1.py`: `resp = r.set_cookie("username","DrewDennison")` at line 9 and the second call at lines 15-17 (the locations reported in the artifact below).
#### What is the vulnerability?
Insecure handling of the `set_cookie` function: the `secure`, `httponly`, and `samesite` arguments are not set properly. CWE-614: Sensitive Cookie in HTTPS Session Without 'Secure' Attribute.
#### How does it affect the code?
Improper protection of cookies increases the risk of their being stolen by an attacker, which makes the application vulnerable to unauthorized access.
#### Semgrep rule
```yaml
rules:
  - id: secure-cookie
    patterns:
      - pattern-not: r.set_cookie(..., secure=True, httponly=True, samesite='Lax', ...)
      - pattern-not: r.set_cookie(..., secure=True, httponly=True, samesite='Strict', ...)
      - pattern: r.set_cookie(...)
    message: >-
      Found flask set_cookie with insecure configuration. Secure, httponly,
      and samesite arguments didnt set correctly. Mitigate by setting
      secure=True, httponly=True, and samesite='Lax' or samesite='Strict'.
    metadata:
      cwe: CWE 614
      category: security
      owasp: A5:2021 misconfiguration
      technology:
        - flask
    languages:
      - python
    severity: WARNING
```
### Case 2
#### Where is the vulnerability in the code?
The vulnerability can be found in `decode = tokenizer.decode(token, "password", verify=False)` and in `decode = jwt.decode(token, "password")`.
#### What is the vulnerability?
Usage of a hardcoded plaintext secret. CWE-522: Insufficiently Protected Credentials.
#### How does it affect the code?
Anyone who has access to the source code also has the secret and can decode the JWT tokens.
#### Semgrep rule
```yaml
rules:
  - id: hardcoded-secret
    patterns:
      - pattern: jwt.decode(..., $SECRET, ...)
      - pattern: |
          "..."
    message: Hardcoded secret is used.
    metadata:
      owasp:
        - A7:2021 authentication
        - A4:2021 insecure-design
      category: security
      technology:
        - jwt
      cwe: CWE 522
    languages:
      - python
    severity: WARNING
```
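As an added example (not code from the lab or from Semgrep), here are the two custom rules above re-implemented as a small checker on Python's `ast` module; it illustrates the AST-based pattern matching described in Task 1 and includes a minimal form of the constant propagation Semgrep does. The sample source and the `secret_from_vault` helper it mentions are constructed for the demonstration, and the checker only recognises the literal `jwt.decode` receiver, not import aliases.

```python
import ast

# Constructed sample input (not the lab's case1.py / case2.py): lines 3 and 6 are expected findings.
SAMPLE = '''import jwt
def login(resp, tok):
    resp.set_cookie("username", "alice")                                       # insecure flags
    resp.set_cookie("sid", "abc", secure=True, httponly=True, samesite="Lax")  # fine
    key = "password"
    jwt.decode(tok, key, algorithms=["HS256"])                                 # literal via a constant
    jwt.decode(tok, secret_from_vault(), algorithms=["HS256"])                 # fine
'''

def _string_consts(tree):
    """Names bound exactly once, to a string literal (a tiny stand-in for Semgrep's constant propagation)."""
    consts, bad = {}, set()
    for n in ast.walk(tree):
        if isinstance(n, ast.Assign) and len(n.targets) == 1 and isinstance(n.targets[0], ast.Name):
            name = n.targets[0].id
            literal = isinstance(n.value, ast.Constant) and isinstance(n.value.value, str)
            if literal and name not in bad and name not in consts:
                consts[name] = n.value.value
            else:  # reassigned or bound to a non-literal: no longer a known constant
                bad.add(name)
                consts.pop(name, None)
    return consts

def _is_str(node, consts):
    return (isinstance(node, ast.Constant) and isinstance(node.value, str)) or (isinstance(node, ast.Name) and node.id in consts)

def _is_true(node):
    return isinstance(node, ast.Constant) and node.value is True

def check_source(src):
    """Return sorted (rule_id, line) findings mirroring the secure-cookie and hardcoded-secret rules."""
    tree = ast.parse(src)
    consts = _string_consts(tree)
    findings = []
    for n in ast.walk(tree):
        if not (isinstance(n, ast.Call) and isinstance(n.func, ast.Attribute)):
            continue
        if n.func.attr == "set_cookie":  # secure-cookie: secure/httponly True and samesite Lax|Strict
            kw = {k.arg: k.value for k in n.keywords if k.arg}
            samesite = kw.get("samesite")
            if not (_is_true(kw.get("secure")) and _is_true(kw.get("httponly"))
                    and isinstance(samesite, ast.Constant) and samesite.value in ("Lax", "Strict")):
                findings.append(("secure-cookie", n.lineno))
        elif (n.func.attr == "decode" and isinstance(n.func.value, ast.Name) and n.func.value.id == "jwt"
              and any(_is_str(a, consts) for a in n.args)):  # hardcoded-secret: literal positional arg
            findings.append(("hardcoded-secret", n.lineno))
    return sorted(findings, key=lambda f: f[1])
```

Running `check_source(SAMPLE)` reports the cookie call on line 3 and the `jwt.decode` call on line 6, while the properly flagged cookie and the secret fetched at runtime pass.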
#### Project:

#### CI job:
##### `.gitlab-ci.yml`:
```yaml
stages:
  - test

semgrep:
  needs: []
  stage: test
  image: returntocorp/semgrep
  script: semgrep ci --gitlab-sast > gl-sast-report.json
  rules:
    - if: $CI_PIPELINE_SOURCE == "web"
    - if: $CI_PIPELINE_SOURCE == "merge_request_event"
    - if: $CI_PIPELINE_SOURCE == "push"
  variables:
    SEMGREP_RULES: >- # more at semgrep.dev/r
      hardcoded-secret.yaml
      secure-cookie.yaml
    SEMGREP_GITLAB_JSON: "1"
  artifacts:
    when: always
    reports:
      sast: gl-sast-report.json
```
##### Status:

##### Artifacts:
`gl-sast-report.json`:
```json
{
  "$schema": "https://gitlab.com/gitlab-org/security-products/security-report-schemas/-/blob/master/dist/sast-report-format.json",
  "version": "14.1.2",
  "vulnerabilities": [
    {
      "category": "sast",
      "confidence": "High",
      "cve": "case2.py:5c3170e37c0afc5e2f28630ac1a384a3a4dbe18cce186b98e265a5e8d6abfddd:hardcoded-secret",
      "id": "d4ff2b0d-0cf2-fc1b-7cf9-a3569e80f981",
      "identifiers": [
        {
          "name": "Semgrep - hardcoded-secret",
          "type": "semgrep_type",
          "url": "https://semgrep.dev/r/hardcoded-secret",
          "value": "hardcoded-secret"
        }
      ],
      "location": {
        "end_line": 6,
        "file": "case2.py",
        "start_line": 6
      },
      "message": "Hardcoded secret is used.",
      "scanner": {
        "id": "semgrep",
        "name": "Semgrep",
        "vendor": {
          "name": "Semgrep"
        }
      },
      "severity": "Medium"
    },
    {
      "category": "sast",
      "confidence": "High",
      "cve": "case2.py:5c3170e37c0afc5e2f28630ac1a384a3a4dbe18cce186b98e265a5e8d6abfddd:hardcoded-secret",
      "id": "78cb817a-2c17-56ca-fb6d-b0728fd542e6",
      "identifiers": [
        {
          "name": "Semgrep - hardcoded-secret",
          "type": "semgrep_type",
          "url": "https://semgrep.dev/r/hardcoded-secret",
          "value": "hardcoded-secret"
        }
      ],
      "location": {
        "end_line": 11,
        "file": "case2.py",
        "start_line": 11
      },
      "message": "Hardcoded secret is used.",
      "scanner": {
        "id": "semgrep",
        "name": "Semgrep",
        "vendor": {
          "name": "Semgrep"
        }
      },
      "severity": "Medium"
    },
    {
      "category": "sast",
      "confidence": "High",
      "cve": "case1.py:c701c69b0e87028f3598f3338e6a131ee1eda0d17ef44635b9de910c9bc59dba:secure-cookie",
      "id": "e852b08b-3f58-f498-5e57-bb76eec1e46a",
      "identifiers": [
        {
          "name": "Semgrep - secure-cookie",
          "type": "semgrep_type",
          "url": "https://semgrep.dev/r/secure-cookie",
          "value": "secure-cookie"
        }
      ],
      "location": {
        "end_line": 9,
        "file": "case1.py",
        "start_line": 9
      },
      "message": "Found flask set_cookie with insecure configuration. Secure, httponly, and samesite arguments didnt set correctly. Mitigate by setting secure=True, httponly=True, and samesite='Lax' or samesite='Strict'.",
      "scanner": {
        "id": "semgrep",
        "name": "Semgrep",
        "vendor": {
          "name": "Semgrep"
        }
      },
      "severity": "Medium"
    },
    {
      "category": "sast",
      "confidence": "High",
      "cve": "case1.py:c701c69b0e87028f3598f3338e6a131ee1eda0d17ef44635b9de910c9bc59dba:secure-cookie",
      "id": "759b29b5-f442-c775-334a-fb07018e33eb",
      "identifiers": [
        {
          "name": "Semgrep - secure-cookie",
          "type": "semgrep_type",
          "url": "https://semgrep.dev/r/secure-cookie",
          "value": "secure-cookie"
        }
      ],
      "location": {
        "end_line": 17,
        "file": "case1.py",
        "start_line": 15
      },
      "message": "Found flask set_cookie with insecure configuration. Secure, httponly, and samesite arguments didnt set correctly. Mitigate by setting secure=True, httponly=True, and samesite='Lax' or samesite='Strict'.",
      "scanner": {
        "id": "semgrep",
        "name": "Semgrep",
        "vendor": {
          "name": "Semgrep"
        }
      },
      "severity": "Medium"
    }
  ]
}
```
As we can see, the artifact provides very detailed information about the vulnerabilities found. By parsing it we can understand which rule was violated and where exactly the vulnerability is in the code.
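As an added example (not part of the lab report), the parsing described above, carried one step further into a severity gate a pipeline could apply. The embedded report is a constructed excerpt shaped like the artifact above, with the same rules, files and line numbers but without the fingerprint and id fields.

```python
import json
from collections import Counter

# Constructed excerpt of a gl-sast-report.json in the shape of the artifact above
# (same rules, files and lines; the per-finding ids/fingerprints are left out).
REPORT = json.dumps({"version": "14.1.2", "vulnerabilities": [
    {"category": "sast", "severity": "Medium", "message": "Hardcoded secret is used.",
     "identifiers": [{"type": "semgrep_type", "value": "hardcoded-secret"}],
     "location": {"file": "case2.py", "start_line": 6, "end_line": 6}},
    {"category": "sast", "severity": "Medium", "message": "Hardcoded secret is used.",
     "identifiers": [{"type": "semgrep_type", "value": "hardcoded-secret"}],
     "location": {"file": "case2.py", "start_line": 11, "end_line": 11}},
    {"category": "sast", "severity": "Medium", "message": "Found flask set_cookie with insecure configuration.",
     "identifiers": [{"type": "semgrep_type", "value": "secure-cookie"}],
     "location": {"file": "case1.py", "start_line": 9, "end_line": 9}},
    {"category": "sast", "severity": "Medium", "message": "Found flask set_cookie with insecure configuration.",
     "identifiers": [{"type": "semgrep_type", "value": "secure-cookie"}],
     "location": {"file": "case1.py", "start_line": 15, "end_line": 17}},
]})

# Severity names used by the GitLab security report schema, lowest to highest.
SEVERITY_RANK = {"Info": 0, "Unknown": 1, "Low": 2, "Medium": 3, "High": 4, "Critical": 5}

def parse_report(text):
    """Flatten the report into (rule, file, start, end, severity) tuples sorted by file and line."""
    rows = []
    for v in json.loads(text).get("vulnerabilities", []):
        ids = v.get("identifiers", [])
        rule = next((i["value"] for i in ids if i.get("type") == "semgrep_type"), "unknown")
        loc = v.get("location", {})
        start = loc.get("start_line", 0)
        rows.append((rule, loc.get("file", "?"), start, loc.get("end_line", start), v.get("severity", "Unknown")))
    return sorted(rows, key=lambda r: (r[1], r[2]))

def count_by_rule(rows):
    """How many findings each rule produced, e.g. {'secure-cookie': 2, 'hardcoded-secret': 2}."""
    return dict(Counter(r[0] for r in rows))

def gate(rows, fail_at="High"):
    """Return (passed, offenders): block the pipeline when any finding reaches fail_at severity."""
    limit = SEVERITY_RANK[fail_at]
    offenders = [r for r in rows if SEVERITY_RANK.get(r[4], 1) >= limit]
    return not offenders, offenders

if __name__ == "__main__":
    rows = parse_report(REPORT)
    for row in rows:
        print("%-17s %s:%d-%d (%s)" % row)
    print(count_by_rule(rows), "pipeline passes:", gate(rows, "High")[0])
```

With the four Medium findings the gate passes at `fail_at="High"` and fails at `fail_at="Medium"`, which is the knob a team turns once it has triaged the rules it trusts.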
### Semgrep vs Grep
Semgrep is an easy-to-use static analysis tool. Unlike `grep`, where you need to write hard-to-understand regular expressions, Semgrep offers a simpler way of creating rules through YAML files.
Another point is that Semgrep is smart: for example, the pattern `func("secret")` will also match `pass = "secret"; func(pass)`.