Source Code Review for ASP .NET MVC

By

 Hi guys. Been a while since I last share something. So, for today I would like to share some knowledge regarding source code review. 

*I'm still beginner in doing source code review.

Recently I've been tasked with doing source code review for some organization and the language used for the application is ASP .NET MVC 5.0. As you all know that this language is now EOL. The last update is on 28 November 2018. This is my first time encountering this language.

Before that, below is the list of tools commonly used when doing source code review that is completely free:-

1) Visual Code Grepper (VCG) - https://github.com/nccgroup/VCG

2) Sublime Text - https://www.sublimetext.com/

3) Notepad++ - https://notepad-plus-plus.org/downloads/


Surprisingly, when running tools such as VCG, I did not found any sql query in the file. I did some research on how the language handle sql query. Also my colleague point out that the sql query is normally handle by .dll file for the language. It was a new knowledge that I gains when doing source code review for this language. 

*Big thanks to my collegue Dollah for pointing it out

After doing some research regarding .dll file, I stumbled upon tools which can read/decompile it. It is called JetBrains which is also an open source tools. Below attached the link for the tools.

https://www.jetbrains.com/decompiler/

After opening the .dll file with this tools, it would look like below image. 


As you can see, we can now see the sql query and start our review. Things to do when doing source code review:-

1) Look for dangerous function

2) Look on how the application handle sql query (whether it is properly sanitized or not)

3) Search for upload/download function if the application have one

4) Look on how the application handle user input

5) Search for hardcoded password/credentials

I also would like to share on some of the upload function found during the review.


As you can see on line 71, the application check for the extension of file. This can still be bypass since it did not use/implement MIME type checking. 

As for line 76, the application prevent any file to upload which has bigger size than 1024. There is smaller one liner code which can be used for webshell. For further reference, can check below link.

https://webshell.co/

That is all for this sharing. Hope you learned something from this post. 

Cheers.









Comments

Post a Comment

Popular posts from this blog

Petraware pTransformer ADC before 2.1.7.22827 allows SQL Injection via the User ID parameter to the login form.

By
Image
Hi All, Today I will share POC on vulnerability found during pentest. As per the title, I recently found SQL Injection vulnerability on a thick client.  To read more about thick client, click here :  https://techterms.com/definition/thickclient Thick clients, also called heavy clients, are full-featured computers that are connected to a network.  While a thick client is fully functional without a network connection, it is only a "client" when it is connected to a server. The server may provide the thick client with programs and files that are not stored on the local machine's hard drive.   Exploit Title:   Petraware pTransformer ADC before 2.1.7.22827 allows SQL Injection via the User ID parameter to the login form. Details & Description :   SQL injection is a vulnerability that allows an attacker to alter backend SQL statements by manipulating the user input. An SQL injection occurs when web applications accept user input that is directly placed into a SQL
Read more

Setting up MobSF in Ubuntu 18.04

By
Image
Hi guys, It's been a while since I last updated the blog. Been busy. So, for today I will be giving guide on how to setup MobSF in Ubuntu 18.04 . There is a lot of guide out there about how to setup MobSF. I'm here to give out step by step guide to set it up as per my own experience. The main reason of using Ubuntu 18.04 is because it has a built-in Python 3.6 and pip3 version 9.0.1 which is the requirements to setup MobSF. It's pretty much simplify the process of setting up MobSF. *Note that this is a guide to setup MobSF for static analysis. For dynamic analysis, you can refer to MobSF page in github. MobSF also known as Mobile Security Framework is an automated, all-in-one mobile application (Android/iOS/Windows) pen-testing framework capable of performing static analysis, dynamic analysis, malware analysis and web API testing. Can further read about MobSF here:  https://github.com/MobSF/Mobile-Security-Framework-MobSF For Ubuntu 18.04 can be downloaded
Read more

Setting up RMS in Ubuntu 18.04

By
Image
Hi peeps, It's been a while since my last post. Been busy. So, for today I would like to share on how to setup RMS (Runtime Security Mobile) in Ubuntu 18.04. RMS -  https://github.com/m0bilesecurity/RMS-Runtime-Mobile-Security "Runtime Mobile Security (RMS), powered by FRIDA, is a powerful web interface that helps you to manipulate Android and iOS Apps at Runtime." "You can easily dump all the loaded classes and relative methods, hook everything on the fly, trace methods args and return value, load custom scripts and many other useful stuff." This is a continuation of my post here  https://faudhzanrahman.blogspot.com/2019/09/setting-up-mobsf-in-ubuntu-1804.html  where I did a setup on MobSF.  I'm currently trying to set a box where it contains all sort of testing tools specifically for mobile . Now I have both MobSF and RMS setup in this box which is the Ubuntu 18.04. The same reason of setting RMS in this box is because the requirements fits Ubuntu 18.04. T
Read more