SAST

This guide contains the answers, and the steps needed to reach them, for the SAST room.

Code Review

The answers to the following questions can be found in the text.

  1. Are automated code reviews a substitute for manual reviewing? (yea/nay)

Answer: Nay

  2. What type of code review will run faster? (Manual/Automated)

Answer: Automated

  3. What type of code review will be more thorough? (Manual/Automated)

Answer: Manual

Manual Code Review

  1. Local File Inclusion (LFI) attacks are made possible by the misuse of one of the following functions in PHP: require(), include(), require_once(), include_once(). Answer the following questions using grep to search for LFI vulnerabilities only in the .php files in the html/ directory of the simple-webapp project.

  2. Which of the mentioned functions is used in the project? (Include the parenthesis at the end of the function name)

After navigating to /home/ubuntu/Desktop/simple-webapp/html, we can search the .php files for any reference to these functions with grep.

grep -r -n --include \*.php 'require('
grep -r -n --include \*.php 'include('
grep -r -n --include \*.php 'require_once('
grep -r -n --include \*.php 'include_once('

[Screenshot: grep output for the four include-family functions in the .php files]

Looks like only one of the functions is present in the .php files.

Answer: include()

  3. How many instances of the function found in question 2 exist in your project's code?

This can be read from the previous image by counting the matches grep reported.

Answer: 9

  4. Only one of the function's instances is vulnerable to LFI. Remember that for LFI to be present, the attacker must be able to manipulate a part of what is sent to the vulnerable function. The vulnerable instance must contain some reference to a GET or POST parameter or other manipulable inputs. What file contains the vulnerable instance?

Again from the previous image, we can see one instance whose argument comes from a GET or POST parameter.

Answer: view.php

  5. What line in the file found on the previous question is vulnerable to LFI?

The grep command we used displays the line on which this function is used.

Answer: 22
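As an added illustration of this grep-driven review (example code, not part of the room or the simple-webapp project), the script below builds a constructed miniature html/ tree, counts the include-family calls in its .php files, and then narrows the list to calls whose argument is not a string literal, which are exactly the ones a reviewer has to trace back to request input. The file names and contents are made up for the example.

```shell
#!/bin/sh
# Added example, not code from the TryHackMe room or the simple-webapp project.
# Reproduces the manual LFI review: grep for the PHP include-family functions,
# count the hits, then single out the calls whose argument is not a literal.
set -eu

# Create a constructed miniature of an html/ directory under "$1".
# Every file name and line here is made up for this example.
make_sample_tree() {
  mkdir -p "$1/html"
  cat > "$1/html/index.php" <<'EOF'
<?php
include('header.php');   // literal path: not attacker controlled
include('footer.php');
EOF
  cat > "$1/html/view.php" <<'EOF'
<?php
include('header.php');
// request parameter flows straight into the call on the next line: LFI candidate
include($_GET['page']);
EOF
  cat > "$1/html/notes.txt" <<'EOF'
include('ignored.php')   # not a .php file, so --include skips it
EOF
}

# Print how many times "<func>(" occurs in .php files under "$1".
# Usage: count_calls <dir> <func>   e.g. count_calls ./simple-webapp include
count_calls() {
  # -F: fixed string, so the parenthesis is literal. grep exits 1 on no match,
  # so the count comes from wc instead of relying on grep's exit status.
  grep -r -n --include '*.php' -F "$2(" "$1" | wc -l | tr -d ' '
}

# Print file:line:text for include-family calls whose first argument does not
# start with a quote. A literal path cannot be influenced by a request, so
# these are the calls worth tracing back to $_GET/$_POST by hand.
find_dynamic_includes() {
  grep -r -n --include '*.php' -E '(require|include)(_once)?[[:space:]]*\(' "$1" \
    | grep -v -E "(require|include)(_once)?[[:space:]]*\([[:space:]]*['\"]" \
    || true   # an empty result is a valid answer, not an error
}

# Stand-alone demo on the constructed tree.
demo_dir=$(mktemp -d)
make_sample_tree "$demo_dir"
for f in require include require_once include_once; do
  printf '%-15s %s\n' "$f()" "$(count_calls "$demo_dir" "$f")"
done
echo "calls with a non-literal argument (review these):"
find_dynamic_includes "$demo_dir"
rm -rf "$demo_dir"
```

On the real project, point `count_calls` and `find_dynamic_includes` at the html/ directory; the second function is only a filter, so every line it prints still needs a manual check of where the variable is assigned.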

Automated Code Review

All of the answers to the questions below can be found in the text.

  1. Does SAST require a running instance of the application for analysis? (yea/nay)

Answer: Nay

  2. What kind of analysis would likely flag dead code segments?

Answer: Structural Analysis

  3. What kind of analysis would likely detect flaws in configuration files?

Answer: Configuration Analysis

  4. What kind of analysis is similar to grepping the code in search of flaws?

Answer: Semantics Analysis

Rechecking our Application with SAST Tools

  1. What type of error occurs when the tool reports on a vulnerability that isn't present in the code?

This can be found in the text.

Answer: False Positive

  2. How many errors are reported after annotating the code as instructed in this task and re-running Psalm?

First we need to add the piece of code into the db.php file, just before the db_query function.

[Screenshot: the annotation added to db.php just before the db_query function]

Now we can re-run Psalm; the number of errors found is listed at the bottom of its output.

./vendor/bin/psalm --no-cache --taint-analysis

[Screenshot: Psalm taint-analysis output with the error count at the bottom]

Answer: 9

SAST in the Development Cycle

  1. For this task's questions, we will analyse an old version of ReciPHP, a small open-source app. Before continuing, make sure to open the reciphp.code-workspace icon on your desktop. This will open a VS Code workspace where the project is already loaded for you. VS Code will take around 3 minutes to load, so be patient.

  2. How many problems in total are detected by Semgrep in this project?

After opening the VS Code workspace, we can see the total number of problems in the panel at the bottom.

[Screenshot: VS Code workspace with the Semgrep problem count in the bottom panel]

Answer: 27

  3. How many problems are detected in the showrecipe.inc.php file?

This number is reported in the left pane.

Answer: 8

  4. Open showrecipe.inc.php. There are two types of problems being reported by Semgrep in this file. One is identified as "tainted-sql-string" and refers to possible SQL injections. What other problem identifier is reported by Semgrep in this file? (Write the id reported by Semgrep)

After opening the file, we can see two types listed at the bottom (in the previous image).

Answer: echoed-request

  5. What type of vulnerability is associated with the problem identifier on the previous question?

Hovering over said error, we are told what type of vulnerability this is related to.

Answer: Cross-site scripting