When auditing software, every critical component should be audited separately and together with the entire program.
It is a good idea to search for high-risk vulnerabilities first, then work down to low-risk vulnerabilities. Vulnerabilities in between high-risk and low-risk, generally exist depending upon the situation and how the source code in question is being used. Application penetration testing tries to identify vulnerabilities in software by launching as many known attack techniques as possible on likely access points in an attempt to bring down the application. This is a common auditing method and can be used to find out if any specific vulnerabilities exist, but not where they are in the source code.
Some common high-risk vulnerabilities may exist due to the use of:
- Non-bounds-checking functions (e.g., strcpy, sprintf, vsprintf, and sscanf) that could lead to a buffer overflow vulnerability
- Pointer manipulation of buffers that may interfere with later bounds checking, e.g.: if ((bytesread = net_read(buf,len)) > 0) buf += bytesread;
- Calls like execve(), execution pipes, system() and similar things, especially when called with non-static arguments
- Input validation, e.g. (in SQL): statement := "SELECT * FROM users WHERE name = '" + userName + "';" is an example of a SQL injection vulnerability
- File inclusion functions, e.g. (in PHP): include($page . '.php'); is an example of a Remote File Inclusion vulnerability
The following is a list of low-risk vulnerabilities that should be found when auditing code, but do not produce a high risk situation.
- Client-side code vulnerabilities that do not affect the server side (e.g., cross-site scripting)
- Username enumeration
- Directory traversal (in web applications)
Request Pricing for a Code Review and Audit
Pricing varies based on the amount of code. Please contact Security Arsenal for a quote to audit your code. Security Arsenal uses a mixed technique of manual and automated methods to Review code. Then a Penetration Test is performed.