Wednesday 31 July 2013

Example example of SQL Injection using Database.SQLQuery from GitHub (and idea for Cat.NET workflow)

After posting Another example why SATS technology needs custom rules (re: Detecting SQL Injection on .NET Entity framework)  I did this search on GitHub, and found an example of that dangerous Database.SqlQuery API in use:
These one allows callers to create SQL Injection (which means that whoever is consuming those APIs need to be VERY careful)

This one look OK (on diagonal reading)
Idea for Cat.NET workflow

Now wouldn't it be great if we could automate an Cat.NET (or another SAST scanner) to do this type of analysis automatically?

For example an Bot ot TeamCity workflow that:
  1. cloned/pulled a repo
  2. compile it
  3. run on it (with default or custom rules)
  4. automatically package the issues discovered 
  5. send issues to repo owner
  6. allow rules to be customised (maybe as an XML file somewhere in the repo), for example, wrappers around Database.SQLQuery need to be marked as sinks)
  7. go back to 1
I also would like a mode to create UnitTests based on the vulns discovered (using SAST and DAST techniques), but that is a topic for another post :)
Ideally all this would be linked to Developer friendly guidance (like TeamMentor or OWASP content) in order to help the developers to easily understand the issues and write the required fixes