Framework Misconfiguration Analysis with RIPS


Framework Misconfiguration

PHP frameworks such as Symfony, Laravel and CodeIgniter come with a variety of functions and components that make it easier for developers to build their applications. However, various settings and configuration options can have far-reaching consequences for security. In addition to our unique and in-depth analysis for exploitable security vulnerabilities, RIPS is now also able to detect security weaknesses that stem from insecure configurations.

65 New Issue Types Added

In the latest release of our RIPS Code Analysis solution we added a new Preparser. The Preparser is able to detect different types of configurations and to check whether they ensure a secure state of the web application. Each framework has its own configuration files, parameters, keys and formats. In order to provide recommendations for a secure configuration of your application, our Preparser recognizes popular frameworks and libraries and checks their custom settings. Our list of identifiable and manageable frameworks is constantly being expanded, thus further recognizable misconfigurations will be added to the 65 new issue types introduced with this release.

Example 1: Config Files

To give an impression of the different types of incorrect settings the Preparser recognizes, the following examples from different frameworks are shown.

In our first example, we show database settings in the WordPress configuration. The Preparser will not report the database password property as a hardcoded password, because this input is required by design in WordPress and therefore does not represent an issue for the framework used. What is considered a security-critical configuration, however, is using the root user for the database connection.

wp-config.php

define('DB_NAME', 'very_unusual_db_name');
define('DB_USER', 'root');
define('DB_PASSWORD', 'ultra_secure_password');

One of the most common issues in web applications is Cross-Site Request Forgery (CSRF), which allows attackers to hijack the browsers of victims to perform actions in their name. On the one hand, finding CSRF vulnerabilities is a complex task in static code analysis. On the other hand, many frameworks integrate a CSRF countermeasure by default, which increases application security. Nevertheless, in the case of CodeIgniter, the CSRF protection is deactivated by default and is therefore not used unless the developer enables it. By approaching the CSRF detection problem from the configuration side, RIPS can indicate the absence of a CSRF countermeasure.

application/config/config.php

$config['csrf_protection'] = FALSE;
$config['csrf_token_name'] = 'csrf_test_name';
$config['csrf_cookie_name'] = 'csrf_cookie_name';
$config['csrf_expire'] = 7200;
$config['csrf_regenerate'] = TRUE;
$config['csrf_exclude_uris'] = array();

Besides configuration files in PHP format, the Preparser can analyze many other formats, such as the YAML format used by Symfony. Here, the weak encoding algorithm chosen for user passwords is flagged.

config/packages/security.yaml

security:
    encoders:
        Symfony\Component\Security\Core\User\User:
            algorithm: plaintext

Example 2: Controllers

An additional advantage besides the parsing of configuration files is the analysis of settings inside certain controllers of a framework. In the Symfony form class shown below, some default options are set. Unlike CodeIgniter, Symfony enables CSRF protection by default. In this case, the CSRF protection is disabled for this form. This setting may be intended by the developer or may be a remnant from the development phase. As mentioned before, the Preparser recommends a secure setting. If the setting is intended, the issue can be excluded from subsequent scans via the RIPS user interface.

src/Form/TaskType.php

class TaskType extends AbstractType
{
    public function configureOptions(OptionsResolver $resolver)
    {
        $resolver->setDefaults(array(
            'data_class'      => Task::class,
            'csrf_protection' => false,
        ));
    }
}

Example 3: php.ini

Another great benefit of the new RIPS Preparser is the analysis of the php.ini file. This ini file determines global settings for all PHP scripts on the server. If the PHP configuration file is added to the application folder, it is recognized and analyzed by RIPS. The settings of the file can be overridden later in a script, but a correctly configured file is the basis for every PHP web application.

php.ini

register_globals = 0
display_errors = 1
;upload_max_filesize = 2M

In this example, the enabled display_errors directive and the absence of the upload_max_filesize directive each raise an issue. In the first case, error messages may leak internal information; in the second, the missing upload size limit leaves the server without an explicit bound on the size of uploaded files.
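To make the kind of check described in Examples 1 and 3 concrete, here is a small configuration linter written for this article (it is not RIPS or Preparser code). It runs over constructed copies of the wp-config.php, CodeIgniter and php.ini snippets shown above; the regular expressions, function names and issue messages are my own assumptions, not the Preparser's rules.

```python
import re

# Constructed samples that mirror the snippets discussed on this page.
WP_CONFIG = """<?php
define('DB_NAME', 'very_unusual_db_name');
define('DB_USER', 'root');
define('DB_PASSWORD', 'ultra_secure_password');
"""
CI_CONFIG = """<?php
$config['csrf_protection'] = FALSE;
$config['csrf_token_name'] = 'csrf_test_name';
$config['csrf_expire'] = 7200;
"""
PHP_INI = """register_globals = 0
display_errors = 1
;upload_max_filesize = 2M
"""

DEFINE_RE = re.compile(r"define\(\s*'(\w+)'\s*,\s*'([^']*)'\s*\)")
CI_RE = re.compile(r"\$config\['(\w+)'\]\s*=\s*([^;]+);")
# Lines starting with ';' are ini comments and never match this pattern.
INI_RE = re.compile(r"^\s*([A-Za-z_.]+)\s*=\s*(.*?)\s*$", re.M)


def check_wp_config(src):
    """Flag a WordPress database connection that runs as root.
    The hardcoded password is intentionally NOT reported (by design)."""
    defines = dict(DEFINE_RE.findall(src))
    issues = []
    if defines.get('DB_USER') == 'root':
        issues.append('DB_USER: database connection uses the root account')
    return issues


def check_codeigniter(src):
    """Flag CodeIgniter's default state of csrf_protection = FALSE."""
    settings = {k: v.strip().upper() for k, v in CI_RE.findall(src)}
    issues = []
    if settings.get('csrf_protection') == 'FALSE':
        issues.append('csrf_protection: CSRF protection is disabled')
    return issues


def check_php_ini(src):
    """Flag display_errors being on and a missing upload_max_filesize."""
    settings = {k.lower(): v.lower() for k, v in INI_RE.findall(src)}
    issues = []
    if settings.get('display_errors', '0') in ('1', 'on', 'true', 'stdout'):
        issues.append('display_errors: error output may leak internals')
    if 'upload_max_filesize' not in settings:
        issues.append('upload_max_filesize: no explicit upload size limit')
    return issues
```

A real analyzer would parse the PHP rather than pattern-match it, so that settings computed at runtime (for example `$config['csrf_protection'] = ENVIRONMENT === 'production';`) are handled correctly.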

Using the Preparser

The Preparser is available to all RIPS SaaS and On-Premises customers and integrates seamlessly into the existing workflow. As a SaaS customer you are already using the Preparser. On-Premises customers need to perform an update to the latest version. You can now simply include your configuration files into the next RIPS scan (of course you can remove any passwords first).

Be aware that new issue types like the ones from the Preparser are not added to existing analysis profiles automatically to keep the results consistent, so if you are using an analysis profile make sure to enable the new issue types. You can also disable the analysis for misconfiguration issues in your global analysis profile.

Additional Improvements of RIPS

Here are some of the highlights among many bug fixes and improvements that you can also expect from the latest RIPS releases.

  • A brand new vulnerability type, Phar Deserialization
  • A new batch action system in the UI for mass-reviews, clean-up and more
  • A new and improved API filter system for complex conditions
  • A clone action for analysis profiles that lets you create copies of analysis profiles through the UI and the API
  • A significantly improved callback support of the API for more notifications
  • An updated CLI tool that is ready to assist you with the Preparser
  • Improved support of CakePHP, Phalcon, and Yii based applications


Tags: nils werner, php, security, misconfiguration, framework

Author: Nils Werner

Software Engineer

Nils' philosophy is not to break existing applications, but to build and lay the foundation for secure web applications. Building on the knowledge gained in his master's degree in IT Security at the Ruhr-University Bochum, he focuses on the secure configuration and integration of frameworks and other libraries.
