Code-sharing leads to widespread bug sharing that black-hats can track

Researchers find vulns in popular tutorials that have spread far and wide

Developers' enthusiasm for sharing code saves their colleagues' time, but also means they share security bugs they haven't noticed. And that means a smart attacker could follow who's shared what with whom to trawl the Web for vulnerabilities.

That sobering idea comes from a group of German researchers with help from Trend Micro. Their straightforward reasoning: if they were able to find recurrent Web application vulnerabilities in reused code snippets, it won't be difficult for black hats to do the same.

The researchers looked at more than 64,000 Web applications and conclude that “adversary with access to a standard PC and a DSL broadband connection can leverage our techniques to efficiently discover recurring vulnerabilities in web application code”.

Among a group of 30 popular tutorials, the researchers said, nine contained vulnerable code: six had SQL injection errors, and there were three tutorials with XSS errors.

Here's a treat, for example: both SQL injection at line 6, and and XSS in lines 11 and 12, in one snippet:

1       <?php
2       include "db.php";
4       $title=$_POST["title"];
5       $result=mysql_query("SELECT * FROM wp_posts where;
6               post_title like ’%$title%’ and post_status=’publish’");
7       $found=mysql_num_rows($result);
9       if($found>0){
10              while($row=mysql_fetch_array($result)){
11              echo "<li>$row[post_title]</br>
12                   <a href=$row[guid]>$row[guid]</a></li>";

13              }
14      }else{
15              echo "<li>No Tutorial Found</li>
16 } 
17 // ajax search 
18 ?>

The question is, how to gather data automatically?

The researchers created a GitHub crawler, GithubSpider, and an analytical tool CADetector.

Of the projects the researchers examined, more than 6,300 counted as popular with ten stars; 16,000-plus with four to nine stars; and 42,000 unpopular projects (three stars or less).

The 117 code snippets the researches found might not sound like many, but these are likely repeated all over the Internet – meaning that black-hats would also be able to use the buggy code to bootstrap a widespread trawl of Web applications for vulnerabilities they inherited from tutorials.

“Our study finds disconcerting evidence of insufficiently reviewed tutorials compromising the security of open-source projects. Moreover, our findings testify to the feasibility of large-scale vulnerability discovery using poorly written tutorials as a starting point”, they write.

The paper's authors are Tommi Unruh, Bhargava Shastry and Jean-Pierre Seifert of the Technical University, Berlin; Malte Skoruppa of Saarland University; Trend Micro's Federico Maggi, and Konrad Rieck and Fabian Yamaguchi of the Technical University of Braunschweig. ®

Biting the hand that feeds IT © 1998–2019