1 of 20

Effectively finding vulnerabilities in web applications by debugging the source code

Grzegorz Niedziela

2 of 20

whoami

3 of 20

Agenda

  1. How to find source code?
  2. What does debugging even look like?
  3. When to do source-code review and when to debug?
  4. Finding CVE-2022-24825 SSRF step-by-step
  5. Where to start?

4 of 20

Where to find source code?

5 of 20

Where to find source code of closed-source apps?

  • Dockerhub
  • Via another vulnerability - XXE, RCE, path traversal
  • Cloud marketplaces - AWS, GCP, Azure
  • Contacting sales
  • Freelancing websites

How to do Code Review - The Offensive Security Way, Shubham Shah, https://www.youtube.com/watch?v=fb-t3WWHsMQ

6 of 20

Python example

7 of 20

Static code analysis vs. running the app vs. debugging

Time investment before testing
  • Static code analysis: you can start as soon as you have access to the code
  • Running the app: you need to set up the environment
  • Debugging: you need to set up the environment and the debugger

What do you need to start testing?
  • Static code analysis: the code
  • Running the app: the code + setup instructions (docker is enough)
  • Debugging: the code + setup + debugging setup

Do you need to understand what the code does?
  • Static code analysis: you need to understand exactly what the code does
  • Running the app: you don’t need to know the code
  • Debugging: you need less understanding of what the code does

How does the testing look?
  • Static code analysis: you evaluate the code in your head
  • Running the app: use Burp, like blackbox testing
  • Debugging: use Burp + see what the code does

8 of 20

When to do what?

  • Static source-code review
    • If you can’t set up the app
    • If the app is not complex
  • Running the app
    • Almost never - if I already know how to run the app, I might as well invest a bit more in a debugging setup
  • Debugging - if I want to go deep into a complex application

9 of 20

Setup - Kibana example

Installation:

Starting

launch.json

10 of 20

11 of 20

12 of 20

Setup - smokescreen example

13 of 20

Setup - smokescreen example

14 of 20

Setup - smokescreen example
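The Kibana and smokescreen debugger setups (including the launch.json mentioned on the Kibana slide) were shown as screenshots that did not survive extraction. As an added illustration that is not taken from the slides, here is a VS Code launch.json covering both: attaching to Kibana's Node.js server (assumes it was started with the inspector enabled, e.g. node --inspect, listening on the default port 9229) and attaching to smokescreen under Delve (assumes dlv was started headless from the module root with dlv debug --headless --listen=127.0.0.1:2345 --api-version=2). The configuration names, ports, program path and the --config-file argument are assumptions, not values from the deck.

```json
{
  // VS Code launch.json (added example; VS Code accepts // comments in this file)
  "version": "0.2.0",
  "configurations": [
    {
      // Kibana: attach to the Node.js server started with `node --inspect`.
      // 9229 is the Node inspector default; change it if you picked another port.
      "name": "Attach to Kibana (Node)",
      "type": "node",
      "request": "attach",
      "port": 9229,
      "restart": true,
      "skipFiles": ["<node_internals>/**"]
    },
    {
      // smokescreen: attach to a headless Delve session started with
      // `dlv debug --headless --listen=127.0.0.1:2345 --api-version=2`
      // from the module root (assumed port; any free port works).
      "name": "Attach to smokescreen (Delve)",
      "type": "go",
      "request": "attach",
      "mode": "remote",
      "host": "127.0.0.1",
      "port": 2345
    },
    {
      // Alternative for smokescreen: let VS Code build and launch it under Delve.
      // Assumes the main package sits at the module root and that the config
      // file is passed via --config-file (both assumed here).
      "name": "Launch smokescreen (Delve)",
      "type": "go",
      "request": "launch",
      "mode": "debug",
      "program": "${workspaceFolder}",
      "args": ["--config-file", "${workspaceFolder}/config.yaml"]
    }
  ]
}
```

With either configuration active, breakpoints placed on the request-handling path are hit while you drive the application through Burp, which is the "Burp + see what the code does" mode from the comparison slide: the proxy shows the request and response, the debugger shows which code ran in between and with what values.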

15 of 20

Case study - Stripe SSRF

16 of 20

Case study - Stripe SSRF

17 of 20

18 of 20

My approach

  • I don’t hunt for dangerous functions by hand; tools such as lgtm.com and semgrep do that
  • Start like a blackbox test
  • Understand what happens and what can go wrong

19 of 20

Where to start?

20 of 20

Thank you

Slides:

https://bbre.dev/dbg-slides

My media: