Route Sixty-Sink: Connecting Application Inputs to Sinks Using Static Analysis

Abstract

Route Sixty-Sink is an open source static analysis tool that traces the flow of user input through any .NET binary and determines whether it is passed as an argument to a dangerous function call (a “sink”). Route Sixty-Sink does this using two main modules:

  1. RouteFinder, which enumerates API routes in MVC-based and classic ASP page web applications.
  2. SinkFinder, which takes an entry point and creates a call graph of all classes and method calls. Then, it queries strings, method calls, and class names for “sinks”.

By tying these two pieces of functionality together, Route Sixty-Sink is able to quickly identify high-fidelity vulnerabilities that would be difficult to discover using black box or manual static analysis approaches.

We have used Route Sixty-Sink to reveal and successfully exploit vulnerabilities including unsafe object deserialization, SQL injection, command injection, arbitrary file uploads and access, authorization bypasses, and more in both open-source and proprietary .NET applications.
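The abstract describes the core of the approach: an entry point, a call graph, and a query for dangerous callees. The following C# program is an added illustration of that source-to-sink search and is not Route Sixty-Sink's own code. The call graph is a hand-constructed dictionary standing in for what SinkFinder would extract by walking CIL method bodies; the method names, the sink list and the controller names are all invented for the example.

```csharp
using System;
using System.Collections.Generic;
using System.Linq;

static class SinkSearchDemo
{
    // Constructed sample call graph (caller -> callees). In a real tool this comes
    // from decoding each method body's call instructions in the binary.
    static readonly Dictionary<string, string[]> CallGraph = new()
    {
        ["OrdersController::Upload"] = new[] { "FileService::Save", "Logger::Info" },
        ["FileService::Save"]        = new[] { "System.IO.File::WriteAllBytes", "Utils::Normalize" },
        ["OrdersController::Import"] = new[] { "Importer::Load" },
        ["Importer::Load"]           = new[] { "System.Runtime.Serialization.Formatters.Binary.BinaryFormatter::Deserialize" },
        ["OrdersController::Search"] = new[] { "Repo::Find" },
        ["Repo::Find"]               = new[] { "System.Data.SqlClient.SqlCommand::.ctor", "Utils::Normalize" },
        ["Utils::Normalize"]         = new[] { "Logger::Info" },
        ["Logger::Info"]             = new[] { "Utils::Normalize" }, // deliberate cycle
    };

    // Sink list: callees a reviewer wants flagged whenever an entry point can reach them.
    static readonly HashSet<string> Sinks = new()
    {
        "System.Runtime.Serialization.Formatters.Binary.BinaryFormatter::Deserialize",
        "System.Data.SqlClient.SqlCommand::.ctor",
        "System.IO.File::WriteAllBytes",
    };

    // Depth-first walk from an entry point; returns every distinct call path ending at a sink.
    public static List<List<string>> FindSinkPaths(string entry)
    {
        var results = new List<List<string>>();
        Walk(entry, new List<string>(), new HashSet<string>(), results);
        return results;
    }

    static void Walk(string method, List<string> path, HashSet<string> onStack, List<List<string>> results)
    {
        path.Add(method);
        if (Sinks.Contains(method))
        {
            results.Add(new List<string>(path)); // record the full source-to-sink path
        }
        else if (onStack.Add(method)) // skip methods already on the current path (cycles)
        {
            foreach (var callee in CallGraph.GetValueOrDefault(method, Array.Empty<string>()))
                Walk(callee, path, onStack, results);
            onStack.Remove(method);
        }
        path.RemoveAt(path.Count - 1);
    }

    static void Main()
    {
        // Treat every controller action as an entry point, as RouteFinder would supply them.
        foreach (var entry in CallGraph.Keys.Where(k => k.StartsWith("OrdersController::")))
            foreach (var p in FindSinkPaths(entry))
                Console.WriteLine(string.Join(" -> ", p));
    }
}
```

Each printed line is one reviewable path from a route handler to a sink; the `onStack` set keeps mutually recursive helpers such as the constructed `Utils::Normalize`/`Logger::Info` pair from looping forever. Real sink lists are keyed on fully qualified method names so that a custom sink can be added by appending one string.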

Presentation Outline

  • Presenter Introductions and Background
    • Source to Sink Analysis
      • We will discuss our work as appsec-focused consultants and the approach we use known as “source-to-sink” analysis to identify vulnerabilities in source code
    • Inspiration
      • The team will discuss pain points that occur during code reviews and gray box assessments and how they led to the inspiration for Route Sixty-Sink
    • Introduction to .NET
      • We will provide a brief overview of .NET and its Common Intermediate Language (“CIL”)
  • Identifying Sinks (SinkFinder module)
    • SinkFinder Functionality
      • We will explain how SinkFinder recursively follows method calls within an application to find “sinks.”
    • SinkFinder Implementation
      • Creating a function call graph
        • We will discuss how SinkFinder builds a function call graph of the application, which provides full coverage into potential sinks that will be called
      • Identifying sinks
        • We will discuss the heuristics used to create a list of sinks that SinkFinder will search for
        • We will show how one can easily define custom sinks to query an application for
    • Assumptions
      • We will explain assumptions we make through our implementation of the SinkFinder module
    • Case Study: Using Standalone SinkFinder to Query a Binary
      • As an example, we will show how we used SinkFinder to identify a local privilege escalation vulnerability in a console application
  • Identifying Routes (RouteFinder module)
    • Model View Controller (“MVC”) Routing
      • We will explain how modern API routing occurs in .NET applications, which includes:
        • Conventional Routing: A routing mechanism where controllers are specified using regular expressions for URI patterns
        • Attribute Routing: A routing mechanism where controllers are specified using C# “attributes”
    • Classic ASP Routing
      • The presenters will discuss how RouteFinder can also handle classic ASPX, ASMX, and ASCX pages to determine application inputs
    • Case Study: Using RouteFinder to Enumerate API Routes
      • The team will show a large web application without API documentation and how RouteFinder identifies all of its API routes in seconds
  • Route Sixty-Sink: Tying RouteFinder and SinkFinder Together
    • Case Study: Identifying and exploiting a Vulnerability in an MVC application
    • Case Study: Identifying and exploiting a Vulnerability in an ASP Classic Pages application
  • Next Steps for Route Sixty-Sink
    • We will discuss some of the exciting plans we have for Route Sixty-Sink in the future, which include:
      • Community-sourced sinks
      • New, higher-fidelity sink finding
      • The Route Sixty-Sink Burp extension
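The "Identifying Routes" section above contrasts conventional routing with attribute routing. The following C# program is an added example, not RouteFinder's own code: it uses reflection to list the attribute-routed actions of every controller in an assembly and falls back to a supplied conventional pattern for controllers that carry no route attributes. It assumes an ASP.NET Core project (the `Microsoft.NET.Sdk.Web` SDK, so `Microsoft.AspNetCore.Mvc` is referenced); the two controllers are constructed samples.

```csharp
using System;
using System.Collections.Generic;
using System.Linq;
using System.Reflection;
using System.Text.RegularExpressions;
using Microsoft.AspNetCore.Mvc;
using Microsoft.AspNetCore.Mvc.Routing;

// Attribute-routed controller (constructed sample). The [controller] token in the
// class-level template resolves from the class name, giving "api/orders".
[ApiController]
[Route("api/[controller]")]
public class OrdersController : ControllerBase
{
    [HttpGet("{id:int}")]
    public IActionResult Get(int id) => Ok(id);

    [HttpPost("import")]
    public IActionResult Import([FromBody] string payload) => Ok();
}

// Conventionally routed controller (constructed sample): no route attributes, so its
// URIs come only from the pattern registered at startup, e.g.
//   app.MapControllerRoute("default", "{controller=Home}/{action=Index}/{id?}");
public class LegacyController : Controller
{
    public IActionResult Index() => Content("ok");
    public IActionResult Export(string name) => Content(name);
}

public static class RouteEnumerator
{
    // Returns "VERB /template" for every public action on every controller in the assembly.
    public static string[] Enumerate(Assembly asm, string conventionalPattern)
    {
        var routes = new List<string>();
        var controllers = asm.GetTypes()
            .Where(t => t.IsClass && !t.IsAbstract && typeof(ControllerBase).IsAssignableFrom(t));

        foreach (var ctrl in controllers)
        {
            var name = ctrl.Name.EndsWith("Controller") ? ctrl.Name[..^"Controller".Length] : ctrl.Name;
            // Class-level [Route] prefix, with the [controller] token expanded.
            var prefix = ctrl.GetCustomAttribute<RouteAttribute>()?.Template?
                .Replace("[controller]", name.ToLowerInvariant());

            foreach (var action in ctrl.GetMethods(BindingFlags.Public | BindingFlags.Instance | BindingFlags.DeclaredOnly))
            {
                var verbs = action.GetCustomAttributes<HttpMethodAttribute>().ToList();
                if (verbs.Count == 0)
                {
                    // Conventional routing: substitute controller and action into the pattern,
                    // dropping any "=Default" values inside the tokens.
                    var path = Regex.Replace(conventionalPattern, @"\{controller(=[^}]*)?\}", name);
                    path = Regex.Replace(path, @"\{action(=[^}]*)?\}", action.Name);
                    routes.Add($"ANY /{path}");
                    continue;
                }

                // Attribute routing: combine the class prefix with each verb attribute's template.
                foreach (var v in verbs)
                {
                    var template = string.Join("/", new[] { prefix, v.Template }.Where(s => !string.IsNullOrEmpty(s)));
                    foreach (var verb in v.HttpMethods)
                        routes.Add($"{verb} /{template}");
                }
            }
        }
        return routes.ToArray();
    }
}

public static class Program
{
    public static void Main()
    {
        foreach (var r in RouteEnumerator.Enumerate(typeof(OrdersController).Assembly,
                                                    "{controller=Home}/{action=Index}/{id?}"))
            Console.WriteLine(r);
    }
}
```

The conventional branch is the weaker half of any such enumeration: a binary cannot tell you which pattern was registered, so the pattern has to be read from the startup code or supplied by the reviewer, which is why an exhaustive route list matters before sink analysis begins.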

About the Speakers