@conikeec
Created April 24, 2020 05:11
// enumerate all routes from attack surface script
val attackerControlledSource = cpg.method.filter(_.annotations.name("@RequestParameter").contains("userName")).parameter
// determine all security sensitive functions
val vulnerableSink = cpg.method.name("find*byUserName*").parameter
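// conduct reachability analysis from attacker-controlled vectors to all security-sensitive functions
// reachableBy takes the source traversal as an argument; materialize the flows to test whether any exist
if (vulnerableSink.reachableBy(attackerControlledSource).flows.l.nonEmpty) {
  println("Authentication Bypass Found!")
}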