ENHANCING SECURE CODE REVIEW MODULE

You are viewing a wiki page. You are welcome to join the group and then edit it. Be bold!

Project Information:
Project Page : Security Testing
Student : Udit Jaggi
Irc nick : udaksh
Mentor : Michael Hess
Project : Proposal on Melange

Current Status : Scrubbing code and improving documentation .

Overview
The Project aims at enhancing the Secure Code Review module by:
• Developing additional security reviews in the secure code review module.
• Developing parsed based routines to find the vulnerable usage of the functions of source code of module.
• Developing Taint injection module to inject data into input fields.
• Displaying security review results

Tasks before May 21, 2012:

  • Conduct research on security vulnerabilities ,their prevention measures and secure coding techniques.

  • Study and understanding existing Secure code review code.

  • Planning designing and prototyping for enhancing Secure code review

Tasks before June 5, 2012:

  • Prepare sample modules with code vulnerabilities and understanding how the functions in these modules are vulnerably used and how does it affecting the website.

  • Prepare database of different inputs (data) to be injected in input fields to exploit the vulnerability in the sample modules.

Tasks before June 25, 2012:

  • Develop additional Security review routines to locate vulnerabilities in the sample modules.

  • Develop Parsed based routines to predict the vulnerabilities in the sample modules:

Now these routines will be developed separately from the security review routines, they discover the vulnerable usage of the functions in the sample modules and predicts the inputs that is to be fed in the inputs fields to exploit vulnerability

Tasks before July 5, 2012:

  • Integrate Security review routines with the Parsed based routines:

Since every time preparing the inputs with the parsed based routines is very cumbersome so its better to use parsed based routines only in places where security review routines encounters novel code snippet and is not able to determine whether the code snippet is secure or not.So Secure code review module will review the code first with security review routines and if it’s unsuccessful then it will do the reviewing by parsed based routines.

Tasks before Jul 20, 2012:

  • Midterm evaluation

  • Prepare the Taint Injection module

Tasks before Jul 30, 2012:

  • Integrate Secure code review module with the Taint injection module:

Taint injection module will use the results from parsed based routines and checks for vulnerabilities

Tasks before Aug 10, 2012:

  • Develop and implement a user interface to display security review results.

Tasks before Aug 20, 2012:

  • Scrub code, write tests and improve documentation.

Comments

Project update: Project

udaksh's picture

Project update:
Project disscussion page :
Approach and algorithm for locating xss vulnerabilties :

Task completed:
*Reached to Source value's from output Function Calls like theme(),drupal_set_title() etc in a file.
*Made the script(Taint module) to identify all input fields of a file,inject xss into these input fields and checks whether the injected xss will come as output.

Current status:
*Developing the routines to predict the input fields(of other modules whose data is to be used by a module under consideration) into which we have to inject the xss using source values and results from parsed routines.

Project Screencast

udaksh's picture

Screencast of the project : http://www.youtube.com/watch?v=wt4N-z-xTkE

Google Summer of Code 2012

Group organizers

Group notifications

This group offers an RSS feed. Or subscribe to these personalized, sitewide feeds: