Tag Archives: CodeQL

Preventing a timing attack with CodeQL

A message authentication code (MAC) or a digital signature may be used to authenticate a message and to protect its integrity. When checking a signature, it is better to use constant-time algorithm. Otherwise, an attacker may be able to forge a valid signature for an arbitrary message by running a timing attack. Although it is a pretty sophisticated attack, sometimes it can be a real threat. Let’s see how such issues may be detected with CodeQL in Java applications.

Continue reading

Detecting Jackson deserialization vulnerabilities with CodeQL

If you use Jackson Databind library and run a security scanner, you might have received quite a lot of alerts about deserialization vulnerabilities. In the past, a new CVE pop up nearly every month when someone discovered a new deserialization gadget that could be used to exploit an application. Fortunately, the project doesn’t assign CVEs for new deserialization gadgets anymore. It makes sense because an application that uses Jackson libraries is not vulnerable by default. However, if the application uses Jackson libraries in a certain way, it may be in danger.

Below I’ll show how CodeQL can be used to to check whether or not an application is vulnerable to deserialization attacks.

Continue reading

Detecting dangerous RMI objects with CodeQL

Java RMI uses the default Java deserialization mechanism for passing parameters during remote method invocations. In other words, RMI uses ObjectInputStream that is a well-known unsafe deserialization mechanism. If an attacker can find and send a deserialization gadget to a vulnerable remote method, in the worst case it can result in arbitrary code execution.

I recently wrote a CodeQL query that looks for dangerous remote objects registered in an RMI registry. This post describes the vulnerability and how the query works.

Continue reading

Detecting dangerous Spring service exporters with CodeQL

In this blog post, I’ll talk about detecting unsafe Spring Exporters with a CodeQL query. First, I’ll describe the issue that received CVE-2016-1000027. Next, I’ll show what a vulnerable code looks like and how the issue can be mitigated in an application. Then, I’ll describe how the CodeQL query works. In addition, I’ll show a couple of vulnerabilities that have been found by the query.

(you can also read it on Medium)

Detecting dangerous Spring Exporters with CodeQL
Continue reading

Detecting JEXL injections with CodeQL

In this post, I’ll talk about a CodeQL query for detecting JEXL Expression Language injection vulnerabilities. First, I’ll give a brief overview of expression languages in general and JEXL in particular. Next, I’ll explain what Expression Language injection is and how to prevent it. Then, I’ll describe how the CodeQL query works. In addition, I’ll show a couple of vulnerabilities that have been found by the query.

(you can also read it on Medium)

Detecting JEXL injections with CodeQL
Continue reading