April 28, 2017
Checking NuGet Packages for Security Vulnerabilities
Another quick post on scanning projects for vulnerabilities with an easy-to-use tool. At the end of the day, these are super quick wins for a security audit, because you can identify packages that either need to be removed or should be updated to a newer version. Lame? Maybe. However, these are the small problems that can be chained with a worse vulnerability to produce a potentially critical one. I personally try my best to never lose sight of the low-hanging fruit (aka never forget the low-severity issues; they matter too!).
So, let's get into the actual interesting part of this post. I'm going to outline a scenario for when using this workflow might make sense, but this likely isn't the ONLY situation when this workflow will be useful.
You've been asked to do a security review of a new .NET web project. You've been given the source code, and you're expected to get a security review done ASAP. One of the easiest wins is to check whether the packages being used contain known vulnerabilities. If so, that's sure as hell a finding!
In general, most .NET projects (C#, Visual C++, ASP.NET, etc.) use NuGet to handle external dependency management. Simply put, NuGet is like pip for Python, SBT for Scala, npm for Node.js, and the list goes on. Like all package management systems, there's absolutely no auto-updating of dependencies because THAT MIGHT BREAK THE BUILD. So, how do we audit the external dependencies of a .NET project? Let me introduce you to DevAudit.
DevAudit offers a TON of options, but I specifically use it to audit NuGet packages for .NET applications. You're highly encouraged to check out the other features of DevAudit, but for the purpose of this post, I will be focusing on the NuGet audit features.
NOTE: For once, I will be making a huge assumption that you are using PowerShell on a newer version of Windows. DevAudit, in my tests, runs best on Windows. You can get it to work on Linux, but you will need to figure out .NET Core shenanigans, which has arguably gotten easier as of late.
Grab the latest version of DevAudit from the releases section of its GitHub repository. Open up your trusty PowerShell console, and run the following command.
That little snippet will add the DevAudit directory to your PowerShell path so it's less painful to run the program. Using PowerShell, navigate into your project's directory and locate the packages.config file. This is the file that lists the NuGet packages used in the project along with the version of each. It also happens to be the file DevAudit needs to audit the project, so be sure you are in the same directory as packages.config before running it.
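As an added example (this is not the gist from the original post, nor DevAudit's own code), the PowerShell below does the two steps just described in one go: it puts the DevAudit directory on the PATH for the current session, then finds every packages.config under a solution root, prints the package id and pinned version it contains, and runs DevAudit from that directory. The paths C:\Tools\DevAudit and C:\src\MyWebApp are placeholders you will need to change; the packages.config inventory is my own addition so you can see at a glance what DevAudit is being handed.

```powershell
# Added example, not from the original post. Assumes DevAudit was unzipped
# to the placeholder directory below and the solution lives under $solutionRoot.
$devAuditDir  = 'C:\Tools\DevAudit'   # placeholder: where devaudit.exe lives
$solutionRoot = 'C:\src\MyWebApp'     # placeholder: root of the project under review

if (-not (Test-Path (Join-Path $devAuditDir 'devaudit.exe'))) {
    throw "devaudit.exe not found in $devAuditDir; adjust `$devAuditDir"
}

# Prepend to PATH for this session only (no registry/user-profile change),
# skipping it if the directory is already present.
if (($env:Path -split ';') -notcontains $devAuditDir) {
    $env:Path = "$devAuditDir;$env:Path"
}

# A solution often has several projects, each with its own packages.config.
# Skip copies that live in build output or the restored packages folder.
$configs = Get-ChildItem -Path $solutionRoot -Filter 'packages.config' -Recurse -File |
    Where-Object { $_.FullName -notmatch '\\(bin|obj|packages)\\' }

if (-not $configs) {
    Write-Warning "No packages.config found under $solutionRoot"
}

foreach ($cfg in $configs) {
    Write-Host "`n=== $($cfg.FullName) ===" -ForegroundColor Cyan

    # packages.config is plain XML: <packages><package id="..." version="..." /></packages>
    # Print the inventory so the auditor knows exactly which pinned versions are in play.
    [xml]$doc = Get-Content -Path $cfg.FullName
    foreach ($pkg in $doc.packages.package) {
        '{0,-45} {1}' -f $pkg.id, $pkg.version
    }

    # DevAudit expects to be run from the directory holding packages.config,
    # hence the "." argument. Push-Location/Pop-Location keeps us from getting
    # stranded in a subdirectory if DevAudit throws.
    Push-Location $cfg.DirectoryName
    try {
        & devaudit.exe nuget .
        # DevAudit's exit-code semantics are not documented on this page, so the
        # code is only recorded here for the auditor's notes.
        Write-Host "devaudit exit code: $LASTEXITCODE"
    }
    finally {
        Pop-Location
    }
}
```

Run it from any PowerShell prompt after editing the two placeholder paths. Because the PATH change is session-scoped, closing the console undoes it; persist it with [Environment]::SetEnvironmentVariable if you want devaudit.exe available permanently.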
Now simply run devaudit.exe nuget . (the trailing dot tells DevAudit to audit the current directory). I've included some sample output from a random project I pulled off GitHub.
That simple. The report is color-coded, but GitHub Gists can't capture that. Sorry. Overall, I found this tool incredibly easy to use, and it provided incredibly helpful output for a recent assessment. Hopefully someone else benefits from using this tool.
Suggestions, comments? Post 'em below!