Identifying Security Flaws With Code Analysis Tool (CAT.NET)

Code Analysis Tool (CAT.NET) is a binary source code analysis tool that helps in identifying common security flaws in managed code. These vulnerabilities are listed in the below table.

Vulnerability Description
Cross Site Scripting(XSS) XSS vulnerability allows an attacker to inject a malicious HTML Code or Scripts which gets executed in the Client’s browser.
A successful XSS can lead to modification in application, DOS attack, loss of user data, and execution of malicious command on the web server.
 

SQL Injection

SQL injection is a technique to exploit application using malicious code passed to Sql server for execution. A successful Sql injection attack results in unauthorized access to database. In some cases the whole system gets compromised
 

Process Command Injection

If user input is use to create a process in your application e.g. user provides that an argument to the new process, then it is vulnerable to process command execution. In this attack the attacker tries to execute system level commands.
 

File Canonicalization

Canonicalization is the process of converting data to its canonical form. File paths and URLs are particularly prone to canonicalization issues and many well-known exploits are a direct result of canonicalization bugs.
If user input is used to construct a path or name a resource then your application is vulnerable to file canonicalization
 

Exception Information

Exception handling is built in mechanism in .Net Framework to handle the errors that occurred at run time. Proper exception/error mechanism should be in place to avoid information disclosure through error message. The information may contain Database, Web server, application path, Source file details etc. which an attacker can misuse to launch an attack.

LDAP Injection
LDAP injection is a technique to exploit application using malicious code that constructs the LDAP query for execution.  The technique is similar to SQL Injection attack.
 

XPATH Injection

XPATH injection is a technique to exploit application using code that constructs the XPATH query for XML data. A successful XPATH injection can lead to the whole xml data file.
 

Redirection to User Controlled Site

When an application allows redirection via user supplied parameters in the destination URL like “http://samplewebsite.com/login.aspx?ReturnUrl=Statementview.aspx”. If these kinds of url are not validated for allowed destination, an attacker can simply send a malicious URL like “http://samplewebsite.com/login.aspx?ReturnUrl=http://phishingsiteurl” to redirect user to a phishing page.

CAT.Net tool enhances the quality of the source and helps in adopting security best practices. Microsoft uses this tool for security review. One thing we should always keep in my while using automated code analysis tool is the false positive results.Cat.net sometimes produces the false positive results.

CAT.Net tool must be used during the implementation phase of security development life cycle (SDL).

Code Analysis Tool
Code Analysis Tool

There are some limitations when using the CAT.Net i.e. on the size of the dll being analyzed. 18 MB dll is to be analyzed by cat.net. Above this size it throws an exception “Out of memory”. The exception will be thrown only on 32 bit not on 64 bit machines.

The CAT.NET tool can be used in four different scenarios:

  1. A snap-in to the Visual Studio IDE,
  2. A command line tool,
  3. As an FxCop rule and
  4. Integrated into VSTF TeamBuild as an MSBuild custom task.

Here in this demo I will be using command line tool.

  • Open command prompt and navigate to folder where CATNetCmd64.exe is located.
  • Type the command “CATNetCmd64.exe /file:”catnet.dll” where /file accept the assembly name to be analyzed.
  • Once done with this you will see the analysis has started and on successful completion it will generate a report. The screen after successful completion of the analysis.

sunilyadav_634358879259680000_2

You can view report which is generated in the root path of the ct.net directory named as report.html.

Sample report for the above analysis is shown below.

sunilyadav_634358879292070000_3

Download

32 bit- http://www.microsoft.com/downloads/en/details.aspx?FamilyID=0178E2EF-9DA8-445E-9348-C93F24CC9F9D  

64 bit- http://www.microsoft.com/downloads/details.aspx?FamilyId=e0052bba-2d50-4214-b65b-37e5ef44f146 

Author


Related Tags:

2 comments

Dear Sunil,

this blog helps me lot

thant you for that share.

Regards,
Raj Naik

Do we have this integration for Visual Studio 2015?
If not what are the best possible replacements for ir?

Leave a Reply

Your email address will not be published. Required fields are marked *