3.1.1 - Example

Analyze the Application’s Codebase

Below is an image that shows the cyclomatic and cognitive complexity scores of the code. The SonarQube documentation describes these metrics as follows:

Sonar Documentation:

How simple or complicated the control flow of the application is. 
Cyclomatic Complexity measures the minimum number of test cases 
required for full test coverage. Cognitive Complexity 
is a measure of how difficult the application is to understand

We can use these scores to estimate how likely it is that the business logic of the application contains flaws. Behind each file or folder we see its overall score; the higher this value, the stronger a contender that piece of code becomes for manual review.

Since this was a rather small application the scores were not that interesting, but for larger code bases this is a really important tool in your recon arsenal.
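To make the ranking idea concrete, here is an added example (not code from the original page or from the target application) that approximates the cyclomatic score by counting decision points in each source file and then sorts the files so the most complex ones come first. The three sample files are constructed for this example; a real run would read the files of the target code base instead. It only counts tokens in the text, so it does not understand strings or comments the way SonarQube's parser does.

```javascript
// Added example: rough cyclomatic-complexity estimate per file, used to rank
// files for manual review. Counts decision points in the text; it does not
// parse JavaScript, so tokens inside strings and comments are counted too.

const DECISION_KEYWORDS = /\b(if|for|while|case|catch)\b/g;
const LOGICAL_OPERATORS = /&&|\|\||\?\?/g;
const TERNARY = /\?(?![.?])/g; // a '?' that is not optional chaining or '??'

// Cyclomatic complexity = 1 + number of decision points (branches,
// boolean operators and ternaries), i.e. the minimum number of paths.
function cyclomaticEstimate(source) {
  const keywords = (source.match(DECISION_KEYWORDS) || []).length;
  const logical = (source.match(LOGICAL_OPERATORS) || []).length;
  const ternary = (source.match(TERNARY) || []).length;
  return 1 + keywords + logical + ternary;
}

// Takes { filename: source } and returns files sorted, highest score first,
// so the top of the list is where manual review should start.
function rankForReview(files) {
  return Object.entries(files)
    .map(([file, src]) => ({ file, complexity: cyclomaticEstimate(src) }))
    .sort((a, b) => b.complexity - a.complexity);
}

// Constructed sample files (hypothetical names and contents).
const SAMPLE_FILES = {
  'helpers/straight.js': `
function add(a, b) {
  return a + b;
}`,
  'routes/login.js': `
async function login(req, res) {
  if (!req.body.username || !req.body.password) {
    return res.status(400).end();
  }
  const user = await findUser(req.body.username);
  if (user && user.password === req.body.password) {
    return res.json({ token: issueToken(user) });
  }
  return res.status(401).end();
}`,
  'helpers/calc.js': `
function calculate(expr) {
  const stack = [];
  for (const part of expr.split(' ')) {
    switch (part) {
      case '+': stack.push(stack.pop() + stack.pop()); break;
      case '*': stack.push(stack.pop() * stack.pop()); break;
      default:
        if (isNaN(part)) { throw new Error('bad token'); }
        stack.push(Number(part));
    }
  }
  return stack.length ? stack[0] : 0;
}`,
};

console.table(rankForReview(SAMPLE_FILES));
```

On the sample files the calculator (loop, two cases, an if and a ternary) ranks above the login handler, which ranks above the straight-line helper; on a real code base the same ordering is the review queue.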

The images below also show another handy feature of SonarQube, namely Security Hotspots. Although we use different tooling for SAST (Semgrep), as discussed later on, it is always good practice to have several tools perform security checks, since each tool excels at testing different things and their findings will not fully overlap.

For now, let's again add these findings to our RTM for later verification.

Feature ID | Description         | Potential vulnerability             | Test method
F001       | User authentication | JWT is prone to signature bypasses  | SCA should point out the CVE. Other attack methods that also need to be tested are described here: https://portswigger.net/web-security/jwt
F002       | User login          | SQLi                                | A potential PoC can be built following this resource: https://flattsecurity.medium.com/finding-an-unseen-sql-injection-by-bypassing-escape-functions-in-mysqljs-mysql-90b27f6542b4
F003       | SpikyFactor.js      | RCE                                 | SonarQube detected a potential RCE in the calculate function of challenge/helpers/SpikyFactor.js

Examine Application Routing

The routes of the application tell us a lot about the attack surface and can point to interesting paths to check. In many scenarios we find paths here that require special roles or privileges, or that handle requests with a different authentication/authorization middleware.

router.post('/api/login', async (req, res) => {                   // no middleware: reachable unauthenticated
router.get('/interface', AuthMiddleware, async (req, res) => {    // behind AuthMiddleware
router.post('/api/activity', AuthMiddleware, async (req, res) => { // behind AuthMiddleware
router.get('/logout', (req, res) => {                             // no middleware
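Doing this by eye works for four routes; for a large router it helps to script it. The following is an added example (not code from the original page or the target application) that pulls every `router.<verb>(...)` registration out of a router source file, records which middleware sits in front of the handler, and lists the routes that are reachable without the authentication middleware. The sample router is constructed for this example: it mirrors the four routes above and adds a hypothetical `/api/admin/users` route guarded by an extra `AdminOnly` middleware to show how role-specific paths stand out. The regex assumes the common `router.verb('path', [middleware, ...] handler)` shape.

```javascript
// Added example: enumerate Express routes from router source text and flag
// the ones that carry no authentication middleware.

// Matches router.get('/path', <rest of line>); the rest of the line holds
// the optional middleware list followed by the handler.
const ROUTE_RE = /router\.(get|post|put|patch|delete|all)\(\s*(['"`])([^'"`]+)\2\s*,\s*([^\n]*)/g;

// Returns [{ method, path, middleware: [...] }] in source order.
function parseRoutes(source) {
  const routes = [];
  for (const m of source.matchAll(ROUTE_RE)) {
    const [, verb, , path, rest] = m;
    // Everything before the handler ("async (", "(req" or "function (")
    // is the comma-separated middleware list.
    const beforeHandler = rest.split(/async\s*\(|\(req|function\s*\(/)[0];
    const middleware = beforeHandler
      .split(',')
      .map((s) => s.trim())
      .filter((s) => s.length > 0);
    routes.push({ method: verb.toUpperCase(), path, middleware });
  }
  return routes;
}

// Routes that do not pass through the given auth middleware: the
// unauthenticated attack surface.
function unauthenticatedRoutes(routes, authMiddlewareName) {
  return routes.filter((r) => !r.middleware.includes(authMiddlewareName));
}

// Constructed sample router; '/api/admin/users' and 'AdminOnly' are
// hypothetical and not part of the original application.
const SAMPLE_ROUTER = `
const router = require('express').Router();

router.post('/api/login', async (req, res) => {
  res.json({ token: 'todo' });
});
router.get('/interface', AuthMiddleware, async (req, res) => {
  res.render('interface');
});
router.post('/api/activity', AuthMiddleware, async (req, res) => {
  res.json([]);
});
router.post('/api/admin/users', AuthMiddleware, AdminOnly, async (req, res) => {
  res.json([]);
});
router.get('/logout', (req, res) => {
  res.redirect('/');
});
`;

const routes = parseRoutes(SAMPLE_ROUTER);
console.table(routes.map((r) => ({ ...r, middleware: r.middleware.join(', ') })));
console.log('Unauthenticated:', unauthenticatedRoutes(routes, 'AuthMiddleware').map((r) => `${r.method} ${r.path}`));
```

The two lists this produces are exactly what the next steps need: the unauthenticated routes are where login and injection tests start, and any route with a middleware nobody else has (here `AdminOnly`) is a candidate for authorization bypass testing.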

Another way to find interesting routes, or other interesting files such as backups and documentation, is to run gobuster against the target.

gobuster dir -u http://192.168.50.242 -w /usr/share/wordlists/dirb/common.txt -x txt,pdf,config,zip

Identification of Business-Critical Code Sections

In this context we primarily want to focus on the authentication part of the application (F001 and F002) alongside the potential RCE (F003). With all the information currently at our disposal these should be our primary focus.
