How to: Run CAT.NET v1.1 at command prompt
Syed Aslam Basha here from the Information Security Tools team.
In the previous blog post I demonstrated "How to use CAT.NET as a Visual Studio Add-In to identify security flaws within managed code". Here I am going to demonstrate "How to run CAT.NET at the command prompt".
Applications might have many security vulnerabilities, such as SQL injection, LDAP injection, XPath injection, Cross-Site Scripting (XSS), process command execution, file canonicalization, exception information disclosure and redirection to a user-controlled site. CAT.NET traces user-controlled data (sources) through the assembly to the dangerous calls (sinks) and reports each of these flaw classes.
For example (fragments of an ASP.NET Web Forms code-behind; each one carries a flaw that CAT.NET reports):

using System;
using System.Data.SqlClient;
using System.Diagnostics;
using System.DirectoryServices;
using System.IO;
using System.Xml;

//Process command execution vulnerability
Process aProcess = new Process();
aProcess.StartInfo.FileName = "someapp.exe";
aProcess.StartInfo.Arguments = TextBox1.Text; // source: untrusted user input
aProcess.Start(); // sink: user input becomes command-line arguments

//File canonicalization vulnerability
File.Create(TextBox2.Text); // user controls the path, including "..\" segments

//Exception information vulnerability
protected void Button4_Click(object sender, EventArgs e)
{
    string connectionString = "Data Source=myServerAddress;Initial Catalog=myDataBase;User Id=myUsername;Password=myPassword;";
    SqlConnection myConnection = null;
    try
    {
        myConnection = new SqlConnection(connectionString);
        myConnection.Open();
    }
    catch (SqlException myEx)
    {
        DoSomethingWithException(myEx);
    }
    catch
    {
        Label2.Text = "This is just test, so fine";
    }
    finally
    {
        if (myConnection != null)
        {
            myConnection.Close();
        }
    }
}

protected void DoSomethingWithException(SqlException myEx)
{
    // Exception information vulnerable code: the raw exception text is exposed
    string x = "Exception Info: " + myEx.Message;
}

//LDAP injection vulnerability
protected void Button7_Click(object sender, EventArgs e)
{
    DirectorySearcher searcher = new DirectorySearcher();
    string filter = TextBox5.Text; // source
    LDAP_InjectionMethod(searcher, filter);
}

protected void LDAP_InjectionMethod(DirectorySearcher searcher, string filter)
{
    string filterEx = filter + " Random Garbage";
    searcher.Filter = filterEx; // sink: unescaped input in the LDAP filter
}

//XPath injection vulnerability
protected void Button6_Click(object sender, EventArgs e)
{
    XmlDocument doc = new XmlDocument();
    XmlNode node = doc.CreateElement("Settings");
    node.SelectSingleNode(TextBox4.Text); // sink: user input is the XPath expression
}

//SQL injection vulnerability
string connString = System.Configuration.ConfigurationManager.AppSettings.Get("connString");
SqlConnection myConnection = new SqlConnection(connString);

//1 SQL Injection vulnerability exists here: user input is concatenated into the query text
SqlCommand myNaiveCommand = new SqlCommand("SELECT COUNT(*) FROM Users WHERE UserName='" + txbUsername.Text + "' AND Password='" + txbPassword.Text + "'");

//Redirection to user controlled site
string x = TextBox3.Text; // source
Response.Redirect(x); //1 Redirect vulnerability exists here

//XSS vulnerability
string userName = txbUsername.Text; // source: reaches the page output unencoded
The above code snippet contains each of these security flaws; you can use CAT.NET to identify all of them.
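To show what a clean run looks like, here are hardened counterparts to the flaws above. This is an added example, not code from the original post or from CAT.NET; it assumes an ASP.NET Web Forms application on .NET Framework with references to System.Web, System.Data and System.DirectoryServices, and the class, method and column names (Hardened, CountUsers, PasswordHash, the /Settings/Setting XML layout) are illustrative.

```csharp
// Added example (not from the original post): one hardened form per flaw class CAT.NET reports.
using System;
using System.Data.SqlClient;
using System.DirectoryServices;
using System.IO;
using System.Text;
using System.Text.RegularExpressions;
using System.Web;
using System.Xml;

public static class Hardened
{
    // SQL injection: bind the values as parameters; the query text never contains user input.
    public static int CountUsers(string connString, string user, string pwdHash)
    {
        using (var conn = new SqlConnection(connString))
        using (var cmd = new SqlCommand(
            "SELECT COUNT(*) FROM Users WHERE UserName=@u AND PasswordHash=@p", conn))
        {
            cmd.Parameters.Add("@u", System.Data.SqlDbType.NVarChar, 256).Value = user;
            cmd.Parameters.Add("@p", System.Data.SqlDbType.NVarChar, 256).Value = pwdHash;
            conn.Open();
            return (int)cmd.ExecuteScalar();
        }
    }

    // LDAP injection: escape the RFC 4515 filter metacharacters before building the filter.
    public static string EscapeLdapFilter(string value)
    {
        var sb = new StringBuilder(value.Length);
        foreach (char c in value)
        {
            switch (c)
            {
                case '\\': sb.Append(@"\5c"); break;
                case '*':  sb.Append(@"\2a"); break;
                case '(':  sb.Append(@"\28"); break;
                case ')':  sb.Append(@"\29"); break;
                case '\0': sb.Append(@"\00"); break;
                default:   sb.Append(c); break;
            }
        }
        return sb.ToString();
    }

    public static SearchResult FindUser(DirectorySearcher searcher, string sam)
    {
        searcher.Filter = "(&(objectClass=user)(sAMAccountName=" + EscapeLdapFilter(sam) + "))";
        return searcher.FindOne();
    }

    // XPath injection: XmlDocument has no bind parameters, so quote the value with the concat()
    // idiom, which cannot be broken out of by an embedded ' or ". The user never supplies the expression.
    public static string XPathLiteral(string value)
    {
        if (!value.Contains("'")) return "'" + value + "'";
        if (!value.Contains("\"")) return "\"" + value + "\"";
        return "concat('" + value.Replace("'", "',\"'\",'") + "')";
    }

    public static XmlNode FindSetting(XmlDocument doc, string name)
    {
        return doc.SelectSingleNode("/Settings/Setting[@name=" + XPathLiteral(name) + "]");
    }

    // File canonicalization: resolve the full path, then refuse anything outside the base folder.
    // Path.Combine returns an absolute userPath unchanged, so that case fails the prefix check too.
    public static string SafePath(string baseDir, string userPath)
    {
        string root = Path.GetFullPath(baseDir).TrimEnd('\\') + "\\";
        string full = Path.GetFullPath(Path.Combine(root, userPath));
        if (!full.StartsWith(root, StringComparison.OrdinalIgnoreCase))
            throw new UnauthorizedAccessException("path escapes " + root);
        return full;
    }

    // Process command execution: only a tightly constrained token may reach the argument list.
    static readonly Regex SafeArg = new Regex(@"^[A-Za-z0-9_.-]{1,64}$");
    public static string SafeArgument(string input)
    {
        if (!SafeArg.IsMatch(input)) throw new ArgumentException("argument rejected");
        return input;
    }

    // Redirection: accept site-relative targets only (no scheme, no host, no protocol-relative //).
    public static bool IsLocalRedirect(string url)
    {
        return !string.IsNullOrEmpty(url)
            && url.StartsWith("/") && !url.StartsWith("//") && !url.StartsWith("/\\");
    }

    // Exception information: log the full detail server-side, show the user a fixed message.
    public static string SafeErrorMessage(Exception ex, Action<string> log)
    {
        log(ex.ToString());
        return "An error occurred and has been logged.";
    }

    // XSS: encode on output so the browser treats the user's text as data, not markup.
    public static string Greeting(string userName)
    {
        return "Hello, " + HttpUtility.HtmlEncode(userName);
    }
}
```

After applying fixes like these, re-run CATNetCmd on the rebuilt assembly. A custom escaping helper such as EscapeLdapFilter is not necessarily something the tool knows as a sanitizer, so a finding that remains on that path needs a manual review and, if it is a false positive, an entry in the XML file passed with /suppressions rather than a blanket /ruleid:- switch that hides the whole rule.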
Steps to run CAT.NET at the command prompt:
Launch a command prompt
Go to C:\Program Files\Microsoft\CAT.NET (the default install folder)
You can run CAT.NET at the command prompt as simply as
- C:\Program Files\Microsoft\CAT.NET> CATNetCmd /file:"c:\MyApplicationFoo.dll"
It generates the MicrosoftACECodeAnalysisReport.xml report, which lists all the vulnerabilities detected. You can open it in the CAT.NET UI.
It also generates an XSLT-transformed "report.html". Both files are written to the current working directory, so with the command above they land in C:\Program Files\Microsoft\CAT.NET; you can open report.html in Internet Explorer. Use /report and /reportxsloutput to write them somewhere else, which also avoids needing write access to the Program Files folder.
All command-line options:

/file:<target>
The path of an assembly file to analyze. Multiple targets can be specified through separate /file: parameters. The '*' wildcard is supported in file names. This is a required parameter.

/search:<directory>
Directory to be searched for assemblies that the targets depend on.

/rule:<file/directory>
The path to a file or directory that contains analysis rule(s). By default the engine uses the rules included with the product.

/ruleid:<[+|-]rule identifier>
A comma-separated list of rules to be explicitly enabled or disabled. By default, all rules are enabled. To disable a rule, prefix the rule identifier with '-'. To enable a rule, prefix the rule identifier with '+'.

/report:<file>
The file to store the analysis report in. By default, the report is saved as 'MicrosoftACECodeAnalysisReport.xml' in the current working directory.

/reportxsl:<file>
The XSL file to use to transform the report. By default, the packaged XSL transform included with the product is used.

/reportxsloutput:<file>
The output file to store the XSLT transform output in. By default, the HTML report is saved as 'report.html' in the current working directory.

/config:<file>
The path to the configuration XML file that should be used by the analysis engine.

/verbose:<Warn|Info|Debug>
The verbosity level to use when displaying results.

/dfgraph:<file>
The path to store the GraphML version of the data flow graph in.

/types:<comma separated list of types to limit analysis to>
Restricts analysis to the specified types or methods. These can be partial class or method names. Method names should not include signatures.

/profile
Enables profiling of the analysis process to collect more detailed information about how the engine is performing. The profiling information is saved in 'profile.xml'.

/disablevectors:<comma separated list of vectors>
Disables one or more data source vectors. By default, no vectors are disabled.
Supported vectors: CommandLine, Network, File, StreamInput, WebRequest, Exception, Database and WebServiceMethod.

/suppressions:<file>
Loads suppression information from the specified XML file.

/depends
Shows dependency information for the specified targets.

/restrict:[uniquesrc,uniquesink]
Restricts results to unique sources, unique sinks, or both unique sources and unique sinks.
You can refer to more articles on CAT.NET here
-Syed Aslam Basha ( syedab@microsoft.com )
Microsoft Information Security Tools (IST) Team
Test Lead
---------------------------------------------------------
Please leave a comment if the blog post has helped you.
Comments
- Anonymous, August 22, 2010
The comment has been removed.

- Anonymous, August 23, 2010
Hi Gabriel, it should work, there isn't anything you should do. Try running from the UI. syedab