Methodology for finding variants of known vulnerabilities using Abstraction and Pattern Matching.
"One bug is a mistake. Two bugs is a pattern."
To find variants, you must stop thinking about specific code and start thinking about abstract patterns.
Start from the concrete finding and generalize it one step at a time until it describes the bug class rather than the bug:

| Level | What you say | What you search for | What you find |
|---|---|---|---|
| Specific | "The function getUser, lines 45-50, has a SQL injection because req.query.id is concatenated into the query." | grep "getUser" | Nothing else. The name is unique to this one bug. |
| Abstract | "A Controller Action takes User Input and passes it to a Database Query without Parameterization." | The shape db.query("..." + $INPUT), independent of function or variable names | getProduct, searchItems, etc. Every other place where "Input goes to Database." |

The abstract statement is built from three ingredients, and each one is a knob you can loosen to widen the search:

- Sinks: the dangerous operation (eval, query, render).
- Sources: where attacker-controlled data enters (req.body, argv, file).
- Sanitizers: the step whose absence makes the flow a bug (sanitize, authorize). A variant is any Source-to-Sink path that skips the Sanitizer.

Typical abstractions per language:

| Language | Typical Abstraction |
|---|---|
| JavaScript | Find dangerouslySetInnerHTML with non-literal strings. |
| Python | Find pickle.loads with any argument. |
| Java | Find classes implementing Serializable with readObject. |
| Go | Find go func() inside a loop using loop variables (closure capture). |
| PHP | Find unserialize() on user input. |
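As an added example (not code from the original page), the search for the "Input goes to Database" pattern above can be expressed over a syntax tree instead of over names, so that getProduct and searchItems fall out even though grep "getUser" misses them. The checker below walks Python source with the standard `ast` module, treats `.query`/`.execute` calls as Sinks, treats any SQL argument assembled at runtime (concatenation, `%`, f-string, `.format`) as unparameterized, and treats a call to a function listed in `SANITIZERS` as the missing step that makes the flow acceptable. The sample module it runs over is constructed for this example; the sink, source and sanitizer names in it (`db.query`, `req.query`, `escape_ident`) are assumptions, not an API of any real project.

```python
import ast
from dataclasses import dataclass

# The abstraction knobs from the text. Widen these sets to widen the search.
SINK_METHODS = {"query", "execute", "executescript"}   # "Input goes to Database"
SANITIZERS = {"escape_ident", "quote_identifier"}      # assumed sanitizer names

# Constructed sample: three variants of the same bug, one sanitized flow,
# one parameterized call and one constant query. Not from a real code base.
SAMPLE = '''
def get_user(req, db):
    return db.query("SELECT * FROM users WHERE id = " + req.query["id"])

def get_product(req, db):
    sql = "SELECT * FROM products WHERE id = %s" % req.args.get("id")
    return db.query(sql)

def search_items(term, db):
    return db.query(f"SELECT * FROM items WHERE name LIKE '%{term}%'")

def by_column(col, db):
    return db.query("SELECT " + escape_ident(col) + " FROM users")

def safe_lookup(req, db):
    return db.query("SELECT * FROM users WHERE id = ?", (req.query["id"],))

def health(db):
    return db.query("SELECT 1")
'''


@dataclass
class Finding:
    function: str
    line: int
    reason: str


def _describe_dynamic(node):
    """Return why `node` is a runtime-built string, or None if it is a literal."""
    if isinstance(node, ast.Constant) and isinstance(node.value, str):
        return None
    if isinstance(node, ast.BinOp) and isinstance(node.op, (ast.Add, ast.Mod)):
        return "string built with + or %"
    if isinstance(node, ast.JoinedStr):
        return "f-string with interpolated value"
    if isinstance(node, ast.Call) and isinstance(node.func, ast.Attribute) \
            and node.func.attr == "format":
        return "str.format() with interpolated value"
    return "non-literal expression"


def _is_sanitized(node):
    """True if any call inside `node` is to a name we trust as a sanitizer.
    This is a deliberately coarse approximation of a real taint analysis."""
    for sub in ast.walk(node):
        if isinstance(sub, ast.Call):
            f = sub.func
            name = f.id if isinstance(f, ast.Name) else getattr(f, "attr", None)
            if name in SANITIZERS:
                return True
    return False


def _check_function(func):
    # Resolve simple `name = <expr>` assignments so `db.query(sql)` is checked
    # against the expression that built `sql`, not just the variable name.
    assigned = {}
    for node in ast.walk(func):
        if isinstance(node, ast.Assign):
            for target in node.targets:
                if isinstance(target, ast.Name):
                    assigned[target.id] = node.value

    findings = []
    for node in ast.walk(func):
        if not (isinstance(node, ast.Call) and isinstance(node.func, ast.Attribute)
                and node.func.attr in SINK_METHODS and node.args):
            continue
        sql = node.args[0]
        if isinstance(sql, ast.Name) and sql.id in assigned:
            sql = assigned[sql.id]
        reason = _describe_dynamic(sql)
        if reason and not _is_sanitized(sql):
            findings.append(Finding(func.name, node.lineno, reason))
    return findings


def find_variants(source):
    """Every function in `source` whose Sink receives a dynamic, unsanitized query."""
    tree = ast.parse(source)
    findings = []
    for node in ast.walk(tree):
        if isinstance(node, ast.FunctionDef):
            findings.extend(_check_function(node))
    return findings


if __name__ == "__main__":
    for f in find_variants(SAMPLE):
        print(f"{f.function} (line {f.line}): {f.reason}")
```

The point of the example is what it does not look at: no function name, no variable name and no table name appears in the matching logic, only the Source-Sink-Sanitizer shape. Swapping `SINK_METHODS` for `{"render", "eval"}` turns the same walker into a template-injection or code-injection variant hunter without touching the rest.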