How to: Run CAT.NET v1.1 at command prompt

  • Article

Syed Aslam Basha here from the Information Security Tools team.

In the previous blog post I demonstrated “How to use CAT.NET as a Visual studio Add-In to identify security flaws within managed code”, for more information you can refer to the blog post here. Here am going to demonstrate “How to run CAT.NET at command prompt”.

Applications might have many security vulnerabilities like SQL injection, LDAP injection, XPath injection, Cross-Site Scripting (XSS), process command execution, file canonicalization, exception information and redirection to user controlled site. You can use CAT.NET tool to identify all of these security flaws.

For example:

  1: //Process command execution vulnerability 
  2: Process aProcess = new Process();   
  3: aProcess.StartInfo.FileName = "someapp.exe";   
  4: aProcess.StartInfo.Arguments = TextBox1.Text;        
  5: // source & sink 
  6: aProcess.Start();    
  7:  
  8: //File canonicalization vulnerability 
  9: File.Create(TextBox2.Text);   
  10:  
  11: //Exception information vulnerability 
  12: protected void Button4_Click(object sender, EventArgs e)  
  13: {  
  14: string connectionString = "Data Source=myServerAddress;Initial Catalog=myDataBase;User Id=myUsername;Password=myPassword;";  
  15: SqlConnection myConnection = null;  
  16: try  
  17: {  
  18: myConnection = new SqlConnection(connectionString);  
  19: myConnection.Open();  
  20: }  
  21: catch (SqlException myEx)  
  22: {  
  23: DoSomethingWithException(myEx);  
  24: }  
  25: catch   
  26: {  
  27: Label2.Text = "This is just test, so fine";     
  28: }  
  29: finally  
  30: {  
  31: myConnection.Close();  
  32: }  
  33: }  
  34: protected void DoSomethingWithException(SqlException myEx)  
  35: {  
  36: string x = "Exception Info: " + myEx.Message; //Exception information vulnerable code 
  37: }  
  38:  
  39: //LDAP injection vulnerability 
  40: protected void Button7_Click(object sender, EventArgs e)  
  41: {  
  42: DirectorySearcher searcher = new DirectorySearcher();  
  43: string filter = TextBox5.Text;  
  44: LDAP_InjectionMethod( searcher, filter );  
  45: }  
  46: protected void LDAP_InjectionMethod( DirectorySearcher searcher, string filter )  
  47: {  
  48: string filterEx = filter + " Random Garbage";  
  49: searcher.Filter = filterEx;  
  50: }  
  51:  
  52: //Xpath injection vulnerability 
  53: protected void Button6_Click(object sender, EventArgs e)  
  54: {  
  55: XmlDocument doc = new XmlDocument();  
  56: XmlNode node = doc.CreateElement("Settings");  
  57: node.SelectSingleNode(TextBox4.Text);  
  58: }  
  59:  
  60: //SQL injection vulnerability 
  61: string connString = System.Configuration.ConfigurationManager.AppSettings.Get("connString");  
  62: SqlConnection myConnection = new SqlConnection(connString); 
  63:  
  64: //1 SQL Injection vulnerability exists here 
  65: SqlCommand myNaiveCommand = new SqlCommand("SELECT COUNT(*) FROM Users WHERE UserName='" + txbUsername.Text + "' AND Password='" + txbPassword + "'");  
  66:  
  67: //Redirection to user controlled site 
  68: string x = TextBox3.Text;  
  69: Response.Redirect(x); //1 Redirect vulnerabilty exists here 
  70:  
  71: //XSS vulnerability 
  72: string userName = txbUsername.Text;

The above code snippet has all the security flaws, you can use CAT.NET to identify them.

Steps to run CAT.NET at command prompt:

  1. Launch command prompt

  2. Go to C:\Program Files\Microsoft\CAT.NET>

  3. You can run CAT.NET at command prompt as simple as

    1. C:\Program Files\Microsoft\CAT.NET> CATNetCmd /file:”c:\MyApplicationFoo.dll”

  4. It generates MicrosoftACECodeAnalysisReport.xml report, which shows all the vulnerabilities detected. You can open it in CAT.NET UI

  5. It also generates xlst transformed “report.html” and is stored at C:\Program Files\Microsoft\CAT.NET, you can open it in Internet Explorer

    All Command-line options:

    /file:<target>
    The path of an assembly file to analyze.  Multiple targets can be specified through separated /file: parameters.  The '*' wildcard is supported in file names.
    This is a required parameter.

    /search:<directory>
    Directory to be searched for assemblies that targets depend on.

    /rule:<file/directory>
    The path to a file or directory that contains analysis rule(s).  The engine will use the default rules included with the product by default.

    /ruleid:<[+|-]rule identifier>
    A comma separated list of rules to be explicitly enabled or disabled.  By default, all rules are enabled.  To disable a rule, prefix the rule identifier with '-'.  To
    enable a rule, prefix the rule identifier with '+'.

    /report:<file>
    The file to store the analysis report in.  By default, the report will be saved in 'MicrosoftACECodeAnalysisReport.xml' in the current working directory.

    /reportxsl:<file>
    The XSL file to use to transform the report.  By default, the packaged XSL transform included in the product will be used.

    /reportxsloutput:<file>
    The output file to store the XSLT transform output in.  By default, the HTML report will be saved in 'report.html' in the current working directory.

    /config:<file>
    The path to the configuration XML file that should be used by the analysis engine.

    /verbose:<Warn|Info|Debug>
    The verbosity level to use when displaying results.

    /dfgraph:<file>
    The path to store the GraphML version of the data flow graph in.

    /types:<comma separated list of types to limit analysis to>
    Restricts analysis to the specified types or methods.  These types can be partial class or method names.  The method names should not include signatures.

    /profile
    Enable profiling of the analysis process to collect more detailed information about how the engine is performing.  The profiling information will be saved in 'profile.xml'.

    /disablevectors:<comma separated list of vectors>
    Disables one or more data source vectors.  By default, no vectors are disabled.
    Supported vectors:
      CommandLine, Network, File, StreamInput, WebRequest, Exception, Database and WebServiceMethod.

    /suppressions:<file>
    Load suppression information from the specified XML file.

    /depends
    Show dependency information for the specified targets.

    /restrict:[uniquesrc,uniquesink]
    Restricts results to unique sources, unique sinks, or both unique sources and unique sinks.

You can refer to more articles on CAT.NET here

-Syed Aslam Basha ( syedab@microsoft.com )

Microsoft Information Security Tools (IST) Team

Test Lead

---------------------------------------------------------

Please leave a comment if the blog post has helped you.