# Vulnerable AWS app

Let's hunt for vulnerabilities in an app that use AWS SDK. We begin by setting up the basics for joern lib.

In [1]:
import asyncio

from joern_lib import client, workspace
from joern_lib.detectors import common as cpg, js
from joern_lib.utils import print_table

joern_host = "http://joern:9000"
joern_username = "admin"
joern_password  = "admin"

## Clone the vulnerable app

We use the vulnerable app from [HooliCorp](https://github.com/HooliCorp/vulnerable-aws-koa-app) for this notebook. We can clone this repo using GitPython and import to Joern using the import_code method.

In [3]:
import git
import os

if not os.path.exists("/tmp/aws-koa"):
    repo = git.Repo.clone_from("https://github.com/HooliCorp/vulnerable-aws-koa-app.git", "/tmp/aws-koa", branch="main", depth=1)
else:
    print("/tmp/aws-koa already exists")

/tmp/aws-koa already exists


In [4]:
async def create_workspace():
    connection = await client.get(joern_host, joern_username, joern_password)
    res = await workspace.import_code(connection, "/tmp/aws-koa", "aws-koa");
    print (res)
asyncio.run(create_workspace())

## Identify AWS services used

To look for AWS related vulnerabilities, we need to identify the services used by this application. JavaScript detector in joern-lib includes a method called `list_aws_modules` for this purpose.

In [6]:
async def detect_aws_services():
    connection = await client.get(joern_host, joern_username, joern_password)
    res = await js.list_aws_modules(connection)
    print_table(res)
    
asyncio.run(detect_aws_services())

┏━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━┳━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━┳━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━┳━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━┳━━━━━━━━━━━━━━━━━━━━┳━━━━━━━━━━┳━━━━━━━━━━━━━━━━━┳━━━━━━━━━━━━━━━━━━━━━┳━━━━━━━━━━━━━━━━━┳━━━━━━━━┓
┃ dynamicTypeHintFullName            ┃ name                                     ┃ code                                     ┃ typeFullName                                           ┃       columnNumber ┃    order ┃ _label          ┃       argumentIndex ┃      lineNumber ┃     id ┃
┡━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━╇━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━╇━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━╇━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━╇━━━━━━━━━━━━━━━━━━━━╇━━━━━━━━━━╇━━━━━━━━━━━━━━━━━╇━━━━━━━━━━━━━━━━━━━━━╇━━━━━━━━━━━━━━━━━╇━━━━━━━━┩
│                                    │ EC2Client                                │ EC2Client                                │ <export>::@aws-sdk/client-ec2.js

## Insecure Authentication

We can see the use of few services such as EC2, S3 but how is the application authenticating with these services? As per [AWS](https://docs.aws.amazon.com/sdk-for-javascript/v2/developer-guide/setting-credentials.html), applications should not hardcode the credentials so let's begin our search here. In the below snippet, we look for the pattern `new Credentials()`.

In [8]:
async def safe_credentials_use():
    connection = await client.get(joern_host, joern_username, joern_password)
    await client.p(connection, """cpg.call.name("<operator>.new").code(".*Credentials.*").argument.order(3)""", title="AWS Credentials")
asyncio.run(safe_credentials_use())

                                                                                                                                    AWS Credentials                                                                                                                                     
┏━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━┳━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━┳━━━━━━━━━━━━━━━━━━━━━━━━━━━┳━━━━━━━━━━━━━━━━━━━━━━━━━━━┳━━━━━━━━━━━━━━┳━━━━━━━━━━━━━━━━┳━━━━━━━━━━━━━━━━━━━━━━━━━━━━┳━━━━━━━━━━━━━━━━━━━━━━┳━━━━━━━━━━━┓
┃ dynamicTypeHintFullName                        ┃ code                                                                        ┃ typeFullName              ┃              columnNumber ┃        order ┃ _label         ┃              argumentIndex ┃           lineNumber ┃        id ┃
┡━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━╇━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━╇━━━━━━━━━━━━━━━━━━━━━━━━━━━╇━

From the table, we can see several hardcoded credentials in use in this application. The snippet conveniently shows the use of `p` or `print` method which accepts native CPGQL query and displays the query result as a table.

## Attacker controlled input

Next up is to determine whether any external attacker controlled input is used directly to interact with AWS services without validation or sanitization. For this we need to know some sources (or entrypoints) and sinks (or exitpoints) in the application. We can use the library method `get_http_sources` for this purpose.

In [11]:
async def find_sources():
    connection = await client.get(joern_host, joern_username, joern_password)
    sources = await js.get_http_sources(connection)
    print (len(sources))
asyncio.run(find_sources())

63


For the sinks, we need a generic pattern for AWS sdk. The pattern `.*(send|upload|create|get|delete|list).*` should suffice for our use case.

In [13]:
async def find_reachable_flows():
    connection = await client.get(joern_host, joern_username, joern_password)
    await client.flows(connection, 'def source=cpg.call.name(Operators.assignment).code(".*ctx\\.request.*").argument.isIdentifier', 'def sink=cpg.call.code(".*(send|get|create|upload|delete|execute).*").argument.isIdentifier')
asyncio.run(find_reachable_flows())

______________________________________________________________________________
| nodeType   | tracked              | lineNumber| method     | file           |
| Identifier | _tmp_10 = ctx.req... | 48        | anonymous2 | src/storage.ts |
| Call       | userId = _tmp_10.... | 48        | anonymous2 | src/storage.ts |
| Identifier | userId = _tmp_10.... | 48        | anonymous2 | src/storage.ts |
| Identifier | __Runtime.TO_STRI... | 49        | anonymous2 | src/storage.ts |
| Call       | userId + "-picture"  | 60        | anonymous2 | src/storage.ts |
| Call       | _tmp_15.Key = use... | 60        | anonymous2 | src/storage.ts |
| Block      | _tmp_15              | 58        | anonymous2 | src/storage.ts |
| Identifier | s3client.deleteOb... | 58        | anonymous2 | src/storage.ts |
| Call       | s3client.deleteOb... | 58        | anonymous2 | src/storage.ts |
| Identifier | const deleteRespo... | 58        | anonymous2 | src/storage.ts |
| Identifier | ctx.response.body... | 63 

## Closing Thoughts

This notebook demonstrated the mixed use of built-in library methods and native query methods to interactively identify vulnerabilities in this AWS application.