This Twitter exchange got me to look at IDEA. Below are a few tips and config files that can get you started with using IDEA for manual audits. IMHO the results will be close to what you get from a commercial code scanner, albeit slightly slower :)
IntelliJ features useful for code auditing
- "Analyze" -> "Data flow to here" or "Data flow from here" https://www.jetbrains.com/idea/webhelp/analyzing-data-flow.html
- "Analyze" -> "Inspect code" (next section below)
- All kinds of source navigation - to definition, to usages etc. Shortcuts below.
Custom code inspections
One of the good starting points for the basic concepts of code audits is Chapter 19 of "Web Application Hacker's Handbook", 2nd ed. You obviously have to have a clue what this security thing is all about; this post is not an audit tutorial.
I've created some custom inspections for IDEA, as its original "Security" set is quite arbitrary and, if it targets anything, it is applets, not web apps. My inspection policies are based on the WAHH2E book and are geared towards identifying user input, dodgy file operations and so on.
Installing the inspection policies
Open Options / Inspections. Import the policy you want to use (the full policy may produce a lot of results on very large projects, e.g. full Confluence produces about 2000 results, so I made partial policies as well), then check "Share Profile", or you won't be able to use this policy.
[Screenshot: Configuring custom code inspections in IDEA]
TIP: For some silly reason, every time you switch between audit policies you need to "touch" one of the templates: modify something (like adding and deleting a space), save and close. Without it IntelliJ ignores the policy or sticks to the previously used one, and you will have no findings. I am not sure why this is happening; it could be the result of my chopping XML files in a text editor instead of clicking in the GUI for an hour...
Templates will find points in code that are interesting for a security auditor: HTTP parameters, file access, sessions, SQL queries, etc. Then you can use data flow analysis (point 1 in the list above) or simply navigate through the source (shortcuts below).
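As an added illustration (not one of the policy files from this post), this is the shape of a minimal importable inspection profile with three Structural Search templates covering the sink classes mentioned above: HTTP request input, file access and SQL execution. The profile layout and the constraint attribute names (`nameOfExprType`, `regexp`, `minCount`/`maxCount`, `exprTypeWithinHierarchy`) are assumed from profiles exported by IDEA itself and may differ between IDEA versions, so compare against a profile your own installation exports before relying on it.

```xml
<!-- Constructed example of an IDEA inspection profile for Options / Inspections -> Import.
     Every searchConfiguration is one Structural Search template; $name$ tokens are
     template variables, and each constraint narrows what a variable may match. -->
<component name="InspectionProjectProfileManager">
  <profile version="1.0">
    <option name="myName" value="Audit - user input and dangerous sinks" />
    <inspection_tool class="SSBasedInspection" enabled="true" level="WARNING" enabled_by_default="true">

      <!-- 1. Where user input enters: any HttpServletRequest getter that returns client data. -->
      <searchConfiguration name="Audit: HTTP request input" text="$req$.$getter$($args$)"
                           recursive="false" caseInsensitive="false" type="JAVA">
        <constraint name="req" nameOfExprType="javax\.servlet\.http\.HttpServletRequest"
                    exprTypeWithinHierarchy="true" within="" contains="" />
        <constraint name="getter" regexp="getParameter|getParameterValues|getParameterMap|getHeader|getCookies|getQueryString"
                    within="" contains="" />
        <constraint name="args" minCount="0" maxCount="2147483647" within="" contains="" />
      </searchConfiguration>

      <!-- 2. File access built from a path expression: candidate path-traversal sinks. -->
      <searchConfiguration name="Audit: file access" text="new $Type$($path$)"
                           recursive="false" caseInsensitive="false" type="JAVA">
        <constraint name="Type" regexp="File|FileInputStream|FileOutputStream|FileReader|FileWriter|RandomAccessFile"
                    within="" contains="" />
        <constraint name="path" minCount="1" maxCount="2147483647" within="" contains="" />
      </searchConfiguration>

      <!-- 3. SQL executed on a Statement: the argument is worth a "Data flow to here" check
           to see whether it was concatenated from request input found by template 1. -->
      <searchConfiguration name="Audit: SQL execution" text="$stmt$.$exec$($sql$)"
                           recursive="false" caseInsensitive="false" type="JAVA">
        <constraint name="stmt" nameOfExprType="java\.sql\.Statement"
                    exprTypeWithinHierarchy="true" within="" contains="" />
        <constraint name="exec" regexp="execute|executeQuery|executeUpdate|addBatch" within="" contains="" />
        <constraint name="sql" minCount="1" maxCount="2147483647" within="" contains="" />
      </searchConfiguration>

    </inspection_tool>
  </profile>
</component>
```

Because `exprTypeWithinHierarchy` is set, `PreparedStatement` calls match template 3 as well; that is intentional, since a prepared statement whose SQL text was itself concatenated is just as interesting to an auditor.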
Running an analysis
Open "Analyze" / "Inspect code", select the policy, scope etc., run, and check the results. There are various ways of marking things as reviewed; see the "suppress" options in the results pane. They are the same as for any other alerts produced by the code inspection engine.
It may be useful (depending on the kind of finding) to investigate data flow to and from the found input/output point.
IntelliJ's docs for this feature, which in turn uses the very powerful Structural Search & Replace engine, are at https://www.jetbrains.com/idea/webhelp/creating-own-inspections.html
Code navigation shortcuts
Cmd + Shift + A - opens a window where you can search for GUI commands
Cmd + Alt + Left to get back, Cmd + Alt + Right to “go forward”
Cmd + B - Go to declaration
Cmd + Alt + B - Go to implementation
Cmd + U - Go to super-method/super-class
Cmd + Alt + F7 - Show usages
Cmd + N - Go to class
Cmd + P - Parameter info
Cmd + F - Find, F3/Shift + F3 - Find next/previous, Ctrl + Shift + F - Find in path
F2/Shift + F2 - Next/previous highlighted error
Cmd + E - recently used files
There is a great plugin that will teach you shortcuts quickly: Key Promoter. Any time you do something via the menus, it shows you the shortcut you could have used to achieve the same effect.
Bonus: Code Reviewing Web App Framework Based Applications