Revealing the Secrets: Source Code Disclosure, Techniques, and Impacts


Presentation Transcript


  1. Revealing the Secrets: Source Code Disclosure, Techniques, and Impacts

  2. I am… • Anant Kochhar, Senior Information Security Consultant with SecurEyes • Project Manager and Researcher • Malware Detection Techniques and • Real World Cracker Techniques

  3. Unique Insecurities… • Each developer is unique • Each application is unique • Each application is uniquely insecure. • Each developer is uniquely insecure.

  4. Source Code Disclosure Types • Accidental Code Disclosure • Backup and Misc. Files • The Dirty Download Page

  5. Accidental Disclosure • Part of the source code is available in the HTML source code. • When dynamic pages are turned into static pages: like from ‘.asp’ to ‘.html’ • Coders don’t remove the ASP code before publishing the HTML page. • Why? Because IE is very forgiving.

  6. Google: looking in a domain which claims to have ALL ‘audited’ sites: “mdb” “server.createobject” OR “server.mappath” site:???.??

  7. In IE

  8. In Mozilla Firefox

  9. Voila…

  10. How to avoid it… • Don’t be careless. • Go through the HTML source code of every page before it is published online. • Use both IE and Firefox to test a page.
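Slide 10’s advice (read the HTML source of every page before it goes live) can be automated. The scanner below is an added example, not from the talk: it flags ASP/PHP server tags and the same ADO markers the Google query on slide 6 looks for, inside a constructed sample page converted from ‘.asp’ to ‘.html’.

```python
import re

# Markers that mean server-side code was left in a page served as static HTML.
# Pattern list is constructed for this example; extend it for your own stack.
SERVER_CODE_PATTERNS = [
    ("asp-tag", re.compile(r"<%.*?%>", re.DOTALL)),
    ("php-tag", re.compile(r"<\?(?:php\b|=).*?\?>", re.DOTALL)),
    ("asp-object", re.compile(r"server\.(?:createobject|mappath)", re.IGNORECASE)),
    ("access-db", re.compile(r"\.mdb\b", re.IGNORECASE)),
]


def find_leftover_server_code(html):
    """Return (kind, line_number, snippet) for each server-side fragment found,
    ordered by line number. An empty list means the page looks clean."""
    findings = []
    for kind, pattern in SERVER_CODE_PATTERNS:
        for m in pattern.finditer(html):
            line_no = html.count("\n", 0, m.start()) + 1
            snippet = m.group(0).replace("\n", " ")[:60]
            findings.append((kind, line_no, snippet))
    return sorted(findings, key=lambda f: f[1])


# Constructed sample: an ASP page renamed to .html with the ASP block still inside.
SAMPLE_PAGE = """<html><body>
<h1>Members</h1>
<% Set conn = Server.CreateObject("ADODB.Connection")
   conn.Open "DBQ=" & Server.MapPath("data/members.mdb") %>
<p>Welcome</p>
</body></html>
"""

if __name__ == "__main__":
    for kind, line, snippet in find_leftover_server_code(SAMPLE_PAGE):
        print(f"line {line}: {kind}: {snippet}")
```

Run it over the published HTML tree (not the source tree) in a pre-publish step; a browser that hides the `<% %>` block, as slide 5 notes for IE, does not mean the database path is not in the response.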

  11. Backup and Misc. Files • Source Codes stored in readable formats. • Coders save backup files in the website’s hosting folders. • Zipped files, ‘.bak’ extensions etc. • Coders often use bad extensions- like ‘.inc’- for ‘included’ configuration files.

  12. How to discover… • Directory Listings. • Disclosure in HTML Source (Rare) • Other non-standard techniques.

  13. Google-The same secured domain “zip” “parent directory” site:???.??

  14. Directory Listing Enabled- All ‘internal pages’ visible

  15. Interesting Folder: Election_asp. Interesting File: Database Connection

  16. Backup File of Election_asp: Election_asp.zip

  17. All ASP Files…including Database Connection File

  18. Database username and password in the database connection file

  19. How to avoid it… • Disable Directory Listing • Don’t use the Hosting space as a storage space. • Name all ‘.inc’ files as ‘.inc.php’ or ‘.inc.asp’ files to make them inaccessible.

  20. The Dirty Download Page • Better known as ‘Insecure Direct Object Ref.’ • Paper in December 2007: http://secureyes.net/downloads/Source_Code_Disclosure_over_HTTP.pdf • Many white hats have contacted me regarding it. • Translated into Spanish- which is flattering and scary • Not the target audience.

  21. The Comment… “look on the internet for such pages…”

  22. How An Engine Works (diagram): the user’s browser requests URL /user_login.php; the server finds User_login.php in the application root folder, the PHP engine processes it, and only the HTML part of User_login.php is returned to the user’s browser.

  23. The site’s root folder

  24. http://www.vulnerable123.com/1.doc

  25. Internal Affairs… (diagram): the user’s browser requests URL /1.doc; the server finds 1.doc in the application root folder and returns it to the user’s browser directly, without the PHP engine touching it.

  26. The Other Method… Stream the static content files through a dynamic page: • Filename passed as a parameter to the dynamic page- hereby called the ‘download’ page. • The download page looks for the file in the hosting folder • And upon finding it, streams it to the user’s browser.

  27. http://www.vulnerable123.com/download_file.php?filename=1.doc

  28. Internal Affairs 2 (diagram): the user’s browser requests URL /download_file.php?filename=1.doc; the PHP engine processes Download_file.php, which reads 1.doc from the application root folder and streams it to the user’s browser.

  29. The Exploit… Change the filename parameter’s value to login_user.php: • Will it be processed by the engine before being streamed? • Not! The engine does not double-process a single request! It will simply stream the source code file ‘login_user.php’!

  30. http://www.vulnerable123.com/download_file.php?filename=user_login.php

  31. Internal Affairs 3 (diagram): the user’s browser requests URL /download_file.php?filename=user_login.php; the PHP engine processes Download_file.php, which reads User_login.php from the application root folder and streams the user_login.php source code file to the user’s browser unprocessed.

  32. Google A URL which contains: • A Dynamic Page extension. ext:php OR ext:jsp OR ext:asp OR ext:aspx • A Static File extension in the URL (somewhere): inurl:doc OR inurl:pdf OR inurl:xls OR inurl:txt OR inurl:ppt OR inurl:htm

  33. Pattern (contd.) Combining: inurl:doc OR inurl:pdf OR inurl:xls OR inurl:txt OR inurl:ppt ext:php OR ext:jsp OR ext:asp OR ext:aspx

  34. Google Result Page Lots of false positives

  35. Patterns (contd.) Search can be restricted to a site or a domain: site:vulnerable123.com. Finding the Dirty Download Page in www.vulnerable123.com: inurl:doc OR inurl:pdf OR inurl:xls OR inurl:txt OR inurl:ppt ext:php OR ext:jsp OR ext:asp OR ext:aspx site:vulnerable123.com

  36. Voila…

  37. Unique Case of Java Sites- Directory Listing through the download page

  38. Recommended Resolutions • Indirectly refer internal objects. • For example, index the downloadable files, and pass index numbers instead of file names. • File Extensions Validations can be bypassed: Null Byte Injection
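Slide 38’s two points side by side, as an added example (not code from the talk or from SecurEyes): an extension check of the kind the slide says null byte injection defeats, next to a download lookup that takes an index number instead of a filename. `DOWNLOAD_INDEX` and the web root path are constructed values.

```python
import posixpath

# Constructed allowlist: the download page owns the id -> file mapping, so the
# client never names a file (slide 38: "pass index numbers instead of file names").
DOWNLOAD_INDEX = {
    1: "public/1.doc",
    2: "public/report.pdf",
}


def naive_extension_check(filename):
    """The check slide 38 warns about: it only looks at the tail of the string.
    A name ending in a NUL byte plus '.doc' passes here, while C-backed file
    APIs of that era stop reading the name at the NUL, so the wrong file opens."""
    return filename.lower().endswith((".doc", ".pdf", ".xls", ".txt", ".ppt"))


def resolve_download(file_id, web_root="/var/www/app"):
    """Hardened lookup: map an integer id to a fixed path and return the absolute
    path to stream, or None for anything not in the index. Client input is only
    ever used as a dictionary key, never as part of a path."""
    try:
        key = int(file_id)
    except (TypeError, ValueError):
        return None
    rel = DOWNLOAD_INDEX.get(key)
    if rel is None:
        return None
    full = posixpath.normpath(posixpath.join(web_root, rel))
    # Defence in depth: even an index entry must resolve under the public folder,
    # so a mistaken mapping cannot reach application source files.
    public_dir = posixpath.join(web_root, "public")
    if posixpath.commonpath([full, public_dir]) != public_dir:
        return None
    return full


if __name__ == "__main__":
    print(naive_extension_check("user_login.php"))           # False, as intended
    print(naive_extension_check("user_login.php\x00.doc"))   # True: the bypass
    print(resolve_download("1"))       # /var/www/app/public/1.doc
    print(resolve_download("user_login.php"))                # None
```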

  39. Contact me: anant.kochhar[at]secureyes[dot]net Thank you
