Application Security - Science or Quality Assurance? Nazar Tymoshyk Ph.D, Security Consultant, R&D at SoftServe
Famous Security Professionals Richard Stallman Linus Torvalds Tsutomu Shimomura Robert Morris Stephen Wozniak
Famous “Security Professionals” Adrian Lamo Kevin Mitnick Kevin Poulsen Jonathan James Gary McKinnon
So you know where to move ;) Security is also a metric of software quality. “The simple truth is that catching security holes earlier costs an organization less to remediate, which makes good business sense.”
QA Engineer vs. Security Analyst. In functional and performance testing, the expected results are documented before the test begins, and the quality assurance team looks at how well the expected results match the actual results. In security testing, the quality assurance team is concerned only with unexpected results and with testing for the unknown.
Weapons: Passion, Tools, Persistence, Guides, Research, Checklists
Collaboration and Team Work. “IT security and quality assurance working together are exponentially more powerful. The result will be a more security-oriented QA department and a more quality-oriented IT security department, which will help remove more risk and provide better continuity.”
OWASP: SAMM, WAF, Development Guide, Testing Guide, ASVS
Testing security with tools: Core Impact, Burp, Acunetix WVS, w3af, HP WebInspect, OWASP ZAP, OWASP Mantra, IBM Rational AppScan
DEMO: Let’s test a small web site with commercial and free tools.
Applying a scientific approach. Get the tools from: http://goo.gl/eHl2u Targets: http://192.168.195.34 http://192.168.195.80
Smashing the app. Remote code execution is one of the most dangerous vulnerabilities in web apps. How the goal is reached:
• Uploading scripts to the server
• Remote File Inclusion (RFI)
• Local File Inclusion (LFI)
Unrestricted file upload. A file upload vulnerability allows a remote attacker to upload files/scripts with special content or an arbitrary extension to the server. The vulnerability exists because the file extension check is implemented incorrectly. Incorrect methods of validating an uploaded file's extension:
• Validating the MIME type of the uploaded file instead of the file extension
• Black-list extension validation
• Other errors…
An insecure web-server/application-server configuration also plays an important role.
Changing the MIME type. Validation sample:
<?php
$imageTypes = array("image/gif", "image/jpg", "image/png");
if(isset($_FILES["image"])) {
    // Trusts the Content-Type the client declared for the upload
    if(!in_array($_FILES["image"]["type"], $imageTypes)) {
        die("Hacking Attempt!");
    }
    copy($_FILES["image"]["tmp_name"], "images/{$_FILES["image"]["name"]}");
}
?>
Problem: it’s easy to change the type of the file, because it is set by the browser in the HTTP request, and every variable that is set by the browser can be changed by the user.
Content validation. Black list: the wrong way
<?php
if(isset($_FILES["image"])) {
    // Rejects only the extensions on the list; anything else is copied as-is
    if(preg_match('#\.((php)|(php3)|(php4)|(php5))$#i', $_FILES["image"]["name"])) {
        die("Hacking Attempt!");
    }
    copy($_FILES["image"]["tmp_name"], "images/{$_FILES["image"]["name"]}");
}
?>
Regular expressions
<?php
if(isset($_FILES["image"])) {
    // Looks for ".jpg" anywhere in the name, not only at the end
    if(preg_match('#\.jpg#i', $_FILES["image"]["name"])) {
        copy($_FILES["image"]["tmp_name"], "images/{$_FILES["image"]["name"]}");
    }
}
?>
In this sample the name of the uploaded file is checked for the string .jpg. But the regular expression is missing the control symbol $ that indicates the end of the line. As a result, the file shell.jpg.php will be uploaded successfully.
The right way: white-list validation
<?php
if(isset($_FILES["image"])) {
    // The whole name must be [a-z0-9-_]+ followed by exactly one allowed extension
    if(preg_match('#^[a-z0-9-_]+\.((jpg)|(png)|(bmp))$#i', $_FILES["image"]["name"])) {
        move_uploaded_file($_FILES["image"]["tmp_name"], "images/{$_FILES["image"]["name"]}");
    }
}
?>
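The four upload checks from the slides above, re-implemented in Python so their behaviour can be compared side by side on one set of filenames (an added example, not code from the original presentation; the sample uploads and their Content-Type values are constructed):

```python
import re

# Constructed sample uploads: (filename, client-supplied Content-Type).
# The type comes from the browser, so whoever sends the request chooses it.
SAMPLE_UPLOADS = [
    ("photo.jpg", "image/jpg"),
    ("shell.php", "image/png"),       # declared type forged, real extension .php
    ("shell.jpg.php", "image/jpg"),   # double extension ending in .php
    ("shell.phtml", "image/gif"),     # extension absent from the black list
    ("../evil.jpg", "image/jpg"),     # path characters in the name
]

def mime_type_check(name, client_type):
    """Mirrors the MIME-type slide: trusts $_FILES["image"]["type"]."""
    return client_type in ("image/gif", "image/jpg", "image/png")

def blacklist_check(name, client_type):
    """Mirrors the black-list slide: rejects only five PHP extensions."""
    return re.search(r"\.((php)|(php3)|(php4)|(php5))$", name, re.I) is None

def unanchored_check(name, client_type):
    """Mirrors the '.jpg' slide: no '$' anchor, so '.jpg' anywhere passes."""
    return re.search(r"\.jpg", name, re.I) is not None

def whitelist_check(name, client_type):
    """Mirrors the 'right way' slide: whole name is [a-z0-9-_]+ plus one allowed extension."""
    return re.fullmatch(r"[a-z0-9_-]+\.((jpg)|(png)|(bmp))", name, re.I) is not None

CHECKS = {
    "mime_type": mime_type_check,
    "blacklist": blacklist_check,
    "unanchored": unanchored_check,
    "whitelist": whitelist_check,
}

def accepted_by(check_name):
    """Filenames from SAMPLE_UPLOADS that the named check would let through."""
    check = CHECKS[check_name]
    return [name for name, ctype in SAMPLE_UPLOADS if check(name, ctype)]

if __name__ == "__main__":
    for check_name in CHECKS:
        print(f"{check_name:>10}: accepts {accepted_by(check_name)}")
```

Only the white list stops every constructed name other than photo.jpg; each of the other three checks lets at least one script-bearing or path-bearing name through.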
Local File Inclusion. Local File Inclusion allows including local files on the remote server and executing arbitrary code. Reason: incorrect validation of the included file name, or a vulnerable server configuration. Successful LFI exploitation has three main tasks:
• Removing the postfix
• Directory traversal
• Finding files for code injection
Directory Traversal. Filtering can prevent directory traversal, and very often developers filter ../ like this:
<?php
// Removes "../" in a single pass, then appends the postfix
include(str_replace("../", "", $_GET["page"]).".inc");
?>
../../../etc/passwd --> filter --> etc/passwd --> fail
But such filtering is not enough, because it is not recursive:
..././..././..././etc/passwd --> filter --> ../../../etc/passwd --> profit
Secure Validation. Secure validation means checking the filename for service symbols:
<?php
$page = $_GET["page"];
// Any character outside A-Z, a-z, 0-9, "-" and "_" aborts the request
if(preg_match('#[^a-z0-9-_]#i', $page)) {
    die("Hacking Attempt!");
}
include("{$page}.inc");
?>
In this sample, if we try to include a file whose name contains symbols other than A-Z, a-z, 0-9 and the symbols «-» and «_», execution of the PHP script is interrupted.
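The three ways of handling the page parameter from the last two slides (single-pass stripping, stripping repeated until stable, and the white-list check), re-implemented in Python and run over constructed page values so the resulting include path can be compared (an added example, not code from the original presentation; the sample page values are constructed):

```python
import re

# Constructed page parameters as a normal user or an attacker might send them.
SAMPLE_PAGES = [
    "about",
    "contact-us_2",
    "../../../etc/passwd",            # plain traversal
    "..././..././..././etc/passwd",   # traversal that survives one replace pass
]

def strip_once(page):
    """Mirrors str_replace("../", "", $page): a single, non-recursive pass."""
    return page.replace("../", "")

def strip_until_stable(page):
    """Repeats the replacement until nothing changes, so removed pieces cannot re-form '../'."""
    while True:
        stripped = page.replace("../", "")
        if stripped == page:
            return page
        page = stripped

def is_safe_page_name(page):
    """Mirrors the 'Secure Validation' slide: any symbol outside [a-z0-9-_] refuses the request."""
    return re.search(r"[^a-z0-9_-]", page, re.I) is None

def resolve_include(page, strategy):
    """Path that include() would receive under a strategy, or None if the request is refused."""
    if strategy == "strip_once":
        return strip_once(page) + ".inc"
    if strategy == "strip_until_stable":
        return strip_until_stable(page) + ".inc"
    if strategy == "whitelist":
        return page + ".inc" if is_safe_page_name(page) else None
    raise ValueError(f"unknown strategy: {strategy}")

if __name__ == "__main__":
    for page in SAMPLE_PAGES:
        for strategy in ("strip_once", "strip_until_stable", "whitelist"):
            print(f"{strategy:>18} {page!r:>32} -> {resolve_include(page, strategy)!r}")
```

Even the stabilised stripping is still a black list that removes one pattern; the white-list check refuses any name carrying a path character outright, which is the approach the deck recommends.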
So, how to become a Security Analyst: use OWASP research, ask and share, participate in the community, Samurai WTF, talk on Security Hole
Feedback & Questions. Contact Nazar: skype: root_nt email: root.nt@gmail.com Presentation & Files: http://goo.gl/eHl2u Leave your feedback: http://goo.gl/FW4ar Join OWASP Lviv: https://www.owasp.org/index.php/Lviv