SlideShare ist ein Scribd-Unternehmen logo

PHP Code Audit - OSCON 2009

Philippe Gamache
Philippe Gamache

In this laboratory, we will carry out a safety audit of an Open Source web application. The technical objective is to provide a complete report and treat all phases of investigative work: black box analysis, open source analysis, identifying vulnerabilities (XSS, injections, disclosure, etc.), recommendations for strengthening, and prioritization of tasks. All skills will be tested in this complex exercise. We will work on a real application: (The name of the application will come later). The laboratory will end with the handing over of the report to the authors of the application so they can have an outside view on the safety of the application.

Technologie
1 von 82
Downloaden Sie, um offline zu lesen
PHP code audits OSCON 2009 San José, CA, USA July 21th 2009 vendredi 13 novembre 2009 1
Agenda Workshop presentation Black box audit Source code audit vendredi 13 novembre 2009 2
Who speaks? Philippe Gamache Parler Haut, Interagir Librement : Web development, security audit, training info@ph-il.ca @SecureSymfony vendredi 13 novembre 2009 3
Who speaks? Damien Seguy Alter Way Consulting : Open sources expert services Father of the Elephpant Calendar maker damien.seguy@alterway.fr vendredi 13 novembre 2009 4
Security Book New 2009 edition Comprehensive review of security system for MySQL, PHP, etc. Published in French Planning translation vendredi 13 novembre 2009 5
The application http://www.cligraphcrm.com/ vendredi 13 novembre 2009 6
Full audit synopsis Identification of the audit goals Interview with the dev teams Black box testing Open Code audit Report vendredi 13 novembre 2009 7
Yes, we take questions vendredi 13 novembre 2009 8
Black box testing 9 vendredi 13 novembre 2009 9
Black box testing What is black box testing? Finding information What can I do with this application? Where are the most popular entry points? 10 vendredi 13 novembre 2009 10
Black box testing Look for vulnerabilities Use different tools and technics Automatic scanners By hand Fuzzing tools Scenarios How do I use to my advantage? 11 vendredi 13 novembre 2009 11
Black box testing Strike Attacking a vulnerability with a specific purpose 12 vendredi 13 novembre 2009 12
Find Information Look at the application web site Features 13 vendredi 13 novembre 2009 13
Find Information Look at the application web site Technology 14 vendredi 13 novembre 2009 14
Find Information Look at the application web site Technology 15 vendredi 13 novembre 2009 15
Find Information Look at the application web site Technology 16 vendredi 13 novembre 2009 16
Find Information Look at the application web site Technology 17 vendredi 13 novembre 2009 17
Find Information Look at the application web site Technology 18 vendredi 13 novembre 2009 18
Where did I hear about this? vendredi 13 novembre 2009 19
Find vulnerabilities We look in Common Vulnerabilities and Exposures Also in bugtrack, xssed.com, etc... We could have look in Google, Bing, etc... No published vulnerabilities for cliGraph 20 vendredi 13 novembre 2009 20
Find Information HTTP/1.x 200 OK Date: Mon, 20 Jul 2009 17:29:25 GMT Server: Apache/2.2.3 (Debian) PHP/5.2.0-8+etch11 mod_ssl/2.2.3 OpenSSL/0.9.8c X-Powered-By: PHP/5.2.0-8+etch11 Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0 Pragma: no-cache Content-Length: 586 HTTP headers Content-Type: text/html; charset=UTF-8 X-Cache: MISS from Colossus Connection: close curl, wget, Firefox Rex Swain's HTTP Viewer 21 vendredi 13 novembre 2009 21
Typical files Usual directories includes, include, inc, com, classes, lib, library admin, adm, administrator, tmp, TMP, ext, var data, db, conf, config uploads, install, 22 vendredi 13 novembre 2009 22
Typical files .phps, .inc, .class, xml, ini, yaml, cfg Apache Alias : /icons/ robots.txt vendredi 13 novembre 2009 23
Security dilema robots.txt User-agent: * Disallow: /administrator/ Disallow: /cache/ Disallow: /components/ Disallow: /images/ Disallow: /includes/ Disallow: /installation/ Disallow: /language/ Disallow: /libraries/ Disallow: /media/ Disallow: /modules/ Disallow: /plugins/ Disallow: /templates/ Disallow: /tmp/ Disallow: /xmlrpc/ 24 vendredi 13 novembre 2009 24
External testing Get the list of the scripts (find .) Turn that into URLs Fetch them directly on the web site Study what’s coming back Maybe you gonna need to install it yourself vendredi 13 novembre 2009 25
Typical files https 404 and 5xx pages Blank page Bad code without error posting 26 vendredi 13 novembre 2009 26
Automatic scanners Nikto http://www.cirt.net/ 27 vendredi 13 novembre 2009 27
Find vulnerabilities What to look for ? XSS CSRF Injections Files overwrite 28 vendredi 13 novembre 2009 28
Automatic scanners Web Application Attack and Audit Framework (W3AF) http://w3af.sourceforge.net/ 29 vendredi 13 novembre 2009 29
Manual tools Firefox Access Me Firebug SQL Inject Me Web Developer XSS Me Data 30 vendredi 13 novembre 2009 30
Manual tools Arrays c[]=1 Surplus variables debug=1, task=view Missing variables 31 vendredi 13 novembre 2009 31
Manual tools action/facture_fiche.php? exp_typedoc=facture&exp_id= 2009N000196&exp_formdoc=pdf 32 vendredi 13 novembre 2009 32
Manual tools action/facture_fiche.php? exp_typedoc=facture&exp_id= 2009N000196&exp_formdoc=pdf action/facture_fiche.php? exp_typedoc=facture&exp_id=2009 N000196&exp_formdoc=fiche 32 vendredi 13 novembre 2009 32
Manual tools action/facture_fiche.php? exp_typedoc=facture&exp_id= 2009N000196&exp_formdoc=pdf action/facture_fiche.php? exp_typedoc=facture&exp_id=2009 N000196&exp_formdoc=fiche Fatal error: Cannot redeclare fct_redimension_img() (previously declared in /var/www/crm_demo/fonctions/ fonction_img.php:68) in /var/www/crm_demo/fonctions/ fonction_img.php on line 134 32 vendredi 13 novembre 2009 32
Fuzzing Test by random value Stress forms Database All characters from 0 to x255 All Unicode characters The numbers 1, 0, -1, 0.99, extreme, infinite 33 vendredi 13 novembre 2009 33
Fuzzing Strings Long Short Dictionaries of values of vulnerabilities GET, POST, COOKIE 34 vendredi 13 novembre 2009 34
Fuzzing Wfuzz http://www.edge-security.com/wfuzz.php WebSlayer http://www.edge-security.com/webslayer.php 35 vendredi 13 novembre 2009 35
Exemple Fuzzing vendredi 13 novembre 2009 36
Scenarios More realistic tests fragile Automate your tests Complete with fuzzing Use proxy servers 37 vendredi 13 novembre 2009 37
Scenarios Firefox Selenium IDE WebScarab http://www.owasp.org/index.php/ Category:OWASP_WebScarab_Project 38 vendredi 13 novembre 2009 38
Simplify your life Samurai Web Testing Framework http://samurai.inguardians.com/ vendredi 13 novembre 2009 39
Conclusion Black box Easy to set up Take into account the context of the application Often spectacular Generally shallow vendredi 13 novembre 2009 40
Open code audit vendredi 13 novembre 2009 41
Code audits Look into the PHP code Search for hidden problems Usually less spectacular than black box vendredi 13 novembre 2009 42
From the interview Check if dev teams knows that to secure Have it explains their approach Check what they say Check what they don’t say vendredi 13 novembre 2009 43
The shy version We know there are security problems but we have no time to secure them this app has been written years ago we can’t keep up with the threats vendredi 13 novembre 2009 44
The strong version We have secured the application We use SSL, and webwasher and crypto All content is validated and filtered We don’t do any dynamical include Our frameworks doesn’t allow this vendredi 13 novembre 2009 45
Approach What to search for? What are the entry points? How can they be exploited Or protected ? vendredi 13 novembre 2009 46
What to search for? Injections PHP SQL HTML system vendredi 13 novembre 2009 47
Keep focused Easy to loose focus Tempting to audit everything vendredi 13 novembre 2009 48
PHP injections PHP injections dynamical inclusion include, require and *_once back ticks eval vendredi 13 novembre 2009 49
Eval Easy to look for grep Fast, available, convenient 853 occurences Tokenizer Semantic, accurate 37 occurrences vendredi 13 novembre 2009 50
Tokenizer <?php Array [1] => print ("hello $world! "); ?> ( [6] => Array [0] => 266 ( [1] => print [0] => 309 [2] => 1 [1] => $world ) [2] => 1 ) [2] => Array ( [7] => Array [0] => 370 ( [1] => [0] => 314 [2] => 1 [1] => ! ) [2] => 1 ) [3] => ( [4] => " [8] => " [5] => Array [9] => ) ( [10] => ; [0] => 314 [1] => Array [1] => hello ( [2] => 1 [0] => PHP token ) [1] => PHP code [2] => Script line ) [2] => " vendredi 13 novembre 2009 51
Evals ◦ eval('$retour=$GLOBALS["'.$matches[1].'"];') ◦ Variable variables. ◦ eval($contenu_thjipk); ◦ eval($contents_essai); ◦ Content is read into variable, then executed : an include? ◦ eval('$hexdtime = "'.$hexdtime.'";') ◦ Long way to cast a string into a string ◦ eval('$retour2.= '.var_dump($recept->erreur).';') ◦ This doesn’t even work vendredi 13 novembre 2009 52
Assessing the code One liners One line of code is sufficiently to be bad Even though you must follow the code In reverse vendredi 13 novembre 2009 53
Inclusion ◦ require("../params_frm.php") ◦ require(fct_lien_page_custom(TYPE_DOMAINE."/".TYPE_DOC. "_custom.php","abs")) ◦ require(fct_lien_page_custom("params_footer.php","abs")) ◦ Pretty secure inclusions ◦ But 96 variables used in includes ◦ include(fct_lien_page_custom("action/facture_". $format.".php","abs")) ◦ $format, anyone? ◦ require_once("etat_simple_".$choix_page."_trt.php") ◦ $choix_page, anyone ? vendredi 13 novembre 2009 54
$format ? <?php require("../params_trt.php"); $format=htmlentities($_REQUEST['exp_formdoc']); if(empty($_REQUEST['exp_affiche'])) $affichage=0;  else $affichage=$_REQUEST['exp_affiche']; if(empty($_REQUEST['exp_stockdoc'])) $stockage=0;  else $stockage=$_REQUEST['exp_stockdoc']; $cde_id=$_REQUEST['exp_id']; $type_doc=$_REQUEST['exp_typedoc']; require(fct_lien_page_custom("fonctions/ fonction_img.php","abs")); include(fct_lien_page_custom("action/facture_". $format.".php","abs")); ?> vendredi 13 novembre 2009 55
$choix_format ?   switch($choix) {     case 0 : $choix_page="tabl";     break;     case 1 : $choix_page="histo1";  if ($gfx_sens_graph=="1") $gfx_margegauche_dft="90";     break;     case 2 : $choix_page="histo2";  if ($gfx_sens_graph=="1") $gfx_margegauche_dft="90";     break;     case 3 : $choix_page="histo3";  if ($gfx_sens_graph=="1") $gfx_margegauche_dft="90";     break;     case 4 : $choix_page="histo4";  if ($gfx_sens_graph=="1") $gfx_margegauche_dft="90";     break;     case 5 : $choix_page="histo5";  if ($gfx_sens_graph=="1") $gfx_margegauche_dft="90";     break; }    ###...Way below     require_once("etat_simple_".$choix_page."_trt.php"); vendredi 13 novembre 2009 56
Statistical audit Extract one type of information Review it out of context Use this as a starting point for more questions vendredi 13 novembre 2009 57
Comments //echo "<div><a class="texte1" style=... #echo "<pre>"; Left overs #print_r($_REQUEST); Main code is not cleaned of debug? // hack for mozilla sunbird's extra = signs Look for swearing, TODO, hack vendredi 13 novembre 2009 58
Variables 6883 different variables names All one possible one letter variable 32 chars : $cache_maxsize_UTF8StringToArray Most used : $i (2586 times) $_1904, $samedi, $dummy, $sss, 19 $unknowns 711 variables used only once in the codes vendredi 13 novembre 2009 59
Other ideas name of functions name of classes name of constants literal strings, numbers Condition (if, while) vendredi 13 novembre 2009 60
register_globals strikes back vendredi 13 novembre 2009 61
register_globals strikes back Foreach and $$ vendredi 13 novembre 2009 61
register_globals strikes back Foreach and $$ extract vendredi 13 novembre 2009 61
register_globals strikes back Foreach and $$ extract import_request_var vendredi 13 novembre 2009 61
register_globals strikes back Foreach and $$ extract import_request_var $GLOBALS vendredi 13 novembre 2009 61
register_globals strikes back Foreach and $$ extract import_request_var $GLOBALS parse_str vendredi 13 novembre 2009 61
register_globals strikes back Foreach and $$ extract import_request_var $GLOBALS parse_str register_globals (ini_get(‘register_globals’)) vendredi 13 novembre 2009 61
Found! ◦ ./install/identification.php ◦ extract($_POST)  : 1 ◦ Injection by $_POST ◦ ./eggcrm/fonctions/fonctions_gen.php ◦ $GLOBALS[$k] = $chaine[$k] ◦ $GLOBALS[$this->mode] [$k] = $chaine[$k] ◦ In the fct_urldecode, the values are stripslashed, and then injected in the $GLOBALS, resulting in variable creation vendredi 13 novembre 2009 62
SQL injections Point of entry mysql_query mysqli_real_escape_string SQL query : string with SELECT, UPDATE, ... vendredi 13 novembre 2009 63
Found! ◦ 'UPDATE param_suivi SET      param_suivi_nom="'.str_replace ($transf_sp,$transf_fr,$_POST["suivi_nom"])  : 1 ◦ Direct injection via POST ◦ WHERE campagne_nom LIKE '%".addslashes($_REQUEST['rech_nom'])  ◦ Injection from $_REQUEST ◦ "UPDATE even_spl SET even_spl_fait='". $even_fait."',even_spl_modification='".$date_du_jour."'     WHERE even_spl_id='".$even_id."' AND even_spl_affaire_id='". $even_aff_id."'";  : 1 ◦ "INSERT INTO ".$type_doc."_suivi    (". $type_doc."_suivi_param_suivi_id, ".$type_doc."_suivi_". $type_doc."_id, ".$type_doc."_suivi_canal_id,    ". $type_doc."_suivi_action, ".$type_doc."_suivi_commentaire, ". $type_doc."_suivi_creation)    VALUES ('".$id_suivi."', '". $id_doc."', '".$id_canal."', '".$suivi_date."', '".addslashes ($suivi_commentaire) vendredi 13 novembre 2009 64
And also Header injection Look for header() XSS look for Echo, or concatenation with tags Etc... vendredi 13 novembre 2009 65
Report Vulnerability Critical Load register_globals High High Injections High Medium SQL injection Medium High headers Low Low vendredi 13 novembre 2009 66
Team organization vendredi 13 novembre 2009 67
Team Work Continuous audit? Once When necessary Regularly Continuously vendredi 13 novembre 2009 68
PHP Mantra List your mantra The five most important rules you agree upon Have them printed and visible to everyone vendredi 13 novembre 2009 69
Cross audit Group developers by two Have each one review the code of the other Based on the mantra Light weight process Doesn’t have to be in the same project vendredi 13 novembre 2009 70
PHP audit tools Groogle (http://groogle.sourceforge.net) Review Board (http://www.review-board.org/) Rietveld http://codereview.appspot.com/ SmartBear (http://www.smartbear.com/) vendredi 13 novembre 2009 71
Community step up Mantra, cross audits go beyond services and departements Open this outside ? External review? New way of coding ? vendredi 13 novembre 2009 72
Thank you! Philippe Gamache : info@ph-il.ca Damien Seguy : damien.seguy@alterway.fr vendredi 13 novembre 2009 73
vendredi 13 novembre 2009 74

Empfohlen

WildFly v9 - State of the Union Session at Voxxed, Istanbul, May/9th 2015.
WildFly v9 - State of the Union Session at Voxxed, Istanbul, May/9th 2015.WildFly v9 - State of the Union Session at Voxxed, Istanbul, May/9th 2015.
WildFly v9 - State of the Union Session at Voxxed, Istanbul, May/9th 2015.Dimitris Andreadis
 
Cryptographie 101 Pour les programmeurs (PHP)
Cryptographie 101 Pour les programmeurs (PHP)Cryptographie 101 Pour les programmeurs (PHP)
Cryptographie 101 Pour les programmeurs (PHP)Philippe Gamache
 
Content-Security-Policy 2018.0
Content-Security-Policy 2018.0Content-Security-Policy 2018.0
Content-Security-Policy 2018.0Philippe Gamache
 
Mentor et votre équipe
Mentor et votre équipeMentor et votre équipe
Mentor et votre équipePhilippe Gamache
 
Multi Factor Authetification - ZendCon 2017
Multi Factor Authetification - ZendCon 2017Multi Factor Authetification - ZendCon 2017
Multi Factor Authetification - ZendCon 2017Philippe Gamache
 
Browser Serving Your We Application Security - ZendCon 2017
Browser Serving Your We Application Security - ZendCon 2017Browser Serving Your We Application Security - ZendCon 2017
Browser Serving Your We Application Security - ZendCon 2017Philippe Gamache
 
Browser Serving Your Web Application Security - Madison PHP 2017
Browser Serving Your Web Application Security - Madison PHP 2017Browser Serving Your Web Application Security - Madison PHP 2017
Browser Serving Your Web Application Security - Madison PHP 2017Philippe Gamache
 
OWASP Top 10 Proactive Controls 2016 - NorthEast PHP 2017
OWASP Top 10 Proactive Controls 2016 - NorthEast PHP 2017 OWASP Top 10 Proactive Controls 2016 - NorthEast PHP 2017
OWASP Top 10 Proactive Controls 2016 - NorthEast PHP 2017 Philippe Gamache
 

Empfohlen

WildFly v9 - State of the Union Session at Voxxed, Istanbul, May/9th 2015.
WildFly v9 - State of the Union Session at Voxxed, Istanbul, May/9th 2015.WildFly v9 - State of the Union Session at Voxxed, Istanbul, May/9th 2015.
WildFly v9 - State of the Union Session at Voxxed, Istanbul, May/9th 2015.Dimitris Andreadis
 
Cryptographie 101 Pour les programmeurs (PHP)
Cryptographie 101 Pour les programmeurs (PHP)Cryptographie 101 Pour les programmeurs (PHP)
Cryptographie 101 Pour les programmeurs (PHP)Philippe Gamache
 
Content-Security-Policy 2018.0
Content-Security-Policy 2018.0Content-Security-Policy 2018.0
Content-Security-Policy 2018.0Philippe Gamache
 
Mentor et votre équipe
Mentor et votre équipeMentor et votre équipe
Mentor et votre équipePhilippe Gamache
 
Multi Factor Authetification - ZendCon 2017
Multi Factor Authetification - ZendCon 2017Multi Factor Authetification - ZendCon 2017
Multi Factor Authetification - ZendCon 2017Philippe Gamache
 
Browser Serving Your We Application Security - ZendCon 2017
Browser Serving Your We Application Security - ZendCon 2017Browser Serving Your We Application Security - ZendCon 2017
Browser Serving Your We Application Security - ZendCon 2017Philippe Gamache
 
Browser Serving Your Web Application Security - Madison PHP 2017
Browser Serving Your Web Application Security - Madison PHP 2017Browser Serving Your Web Application Security - Madison PHP 2017
Browser Serving Your Web Application Security - Madison PHP 2017Philippe Gamache
 
OWASP Top 10 Proactive Controls 2016 - NorthEast PHP 2017
OWASP Top 10 Proactive Controls 2016 - NorthEast PHP 2017 OWASP Top 10 Proactive Controls 2016 - NorthEast PHP 2017
OWASP Top 10 Proactive Controls 2016 - NorthEast PHP 2017 Philippe Gamache
 
Browser Serving Your Web Application Security - NorthEast PHP 2017
Browser Serving Your Web Application Security - NorthEast PHP 2017Browser Serving Your Web Application Security - NorthEast PHP 2017
Browser Serving Your Web Application Security - NorthEast PHP 2017Philippe Gamache
 
OWASP Top 10 Proactive Controls 2016 - PHP Québec August 2017
OWASP Top 10 Proactive Controls 2016 - PHP Québec August 2017OWASP Top 10 Proactive Controls 2016 - PHP Québec August 2017
OWASP Top 10 Proactive Controls 2016 - PHP Québec August 2017Philippe Gamache
 
Kaizen ou l'amélioration continue
Kaizen ou l'amélioration continueKaizen ou l'amélioration continue
Kaizen ou l'amélioration continuePhilippe Gamache
 
Entreprise Security API - OWASP Montreal
Entreprise Security API - OWASP MontrealEntreprise Security API - OWASP Montreal
Entreprise Security API - OWASP MontrealPhilippe Gamache
 
Entreprise Security API - ConFoo 2011
Entreprise Security API - ConFoo 2011Entreprise Security API - ConFoo 2011
Entreprise Security API - ConFoo 2011Philippe Gamache
 
Strong authetification - ConFoo 2011
Strong authetification - ConFoo 2011Strong authetification - ConFoo 2011
Strong authetification - ConFoo 2011Philippe Gamache
 
Une application en une heure avec symfony - Collège de Mainsonneuve
Une application en une heure avec symfony - Collège de MainsonneuveUne application en une heure avec symfony - Collège de Mainsonneuve
Une application en une heure avec symfony - Collège de MainsonneuvePhilippe Gamache
 
Laboratoire sécurité : audit de code PHP - Conférence PHP Québec 2009
Laboratoire sécurité : audit de code PHP - Conférence PHP Québec 2009Laboratoire sécurité : audit de code PHP - Conférence PHP Québec 2009
Laboratoire sécurité : audit de code PHP - Conférence PHP Québec 2009Philippe Gamache
 
One hour application - PHP Quebec Conference 2009
One hour application - PHP Quebec Conference 2009One hour application - PHP Quebec Conference 2009
One hour application - PHP Quebec Conference 2009Philippe Gamache
 
Une application en deux heure - PHP Québec Janvier 2009
Une application en deux heure - PHP Québec Janvier 2009Une application en deux heure - PHP Québec Janvier 2009
Une application en deux heure - PHP Québec Janvier 2009Philippe Gamache
 
Audit de code PHP - PHP Code Audit - HackFest.ca 2009
Audit de code PHP - PHP Code Audit - HackFest.ca 2009Audit de code PHP - PHP Code Audit - HackFest.ca 2009
Audit de code PHP - PHP Code Audit - HackFest.ca 2009Philippe Gamache
 
Auditing and securing PHP applications - FRHACK 2009
Auditing and securing PHP applications - FRHACK 2009Auditing and securing PHP applications - FRHACK 2009
Auditing and securing PHP applications - FRHACK 2009Philippe Gamache
 
WordPress Websites for Engineers: Elevate Your Brand
WordPress Websites for Engineers: Elevate Your BrandWordPress Websites for Engineers: Elevate Your Brand
WordPress Websites for Engineers: Elevate Your Brandgvaughan
 
The Ultimate Guide to Choosing WordPress Pros and Cons
The Ultimate Guide to Choosing WordPress Pros and ConsThe Ultimate Guide to Choosing WordPress Pros and Cons
The Ultimate Guide to Choosing WordPress Pros and ConsPixlogix Infotech
 
"LLMs for Python Engineers: Advanced Data Analysis and Semantic Kernel",Oleks...
"LLMs for Python Engineers: Advanced Data Analysis and Semantic Kernel",Oleks..."LLMs for Python Engineers: Advanced Data Analysis and Semantic Kernel",Oleks...
"LLMs for Python Engineers: Advanced Data Analysis and Semantic Kernel",Oleks...Fwdays
 
Merck Moving Beyond Passwords: FIDO Paris Seminar.pptx
Merck Moving Beyond Passwords: FIDO Paris Seminar.pptxMerck Moving Beyond Passwords: FIDO Paris Seminar.pptx
Merck Moving Beyond Passwords: FIDO Paris Seminar.pptxLoriGlavin3
 
Hyperautomation and AI/ML: A Strategy for Digital Transformation Success.pdf
Hyperautomation and AI/ML: A Strategy for Digital Transformation Success.pdfHyperautomation and AI/ML: A Strategy for Digital Transformation Success.pdf
Hyperautomation and AI/ML: A Strategy for Digital Transformation Success.pdfPrecisely
 
"Debugging python applications inside k8s environment", Andrii Soldatenko
"Debugging python applications inside k8s environment", Andrii Soldatenko"Debugging python applications inside k8s environment", Andrii Soldatenko
"Debugging python applications inside k8s environment", Andrii SoldatenkoFwdays
 
Scanning the Internet for External Cloud Exposures via SSL Certs
Scanning the Internet for External Cloud Exposures via SSL CertsScanning the Internet for External Cloud Exposures via SSL Certs
Scanning the Internet for External Cloud Exposures via SSL CertsRizwan Syed
 
DevoxxFR 2024 Reproducible Builds with Apache Maven
DevoxxFR 2024 Reproducible Builds with Apache MavenDevoxxFR 2024 Reproducible Builds with Apache Maven
DevoxxFR 2024 Reproducible Builds with Apache MavenHervé Boutemy
 
Artificial intelligence in cctv survelliance.pptx
Artificial intelligence in cctv survelliance.pptxArtificial intelligence in cctv survelliance.pptx
Artificial intelligence in cctv survelliance.pptxhariprasad279825
 
"Subclassing and Composition – A Pythonic Tour of Trade-Offs", Hynek Schlawack
"Subclassing and Composition – A Pythonic Tour of Trade-Offs", Hynek Schlawack"Subclassing and Composition – A Pythonic Tour of Trade-Offs", Hynek Schlawack
"Subclassing and Composition – A Pythonic Tour of Trade-Offs", Hynek SchlawackFwdays
 

Weitere ähnliche Inhalte

Mehr von Philippe Gamache

Browser Serving Your Web Application Security - NorthEast PHP 2017
Browser Serving Your Web Application Security - NorthEast PHP 2017Browser Serving Your Web Application Security - NorthEast PHP 2017
Browser Serving Your Web Application Security - NorthEast PHP 2017Philippe Gamache
 
OWASP Top 10 Proactive Controls 2016 - PHP Québec August 2017
OWASP Top 10 Proactive Controls 2016 - PHP Québec August 2017OWASP Top 10 Proactive Controls 2016 - PHP Québec August 2017
OWASP Top 10 Proactive Controls 2016 - PHP Québec August 2017Philippe Gamache
 
Kaizen ou l'amélioration continue
Kaizen ou l'amélioration continueKaizen ou l'amélioration continue
Kaizen ou l'amélioration continuePhilippe Gamache
 
Entreprise Security API - OWASP Montreal
Entreprise Security API - OWASP MontrealEntreprise Security API - OWASP Montreal
Entreprise Security API - OWASP MontrealPhilippe Gamache
 
Entreprise Security API - ConFoo 2011
Entreprise Security API - ConFoo 2011Entreprise Security API - ConFoo 2011
Entreprise Security API - ConFoo 2011Philippe Gamache
 
Strong authetification - ConFoo 2011
Strong authetification - ConFoo 2011Strong authetification - ConFoo 2011
Strong authetification - ConFoo 2011Philippe Gamache
 
Une application en une heure avec symfony - Collège de Mainsonneuve
Une application en une heure avec symfony - Collège de MainsonneuveUne application en une heure avec symfony - Collège de Mainsonneuve
Une application en une heure avec symfony - Collège de MainsonneuvePhilippe Gamache
 
Laboratoire sécurité : audit de code PHP - Conférence PHP Québec 2009
Laboratoire sécurité : audit de code PHP - Conférence PHP Québec 2009Laboratoire sécurité : audit de code PHP - Conférence PHP Québec 2009
Laboratoire sécurité : audit de code PHP - Conférence PHP Québec 2009Philippe Gamache
 
One hour application - PHP Quebec Conference 2009
One hour application - PHP Quebec Conference 2009One hour application - PHP Quebec Conference 2009
One hour application - PHP Quebec Conference 2009Philippe Gamache
 
Une application en deux heure - PHP Québec Janvier 2009
Une application en deux heure - PHP Québec Janvier 2009Une application en deux heure - PHP Québec Janvier 2009
Une application en deux heure - PHP Québec Janvier 2009Philippe Gamache
 
Audit de code PHP - PHP Code Audit - HackFest.ca 2009
Audit de code PHP - PHP Code Audit - HackFest.ca 2009Audit de code PHP - PHP Code Audit - HackFest.ca 2009
Audit de code PHP - PHP Code Audit - HackFest.ca 2009Philippe Gamache
 
Auditing and securing PHP applications - FRHACK 2009
Auditing and securing PHP applications - FRHACK 2009Auditing and securing PHP applications - FRHACK 2009
Auditing and securing PHP applications - FRHACK 2009Philippe Gamache
 

Mehr von Philippe Gamache (12)

Browser Serving Your Web Application Security - NorthEast PHP 2017
Browser Serving Your Web Application Security - NorthEast PHP 2017Browser Serving Your Web Application Security - NorthEast PHP 2017
Browser Serving Your Web Application Security - NorthEast PHP 2017
 
OWASP Top 10 Proactive Controls 2016 - PHP Québec August 2017
OWASP Top 10 Proactive Controls 2016 - PHP Québec August 2017OWASP Top 10 Proactive Controls 2016 - PHP Québec August 2017
OWASP Top 10 Proactive Controls 2016 - PHP Québec August 2017
 
Kaizen ou l'amélioration continue
Kaizen ou l'amélioration continueKaizen ou l'amélioration continue
Kaizen ou l'amélioration continue
 
Entreprise Security API - OWASP Montreal
Entreprise Security API - OWASP MontrealEntreprise Security API - OWASP Montreal
Entreprise Security API - OWASP Montreal
 
Entreprise Security API - ConFoo 2011
Entreprise Security API - ConFoo 2011Entreprise Security API - ConFoo 2011
Entreprise Security API - ConFoo 2011
 
Strong authetification - ConFoo 2011
Strong authetification - ConFoo 2011Strong authetification - ConFoo 2011
Strong authetification - ConFoo 2011
 
Une application en une heure avec symfony - Collège de Mainsonneuve
Une application en une heure avec symfony - Collège de MainsonneuveUne application en une heure avec symfony - Collège de Mainsonneuve
Une application en une heure avec symfony - Collège de Mainsonneuve
 
Laboratoire sécurité : audit de code PHP - Conférence PHP Québec 2009
Laboratoire sécurité : audit de code PHP - Conférence PHP Québec 2009Laboratoire sécurité : audit de code PHP - Conférence PHP Québec 2009
Laboratoire sécurité : audit de code PHP - Conférence PHP Québec 2009
 
One hour application - PHP Quebec Conference 2009
One hour application - PHP Quebec Conference 2009One hour application - PHP Quebec Conference 2009
One hour application - PHP Quebec Conference 2009
 
Une application en deux heure - PHP Québec Janvier 2009
Une application en deux heure - PHP Québec Janvier 2009Une application en deux heure - PHP Québec Janvier 2009
Une application en deux heure - PHP Québec Janvier 2009
 
Audit de code PHP - PHP Code Audit - HackFest.ca 2009
Audit de code PHP - PHP Code Audit - HackFest.ca 2009Audit de code PHP - PHP Code Audit - HackFest.ca 2009
Audit de code PHP - PHP Code Audit - HackFest.ca 2009
 
Auditing and securing PHP applications - FRHACK 2009
Auditing and securing PHP applications - FRHACK 2009Auditing and securing PHP applications - FRHACK 2009
Auditing and securing PHP applications - FRHACK 2009
 

Kürzlich hochgeladen

WordPress Websites for Engineers: Elevate Your Brand
WordPress Websites for Engineers: Elevate Your BrandWordPress Websites for Engineers: Elevate Your Brand
WordPress Websites for Engineers: Elevate Your Brandgvaughan
 
The Ultimate Guide to Choosing WordPress Pros and Cons
The Ultimate Guide to Choosing WordPress Pros and ConsThe Ultimate Guide to Choosing WordPress Pros and Cons
The Ultimate Guide to Choosing WordPress Pros and ConsPixlogix Infotech
 
"LLMs for Python Engineers: Advanced Data Analysis and Semantic Kernel",Oleks...
"LLMs for Python Engineers: Advanced Data Analysis and Semantic Kernel",Oleks..."LLMs for Python Engineers: Advanced Data Analysis and Semantic Kernel",Oleks...
"LLMs for Python Engineers: Advanced Data Analysis and Semantic Kernel",Oleks...Fwdays
 
Merck Moving Beyond Passwords: FIDO Paris Seminar.pptx
Merck Moving Beyond Passwords: FIDO Paris Seminar.pptxMerck Moving Beyond Passwords: FIDO Paris Seminar.pptx
Merck Moving Beyond Passwords: FIDO Paris Seminar.pptxLoriGlavin3
 
Hyperautomation and AI/ML: A Strategy for Digital Transformation Success.pdf
Hyperautomation and AI/ML: A Strategy for Digital Transformation Success.pdfHyperautomation and AI/ML: A Strategy for Digital Transformation Success.pdf
Hyperautomation and AI/ML: A Strategy for Digital Transformation Success.pdfPrecisely
 
"Debugging python applications inside k8s environment", Andrii Soldatenko
"Debugging python applications inside k8s environment", Andrii Soldatenko"Debugging python applications inside k8s environment", Andrii Soldatenko
"Debugging python applications inside k8s environment", Andrii SoldatenkoFwdays
 
Scanning the Internet for External Cloud Exposures via SSL Certs
Scanning the Internet for External Cloud Exposures via SSL CertsScanning the Internet for External Cloud Exposures via SSL Certs
Scanning the Internet for External Cloud Exposures via SSL CertsRizwan Syed
 
DevoxxFR 2024 Reproducible Builds with Apache Maven
DevoxxFR 2024 Reproducible Builds with Apache MavenDevoxxFR 2024 Reproducible Builds with Apache Maven
DevoxxFR 2024 Reproducible Builds with Apache MavenHervé Boutemy
 
Artificial intelligence in cctv survelliance.pptx
Artificial intelligence in cctv survelliance.pptxArtificial intelligence in cctv survelliance.pptx
Artificial intelligence in cctv survelliance.pptxhariprasad279825
 
"Subclassing and Composition – A Pythonic Tour of Trade-Offs", Hynek Schlawack
"Subclassing and Composition – A Pythonic Tour of Trade-Offs", Hynek Schlawack"Subclassing and Composition – A Pythonic Tour of Trade-Offs", Hynek Schlawack
"Subclassing and Composition – A Pythonic Tour of Trade-Offs", Hynek SchlawackFwdays
 
Ensuring Technical Readiness For Copilot in Microsoft 365
Ensuring Technical Readiness For Copilot in Microsoft 365Ensuring Technical Readiness For Copilot in Microsoft 365
Ensuring Technical Readiness For Copilot in Microsoft 3652toLead Limited
 
Story boards and shot lists for my a level piece
Story boards and shot lists for my a level pieceStory boards and shot lists for my a level piece
Story boards and shot lists for my a level piececharlottematthew16
 
Commit 2024 - Secret Management made easy
Commit 2024 - Secret Management made easyCommit 2024 - Secret Management made easy
Commit 2024 - Secret Management made easyAlfredo García Lavilla
 
Developer Data Modeling Mistakes: From Postgres to NoSQL
Developer Data Modeling Mistakes: From Postgres to NoSQLDeveloper Data Modeling Mistakes: From Postgres to NoSQL
Developer Data Modeling Mistakes: From Postgres to NoSQLScyllaDB
 
What's New in Teams Calling, Meetings and Devices March 2024
What's New in Teams Calling, Meetings and Devices March 2024What's New in Teams Calling, Meetings and Devices March 2024
What's New in Teams Calling, Meetings and Devices March 2024Stephanie Beckett
 
TrustArc Webinar - How to Build Consumer Trust Through Data Privacy
TrustArc Webinar - How to Build Consumer Trust Through Data PrivacyTrustArc Webinar - How to Build Consumer Trust Through Data Privacy
TrustArc Webinar - How to Build Consumer Trust Through Data PrivacyTrustArc
 
Take control of your SAP testing with UiPath Test Suite
Take control of your SAP testing with UiPath Test SuiteTake control of your SAP testing with UiPath Test Suite
Take control of your SAP testing with UiPath Test SuiteDianaGray10
 
H2O.ai CEO/Founder: Sri Ambati Keynote at Wells Fargo Day
H2O.ai CEO/Founder: Sri Ambati Keynote at Wells Fargo DayH2O.ai CEO/Founder: Sri Ambati Keynote at Wells Fargo Day
H2O.ai CEO/Founder: Sri Ambati Keynote at Wells Fargo DaySri Ambati
 
New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024BookNet Canada
 

Kürzlich hochgeladen (20)

WordPress Websites for Engineers: Elevate Your Brand
WordPress Websites for Engineers: Elevate Your BrandWordPress Websites for Engineers: Elevate Your Brand
WordPress Websites for Engineers: Elevate Your Brand
 
The Ultimate Guide to Choosing WordPress Pros and Cons
The Ultimate Guide to Choosing WordPress Pros and ConsThe Ultimate Guide to Choosing WordPress Pros and Cons
The Ultimate Guide to Choosing WordPress Pros and Cons
 
"LLMs for Python Engineers: Advanced Data Analysis and Semantic Kernel",Oleks...
"LLMs for Python Engineers: Advanced Data Analysis and Semantic Kernel",Oleks..."LLMs for Python Engineers: Advanced Data Analysis and Semantic Kernel",Oleks...
"LLMs for Python Engineers: Advanced Data Analysis and Semantic Kernel",Oleks...
 
Merck Moving Beyond Passwords: FIDO Paris Seminar.pptx
Merck Moving Beyond Passwords: FIDO Paris Seminar.pptxMerck Moving Beyond Passwords: FIDO Paris Seminar.pptx
Merck Moving Beyond Passwords: FIDO Paris Seminar.pptx
 
Hyperautomation and AI/ML: A Strategy for Digital Transformation Success.pdf
Hyperautomation and AI/ML: A Strategy for Digital Transformation Success.pdfHyperautomation and AI/ML: A Strategy for Digital Transformation Success.pdf
Hyperautomation and AI/ML: A Strategy for Digital Transformation Success.pdf
 
"Debugging python applications inside k8s environment", Andrii Soldatenko
"Debugging python applications inside k8s environment", Andrii Soldatenko"Debugging python applications inside k8s environment", Andrii Soldatenko
"Debugging python applications inside k8s environment", Andrii Soldatenko
 
Scanning the Internet for External Cloud Exposures via SSL Certs
Scanning the Internet for External Cloud Exposures via SSL CertsScanning the Internet for External Cloud Exposures via SSL Certs
Scanning the Internet for External Cloud Exposures via SSL Certs
 
DevoxxFR 2024 Reproducible Builds with Apache Maven
DevoxxFR 2024 Reproducible Builds with Apache MavenDevoxxFR 2024 Reproducible Builds with Apache Maven
DevoxxFR 2024 Reproducible Builds with Apache Maven
 
Artificial intelligence in cctv survelliance.pptx
Artificial intelligence in cctv survelliance.pptxArtificial intelligence in cctv survelliance.pptx
Artificial intelligence in cctv survelliance.pptx
 
"Subclassing and Composition – A Pythonic Tour of Trade-Offs", Hynek Schlawack
"Subclassing and Composition – A Pythonic Tour of Trade-Offs", Hynek Schlawack"Subclassing and Composition – A Pythonic Tour of Trade-Offs", Hynek Schlawack
"Subclassing and Composition – A Pythonic Tour of Trade-Offs", Hynek Schlawack
 
Ensuring Technical Readiness For Copilot in Microsoft 365
Ensuring Technical Readiness For Copilot in Microsoft 365Ensuring Technical Readiness For Copilot in Microsoft 365
Ensuring Technical Readiness For Copilot in Microsoft 365
 
Story boards and shot lists for my a level piece
Story boards and shot lists for my a level pieceStory boards and shot lists for my a level piece
Story boards and shot lists for my a level piece
 
DMCC Future of Trade Web3 - Special Edition
DMCC Future of Trade Web3 - Special EditionDMCC Future of Trade Web3 - Special Edition
DMCC Future of Trade Web3 - Special Edition
 
Commit 2024 - Secret Management made easy
Commit 2024 - Secret Management made easyCommit 2024 - Secret Management made easy
Commit 2024 - Secret Management made easy
 
Developer Data Modeling Mistakes: From Postgres to NoSQL
Developer Data Modeling Mistakes: From Postgres to NoSQLDeveloper Data Modeling Mistakes: From Postgres to NoSQL
Developer Data Modeling Mistakes: From Postgres to NoSQL
 
What's New in Teams Calling, Meetings and Devices March 2024
What's New in Teams Calling, Meetings and Devices March 2024What's New in Teams Calling, Meetings and Devices March 2024
What's New in Teams Calling, Meetings and Devices March 2024
 
TrustArc Webinar - How to Build Consumer Trust Through Data Privacy
TrustArc Webinar - How to Build Consumer Trust Through Data PrivacyTrustArc Webinar - How to Build Consumer Trust Through Data Privacy
TrustArc Webinar - How to Build Consumer Trust Through Data Privacy
 
Take control of your SAP testing with UiPath Test Suite
Take control of your SAP testing with UiPath Test SuiteTake control of your SAP testing with UiPath Test Suite
Take control of your SAP testing with UiPath Test Suite
 
H2O.ai CEO/Founder: Sri Ambati Keynote at Wells Fargo Day
H2O.ai CEO/Founder: Sri Ambati Keynote at Wells Fargo DayH2O.ai CEO/Founder: Sri Ambati Keynote at Wells Fargo Day
H2O.ai CEO/Founder: Sri Ambati Keynote at Wells Fargo Day
 
New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
 

PHP Code Audit - OSCON 2009

  • 1. PHP code audits OSCON 2009 San José, CA, USA July 21th 2009 vendredi 13 novembre 2009 1
  • 2. Agenda Workshop presentation Black box audit Source code audit vendredi 13 novembre 2009 2
  • 3. Who speaks? Philippe Gamache Parler Haut, Interagir Librement : Web development, security audit, training info@ph-il.ca @SecureSymfony vendredi 13 novembre 2009 3
  • 4. Who speaks? Damien Seguy Alter Way Consulting : Open sources expert services Father of the Elephpant Calendar maker damien.seguy@alterway.fr vendredi 13 novembre 2009 4
  • 5. Security Book New 2009 edition Comprehensive review of security system for MySQL, PHP, etc. Published in French Planning translation vendredi 13 novembre 2009 5
  • 6. The application http://www.cligraphcrm.com/ vendredi 13 novembre 2009 6
  • 7. Full audit synopsis Identification of the audit goals Interview with the dev teams Black box testing Open Code audit Report vendredi 13 novembre 2009 7
  • 8. Yes, we take questions vendredi 13 novembre 2009 8
  • 9. Black box testing 9 vendredi 13 novembre 2009 9
  • 10. Black box testing What is black box testing? Finding information What can I do with this application? Where are the most popular entry points? 10 vendredi 13 novembre 2009 10
  • 11. Black box testing Look for vulnerabilities Use different tools and technics Automatic scanners By hand Fuzzing tools Scenarios How do I use to my advantage? 11 vendredi 13 novembre 2009 11
  • 12. Black box testing Strike Attacking a vulnerability with a specific purpose 12 vendredi 13 novembre 2009 12
  • 13. Find Information Look at the application web site Features 13 vendredi 13 novembre 2009 13
  • 14. Find Information Look at the application web site Technology 14 vendredi 13 novembre 2009 14
  • 15. Find Information Look at the application web site Technology 15 vendredi 13 novembre 2009 15
  • 16. Find Information Look at the application web site Technology 16 vendredi 13 novembre 2009 16
  • 17. Find Information Look at the application web site Technology 17 vendredi 13 novembre 2009 17
  • 18. Find Information Look at the application web site Technology 18 vendredi 13 novembre 2009 18
  • 19. Where did I hear about this? vendredi 13 novembre 2009 19
  • 20. Find vulnerabilities We look in Common Vulnerabilities and Exposures Also in bugtrack, xssed.com, etc... We could have look in Google, Bing, etc... No published vulnerabilities for cliGraph 20 vendredi 13 novembre 2009 20
  • 21. Find Information HTTP/1.x 200 OK Date: Mon, 20 Jul 2009 17:29:25 GMT Server: Apache/2.2.3 (Debian) PHP/5.2.0-8+etch11 mod_ssl/2.2.3 OpenSSL/0.9.8c X-Powered-By: PHP/5.2.0-8+etch11 Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0 Pragma: no-cache Content-Length: 586 HTTP headers Content-Type: text/html; charset=UTF-8 X-Cache: MISS from Colossus Connection: close curl, wget, Firefox Rex Swain's HTTP Viewer 21 vendredi 13 novembre 2009 21
  • 22. Typical files Usual directories includes, include, inc, com, classes, lib, library admin, adm, administrator, tmp, TMP, ext, var data, db, conf, config uploads, install, 22 vendredi 13 novembre 2009 22
  • 23. Typical files .phps, .inc, .class, xml, ini, yaml, cfg Apache Alias : /icons/ robots.txt vendredi 13 novembre 2009 23
  • 24. Security dilema robots.txt User-agent: * Disallow: /administrator/ Disallow: /cache/ Disallow: /components/ Disallow: /images/ Disallow: /includes/ Disallow: /installation/ Disallow: /language/ Disallow: /libraries/ Disallow: /media/ Disallow: /modules/ Disallow: /plugins/ Disallow: /templates/ Disallow: /tmp/ Disallow: /xmlrpc/ 24 vendredi 13 novembre 2009 24
  • 25. External testing Get the list of the scripts (find .) Turn that into URLs Fetch them directly on the web site Study what’s coming back Maybe you gonna need to install it yourself vendredi 13 novembre 2009 25
  • 26. Typical files https 404 and 5xx pages Blank page Bad code without error posting 26 vendredi 13 novembre 2009 26
  • 27. Automatic scanners Nikto http://www.cirt.net/ 27 vendredi 13 novembre 2009 27
  • 28. Find vulnerabilities What to look for ? XSS CSRF Injections Files overwrite 28 vendredi 13 novembre 2009 28
  • 29. Automatic scanners Web Application Attack and Audit Framework (W3AF) http://w3af.sourceforge.net/ 29 vendredi 13 novembre 2009 29
  • 30. Manual tools Firefox Access Me Firebug SQL Inject Me Web Developer XSS Me Data 30 vendredi 13 novembre 2009 30
  • 31. Manual tools Arrays c[]=1 Surplus variables debug=1, task=view Missing variables 31 vendredi 13 novembre 2009 31
  • 32. Manual tools action/facture_fiche.php? exp_typedoc=facture&exp_id= 2009N000196&exp_formdoc=pdf 32 vendredi 13 novembre 2009 32
  • 33. Manual tools action/facture_fiche.php? exp_typedoc=facture&exp_id= 2009N000196&exp_formdoc=pdf action/facture_fiche.php? exp_typedoc=facture&exp_id=2009 N000196&exp_formdoc=fiche 32 vendredi 13 novembre 2009 32
  • 34. Manual tools action/facture_fiche.php? exp_typedoc=facture&exp_id= 2009N000196&exp_formdoc=pdf action/facture_fiche.php? exp_typedoc=facture&exp_id=2009 N000196&exp_formdoc=fiche Fatal error: Cannot redeclare fct_redimension_img() (previously declared in /var/www/crm_demo/fonctions/ fonction_img.php:68) in /var/www/crm_demo/fonctions/ fonction_img.php on line 134 32 vendredi 13 novembre 2009 32
  • 35. Fuzzing Test by random value Stress forms Database All characters from 0 to x255 All Unicode characters The numbers 1, 0, -1, 0.99, extreme, infinite 33 vendredi 13 novembre 2009 33
  • 36. Fuzzing Strings Long Short Dictionaries of values of vulnerabilities GET, POST, COOKIE 34 vendredi 13 novembre 2009 34
  • 37. Fuzzing Wfuzz http://www.edge-security.com/wfuzz.php WebSlayer http://www.edge-security.com/webslayer.php 35 vendredi 13 novembre 2009 35
  • 38. Exemple Fuzzing vendredi 13 novembre 2009 36
  • 39. Scenarios More realistic tests fragile Automate your tests Complete with fuzzing Use proxy servers 37 vendredi 13 novembre 2009 37
  • 40. Scenarios Firefox Selenium IDE WebScarab http://www.owasp.org/index.php/ Category:OWASP_WebScarab_Project 38 vendredi 13 novembre 2009 38
  • 41. Simplify your life Samurai Web Testing Framework http://samurai.inguardians.com/ vendredi 13 novembre 2009 39
  • 42. Conclusion Black box Easy to set up Take into account the context of the application Often spectacular Generally shallow vendredi 13 novembre 2009 40
  • 43. Open code audit vendredi 13 novembre 2009 41
  • 44. Code audits Look into the PHP code Search for hidden problems Usually less spectacular than black box vendredi 13 novembre 2009 42
  • 45. From the interview Check if dev teams knows that to secure Have it explains their approach Check what they say Check what they don’t say vendredi 13 novembre 2009 43
  • 46. The shy version We know there are security problems but we have no time to secure them this app has been written years ago we can’t keep up with the threats vendredi 13 novembre 2009 44
  • 47. The strong version We have secured the application We use SSL, and webwasher and crypto All content is validated and filtered We don’t do any dynamical include Our frameworks doesn’t allow this vendredi 13 novembre 2009 45
  • 48. Approach What to search for? What are the entry points? How can they be exploited Or protected ? vendredi 13 novembre 2009 46
  • 49. What to search for? Injections PHP SQL HTML system vendredi 13 novembre 2009 47
  • 50. Keep focused Easy to loose focus Tempting to audit everything vendredi 13 novembre 2009 48
  • 51. PHP injections PHP injections dynamical inclusion include, require and *_once back ticks eval vendredi 13 novembre 2009 49
  • 52. Eval Easy to look for grep Fast, available, convenient 853 occurences Tokenizer Semantic, accurate 37 occurrences vendredi 13 novembre 2009 50
  • 53. Tokenizer <?php Array [1] => print ("hello $world! "); ?> ( [6] => Array [0] => 266 ( [1] => print [0] => 309 [2] => 1 [1] => $world ) [2] => 1 ) [2] => Array ( [7] => Array [0] => 370 ( [1] => [0] => 314 [2] => 1 [1] => ! ) [2] => 1 ) [3] => ( [4] => " [8] => " [5] => Array [9] => ) ( [10] => ; [0] => 314 [1] => Array [1] => hello ( [2] => 1 [0] => PHP token ) [1] => PHP code [2] => Script line ) [2] => " vendredi 13 novembre 2009 51
  • 54. Evals ◦ eval('$retour=$GLOBALS["'.$matches[1].'"];') ◦ Variable variables. ◦ eval($contenu_thjipk); ◦ eval($contents_essai); ◦ Content is read into variable, then executed : an include? ◦ eval('$hexdtime = "'.$hexdtime.'";') ◦ Long way to cast a string into a string ◦ eval('$retour2.= '.var_dump($recept->erreur).';') ◦ This doesn’t even work vendredi 13 novembre 2009 52
  • 55. Assessing the code One liners One line of code is sufficiently to be bad Even though you must follow the code In reverse vendredi 13 novembre 2009 53
  • 56. Inclusion ◦ require("../params_frm.php") ◦ require(fct_lien_page_custom(TYPE_DOMAINE."/".TYPE_DOC. "_custom.php","abs")) ◦ require(fct_lien_page_custom("params_footer.php","abs")) ◦ Pretty secure inclusions ◦ But 96 variables used in includes ◦ include(fct_lien_page_custom("action/facture_". $format.".php","abs")) ◦ $format, anyone? ◦ require_once("etat_simple_".$choix_page."_trt.php") ◦ $choix_page, anyone ? vendredi 13 novembre 2009 54
  • 57. $format ? <?php require("../params_trt.php"); $format=htmlentities($_REQUEST['exp_formdoc']); if(empty($_REQUEST['exp_affiche'])) $affichage=0;  else $affichage=$_REQUEST['exp_affiche']; if(empty($_REQUEST['exp_stockdoc'])) $stockage=0;  else $stockage=$_REQUEST['exp_stockdoc']; $cde_id=$_REQUEST['exp_id']; $type_doc=$_REQUEST['exp_typedoc']; require(fct_lien_page_custom("fonctions/ fonction_img.php","abs")); include(fct_lien_page_custom("action/facture_". $format.".php","abs")); ?> vendredi 13 novembre 2009 55
  • 58. $choix_format ?   switch($choix) {     case 0 : $choix_page="tabl";     break;     case 1 : $choix_page="histo1";  if ($gfx_sens_graph=="1") $gfx_margegauche_dft="90";     break;     case 2 : $choix_page="histo2";  if ($gfx_sens_graph=="1") $gfx_margegauche_dft="90";     break;     case 3 : $choix_page="histo3";  if ($gfx_sens_graph=="1") $gfx_margegauche_dft="90";     break;     case 4 : $choix_page="histo4";  if ($gfx_sens_graph=="1") $gfx_margegauche_dft="90";     break;     case 5 : $choix_page="histo5";  if ($gfx_sens_graph=="1") $gfx_margegauche_dft="90";     break; }    ###...Way below     require_once("etat_simple_".$choix_page."_trt.php"); vendredi 13 novembre 2009 56
  • 59. Statistical audit Extract one type of information Review it out of context Use this as a starting point for more questions vendredi 13 novembre 2009 57
  • 60. Comments //echo "<div><a class="texte1" style=... #echo "<pre>"; Left overs #print_r($_REQUEST); Main code is not cleaned of debug? // hack for mozilla sunbird's extra = signs Look for swearing, TODO, hack vendredi 13 novembre 2009 58
  • 61. Variables 6883 different variables names All one possible one letter variable 32 chars : $cache_maxsize_UTF8StringToArray Most used : $i (2586 times) $_1904, $samedi, $dummy, $sss, 19 $unknowns 711 variables used only once in the codes vendredi 13 novembre 2009 59
  • 62. Other ideas name of functions name of classes name of constants literal strings, numbers Condition (if, while) vendredi 13 novembre 2009 60
  • 64. register_globals strikes back Foreach and $$ vendredi 13 novembre 2009 61
  • 65. register_globals strikes back Foreach and $$ extract vendredi 13 novembre 2009 61
  • 66. register_globals strikes back Foreach and $$ extract import_request_var vendredi 13 novembre 2009 61
  • 67. register_globals strikes back Foreach and $$ extract import_request_var $GLOBALS vendredi 13 novembre 2009 61
  • 68. register_globals strikes back Foreach and $$ extract import_request_var $GLOBALS parse_str vendredi 13 novembre 2009 61
  • 69. register_globals strikes back Foreach and $$ extract import_request_var $GLOBALS parse_str register_globals (ini_get(‘register_globals’)) vendredi 13 novembre 2009 61
  • 70. Found! ◦ ./install/identification.php ◦ extract($_POST)  : 1 ◦ Injection by $_POST ◦ ./eggcrm/fonctions/fonctions_gen.php ◦ $GLOBALS[$k] = $chaine[$k] ◦ $GLOBALS[$this->mode] [$k] = $chaine[$k] ◦ In the fct_urldecode, the values are stripslashed, and then injected in the $GLOBALS, resulting in variable creation vendredi 13 novembre 2009 62
  • 71. SQL injections Point of entry mysql_query mysqli_real_escape_string SQL query : string with SELECT, UPDATE, ... vendredi 13 novembre 2009 63
  • 72. Found! ◦ 'UPDATE param_suivi SET      param_suivi_nom="'.str_replace ($transf_sp,$transf_fr,$_POST["suivi_nom"])  : 1 ◦ Direct injection via POST ◦ WHERE campagne_nom LIKE '%".addslashes($_REQUEST['rech_nom'])  ◦ Injection from $_REQUEST ◦ "UPDATE even_spl SET even_spl_fait='". $even_fait."',even_spl_modification='".$date_du_jour."'     WHERE even_spl_id='".$even_id."' AND even_spl_affaire_id='". $even_aff_id."'";  : 1 ◦ "INSERT INTO ".$type_doc."_suivi    (". $type_doc."_suivi_param_suivi_id, ".$type_doc."_suivi_". $type_doc."_id, ".$type_doc."_suivi_canal_id,    ". $type_doc."_suivi_action, ".$type_doc."_suivi_commentaire, ". $type_doc."_suivi_creation)    VALUES ('".$id_suivi."', '". $id_doc."', '".$id_canal."', '".$suivi_date."', '".addslashes ($suivi_commentaire) vendredi 13 novembre 2009 64
  • 73. And also Header injection Look for header() XSS look for Echo, or concatenation with tags Etc... vendredi 13 novembre 2009 65
  • 74. Report Vulnerability Critical Load register_globals High High Injections High Medium SQL injection Medium High headers Low Low vendredi 13 novembre 2009 66
  • 75. Team organization vendredi 13 novembre 2009 67
  • 76. Team Work Continuous audit? Once When necessary Regularly Continuously vendredi 13 novembre 2009 68
  • 77. PHP Mantra List your mantra The five most important rules you agree upon Have them printed and visible to everyone vendredi 13 novembre 2009 69
  • 78. Cross audit Group developers by two Have each one review the code of the other Based on the mantra Light weight process Doesn’t have to be in the same project vendredi 13 novembre 2009 70
  • 79. PHP audit tools Groogle (http://groogle.sourceforge.net) Review Board (http://www.review-board.org/) Rietveld http://codereview.appspot.com/ SmartBear (http://www.smartbear.com/) vendredi 13 novembre 2009 71
  • 80. Community step up Mantra, cross audits go beyond services and departements Open this outside ? External review? New way of coding ? vendredi 13 novembre 2009 72
  • 81. Thank you! Philippe Gamache : info@ph-il.ca Damien Seguy : damien.seguy@alterway.fr vendredi 13 novembre 2009 73