SlideShare ist ein Scribd-Unternehmen logo

Real-World WebAppSec Flaws - Examples and Countermeasues

Als PPTX, PDF herunterladen
volvent
volvent

A presentation at the Sydney WebApp meeting for the security stream. Covers some easy to follow examples of more common things found and general recommendations for development teams.

1 von 53
Examples and Countermeasures Sydney WebApps Meetup: Security - March
 Started off doing web-dev, sysadmin, programming 90‟s Traditional web-dev Modern web-dev Now
 Started off doing web-dev, sysadmin, programming 90‟s  Have been doing security research for 10+ years Traditional  Designing/developing custom sec-tech. web-dev  Security assessments (code review, pentesting, etc.)  Consulting related to security defense, etc. Modern web-dev Now
 Started off doing web-dev, sysadmin, programming 90‟s  Have been doing security research for 10+ years Traditional  Designing/developing custom sec-tech. web-dev  Security assessments (code review, pentesting, etc.)  Consulting related to security defense, etc.  Over the past several years, the term „web‟ has well and truly changed, and now encompasses:  HTML-based user-interfaces for apps  Mobile phone applications Modern  Web-based SaaS, web-services, etc. web-dev Now  ChromeOS, etc.
Text-book code examples: … and Top 10‟s / stats: BAD! Some exploitation tricks/demos:
However: • Text-book vulnerable code (e.g. SQL injection) is not so common • Flaws are becoming more complicated (or at least abstracted)
However: • Text-book vulnerable code (e.g. SQL injection) is not so common • Flaws are becoming more complicated (or at least abstracted) • Showing exploitation of vulnerabilities is useful to illustrate the risk • But also takes away from explaining how these bugs surface
However: • Text-book vulnerable code (e.g. SQL injection) is not so common • Flaws are becoming more complicated (or at least abstracted) • Showing exploitation of vulnerabilities is useful to illustrate the risk • But also takes away from explaining how these bugs surface • Vulnerability statistics can be interesting • But can also be quite misleading
 Provide example flaws based on recent web-related assessments  Often developers making a small (sometimes understandable) mistake
 Provide example flaws based on recent web-related assessments  Often developers making a small (sometimes understandable) mistake  Run through several defensive steps  A few processes and mitigation methods to consider  General guidance, recommended reading, etc.
 Provide example flaws based on recent web-related assessments  Often developers making a small (sometimes understandable) mistake  Run through several defensive steps  A few processes and mitigation methods to consider  General guidance, recommended reading, etc.  I have only have 20 minutes for this, but I‟ll be touching on quite a lot  These slides will be put online with all of the references, links, etc.  Also happy to chat about any of this over a drink 
Interpretation • Languages/compilers behaviors and annoying technicalities Logic Flaws • Logic issues that don‟t have an immediate security impact Technology Layers • How technology layers can have interesting technicalities Defensive Measures • Several approaches to help manage webapp risks
Languages/compilers behaviors and annoying technicalities
Use case: Select and upload a binary and receive analysis results
Technology Functionality Test Cases
Technology Functionality Test Cases PHP & Apache Web Upload & Compile Test & Linux Execute Binary Case Sets
1. How is the PHP Upload working? 1. How is the uploaded file stored? 2. How are file extensions validated? Technology Functionality Test Cases 3. … 2. How is it executing the binary? 1. Queued in a database? 2. via PHP popen(), system()? 3. Pushing to other web-services? 4. … PHP & Apache Web Upload & Compile Test 3. What is returned to the user? & Linux Execute Binary Case Sets 1. Is user-controlled input correctly encoded (filename, etc.) 2. … 4. …
 About 10 minutes we were about here:
 Another test-case looked like this:
 Another test-case looked like this: oh snap.
A few minutes later…  Pop a www-user shell over a reliable and encrypted channel  Determine the entry-point flaw  Start a white-box code review of the application  Start a review of the host environment and surrounding infrastructure
Simplified Code
Simplified Code The Bug  param is attacker-controlled  param is not explicitly cast as a numeric value, thus:  param = „0.1‟ = PASS  param = „1.1‟ = FAIL  param = „and hi‟ = FAIL  param = „1.1 and hi‟ = FAIL  param = „0.1 and hi‟ = PASS  Resulting in arbitrary command execution on the system
Simplified Code Explanation  param is attacker-controlled  param is validated as a numeric value between 0 and 1  param = „0.1‟ = PASS  param = „1.1‟ = FAIL  param = „and hi‟ = FAIL  param = „1.1 and hi‟ = FAIL  param = „0.1 and hi‟ = FAIL  The shellescapearg() function is also used to escape the argument to popen()
This example is a bit dumb, but:
This example is a bit dumb, but: The Bug  strcmp() accepts two strings and returns 0 if they match  The return value of strcmp() is checked using the type-unsafe equality operator of „==„  If either parameter is not a string (for example an array) strcmp() will fail and return 0/NULL
The Fix Explanation  strcmp() accepts two strings and returns 0 if they match  The return value of strcmp() is checked using the type-safe equality operator of „===„
 A lot of higher level languages are quite lax about data-types  This is dangerous for web-languages and affects many applications  Be explicit and remove assumptions about data-types
 A lot of higher level languages are quite lax about data-types  This is dangerous for web-languages and affects many applications  Be explicit and remove assumptions about data-types  A common trend is for developers to lower their guard post-validation  “This user-controlled data is now trusted” is a very dangerous assumption
 A lot of higher level languages are quite lax about data-types  This is dangerous for web-languages and affects many applications  Be explicit and remove assumptions about data-types  A common trend is for developers to lower their guard post-validation  “This user-controlled data is now trusted” is a very dangerous assumption  It can be dangerous hopping between programming languages  Programmers of different backgrounds make various (risky) assumptions  Get proficient at the languages you spend most time in  Every single language has its “gotchas” to be aware of
How logic flaws can be much more serious than a security hole
 Use case: Select an item and pay for it
 The interface performed (adequate) client-side and server-side validations
 Later on, discovered an (almost) identical interface
 Later on, discovered an (almost) identical interface Oh, snap
Explanation Payment Resource  Virtually identical payment resources were A implemented separately Payment  One (the lesser visible) resource missed a Gateway server-side validation for negative sums Bridge  The flaw allowed an attacker to credit an arbitrary account (i.e. receive money) Payment Resource B
 “Safe” applications can still suffer from application-specific risks  This was a relatively well written .NET application with minimal security risks  Yet, this single logic bug raised more immediate concern than if I had popped a shell
 “Safe” applications can still suffer from application-specific risks  This was a relatively well written .NET application with minimal security risks  Yet, this single logic bug raised more immediate concern than if I had popped a shell  The nature of new software functional requirements should be treated with caution  Hacked on components/interfaces without proper system and integration analysis
 “Safe” applications can still suffer from application-specific risks  This was a relatively well written .NET application with minimal security risks  Yet, this single logic bug raised more immediate concern than if I had popped a shell  The nature of new software functional requirements should be treated with caution  Hacked on components/interfaces without proper system and integration analysis  There are huge risks when critical validation/integration isn‟t centralized  Often has a higher chance of inconsistent validation rules  Makes it more expensive and inefficient to both implement and later fix issues  Less efficient to review critical code when it‟s scattered erratically
How technology layers can have interesting technicalities
 Data transferring from higher level A couple of basic examples: languages down to the OS-level introduce certain risks  Technicalities such as how NULL bytes are treated for certain functions affect almost all languages  .NET/Java  iOS Applications  PHP, …  So far this year have found such issues in two jobs (.NET and Java)  Arbitrary file write to full server compromise
 XSS is very common and affecting more technologies and devices  UIWebView in iOS, etc.  Many interesting attacks possible  Attacking internal network infra.  Triggering client-side vulnerabilities  Targeted phishing attacks that are executing specific payloads  Increasingly used for decently executed targeted attacks  Such as using XSS to own apache.org
 Secure, Open, Convenient  Pick two   Frameworks are great for many obvious reasons  It‟s clear frameworks do help limit or remove certain risks  But there‟s a lot of functionality that‟s supported and/or exposed  Ruby on Rails is a recent target by researchers  It will take some time for it to mature  Louis from PentesterLab gave a great overview on the recent issues
Methods to help strengthen your web-app security
 Mitigations are about raising the cost of an attack  Try avoiding things that add an attack surface (e.g. WAF‟s)  Explicit inbound/outbound network trusts should be part of provisioning  End-point threats affect almost everyone these days  Review the DSD‟s Top 35  See what big targets are doing:  Facebook talk from Ruxcon
Threat Modeling  It‟s important to spend some time to think about your potential adversaries  Threats aren‟t just bots and kids scanning your network and webapps  People focusing on your apps  Social engineering (remote or physical)  Internal staff  (the list goes on...)  A basic way to get started in-house is to try Microsoft‟s card-game ! 
 Unfortunately, it‟s still common for things to be out of date/vulnerable  Subscribe to a freely available vulnerability alerting service  Regularly review your external internet presence and services  Try to lean on auto. updates, or test with a prod clone with them enabled to see if things break  If it‟s not essential, don‟t run it
 During code reviews I usually map out developer comments  Frequency of comments vs. mood  The use of specific keywords (e.g. XXX, TODO, dropping the f-bomb)  Instead of venting in code, keep a risk register for risky/uncertain spots  Have a peer-review process and/or periodically bring in an external specialist to help go over it
 Some basic changes to QA testing can pick up some low-hanging fruit  Fixing issues internally during development is a lot cheaper  Lots of excellent resources for learning and testing, such as PentesterLab.com  There are good guides for different languages, such as the Ruby guide by Meder@Google
 Keep up with research relevant to you, there‟s new things every day  I develop a tool called „Talkback‟ that tracks news/research  There are free monthly seminars called „Ruxmon‟ in Sydney  Consider attending the annual Ruxcon security conference in Melbourne
 Bugs happen. It‟s okay.   Dedicate some time to think about:  Your potential threats  How you can introduce security tests during your development lifecycle  If you get external security people in  Think about what you want to get exactly  Organise it to be as efficient as possible  Remember that:  functionality = attack surface  KISS is a security feature in itself  The devil is in the details 
matt@volvent.com.au www.volvent.com.au twitter: @volvent
https://www.owasp.org/index.php/Category:OWASP_Top_Ten_Project http://g-laurent.blogspot.com.au/2009/08/wordpress-283-remote-admin-reset.html http://www.pentesterlab.com http://portswigger.net/burp/download.html https://www.owasp.org/index.php/Category:OWASP_Top_Ten_Project https://pentesterlab.com/talks/Ruxmon_Feb_2013-What_happened_to_Rails.pdf http://www.dsd.gov.au/infosec/top35mitigationstrategies.htm https://code.google.com/p/ruby-security/wiki/Guide http://www.auscert.org.au/render.html?cid=1 https://blogs.apache.org/infra/entry/apache_org_04_09_2010 http://www.microsoft.com/security/sdl/adopt/eop.aspx http://www.youtube.com/watch?v=vEqu5fk9rlE (Elevation of Privilege) http://talkback.volvent.org http://www.ruxmon.com http://www.ruxcon.org.au http://www.slideshare.net/mimeframe/ruxcon-2012-15195589

Empfohlen

Continuous Integration: Live Static Analysis with Puma Scan
Continuous Integration: Live Static Analysis with Puma ScanContinuous Integration: Live Static Analysis with Puma Scan
Continuous Integration: Live Static Analysis with Puma Scan
Cypress Data Defense
 
BSidesJXN 2017 - Improving Vulnerability Management
BSidesJXN 2017 - Improving Vulnerability ManagementBSidesJXN 2017 - Improving Vulnerability Management
BSidesJXN 2017 - Improving Vulnerability Management
Andrew McNicol
 
Software Security information security
Software Security information securitySoftware Security information security
Software Security information security
mubeen arshad
 
Advanced Malware Analysis Training Session 3 - Botnet Analysis Part 2
Advanced Malware Analysis Training Session 3 - Botnet Analysis Part 2Advanced Malware Analysis Training Session 3 - Botnet Analysis Part 2
Advanced Malware Analysis Training Session 3 - Botnet Analysis Part 2
securityxploded
 
Automated In-memory Malware/Rootkit Detection via Binary Analysis and Machin...
Automated In-memory Malware/Rootkit Detection via Binary Analysis and Machin...Automated In-memory Malware/Rootkit Detection via Binary Analysis and Machin...
Automated In-memory Malware/Rootkit Detection via Binary Analysis and Machin...
Malachi Jones
 
ANOTHER BRICK OFF THE WALL: DECONSTRUCTING WEB APPLICATION FIREWALLS USING AU...
ANOTHER BRICK OFF THE WALL: DECONSTRUCTING WEB APPLICATION FIREWALLS USING AU...ANOTHER BRICK OFF THE WALL: DECONSTRUCTING WEB APPLICATION FIREWALLS USING AU...
ANOTHER BRICK OFF THE WALL: DECONSTRUCTING WEB APPLICATION FIREWALLS USING AU...
Ioannis Stais
 
Server Side Template Injection by Mandeep Jadon
Server Side Template Injection by Mandeep JadonServer Side Template Injection by Mandeep Jadon
Server Side Template Injection by Mandeep Jadon
Mandeep Jadon
 
Http Parameter Pollution, a new category of web attacks
Http Parameter Pollution, a new category of web attacksHttp Parameter Pollution, a new category of web attacks
Http Parameter Pollution, a new category of web attacks
Stefano Di Paola
 

Empfohlen

Continuous Integration: Live Static Analysis with Puma Scan
Continuous Integration: Live Static Analysis with Puma ScanContinuous Integration: Live Static Analysis with Puma Scan
Continuous Integration: Live Static Analysis with Puma Scan
Cypress Data Defense
 
BSidesJXN 2017 - Improving Vulnerability Management
BSidesJXN 2017 - Improving Vulnerability ManagementBSidesJXN 2017 - Improving Vulnerability Management
BSidesJXN 2017 - Improving Vulnerability Management
Andrew McNicol
 
Software Security information security
Software Security information securitySoftware Security information security
Software Security information security
mubeen arshad
 
Advanced Malware Analysis Training Session 3 - Botnet Analysis Part 2
Advanced Malware Analysis Training Session 3 - Botnet Analysis Part 2Advanced Malware Analysis Training Session 3 - Botnet Analysis Part 2
Advanced Malware Analysis Training Session 3 - Botnet Analysis Part 2
securityxploded
 
Automated In-memory Malware/Rootkit Detection via Binary Analysis and Machin...
Automated In-memory Malware/Rootkit Detection via Binary Analysis and Machin...Automated In-memory Malware/Rootkit Detection via Binary Analysis and Machin...
Automated In-memory Malware/Rootkit Detection via Binary Analysis and Machin...
Malachi Jones
 
ANOTHER BRICK OFF THE WALL: DECONSTRUCTING WEB APPLICATION FIREWALLS USING AU...
ANOTHER BRICK OFF THE WALL: DECONSTRUCTING WEB APPLICATION FIREWALLS USING AU...ANOTHER BRICK OFF THE WALL: DECONSTRUCTING WEB APPLICATION FIREWALLS USING AU...
ANOTHER BRICK OFF THE WALL: DECONSTRUCTING WEB APPLICATION FIREWALLS USING AU...
Ioannis Stais
 
Server Side Template Injection by Mandeep Jadon
Server Side Template Injection by Mandeep JadonServer Side Template Injection by Mandeep Jadon
Server Side Template Injection by Mandeep Jadon
Mandeep Jadon
 
Http Parameter Pollution, a new category of web attacks
Http Parameter Pollution, a new category of web attacksHttp Parameter Pollution, a new category of web attacks
Http Parameter Pollution, a new category of web attacks
Stefano Di Paola
 
Vulnerabilities in data processing levels
Vulnerabilities in data processing levelsVulnerabilities in data processing levels
Vulnerabilities in data processing levels
beched
 
BlueHat v18 || Protecting the protector, hardening machine learning defenses ...
BlueHat v18 || Protecting the protector, hardening machine learning defenses ...BlueHat v18 || Protecting the protector, hardening machine learning defenses ...
BlueHat v18 || Protecting the protector, hardening machine learning defenses ...
BlueHat Security Conference
 
Reversing & Malware Analysis Training Part 11 - Exploit Development [Advanced]
Reversing & Malware Analysis Training Part 11 - Exploit Development [Advanced]Reversing & Malware Analysis Training Part 11 - Exploit Development [Advanced]
Reversing & Malware Analysis Training Part 11 - Exploit Development [Advanced]
securityxploded
 
DEFCON 21: EDS: Exploitation Detection System WP
DEFCON 21: EDS: Exploitation Detection System WPDEFCON 21: EDS: Exploitation Detection System WP
DEFCON 21: EDS: Exploitation Detection System WP
Amr Thabet
 
DEFCON 21: EDS: Exploitation Detection System Slides
DEFCON 21: EDS: Exploitation Detection System SlidesDEFCON 21: EDS: Exploitation Detection System Slides
DEFCON 21: EDS: Exploitation Detection System Slides
Amr Thabet
 
Brief introduction into Padding Oracle attack vector
Brief introduction into Padding Oracle attack vectorBrief introduction into Padding Oracle attack vector
Brief introduction into Padding Oracle attack vector
Payampardaz
 
Automatic tool for static analysis
Automatic tool for static analysisAutomatic tool for static analysis
Automatic tool for static analysis
Chong-Kuan Chen
 
hackcon2013-Dirty Little Secrets They Didn't Teach You In Pentesting Class v2
hackcon2013-Dirty Little Secrets They Didn't Teach You In Pentesting Class v2hackcon2013-Dirty Little Secrets They Didn't Teach You In Pentesting Class v2
hackcon2013-Dirty Little Secrets They Didn't Teach You In Pentesting Class v2
Chris Gates
 
Reading Group Presentation: Web Attacks on Host-Proof Encrypted Storage
Reading Group Presentation: Web Attacks on Host-Proof Encrypted StorageReading Group Presentation: Web Attacks on Host-Proof Encrypted Storage
Reading Group Presentation: Web Attacks on Host-Proof Encrypted Storage
Michael Rushanan
 
Basic buffer overflow part1
Basic buffer overflow part1Basic buffer overflow part1
Basic buffer overflow part1
Payampardaz
 
How to really obfuscate your pdf malware
How to really obfuscate your pdf malwareHow to really obfuscate your pdf malware
How to really obfuscate your pdf malware
zynamics GmbH
 
JProfiler / an introduction
JProfiler / an introductionJProfiler / an introduction
JProfiler / an introduction
Tommaso Torti
 
Search for Vulnerabilities Using Static Code Analysis
Search for Vulnerabilities Using Static Code AnalysisSearch for Vulnerabilities Using Static Code Analysis
Search for Vulnerabilities Using Static Code Analysis
Andrey Karpov
 
Stuxnet redux. malware attribution & lessons learned
Stuxnet redux. malware attribution & lessons learnedStuxnet redux. malware attribution & lessons learned
Stuxnet redux. malware attribution & lessons learned
Yury Chemerkin
 
Exploitation techniques and fuzzing
Exploitation techniques and fuzzingExploitation techniques and fuzzing
Exploitation techniques and fuzzing
G Prachi
 
Filar seymour oreilly_bot_story_
Filar seymour oreilly_bot_story_Filar seymour oreilly_bot_story_
Filar seymour oreilly_bot_story_
EndgameInc
 
Stack-Based Buffer Overflows
Stack-Based Buffer OverflowsStack-Based Buffer Overflows
Stack-Based Buffer Overflows
Daniel Tumser
 
Reversing malware analysis training part11 exploit development advanced
Reversing malware analysis training part11 exploit development advancedReversing malware analysis training part11 exploit development advanced
Reversing malware analysis training part11 exploit development advanced
Cysinfo Cyber Security Community
 
Reversing malware analysis training part4 assembly programming basics
Reversing malware analysis training part4 assembly programming basicsReversing malware analysis training part4 assembly programming basics
Reversing malware analysis training part4 assembly programming basics
Cysinfo Cyber Security Community
 
HTTP Parameter Pollution (HPP) - SEaCURE.it edition
HTTP Parameter Pollution (HPP) - SEaCURE.it editionHTTP Parameter Pollution (HPP) - SEaCURE.it edition
HTTP Parameter Pollution (HPP) - SEaCURE.it edition
Luca Carettoni
 
Microtemicroteach_demo.ESCUDERO-KAREM.ppt
Microtemicroteach_demo.ESCUDERO-KAREM.pptMicrotemicroteach_demo.ESCUDERO-KAREM.ppt
Microtemicroteach_demo.ESCUDERO-KAREM.ppt
UPLA
 
Bookreport
BookreportBookreport
Bookreport
nayeli8a
 

Weitere ähnliche Inhalte

Was ist angesagt?

Vulnerabilities in data processing levels
Vulnerabilities in data processing levelsVulnerabilities in data processing levels
Vulnerabilities in data processing levels
beched
 
BlueHat v18 || Protecting the protector, hardening machine learning defenses ...
BlueHat v18 || Protecting the protector, hardening machine learning defenses ...BlueHat v18 || Protecting the protector, hardening machine learning defenses ...
BlueHat v18 || Protecting the protector, hardening machine learning defenses ...
BlueHat Security Conference
 
How to really obfuscate your pdf malware
How to really obfuscate your pdf malwareHow to really obfuscate your pdf malware
How to really obfuscate your pdf malware
zynamics GmbH
 
JProfiler / an introduction
JProfiler / an introductionJProfiler / an introduction
JProfiler / an introduction
Tommaso Torti
 
Stuxnet redux. malware attribution & lessons learned
Stuxnet redux. malware attribution & lessons learnedStuxnet redux. malware attribution & lessons learned
Stuxnet redux. malware attribution & lessons learned
Yury Chemerkin
 
HTTP Parameter Pollution (HPP) - SEaCURE.it edition
HTTP Parameter Pollution (HPP) - SEaCURE.it editionHTTP Parameter Pollution (HPP) - SEaCURE.it edition
HTTP Parameter Pollution (HPP) - SEaCURE.it edition
Luca Carettoni
 

Was ist angesagt? (20)

Vulnerabilities in data processing levels
Vulnerabilities in data processing levelsVulnerabilities in data processing levels
Vulnerabilities in data processing levels
 
BlueHat v18 || Protecting the protector, hardening machine learning defenses ...
BlueHat v18 || Protecting the protector, hardening machine learning defenses ...BlueHat v18 || Protecting the protector, hardening machine learning defenses ...
BlueHat v18 || Protecting the protector, hardening machine learning defenses ...
 
Reversing & Malware Analysis Training Part 11 - Exploit Development [Advanced]
Reversing & Malware Analysis Training Part 11 - Exploit Development [Advanced]Reversing & Malware Analysis Training Part 11 - Exploit Development [Advanced]
Reversing & Malware Analysis Training Part 11 - Exploit Development [Advanced]
 
DEFCON 21: EDS: Exploitation Detection System WP
DEFCON 21: EDS: Exploitation Detection System WPDEFCON 21: EDS: Exploitation Detection System WP
DEFCON 21: EDS: Exploitation Detection System WP
 
DEFCON 21: EDS: Exploitation Detection System Slides
DEFCON 21: EDS: Exploitation Detection System SlidesDEFCON 21: EDS: Exploitation Detection System Slides
DEFCON 21: EDS: Exploitation Detection System Slides
 
Brief introduction into Padding Oracle attack vector
Brief introduction into Padding Oracle attack vectorBrief introduction into Padding Oracle attack vector
Brief introduction into Padding Oracle attack vector
 
Automatic tool for static analysis
Automatic tool for static analysisAutomatic tool for static analysis
Automatic tool for static analysis
 
hackcon2013-Dirty Little Secrets They Didn't Teach You In Pentesting Class v2
hackcon2013-Dirty Little Secrets They Didn't Teach You In Pentesting Class v2hackcon2013-Dirty Little Secrets They Didn't Teach You In Pentesting Class v2
hackcon2013-Dirty Little Secrets They Didn't Teach You In Pentesting Class v2
 
Reading Group Presentation: Web Attacks on Host-Proof Encrypted Storage
Reading Group Presentation: Web Attacks on Host-Proof Encrypted StorageReading Group Presentation: Web Attacks on Host-Proof Encrypted Storage
Reading Group Presentation: Web Attacks on Host-Proof Encrypted Storage
 
Basic buffer overflow part1
Basic buffer overflow part1Basic buffer overflow part1
Basic buffer overflow part1
 
How to really obfuscate your pdf malware
How to really obfuscate your pdf malwareHow to really obfuscate your pdf malware
How to really obfuscate your pdf malware
 
JProfiler / an introduction
JProfiler / an introductionJProfiler / an introduction
JProfiler / an introduction
 
Search for Vulnerabilities Using Static Code Analysis
Search for Vulnerabilities Using Static Code AnalysisSearch for Vulnerabilities Using Static Code Analysis
Search for Vulnerabilities Using Static Code Analysis
 
Stuxnet redux. malware attribution & lessons learned
Stuxnet redux. malware attribution & lessons learnedStuxnet redux. malware attribution & lessons learned
Stuxnet redux. malware attribution & lessons learned
 
Exploitation techniques and fuzzing
Exploitation techniques and fuzzingExploitation techniques and fuzzing
Exploitation techniques and fuzzing
 
Filar seymour oreilly_bot_story_
Filar seymour oreilly_bot_story_Filar seymour oreilly_bot_story_
Filar seymour oreilly_bot_story_
 
Stack-Based Buffer Overflows
Stack-Based Buffer OverflowsStack-Based Buffer Overflows
Stack-Based Buffer Overflows
 
Reversing malware analysis training part11 exploit development advanced
Reversing malware analysis training part11 exploit development advancedReversing malware analysis training part11 exploit development advanced
Reversing malware analysis training part11 exploit development advanced
 
Reversing malware analysis training part4 assembly programming basics
Reversing malware analysis training part4 assembly programming basicsReversing malware analysis training part4 assembly programming basics
Reversing malware analysis training part4 assembly programming basics
 
HTTP Parameter Pollution (HPP) - SEaCURE.it edition
HTTP Parameter Pollution (HPP) - SEaCURE.it editionHTTP Parameter Pollution (HPP) - SEaCURE.it edition
HTTP Parameter Pollution (HPP) - SEaCURE.it edition
 

Andere mochten auch

Bookreport
BookreportBookreport
Bookreport
nayeli8a
 
Trabajo excel
Trabajo excelTrabajo excel
Trabajo excel
nayeli8a
 
Tutorial del blog (repaired)
Tutorial del blog (repaired)Tutorial del blog (repaired)
Tutorial del blog (repaired)
nayeli8a
 
Tiend afinal
Tiend afinalTiend afinal
Tiend afinal
nayeli8a
 
Tipos de rede sword
Tipos de rede swordTipos de rede sword
Tipos de rede sword
nayeli8a
 
Airtel ES Case Study 2
Airtel ES Case Study 2Airtel ES Case Study 2
Airtel ES Case Study 2
Airtel India
 
Airtel ES Case Study 1
Airtel ES Case Study 1Airtel ES Case Study 1
Airtel ES Case Study 1
Airtel India
 
Fichas word
Fichas wordFichas word
Fichas word
nayeli8a
 

Andere mochten auch (17)

Microtemicroteach_demo.ESCUDERO-KAREM.ppt
Microtemicroteach_demo.ESCUDERO-KAREM.pptMicrotemicroteach_demo.ESCUDERO-KAREM.ppt
Microtemicroteach_demo.ESCUDERO-KAREM.ppt
 
Bookreport
BookreportBookreport
Bookreport
 
Shooting clay pidgins
Shooting clay pidginsShooting clay pidgins
Shooting clay pidgins
 
I’m going to go... stalk... Lenny and Carl...
I’m going to go... stalk... Lenny and Carl...I’m going to go... stalk... Lenny and Carl...
I’m going to go... stalk... Lenny and Carl...
 
Trabajo excel
Trabajo excelTrabajo excel
Trabajo excel
 
Sifting through twitter
Sifting through twitterSifting through twitter
Sifting through twitter
 
Tutorial del blog (repaired)
Tutorial del blog (repaired)Tutorial del blog (repaired)
Tutorial del blog (repaired)
 
Tiend afinal
Tiend afinalTiend afinal
Tiend afinal
 
Tipos de rede sword
Tipos de rede swordTipos de rede sword
Tipos de rede sword
 
Foros vs
Foros vsForos vs
Foros vs
 
Airtel ES Case Study 2
Airtel ES Case Study 2Airtel ES Case Study 2
Airtel ES Case Study 2
 
Mobile energy efficiency and the indian industry
Mobile energy efficiency and the indian industryMobile energy efficiency and the indian industry
Mobile energy efficiency and the indian industry
 
Airtel ES Case Study 1
Airtel ES Case Study 1Airtel ES Case Study 1
Airtel ES Case Study 1
 
Framework for Running Minimum Viable Tests (MVT)
Framework for Running Minimum Viable Tests (MVT)Framework for Running Minimum Viable Tests (MVT)
Framework for Running Minimum Viable Tests (MVT)
 
Safety Management Systems - Workshop - DGCA SAG Members
Safety Management Systems - Workshop - DGCA SAG MembersSafety Management Systems - Workshop - DGCA SAG Members
Safety Management Systems - Workshop - DGCA SAG Members
 
Fichas word
Fichas wordFichas word
Fichas word
 
Updated - Safety Management Systems - Workshop - DGCA SAG Members - As Presented
Updated - Safety Management Systems - Workshop - DGCA SAG Members - As PresentedUpdated - Safety Management Systems - Workshop - DGCA SAG Members - As Presented
Updated - Safety Management Systems - Workshop - DGCA SAG Members - As Presented
 

Ähnlich wie Real-World WebAppSec Flaws - Examples and Countermeasues

The Anatomy of Java Vulnerabilities (Devoxx UK 2017)
The Anatomy of Java Vulnerabilities (Devoxx UK 2017)The Anatomy of Java Vulnerabilities (Devoxx UK 2017)
The Anatomy of Java Vulnerabilities (Devoxx UK 2017)
Steve Poole
 
Measuring Your Code
Measuring Your CodeMeasuring Your Code
Measuring Your Code
Nate Abele
 
Measuring Your Code 2.0
Measuring Your Code 2.0Measuring Your Code 2.0
Measuring Your Code 2.0
Nate Abele
 
Penetration testing, What’s this?
Penetration testing, What’s this?Penetration testing, What’s this?
Penetration testing, What’s this?
Dmitry Evteev
 
Effective approaches to web application security
Effective approaches to web application security Effective approaches to web application security
Effective approaches to web application security
Zane Lackey
 
OWASP_Top_Ten_Proactive_Controls_v2.pptx
OWASP_Top_Ten_Proactive_Controls_v2.pptxOWASP_Top_Ten_Proactive_Controls_v2.pptx
OWASP_Top_Ten_Proactive_Controls_v2.pptx
johnpragasam1
 
OWASP_Top_Ten_Proactive_Controls_v2.pptx
OWASP_Top_Ten_Proactive_Controls_v2.pptxOWASP_Top_Ten_Proactive_Controls_v2.pptx
OWASP_Top_Ten_Proactive_Controls_v2.pptx
azida3
 
Native client (Евгений Эльцин)
Native client (Евгений Эльцин)Native client (Евгений Эльцин)
Native client (Евгений Эльцин)
Ontico
 

Ähnlich wie Real-World WebAppSec Flaws - Examples and Countermeasues (20)

Advanced Malware Analysis Training Session 2 - Botnet Analysis Part 1
Advanced Malware Analysis Training Session 2 - Botnet Analysis Part 1 Advanced Malware Analysis Training Session 2 - Botnet Analysis Part 1
Advanced Malware Analysis Training Session 2 - Botnet Analysis Part 1
 
Whittaker How To Break Software Security - SoftTest Ireland
Whittaker How To Break Software Security - SoftTest IrelandWhittaker How To Break Software Security - SoftTest Ireland
Whittaker How To Break Software Security - SoftTest Ireland
 
Effectiveness of AV in Detecting Web Application Backdoors
Effectiveness of AV in Detecting Web Application BackdoorsEffectiveness of AV in Detecting Web Application Backdoors
Effectiveness of AV in Detecting Web Application Backdoors
 
Chapter 2 program-security
Chapter 2 program-securityChapter 2 program-security
Chapter 2 program-security
 
The Anatomy of Java Vulnerabilities (Devoxx UK 2017)
The Anatomy of Java Vulnerabilities (Devoxx UK 2017)The Anatomy of Java Vulnerabilities (Devoxx UK 2017)
The Anatomy of Java Vulnerabilities (Devoxx UK 2017)
 
Measuring Your Code
Measuring Your CodeMeasuring Your Code
Measuring Your Code
 
Measuring Your Code 2.0
Measuring Your Code 2.0Measuring Your Code 2.0
Measuring Your Code 2.0
 
Penetration testing, What’s this?
Penetration testing, What’s this?Penetration testing, What’s this?
Penetration testing, What’s this?
 
Static Code Analysis
Static Code AnalysisStatic Code Analysis
Static Code Analysis
 
Two-For-One Talk: Malware Analysis for Everyone
Two-For-One Talk: Malware Analysis for EveryoneTwo-For-One Talk: Malware Analysis for Everyone
Two-For-One Talk: Malware Analysis for Everyone
 
Malware Analysis Made Simple
Malware Analysis Made SimpleMalware Analysis Made Simple
Malware Analysis Made Simple
 
Sembang2 Keselamatan It 2004
Sembang2 Keselamatan It 2004Sembang2 Keselamatan It 2004
Sembang2 Keselamatan It 2004
 
Effective approaches to web application security
Effective approaches to web application security Effective approaches to web application security
Effective approaches to web application security
 
Operations: Production Readiness Review – How to stop bad things from Happening
Operations: Production Readiness Review – How to stop bad things from HappeningOperations: Production Readiness Review – How to stop bad things from Happening
Operations: Production Readiness Review – How to stop bad things from Happening
 
DevSecCon Talk: An experiment in agile Threat Modelling
DevSecCon Talk: An experiment in agile Threat ModellingDevSecCon Talk: An experiment in agile Threat Modelling
DevSecCon Talk: An experiment in agile Threat Modelling
 
An experiment in agile threat modelling
An experiment in agile threat modellingAn experiment in agile threat modelling
An experiment in agile threat modelling
 
OWASP_Top_Ten_Proactive_Controls version 2
OWASP_Top_Ten_Proactive_Controls version 2OWASP_Top_Ten_Proactive_Controls version 2
OWASP_Top_Ten_Proactive_Controls version 2
 
OWASP_Top_Ten_Proactive_Controls_v2.pptx
OWASP_Top_Ten_Proactive_Controls_v2.pptxOWASP_Top_Ten_Proactive_Controls_v2.pptx
OWASP_Top_Ten_Proactive_Controls_v2.pptx
 
OWASP_Top_Ten_Proactive_Controls_v2.pptx
OWASP_Top_Ten_Proactive_Controls_v2.pptxOWASP_Top_Ten_Proactive_Controls_v2.pptx
OWASP_Top_Ten_Proactive_Controls_v2.pptx
 
Native client (Евгений Эльцин)
Native client (Евгений Эльцин)Native client (Евгений Эльцин)
Native client (Евгений Эльцин)
 

Real-World WebAppSec Flaws - Examples and Countermeasues

  • 1. Examples and Countermeasures Sydney WebApps Meetup: Security - March
  • 2.  Started off doing web-dev, sysadmin, programming 90‟s Traditional web-dev Modern web-dev Now
  • 3.  Started off doing web-dev, sysadmin, programming 90‟s  Have been doing security research for 10+ years Traditional  Designing/developing custom sec-tech. web-dev  Security assessments (code review, pentesting, etc.)  Consulting related to security defense, etc. Modern web-dev Now
  • 4.  Started off doing web-dev, sysadmin, programming 90‟s  Have been doing security research for 10+ years Traditional  Designing/developing custom sec-tech. web-dev  Security assessments (code review, pentesting, etc.)  Consulting related to security defense, etc.  Over the past several years, the term „web‟ has well and truly changed, and now encompasses:  HTML-based user-interfaces for apps  Mobile phone applications Modern  Web-based SaaS, web-services, etc. web-dev Now  ChromeOS, etc.
  • 5. Text-book code examples: … and Top 10‟s / stats: BAD! Some exploitation tricks/demos:
  • 6. However: • Text-book vulnerable code (e.g. SQL injection) is not so common • Flaws are becoming more complicated (or at least abstracted)
  • 7. However: • Text-book vulnerable code (e.g. SQL injection) is not so common • Flaws are becoming more complicated (or at least abstracted) • Showing exploitation of vulnerabilities is useful to illustrate the risk • But also takes away from explaining how these bugs surface
  • 8. However: • Text-book vulnerable code (e.g. SQL injection) is not so common • Flaws are becoming more complicated (or at least abstracted) • Showing exploitation of vulnerabilities is useful to illustrate the risk • But also takes away from explaining how these bugs surface • Vulnerability statistics can be interesting • But can also be quite misleading
  • 9.  Provide example flaws based on recent web-related assessments  Often developers making a small (sometimes understandable) mistake
  • 10.  Provide example flaws based on recent web-related assessments  Often developers making a small (sometimes understandable) mistake  Run through several defensive steps  A few processes and mitigation methods to consider  General guidance, recommended reading, etc.
  • 11.  Provide example flaws based on recent web-related assessments  Often developers making a small (sometimes understandable) mistake  Run through several defensive steps  A few processes and mitigation methods to consider  General guidance, recommended reading, etc.  I have only have 20 minutes for this, but I‟ll be touching on quite a lot  These slides will be put online with all of the references, links, etc.  Also happy to chat about any of this over a drink 
  • 12. Interpretation • Languages/compilers behaviors and annoying technicalities Logic Flaws • Logic issues that don‟t have an immediate security impact Technology Layers • How technology layers can have interesting technicalities Defensive Measures • Several approaches to help manage webapp risks
  • 13. Languages/compilers behaviors and annoying technicalities
  • 14. Use case: Select and upload a binary and receive analysis results
  • 15. Technology Functionality Test Cases
  • 16. Technology Functionality Test Cases PHP & Apache Web Upload & Compile Test & Linux Execute Binary Case Sets
  • 17. 1. How is the PHP Upload working? 1. How is the uploaded file stored? 2. How are file extensions validated? Technology Functionality Test Cases 3. … 2. How is it executing the binary? 1. Queued in a database? 2. via PHP popen(), system()? 3. Pushing to other web-services? 4. … PHP & Apache Web Upload & Compile Test 3. What is returned to the user? & Linux Execute Binary Case Sets 1. Is user-controlled input correctly encoded (filename, etc.) 2. … 4. …
  • 18.  About 10 minutes we were about here:
  • 19.  Another test-case looked like this:
  • 20.  Another test-case looked like this: oh snap.
  • 21. A few minutes later…  Pop a www-user shell over a reliable and encrypted channel  Determine the entry-point flaw  Start a white-box code review of the application  Start a review of the host environment and surrounding infrastructure
  • 23. Simplified Code The Bug  param is attacker-controlled  param is not explicitly cast as a numeric value, thus:  param = „0.1‟ = PASS  param = „1.1‟ = FAIL  param = „and hi‟ = FAIL  param = „1.1 and hi‟ = FAIL  param = „0.1 and hi‟ = PASS  Resulting in arbitrary command execution on the system
  • 24. Simplified Code Explanation  param is attacker-controlled  param is validated as a numeric value between 0 and 1  param = „0.1‟ = PASS  param = „1.1‟ = FAIL  param = „and hi‟ = FAIL  param = „1.1 and hi‟ = FAIL  param = „0.1 and hi‟ = FAIL  The shellescapearg() function is also used to escape the argument to popen()
  • 25. This example is a bit dumb, but:
  • 26. This example is a bit dumb, but: The Bug  strcmp() accepts two strings and returns 0 if they match  The return value of strcmp() is checked using the type-unsafe equality operator of „==„  If either parameter is not a string (for example an array) strcmp() will fail and return 0/NULL
  • 27. The Fix Explanation  strcmp() accepts two strings and returns 0 if they match  The return value of strcmp() is checked using the type-safe equality operator of „===„
  • 28.  A lot of higher level languages are quite lax about data-types  This is dangerous for web-languages and affects many applications  Be explicit and remove assumptions about data-types
  • 29.  A lot of higher level languages are quite lax about data-types  This is dangerous for web-languages and affects many applications  Be explicit and remove assumptions about data-types  A common trend is for developers to lower their guard post-validation  “This user-controlled data is now trusted” is a very dangerous assumption
  • 30.  A lot of higher level languages are quite lax about data-types  This is dangerous for web-languages and affects many applications  Be explicit and remove assumptions about data-types  A common trend is for developers to lower their guard post-validation  “This user-controlled data is now trusted” is a very dangerous assumption  It can be dangerous hopping between programming languages  Programmers of different backgrounds make various (risky) assumptions  Get proficient at the languages you spend most time in  Every single language has its “gotchas” to be aware of
  • 31. How logic flaws can be much more serious than a security hole
  • 32.  Use case: Select an item and pay for it
  • 33.  The interface performed (adequate) client-side and server-side validations
  • 34.  Later on, discovered an (almost) identical interface
  • 35.  Later on, discovered an (almost) identical interface Oh, snap
  • 36. Explanation Payment Resource  Virtually identical payment resources were A implemented separately Payment  One (the lesser visible) resource missed a Gateway server-side validation for negative sums Bridge  The flaw allowed an attacker to credit an arbitrary account (i.e. receive money) Payment Resource B
  • 37.  “Safe” applications can still suffer from application-specific risks  This was a relatively well written .NET application with minimal security risks  Yet, this single logic bug raised more immediate concern than if I had popped a shell
  • 38.  “Safe” applications can still suffer from application-specific risks  This was a relatively well written .NET application with minimal security risks  Yet, this single logic bug raised more immediate concern than if I had popped a shell  The nature of new software functional requirements should be treated with caution  Hacked on components/interfaces without proper system and integration analysis
  • 39.  “Safe” applications can still suffer from application-specific risks  This was a relatively well written .NET application with minimal security risks  Yet, this single logic bug raised more immediate concern than if I had popped a shell  The nature of new software functional requirements should be treated with caution  Hacked on components/interfaces without proper system and integration analysis  There are huge risks when critical validation/integration isn‟t centralized  Often has a higher chance of inconsistent validation rules  Makes it more expensive and inefficient to both implement and later fix issues  Less efficient to review critical code when it‟s scattered erratically
  • 40. How technology layers can have interesting technicalities
  • 41.  Data transferring from higher level A couple of basic examples: languages down to the OS-level introduce certain risks  Technicalities such as how NULL bytes are treated for certain functions affect almost all languages  .NET/Java  iOS Applications  PHP, …  So far this year have found such issues in two jobs (.NET and Java)  Arbitrary file write to full server compromise
  • 42.  XSS is very common and affecting more technologies and devices  UIWebView in iOS, etc.  Many interesting attacks possible  Attacking internal network infra.  Triggering client-side vulnerabilities  Targeted phishing attacks that are executing specific payloads  Increasingly used for decently executed targeted attacks  Such as using XSS to own apache.org
  • 43.  Secure, Open, Convenient  Pick two   Frameworks are great for many obvious reasons  It‟s clear frameworks do help limit or remove certain risks  But there‟s a lot of functionality that‟s supported and/or exposed  Ruby on Rails is a recent target by researchers  It will take some time for it to mature  Louis from PentesterLab gave a great overview on the recent issues
  • 44. Methods to help strengthen your web-app security
  • 45.  Mitigations are about raising the cost of an attack  Try avoiding things that add an attack surface (e.g. WAF‟s)  Explicit inbound/outbound network trusts should be part of provisioning  End-point threats affect almost everyone these days  Review the DSD‟s Top 35  See what big targets are doing:  Facebook talk from Ruxcon
  • 46. Threat Modeling  It‟s important to spend some time to think about your potential adversaries  Threats aren‟t just bots and kids scanning your network and webapps  People focusing on your apps  Social engineering (remote or physical)  Internal staff  (the list goes on...)  A basic way to get started in-house is to try Microsoft‟s card-game ! 
  • 47.  Unfortunately, it‟s still common for things to be out of date/vulnerable  Subscribe to a freely available vulnerability alerting service  Regularly review your external internet presence and services  Try to lean on auto. updates, or test with a prod clone with them enabled to see if things break  If it‟s not essential, don‟t run it
  • 48.  During code reviews I usually map out developer comments  Frequency of comments vs. mood  The use of specific keywords (e.g. XXX, TODO, dropping the f-bomb)  Instead of venting in code, keep a risk register for risky/uncertain spots  Have a peer-review process and/or periodically bring in an external specialist to help go over it
  • 49.  Some basic changes to QA testing can pick up some low-hanging fruit  Fixing issues internally during development is a lot cheaper  Lots of excellent resources for learning and testing, such as PentesterLab.com  There are good guides for different languages, such as the Ruby guide by Meder@Google
  • 50.  Keep up with research relevant to you, there‟s new things every day  I develop a tool called „Talkback‟ that tracks news/research  There are free monthly seminars called „Ruxmon‟ in Sydney  Consider attending the annual Ruxcon security conference in Melbourne
  • 51.  Bugs happen. It‟s okay.   Dedicate some time to think about:  Your potential threats  How you can introduce security tests during your development lifecycle  If you get external security people in  Think about what you want to get exactly  Organise it to be as efficient as possible  Remember that:  functionality = attack surface  KISS is a security feature in itself  The devil is in the details 
  • 53. https://www.owasp.org/index.php/Category:OWASP_Top_Ten_Project http://g-laurent.blogspot.com.au/2009/08/wordpress-283-remote-admin-reset.html http://www.pentesterlab.com http://portswigger.net/burp/download.html https://www.owasp.org/index.php/Category:OWASP_Top_Ten_Project https://pentesterlab.com/talks/Ruxmon_Feb_2013-What_happened_to_Rails.pdf http://www.dsd.gov.au/infosec/top35mitigationstrategies.htm https://code.google.com/p/ruby-security/wiki/Guide http://www.auscert.org.au/render.html?cid=1 https://blogs.apache.org/infra/entry/apache_org_04_09_2010 http://www.microsoft.com/security/sdl/adopt/eop.aspx http://www.youtube.com/watch?v=vEqu5fk9rlE (Elevation of Privilege) http://talkback.volvent.org http://www.ruxmon.com http://www.ruxcon.org.au http://www.slideshare.net/mimeframe/ruxcon-2012-15195589