Application Security: Science or Quality Assurance?
Nazar Tymoshyk, Ph.D., Security Consultant, R&D at SoftServe

Famous Security Professionals
• Richard Stallman
• Robert Morris
• Linus Torvalds
• Tsutomu Shimomura
• Stephen Wozniak

Famous “Security Professionals”
• Adrian Lamo
• Kevin Mitnick
• Gary McKinnon
• Kevin Poulsen
• Jonathan James

What about famous QA professionals?
To be a security bug hunter: so you know where to move ;)

Security is also a metric of Software Quality
“The simple truth is that catching security holes earlier costs an organization less to remediate, which makes good business sense.”

QA Engineer: in functional and performance testing, the expected results are documented before the test begins, and the quality assurance team looks at how well the expected results match the actual results.
Security Analyst: in security testing, the quality assurance team is concerned only with unexpected results and testing for the unknown.

Weapon
• Passion
• Persistence
• Research
• Tools
• Guides
• Checklists
• Collaboration and team work

“IT security and quality assurance working together are exponentially more powerful.
The result will be a more security-oriented QA department and a more quality-oriented IT security department, which will help remove more risk and provide better continuity.”

OWASP
• SAMM
• WAF
• Development Guide
• Testing Guide
• ASVS
Microsoft approach

Testing security with tools
• Core Impact
• Burp
• Acunetix WVS
• w3af
• HP WebInspect
• OWASP ZAP
• IBM Rational AppScan
• OWASP Mantra

DEMO: let’s test a small web-site with commercial and free tools, applying a science approach.
Get tools from: http://goo.gl/eHl2u
Targets: http://192.168.195.34, http://192.168.195.80

Smashing the app
Remote code execution is one of the most dangerous vulnerabilities in web-apps. How to achieve this goal:
• Upload scripts to the server
• Remote File Inclusion (RFI)
• Local File Inclusion (LFI)

Unrestricted file upload
File upload vulnerability: allows a remote attacker to upload files or scripts with special content or an arbitrary extension to the server. The vulnerability exists because file-extension validation is implemented incorrectly. Incorrect methods of validating the extension of an uploaded file:
• Validating the MIME type of the uploaded file instead of validating the file extension
• Black-list extension validation
• Other errors…
Insecure web-server or application-server configuration also plays an important role.

Upload your shell: changing the MIME type
Validation sample:

    <?php
    $imageTypes = array("image/gif", "image/jpg", "image/png");
    if(isset($_FILES["image"])) {
        // the "type" field is whatever the client sent in the multipart request
        if(!in_array($_FILES["image"]["type"], $imageTypes)) {
            die("Hacking Attempt!");
        }
        copy($_FILES["image"]["tmp_name"], "images/{$_FILES["image"]["name"]}");
    }
    ?>

Problem: it is easy to change the type of the file, because it is set by the browser in the HTTP request, and every variable that is set by the browser can easily be changed by the user.
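An added example, not code from the slides, of the server-side counterpart to that problem: the browser-supplied type is compared with what the fileinfo extension reads from the bytes on disk, the client-supplied name is held to an anchored white-list (the kind the later slides recommend), and the file is stored under a server-generated name. The function names, the image directory and the demo upload record are assumptions constructed for the example.

```php
<?php
// Added example, not code from the slides: upload validation that ignores the browser-supplied
// MIME type. Function names and the demo input are constructed for this example.

// Anchored white-list for the client-supplied name: ^ and $ make the whole name match,
// so a name like shell.jpg.php cannot slip through on a substring.
function name_is_allowed(string $name): bool
{
    return preg_match('#^[a-z0-9_-]+\.(jpg|jpeg|png|gif)$#i', $name) === 1;
}

// Inspect the bytes on disk with the fileinfo extension instead of trusting $_FILES[...]["type"].
function content_is_image(string $path): bool
{
    $finfo = new finfo(FILEINFO_MIME_TYPE);
    $mime  = $finfo->file($path);
    return $mime !== false && in_array($mime, ['image/jpeg', 'image/png', 'image/gif'], true);
}

// Validate one $_FILES entry and store it under a server-generated name; returns the stored
// path or null. move_uploaded_file() refuses files that did not arrive via HTTP POST.
function store_image(array $file, string $dir): ?string
{
    if ($file['error'] !== UPLOAD_ERR_OK || !name_is_allowed($file['name'])
        || !content_is_image($file['tmp_name'])) {
        return null;
    }
    $ext  = strtolower(pathinfo($file['name'], PATHINFO_EXTENSION));
    $dest = rtrim($dir, '/') . '/' . bin2hex(random_bytes(16)) . '.' . $ext;
    return move_uploaded_file($file['tmp_name'], $dest) ? $dest : null;
}

// Constructed demo: a PHP file submitted under an image name with a spoofed Content-Type.
$tmp = tempnam(sys_get_temp_dir(), 'up');
file_put_contents($tmp, "<?php echo 'not an image'; ?>");
$upload = ['name' => 'shell.jpg', 'type' => 'image/jpeg', 'tmp_name' => $tmp, 'error' => UPLOAD_ERR_OK];

$browserTypes = ['image/gif', 'image/jpeg', 'image/png'];
var_dump(in_array($upload['type'], $browserTypes, true)); // the header the client chose to send
var_dump(content_is_image($upload['tmp_name']));          // what is actually on disk
var_dump(store_image($upload, sys_get_temp_dir()));       // rejected before anything is moved
var_dump(name_is_allowed('shell.jpg.php'), name_is_allowed('photo.jpg'));
unlink($tmp);
```

The slide's list uses "image/jpg"; browsers send "image/jpeg", which is also what fileinfo reports, so the example uses that value.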
Content validation

Black list: wrong way

    <?php
    if(isset($_FILES["image"])) {
        // rejects only the listed extensions; any other executable extension passes
        if(preg_match('#\.((php)|(php3)|(php4)|(php5))$#i', $_FILES["image"]["name"])) {
            die("Hacking Attempt!");
        }
        copy($_FILES["image"]["tmp_name"], "images/{$_FILES["image"]["name"]}");
    }
    ?>

Regular expressions

    <?php
    if(isset($_FILES["image"])) {
        // unanchored: matches ".jpg" anywhere in the name
        if(preg_match('#\.jpg#i', $_FILES["image"]["name"])) {
            copy($_FILES["image"]["tmp_name"], "images/{$_FILES["image"]["name"]}");
        }
    }
    ?>

In this sample the name of the uploaded file is checked for the string .jpg. But the regular expression is not anchored: the control symbol $, which indicates end of line, is missing. As a result the file shell.jpg.php will be uploaded successfully.

Right way: white-list validation

    <?php
    if(isset($_FILES["image"])) {
        // anchored with ^ and $: the whole name must be safe characters plus an allowed extension
        if(preg_match('#^[a-z0-9-_]+\.((jpg)|(png)|(bmp))$#i', $_FILES["image"]["name"])) {
            move_uploaded_file($_FILES["image"]["tmp_name"], "images/{$_FILES["image"]["name"]}");
        }
    }
    ?>

Local File Inclusion
Local File Inclusion allows including local files on the remote server and executing arbitrary code.
Reason: incorrect validation of the linked file, vulnerable server configuration.
Successful LFI exploitation has three main tasks:
• Removing the postfix
• Directory traversal
• Searching for files for code injection

Directory Traversal
Filtration can prevent directory traversal. Very often developers apply filtration of ../ :

    <?php
    // a single, non-recursive replacement
    include(str_replace("../", "", $_GET["page"]).".inc");
    ?>

../../../etc/passwd --> Filtration --> etc/passwd --> fail
But such filtration is not enough, because it is not recursive:
..././..././..././etc/passwd --> Filtration --> ../../../etc/passwd --> profit

Secure Validation
Secure validation: validate the filename for service symbols.

    <?php
    $page = $_GET["page"];   // the slide omits this assignment; added so the sample is complete
    if(preg_match('#[^a-z0-9-_]#i', $page)) {
        die("Hacking Attempt!");
    }
    include("{$page}.inc");
    ?>

In this sample, if we try to include a file whose name contains symbols other than A-Z, a-z, 0-9, «-» and «_», execution of the PHP script is interrupted.
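The two traversal inputs from the slides run through the non-recursive filter, a recursive variant, and the white-list check, as an added example that is not part of the original slides. The resolve_page() helper and its page list are assumptions constructed for the example; it goes one step beyond the slides by mapping the parameter onto a fixed set of known pages and confirming the resolved path stays inside the include directory.

```php
<?php
// Added example, not code from the slides. Function names and the page list are constructed.

// The slide's filter: a single pass of str_replace, so "..././" collapses into "../".
function naive_filter(string $page): string
{
    return str_replace("../", "", $page);
}

// Repeating the replacement until nothing changes closes that gap, but it is still a
// black-list: it only knows about "../" and says nothing about where the result may point.
function recursive_filter(string $page): string
{
    do {
        $before = $page;
        $page   = str_replace("../", "", $page);
    } while ($page !== $before);
    return $page;
}

// The slide's secure validation: any symbol outside [a-z0-9_-] rejects the whole value.
function page_is_safe(string $page): bool
{
    return preg_match('#[^a-z0-9_-]#i', $page) === 0;
}

// One step further: accept only names from a fixed list and confirm the resolved path
// still lies under the include directory before it is handed to include().
function resolve_page(string $page, string $baseDir): ?string
{
    $known = ['home', 'about', 'contact'];   // constructed list of pages this app serves
    if (!page_is_safe($page) || !in_array(strtolower($page), $known, true)) {
        return null;
    }
    $base = realpath($baseDir);
    $path = realpath($baseDir . '/' . strtolower($page) . '.inc');
    if ($base === false || $path === false || strpos($path, $base . DIRECTORY_SEPARATOR) !== 0) {
        return null;
    }
    return $path;
}

// Constructed inputs: the two values from the slide plus a legitimate page name.
foreach (['../../../etc/passwd', '..././..././..././etc/passwd', 'about'] as $p) {
    printf("%-30s naive: %-22s recursive: %-12s safe: %s\n",
        $p, naive_filter($p), recursive_filter($p), page_is_safe($p) ? 'yes' : 'no');
}
```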
So, how to become a Security Analyst?
• Use OWASP research
• Ask and share
• Samurai WTF
• Participate in the community, talk on Security Hole

Feedback & Questions
Contact Nazar: skype: root_nt, email: root.nt@gmail.com
Presentation & files: http://goo.gl/eHl2u
Leave your feedback: http://goo.gl/FW4ar
Join OWASP Lviv: https://www.owasp.org/index.php/Lviv