Code review
The Problem
17,394 ColdFusion source files
Many hacked together in place
Variety of skilled and unskilled developers
  – Many of whom don’t work here anymore
Mostly no test versions
  – Not allowed to poke things (unlike attackers)
OWASP Top 10
Provides a focus for training and review
Initial focus on:
  – Code execution
  – SQL injection
  – XSS
Methodology
Track third-level directories in a huge Google Sheet
  – Owner
  – Reviewer
  – Most serious exploit
  – Status
“Code Review” day
No automated code review tools for ColdFusion, so…
Mechanical Turk
Recruited students on the Cyber Security MSc
Can quickly teach someone to spot flaws in ColdFusion
  – “ColdFusion for Pentesters”
  – “Deconstructing ColdFusion”
Decidedly more challenging with complex Java apps
Inability to recreate environment
  – Makes fixing harder
What did we find?
Arbitrary file upload
  – Additional misconfiguration allowing access to all web scripts and DB passwords
29 “apps” with SQL injection (mix of public and authenticated)
33 with XSS (mix of stored and reflected)
A few “generate arbitrary e-mail” scripts
Downloadable source code with passwords in (wrong extension, zip files, etc.)
Username stored in cookies
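The talk notes that no automated code review tools existed for ColdFusion and that the reviewers were hunting for a handful of recurring patterns (SQL built by string interpolation, request data echoed into pages, unrestricted uploads, usernames in cookies). The following Python script is an added example, not code from the presentation or from the University's review: a small regex triage scanner that flags those constructs in a CFML file and picks a "most serious" rule to fill the spreadsheet column. The CFML sample, the rule names and the severity order are all constructed for this example.

```python
import re
from typing import Dict, List

# Constructed CFML sample (not from the presentation): each construct the
# reviewers looked for, paired where possible with its safer form.
SAMPLE_CFM = """\
<cfquery name="q1" datasource="app">
  SELECT * FROM users WHERE id = #url.id#
</cfquery>
<cfquery name="q2" datasource="app">
  SELECT * FROM users WHERE id = <cfqueryparam value="#url.id#" cfsqltype="cf_sql_integer">
</cfquery>
<cfoutput>Hello #form.name#</cfoutput>
<cfoutput>Hello #encodeForHTML(form.name)#</cfoutput>
<cffile action="upload" filefield="doc" destination="#expandPath('./uploads')#" nameconflict="makeunique">
<cfcookie name="username" value="#form.name#" expires="never">
"""

# Ranking used to fill a "most serious exploit" column; the order is an
# assumption of this example, not the talk's.
SEVERITY = ["upload", "sqli", "xss", "cookie"]

CFQUERY_RE = re.compile(r"<cfquery\b[^>]*>(.*?)</cfquery>", re.I | re.S)
CFQUERYPARAM_RE = re.compile(r"<cfqueryparam\b[^>]*>", re.I)
INTERP_RE = re.compile(r"#[^#]+#")  # any #expression# left inside the SQL text
CFOUTPUT_RE = re.compile(r"<cfoutput\b[^>]*>(.*?)</cfoutput>", re.I | re.S)
RAW_OUTPUT_RE = re.compile(r"#\s*(form|url|cookie|cgi)\.\w+\s*#", re.I)  # unencoded echo
UPLOAD_RE = re.compile(r"<cffile\b[^>]*\baction\s*=\s*[\"']upload[\"'][^>]*>", re.I)
ACCEPT_RE = re.compile(r"\baccept\s*=", re.I)
COOKIE_RE = re.compile(r"<cfcookie\b[^>]*\bname\s*=\s*[\"'](?:user|username|login)[\"'][^>]*>", re.I)


def _line_of(source: str, pos: int) -> int:
    return source.count("\n", 0, pos) + 1


def _finding(source: str, m: "re.Match", rule: str) -> Dict:
    return {"line": _line_of(source, m.start()), "rule": rule,
            "snippet": m.group(0).strip().splitlines()[0][:80]}


def scan_cfml(source: str) -> List[Dict]:
    """Return suspicious constructs in one CFML file, ordered by line."""
    findings: List[Dict] = []
    for m in CFQUERY_RE.finditer(source):
        # Interpolation that survives after stripping cfqueryparam tags is
        # concatenated straight into the SQL string.
        if INTERP_RE.search(CFQUERYPARAM_RE.sub("", m.group(1))):
            findings.append(_finding(source, m, "sqli"))
    for m in CFOUTPUT_RE.finditer(source):
        # form./url./cookie. values written out without an encoder call.
        if RAW_OUTPUT_RE.search(m.group(1)):
            findings.append(_finding(source, m, "xss"))
    for m in UPLOAD_RE.finditer(source):
        # An upload tag with no accept= at all needs a human look.
        if not ACCEPT_RE.search(m.group(0)):
            findings.append(_finding(source, m, "upload"))
    for m in COOKIE_RE.finditer(source):
        # A cookie literally named after the user identity.
        findings.append(_finding(source, m, "cookie"))
    return sorted(findings, key=lambda f: f["line"])


def most_serious(findings: List[Dict]) -> str:
    """Highest-ranked rule present, or '' when the file looks clean."""
    present = {f["rule"] for f in findings}
    return next((r for r in SEVERITY if r in present), "")


if __name__ == "__main__":
    results = scan_cfml(SAMPLE_CFM)
    for f in results:
        print(f"line {f['line']:>3}  {f['rule']:<7} {f['snippet']}")
    print("most serious:", most_serious(results))
```

Run it over a directory with a loop around `scan_cfml(open(path).read())` and you get one row per file for the sheet. It is a triage aid, not proof: it misses `queryExecute()` in cfscript and values copied out of `url` into a local variable before use, and the presence of `accept=` on an upload does not clear it, since that check only looks at a client-supplied MIME type. Each flagged line still needs the reviewer the slide describes.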
What will you find?
Spoiler: It’s not going to be that different
Really serious stuff
Disable code
Fix web server config
Competent responsible owner
Let the owner know a breakdown of the issues
Offer them our training course
Meet up with people
  – People start coming to you
Everything else
Asking people to fix their code? No.
Asking if we could fix their code? No.
Promising to remove their code in two weeks? Sort of.
  – Surprisingly little resistance
  – Or consequence
Webapp Security Training
Full-day course offered to developers across the University
Theory and practical “hacking” exercises
  – DVWA running in VirtualBox
  – sqlmap
Find out in advance which languages the attendees use
Embedding code review
Automated, continuous deployment with Jenkins
Code review with Review Board
  – Helps get more developers familiar with the code
  – Gets two pairs of eyes on security
Lightweight, but effective
Questions?