Date posted: 23-Jan-2015
Application Security - Science or Quality Assurance?
Nazar Tymoshyk, Ph.D., Security Consultant, R&D at SoftServe
Famous Security Professionals
Richard Stallman, Linus Torvalds, Tsutomu Shimomura, Stephen Wozniak
Famous “Security Professionals”
Robert Morris, Jonathan James, Kevin Mitnick, Kevin Poulsen, Adrian Lamo, Gary McKinnon
What about famous QA professionals?
Security is also a metric of software quality
“The simple truth is that catching security holes earlier costs an
organization less to remediate, which makes good business sense. ”
So you know where to move ;)
QA Engineer vs. Security Analyst
In security testing, the quality assurance team is concerned only with unexpected results and with testing for the unknown.
In functional and performance testing, the expected results are documented before the test begins, and the quality assurance team looks at how well the expected results match the actual results.
Weapons
Checklists, Tools, Guides
Passion, Persistence, Research
Collaboration and Team work
“IT security and quality assurance working together are exponentially more powerful. The result will be a more security-oriented QA department and a more quality-oriented IT security department, which will help remove more risk and provide better continuity.”
OWASP: Testing Guide, Development Guide, ASVS, WAF, SAMM
Microsoft approach
Testing security with tools
Acunetix WVS
Burp
w3af
IBM Rational AppScan
Core Impact
HP WebInspect
OWASP ZAP
OWASP Mantra
DEMO: Let’s test a small web-site with commercial and free tools
Applying a scientific approach
Targets: http://192.168.195.34 and http://192.168.195.80
Get tools from: http://goo.gl/eHl2u
Remote code execution – one of the most dangerous vulnerabilities in web apps
How to achieve it:
• Upload scripts to the server
• Remote File Inclusion (RFI)
• Local File Inclusion (LFI)
Smashing the app
Unrestricted file upload
Unrestricted file upload is a vulnerability that allows a remote attacker to upload a file/script with attacker-chosen content or an arbitrary extension to the server.
It exists because file-extension validation is implemented incorrectly.
Incorrect methods of validating the extension of an uploaded file:
• Validating the MIME type of the uploaded file instead of its extension
• Black-list extension validation
• Other errors…
Insecure web-server/application-server configuration also plays an important role.
Upload your shell
Changing the MIME type
Validation sample:
```php
<?php
// Vulnerable: trusts the Content-Type the client put in the multipart body.
$imageTypes = array("image/gif", "image/jpg", "image/png");
if (isset($_FILES["image"])) {
    if (!in_array($_FILES["image"]["type"], $imageTypes)) {
        die("Hacking Attempt!");
    }
    // The client-supplied name (and therefore its extension) is used unchanged.
    copy($_FILES["image"]["tmp_name"], "images/{$_FILES["image"]["name"]}");
}
?>
```
Problem: it is easy to change the type of the file, because $_FILES["image"]["type"] is taken from the Content-Type the browser sends in the HTTP request. Every value that is set by the browser can be changed by the user, for example with an intercepting proxy such as Burp.
Content validation
Black list: Wrong way
```php
<?php
// Black list of script extensions: any extension not listed (for example
// .phtml) still gets through, and the client-supplied name is used unchanged.
if (isset($_FILES["image"])) {
    if (preg_match('#\.((php)|(php3)|(php4)|(php5))$#i', $_FILES["image"]["name"])) {
        die("Hacking Attempt!");
    }
    copy($_FILES["image"]["tmp_name"], "images/{$_FILES["image"]["name"]}");
}
?>
```
Regular expressions
```php
<?php
// Checks only that ".jpg" occurs somewhere in the name: no ^ or $ anchor.
if (isset($_FILES["image"])) {
    if (preg_match('#\.jpg#i', $_FILES["image"]["name"])) {
        copy($_FILES["image"]["tmp_name"], "images/{$_FILES["image"]["name"]}");
    }
}
?>
```
In this sample the name of the uploaded file is checked for the string .jpg, but the regular expression does not do what was intended: the control symbol $, which anchors the match to the end of the string, is missing.
As a result the file shell.jpg.php is uploaded successfully.
Note that adding the $ anchor alone is not the whole fix: on an Apache server where PHP is mapped with AddHandler, mod_mime evaluates every extension in the name, so shell.php.jpg can still be executed. That is the server-configuration side mentioned above.
White list validation: Right way
```php
<?php
// White list: letters, digits, "-" or "_", then exactly one allowed image
// extension, anchored at both ends of the name.
if (isset($_FILES["image"])) {
    if (preg_match('#^[a-z0-9_-]+\.((jpg)|(png)|(bmp))$#i', $_FILES["image"]["name"])) {
        // move_uploaded_file() also refuses anything that was not a real upload.
        move_uploaded_file($_FILES["image"]["tmp_name"], "images/{$_FILES["image"]["name"]}");
    }
}
?>
```
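The following is an added example and not code from the original slides. It runs the deck's three extension checks (black list, unanchored .jpg match, anchored white list) against a set of constructed attacker file names so the bypasses above can be seen side by side, and then shows a hardened handler that trusts neither the client-supplied name nor the Content-Type. The upload directory /var/app/uploads, the $_FILES key "image" and the file names are assumptions for this demo.

```php
<?php
// Added example, not code from the original slides: compares the deck's three
// extension checks on constructed file names and shows a hardened handler.
// The upload directory, the $_FILES key "image" and the names are assumptions.
declare(strict_types=1);

// 1. Black list of PHP extensions (the "wrong way" slide).
function blacklist_ok(string $name): bool
{
    return preg_match('#\.((php)|(php3)|(php4)|(php5))$#i', $name) === 0;
}

// 2. Unanchored ".jpg" check (the "regular expressions" slide).
function unanchored_jpg_ok(string $name): bool
{
    return preg_match('#\.jpg#i', $name) === 1;
}

// 3. Anchored white list (the "right way" slide).
function whitelist_ok(string $name): bool
{
    return preg_match('#^[a-z0-9_-]+\.((jpg)|(png)|(bmp))$#i', $name) === 1;
}

// Hardened handler: validates the bytes, chooses its own file name and writes
// outside the document root, so nothing the client chose reaches the disk.
function store_image_upload(array $file, string $uploadDir): string
{
    if (($file['error'] ?? UPLOAD_ERR_NO_FILE) !== UPLOAD_ERR_OK
        || !is_uploaded_file($file['tmp_name'])) {
        throw new RuntimeException('no valid upload');
    }
    // Type is decided from the bytes via libmagic, not from $_FILES['type'].
    $allowed = ['image/jpeg' => 'jpg', 'image/png' => 'png', 'image/gif' => 'gif'];
    $mime = (new finfo(FILEINFO_MIME_TYPE))->file($file['tmp_name']);
    if (!is_string($mime) || !isset($allowed[$mime])) {
        throw new RuntimeException('disallowed content type');
    }
    // Second, independent parse: getimagesize() returns false for non-images.
    if (@getimagesize($file['tmp_name']) === false) {
        throw new RuntimeException('not a parseable image');
    }
    // Random server-chosen name; the extension follows the detected content.
    $target = rtrim($uploadDir, '/') . '/' . bin2hex(random_bytes(16)) . '.' . $allowed[$mime];
    if (!move_uploaded_file($file['tmp_name'], $target)) {
        throw new RuntimeException('move failed');
    }
    return $target;
}

if (PHP_SAPI === 'cli') {
    // Constructed file names an attacker might send in the multipart body.
    $names = [
        'photo.jpg',        // benign
        'shell.php',        // plain script
        'shell.jpg.php',    // trailing .php slips past the unanchored .jpg check
        'shell.php.jpg',    // only dangerous where the server honours double extensions
        'shell.phtml',      // not in the black list, often mapped to PHP anyway
        '../../shell.jpg',  // traversal in the name survives both weak checks
    ];
    printf("%-18s %-10s %-11s %s\n", 'filename', 'blacklist', 'unanchored', 'whitelist');
    foreach ($names as $n) {
        printf("%-18s %-10s %-11s %s\n", $n,
            blacklist_ok($n) ? 'accept' : 'reject',
            unanchored_jpg_ok($n) ? 'accept' : 'reject',
            whitelist_ok($n) ? 'accept' : 'reject');
    }
} elseif (isset($_FILES['image'])) {
    echo store_image_upload($_FILES['image'], '/var/app/uploads'), "\n";
}
```

Run it from the command line to print the comparison table; behind a web server it acts as the upload handler. Even a well-formed JPEG can carry PHP in a comment segment, so the content checks refuse junk but do not make a file safe to execute; the real protection is that the server never executes anything from the upload directory (keep it outside the document root, or serve it with script execution disabled).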
Local File Inclusion
Local File Inclusion (LFI) allows an attacker to include local files on the remote server and execute arbitrary code.
Reason: incorrect validation of the included file name, vulnerable server configuration.
Successful LFI exploitation involves three main tasks:
• Removing the postfix (the extension the script appends, e.g. ".inc")
• Directory traversal
• Finding files into which code can be injected
Directory Traversal
Filtering can prevent directory traversal.
Very often developers apply filtering of ../:
```php
<?php include(str_replace("../", "", $_GET["page"]).".inc"); ?>
```
../../../etc/passwd --> filtering --> etc/passwd --> fail
But such filtering is not enough – it is not recursive, because str_replace makes a single pass:
..././..././..././etc/passwd --> filtering --> ../../../etc/passwd --> profit
Secure Validation
Secure validation – checking the file name for service symbols
```php
<?php
// The "page" parameter is assumed to come from the query string.
$page = $_GET["page"] ?? "";
// Reject any character outside A-Z, a-z, 0-9, "-" and "_".
if (preg_match('#[^a-z0-9_-]#i', $page)) {
    die("Hacking Attempt!");
}
include("{$page}.inc");
```
In this sample, if we try to include a file whose name contains any symbol other than A-Z, a-z, 0-9, «-» or «_», execution of the PHP script is interrupted.
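The following is an added example and not code from the original slides. It puts the slide's single str_replace("../") filter next to a repeat-until-stable variant and next to a canonical-path check built on realpath(), running all three over the traversal payloads from the slides plus one more variant. The throwaway pages directory under the system temp dir and the page name "about" are constructed for this demo.

```php
<?php
// Added example, not code from the original slides: compares the deck's
// single str_replace("../") filter with a repeat-until-stable variant and a
// canonical-path check. The temp pages directory and page names are constructed.
declare(strict_types=1);

// 1. The slide's filter: one non-recursive replacement.
function filter_once(string $page): string
{
    return str_replace('../', '', $page);
}

// 2. Repeating until nothing changes closes the "..././" trick, but it is
//    still a black list: absolute paths, ..\ on Windows and other encodings
//    are not covered.
function filter_recursive(string $page): string
{
    do {
        $before = $page;
        $page = str_replace('../', '', $page);
    } while ($page !== $before);
    return $page;
}

// 3. Canonicalise and require the result to stay inside $baseDir. realpath()
//    returns false for files that do not exist, so only real pages under the
//    directory resolve. Returns the path to include, or null to reject.
function resolve_page(string $baseDir, string $page): ?string
{
    if (strpos($page, "\0") !== false) {
        return null;   // a NUL byte would cut off the ".inc" postfix
    }
    $base = realpath($baseDir);
    $real = realpath($baseDir . '/' . $page . '.inc');
    if ($base === false || $real === false) {
        return null;
    }
    $prefix = $base . DIRECTORY_SEPARATOR;
    return strncmp($real, $prefix, strlen($prefix)) === 0 ? $real : null;
}

// Constructed attacker inputs: the two from the slide plus one more variant.
$inputs = [
    'about',
    '../../../etc/passwd',
    '..././..././..././etc/passwd',
    '....//....//....//etc/passwd',
];

// Weak filters: show which string would reach include().
foreach ($inputs as $in) {
    printf("%-32s once=%-24s recursive=%s\n", $in, filter_once($in), filter_recursive($in));
}

// Canonical check against a throwaway pages directory holding one real page.
$dir = sys_get_temp_dir() . '/pages_' . bin2hex(random_bytes(4));
mkdir($dir);
file_put_contents("$dir/about.inc", "<?php echo 'about page';\n");
foreach ($inputs as $in) {
    printf("%-32s -> %s\n", $in, resolve_page($dir, $in) ?? 'REJECTED');
}
unlink("$dir/about.inc");
rmdir($dir);
```

The first loop shows the single pass turning ..././ and ....// sequences back into ../ while the recursive variant does not, and the second loop shows that only "about" resolves to a path inside the pages directory. Where the set of pages is small and known, a fixed map from page name to file (with no filesystem path derived from user input at all) is simpler still; the realpath() check is the general fallback when that is not possible.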
So, how do you become a Security Analyst?
Use OWASP
Participate in the community
Ask and share
Research
Samurai WTF
Talk on Security Hole
Feedback & Questions
Leave your feedback: http://goo.gl/FW4ar
Contact Nazar: skype: root_nt, email: [email protected]
Join OWASP Lviv: https://www.owasp.org/index.php/Lviv
Presentation & Files: http://goo.gl/eHl2u