anant kochhar _revealing_the_secrets - clubhack2009
TRANSCRIPT
Page 1
Revealing the Secrets:
Source Code Disclosure, Techniques, and Impacts
Page 2
I am…
Anant Kochhar, Senior Information Security Consultant with SecurEyes
Project Manager and Researcher
Malware Detection Techniques and
Real World Cracker Techniques
Page 3
Unique Insecurities…
Each developer is unique
Each application is unique
Each application is uniquely insecure.
Each developer is uniquely insecure.
Page 4
Source Code Disclosure Types
Accidental Code Disclosure
Backup and Misc. Files
The Dirty Download Page
Page 5
Accidental Disclosure
Part of the Source Code is available in the HTML source code.
When Dynamic pages are turned into Static pages: like from ‘.asp’ to ‘.html’
Coders don’t remove the ASP code before publishing the HTML page.
Why? Because IE is very forgiving.
Page 6
Google- Looking in a domain which claims to have ALL ‘audited’ sites
“mdb” “server.createobject” OR “server.mappath” site:???.??
Page 7
In IE
Page 8
In Mozilla Firefox
Page 9
Voila…
Page 10
How to avoid it…
Don’t be careless. – Go through the HTML source code of every page
before it is published online.
Use both IE and Firefox to test a page.
Page 11
Backup and Misc. Files
Source Codes stored in readable formats.
Coders save backup files in the website’s hosting folders.
Zipped files, ‘.bak’ extensions etc.
Coders often use bad extensions- like ‘.inc’- for ‘included’ configuration files.
Page 12
How to discover…
Directory Listings.
Disclosure in HTML Source (Rare)
Other non-standard techniques.
Page 13
Google-The same secured domain
“zip” “parent directory” site:???.??
Page 14
Directory Listing Enabled- All ‘internal pages’ visible
Page 15
Interesting Folder: Election_asp
Interesting File: Database Connection
Page 16
Backup File of Election_asp: Election_asp.zip
Page 17
All ASP Files…including Database Connection File
Page 18
Database username and password in the database connection file
Page 19
How to avoid it…
Disable Directory Listing
Don’t use the Hosting space as a storage space.
Name all ‘.inc’ files as ‘.inc.php’ or ‘.inc.asp’ files to make them inaccessible.
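The two ‘how to avoid it’ lists above (review every static page’s HTML source before publishing; keep backups, archives and bare ‘.inc’ files out of the hosting folder) can be turned into a check that runs before deployment. The PHP script below is an added example, not code from the talk: it walks a web root, flags files by the extensions and backup-name patterns the talk describes, and scans .htm/.html pages for leftover ‘<% %>’ ASP or ‘<?php’ tags. The extension list, the backup-name patterns and the command-line usage are my assumptions.

```php
<?php
// Added example, not part of the talk: a CLI audit that walks a web root and
// flags what the talk says leaks source code. Assumed: the web root path is
// given as the first argument (defaults to the current directory).

// Extensions the engine will serve as plain text or as a download rather
// than execute: archives, backup copies, bare '.inc' includes, databases.
// (Assumed list; extend it for the site's own tooling.)
const RISKY_EXTENSIONS = ['zip', 'rar', 'tar', 'gz', '7z', 'bak', 'old', 'orig', 'inc', 'sql', 'mdb'];

// Static page extensions that should contain no server-side code at all.
const STATIC_PAGE_EXTENSIONS = ['htm', 'html'];

// Decide, from the file name alone, whether a file is a backup/misc leak.
function classify_name(string $name): ?string
{
    $lower = strtolower($name);
    $ext = pathinfo($lower, PATHINFO_EXTENSION);
    if (in_array($ext, RISKY_EXTENSIONS, true)) {
        return "risky extension .$ext";
    }
    // Editor backups (user_login.php~) and renamed copies (user_login.php.txt).
    // A file renamed to '.inc.php' keeps the '.php' suffix and is not flagged.
    if (substr($lower, -1) === '~' || preg_match('/\.(php|asp|aspx|jsp)\.\w+$/', $lower)) {
        return 'backup copy of a script';
    }
    return null;
}

// Look inside a static page for server-side tags left in when a dynamic page
// was turned into a static one (the "accidental disclosure" case above).
function scan_static_page(string $path): ?string
{
    $html = file_get_contents($path);
    if ($html === false) {
        return null;
    }
    if (preg_match('/<%[\s\S]*?%>/', $html)) {
        return 'ASP code block left in static HTML';
    }
    if (preg_match('/<\?php\b/i', $html)) {
        return 'PHP code block left in static HTML';
    }
    return null;
}

// Walk the tree and collect findings as path => reason.
function audit_webroot(string $root): array
{
    $findings = [];
    $iterator = new RecursiveIteratorIterator(
        new RecursiveDirectoryIterator($root, FilesystemIterator::SKIP_DOTS)
    );
    foreach ($iterator as $file) {
        $name = $file->getFilename();
        $reason = classify_name($name);
        $ext = strtolower(pathinfo($name, PATHINFO_EXTENSION));
        if ($reason === null && in_array($ext, STATIC_PAGE_EXTENSIONS, true)) {
            $reason = scan_static_page($file->getPathname());
        }
        if ($reason !== null) {
            $findings[$file->getPathname()] = $reason;
        }
    }
    return $findings;
}

$findings = audit_webroot($argv[1] ?? '.');
foreach ($findings as $path => $reason) {
    printf("%s\t%s\n", $path, $reason);
}
// Non-zero exit so a publish step can refuse to deploy while findings remain.
exit($findings === [] ? 0 : 1);
```

Run it as `php audit_webroot.php /path/to/webroot` from the deploy step. It does not replace disabling directory listing on the server, which is a server setting rather than something the files themselves can fix; it only catches the files that a listing would expose.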
Page 20
The Dirty Download Page
Better known as ‘Insecure Direct Object Ref.’
Paper in December 2007: http://secureyes.net/downloads/Source_Code_Disclosure_over_HTTP.pdf
Many white hats have contacted me regarding it.
Translated into Spanish- which is flattering and scary
Not the target audience.
Page 21
The Comment… “look on the internet for such pages…”
Page 22
How An Engine Works
Diagram: the User’s Browser requests URL /user_login.php; on the Server, the PHP Engine processes User_login.php from the Application Root Folder and returns only the HTML part of User_login.php to the browser.
Page 23
The site’s root folder
Page 24
http://www.vulnerable123.com/1.doc
Page 25
Internal Affairs…
Diagram: the User’s Browser requests URL /1.doc; the Server locates 1.doc in the Application Root Folder and returns 1.doc as-is, without the PHP Engine processing it.
Page 26
The Other Method…
Stream the static content files through a dynamic page:
1) Filename passed as a parameter to the dynamic page- hereafter called the ‘download’ page.
2) The download page looks for the file in the hosting folder
3) And upon finding it, streams it to the user’s browser.
Page 27
http://www.vulnerable123.com/download_file.php?filename=1.doc
Page 28
Internal Affairs 2
Diagram: the User’s Browser requests URL /download_file.php?filename=1.doc; the PHP Engine runs Download_file.php, which reads 1.doc from the Application Root Folder and streams 1.doc back to the browser.
Page 29
The Exploit…
Change the filename parameter’s value to user_login.php:
Will it be processed by the engine before being streamed?
No! The engine does not process a single request twice. It will simply stream the source code file ‘user_login.php’!
Page 30
http://www.vulnerable123.com/download_file.php?filename=user_login.php
Page 31
Internal Affairs 3
Diagram: the User’s Browser requests URL /download_file.php?filename=user_login.php; the PHP Engine runs Download_file.php, which reads User_login.php from the Application Root Folder and streams the user_login.php source code file back to the browser.
Page 32
Pattern
A URL which contains:
A Dynamic Page extension: ext:php OR ext:jsp OR ext:asp OR ext:aspx
A Static File extension in the URL (somewhere): inurl:doc OR inurl:pdf OR inurl:xls OR inurl:txt OR inurl:ppt OR inurl:htm
Page 33
Pattern (contd.)
Combining:
inurl:doc OR inurl:pdf OR inurl:xls OR inurl:txt OR inurl:ppt ext:php OR ext:jsp OR ext:asp OR ext:aspx
Page 34
Google Result Page
Lots of false positives
Page 35
Patterns (contd.)
Search can be restricted to a site or a domain: site:vulnerable123.com
Finding the Dirty Download Page in www.vulnerable123.com:
inurl:doc OR inurl:pdf OR inurl:xls OR inurl:txt OR inurl:ppt ext:php OR ext:jsp OR ext:asp OR ext:aspx site:vulnerable123.com
Page 36
Voila…
Page 37
Unique Case of Java Sites- Directory Listing through the download page
Page 38
Recommended Resolutions
Indirectly refer internal objects.
For example, index the downloadable files, and pass index numbers instead of file names.
File extension validation can be bypassed: Null Byte Injection
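The ‘dirty download page’ walked through in Internal Affairs 2 and 3, placed next to the indirect-reference version the Recommended Resolutions call for, as an added PHP example that is not code from the talk. The download folder /var/www/downloads, the id parameter, the lookup table and the file names in it are my assumptions; the point it shows is that once the client supplies an index rather than a name, there is no file name and no extension check left for null byte injection to get past.

```php
<?php
// Added example, not from the talk. Two versions of a PHP download page.
// Assumed layout: downloadable files live in /var/www/downloads, outside
// the document root, and are referred to by an integer id.

// --- The dirty download page: the request names the file directly.
function dirty_download(string $filename): void
{
    // No validation: ?filename=user_login.php streams the PHP source, because
    // the engine runs download_file.php and does not process the file it reads
    // a second time. Bolting an extension allow-list onto this is not a fix
    // either: the talk notes it can be bypassed with null byte injection.
    $path = __DIR__ . '/' . $filename;   // hosting folder is the document root
    if (!is_file($path)) {
        http_response_code(404);
        return;
    }
    header('Content-Type: application/octet-stream');
    header('Content-Disposition: attachment; filename="' . basename($filename) . '"');
    readfile($path);
}

// --- Hardened page: indirect object reference.
// The client never supplies a path; it supplies an index into this table.
// (Assumed constants and entries for the example.)
const DOWNLOAD_DIR = '/var/www/downloads';
const DOWNLOADS = [
    1 => ['file' => '1.doc',      'mime' => 'application/msword'],
    2 => ['file' => 'report.pdf', 'mime' => 'application/pdf'],
];

// Map an id to its table entry, or null when no such download exists.
function resolve_download(int $id): ?array
{
    return DOWNLOADS[$id] ?? null;
}

function safe_download(string $rawId): void
{
    // Only a decimal integer is accepted, so there is no file name and no
    // extension check for a null byte to get past.
    if ($rawId === '' || !ctype_digit($rawId)) {
        http_response_code(400);
        return;
    }
    $entry = resolve_download((int) $rawId);
    if ($entry === null) {
        http_response_code(404);
        return;
    }
    // The path is built from the server-side table only.
    $path = DOWNLOAD_DIR . '/' . $entry['file'];
    if (!is_file($path)) {
        http_response_code(404);
        return;
    }
    header('Content-Type: ' . $entry['mime']);
    header('X-Content-Type-Options: nosniff');
    header('Content-Disposition: attachment; filename="' . $entry['file'] . '"');
    readfile($path);
}

// download_file.php?id=1 serves 1.doc; any other value is rejected.
safe_download($_GET['id'] ?? '');
```

Keeping the download folder outside the document root is the second half of the fix: even if the table is wrong, nothing in it is a script the engine would otherwise have run, and nothing under the document root is reachable through the page at all.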
Page 39
Contact me: anant.kochhar[at]secureyes[dot]net