using logic flaws to steal data and how php can stab you in the back – frans rosén @ detectify
TRANSCRIPT
detectify
Knowledge Advisor, @detectify (@fransrosen)
Blogging at labs.detectify.com
HackerOne #1 https://hackerone.com/thanks
Hacked a bunch of companies:
etc…
Frans Rosén #cyber
PHP 5.2 #onceuponatime
echo round(2047.075, 2); //2047.08
echo round(2048.075, 2); //2048.07
BCMath to the rescue, or…
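One way to take the "BCMath to the rescue" route, as an added example that is not part of the slides: BCMath does exact decimal arithmetic on strings and truncates (never rounds) to the requested scale, so adding 5 in the next decimal place and truncating gives deterministic half-up rounding for non-negative amounts. The function names and the sample amounts are assumptions made for this example; the important caveat is that the amount must arrive as a decimal string (from the request or the database) and never pass through a float first.

```php
<?php
// Added example, not from the slides: half-up rounding of a decimal *string*
// with BCMath. bcadd() computes exactly and truncates to $scale, so
// amount + 0.00...5 truncated to $scale is round-half-up for amounts >= 0.
function bc_round_half_up(string $amount, int $scale): string
{
    if (!preg_match('/^\d+(\.\d+)?$/', $amount)) {
        throw new InvalidArgumentException('amount must be a non-negative decimal string');
    }
    // 0.5 * 10^-scale, e.g. "0.005" for scale 2
    $half = '0.' . str_repeat('0', $scale) . '5';
    return bcadd($amount, $half, $scale);
}

// Where possible keep money in integer minor units (cents); then no
// rounding is needed for sums and comparisons at all.
function to_cents(string $amount): int
{
    return (int) bcmul(bc_round_half_up($amount, 2), '100', 0);
}

// Constructed sample amounts, including the two from the slide.
foreach (['2047.075', '2048.075', '0.005', '19.999'] as $a) {
    printf("%-9s -> %s (%d cents)\n", $a, bc_round_half_up($a, 2), to_cents($a));
}
```

Both slide values round to .08 here, because the arithmetic is done on the decimal digits rather than on a binary float that cannot hold 2047.075 exactly.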
String Comparison #tomatotomáto
Thx: @homakov
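The comparison trap the slide refers to, as an added example that is not code from the talk: PHP's loose comparison (`==`) treats two strings that both parse as numbers as numbers, so distinct digests or tokens that happen to look numeric compare equal. The helper names and the sample strings are constructed for this example; the defensive fix is `===`, or `hash_equals()` for anything secret.

```php
<?php
// Added example, not from the slides: loose (==) versus strict (===)
// string comparison in PHP. The sample strings are constructed illustrations.

function loose_equal(string $a, string $b): bool
{
    return $a == $b;   // numeric-string comparison applies here
}

function strict_equal(string $a, string $b): bool
{
    return $a === $b;  // same type and same bytes only
}

// For secrets (session tokens, HMACs, reset codes) use hash_equals():
// strict, byte-wise and constant-time (PHP >= 5.6).
function token_equal(string $expected, string $provided): bool
{
    return hash_equals($expected, $provided);
}

$cases = [
    // two different hex digests that both read as 0 * 10^N
    ['0e111111111111111111111111111111', '0e999999999999999999999999999999'],
    // scientific notation versus plain decimal
    ['1e3', '1000'],
    // leading zeros are ignored numerically
    ['007', '7'],
    // ordinary text is unaffected
    ['abc', 'ABC'],
];

foreach ($cases as $pair) {
    list($a, $b) = $pair;
    printf("%-34s %-34s ==:%-5s ===:%-5s hash_equals:%s\n",
        $a, $b,
        var_export(loose_equal($a, $b), true),
        var_export(strict_equal($a, $b), true),
        var_export(token_equal($a, $b), true));
}
// In PHP < 8, a non-numeric string compared with the integer 0 ("abc" == 0)
// was also true; PHP 8 changed that rule, but numeric-string comparison stays.
```

The first three rows are equal under `==` and unequal under `===` and `hash_equals()`; only the last row is unequal everywhere. Any login, token or signature check written with `==` on strings inherits the first three rows.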
Business Impact #obvious
• Keys, Passwords
• Credit Card Data
• User Information / Email
• Invoices / Billing Data
Business Impact #notsoobvious
Numeric IDs for Order Receipts
“Not found” vs “No access”
Poll every day, you get analytics! $$$
Business Impact #evenworse
Change Delivery Address of an order.
Deleting another user’s information.
Reclaiming other user’s data. Gift Certificates anyone?
Why so few? #ohnoez
1. No secure access model.
“User X should only have access to A”
“User X that has access to A should only have access to B”
and so on…
Why so few? #ohnoez
2. Numeric IDs.
Enumerable/Sequential. Decrease value with 1 and try.
Easy to test. Easy to attack.
Do hashes instead! (Don’t just hash the numbers…)
Why so few? #ohnoez
3. Error messages show and tell.
“User X cannot view object owned by User Y”
“No access to this object” vs“Object does not exist”
Why so few? #ohnoez
4. Inconsistent ID sources.
/receipt/view/434
/receipt/?view=434
POST /receipt/view/ HTTP/1.1
receipt=434
Example – Twitter #bringpopcorn
Found by secgeek (Ahmed Aboul-Ela) https://hackerone.com/reports/27404
Credit Card deletion from other users.
Sequential IDs when deleting cards.
Bounty $2,800
Example – Square
Update other users / Get user info
ID as hashes, but visible using Google.
No check if user was in another company.
Bounty $3,000
https://hackerone.com/reports/23126
Example – Zapier
Get log-history from other user’s Zaps.
Contained sensitive information such as OAuth tokens / Credentials.
No access control for log entries.
Bounty $3,000
https://zapier.com/engineering/bug-bounty-program/
Example – WordPress
Get all users on a WordPress site.
blog.com/?author=1
WONTFIX by WordPress
http://hackertarget.com/wordpress-user-enumeration/
Doing it right. #hellyeh
2. Access model in routes or controllers.
Stick to it! Easy to miss.
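A controller-level access model that applies the four "Why so few?" points at once, as an added example that is not code from the talk: the id comes from one place only (the route), the owner is part of the lookup rather than a check bolted on afterwards, the public id is random rather than sequential, and "does not exist" and "not yours" get the same response. The repository, user ids and amounts are constructed; no particular framework is assumed (PHP >= 7.1 for the nullable return type).

```php
<?php
// Added example, not code from the talk: an owner-scoped receipt lookup.
// Store, user ids and amounts are constructed for the demonstration.

final class ReceiptRepository
{
    /** @var array<string, array> receipts keyed by an opaque public id */
    private $rows = [];

    public function create(int $ownerId, string $total): string
    {
        // Unguessable public id: 16 random bytes, hex-encoded (PHP >= 7.0).
        // Hashing a sequential number would still be enumerable; randomness is not.
        $id = bin2hex(random_bytes(16));
        $this->rows[$id] = ['owner' => $ownerId, 'total' => $total];
        return $id;
    }

    /** Ownership is part of the query itself, not a check added afterwards. */
    public function findForOwner(string $id, int $ownerId): ?array
    {
        if (!isset($this->rows[$id]) || $this->rows[$id]['owner'] !== $ownerId) {
            return null;   // "does not exist" and "not yours" are the same answer
        }
        return $this->rows[$id];
    }
}

final class ReceiptController
{
    private $repo;

    public function __construct(ReceiptRepository $repo)
    {
        $this->repo = $repo;
    }

    /**
     * GET /receipt/view/{id}: the id is read from the route parameter only.
     * Query-string or body variants of the same id are not accepted, so the
     * access rule has exactly one place where it must hold.
     */
    public function view(int $currentUserId, string $routeId): array
    {
        // Malformed ids get the same generic answer as missing ones.
        if (!preg_match('/^[0-9a-f]{32}$/', $routeId)) {
            return ['status' => 404, 'body' => 'Not found'];
        }
        $receipt = $this->repo->findForOwner($routeId, $currentUserId);
        if ($receipt === null) {
            return ['status' => 404, 'body' => 'Not found'];
        }
        return ['status' => 200, 'body' => $receipt];
    }
}

// Walk-through with constructed data: Alice owns a receipt, Bob does not.
$repo  = new ReceiptRepository();
$alice = 1;
$bob   = 2;
$aliceReceipt = $repo->create($alice, '2047.08');

$ctl = new ReceiptController($repo);
print_r($ctl->view($alice, $aliceReceipt));       // owner's own receipt
print_r($ctl->view($bob, $aliceReceipt));         // someone else's receipt
print_r($ctl->view($bob, str_repeat('0', 32)));   // id that was never issued
print_r($ctl->view($bob, '434'));                 // sequential-style guess
```

Only the first call returns status 200; the other three return byte-identical "Not found" responses, so a caller polling ids learns neither whether a receipt exists nor who owns it. Putting the owner into `findForOwner()` rather than checking it in each controller is what makes the rule hard to miss in the next route that is added.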
Quick repetition #eatsleepraverepeat
1. Careful with string comparison
2. IDORs are bad. Easy to exploit. Easy to find.
Exploited as we speak – worth $$$
3. Numeric IDs vs Hashes
4. Generic access model
5. Review your code!
THAT’S ALL FOLKS!
Questions?
by Frans Rosén (@fransrosen)
www.detectify.com