MA
Uploaded byMazin Ahmed
PPTX, PDF589 views

Backup-File Artifacts - OWASP Khartoum InfoSec Sessions 2016 - Mazin Ahmed

The document discusses backup file artifacts (BFA) and their potential to expose sensitive data and source code in web applications due to oversights by developers and the use of version control systems. It introduces 'bfac,' a tool for automated detection of such backup artifacts, and highlights the need for increased awareness and security measures to mitigate these vulnerabilities. The document also shares real-world examples of BFA exploitation that led to significant security breaches.

Embed presentation

Download to read offline
Backup File Artifacts The Underrated Web Danger TESTING AND EXPLOITING BFA WITH BFAC By: Mazin Ahmed @mazen160 mazin AT mazinahmed DOT net
WHO AM I?  Mazin Ahmed • Freelancing Security Researcher at Bugcrowd, Inc. • Security Contributor at ProtonMail • Freelancing Information Security Specialist • You can read more at https://mazinahmed.net/
WHO AM I?  And I have contributed to the security of the following:
Table of Contents  Introduction  How BFA Occurs?  Background  Previous Researches  Wrapping Ideas Together  The Problem  BFA Findings in Real-World.  Introducing BFAC  Using BFAC  Mitigations  Questions
What is Backup-File Artifacts?
Background Code Editors  Code editors makes a backup copy of the files that being edited.  Mostly, it's being done in the same directory of the file.  It's made using the same filename.  It uses predictable patterns.
Background Code Editors Product Name Backup Pattern (Assuming the filename is config.php) Emacs #config.php# Nano config.php.save Vim (swap file) config.php.swp Vim (swap file) config.php.swo Vim, Gedit config.php~
Background Code Editors The Problem  Developers mostly forgets to check for Backup File Artifacts caused by code editors, and underestimate the impact of leaving similar artifacts.  This would lead to the disclosure of the source code of the script that has been edited.
Background Version Control Systems  Version Control Systems (VCS) are systems made to manage changes on files, documents, computer programs, code, websites, etc…  All Version Control Systems has a directory by design that contains data and/or source-code.  The directory is made to have a backup of files, and to control the changes on the files within the project.  By design, we already know directories names, the important files, and the directories' structure of source-code version controller systems.
Background Version Control Systems Version Control System Pre-known Files and Directories GIT /.git (Default Directory) GIT /.gitignore GIT /.git/index GIT /.git/HEAD GIT /.git/refs Mercurial /.hg (Default Directory) Mercurial /.hg/requires Bazaar /.bzr/ (Default Directory) Bazaar /.bzr/README Subversion /.svn (Default Directory) Subversion /.svn/entries Subversion /.svnignore
Background Version Control Systems The Problem  Companies and developers in many occasions clone or download the repository into production, and FORGETS TO DELETE THE VCS DIRECTORIES.  This would lead to the disclosure of the source code of the company's application.
 The worst part: many websites don't disable directory listing, which makes exploiting that like a piece of cake. Profit?  downloading the VCS directory would be as simple as: $ wget --mirror -np –I /[path_to_vcs_dir] http://example.com/[path_to_vcs_dir] Background Version Control Systems The Problem
 In case the website disables directory listing, exploitation is still possible. Background Version Control Systems The Problem
 Exploitation of Missed VCS Folders on Web-Apps When Directory Listing is Disabled:-  Simply: Brute-Forcing the VCS structure. Background Version Control Systems The Problem
 Exploitation of Missed VCS Folders on Web-Apps When Directory Listing is Disabled:-  There are tools that can do that too:  GIT-Tools by Internetwache: A collection of scripts that can be used to retrieved GIT repositories from the web-app, even if directory listing is disabled. Written in Bash and Python.  DVCS-Ripper by @kost: A tool that can perform recover different repositories even if directory listing is disabled. Written in Perl.  DVCS-Pillage by Adam Baldwin: A tool that extracts and retrieves different DVCS repositories. Background Version Control Systems The Problem
Background Human-Based Missed Backup File Artifacts  Developers usually do a backup before attempting to edit files.  Example:- Editing index.php  Before editing, many developers do the following: $cp index.php index.php.bak
 Developers in many cases forgets to remove the backup file.  It may even be left on production. Background Human-Based Missed Backup File Artifacts The Problem
Impact  An unauthorized attacker can brute-forces through different patterns of human-based backing up, and check if the file exists and accessible to the public.  If succeeded, the unauthorized attacker would be able to view the source- code of the script (Source-Code Disclosure). Background Human-Based Missed Backup File Artifacts The Problem
Previous Researches Pillaging DVCS Repos For Fun And Profit - Defcon 19 - Adam Baldwin – 2011  The talk discusses different leakage of Distributed Version Control Systems, and how it can leak the website’s source-code and data if it’s incorrectly accessible by unauthorized users.  A test on Alexa top 1M was done and showed that roughly 2,000 websites were vulnerable.  A tool called DVCS-Pillage was released that helps retrieving repositories from websites that exposes them.
1% of CMS-Powered Sites Expose Their Database Passwords - Feross Aboukhadijeh – 2011  A research that shows how can human-based backup artifacts and backup artifacts made by code-editors leaks sensitive data on popular CMSs.  Also, tested Alexa top 200,000 websites for basic BFAs on CMSs configuration files.  Results showed a large number of high-profile websites had BFA left on production.  Wrote a tool that can detect basic BFAs for CMSs configuration files. Previous Researches
Don't publicly expose .git or how we downloaded your website's sourcecode – Internetwache - 2015  A research done by Internetwache on GIT VCS, and how it can leak web- applications' source-code and data.  Demonstrated different techniques for real-world exploitation of missed GIT repositories on production.  Tested Alexa top 1M websites for web-applications that left GIT repositories on production.  Published a set of scripts to automatically tries to retrieve files from GIT repositories. Previous Researches
 Backup-File Artifacts are caused by different ways, mostly, it’s the admin/developer mistake to allow it accessible.  Exploitation of Human-Based BFA and BFAs that is caused by code-editors can be done as the following: Example:- Saying that index.php.bak is discovered. Wrapping Ideas Together
 Having the meta directory of Control Version Systems accessible also leads to source-code and data disclosure. Wrapping Ideas Together
Wrapping Ideas Together Source-Code and Data Disclosure Human-Based Backup File Artifacts Backup File Artifacts Caused by Code Editors Version Controlling System Meta Directories Backup File Artifacts
 Most Open-Source and Commercial Web Vulnerability Scanners DO NOT PERFORM TESTING FOR BACKUP FILE ARTIFACTS.  Examples of Tested Open-Source Scanners That Do Not Perform BFA Checks:- • OWASP ZAP 2.4 • Vega • W3AF – There are partial plugins that does basic testing, but it’s disabled by default. • Nikto 2.4.6 The Problem
 There are very few current Scanners that performs Backup Artifacts. Testing. However, those rare scanners only test the very basic pattern of BFA.  Many Important patterns testing are MISSED! The Problem
BFA Findings in Real-World Paypal BFA That Lead to RCE - Ebraheem Hegazy  Ebraheem found a script called upload.php on a Paypal-owned server.  wrote script to test for BFA, and to check if the script exist on other subdomains.  Found a BFA for upload.php, and transformed the Blackbox testing to whitebox testing.  After source-code reviewing it, he found a bug that leads to RCE. Profit: Got an RCE exploit on a Paypal server. Paypal fixed the issue, and he was awarded a nice bounty.
BFA Findings in Real-World ISC.org BFA that Disclosed Database Credentials - Feross Aboukhadijeh  During Feross’s research, he tested ISC.org for BFA on Wordpress configuration files, wp-config.php.  He found a BFA left on the main production site of ISC.org, containing database credentials. Profit: The researcher had potentially valid credentials to ISC.org (“potentially” is said, as the researcher stated that he didn’t use it gain unauthorized access). Feross reported it to ISC.org, and they have fixed it.
BFA Findings in Real-World A Collection of BFAs - Mazin Ahmed  Used BFAC to discover a number of BFA issues on web-applications, mostly for confidential clients.  BFA Findings Leads To: • Credentials leakage. • Turning testing to whitebox. • Finding additional security vulnerabilities. • RCE. • SQLI. • XSS. • Even more BFA issues. • etc...
 About the Project:  BFAC (Backup-File Artifacts Checker) is an automated tool that checks for backup artifacts that may discloses the web-application's source code.  BFAC goal is to be an all-in-one tool for backup-file artifacts black-box testing.
Introducing BFAC  About the Project:  Code Specifications:-  Written in pure Python.  Compatible with both Python2.x and Python3.x.  Cross-Platform: Works on Linux, Windows, Mac, Android, and IOS.  Requires a slight amount of resources/modules.  API friendly.  Released under GNU GPLv3.0 License.
Introducing BFAC  About the Project:  Features:-  Testing all common types of backup-file artifacts patterns, including human-based BFAs, and BFA that can occur via code-editors.  Includes tests for common VCS artifacts, such as GIT, Subversion, Mercurial, and Bazaar.  Smart detection techniques: Capable of detecting "Not Found", and valid pages using different tests.  Stealthy Interaction with Web Servers.  Easy to edit and customize based on needs; easy to add custom BFA patterns.  Dynamic and generic; made to be not specified to test a specific environment or server.
Downloading BFAC BFAC https://github.com/mazen160/bfac
Downloading and Installing BFAC  Cloning BFAC $ git clone https://github.com/mazen160/bfac.git  Installing BFAC ( for *NIX machines) As simple as: $ python install.py confirm
Using BFAC  Performs basic tests on the link, showing all attempts, and using random user-agents on each request. $ bfac --url 'http://example.com/test.php' --verbose --random-agent  Ignore 500 and 503 HTTP response codes when is detected as findings. $ bfac --url 'http://example.com/test.php' --verbose --exclude- status-codes 500,503
Using BFAC  Default option to confirm the existence of the BFA is set to check both of the HTTP Status Codes and the Content Length (set to “both”).  Rely only on HTTP Status Codes for confirming the existence of the BFA. $ bfac --url 'http://example.com/test.php' --verbose --verify-file- availability status_code  Rely only on Content Length measures in order to confirm the existence of the BFA. $ bfac --url 'http://example.com/test.php' --verbose --verify-file- availability content_length
Using BFAC  Perform BFA testing for all current testing levels (Level 4 includes tests from all below levels). $ bfac --url 'http://example.com/test.php' --verbose --level 4  Print a clean output with only findings, separated by newlines. Suitable for APIs and integration with other tools. $ bfac --url 'http://example.com/test.php' --no-text --level 4
Mitigation Developer-Level:-  Awareness  Probably the only reliable solution.  Developers' behavior regarding actions on production-level and publicly accessible applications are the main reason for this vulnerability type to occur. Software-Level:-  Access rules seems to be useful in blocking some of the patterns. However, it does not protect as needed.
Questions? Mazin Ahmed Twitter: @mazen160 Email: mazin AT mazinahmed DOT net Website: https://mazinahmed.net LinkedIn: https://linkedin.com/in/infosecmazinahmed

More Related Content

PPTX
Bug bounty
byn|u - The Open Security Community
 
PDF
Bug Bounty Hunting for Companies & Researchers: Bounty Hunting in Sudan and A...
byMazin Ahmed
 
PPTX
Bug Bounty - Play For Money
byShubham Gupta
 
PPTX
Bug Bounty #Defconlucknow2016
byShubham Gupta
 
PDF
Bug Bounty - Hackers Job
byArbin Godar
 
PDF
The Secret Life of a Bug Bounty Hunter – Frans Rosén @ Security Fest 2016
byFrans Rosén
 
PDF
Bug Bounty Hunter's Manifesto V1.0
byDinesh O Bareja
 
PPTX
XSS (Cross Site Scripting)
byShubham Gupta
 
Bug bounty
byn|u - The Open Security Community
 
Bug Bounty Hunting for Companies & Researchers: Bounty Hunting in Sudan and A...
byMazin Ahmed
 
Bug Bounty - Play For Money
byShubham Gupta
 
Bug Bounty #Defconlucknow2016
byShubham Gupta
 
Bug Bounty - Hackers Job
byArbin Godar
 
The Secret Life of a Bug Bounty Hunter – Frans Rosén @ Security Fest 2016
byFrans Rosén
 
Bug Bounty Hunter's Manifesto V1.0
byDinesh O Bareja
 
XSS (Cross Site Scripting)
byShubham Gupta
 

What's hot

PDF
REST API Pentester's perspective
bySecuRing
 
PPTX
Bug Bounty for - Beginners
byHimanshu Kumar Das
 
PPTX
Basics of getting Into Bug Bounty Hunting
byMuhammad Khizer Javed
 
PPTX
Bug Bounty 101
byShahee Mirza
 
PDF
Wi-Fi Hotspot Attacks
byGreg Foss
 
PDF
Hacking Web Apps by Brent White
byEC-Council
 
PPT
Beyond Ethical Hacking By Nipun Jaswal , CSA HCF Infosec Pvt. Ltd
byNipun Jaswal
 
PDF
ACRNA Webinar #5: Cyber Security – The Unlikely Romance
byCasey Ellis
 
PPTX
Bug bounty
byRamin Farajpour Cami
 
PDF
Bug bounty or beg bounty?
byCasey Ellis
 
PDF
How to steal and modify data using Business Logic flaws - Insecure Direct Obj...
byFrans Rosén
 
PDF
Tale of Forgotten Disclosure and Lesson learned
byAnant Shrivastava
 
PDF
Security by Weston Hecker
byEC-Council
 
PDF
CMS Hacking Tricks - DerbyCon 4 - 2014
byGreg Foss
 
PPTX
Kludges and PHP. Why Should You Use a WAF?
bySucuri
 
PPTX
Bug bounties - cén scéal?
byCiaran McNally
 
PPT
Overview of information security
byAskao Ahmed Saad
 
PDF
Testing iOS apps without jailbreak in 2018
bySecuRing
 
PDF
Empire Work shop
byHaydn Johnson
 
PDF
Hijacking Softwares for fun and profit
byNipun Jaswal
 
REST API Pentester's perspective
bySecuRing
 
Bug Bounty for - Beginners
byHimanshu Kumar Das
 
Basics of getting Into Bug Bounty Hunting
byMuhammad Khizer Javed
 
Bug Bounty 101
byShahee Mirza
 
Wi-Fi Hotspot Attacks
byGreg Foss
 
Hacking Web Apps by Brent White
byEC-Council
 
Beyond Ethical Hacking By Nipun Jaswal , CSA HCF Infosec Pvt. Ltd
byNipun Jaswal
 
ACRNA Webinar #5: Cyber Security – The Unlikely Romance
byCasey Ellis
 
Bug bounty
byRamin Farajpour Cami
 
Bug bounty or beg bounty?
byCasey Ellis
 
How to steal and modify data using Business Logic flaws - Insecure Direct Obj...
byFrans Rosén
 
Tale of Forgotten Disclosure and Lesson learned
byAnant Shrivastava
 
Security by Weston Hecker
byEC-Council
 
CMS Hacking Tricks - DerbyCon 4 - 2014
byGreg Foss
 
Kludges and PHP. Why Should You Use a WAF?
bySucuri
 
Bug bounties - cén scéal?
byCiaran McNally
 
Overview of information security
byAskao Ahmed Saad
 
Testing iOS apps without jailbreak in 2018
bySecuRing
 
Empire Work shop
byHaydn Johnson
 
Hijacking Softwares for fun and profit
byNipun Jaswal
 

Viewers also liked

PDF
HTTP Parameter Pollution Vulnerabilities in Web Applications (Black Hat EU 2011)
byMarco Balduzzi
 
PDF
Cybercrime in the Deep Web (BHEU 2015)
byMarco Balduzzi
 
PPTX
Cctk support for setting hdd password
byartisriva
 
PDF
AIS Exposed. New vulnerabilities and attacks. (HITB AMS 2014)
byMarco Balduzzi
 
PDF
Why AIS is not always enough
byPole Star Space Applications
 
PPT
Possessive adjectives
bybogomolova1879
 
PPT
Family tree
bybogomolova1879
 
PPTX
Cloud computing security policy framework for mitigating denial of service at...
byVenkatesh Prabhu
 
PDF
HTTP(S)-Based Clustering for Assisted Cybercrime Investigations
byMarco Balduzzi
 
PDF
HITB2012AMS - SatanCloud: A Journey Into the Privacy and Security Risks of Cl...
byMarco Balduzzi
 
PPTX
600.412.Lecture02
byragibhasan
 
PPTX
A New Form of Dos attack in Cloud
bySanoj Kumar
 
PPT
Softworx Enterprise Asset Management 101 - Presentation Template
byEnterprise Softworx Solutions
 
ODP
Personal informatic
byXavier Puig de las Heras
 
PPTX
Presentation1
byNima Kamali
 
PPT
Avian flu Type A-H5N1 epidemiological model: Puerto Rico as a case study
byMariangeles Rivera
 
PPTX
чынгыз айтматов Small
byKamchibekova Rakia
 
PPS
Pentru tine
byMircea Tivadar
 
PPT
Christmas
bybogomolova1879
 
PPTX
ОО" Шоола Кол" презентация Результаты поиска Санкт-Петербург 14 октября
byАсылбек Айтматов
 
HTTP Parameter Pollution Vulnerabilities in Web Applications (Black Hat EU 2011)
byMarco Balduzzi
 
Cybercrime in the Deep Web (BHEU 2015)
byMarco Balduzzi
 
Cctk support for setting hdd password
byartisriva
 
AIS Exposed. New vulnerabilities and attacks. (HITB AMS 2014)
byMarco Balduzzi
 
Why AIS is not always enough
byPole Star Space Applications
 
Possessive adjectives
bybogomolova1879
 
Family tree
bybogomolova1879
 
Cloud computing security policy framework for mitigating denial of service at...
byVenkatesh Prabhu
 
HTTP(S)-Based Clustering for Assisted Cybercrime Investigations
byMarco Balduzzi
 
HITB2012AMS - SatanCloud: A Journey Into the Privacy and Security Risks of Cl...
byMarco Balduzzi
 
600.412.Lecture02
byragibhasan
 
A New Form of Dos attack in Cloud
bySanoj Kumar
 
Softworx Enterprise Asset Management 101 - Presentation Template
byEnterprise Softworx Solutions
 
Personal informatic
byXavier Puig de las Heras
 
Presentation1
byNima Kamali
 
Avian flu Type A-H5N1 epidemiological model: Puerto Rico as a case study
byMariangeles Rivera
 
чынгыз айтматов Small
byKamchibekova Rakia
 
Pentru tine
byMircea Tivadar
 
Christmas
bybogomolova1879
 
ОО" Шоола Кол" презентация Результаты поиска Санкт-Петербург 14 октября
byАсылбек Айтматов
 

Similar to Backup-File Artifacts - OWASP Khartoum InfoSec Sessions 2016 - Mazin Ahmed

PDF
Lares from LOW to PWNED
byChris Gates
 
PPTX
Detection of webshells in compromised perimeter assets using ML algorithms
byRod Soto
 
PPTX
The Hacking Game - Think Like a Hacker Meetup 12072023.pptx
bylior mazor
 
PPTX
Exploitation techniques and fuzzing
byPrachi Gulihar
 
PPTX
Finalppt metasploit
bydevilback
 
PPTX
Adversary tactics config mgmt-&-logs-oh-my
byJesse Moore
 
PPT
shostack-blackhat-991.ppt YUGUUYGYGUUYUHJ
byAbodahab
 
PDF
Hack Attack! An Introduction to Penetration Testing
bySteve Phillips
 
PPTX
PowerPoint on advanced network threats.pptx
byAngieloBecenia1
 
PPTX
3. backup file artifacts - mazin ahmed
byRashid Khatmey
 
PPTX
DevSecCon London 2017: when good containers go bad by Tim Mackey
byDevSecCon
 
PPTX
Reversing Microsoft patches to reveal vulnerable code
byHarsimran Walia
 
PPT
Bsides-Philly-2016-Finding-A-Companys-BreakPoint
byZack Meyers
 
PDF
Cyber attacks 101
byRafel Ivgi
 
PPTX
Devoops: DoJ Annual Cybersecurity Training Symposium Edition 2015
byChris Gates
 
PDF
Software Security Engineering (Learnings from the past to fix the future) - B...
byDebasisMohanty43
 
PPTX
BSides_Charm2015_Info sec hunters_gathers
byAndrew McNicol
 
PDF
Apt presso good to learn
byFajar Isnanto
 
ODP
Wonderful world of (distributed) SCM or VCS
byVlatko Kosturjak
 
PDF
[PH-Neutral 0x7db] Exploit Next Generation®
byNelson Brito
 
Lares from LOW to PWNED
byChris Gates
 
Detection of webshells in compromised perimeter assets using ML algorithms
byRod Soto
 
The Hacking Game - Think Like a Hacker Meetup 12072023.pptx
bylior mazor
 
Exploitation techniques and fuzzing
byPrachi Gulihar
 
Finalppt metasploit
bydevilback
 
Adversary tactics config mgmt-&-logs-oh-my
byJesse Moore
 
shostack-blackhat-991.ppt YUGUUYGYGUUYUHJ
byAbodahab
 
Hack Attack! An Introduction to Penetration Testing
bySteve Phillips
 
PowerPoint on advanced network threats.pptx
byAngieloBecenia1
 
3. backup file artifacts - mazin ahmed
byRashid Khatmey
 
DevSecCon London 2017: when good containers go bad by Tim Mackey
byDevSecCon
 
Reversing Microsoft patches to reveal vulnerable code
byHarsimran Walia
 
Bsides-Philly-2016-Finding-A-Companys-BreakPoint
byZack Meyers
 
Cyber attacks 101
byRafel Ivgi
 
Devoops: DoJ Annual Cybersecurity Training Symposium Edition 2015
byChris Gates
 
Software Security Engineering (Learnings from the past to fix the future) - B...
byDebasisMohanty43
 
BSides_Charm2015_Info sec hunters_gathers
byAndrew McNicol
 
Apt presso good to learn
byFajar Isnanto
 
Wonderful world of (distributed) SCM or VCS
byVlatko Kosturjak
 
[PH-Neutral 0x7db] Exploit Next Generation®
byNelson Brito
 

Recently uploaded

PDF
Day 3 - Data and Application Security - 2nd Sight Lab Cloud Security Class
by2nd Sight Lab
 
PPTX
Coded Agents – with UiPath SDK + LangGraph [Virtual Hands-on Workshop]
byUiPathCommunity
 
PPTX
Building Agents in Microsoft Agent Framework.pptx
byUdaiappa Ramachandran
 
PDF
Lab 4.4 More Cloud Logging and Monitoring - 2nd Sight Lab Cloud Security Class
by2nd Sight Lab
 
PDF
Lab 5.1 Architecture + Threat Modeling Exercise - 2nd Sight Lab Cloud Securit...
by2nd Sight Lab
 
PDF
Smart Buildings 2025 Wrapped! The Rise of Outcomes-as-a-Service
byMemoori
 
PDF
Lab 4.2 Multi-cloud Deployments - 2nd Sight Lab Cloud Security Class
by2nd Sight Lab
 
PDF
Workshop on Sustaining & Growing Open Source Communities - GAS2025
bySammy Fung
 
PPTX
Why Most GenAI Projects Fail to Scale and How to Become One of the Success St...
byEarley Information Science
 
PDF
Dev Dives: AI that builds with you - UiPath Autopilot for effortless RPA & AP...
byUiPathCommunity
 
PDF
Fundamentals and Frontiers of Post Quantum Cryptography
byGokul Alex
 
PDF
Day 5 - Red Team + Blue Team in the Cloud - 2nd Sight Lab Cloud Security Class
by2nd Sight Lab
 
PDF
Real-Time Data Insight Using Microsoft Forms for Business
byElevate
 
PDF
Lab 1.1 Introduction to AWS Automation - 2nd Sight Lab Cloud Security Class
by2nd Sight Lab
 
PDF
DMVPN Tunnels to multi sites in networks
byMahboabAliGhalib
 
PDF
Exam Prep Plan Overview: Amazon Web Services (AWS) Certified
byVICTOR MAESTRE RAMIREZ
 
PPTX
communication-skills-with-technology tools
byJaleto Sunkemo
 
PDF
Cross-Cultural Agile Development -Challenges and Strategies for Overcoming Them-
byTakashi Makino
 
PDF
Six Shifts For 2026 (And The Next Six Years)
byDavid Armano
 
DOCX
iRobot Post‑Mortem and Alternative Paths - Discussion Document for Boards and...
byDave Litwiller
 
Day 3 - Data and Application Security - 2nd Sight Lab Cloud Security Class
by2nd Sight Lab
 
Coded Agents – with UiPath SDK + LangGraph [Virtual Hands-on Workshop]
byUiPathCommunity
 
Building Agents in Microsoft Agent Framework.pptx
byUdaiappa Ramachandran
 
Lab 4.4 More Cloud Logging and Monitoring - 2nd Sight Lab Cloud Security Class
by2nd Sight Lab
 
Lab 5.1 Architecture + Threat Modeling Exercise - 2nd Sight Lab Cloud Securit...
by2nd Sight Lab
 
Smart Buildings 2025 Wrapped! The Rise of Outcomes-as-a-Service
byMemoori
 
Lab 4.2 Multi-cloud Deployments - 2nd Sight Lab Cloud Security Class
by2nd Sight Lab
 
Workshop on Sustaining & Growing Open Source Communities - GAS2025
bySammy Fung
 
Why Most GenAI Projects Fail to Scale and How to Become One of the Success St...
byEarley Information Science
 
Dev Dives: AI that builds with you - UiPath Autopilot for effortless RPA & AP...
byUiPathCommunity
 
Fundamentals and Frontiers of Post Quantum Cryptography
byGokul Alex
 
Day 5 - Red Team + Blue Team in the Cloud - 2nd Sight Lab Cloud Security Class
by2nd Sight Lab
 
Real-Time Data Insight Using Microsoft Forms for Business
byElevate
 
Lab 1.1 Introduction to AWS Automation - 2nd Sight Lab Cloud Security Class
by2nd Sight Lab
 
DMVPN Tunnels to multi sites in networks
byMahboabAliGhalib
 
Exam Prep Plan Overview: Amazon Web Services (AWS) Certified
byVICTOR MAESTRE RAMIREZ
 
communication-skills-with-technology tools
byJaleto Sunkemo
 
Cross-Cultural Agile Development -Challenges and Strategies for Overcoming Them-
byTakashi Makino
 
Six Shifts For 2026 (And The Next Six Years)
byDavid Armano
 
iRobot Post‑Mortem and Alternative Paths - Discussion Document for Boards and...
byDave Litwiller
 

Backup-File Artifacts - OWASP Khartoum InfoSec Sessions 2016 - Mazin Ahmed

  • 1.
    Backup File Artifacts TheUnderrated Web Danger TESTING AND EXPLOITING BFA WITH BFAC By: Mazin Ahmed @mazen160 mazin AT mazinahmed DOT net
  • 2.
    WHO AM I? Mazin Ahmed • Freelancing Security Researcher at Bugcrowd, Inc. • Security Contributor at ProtonMail • Freelancing Information Security Specialist • You can read more at https://mazinahmed.net/
  • 3.
    WHO AM I? And I have contributed to the security of the following:
  • 4.
    Table of Contents Introduction  How BFA Occurs?  Background  Previous Researches  Wrapping Ideas Together  The Problem  BFA Findings in Real-World.  Introducing BFAC  Using BFAC  Mitigations  Questions
  • 5.
  • 6.
    Background Code Editors  Codeeditors makes a backup copy of the files that being edited.  Mostly, it's being done in the same directory of the file.  It's made using the same filename.  It uses predictable patterns.
  • 7.
    Background Code Editors Product NameBackup Pattern (Assuming the filename is config.php) Emacs #config.php# Nano config.php.save Vim (swap file) config.php.swp Vim (swap file) config.php.swo Vim, Gedit config.php~
  • 8.
    Background Code Editors The Problem Developers mostly forgets to check for Backup File Artifacts caused by code editors, and underestimate the impact of leaving similar artifacts.  This would lead to the disclosure of the source code of the script that has been edited.
  • 9.
    Background Version Control Systems Version Control Systems (VCS) are systems made to manage changes on files, documents, computer programs, code, websites, etc…  All Version Control Systems has a directory by design that contains data and/or source-code.  The directory is made to have a backup of files, and to control the changes on the files within the project.  By design, we already know directories names, the important files, and the directories' structure of source-code version controller systems.
  • 10.
    Background Version Control Systems VersionControl System Pre-known Files and Directories GIT /.git (Default Directory) GIT /.gitignore GIT /.git/index GIT /.git/HEAD GIT /.git/refs Mercurial /.hg (Default Directory) Mercurial /.hg/requires Bazaar /.bzr/ (Default Directory) Bazaar /.bzr/README Subversion /.svn (Default Directory) Subversion /.svn/entries Subversion /.svnignore
  • 11.
    Background Version Control Systems TheProblem  Companies and developers in many occasions clone or download the repository into production, and FORGETS TO DELETE THE VCS DIRECTORIES.  This would lead to the disclosure of the source code of the company's application.
  • 12.
     The worstpart: many websites don't disable directory listing, which makes exploiting that like a piece of cake. Profit?  downloading the VCS directory would be as simple as: $ wget --mirror -np –I /[path_to_vcs_dir] http://example.com/[path_to_vcs_dir] Background Version Control Systems The Problem
  • 13.
     In casethe website disables directory listing, exploitation is still possible. Background Version Control Systems The Problem
  • 14.
     Exploitation ofMissed VCS Folders on Web-Apps When Directory Listing is Disabled:-  Simply: Brute-Forcing the VCS structure. Background Version Control Systems The Problem
  • 15.
     Exploitation ofMissed VCS Folders on Web-Apps When Directory Listing is Disabled:-  There are tools that can do that too:  GIT-Tools by Internetwache: A collection of scripts that can be used to retrieved GIT repositories from the web-app, even if directory listing is disabled. Written in Bash and Python.  DVCS-Ripper by @kost: A tool that can perform recover different repositories even if directory listing is disabled. Written in Perl.  DVCS-Pillage by Adam Baldwin: A tool that extracts and retrieves different DVCS repositories. Background Version Control Systems The Problem
  • 16.
    Background Human-Based Missed BackupFile Artifacts  Developers usually do a backup before attempting to edit files.  Example:- Editing index.php  Before editing, many developers do the following: $cp index.php index.php.bak
  • 17.
     Developers inmany cases forgets to remove the backup file.  It may even be left on production. Background Human-Based Missed Backup File Artifacts The Problem
  • 18.
    Impact  An unauthorizedattacker can brute-forces through different patterns of human-based backing up, and check if the file exists and accessible to the public.  If succeeded, the unauthorized attacker would be able to view the source- code of the script (Source-Code Disclosure). Background Human-Based Missed Backup File Artifacts The Problem
  • 19.
    Previous Researches Pillaging DVCSRepos For Fun And Profit - Defcon 19 - Adam Baldwin – 2011  The talk discusses different leakage of Distributed Version Control Systems, and how it can leak the website’s source-code and data if it’s incorrectly accessible by unauthorized users.  A test on Alexa top 1M was done and showed that roughly 2,000 websites were vulnerable.  A tool called DVCS-Pillage was released that helps retrieving repositories from websites that exposes them.
  • 20.
    1% of CMS-PoweredSites Expose Their Database Passwords - Feross Aboukhadijeh – 2011  A research that shows how can human-based backup artifacts and backup artifacts made by code-editors leaks sensitive data on popular CMSs.  Also, tested Alexa top 200,000 websites for basic BFAs on CMSs configuration files.  Results showed a large number of high-profile websites had BFA left on production.  Wrote a tool that can detect basic BFAs for CMSs configuration files. Previous Researches
  • 21.
    Don't publicly expose.git or how we downloaded your website's sourcecode – Internetwache - 2015  A research done by Internetwache on GIT VCS, and how it can leak web- applications' source-code and data.  Demonstrated different techniques for real-world exploitation of missed GIT repositories on production.  Tested Alexa top 1M websites for web-applications that left GIT repositories on production.  Published a set of scripts to automatically tries to retrieve files from GIT repositories. Previous Researches
  • 22.
     Backup-File Artifactsare caused by different ways, mostly, it’s the admin/developer mistake to allow it accessible.  Exploitation of Human-Based BFA and BFAs that is caused by code-editors can be done as the following: Example:- Saying that index.php.bak is discovered. Wrapping Ideas Together
  • 23.
     Having themeta directory of Control Version Systems accessible also leads to source-code and data disclosure. Wrapping Ideas Together
  • 24.
    Wrapping Ideas Together Source-Codeand Data Disclosure Human-Based Backup File Artifacts Backup File Artifacts Caused by Code Editors Version Controlling System Meta Directories Backup File Artifacts
  • 25.
     Most Open-Sourceand Commercial Web Vulnerability Scanners DO NOT PERFORM TESTING FOR BACKUP FILE ARTIFACTS.  Examples of Tested Open-Source Scanners That Do Not Perform BFA Checks:- • OWASP ZAP 2.4 • Vega • W3AF – There are partial plugins that does basic testing, but it’s disabled by default. • Nikto 2.4.6 The Problem
  • 26.
     There arevery few current Scanners that performs Backup Artifacts. Testing. However, those rare scanners only test the very basic pattern of BFA.  Many Important patterns testing are MISSED! The Problem
  • 27.
    BFA Findings inReal-World Paypal BFA That Lead to RCE - Ebraheem Hegazy  Ebraheem found a script called upload.php on a Paypal-owned server.  wrote script to test for BFA, and to check if the script exist on other subdomains.  Found a BFA for upload.php, and transformed the Blackbox testing to whitebox testing.  After source-code reviewing it, he found a bug that leads to RCE. Profit: Got an RCE exploit on a Paypal server. Paypal fixed the issue, and he was awarded a nice bounty.
  • 28.
    BFA Findings inReal-World ISC.org BFA that Disclosed Database Credentials - Feross Aboukhadijeh  During Feross’s research, he tested ISC.org for BFA on Wordpress configuration files, wp-config.php.  He found a BFA left on the main production site of ISC.org, containing database credentials. Profit: The researcher had potentially valid credentials to ISC.org (“potentially” is said, as the researcher stated that he didn’t use it gain unauthorized access). Feross reported it to ISC.org, and they have fixed it.
  • 29.
    BFA Findings inReal-World A Collection of BFAs - Mazin Ahmed  Used BFAC to discover a number of BFA issues on web-applications, mostly for confidential clients.  BFA Findings Leads To: • Credentials leakage. • Turning testing to whitebox. • Finding additional security vulnerabilities. • RCE. • SQLI. • XSS. • Even more BFA issues. • etc...
  • 31.
     About theProject:  BFAC (Backup-File Artifacts Checker) is an automated tool that checks for backup artifacts that may discloses the web-application's source code.  BFAC goal is to be an all-in-one tool for backup-file artifacts black-box testing.
  • 32.
    Introducing BFAC  Aboutthe Project:  Code Specifications:-  Written in pure Python.  Compatible with both Python2.x and Python3.x.  Cross-Platform: Works on Linux, Windows, Mac, Android, and IOS.  Requires a slight amount of resources/modules.  API friendly.  Released under GNU GPLv3.0 License.
  • 33.
    Introducing BFAC  Aboutthe Project:  Features:-  Testing all common types of backup-file artifacts patterns, including human-based BFAs, and BFA that can occur via code-editors.  Includes tests for common VCS artifacts, such as GIT, Subversion, Mercurial, and Bazaar.  Smart detection techniques: Capable of detecting "Not Found", and valid pages using different tests.  Stealthy Interaction with Web Servers.  Easy to edit and customize based on needs; easy to add custom BFA patterns.  Dynamic and generic; made to be not specified to test a specific environment or server.
  • 34.
  • 35.
    Downloading and InstallingBFAC  Cloning BFAC $ git clone https://github.com/mazen160/bfac.git  Installing BFAC ( for *NIX machines) As simple as: $ python install.py confirm
  • 36.
    Using BFAC  Performsbasic tests on the link, showing all attempts, and using random user-agents on each request. $ bfac --url 'http://example.com/test.php' --verbose --random-agent  Ignore 500 and 503 HTTP response codes when is detected as findings. $ bfac --url 'http://example.com/test.php' --verbose --exclude- status-codes 500,503
  • 37.
    Using BFAC  Defaultoption to confirm the existence of the BFA is set to check both of the HTTP Status Codes and the Content Length (set to “both”).  Rely only on HTTP Status Codes for confirming the existence of the BFA. $ bfac --url 'http://example.com/test.php' --verbose --verify-file- availability status_code  Rely only on Content Length measures in order to confirm the existence of the BFA. $ bfac --url 'http://example.com/test.php' --verbose --verify-file- availability content_length
  • 38.
    Using BFAC  PerformBFA testing for all current testing levels (Level 4 includes tests from all below levels). $ bfac --url 'http://example.com/test.php' --verbose --level 4  Print a clean output with only findings, separated by newlines. Suitable for APIs and integration with other tools. $ bfac --url 'http://example.com/test.php' --no-text --level 4
  • 39.
    Mitigation Developer-Level:-  Awareness  Probablythe only reliable solution.  Developers' behavior regarding actions on production-level and publicly accessible applications are the main reason for this vulnerability type to occur. Software-Level:-  Access rules seems to be useful in blocking some of the patterns. However, it does not protect as needed.
  • 40.
    Questions? Mazin Ahmed Twitter: @mazen160 Email:mazin AT mazinahmed DOT net Website: https://mazinahmed.net LinkedIn: https://linkedin.com/in/infosecmazinahmed