Anant kochhar _revealing_the_secrets - ClubHack2009
Slide notes
  • No direct access to the source of the file
  • Index1.jsp?Filename=/claims/WEB-INF/
  • Transcript

    • 1. Revealing the Secrets: Source Code Disclosure, Techniques, and Impacts
    • 2. I am…
      • Anant Kochhar, Senior Information Security Consultant with SecurEyes
      • Project Manager and Researcher
      • Malware detection techniques and real-world cracker techniques
    • 3. Unique Insecurities…
      • Each developer is unique.
      • Each application is unique.
      • Each application is uniquely insecure.
      • Each developer is uniquely insecure.
    • 4. Source Code Disclosure Types
      • Accidental Code Disclosure
      • Backup and Misc. Files
      • The Dirty Download Page
    • 5. Accidental Disclosure
      • Part of the server-side source code is left inside the HTML that the server sends to the browser.
      • It happens when dynamic pages are turned into static pages, e.g. from ‘.asp’ to ‘.html’.
      • Coders don’t remove the ASP code before publishing the HTML page.
      • Why does nobody notice? Because IE is very forgiving: it hides a stray ‘<% … %>’ block instead of rendering it, so the page looks fine to the developer, while the code is still there for anyone who views the source (Firefox simply shows it as text).
    • 6. Google, looking in a domain which claims to have ALL its sites ‘audited’: “mdb” “server.createobject” OR “server.mappath” site:???.??
    • 7. In IE
    • 8. In Mozilla Firefox
    • 9. Voila…
    • 10. How to avoid it…
      • Don’t be careless.
        • Go through the HTML source code of every page before it is published online.
      • Use both IE and Firefox to test a page: a block that IE hides is plainly visible in Firefox.
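Reading the source of every published page by hand does not scale, so the check a practitioner would automate is a scan of the static files for leftover server-side delimiters before they go live. The script below is an added example and is not part of the ClubHack 2009 slides; the directory path and the set of patterns are assumptions chosen to match the dork terms the talk uses (‘mdb’, ‘server.createobject’, ‘server.mappath’).

```php
<?php
// Added example (not from the slides): a pre-publish scan of static HTML pages
// for server-side code that was never removed. Walks a directory, reads every
// .html/.htm file and reports lines that contain ASP (<% ... %>) or PHP
// (<?php ... ?>) delimiters, or the ASP data-access calls the talk searches for.
// Assumed usage: php scan_static.php /var/www/html  (the path is illustrative).

function find_leftover_server_code(string $dir): array
{
    $hits = [];
    // Patterns: ASP delimiter, PHP open tag (long form and <?= echo form),
    // the ASP server object calls, and Access database (.mdb) references.
    $patterns = [
        '/<%/'                                => 'ASP delimiter',
        '/<\?(?:php\b|=)/i'                   => 'PHP open tag',
        '/server\.(?:createobject|mappath)/i' => 'ASP Server object call',
        '/\.mdb\b/i'                          => 'Access database reference',
    ];

    $iter = new RecursiveIteratorIterator(
        new RecursiveDirectoryIterator($dir, FilesystemIterator::SKIP_DOTS)
    );
    foreach ($iter as $file) {
        if (!in_array(strtolower($file->getExtension()), ['html', 'htm'], true)) {
            continue;                       // only the "static" pages matter here
        }
        $lines = file($file->getPathname(), FILE_IGNORE_NEW_LINES);
        if ($lines === false) {
            continue;                       // unreadable file: skip, not fatal
        }
        foreach ($lines as $n => $line) {
            foreach ($patterns as $re => $label) {
                if (preg_match($re, $line)) {
                    $hits[] = sprintf('%s:%d: %s: %s',
                        $file->getPathname(), $n + 1, $label, trim($line));
                    break;                  // one report per line is enough
                }
            }
        }
    }
    return $hits;
}

if (PHP_SAPI === 'cli' && isset($argv[1])) {
    $hits = find_leftover_server_code($argv[1]);
    foreach ($hits as $h) {
        echo $h, PHP_EOL;
    }
    exit($hits ? 1 : 0);                    // non-zero exit stops a publish script
}
```

Run it as the last step before files are copied to the hosting folder; a non-zero exit code aborts the upload. False positives (a tutorial page that literally discusses ‘<%’) are cheap to review compared with a database connection string reaching every visitor.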
    • 11. Backup and Misc. Files
      • Source code stored in readable formats inside the web root.
      • Coders save backup files in the website’s hosting folders.
      • Zipped files, ‘.bak’ extensions etc.
      • Coders often use bad extensions, like ‘.inc’, for ‘included’ configuration files: the web server has no handler for the extension, so it serves the file as plain text.
    • 12. How to discover…
      • Directory listings.
      • Disclosure in the HTML source (rare).
      • Other non-standard techniques.
    • 13. Google, the same ‘secured’ domain: “zip” “parent directory” site:???.??
    • 14. Directory listing enabled: all ‘internal pages’ visible
    • 15. Interesting folder: Election_asp. Interesting file: the database connection file
    • 16. Backup file of Election_asp: Election_asp.zip
    • 17. All ASP files, including the database connection file
    • 18. Database username and password in the database connection file
    • 19. How to avoid it…
      • Disable directory listing.
      • Don’t use the hosting space as storage space: backups and zips belong outside the web root.
      • Name all ‘.inc’ files as ‘.inc.php’ or ‘.inc.asp’ files, so the engine executes them instead of serving their source (better still, keep included files outside the web root, or deny the extension in the server configuration).
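The three remedies on slide 19 map onto two lines of web-server configuration. The fragment below is an added example for Apache 2.4, not configuration from the slides; the list of extensions is an assumption that covers the cases the talk names (‘.inc’, ‘.bak’, ‘.zip’, ‘.mdb’).

```apache
# Weak: the setting many shared hosts of the period shipped with.
# Every folder without an index page is listed, and any file the server
# has no handler for (.inc, .bak, .zip, .mdb ...) is served raw.
Options +Indexes

# Corrected: no listings, and the risky extensions are never served at all,
# regardless of what a developer copies into the hosting folder.
Options -Indexes
<FilesMatch "\.(inc|bak|old|orig|zip|sql|mdb)$">
    Require all denied
</FilesMatch>
```

On Apache 2.2 the denial inside FilesMatch is written as `Order allow,deny` followed by `Deny from all`. This does not replace moving backups out of the web root; it is the safety net for the day somebody forgets.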
    • 20. The Dirty Download Page
      • Better known as ‘Insecure Direct Object Reference’.
      • Paper in December 2007:
      • http://secureyes.net/downloads/Source_Code_Disclosure_over_HTTP.pdf
      • Many white hats have contacted me regarding it.
      • Translated into Spanish, which is flattering and scary.
      • Not the target audience.
    • 21. The Comment… “look on the internet for such pages…”
    • 22. How an engine works (diagram): the user’s browser requests URL /user_login.php; the server finds user_login.php in the application root folder, the PHP engine executes it, and only the HTML part of user_login.php is returned to the browser.
    • 23. The site’s root folder
    • 24. http://www.vulnerable123.com/1.doc
    • 25. Internal affairs (diagram): the browser requests URL /1.doc; the server finds 1.doc in the application root folder and returns it unchanged, the PHP engine is not involved.
    • 26. The Other Method…
      • Stream the static content files through a dynamic page.
      • The filename is passed as a parameter to the dynamic page, hereby called the ‘download’ page.
      • The download page looks for the file in the hosting folder
      • and, upon finding it, streams it to the user’s browser.
    • 27. http://www.vulnerable123.com/download_file.php?filename=1.doc
    • 28. Internal affairs 2 (diagram): the browser requests URL /download_file.php?filename=1.doc; the PHP engine executes download_file.php, which reads 1.doc from the application root folder and streams it back to the browser.
    • 29. The Exploit…
      • Change the filename parameter’s value to user_login.php.
      • Will it be processed by the engine before being streamed?
      • No! The engine does not double-process a single request: it executes download_file.php and treats user_login.php as plain data, so it simply streams the source code file ‘user_login.php’!
    • 30. http://www.vulnerable123.com/download_file.php?filename=user_login.php
    • 31. Internal affairs 3 (diagram): the browser requests URL /download_file.php?filename=user_login.php; the engine executes download_file.php, which reads user_login.php from the application root folder and streams its source code back to the browser.
    • 32. Google
      • A URL which contains:
      • a dynamic page extension: ext:php OR ext:jsp OR ext:asp OR ext:aspx
      • and a static file extension somewhere in the URL: inurl:doc OR inurl:pdf OR inurl:xls OR inurl:txt OR inurl:ppt OR inurl:htm
    • 33. Pattern (contd.)
      • Combining:
      • inurl:doc OR inurl:pdf OR inurl:xls OR inurl:txt OR inurl:ppt ext:php OR ext:jsp OR ext:asp OR ext:aspx
    • 34. Google result page: lots of false positives
    • 35. Patterns (contd.)
      • The search can be restricted to a site or a domain:
      • site:vulnerable123.com
      • Finding the dirty download page in www.vulnerable123.com:
      • inurl:doc OR inurl:pdf OR inurl:xls OR inurl:txt OR inurl:ppt ext:php OR ext:jsp OR ext:asp OR ext:aspx site:vulnerable123.com
    • 36. Voila…
    • 37. Unique case of Java sites: directory listing through the download page (passing a directory path instead of a file name as the parameter makes the page list the directory).
    • 38. Recommended Resolutions
      • Refer to internal objects indirectly.
      • For example, index the downloadable files, and pass index numbers instead of file names.
      • File extension validations can be bypassed: null byte injection (e.g. filename=user_login.php%00.doc passes a check that only looks at the ending, while engines of the time truncated the path at the null byte and opened user_login.php).
    • 39.
      • Contact me:
      • anant.kochhar[at]secureyes[dot]net
      Thank you
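To make slides 26 to 38 concrete, here is the download page in three versions: the dirty one, the extension-checked one that null byte injection gets past, and a hardened one that follows the recommended resolution (index numbers instead of file names) and also verifies the resolved path. This is an added example written for this page, not code from the slides or from SecurEyes; the storage directory /var/www/files, the file table and the id parameter name are assumptions.

```php
<?php
// Added example (not from the slides): three versions of download_file.php.
// Assumed layout: downloadable files live in /var/www/files (outside the
// application root; illustrative path); this script is the 'download' page.

// --- 1. Vulnerable: the filename parameter is used directly. ---
// download_file.php?filename=user_login.php streams the login page's source,
// because the engine executes download_file.php and treats user_login.php
// as data. '../' sequences reach anything the web server user can read.
function vulnerable_download(string $filename): void
{
    $path = __DIR__ . '/' . $filename;      // any name, no check at all
    header('Content-Type: application/octet-stream');
    readfile($path);
}

// --- 2. Still vulnerable: an extension check on the raw string. ---
// 'user_login.php%00.doc' ends in .doc and passes the regex, but on PHP
// releases before 5.3.4 the filesystem call stopped at the null byte and
// opened user_login.php. Modern PHP rejects paths containing NUL, yet the
// check still allows '../../etc/anything.txt'.
function extension_checked_download(string $filename): void
{
    if (!preg_match('/\.(doc|pdf|xls|txt|ppt)$/i', $filename)) {
        http_response_code(403);
        return;
    }
    readfile(__DIR__ . '/' . $filename);
}

// --- 3. Hardened: indirect object reference plus path containment. ---
// The client sends an integer id; the server maps it to a file name in a
// fixed table built at deploy time, then checks that the resolved path is a
// regular file inside FILE_ROOT before streaming it.
const FILE_ROOT = '/var/www/files';         // assumed storage directory
const DOWNLOADS = [                          // assumed index of public files
    1 => 'annual_report.doc',
    2 => 'price_list.xls',
];

function resolve_download(string $idParam): ?string
{
    if (!ctype_digit($idParam) || !isset(DOWNLOADS[(int) $idParam])) {
        return null;                        // unknown index: nothing to serve
    }
    $root = realpath(FILE_ROOT);
    $path = realpath(FILE_ROOT . '/' . DOWNLOADS[(int) $idParam]);
    // realpath() resolves '..' and symlinks; the prefix check refuses anything
    // that escapes FILE_ROOT, and is_file() refuses directories (the Java
    // directory-listing case of slide 37) as well as missing files.
    if ($root === false || $path === false || !is_file($path)
        || strncmp($path, $root . DIRECTORY_SEPARATOR, strlen($root) + 1) !== 0) {
        return null;
    }
    return $path;
}

function hardened_download(string $idParam): void
{
    $path = resolve_download($idParam);
    if ($path === null) {
        http_response_code(404);            // same answer for bad and missing ids
        return;
    }
    header('Content-Type: application/octet-stream');
    header('Content-Disposition: attachment; filename="' . basename($path) . '"');
    header('Content-Length: ' . filesize($path));
    readfile($path);
}

// Only the hardened handler is wired to the request; versions 1 and 2 are
// defined above purely to show what the talk describes.
hardened_download($_GET['id'] ?? '');
```

The two checks in resolve_download are independent on purpose: the index table is the indirect reference the slide recommends, and the realpath prefix check is the belt to that pair of braces, so a mistake in the table (a symlink, a wrong entry added by hand) still cannot serve a file from outside the storage directory.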
