Application Security from the Inside - OWASP

Presentation at OWASP (Open Web Application Security Project) on how to make apps secure by protecting them from the inside.
Detecting and protecting from:
1. SQL injection
2. Cross Site Scripting (XSS)
3. Third-party component vulnerabilities
4. Shell injection
etc.

1. Application security from the inside

2. Agenda
   How to make apps more secure?
   1. Triggering new vulnerabilities (bad guys)
   2. Detecting/protecting found issues (good guys)
      1. SQL injection
      2. Cross Site Scripting (XSS)
      3. Third-party component vulnerabilities
      4. Shell injection

3. About Me
   Jean-Baptiste Aviat, CTO at Sqreen (https://sqreen.io)
   We protect applications automatically
   Sqreen is hiring
   Former Red Team security engineer at Apple

4. The best place for app security
   • Where to gather accurate information for securing an application?
   • How to change the tires of a car running at 100 mph?
   • How to make the diagnosis continuous, to match modern release cycles?

5. App security: the place to be
   • Need to get closer to the runtime
   • Retrieve all required data while the application processes it
   • Work with the deployed, running application
   • Obvious solution: instrumentation

6. Debugging allows…
   • Devs' and hackers' method to inspect live apps
   • Access to anything in the process
     – CPU registers
     – Addressable memory of the whole process: functions, symbols…
     – Threads
   • And the ability to modify anything in it
     – Modify return values

7. At first sight
   (byebug) thread list
   + 1 #<Thread:0x007fe41b0d1ae0@2.2.0/webrick/server.rb:283 run>
   ...
     2 #<WEBrick::Utils::TimeoutHandler::Thread:0x007fe41b0d1220@2.2.0/webrick/utils.rb:162 sleep> 2.2.0/webrick/utils.rb:173
     3 #<Thread:0x007fe4140bc408 sleep> 2.2.0/webrick/server.rb:174
   (byebug) thread switch 3
     3 #<Thread:0x007fe4140bc408 sleep> 2.2.0/webrick/server.rb:174
   [168, 177] in 2.2.0/webrick/server.rb
      172:         while @status == :Running
      173:           begin
   => 174:             if svrs = IO.select([shutdown_pipe[0], *@listeners], nil, nil, 2.0)
      175:               if svrs[0].include? shutdown_pipe[0]
      176:                 break

8. Web application specifics
   • Relevant information in a web application:
     – User request (headers, cookies, parameters…) and server response
     – Any function call and its arguments
       • Database requests
       • File operations
       • External API calls
       • Syscalls…
     – All current threads

9. Looking closer…
   0 ActiveRecord::ConnectionAdapters::SQLite3Adapter.exec_query(sql#String, name#String…)
   …
   7 PostsController.set_post
   …
   23 ActionController::ParamsWrapper.process_action(action#NilClass, *args#Array)
   …
   27 ActionController::Metal.dispatch(action#NilClass, request#ActionDispatch::Request)
   …
   37 Rack::ETag.call(env#Hash)
   …
   40 ActionDispatch::ParamsParser.call(env#Hash)
   …
   44 ActionDispatch::Cookies.call(env#Hash)
   45 ActiveRecord::QueryCache.call(env#Hash)
   …
   74 WEBrick::HTTPServer.service(req#WEBrick::HTTPRequest, res#WEBrick::HTTPResponse)
   75 WEBrick::HTTPServer.run(sock#TCPSocket)
   76 block in WEBrick::GenericServer.start_thread(sock#TCPSocket, &block#NilClass)

10. • Application instrumentation
    • Different ways to identify vulnerabilities
    • And many solutions to prevent them
      – Patch a function's return value
      – Encode a function's arguments
      – Raise an exception to prevent further execution

11. Where the database is accessed
    (byebug) break ActiveRecord::ConnectionAdapters::SQLite3Adapter.exec_query
    Successfully created breakpoint with id 1
    (byebug) continue
    [283, 292] in …/active_record/connection_adapters/sqlite3_adapter.rb
       287:
    => 288:       def exec_query(sql, name = nil, binds = [])
       289:         type_casted_binds = binds.map { |col, val|
       290:           [col, type_cast(val, col)]
       291:         }
       292:
    (byebug) var local
    binds = []
    name = Post Load
    self = #<ActiveRecord::ConnectionAdapters::SQLite3Adapter:0x007fb1eb30df50>
    sql = SELECT * FROM posts WHERE id=3
    (byebug) self.quote("it's a string")
    "'it''s a string'"

12. SQL injection detection
    • Inside an app, full access to:
      – Raw SQL query, just as the database receives it
      – Database system (Oracle, MySQL…)
      – Database configuration (encoding)
      – Untrusted parameters
    • Ability to parse the complete SQL query

13. SQL injection
    • Untrusted entry used in a SQL request
    • Assume pwd is injectable:
        SELECT * FROM users WHERE pwd = 'sun' LIMIT 1
    • Injected query:
        SELECT * FROM users WHERE pwd = 'sun' OR 1=1--+' LIMIT 1
    • The SQL query has to be valid to trigger an injection
    • How to prove that an injection happened?

14. Request just before it leaves the app for the DB:
        SELECT * FROM users WHERE password = 'sun' OR 1=1-- '
    Reminder: we know the database, its charset, encoding rules…
    Tokenized, one user entry becomes multiple SQL tokens:
        SELECT * FROM users WHERE password = sun OR 1 = 1
    This is an injection.

15. Rendering a template
    #0 ActionView::OutputBuffer.<<(value#NilClass)
    #1 ActionView::CompiledTemplates._app_views_posts_show_html_erb…(local_assigns, output_buffer)
    #2 block in ActionView::Template.render(view, locals#Hash, buffer#NilClass, &block#Proc)
    #3 #<Class:ActiveSupport::Notifications>.instrument(name#String, payload#Hash)
    […]
    #18 ActionView::Rendering._render_template(options#Hash)
    #19 ActionController::Streaming._render_template(options#Hash)
    #0 is string concatenation
    #1 is template insertion

16. String concatenation
    (byebug) break ActionView::OutputBuffer.<<
    [6, 15] in actionview-4.2.3/lib/action_view/buffers.rb
    …
       10:     def <<(value)
    => 11:       return self if value.nil?
       12:       super(value.to_s)
       13:     end
       14:     alias :append= :<<
       15:
    (byebug) var local
    value = "my <script>alert()</script> title"
    (byebug) value.html_safe?
    true

17. In template insertion
    [6, 15] in app/views/posts/show.html.erb
        8:
        9: <p>
       10:   <strong>Title:</strong>
    => 11:   <%= @post.title %>
       12: </p>
       13:

18. XSS detection
    • Inside an app, access to:
      – Template engine (JSF, ERB…)
      – Partially rendered page
      – Fully rendered page
      – Generated page type: HTML, CSS, JSON…
      – Untrusted parameters

19. XSS detection
    • HTML can be parsed
    • Injection if the user entry adds HTML to the rendered page:
      – HTML node
      – HTML attribute
    • In such cases, we have an HTML injection:
        <div><script src=atta.ck/></script>Safari</div>
        <a href='#' onclick='alert()'>Data</a>
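
Slide 19's rule, as an added Ruby example that is not code from the presentation or from Sqreen: the rendered page's tag and attribute structure is compared with the same page where the untrusted value is replaced by inert text of equal length, and any new node or attribute means the user entry added HTML. The regex tag scanner, the function names and the `render_title` sample template are assumptions of this example.

```ruby
# Tags of a rendered page: closing slash, tag name, raw attribute text.
TAG_RE  = /<(\/?)([A-Za-z][\w-]*)([^>]*)>/
# Attribute names; the optional quoted or bare value is skipped.
ATTR_RE = /([\w:-]+)(?:\s*=\s*(?:"[^"]*"|'[^']*'|[^\s>]+))?/

# Structural signature of a page: tag names and attribute names only. Text
# content and attribute values are deliberately ignored, because a user
# entry may change those; it may not add nodes or attributes.
def html_structure(html)
  html.scan(TAG_RE).map do |slash, name, attrs|
    [slash + name.downcase, attrs.scan(ATTR_RE).flatten.map(&:downcase).sort]
  end
end

# Compare the page as rendered with the same page where the untrusted value
# is replaced by inert letters of equal length (assumed approach). A changed
# structure means the user entry added HTML: an HTML injection.
def html_injection?(rendered, user_input)
  return false if user_input.empty? || !rendered.include?(user_input)
  inert = rendered.sub(user_input, 'x' * user_input.length)
  html_structure(rendered) != html_structure(inert)
end

# Constructed sample: the post title inserted into the show.html.erb fragment
# from the slides, without any escaping (the vulnerable case).
def render_title(title)
  "<p>\n  <strong>Title:</strong>\n  #{title}\n</p>"
end
```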

20. Third-party component vulnerabilities

21. An application's dependencies
    irb(main):001:0> Gem.loaded_specs.map do |k, v|
      puts "%20s\t%s\t%s" % [k, v.version, v.homepage]
    end
    rake            10.4.2
    i18n            0.7.0     http://github.com/svenfuchs/i18n
    tzinfo          1.2.2     http://tzinfo.github.io
    activesupport   4.2.3     http://www.rubyonrails.org
    erubis          2.7.0     http://www.kuwata-lab.com/erubis/
    nokogiri        1.6.6.2   http://nokogiri.org
    actionview      4.2.3     http://www.rubyonrails.org
    sqlite3         1.3.10    https://github.com/sparklemotion/sqlite3-ruby
    execjs          2.6.0     https://github.com/rails/execjs
    ...
    CVE-2015-1819, CVE-2015-7941, CVE-2015-7942, CVE-2015-8035

22. 3rd party component vulnerabilities
    • The application knows its libraries
      – Version
      – Configuration
      – Dependencies
    • And OS libraries
    • Correlation with public security advisories
    • And restrict / correct the vulnerable paths

23. Shell injection

24. • Inside an app, access to:
      – Command (before execution)
      – Shell
        • Type (Bash, ksh, PowerShell, cmd.exe…)
        • Version (ShellShock vulnerable?)
      – Environment
      – User parameters

25. Shell injection
    • Similar to SQL injection
    • Ability to parse the executed command
      – Legitimate command:
          whois jbaviat.sqreen.io
      – Injected command:
          whois jbaviat.sqreen.io ; cat /etc/passwd
    • Possible correlation with untrusted parameters
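
The token-span check of slides 13, 14 and 25, as an added Ruby example that is neither the presentation's nor Sqreen's code: the SQL query or shell command is tokenized, and the untrusted value is flagged when it overlaps more than one token or a separator, while a value that stays inside one string literal or one quoted shell word is accepted. The simplified SQL and POSIX shell token rules and the `injected?` helper are assumptions of this example; the sample statements are the slides' own.

```ruby
require 'strscan'

# Token rules in priority order: [type, regex]. Comments and quoted strings
# come before operators so that "--", "/*" and "'" are consumed whole.
SQL_RULES = [
  [:space,   /\s+/],
  [:comment, /--[^\n]*|\/\*.*?\*\//m],
  [:string,  /'(?:[^']|'')*'/],                 # '' is an escaped quote
  [:number,  /\d+(?:\.\d+)?/],
  [:word,    /[A-Za-z_]\w*/],
  [:op,      /<>|<=|>=|!=|[-+*\/%=<>(),;.]/],
].freeze

# Simplified POSIX shell: quoted text stays inside one word; metacharacters
# outside quotes are separators, pipes, redirections or substitutions.
SHELL_RULES = [
  [:space, /\s+/],
  [:op,    /\|\||&&|\$\(|[;|&<>`()]/],
  [:word,  /(?:'[^']*'|"(?:[^"\\]|\\.)*"|\\.|[^\s;|&<>`()'"])+/],
].freeze

# Returns [type, text, start, stop] for every non-space token. Input that no
# rule covers (e.g. an unterminated quote) raises: a parser that cannot
# tokenize the statement must fail closed rather than guess.
def tokenize(rules, text)
  ss = StringScanner.new(text)
  tokens = []
  until ss.eos?
    start = ss.pos
    type, = rules.find { |_, re| ss.scan(re) }
    raise ArgumentError, "cannot tokenize #{text[start, 10].inspect}" unless type
    tokens << [type, ss.matched, start, ss.pos] unless type == :space
  end
  tokens
end

# The slides' rule: an untrusted value that lands inside one token (a string
# literal, a quoted shell word) cannot change the statement's structure. If it
# overlaps several tokens, or a separator/operator, the user entry became syntax.
def injected?(rules, statement, user_input)
  start = statement.index(user_input) unless user_input.empty?
  return false unless start
  stop = start + user_input.length
  hit = tokenize(rules, statement).select { |_, _, s, e| s < stop && e > start }
  hit.length > 1 || hit.any? { |t| t[0] == :op }
end

def sql_injection?(sql, input);   injected?(SQL_RULES, sql, input);   end
def shell_injection?(cmd, input); injected?(SHELL_RULES, cmd, input); end
```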

26. Questions?
    @JbAviat
    jb@sqreen.io

27. Sqreen: you code, we protect
    • We protect applications automatically
    • Beta program available: contact us to be part of it
    • Sqreen is hiring
