Thought hacking was hard? It’s not, it’s easy and I’m going to show you how! Most sites are far more vulnerable to attack than they think. In this talk we’ll go through a series of hacking stories and breakdown the hack together to see exactly how they did it. By the end you’ll walk away perhaps a little bit more scared, but definitely armed with some great practices you can apply immediately to your own applications.
before I begin I'd like to ask a quick question...
pee question
hopefully, by the end of the talk, that %age will have increased.
because today we are going to talk about security and hacking.
and Introduce
To begin I'd like to tell you a story...
working in investment banking, career going well, good money
side project
events site
slightly successful.
quit to work on this full time
arrogant
money started running out, had 3 months left.
found one investor still interested
demo 7 days
48 hours linode
investigate, confirmed, tmp folder
what was the source?
found php running, weird since I don't use php
remembered
resolution
No fool.
Took security this very seriously.
Followed all the instructions.
Forgot one small thing.
Lesson Take Away = Happen to you.
I love stories.
Today I'm going to talk about hacking.
But through 3 different hacking stories.
Some specific to node
Some general.
Moral at the end
Lesson to learn
Steps to protect yourself
Lets start off with breaking down exactly how I think I was hacked at eventsushi.
Lets first explain a few terms
A vulnerability is a hole in security
a weakness - e.g. not using a firewall is a vulnerability.
An exploit is a tool, piece of code, or just a sequence of commands
which takes advantage of a vulnerability to do bad things.
Q) Who here has heard of the term 0 day exploit?
A 0 day exploit is one that no one knows about, yet.
It's a secret
Photo by Kristina Flour on Unsplash
https://unsplash.com/search/photos/whisper?photo=BcjdbyKWquw
Once a 0 day exploit is found
It's not called a 0 day exploit anymore.
1D, 30D, 6MONTH etc..
Then the clock starts ticking.
How hard do you think it would be to get a hold of a 0 day exploit?
How hard do you think it would be to get a hold of an exploit that's been in the public domain for 6 months?
https://unsplash.com/photos/p3Pj7jOYvnM
Photo by Veri Ivanova on Unsplash
In fact it's very easy.
you can find them on the internet.
There are lots of sites.
This one for instance https://www.exploit-db.com/
[SHOW VIDEO]
We like to believe all hackers are like this?
black hat
mysterious
geniuses
I think we like to believe that because it makes us feel better when we do get hacked.
"I mean it's MrRobot, How am I a supposed to defend against that"?
But MrRobot didn't hack me.
They didn't use a 0 day exploit.
I was running a really old version of PHP.
My attacker GOOGLED how to hack me and followed instructions.
Not hard!
Or like this... ooooh mysterious....
http://www.istockphoto.com/gb/photo/hard-at-work-gm518069822-89813857
But it probably looked like this...
But I was running an old version of PHP.
My attacker GOOGLED how to hack me and followed instructions.
In fact it's even easier than that..
you don't even need to do this manually.
tools automate this whole process
metasploit is one from rapid7.
scans a site.
identifies potential vulnerabilities.
then lets you automate exploits from its database of plugins.
[NO....]
So you just need to find an idiot like me on the internet
With an old version of PHP running
Scan me with metasploit and then try a few known exploits.
So what can we do?
We are still vulnerable to 0 day exploits.
Can't defend from unknown.
Can defend from known exploits simply by keeping our software updated.
That's easy right, we just need to update...
OS
Apache
Nginx
Database Software
Underlying Libraries
Bulletins
Actually that sounds like a lot of hard work
Any my job is to write apps, not maintain servers.
So after this attack i started exclusively using PAASs
Photo by Nolan Issac on Unsplash
https://unsplash.com/photos/K5sjajgbTFw
Describe.
Patching
Companies
SUMMARY:
Leaving an OLD version of PHP running was a vulnerability.
Don't think they came in through a 0 day.
They came in using a known exploit, one that was probably already fixed in the latest version of PHP.
So if i had at least updated PHP to the latest version I would be safe.
But keeping everything updated is hard.
So use a PAAS.
On Premise
You look after hardware, OS and application code
IaaS
You look after OS and App code and they look after the Hardware
PaaS
They look after harware, OS (and software like web servers) and you just release app code
In the past i've used Heroku, Google App Engine, Amazon has something called Beanstalk but i've never used it and Azure has something called AppService
Doesn't matter which one you use to be honest, they all auto update the infrastructure versions on a pretty regular level just make sure to use one.
Still not convinced?
Q) Who's heard of the recent equifax hack?
The largest hack in history, affects about 200 million people.
Billion dollar company.
10,000 employees.
Did the hackers get in through a 0 day exploit?
NO.
They got in through a KNOWN exploit of Apache Struts.
The patch to fix the exploit had been released for 2 months BEFORE the hack.
They just hadn't applied the patch.
Azure Security Centre
Coolest things about Azure
No one else has got this.
Signals
Alerts create noise
So to solve this we trained in AI to detect hacking attempts from the signals.
The AI can chain together signals and figure out if you are being attacked with a pretty high degree of certainty.
It's not perfect but i'm lazy and it doesn't require any effort to use
so I like to switch it on.
Who watches this show?
So my closing arguments.
Thinking you can create a secure platform to host your appwhen you are not an expert in security
is like thinking you can represent yourself in court
if you are not a lawyer.
Did I manage to scare any of you?
Probably not...
maybe this next story will scare you more.
http://www.istockphoto.com/gb/photo/little-boy-stealing-cookies-gm164114602-23379436
http://www.istockphoto.com/gb/photo/close-up-of-a-little-girl-taking-one-cookie-gm160146392-17820916
This story is about a company I used to work at.
They were a financial startup.
Brought to help them move from an old Java framework to Angular.
Framework decommissioned in 2003, first line of code was written in 2005.
Can laugh but
It's financial services so lots of it regulation including security.
Hired a pen testing firm to try to hack us.
It wasn't hard.
This is the story of one of the vulnerabilities they found.
It's called XSS or CrossSiteScripting and it's a type of Injection Attack.
They basically found a way to steal a users cookies then login and make trades and financial transactions as that user.
The way they did this was simple.
The form that we used to submit a comment allowed some simple formatting, bold etc..
It used HTML to define the text format.
It then converted the HTML to Base64 and this was posted to the server and stored in the database.
Later on when it comes to display it converts from base64 on the server side and returns HTML from the server.
NOTE: This is NOT an SPA, serverside rendered!
So instead of the HTML you saw before, these hackers crafted their own HTML comment.
This one had a script tag.
Do you see what it's doing?
It's sending your cookie to some other server, assuming you login with cookies this is giving someone else complete access to your account.
Remember it gets converted to base64 first and they just used postman to post it to our APIs.
Then when we rendered the page later on.
We rendwered it WITH their script tag!
So just VIEWING a forum page with one of these special comments in will send your cookie to someone else server.
http://www.istockphoto.com/gb/photo/deception-concept-disguise-between-shark-and-goldfish-gm534192884-94746997
http://www.istockphoto.com/gb/photo/in-the-wrong-place-gm92469124-700142
https://www.pexels.com/photo/close-up-of-human-hand-257279/
Moral of the story: Don't assume your inputs will arrive in the format you expect.
What's the solution?
Sanitise on backend - on the serverside should strip tags it doesnt' recognise: https://www.npmjs.com/package/xss [ADD]
Sanitise on frontend: With frameworks like Angular it by default assumes that all content is unstrusted and runs it through a sanitiser removing all script tags: https://angular.io/guide/security
CSP script-src https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy/script-src [CSP]
https://beta.companieshouse.gov.uk/company/10542519
companies house.
This is an actual limited company registered in the UK.
It's an example of an attempt at an injection attack
a sql injection attack.
Run untrusted code in a trusted environment.
The goal is to trick an application to run some raw SQL.
So if someone wasn't careful and had a script that ran something like this
'select * from companies where name ='+ name;
they would end up running something like this
But name might be something a user entered into a form.
or came from an API request.
You are susceptible to this whenever you use "untrusted" input in an SQL statement.
Backup database, so what
DROPTABLES isn't the only command
Don't even have to try all these commands manually.
http://sqlmap.org/
It's such a common vulnerability that there are automated tools to help you attack, such as this one.
python script
pass in the URL which has the vulnerability
scans to begin with, finding out things like database software and version.
Figured out it's myself so tries to guess the admin password from a database of common passwords.
dump users table
run shell commands
In about a min, we can get access to the database, dump the users table and even run commands on the OS shell.
Moral of the story: Don't assume your inputs will arrive in the format you expect.
Photo by Braydon Anderson on Unsplash
https://unsplash.com/collections/480109/animals-in-disguise?photo=wOHH-NUTvVc
What's the solution?
Sanitise untrusted input.
sqlstring
Strips out anything that looks unsafe from a sql statement.
Others, front end, XSS etc...
Anytime you have untrusted input from a user sanitise.
[SLOW]
If you use something like azure sql database
it automatically ❤️ detects sql injection attacks
doesn't stop them but does send you an alert.
How are you feeling now?
I showed you an automated script which took over a database in under a minute.
More scared?
Who's heard of this company?
So github has a bug bounty.
They pay you if you find a security hole in their software.
There was a great exploit found in github enterprse by someone called orange tsai
twitter handle.
gave a hacker the ability to run any command on the github server
as if they have a bash shell open on your server.
chaining a number of smaller exploits together into one large exploit.
heist movie
figuring out how they did it is so facinating.
I've tried to break down for you and would love to tell.
http://blog.orange.tw/2017/07/how-i-chained-4-vulnerabilities-on.html
You know webhooks right?
You can setup a webhook so that when someone pushes to git it will POST to a HTTP endpoint.
What if you set the webhook URL to localhost?
Aha... then it will post to a local process instead
post to any port
behind the firewall!
But the github people knew this
They USED a sanitiser that blacklisted localhost.
But they didn't blacklist 0 which can resolve to localhost as well!
About the only thing he could do with that is shutdown elastic search.
Spent a few more days looking.
graphite
charting
open source so checked the source code
found this function
POST -> GET
But that second GET request is using HttpConnection lib
Which is know to have a vulnerability called called CR-LF Injection
A HTTP Request is just a series of lines sent over a TCP connection.
So it opens a port to 12345
Sends GET, \r\n HTTP\r\n etc...
But HTTPConnection converts those special chars to \r\n
So now we send GET /
then hello
Something that is expecting HTTP would probably error at this, the message is not formed correctly.
But HTTPConnection converts those special chars to \r\n
So now we send GET /
then hello
Something that is expecting HTTP would probably error at this, the message is not formed correctly.
This activity opens up the door to something called protocol smuggling.
So if we send a HTTP request to the redis instance on the box (6379) with the command SLAVEOF example.com 6379 then this redis instance becomes a slave of our external redis instance.
So it opens the door to being attacked through other protocols than HTTP.
What other things can we do?
But what if we did something like this.
11211 is memcached.
what would HTTPConnection try to send then.
The full HTTP message when generated by HttpConnection library then looks like this.
But remember we are not sending this to a server expecting HTTP.
We are sending this to memcached which is just expecting the memcached protocol.
Memcached is not expecting HTTP, doesn't know how to parse it, just executes commands if it sees a newline.
GET ignored, error.
next time, this is a real memecahced command, sets some data in memcached.
Lets us smuggle protocols
Developers, we like to store things in memcached,
But we are lazy so we like to use libs that do it for is.
We might use one which takes an instance of a class and serialises the whole thing.
So you take some code that exists in memory.
Convert it to a string or binary format.
Send that to memcached.
Sometime later load the data again, convert it into a class and call a function.
But now we have access to memcached
We can set data in memcached.
we can CHANGE what code is returned.
So when you execturte that code later on, you are running my code, not the code you stored.
Serialised instances contain the name of the class
Found this one
Instance had a known vulnerability so was depreciated
You can change a serialised instance of this class so that when it is called it executes a command in the shell instead.
BUT they still used it, so it was easy to hack.
Moral of the story: Big exploits are made from smaller exploits.
Attacks don't come in through one big exploit.
Multiple smaller exploits chained together.
So if you found a vuln and are thinking of ignoring it, think again.
How are you feeling now?
Anyone need to go to the toilet?
No?
Maybe after the next story...
Photo by Kelly Sikkema on Unsplash
https://unsplash.com/search/photos/lego?photo=JRVxgAkzIsM
What does the above code do?
It gets all your environment variables and converts them to a base64 encoded string.
What does the above code do?
Take a look at the host name.
It takes your environment variables and posts them to my server.
How many of you keep secret keys, passwords etc... in environment variables.
What if I told you I could make you run this code on your server?
Does this make it any clearer, the file is called package-setup.js
How about now?
I can see the realisation coming to some of you.
This is an npm module, when you install it you send me your environment variables.
But you are probably thinking, why would you ever install an npm package you have never heard of?
Take a look at this, was posted a few weeks ago.
cross-env is a very popular npm module created by kent dodds, over a million downloads every month.
What they had done was release a module called codeenv without the hyphen. That's it.
It's called typosquatting.
npm install from memory, tried with and without hyphens?
When you run npm install you are basically giving other developers the right to run their code on your server
behind all your firewalls
as if you wrote the code.
Moral of the story: We are too trusting!
maybe because open source.
developer is a good person.
they have released code to the community for free.
multiple eyes on it.
the npm modules were up for 2 weeks before they were discovered.
not using the environment
key vault.
but even that would not be safe
the code is running as if it was you who wrote it.
so it will have access to even read from keyvault
npm have taken down crossenv
maybe already installed? Links at the end.
ecosystem is HUGE
static analysis of npm packages
double triple sure you typed he module name correctly
https://unsplash.com/photos/sssxyuZape8
Photo by Jairo Alzate on Unsplash
What's the takeaway?
Stop pretending that because you've spent a few mins thinking about security that you are safe.
There are people who spend all day everyday thinking of clever ways to get access to your site.
Use a PaaS.
Don't assume people will use your site as you expect them to use it, every input can be abused, so sanitise.
No such thing as a small exploit, small ones can be chained together to create a big one. Fix your vulnerabilities no matter how small you think they are.
Did the npm one scare you? It should... we are too trusting, we trust objects we store in a memcache are not going to be tampered with, we trust that everything we install from npm is trustworthy.
Don't trust anyone!
If you want a good follow on course my colleage Brian Clarke has one on Pluralsight, it's a good one for going a bit deeper into some of these issues.