Breaking The Framework's Core #PHPKonf 2016

Web frameworks, that is, web application frameworks, are one of the most important building blocks of today's web technology. The security of frameworks, which bundle many different features and form the foundation of web applications, is of the utmost importance. A security vulnerability found in widely used open source systems such as Drupal, WordPress, Symfony or CodeIgniter pulls dozens of otherwise independent projects, organisations and systems into its blast radius. This presentation gives a detailed analysis of vulnerabilities that have appeared in popular frameworks and of the most frequently encountered misuses, with hands-on examples.

  1. InvictusEurope © 2016 Breaking The Framework’s Core Mehmet INCE
  2. WHO AM I: Ince, Mehmet Dursun. Senior Penetration Tester, Co-founder / Invictus Europe. Ordinarily: ● Hack the app. ● Make it secure. ● Hack it again. ● Train the developers, help them to build secure apps. Blogger http://www.mehmetince.net @mdisec
  3. Web Application Framework: A web application framework (WAF) is a software framework that is designed to support the development of dynamic websites, web applications, web services and web resources.
  4. Components: ● ORM. ● MVC or MVT architecture. ● DRY => (Don't Repeat Yourself). ● Template engine. ● Out-of-the-box customizable admin interface for CRUD operations. ● Built-in lightweight web server. ● URL design. ● Middleware. ● Authentication / authorization schema by default. ● Internationalization. ● Fast development.
  5. (image-only slide)
  6. One ring to rule them all, One ring to bring them all and in the darkness bind them.
  7. (image-only slide)
  8. Where should we look? Encryption, Utils, ORM, Template Engine, Auth Mechanism, ...
  9. Example #1 - Drupal SQL Injection (ORM)
  10. Example #1 - Drupal SQL Injection (ORM): User input is an array, e.g. ids[]=1&ids[]=2&ids[]=3
  11. Example #1 - Drupal SQL Injection (ORM): User input is an array, e.g. ids[0); DROP TABLE foo; --]=1&ids[]=2
  12. MySQL prepared statements are limited to a single stacked query. But ?!
  13. Mitigation?
  14. Fix
  15. serialize() ? unserialize() ?
  16. Object Serialization: serialize() returns a string containing a byte-stream representation of any value that can be stored in PHP. Using serialize to save an object will save all variables in an object. The methods in an object will not be saved, only the name of the class.
  17. Object Deserialization: unserialize() can use this string to recreate the original variable values. If the variable being unserialized is an object, after successfully reconstructing the object PHP will automatically attempt to call the __wakeup() member function (if it exists).
  18. Code Reuse / POP Attacks: 1. The payload is not injected into the application. 2. Instead, the application's code flow is hijacked. 3. Pieces of already available code are executed in an attacker-defined order.
  19. Proof of Concept: The first picture shows Object.php, which contains all the classes. The second picture shows Index.php, which is the beginning of our PoC application.
  20. PAYLOAD
  21. (image-only slide)
  22. Example #2 - vBulletin Remote Code Execution via PHP Object Injection: vBulletin 5.1.x, core/vb/api/hook.php. The function above is also callable by an unauthenticated user through ajax/api/hook/decodeArguments?arguments=PAYLOAD
  23. OKAY! We have an entry point. What are we going to do? 1 - Identify the start point. 2 - Find a desirable end point. 3 - Make it rain!
  24. 1 - Find __destruct functions. 2 - This one can cause a DoS but is still useless (vB_vURL class, located at core/vb/vurl.php). 3 - This one is interesting (vB_dB_Result class, located at core/vb/db/result.php). Now we need to find a class that has free_result() as a function...!
  25. Example #2 - Luck: Luckily, one class has this function! vB_Database class, located at core/vb/database.php
  26. PAYLOAD
  27. (image-only slide)
  28. Moar! Complicated object chaining
  29. preg_replace!
  30. Find a Desirable End Point
  31. Zend 1.9 POP Attack Diagram
  32. Result: - PHP Object Injection is “usually” easy to detect, - but not easy to exploit. - Do NOT use serialize() / unserialize() with untrusted inputs. - Instead use json_encode and json_decode. - Keep up to date! Your framework and components.
  33. Abusing PHP Template Engines: Twig, Smarty, ….
  34. Twig
  35. Input as Template Code
  36. Don’t be fooled..! It’s not an XSS. Server-Side Template Injection looks like XSS, but it is NOT. It’s more dangerous...
  37. RTFM
  38. Moar! RTFM: We are able to access the env class through the self object in templates, so we can call functions of the Twig_Environment class.
  39. PoC
  40. Security is a serious business.
  41. Final Words: - Before development: risk assessments; architecture security overview; SDLC ..? - Development phase: every single piece of data is under the hacker's control; validate input as much as possible; never ever forget to do “encoding” in templates. - Deployment phase: secure deployment pipeline ..? - Maintenance: UPDATE your servers, services, packages, everything you have. Just keep UPDATING. 3rd-party bug trackers. - During your life: RTFM
  42. THANK YOU Ince, Mehmet Dursun Senior Penetration Tester, Co-founder / Invictus Europe @mdisec mehmet.ince@invictuseurope.com mehmet@mehmetince.net http://www.mehmetince.net
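Slides 9 to 14 describe the Drupal ORM bug without showing the code: the keys of a user-supplied `ids[]` array are used to build placeholder names, so a key like `0); DROP TABLE foo; --` lands in the SQL text while the prepared statement still looks parameterised. The following is an added illustration, not Drupal's own code: a simplified array-argument expander written in the vulnerable style beside a hardened one that derives names only from array positions.

```php
<?php
// Added illustration, not Drupal's code: a simplified "expand array argument"
// helper of the kind an ORM uses to rewrite  WHERE id IN (:ids)  with
// [':ids' => [1, 2, 3]]  into  WHERE id IN (:ids_0, :ids_1, :ids_2).
// Vulnerable pattern: the new placeholder names are built from the KEYS of
// the user-supplied array, and those keys are pasted verbatim into the SQL.
function expandArgumentsUnsafe(string $query, array $args): array
{
    foreach ($args as $key => $data) {
        if (!is_array($data)) {
            continue;
        }
        $newKeys = [];
        foreach ($data as $i => $value) {           // $i comes from the request
            $newKeys[$key . '_' . $i] = $value;
        }
        $query = str_replace($key, implode(', ', array_keys($newKeys)), $query);
        unset($args[$key]);
        $args += $newKeys;
    }
    return [$query, $args];
}

// Hardened pattern: names come only from the position in the array, so the
// query text is independent of whatever the client used as keys; the values
// themselves remain bound parameters and never touch the SQL string.
function expandArgumentsSafe(string $query, array $args): array
{
    foreach ($args as $key => $data) {
        if (!is_array($data)) {
            continue;
        }
        $newKeys = [];
        foreach (array_values($data) as $i => $value) {   // $i is 0, 1, 2, ...
            $newKeys[$key . '_' . $i] = $value;
        }
        $query = str_replace($key, implode(', ', array_keys($newKeys)), $query);
        unset($args[$key]);
        $args += $newKeys;
    }
    return [$query, $args];
}

// Constructed input: the array PHP builds from  ids[0); DROP TABLE foo; --]=1&ids[]=2
$ids = ['0); DROP TABLE foo; --' => '1', 0 => '2'];
$sql = 'SELECT name FROM users WHERE id IN (:ids)';
[$unsafeSql] = expandArgumentsUnsafe($sql, [':ids' => $ids]);
[$safeSql]   = expandArgumentsSafe($sql, [':ids' => $ids]);
echo $unsafeSql, PHP_EOL;   // the key text has become part of the statement
echo $safeSql, PHP_EOL;     // only :ids_0 and :ids_1 placeholders appear
```

In a code review, the check is simply whether anything other than a positional index or a compile-time constant ever contributes to a placeholder name.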
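Slides 15 to 25 and 32 explain that unserialize() reconstructs any loadable class and lets its __wakeup()/__destruct() run, and recommend JSON instead. The added example below (PHP 7.3+, not code from the talk or from vBulletin) uses a made-up CacheWriter class as the "end point" and contrasts a raw unserialize() entry point with the two defensive options: refusing objects via the real `allowed_classes` option, or exchanging plain data as JSON.

```php
<?php
// Added illustration (PHP 7.3+), not code from the talk or from vBulletin.
// CacheWriter stands in for the kind of __destruct() "end point" described
// on slides 24-25; what matters is which decoder lets untrusted bytes reach it.
class CacheWriter
{
    public $path = '/tmp/cache.tmp';

    public function __destruct()
    {
        // Runs when the object is freed, even though the decoding code never
        // named this class or called any of its methods. In a real gadget
        // this is where a file write or database call would happen.
        echo "__destruct() of CacheWriter fired for {$this->path}\n";
    }
}

// Constructed, attacker-shaped input: a serialized CacheWriter whose property
// the client chose. The server-side code below never mentions the class.
$untrusted = 'O:11:"CacheWriter":1:{s:4:"path";s:18:"/tmp/not-cache.tmp";}';

// 1. Vulnerable (the pattern of slide 22): every loadable class is a gadget.
function decodeArgumentsUnsafe(string $input)
{
    return unserialize($input);
}

// 2. Hardened while keeping the serialize() wire format: objects are refused
//    and come back as __PHP_Incomplete_Class, whose __wakeup()/__destruct()
//    are never invoked.
function decodeArgumentsNoObjects(string $input)
{
    return unserialize($input, ['allowed_classes' => false]);
}

// 3. Preferred per slide 32: plain data as JSON, which has no notion of classes.
function decodeArgumentsJson(string $input): array
{
    $value = json_decode($input, true, 512, JSON_THROW_ON_ERROR);
    return is_array($value) ? $value : [];
}

$obj = decodeArgumentsUnsafe($untrusted);
var_dump(get_class($obj));                   // a live CacheWriter instance
$obj = decodeArgumentsNoObjects($untrusted); // reassigning frees the CacheWriter,
var_dump(get_class($obj));                   // so its destructor fires here; the
                                             // new value is an inert placeholder
var_dump(decodeArgumentsJson('{"path":"/tmp/cache.tmp"}'));
```

For detection, grep the codebase for unserialize( calls whose argument is request-derived and lacks the `allowed_classes` option; each one is an entry point of the kind slide 22 shows.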
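Slides 33 to 41 make the point that Server-Side Template Injection arises when request data becomes template source rather than template data, and that output encoding in templates must not be forgotten. The added example below (not code from the talk) shows both sides in Twig 1.x; it assumes Twig 1.18+ installed via Composer, and the Twig_Loader_Array class is an assumption, as the talk only names Twig_Environment.

```php
<?php
// Added illustration, not code from the talk. Assumes Twig 1.18+ (the
// Twig_Environment class from slide 38) installed via Composer; Twig_Loader_Array
// is used here only to keep the example self-contained.
require __DIR__ . '/vendor/autoload.php';

$loader = new Twig_Loader_Array([
    'greeting.twig' => 'Hello {{ name }}!',
]);
$twig = new Twig_Environment($loader, ['autoescape' => 'html']);

// Vulnerable: the request parameter becomes template SOURCE. Any Twig syntax
// in it ({{ ... }}, {% ... %}) is compiled and executed on the server, with
// access to _self and the environment as slide 38 notes. This is why slide 36
// says it is not "just" XSS.
function renderGreetingUnsafe(Twig_Environment $twig, string $name): string
{
    $template = $twig->createTemplate('Hello ' . $name . '!');
    return $template->render([]);
}

// Safe: the fixed template is the code; user input is only DATA in the
// context, so it cannot change what the template does, and the autoescape
// strategy HTML-encodes it on output (slide 41: never forget encoding).
function renderGreetingSafe(Twig_Environment $twig, string $name): string
{
    return $twig->render('greeting.twig', ['name' => $name]);
}

// Constructed input, harmless but telling: the vulnerable path evaluates the
// expression on the server, the safe path prints it back as literal text.
$input = '{{ 7 * 7 }}';
echo renderGreetingUnsafe($twig, $input), PHP_EOL;
echo renderGreetingSafe($twig, $input), PHP_EOL;

// Review check: any place where request-derived data reaches createTemplate(),
// Twig_Loader_String, or a string that is concatenated into template source is
// the SSTI pattern; render(<fixed template name>, <context>) is not.
```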