Rashid Khatmey, profile picture
Uploaded byRashid Khatmey
PPTX, PDF250 views

3. backup file artifacts - mazin ahmed

The document discusses backup file artifacts (BFAs), which occur when code editors or version control systems create backup files that are sometimes left exposed publicly. This can disclose source code or sensitive information. The document introduces BFAC, a tool written in Python to detect BFAs through automated testing. BFAC checks for various types of BFA patterns and artifacts from version control systems. It aims to be more comprehensive than existing vulnerability scanners. The document also provides examples of real-world BFA findings and discusses mitigations, such as developer awareness and access rules.

Embed presentation

Download to read offline
Backup File Artifacts The Underrated Web Danger TESTING AND EXPLOITING BFA WITH BFAC By: Mazin Ahmed @mazen160 mazin AT mazinahmed DOT net
WHO AM I?  Mazin Ahmed • Freelancing Security Researcher at Bugcrowd, Inc. • Security Contributor at ProtonMail • Freelancing Information Security Specialist • You can read more at https://mazinahmed.net/
WHO AM I?  And I have contributed to the security of the following:
Table of Contents  Introduction  How BFA Occurs?  Background  Previous Researches  Wrapping Ideas Together  The Problem  BFA Findings in Real-World.  Introducing BFAC  Using BFAC  Mitigations  Questions
What is Backup-File Artifacts?
Background Code Editors  Code editors makes a backup copy of the files that being edited.  Mostly, it's being done in the same directory of the file.  It's made using the same filename.  It uses predictable patterns.
Background Code Editors Product Name Backup Pattern (Assuming the filename is config.php) Emacs #config.php# Nano config.php.save Vim (swap file) config.php.swp Vim (swap file) config.php.swo Vim, Gedit config.php~
Background Code Editors The Problem  Developers mostly forgets to check for Backup File Artifacts caused by code editors, and underestimate the impact of leaving similar artifacts.  This would lead to the disclosure of the source code of the script that has been edited.
Background Version Control Systems  Version Control Systems (VCS) are systems made to manage changes on files, documents, computer programs, code, websites, etc…  All Version Control Systems has a directory by design that contains data and/or source-code.  The directory is made to have a backup of files, and to control the changes on the files within the project.  By design, we already know directories names, the important files, and the directories' structure of source-code version controller systems.
Background Version Control Systems Version Control System Pre-known Files and Directories GIT /.git (Default Directory) GIT /.gitignore GIT /.git/index GIT /.git/HEAD GIT /.git/refs Mercurial /.hg (Default Directory) Mercurial /.hg/requires Bazaar /.bzr/ (Default Directory) Bazaar /.bzr/README Subversion /.svn (Default Directory) Subversion /.svn/entries Subversion /.svnignore
Background Version Control Systems The Problem  Companies and developers in many occasions clone or download the repository into production, and FORGETS TO DELETE THE VCS DIRECTORIES.  This would lead to the disclosure of the source code of the company's application.
 The worst part: many websites don't disable directory listing, which makes exploiting that like a piece of cake. Profit?  downloading the VCS directory would be as simple as: $ wget --mirror -np –I /[path_to_vcs_dir] http://example.com/[path_to_vcs_dir] Background Version Control Systems The Problem
 In case the website disables directory listing, exploitation is still possible. Background Version Control Systems The Problem
 Exploitation of Missed VCS Folders on Web-Apps When Directory Listing is Disabled:-  Simply: Brute-Forcing the VCS structure. Background Version Control Systems The Problem
 Exploitation of Missed VCS Folders on Web-Apps When Directory Listing is Disabled:-  There are tools that can do that too:  GIT-Tools by Internetwache: A collection of scripts that can be used to retrieved GIT repositories from the web-app, even if directory listing is disabled. Written in Bash and Python.  DVCS-Ripper by @kost: A tool that can perform recover different repositories even if directory listing is disabled. Written in Perl.  DVCS-Pillage by Adam Baldwin: A tool that extracts and retrieves different DVCS repositories. Background Version Control Systems The Problem
Background Human-Based Missed Backup File Artifacts  Developers usually do a backup before attempting to edit files.  Example:- Editing index.php  Before editing, many developers do the following: $cp index.php index.php.bak
 Developers in many cases forgets to remove the backup file.  It may even be left on production. Background Human-Based Missed Backup File Artifacts The Problem
Impact  An unauthorized attacker can brute-forces through different patterns of human-based backing up, and check if the file exists and accessible to the public.  If succeeded, the unauthorized attacker would be able to view the source- code of the script (Source-Code Disclosure). Background Human-Based Missed Backup File Artifacts The Problem
Previous Researches Pillaging DVCS Repos For Fun And Profit - Defcon 19 - Adam Baldwin – 2011  The talk discusses different leakage of Distributed Version Control Systems, and how it can leak the website’s source-code and data if it’s incorrectly accessible by unauthorized users.  A test on Alexa top 1M was done and showed that roughly 2,000 websites were vulnerable.  A tool called DVCS-Pillage was released that helps retrieving repositories from websites that exposes them.
1% of CMS-Powered Sites Expose Their Database Passwords - Feross Aboukhadijeh – 2011  A research that shows how can human-based backup artifacts and backup artifacts made by code-editors leaks sensitive data on popular CMSs.  Also, tested Alexa top 200,000 websites for basic BFAs on CMSs configuration files.  Results showed a large number of high-profile websites had BFA left on production.  Wrote a tool that can detect basic BFAs for CMSs configuration files. Previous Researches
Don't publicly expose .git or how we downloaded your website's sourcecode – Internetwache - 2015  A research done by Internetwache on GIT VCS, and how it can leak web- applications' source-code and data.  Demonstrated different techniques for real-world exploitation of missed GIT repositories on production.  Tested Alexa top 1M websites for web-applications that left GIT repositories on production.  Published a set of scripts to automatically tries to retrieve files from GIT repositories. Previous Researches
 Backup-File Artifacts are caused by different ways, mostly, it’s the admin/developer mistake to allow it accessible.  Exploitation of Human-Based BFA and BFAs that is caused by code-editors can be done as the following: Example:- Saying that index.php.bak is discovered. Wrapping Ideas Together
 Having the meta directory of Control Version Systems accessible also leads to source-code and data disclosure. Wrapping Ideas Together
Wrapping Ideas Together Source-Code and Data Disclosure Human-Based Backup File Artifacts Backup File Artifacts Caused by Code Editors Version Controlling System Meta Directories Backup File Artifacts
 Most Open-Source and Commercial Web Vulnerability Scanners DO NOT PERFORM TESTING FOR BACKUP FILE ARTIFACTS.  Examples of Tested Open-Source Scanners That Do Not Perform BFA Checks:- • OWASP ZAP 2.4 • Vega • W3AF – There are partial plugins that does basic testing, but it’s disabled by default. • Nikto 2.4.6 The Problem
 There are very few current Scanners that performs Backup Artifacts. Testing. However, those rare scanners only test the very basic pattern of BFA.  Many Important patterns testing are MISSED! The Problem
BFA Findings in Real-World Paypal BFA That Lead to RCE - Ebraheem Hegazy  Ebraheem found a script called upload.php on a Paypal-owned server.  wrote script to test for BFA, and to check if the script exist on other subdomains.  Found a BFA for upload.php, and transformed the Blackbox testing to whitebox testing.  After source-code reviewing it, he found a bug that leads to RCE. Profit: Got an RCE exploit on a Paypal server. Paypal fixed the issue, and he was awarded a nice bounty.
BFA Findings in Real-World ISC.org BFA that Disclosed Database Credentials - Feross Aboukhadijeh  During Feross’s research, he tested ISC.org for BFA on Wordpress configuration files, wp-config.php.  He found a BFA left on the main production site of ISC.org, containing database credentials. Profit: The researcher had potentially valid credentials to ISC.org (“potentially” is said, as the researcher stated that he didn’t use it gain unauthorized access). Feross reported it to ISC.org, and they have fixed it.
BFA Findings in Real-World A Collection of BFAs - Mazin Ahmed  Used BFAC to discover a number of BFA issues on web-applications, mostly for confidential clients.  BFA Findings Leads To: • Credentials leakage. • Turning testing to whitebox. • Finding additional security vulnerabilities. • RCE. • SQLI. • XSS. • Even more BFA issues. • etc...
 About the Project:  BFAC (Backup-File Artifacts Checker) is an automated tool that checks for backup artifacts that may discloses the web-application's source code.  BFAC goal is to be an all-in-one tool for backup-file artifacts black-box testing.
Introducing BFAC  About the Project:  Code Specifications:-  Written in pure Python.  Compatible with both Python2.x and Python3.x.  Cross-Platform: Works on Linux, Windows, Mac, Android, and IOS.  Requires a slight amount of resources/modules.  API friendly.  Released under GNU GPLv3.0 License.
Introducing BFAC  About the Project:  Features:-  Testing all common types of backup-file artifacts patterns, including human-based BFAs, and BFA that can occur via code-editors.  Includes tests for common VCS artifacts, such as GIT, Subversion, Mercurial, and Bazaar.  Smart detection techniques: Capable of detecting "Not Found", and valid pages using different tests.  Stealthy Interaction with Web Servers.  Easy to edit and customize based on needs; easy to add custom BFA patterns.  Dynamic and generic; made to be not specified to test a specific environment or server.
Introducing BFAC  About the Project:  Features:-  Testing all common types of backup-file artifacts patterns, including human-based BFAs, and BFA that can occur via code-editors.  Includes tests for common CVS artifacts, such as GIT, Subversion, Mercurial, and Bazaar.  Smart detection techniques: Capable of detecting "Not Found", and valid pages using different tests.  Stealthy Interaction with Web Servers.  Easy to edit and customize based on needs; easy to add custom BFA patterns.  Dynamic and generic; made to be not specified to test a specific environment or server.
Downloading BFAC BFAC https://github.com/mazen160/bfac
Downloading and Installing BFAC  Cloning BFAC $ git clone https://github.com/mazen160/bfac.git  Installing BFAC ( for *NIX machines) As simple as: $ python install.py confirm
Using BFAC  Performs basic tests on the link, showing all attempts, and using random user-agents on each request. $ bfac --url 'http://example.com/test.php' --verbose --random-agent  Ignore 500 and 503 HTTP response codes when is detected as findings. $ bfac --url 'http://example.com/test.php' --verbose --exclude- status-codes 500,503
Using BFAC  Default option to confirm the existence of the BFA is set to check both of the HTTP Status Codes and the Content Length (set to “both”).  Rely only on HTTP Status Codes for confirming the existence of the BFA. $ bfac --url 'http://example.com/test.php' --verbose --verify-file- availability status_code  Rely only on Content Length measures in order to confirm the existence of the BFA. $ bfac --url 'http://example.com/test.php' --verbose --verify-file- availability content_length
Using BFAC  Perform BFA testing for all current testing levels (Level 4 includes tests from all below levels). $ bfac --url 'http://example.com/test.php' --verbose --level 4  Print a clean output with only findings, separated by newlines. Suitable for APIs and integration with other tools. $ bfac --url 'http://example.com/test.php' --no-text --level 4
Mitigation Developer-Level:-  Awareness  Probably the only reliable solution.  Developers' behavior regarding actions on production-level and publicly accessible applications are the main reason for this vulnerability type to occur. Software-Level:-  Access rules seems to be useful in blocking some of the patterns. However, it does not protect as needed.
Questions? Mazin Ahmed Twitter: @mazen160 Email: mazin AT mazinahmed DOT net Website: https://mazinahmed.net LinkedIn: https://linkedin.com/in/infosecmazinahmed

More Related Content

PDF
Web Application Security 101
byCybersecurity Education and Research Centre
 
PDF
Penetration testing web application web application (in) security
byNahidul Kibria
 
PPTX
Web Application Penetration Testing Introduction
bygbud7
 
PPT
Owasp Top 10 - Owasp Pune Chapter - January 2008
byabhijitapatil
 
PPTX
Web application Security tools
byNico Penaredondo
 
PPTX
Owasp top 10 security threats
byVishal Kumar
 
PPTX
2 . web app s canners
byRashid Khatmey
 
PPTX
4 . future uni presentation
byRashid Khatmey
 
Web Application Security 101
byCybersecurity Education and Research Centre
 
Penetration testing web application web application (in) security
byNahidul Kibria
 
Web Application Penetration Testing Introduction
bygbud7
 
Owasp Top 10 - Owasp Pune Chapter - January 2008
byabhijitapatil
 
Web application Security tools
byNico Penaredondo
 
Owasp top 10 security threats
byVishal Kumar
 
2 . web app s canners
byRashid Khatmey
 
4 . future uni presentation
byRashid Khatmey
 

What's hot

PPT
Top 10 Web Security Vulnerabilities (OWASP Top 10)
byBrian Huff
 
PPTX
Application Security Vulnerabilities: OWASP Top 10 -2007
byVaibhav Gupta
 
PDF
Web Application Security with PHP
byjikbal
 
PDF
Web App Security Presentation by Ryan Holland - 05-31-2017
byTriNimbus
 
PPTX
Security hole #5 application security science or quality assurance
byTjylen Veselyj
 
PPT
Using Proxies To Secure Applications And More
byJosh Sokol
 
PPTX
Analysis of web application penetration testing
byEngr Md Yusuf Miah
 
PDF
Top 10 Web Application vulnerabilities
byTerrance Medina
 
PPT
Intro to Web Application Security
byRob Ragan
 
PDF
How to find Zero day vulnerabilities
byMohammed A. Imran
 
PDF
Owasp top 10 web application security hazards - Part 1
byAbhinav Sejpal
 
PDF
A5-Security misconfiguration-OWASP 2013
bySorina Chirilă
 
PPTX
Web application security
byKapil Sharma
 
PDF
Web Application Security and Awareness
byAbdul Rahman Sherzad
 
PPTX
Web application security: Threats & Countermeasures
byAung Thu Rha Hein
 
PPTX
Rapid Android Application Security Testing
byNutan Kumar Panda
 
PPTX
Cyber ppt
bykarthik menon
 
PDF
Owasp top 10 web application security hazards part 2
byAbhinav Sejpal
 
PDF
Daniel billing exploring the security testers toolbox
byRomania Testing
 
PPTX
Introduction to security testing
byNagasahas DS
 
Top 10 Web Security Vulnerabilities (OWASP Top 10)
byBrian Huff
 
Application Security Vulnerabilities: OWASP Top 10 -2007
byVaibhav Gupta
 
Web Application Security with PHP
byjikbal
 
Web App Security Presentation by Ryan Holland - 05-31-2017
byTriNimbus
 
Security hole #5 application security science or quality assurance
byTjylen Veselyj
 
Using Proxies To Secure Applications And More
byJosh Sokol
 
Analysis of web application penetration testing
byEngr Md Yusuf Miah
 
Top 10 Web Application vulnerabilities
byTerrance Medina
 
Intro to Web Application Security
byRob Ragan
 
How to find Zero day vulnerabilities
byMohammed A. Imran
 
Owasp top 10 web application security hazards - Part 1
byAbhinav Sejpal
 
A5-Security misconfiguration-OWASP 2013
bySorina Chirilă
 
Web application security
byKapil Sharma
 
Web Application Security and Awareness
byAbdul Rahman Sherzad
 
Web application security: Threats & Countermeasures
byAung Thu Rha Hein
 
Rapid Android Application Security Testing
byNutan Kumar Panda
 
Cyber ppt
bykarthik menon
 
Owasp top 10 web application security hazards part 2
byAbhinav Sejpal
 
Daniel billing exploring the security testers toolbox
byRomania Testing
 
Introduction to security testing
byNagasahas DS
 

Viewers also liked

PPTX
1 keynote asim jaweesh
byRashid Khatmey
 
PDF
All about INCOTERMS latest revision
byMihai Guta
 
PDF
Palatul mogosoaia ghid copii
bymonicalia
 
PDF
147972488 corina-cace-psihologia-educatiei
bymonicalia
 
PPT
Synch
byMohannad Shishani
 
PDF
Clubul matematcienilor v 1 p04
bymonicalia
 
PDF
Clubul matematcienilor v 1 p01
bymonicalia
 
PDF
Clubul matematcienilor v 1 p02
bymonicalia
 
PDF
Clubul matematcienilor v 1 p03
bymonicalia
 
PDF
Arhimede v curs 1 22 scan
bymonicalia
 
PPT
Amistad2012
byMaria Jose Aguirre
 
PPT
Amistad2012
byMaria Jose Aguirre
 
PPT
amistad 1° bachillerato "C"
byMaria Jose Aguirre
 
PPT
Amistad2012
byMaria Jose Aguirre
 
PDF
16. art. vasilos v. dreptul natural )partea i
bymonicalia
 
PDF
Neamul romanesc-omenia (1)
bymonicalia
 
1 keynote asim jaweesh
byRashid Khatmey
 
All about INCOTERMS latest revision
byMihai Guta
 
Palatul mogosoaia ghid copii
bymonicalia
 
147972488 corina-cace-psihologia-educatiei
bymonicalia
 
Synch
byMohannad Shishani
 
Clubul matematcienilor v 1 p04
bymonicalia
 
Clubul matematcienilor v 1 p01
bymonicalia
 
Clubul matematcienilor v 1 p02
bymonicalia
 
Clubul matematcienilor v 1 p03
bymonicalia
 
Arhimede v curs 1 22 scan
bymonicalia
 
Amistad2012
byMaria Jose Aguirre
 
Amistad2012
byMaria Jose Aguirre
 
amistad 1° bachillerato "C"
byMaria Jose Aguirre
 
Amistad2012
byMaria Jose Aguirre
 
16. art. vasilos v. dreptul natural )partea i
bymonicalia
 
Neamul romanesc-omenia (1)
bymonicalia
 

Similar to 3. backup file artifacts - mazin ahmed

PDF
Lares from LOW to PWNED
byChris Gates
 
PPTX
Java Web Security Class
byRich Helton
 
PPTX
Detection of webshells in compromised perimeter assets using ML algorithms
byRod Soto
 
PPTX
Exploitation techniques and fuzzing
byPrachi Gulihar
 
PPTX
The Hacking Game - Think Like a Hacker Meetup 12072023.pptx
bylior mazor
 
PPTX
Finalppt metasploit
bydevilback
 
PPT
shostack-blackhat-991.ppt YUGUUYGYGUUYUHJ
byAbodahab
 
ODP
Ripping web accessible .git files
byVlatko Kosturjak
 
PDF
Hack Attack! An Introduction to Penetration Testing
bySteve Phillips
 
PPTX
Buffer overflow attacks
byJoe McCarthy
 
PPTX
Backup-File Artifacts - OWASP Khartoum InfoSec Sessions 2016 - Mazin Ahmed
byMazin Ahmed
 
PPTX
Reversing Microsoft patches to reveal vulnerable code
byHarsimran Walia
 
PPTX
DevSecCon London 2017: when good containers go bad by Tim Mackey
byDevSecCon
 
PPTX
Devoops: DoJ Annual Cybersecurity Training Symposium Edition 2015
byChris Gates
 
PDF
LasCon 2014 DevOoops
byChris Gates
 
PDF
Software Security Engineering (Learnings from the past to fix the future) - B...
byDebasisMohanty43
 
PPTX
BSides_Charm2015_Info sec hunters_gathers
byAndrew McNicol
 
PDF
Apt presso good to learn
byFajar Isnanto
 
ODP
Wonderful world of (distributed) SCM or VCS
byVlatko Kosturjak
 
PDF
[PH-Neutral 0x7db] Exploit Next Generation®
byNelson Brito
 
Lares from LOW to PWNED
byChris Gates
 
Java Web Security Class
byRich Helton
 
Detection of webshells in compromised perimeter assets using ML algorithms
byRod Soto
 
Exploitation techniques and fuzzing
byPrachi Gulihar
 
The Hacking Game - Think Like a Hacker Meetup 12072023.pptx
bylior mazor
 
Finalppt metasploit
bydevilback
 
shostack-blackhat-991.ppt YUGUUYGYGUUYUHJ
byAbodahab
 
Ripping web accessible .git files
byVlatko Kosturjak
 
Hack Attack! An Introduction to Penetration Testing
bySteve Phillips
 
Buffer overflow attacks
byJoe McCarthy
 
Backup-File Artifacts - OWASP Khartoum InfoSec Sessions 2016 - Mazin Ahmed
byMazin Ahmed
 
Reversing Microsoft patches to reveal vulnerable code
byHarsimran Walia
 
DevSecCon London 2017: when good containers go bad by Tim Mackey
byDevSecCon
 
Devoops: DoJ Annual Cybersecurity Training Symposium Edition 2015
byChris Gates
 
LasCon 2014 DevOoops
byChris Gates
 
Software Security Engineering (Learnings from the past to fix the future) - B...
byDebasisMohanty43
 
BSides_Charm2015_Info sec hunters_gathers
byAndrew McNicol
 
Apt presso good to learn
byFajar Isnanto
 
Wonderful world of (distributed) SCM or VCS
byVlatko Kosturjak
 
[PH-Neutral 0x7db] Exploit Next Generation®
byNelson Brito
 

Recently uploaded

PDF
Day 3 - Data and Application Security - 2nd Sight Lab Cloud Security Class
by2nd Sight Lab
 
PDF
Vibe Coding vs. Spec-Driven Development [Free Meetup]
byHaim Michael
 
DOCX
iRobot Post‑Mortem and Alternative Paths - Discussion Document for Boards and...
byDave Litwiller
 
PPTX
Conversational Agents – Building Intelligent Assistants [Virtual Hands-on Wor...
byUiPathCommunity
 
PPTX
Cloud-and-AI-Platform-FY26-Partner-Playbook.pptx
byiuiuiuiu1
 
PPTX
Coded Agents – with UiPath SDK + LangGraph [Virtual Hands-on Workshop]
byUiPathCommunity
 
PPT
software-security-intro in information security.ppt
byismaeelsahib032
 
PDF
Day 5 - Red Team + Blue Team in the Cloud - 2nd Sight Lab Cloud Security Class
by2nd Sight Lab
 
PDF
Unser Jahresrückblick – MarvelClient in 2025
bypanagenda
 
PDF
API-First Architecture in Financial Systems
bycyy111112
 
PPTX
DYNAMICALLY.pptx good for the teachers or students to do seminars and for tea...
bympoorvika031
 
PDF
Usage Control for Process Discovery through a Trusted Execution Environment
byValerioGoretti
 
PDF
Cybersecurity: Safeguarding Digital Assets
byYasir Naveed Riaz
 
PDF
Access Control 2025: From Security Silo to Software-Defined Ecosystem
byMemoori
 
PPTX
THIS IS CYBER SECURITY NOTES USED IN CLASS ON VARIOUS TOPICS USED IN CYBERSEC...
byMelissaGblinwon
 
PDF
GPUS and How to Program Them by Manya Bansal
byScyllaDB
 
PDF
The major tech developments for 2026 by Pluralsight, a research and training ...
byChris Skinner
 
PPTX
AI in Cybersecurity: Digital Defense by Yasir Naveed Riaz
byYasir Naveed Riaz
 
PPTX
Cybercrime in the Digital Age: Risks, Impact & Protection
byYasir Naveed Riaz
 
PPTX
cybercrime in Information security .pptx
byismaeelsahib032
 
Day 3 - Data and Application Security - 2nd Sight Lab Cloud Security Class
by2nd Sight Lab
 
Vibe Coding vs. Spec-Driven Development [Free Meetup]
byHaim Michael
 
iRobot Post‑Mortem and Alternative Paths - Discussion Document for Boards and...
byDave Litwiller
 
Conversational Agents – Building Intelligent Assistants [Virtual Hands-on Wor...
byUiPathCommunity
 
Cloud-and-AI-Platform-FY26-Partner-Playbook.pptx
byiuiuiuiu1
 
Coded Agents – with UiPath SDK + LangGraph [Virtual Hands-on Workshop]
byUiPathCommunity
 
software-security-intro in information security.ppt
byismaeelsahib032
 
Day 5 - Red Team + Blue Team in the Cloud - 2nd Sight Lab Cloud Security Class
by2nd Sight Lab
 
Unser Jahresrückblick – MarvelClient in 2025
bypanagenda
 
API-First Architecture in Financial Systems
bycyy111112
 
DYNAMICALLY.pptx good for the teachers or students to do seminars and for tea...
bympoorvika031
 
Usage Control for Process Discovery through a Trusted Execution Environment
byValerioGoretti
 
Cybersecurity: Safeguarding Digital Assets
byYasir Naveed Riaz
 
Access Control 2025: From Security Silo to Software-Defined Ecosystem
byMemoori
 
THIS IS CYBER SECURITY NOTES USED IN CLASS ON VARIOUS TOPICS USED IN CYBERSEC...
byMelissaGblinwon
 
GPUS and How to Program Them by Manya Bansal
byScyllaDB
 
The major tech developments for 2026 by Pluralsight, a research and training ...
byChris Skinner
 
AI in Cybersecurity: Digital Defense by Yasir Naveed Riaz
byYasir Naveed Riaz
 
Cybercrime in the Digital Age: Risks, Impact & Protection
byYasir Naveed Riaz
 
cybercrime in Information security .pptx
byismaeelsahib032
 

3. backup file artifacts - mazin ahmed

  • 1.
    Backup File Artifacts TheUnderrated Web Danger TESTING AND EXPLOITING BFA WITH BFAC By: Mazin Ahmed @mazen160 mazin AT mazinahmed DOT net
  • 2.
    WHO AM I? Mazin Ahmed • Freelancing Security Researcher at Bugcrowd, Inc. • Security Contributor at ProtonMail • Freelancing Information Security Specialist • You can read more at https://mazinahmed.net/
  • 3.
    WHO AM I? And I have contributed to the security of the following:
  • 4.
    Table of Contents Introduction  How BFA Occurs?  Background  Previous Researches  Wrapping Ideas Together  The Problem  BFA Findings in Real-World.  Introducing BFAC  Using BFAC  Mitigations  Questions
  • 5.
  • 6.
    Background Code Editors  Codeeditors makes a backup copy of the files that being edited.  Mostly, it's being done in the same directory of the file.  It's made using the same filename.  It uses predictable patterns.
  • 7.
    Background Code Editors Product NameBackup Pattern (Assuming the filename is config.php) Emacs #config.php# Nano config.php.save Vim (swap file) config.php.swp Vim (swap file) config.php.swo Vim, Gedit config.php~
  • 8.
    Background Code Editors The Problem Developers mostly forgets to check for Backup File Artifacts caused by code editors, and underestimate the impact of leaving similar artifacts.  This would lead to the disclosure of the source code of the script that has been edited.
  • 9.
    Background Version Control Systems Version Control Systems (VCS) are systems made to manage changes on files, documents, computer programs, code, websites, etc…  All Version Control Systems has a directory by design that contains data and/or source-code.  The directory is made to have a backup of files, and to control the changes on the files within the project.  By design, we already know directories names, the important files, and the directories' structure of source-code version controller systems.
  • 10.
    Background Version Control Systems VersionControl System Pre-known Files and Directories GIT /.git (Default Directory) GIT /.gitignore GIT /.git/index GIT /.git/HEAD GIT /.git/refs Mercurial /.hg (Default Directory) Mercurial /.hg/requires Bazaar /.bzr/ (Default Directory) Bazaar /.bzr/README Subversion /.svn (Default Directory) Subversion /.svn/entries Subversion /.svnignore
  • 11.
    Background Version Control Systems TheProblem  Companies and developers in many occasions clone or download the repository into production, and FORGETS TO DELETE THE VCS DIRECTORIES.  This would lead to the disclosure of the source code of the company's application.
  • 12.
     The worstpart: many websites don't disable directory listing, which makes exploiting that like a piece of cake. Profit?  downloading the VCS directory would be as simple as: $ wget --mirror -np –I /[path_to_vcs_dir] http://example.com/[path_to_vcs_dir] Background Version Control Systems The Problem
  • 13.
     In casethe website disables directory listing, exploitation is still possible. Background Version Control Systems The Problem
  • 14.
     Exploitation ofMissed VCS Folders on Web-Apps When Directory Listing is Disabled:-  Simply: Brute-Forcing the VCS structure. Background Version Control Systems The Problem
  • 15.
     Exploitation ofMissed VCS Folders on Web-Apps When Directory Listing is Disabled:-  There are tools that can do that too:  GIT-Tools by Internetwache: A collection of scripts that can be used to retrieved GIT repositories from the web-app, even if directory listing is disabled. Written in Bash and Python.  DVCS-Ripper by @kost: A tool that can perform recover different repositories even if directory listing is disabled. Written in Perl.  DVCS-Pillage by Adam Baldwin: A tool that extracts and retrieves different DVCS repositories. Background Version Control Systems The Problem
  • 16.
    Background Human-Based Missed BackupFile Artifacts  Developers usually do a backup before attempting to edit files.  Example:- Editing index.php  Before editing, many developers do the following: $cp index.php index.php.bak
  • 17.
     Developers inmany cases forgets to remove the backup file.  It may even be left on production. Background Human-Based Missed Backup File Artifacts The Problem
  • 18.
    Impact  An unauthorizedattacker can brute-forces through different patterns of human-based backing up, and check if the file exists and accessible to the public.  If succeeded, the unauthorized attacker would be able to view the source- code of the script (Source-Code Disclosure). Background Human-Based Missed Backup File Artifacts The Problem
  • 19.
    Previous Researches Pillaging DVCSRepos For Fun And Profit - Defcon 19 - Adam Baldwin – 2011  The talk discusses different leakage of Distributed Version Control Systems, and how it can leak the website’s source-code and data if it’s incorrectly accessible by unauthorized users.  A test on Alexa top 1M was done and showed that roughly 2,000 websites were vulnerable.  A tool called DVCS-Pillage was released that helps retrieving repositories from websites that exposes them.
  • 20.
    1% of CMS-PoweredSites Expose Their Database Passwords - Feross Aboukhadijeh – 2011  A research that shows how can human-based backup artifacts and backup artifacts made by code-editors leaks sensitive data on popular CMSs.  Also, tested Alexa top 200,000 websites for basic BFAs on CMSs configuration files.  Results showed a large number of high-profile websites had BFA left on production.  Wrote a tool that can detect basic BFAs for CMSs configuration files. Previous Researches
  • 21.
    Don't publicly expose.git or how we downloaded your website's sourcecode – Internetwache - 2015  A research done by Internetwache on GIT VCS, and how it can leak web- applications' source-code and data.  Demonstrated different techniques for real-world exploitation of missed GIT repositories on production.  Tested Alexa top 1M websites for web-applications that left GIT repositories on production.  Published a set of scripts to automatically tries to retrieve files from GIT repositories. Previous Researches
  • 22.
     Backup-File Artifactsare caused by different ways, mostly, it’s the admin/developer mistake to allow it accessible.  Exploitation of Human-Based BFA and BFAs that is caused by code-editors can be done as the following: Example:- Saying that index.php.bak is discovered. Wrapping Ideas Together
  • 23.
     Having themeta directory of Control Version Systems accessible also leads to source-code and data disclosure. Wrapping Ideas Together
  • 24.
    Wrapping Ideas Together Source-Codeand Data Disclosure Human-Based Backup File Artifacts Backup File Artifacts Caused by Code Editors Version Controlling System Meta Directories Backup File Artifacts
  • 25.
     Most Open-Sourceand Commercial Web Vulnerability Scanners DO NOT PERFORM TESTING FOR BACKUP FILE ARTIFACTS.  Examples of Tested Open-Source Scanners That Do Not Perform BFA Checks:- • OWASP ZAP 2.4 • Vega • W3AF – There are partial plugins that does basic testing, but it’s disabled by default. • Nikto 2.4.6 The Problem
  • 26.
     There arevery few current Scanners that performs Backup Artifacts. Testing. However, those rare scanners only test the very basic pattern of BFA.  Many Important patterns testing are MISSED! The Problem
  • 27.
    BFA Findings inReal-World Paypal BFA That Lead to RCE - Ebraheem Hegazy  Ebraheem found a script called upload.php on a Paypal-owned server.  wrote script to test for BFA, and to check if the script exist on other subdomains.  Found a BFA for upload.php, and transformed the Blackbox testing to whitebox testing.  After source-code reviewing it, he found a bug that leads to RCE. Profit: Got an RCE exploit on a Paypal server. Paypal fixed the issue, and he was awarded a nice bounty.
  • 28.
    BFA Findings inReal-World ISC.org BFA that Disclosed Database Credentials - Feross Aboukhadijeh  During Feross’s research, he tested ISC.org for BFA on Wordpress configuration files, wp-config.php.  He found a BFA left on the main production site of ISC.org, containing database credentials. Profit: The researcher had potentially valid credentials to ISC.org (“potentially” is said, as the researcher stated that he didn’t use it gain unauthorized access). Feross reported it to ISC.org, and they have fixed it.
  • 29.
    BFA Findings inReal-World A Collection of BFAs - Mazin Ahmed  Used BFAC to discover a number of BFA issues on web-applications, mostly for confidential clients.  BFA Findings Leads To: • Credentials leakage. • Turning testing to whitebox. • Finding additional security vulnerabilities. • RCE. • SQLI. • XSS. • Even more BFA issues. • etc...
  • 31.
     About theProject:  BFAC (Backup-File Artifacts Checker) is an automated tool that checks for backup artifacts that may discloses the web-application's source code.  BFAC goal is to be an all-in-one tool for backup-file artifacts black-box testing.
  • 32.
    Introducing BFAC  Aboutthe Project:  Code Specifications:-  Written in pure Python.  Compatible with both Python2.x and Python3.x.  Cross-Platform: Works on Linux, Windows, Mac, Android, and IOS.  Requires a slight amount of resources/modules.  API friendly.  Released under GNU GPLv3.0 License.
  • 33.
    Introducing BFAC  Aboutthe Project:  Features:-  Testing all common types of backup-file artifacts patterns, including human-based BFAs, and BFA that can occur via code-editors.  Includes tests for common VCS artifacts, such as GIT, Subversion, Mercurial, and Bazaar.  Smart detection techniques: Capable of detecting "Not Found", and valid pages using different tests.  Stealthy Interaction with Web Servers.  Easy to edit and customize based on needs; easy to add custom BFA patterns.  Dynamic and generic; made to be not specified to test a specific environment or server.
  • 34.
    Introducing BFAC  Aboutthe Project:  Features:-  Testing all common types of backup-file artifacts patterns, including human-based BFAs, and BFA that can occur via code-editors.  Includes tests for common CVS artifacts, such as GIT, Subversion, Mercurial, and Bazaar.  Smart detection techniques: Capable of detecting "Not Found", and valid pages using different tests.  Stealthy Interaction with Web Servers.  Easy to edit and customize based on needs; easy to add custom BFA patterns.  Dynamic and generic; made to be not specified to test a specific environment or server.
  • 35.
  • 36.
    Downloading and InstallingBFAC  Cloning BFAC $ git clone https://github.com/mazen160/bfac.git  Installing BFAC ( for *NIX machines) As simple as: $ python install.py confirm
  • 37.
    Using BFAC  Performsbasic tests on the link, showing all attempts, and using random user-agents on each request. $ bfac --url 'http://example.com/test.php' --verbose --random-agent  Ignore 500 and 503 HTTP response codes when is detected as findings. $ bfac --url 'http://example.com/test.php' --verbose --exclude- status-codes 500,503
  • 38.
    Using BFAC  Defaultoption to confirm the existence of the BFA is set to check both of the HTTP Status Codes and the Content Length (set to “both”).  Rely only on HTTP Status Codes for confirming the existence of the BFA. $ bfac --url 'http://example.com/test.php' --verbose --verify-file- availability status_code  Rely only on Content Length measures in order to confirm the existence of the BFA. $ bfac --url 'http://example.com/test.php' --verbose --verify-file- availability content_length
  • 39.
    Using BFAC  PerformBFA testing for all current testing levels (Level 4 includes tests from all below levels). $ bfac --url 'http://example.com/test.php' --verbose --level 4  Print a clean output with only findings, separated by newlines. Suitable for APIs and integration with other tools. $ bfac --url 'http://example.com/test.php' --no-text --level 4
  • 40.
    Mitigation Developer-Level:-  Awareness  Probablythe only reliable solution.  Developers' behavior regarding actions on production-level and publicly accessible applications are the main reason for this vulnerability type to occur. Software-Level:-  Access rules seems to be useful in blocking some of the patterns. However, it does not protect as needed.
  • 41.
    Questions? Mazin Ahmed Twitter: @mazen160 Email:mazin AT mazinahmed DOT net Website: https://mazinahmed.net LinkedIn: https://linkedin.com/in/infosecmazinahmed