A talk about application security, with a focus on information disclosure vulnerabilities. This includes verbose headers, verbose errors, and source code disclosures.
2. Ryan Kelso
www.hackerhalted.com 2
• Currently have the title of Application Security Engineer
• Still a developer at heart
• Been writing terrible, buggy code since I was 8
• Security+, Cybersecurity Analyst+, Insight AppSec Certified Specialist
• PWAPT, PBAT
• CFO/Treasurer of 10-Sec, Inc. (501c3)
• Co-Organizer of DC865
3. What is/isn’t this talk?
• Information disclosures are bad, mmkay?
• While low level/informational, “Knowledge is power”
• Not a step-by-step, super awesome hack-everything exploitation framework or similar
4. Banner Grabbing - Explained
• https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers
• http://www.iana.org/assignments/message-headers/message-headers.xhtml - IANA maintains a list of registered headers
• RFC 6648 deprecated the "X-" prefix convention: X- no longer means "experimental"
• Legacy examples: x-compress, x-gzip
• OWASP Top 10: Security Misconfiguration
6. Banner Grabbing – Red Team
• Vulnerable service enumeration made easy (Automate!)
• Makes it easy to find exploits while manual testing
• CVEDetails
• Exploit-DB (searchsploit searches an offline copy of it from the command line)
• 0-Days anyone?
7. Banner Grabbing – Blue Team
• Turn the headers off (Server, X-Powered-By, X-AspNet-Version and the like)!
• This doesn't stop service fingerprinting: header order, error pages and default content still give the stack away
• This is defense in depth, just one layer
• Not all services are fingerprinted, so for some of them the banner was the only version information on offer
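The banner-grabbing slides above (Explained, Red Team, Blue Team) come down to one check: which response headers carry a product and version, and what is left once you turn them off. The following is an added example, not code from the talk; the two HTTP responses are constructed, and the `DISCLOSURE_HEADERS` list and the `ServerTokens Prod` / `expose_php = Off` hardening it simulates are my assumptions about a typical Apache/PHP box.

```python
"""Added example: pull product/version banners out of HTTP response headers.

Constructed responses stand in for a real target; nothing here touches
the network. Header names below are the ones that commonly disclose the stack.
"""
import re
from typing import Dict, List, Tuple

# Response headers that routinely carry product or version banners (assumed list).
DISCLOSURE_HEADERS = {
    "server", "x-powered-by", "x-aspnet-version", "x-aspnetmvc-version", "x-generator",
}

# Matches product/version tokens such as "Apache/2.4.29" or "PHP/7.2.24".
PRODUCT_RE = re.compile(r"([A-Za-z][\w.-]*)/(\d[\w.-]*)")


def parse_headers(raw: str) -> Dict[str, str]:
    """Parse the header block of a raw HTTP/1.1 response; keys are lowercased."""
    head = raw.split("\r\n\r\n", 1)[0]
    headers: Dict[str, str] = {}
    for line in head.split("\r\n")[1:]:  # skip the status line
        if ":" in line:
            name, value = line.split(":", 1)
            headers[name.strip().lower()] = value.strip()
    return headers


def disclosed_headers(raw: str) -> Dict[str, str]:
    """Return only the headers that disclose something about the stack."""
    return {k: v for k, v in parse_headers(raw).items() if k in DISCLOSURE_HEADERS}


def extract_versions(raw: str) -> List[Tuple[str, str]]:
    """Return (product, version) pairs found in the disclosure headers, in header order."""
    found: List[Tuple[str, str]] = []
    for value in disclosed_headers(raw).values():
        found.extend(PRODUCT_RE.findall(value))
    return found


def search_terms(raw: str) -> List[str]:
    """Turn banners into the strings you would feed searchsploit or CVE Details."""
    return [f"{product} {version}" for product, version in extract_versions(raw)]


# Constructed response from an Apache/PHP box with default banners on.
VERBOSE_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Date: Mon, 01 Jan 2018 00:00:00 GMT\r\n"
    "Server: Apache/2.4.29 (Ubuntu) OpenSSL/1.1.1\r\n"
    "X-Powered-By: PHP/7.2.24\r\n"
    "Content-Type: text/html; charset=UTF-8\r\n"
    "\r\n"
    "<html><body>hello</body></html>"
)

# Constructed response from the same box after `ServerTokens Prod` and
# `expose_php = Off`: the versions are gone but the product name is still there.
HARDENED_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Date: Mon, 01 Jan 2018 00:00:00 GMT\r\n"
    "Server: Apache\r\n"
    "Content-Type: text/html; charset=UTF-8\r\n"
    "\r\n"
    "<html><body>hello</body></html>"
)

if __name__ == "__main__":
    print("verbose :", search_terms(VERBOSE_RESPONSE))
    print("hardened:", search_terms(HARDENED_RESPONSE), disclosed_headers(HARDENED_RESPONSE))
```

The hardened response is the "defense in depth, just one layer" point in code: `search_terms` has nothing to hand to searchsploit any more, but `disclosed_headers` still returns `Server: Apache`, and the rest of the fingerprint (header order, default error pages) is untouched.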
8. Verbose Errors - Explained
• Intended for debugging
• Default in tons of cases
• Often on in development and should be off in production
• OWASP Top 10 2017: Security Misconfiguration / Sensitive Data Exposure
13. Verbose Errors – Red Team
• Can leak credentials
• Makes manual SQLi a breeze in a lot of cases (error-based injection: the database error shows the query structure and tells you when a payload changed it)
• Can leak source
• Logic abuses
• Directory traversal
• Command injection
14. Verbose Errors – Blue Team
• Turn them off! Simple configuration change
• No reason to be on in production. Ever.
• Logs are your friend in production
• Configurable at the web server or application level (e.g. PHP display_errors = Off, ASP.NET <customErrors mode="RemoteOnly">, Django DEBUG = False)
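The Verbose Errors slides (Red Team and Blue Team) are one decision point in an error handler: does the traceback go to the client or to the log? The following is an added example, not code from the talk; the "database" is a constructed stand-in that raises the kind of error a real driver would, and the connection string and SQL in it are placeholders.

```python
"""Added example: the same failing request handled with verbose errors on and off.

Everything here is constructed: a fake database layer raises the kind of
error a real driver would, and the handler decides what the client sees.
"""
import traceback
import uuid
from dataclasses import dataclass
from typing import List

# Constructed connection string: exactly the kind of secret a debug page leaks.
DB_URL = "postgresql://app_user:S3cretPassw0rd@db.internal:5432/shop"


class FakeDbError(Exception):
    """Stands in for a database driver exception."""


def run_query(user_id: str) -> list:
    """Constructed data layer: string-built SQL, so a quote breaks the statement."""
    sql = f"SELECT * FROM orders WHERE user_id = '{user_id}'"
    if "'" in user_id:
        # Real drivers echo the failing statement; some frameworks add the connection too.
        raise FakeDbError(f"syntax error at or near \"'\"\nQUERY: {sql}\nCONNECTION: {DB_URL}")
    return []


@dataclass
class Response:
    status: int
    body: str


def handle_request(user_id: str, debug: bool, log: List[str]) -> Response:
    """Serve /orders?user_id=...; `log` collects what the server writes to its logs."""
    try:
        run_query(user_id)
        return Response(200, "[]")
    except Exception:
        tb = traceback.format_exc()
        if debug:
            # Development behaviour: the full traceback, including the failing SQL
            # and the connection string, is handed to whoever sent the request.
            return Response(500, tb)
        # Production behaviour: the traceback goes to the server log under a
        # correlation id, and the client gets only that id.
        error_id = uuid.uuid4().hex
        log.append(f"error_id={error_id}\n{tb}")
        return Response(500, f"Internal server error. Reference: {error_id}")


if __name__ == "__main__":
    payload = "1' OR '1'='1"
    print(handle_request(payload, debug=True, log=[]).body)
    server_log: List[str] = []
    print(handle_request(payload, debug=False, log=server_log).body)
    print("--- server log ---")
    print(server_log[0])
```

With `debug=True` a single quote in the parameter gets the attacker the query text, the database error and the credentials in one response, which is the "manual SQLi is a breeze" and "can leak credentials" points at once. With `debug=False` the same detail lands in the log keyed by a reference id the client can quote to support, which is what "logs are your friend in production" looks like in practice.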
15. Source Code Disclosure - Explained
• Finding repositories of code
• Content-type spoofing
• Tricking the web server
• OWASP Top 10 2017: Sensitive Data Exposure / Security Misconfiguration
18. Source Code Disclosure - Examples
• Shodan.io
• You can find SonarQube instances without authentication, allowing full access to source code. These aren't intended to be repositories of code, but they do serve the full source in order to show Code Quality and Code Vulnerability issues.
19. Source Code Disclosure – Red Team
• Credential theft
• Intellectual Property theft
• Find more vulnerabilities!
• Turn black box test into a ~white box test
• Run static analysis on the source! (If you didn't find it from a static analysis tool that already had the info!)
20. Source Code Disclosure – Blue Team
• Lock up your source!
• Strong authentication for all source
• Source, repository metadata (.git, .svn), backups and config files shouldn’t be reachable through your IIS/Apache/whatever routes
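The Source Code Disclosure slides ("tricking the web server" on the offensive side, "shouldn't be included in your routes" on the defensive side) are both about how a static-file route maps a URL onto the filesystem. The following is an added example, not code from the talk: a naive route next to a locked-down one, run against a constructed webroot in a temporary directory. The directory layout, the file names and the placeholder secrets in them are my assumptions; content-type spoofing is not covered here.

```python
"""Added example: a static-file route that hands out source, next to one that does not.

The webroot and its contents are constructed in a temporary directory so the
example runs offline; the secrets inside are placeholders.
"""
import os
import tempfile
from pathlib import Path, PurePosixPath
from typing import Tuple
from urllib.parse import unquote

# The only file types the hardened route is willing to serve (assumed allow-list).
SERVABLE_SUFFIXES = {".html", ".css", ".js", ".png"}


def build_site() -> str:
    """Constructed deployment: the repo, app code and config sit inside the webroot,
    and a deploy key sits one directory above it. Returns the webroot path."""
    base = tempfile.mkdtemp(prefix="site-")
    root = os.path.join(base, "public")
    files = {
        "index.html": "<h1>Hello</h1>",
        ".git/HEAD": "ref: refs/heads/master\n",
        ".git/config": '[remote "origin"]\n\turl = https://git.example.internal/shop.git\n',
        "app.py": "DB_PASSWORD = 'S3cretPassw0rd'  # constructed secret\n",
        ".env": "API_KEY=constructed-key\n",
    }
    for rel, content in files.items():
        path = Path(root, rel)
        path.parent.mkdir(parents=True, exist_ok=True)
        path.write_text(content)
    Path(base, "deploy.key").write_text("-----BEGIN CONSTRUCTED KEY-----\n")
    return root


def serve_naive(root: str, url_path: str) -> Tuple[int, str]:
    """Serve whatever the URL names: joins the decoded path straight onto the webroot."""
    target = os.path.join(root, unquote(url_path).lstrip("/"))
    try:
        with open(target) as fh:
            return 200, fh.read()
    except OSError:  # missing, a directory, or unreadable
        return 404, ""


def serve_hardened(root: str, url_path: str) -> Tuple[int, str]:
    """Serve only allow-listed static files that resolve inside the webroot.

    Dotfiles (.git, .env), '..' segments and source extensions are never routed,
    and every refusal is a 404 so the response does not confirm that a file exists.
    """
    parts = [p for p in PurePosixPath(unquote(url_path)).parts if p not in ("/", "")]
    if any(p == ".." or p.startswith(".") for p in parts):
        return 404, ""
    root_resolved = Path(root).resolve()
    target = Path(root_resolved, *parts).resolve()
    if root_resolved not in target.parents:
        return 404, ""
    if target.suffix not in SERVABLE_SUFFIXES or not target.is_file():
        return 404, ""
    return 200, target.read_text()


if __name__ == "__main__":
    webroot = build_site()
    for request in ["/index.html", "/.git/HEAD", "/app.py", "/.env", "/..%2Fdeploy.key"]:
        print(f"{request:22} naive={serve_naive(webroot, request)[0]} "
              f"hardened={serve_hardened(webroot, request)[0]}")
```

The naive route serves `.git/HEAD` (which confirms a checkout is there to be pulled), the application source with its password, and, via an encoded `../`, a key that is not even under the webroot. The hardened route refuses dotfile segments and traversal before touching the disk, resolves the path and checks it is still under the root, and then only serves an allow-listed extension; in a real deployment the same rules belong in the web server's route or location configuration, with the repository and application code kept outside the document root altogether.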