Application Security - Science or Quality Assurance?




Nazar Tymoshyk Ph.D, Security Consultant, R&D at SoftServe
Famous Security Professionals

Richard Stallman, Linus Torvalds, Tsutomu Shimomura, Robert Morris, Stephen Wozniak
Famous “Security Professionals”

Adrian Lamo, Kevin Mitnick, Kevin Poulsen, Gary McKinnon, Jonathan James
What about famous QA professionals?
So you know where to move ;)


Security is also a metric of Software Quality

“The simple truth is that catching security holes earlier costs an organization less to remediate, which makes good business sense.”
QA Engineer vs. Security Analyst

QA Engineer: In functional and performance testing, the expected results are documented before the test begins, and the quality assurance team looks at how well the expected results match the actual results.

Security Analyst: In security testing, the quality assurance team is concerned only with unexpected results and testing for the unknown.
Weapon

Passion, Persistence, Research
Tools, Guides, Checklists
Collaboration and Team work

“IT security and quality assurance working together are exponentially more powerful. The result will be a more security-oriented QA department and a more quality-oriented IT security department, which will help remove more risk and provide better continuity.”
OWASP

SAMM, WAF, Development guide, Testing guide, ASVS
Microsoft approach
Testing security with Tools

Core Impact, Acunetix WVS, HP WebInspect, IBM Rational AppScan
Burp, w3af, OWASP ZAP, OWASP Mantra
DEMO

Let’s test a small web-site with commercial and free tools.

Applying a Science approach

Get tools from: http://goo.gl/eHl2u

Targets:
http://192.168.195.34
http://192.168.195.80
Smashing the app

Remote code execution – one of the most dangerous vulnerabilities in web-apps.

How to achieve the goal:
•   Upload scripts to the server
•   Remote File Inclusion (RFI)
•   Local File Inclusion (LFI)
Unrestricted file upload

File upload vulnerability – allows a remote attacker to upload files/scripts to the server with special content or an arbitrary extension. This vulnerability exists because of incorrect file extension validation.

Incorrect methods of uploaded file extension validation:
•   Validating the MIME type of the uploaded file instead of validating the file extension
•   Black-list extension validation
•   Other errors…

Insecure web-server/application-server configuration also plays an important role.
Upload your shell

Changing MIME type

Validation sample:

    <?php
    $imageTypes = array("image/gif", "image/jpg", "image/png");

    if (isset($_FILES["image"])) {
        // "type" is whatever the client sent in the multipart request
        if (!in_array($_FILES["image"]["type"], $imageTypes)) {
            die("Hacking Attempt!");
        }
        copy($_FILES["image"]["tmp_name"], "images/{$_FILES["image"]["name"]}");
    }
    ?>

Problem: it’s easy to change the type of the file, as it is set by the browser in the HTTP request. And every variable that is set by the browser can easily be changed by the user.
Content validation

Black list: wrong way

    <?php
    if (isset($_FILES["image"])) {
        // Black list: rejects only the listed extensions, everything else passes
        if (preg_match('#.((php)|(php3)|(php4)|(php5))$#i', $_FILES["image"]["name"])) {
            die("Hacking Attempt!");
        }
        copy($_FILES["image"]["tmp_name"], "images/{$_FILES["image"]["name"]}");
    }
    ?>
Regular expressions

    <?php
    if (isset($_FILES["image"])) {
        // No end anchor: ".jpg" may appear anywhere in the name
        if (preg_match('#.jpg#i', $_FILES["image"]["name"])) {
            copy($_FILES["image"]["tmp_name"], "images/{$_FILES["image"]["name"]}");
        }
    }
    ?>

In this sample the name of the uploaded file is checked for the string .jpg. But the regular expression does not work as intended, because the control symbol $, which indicates the end of the line, is missing.

As a result the file shell.jpg.php will be uploaded successfully.
Right way: white list validation

    <?php
    if (isset($_FILES["image"])) {
        // White list: only letters, digits, "-" and "_", then exactly one allowed extension
        if (preg_match('#^[a-z0-9_-]+\.((jpg)|(png)|(bmp))$#i', $_FILES["image"]["name"])) {
            move_uploaded_file($_FILES["image"]["tmp_name"], "images/{$_FILES["image"]["name"]}");
        }
    }
    ?>
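As an added example (not code from the slides), here is a hardened form of the white-list handler that also addresses the MIME-type and black-list slides: the whole file name is matched against an anchored white list with the dot escaped and the D modifier set, the content is checked server-side with finfo instead of the browser-sent type, and the stored name is chosen by the server. UPLOAD_DIR, ALLOWED_EXT and the function names are assumptions.

```php
<?php
// Added example, not from the slides. Hypothetical names: UPLOAD_DIR,
// ALLOWED_EXT, is_safe_upload_name(), has_expected_content(), handle_image_upload().
declare(strict_types=1);

const UPLOAD_DIR  = __DIR__ . '/images';                       // assumed storage dir
const ALLOWED_EXT = ['jpg' => 'image/jpeg', 'png' => 'image/png', 'gif' => 'image/gif'];

// White-list check on the whole name. Compared with the slide's regex: the dot is
// escaped, the hyphen is last in the class, exactly one extension is allowed, and
// the D modifier stops "$" from matching before a trailing newline ("x.jpg\n").
// Returns the lowercase extension, or null when the name is rejected.
function is_safe_upload_name(string $name): ?string
{
    if (!preg_match('#^[a-z0-9_-]{1,64}\.(jpg|png|gif)$#iD', $name, $m)) {
        return null;
    }
    return strtolower($m[1]);
}

// Content check that ignores the browser-supplied $_FILES[...]["type"]:
// finfo inspects the magic bytes of the temporary file on the server.
function has_expected_content(string $tmpPath, string $ext): bool
{
    return (new finfo(FILEINFO_MIME_TYPE))->file($tmpPath) === ALLOWED_EXT[$ext];
}

// Returns the stored path; throws when the upload is rejected.
function handle_image_upload(array $file): string
{
    if (($file['error'] ?? UPLOAD_ERR_NO_FILE) !== UPLOAD_ERR_OK) {
        throw new RuntimeException('Upload failed');
    }
    $ext = is_safe_upload_name($file['name']);
    if ($ext === null || !has_expected_content($file['tmp_name'], $ext)) {
        throw new RuntimeException('Rejected upload');
    }
    // Server-chosen file name: the user-controlled name never reaches the disk.
    $dest = UPLOAD_DIR . '/' . bin2hex(random_bytes(16)) . '.' . $ext;
    if (!move_uploaded_file($file['tmp_name'], $dest)) {
        throw new RuntimeException('Could not store upload');
    }
    return $dest;
}
// Constructed names (no HTTP request needed) to show the name check alone:
// photo.jpg -> jpg; shell.jpg.php, shell.php, "a b.png" and "x.jpg\n" -> rejected.
foreach (['photo.jpg', 'shell.jpg.php', 'shell.php', 'a b.png', "x.jpg\n"] as $n) {
    printf("%-16s %s\n", json_encode($n), is_safe_upload_name($n) ?? 'rejected');
}
```

In a request handler, call handle_image_upload($_FILES["image"]) inside the isset() check from the slide and return the path it gives back.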
Local File Inclusion

Local File Inclusion – allows including local files on the remote server and executing arbitrary code.

Reason: incorrect validation of the linked file, vulnerable server configuration.

Successful LFI exploitation has three main tasks:
•   Removing the postfix
•   Directory Traversal
•   Searching for files for code injection
Directory Traversal

Filtration can prevent Directory Traversal. Very often developers apply filtration of ../ :

    <?php include(str_replace("../", "", $_GET["page"]).".inc"); ?>

    ../../../etc/passwd --> Filtration --> etc/passwd --> fail

But such filtration is not enough – it’s not recursive:

    ..././..././..././etc/passwd --> Filtration --> ../../../etc/passwd --> profit
Secure Validation

Secure Validation – validation of the filename for service symbols:

    <?php
    // Reject any character outside the allowed set (letters, digits, "-" and "_")
    if (preg_match('#[^a-z0-9_-]#i', $page)) {
        die("Hacking Attempt!");
    }
    include("{$page}.inc");
    ?>

In this sample, if we try to include a file whose name contains symbols other than A-Z, a-z, 0-9 and the symbols «-» and «_», execution of the PHP script is interrupted.
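The traversal slide and the secure validation slide side by side, as an added example that is not code from the presentation: the single-pass str_replace filter is run over the same inputs as the white-list rule, and a realpath containment test is added as a second layer before the include. PAGES_DIR and the function names are assumptions.

```php
<?php
// Added example, not from the slides. Hypothetical names: PAGES_DIR,
// naive_filter(), is_safe_page_name(), resolve_page().
declare(strict_types=1);
const PAGES_DIR = __DIR__ . '/pages';   // assumed directory holding the *.inc files

// The filter from the slide: one pass of str_replace, so "..././" collapses
// back into "../" once the inner "../" has been removed.
function naive_filter(string $page): string
{
    return str_replace('../', '', $page);
}
// The slide's white-list rule as a positive match on the whole value (letters,
// digits, "-" and "_" only); D keeps "$" from ignoring a trailing newline.
function is_safe_page_name(string $page): bool
{
    return preg_match('#^[a-z0-9_-]{1,32}$#iD', $page) === 1;
}

// Returns the absolute *.inc path to include, or null when the request is rejected.
// realpath resolves symlinks and "..", so nothing outside PAGES_DIR can be included
// even if the name rule is relaxed later.
function resolve_page(string $page): ?string
{
    if (!is_safe_page_name($page)) {
        return null;
    }
    $base = realpath(PAGES_DIR);
    $real = realpath(PAGES_DIR . '/' . $page . '.inc');
    if ($base === false || $real === false || strpos($real, $base . DIRECTORY_SEPARATOR) !== 0) {
        return null;
    }
    return $real;
}
// Constructed inputs; the third is the bypass shown on the slide.
foreach (['about', '../../../etc/passwd', '..././..././..././etc/passwd', "about\n"] as $p) {
    printf("%-34s naive filter -> %-24s white list -> %s\n",
        json_encode($p), json_encode(naive_filter($p)),
        is_safe_page_name($p) ? 'accepted' : 'rejected');
}

// Request handling (web SAPI only): reject early, then include the resolved path.
if (PHP_SAPI !== 'cli') {
    $target = resolve_page($_GET['page'] ?? '');
    if ($target === null) {
        http_response_code(400);
        exit('Bad page');
    }
    include $target;
}
```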
So, how to become a Security Analyst

•   Use OWASP
•   Do research
•   Ask and share
•   Participate in the community
•   Samurai WTF
•   Talk at Security Hole
Feedbacks & Questions

Contact Nazar:
skype: root_nt
email: root.nt@gmail.com

Presentation & Files: http://goo.gl/eHl2u

Leave your Feedback: http://goo.gl/FW4ar
Join OWASP Lviv: https://www.owasp.org/index.php/Lviv

Security hole #5 application security science or quality assurance


Editor's Notes

  • #4 He is also called “Woz” or “Steve from Apple” (after all, Wozniak together with Jobs founded Apple Computer). Woz started hacking by building blue boxes, which let users bypass the switching mechanisms in telephone lines in order to make long-distance calls for free. Jobs and Woz sold these blue boxes to fellow students and even used one of them themselves to call the Pope, pretending to be Henry Kissinger (the US Secretary of State). Tsutomu Shimomura deliberately opened his computer to a second attack in order to track down Mitnick. Soon after discovering the intrusion he assembled a team and continued the work of catching
  • #5 Adrian Lamo is known for breaking into Yahoo, Citigroup, Bank of America and Cingular. Jonathan James, an American hacker, became the first minor convicted of hacking. Kevin Poulsen broke into the FBI database and gained access to classified information concerning telephone wiretaps. Poulsen hid for a long time, changing addresses and even his appearance, but in the end he was caught and sentenced to 5 years. After leaving prison he worked as a journalist, then became editor-in-chief of Wired News. His most popular article describes the process of identifying 744 sex offenders by their MySpace profiles. Gary McKinnon is accused of breaking into 53 Pentagon and NASA computers in 2001-2002 in search of information about UFOs. James became the youngest hacker in history. At only 16 he was sent to prison for computer attacks on units of the US Department of Defense. Thanks to this break-in he gained access to user names and passwords, and was also able to read highly classified mail. Among his “victories” one should note the penetration of the NASA network (he managed to steal software worth more than $1.5 million). After the break-in was discovered, NASA had to shut the system down for inspection, which cost taxpayers $41,000. Now James, like many of his fellow “black hats”, has become a law-abiding citizen and plans to open a computer security company.
  • #20 There will always be a file extension that is not in the list.