Application Security from the Inside - OWASP
1 like960 views
The document discusses strategies for enhancing application security, focusing on identifying and mitigating vulnerabilities such as SQL injection, cross-site scripting (XSS), and third-party component vulnerabilities. It emphasizes the importance of real-time monitoring, instrumentation, and leveraging debugging techniques to inspect and modify live applications. Additionally, it outlines methods for detecting these vulnerabilities and offers insights into the role of secure coding practices and keeping dependencies updated.
![7
(byebug) thread list
+ 1 #<Thread:0x007fe41b0d1ae0@2.2.0/webrick/server.rb:283 run> ...
2 #<WEBrick::Utils::TimeoutHandler::Thread:0x007fe41b0d1220@2.2.0/webrick/
utils.rb:162 sleep> 2.2.0/webrick/utils.rb:173
3 #<Thread:0x007fe4140bc408 sleep> 2.2.0/webrick/server.rb:174
(byebug) thread switch 3
3 #<Thread:0x007fe4140bc408 sleep> 2.2.0/webrick/server.rb:174
(byebug) thread switch 3
[168, 177] in 2.2.0/webrick/server.rb
172: while @status == :Running
173: begin
=> 174: if svrs = IO.select([shutdown_pipe[0], *@listeners], nil, nil, 2.0)
175: if svrs[0].include? shutdown_pipe[0]
176: break
At first sight](https://image.slidesharecdn.com/slide-v3static-160725073516/85/Application-Security-from-the-Inside-OWASP-7-320.jpg)
![11
(byebug) break ActiveRecord::ConnectionAdapters::SQLite3Adapter.exec_query
Successfully created breakpoint with id 1
(byebug) continue
[283, 292] in …/active_record/connection_adapters/sqlite3_adapter.rb
287:
=> 288: def exec_query(sql, name = nil, binds = [])
289: type_casted_binds = binds.map { |col, val|
290: [col, type_cast(val, col)]
291: }
292:
(byebug) var local
binds = []
name = Post Load
self = #<ActiveRecord::ConnectionAdapters::SQLite3Adapter:0x007fb1eb30df50>
sql = SELECT * FROM posts WHERE id=3
(byebug) self.quote("it's a string")
"'it''s a string'"
Where the database
is accessed](https://image.slidesharecdn.com/slide-v3static-160725073516/85/Application-Security-from-the-Inside-OWASP-11-320.jpg)
![#0 ActionView::OutputBuffer.<<(value#NilClass)
#1 ActionView::CompiledTemplates._app_views_posts_show_html_erb…(local_assigns, output_buffer)
#2 block in ActionView::Template.render(view, locals#Hash, buffer#NilClass, &block#Proc)
#3 #<Class:ActiveSupport::Notifications>.instrument(name#String, payload#Hash)
[…]
#18 ActionView::Rendering._render_template(options#Hash)
#19 ActionController::Streaming._render_template(options#Hash)
#0 is string concatenation
#1 is template insertion
Rendering a template](https://image.slidesharecdn.com/slide-v3static-160725073516/85/Application-Security-from-the-Inside-OWASP-15-320.jpg)
![(byebug) break ActionView::OutputBuffer.<<
[6, 15] in actionview-4.2.3/lib/action_view/buffers.rb
…
10: def <<(value)
=> 11: return self if value.nil?
12: super(value.to_s)
13: end
14: alias :append= :<<
15:
(byebug) var local
value = "my <script>alert()</script> title"
(byebug) value.html_safe?
true
String concatenation](https://image.slidesharecdn.com/slide-v3static-160725073516/85/Application-Security-from-the-Inside-OWASP-16-320.jpg)
![[6, 15] in app/views/posts/show.html.erb
8:
9: <p>
10: <strong>Title:</strong>
=> 11: <%= @post.title %>
12: </p>
13:
In Template Insertion](https://image.slidesharecdn.com/slide-v3static-160725073516/85/Application-Security-from-the-Inside-OWASP-17-320.jpg)
![irb(main):001:0> Gem.loaded_specs.map do |k, v|
puts "%20st%st%s " % [k, v.version, v.homepage]
end
rake 10.4.2
i18n 0.7.0 http://github.com/svenfuchs/i18n
tzinfo 1.2.2 http://tzinfo.github.io
activesupport 4.2.3 http://www.rubyonrails.org
erubis 2.7.0 http://www.kuwata-lab.com/erubis/
nokogiri 1.6.6.2 http://nokogiri.org
actionview 4.2.3 http://www.rubyonrails.org
sqlite3 1.3.10 https://github.com/sparklemotion/sqlite3-ruby
execjs 2.6.0 https://github.com/rails/execjs
...
CVE-2015-1819
CVE-2015-7941
CVE-2015-7942
CVE-2015-8035
An application dependencies](https://image.slidesharecdn.com/slide-v3static-160725073516/85/Application-Security-from-the-Inside-OWASP-21-320.jpg)
Application Security from the Inside - OWASP
- 1. Application security from the inside
- 2. Agenda How to make apps more secure? 1. Triggering new vulnerabilities (bad guys) 2. Detecting/protecting found issues (good guys) 1. SQL injection 2. Cross Site Scripting (XSS) 3. Third party components vulnerabilities 4. Shell injection 2
- 3. About Me Jean-Baptiste Aviat CTO at Sqreen (https://sqreen.io) We protect applications automatically Sqreen is hiring Former RedTeam security engineer at Apple
- 4. The best place for app security • Where to gather accurate information for securing an application? • How to change the tires of a car running at 100 mph? • How to make the diagnosis continuous, as modern release cycles? 4
- 5. App security: the place to be • Need to get closer to the runtime • Retrieve all required data, while the application processes it • Work with the deployed, running application • Obvious solution: instrumentation 5
- 6. Debugging allows… • Devs & hackers method to inspect live apps • Access anything in it – CPU registers – Addressable memory of the whole process: functions, symbols… – Threads • And to modify anything in it – Modify return values 6
- 7. 7 (byebug) thread list + 1 #<Thread:0x007fe41b0d1ae0@2.2.0/webrick/server.rb:283 run> ... 2 #<WEBrick::Utils::TimeoutHandler::Thread:0x007fe41b0d1220@2.2.0/webrick/ utils.rb:162 sleep> 2.2.0/webrick/utils.rb:173 3 #<Thread:0x007fe4140bc408 sleep> 2.2.0/webrick/server.rb:174 (byebug) thread switch 3 3 #<Thread:0x007fe4140bc408 sleep> 2.2.0/webrick/server.rb:174 (byebug) thread switch 3 [168, 177] in 2.2.0/webrick/server.rb 172: while @status == :Running 173: begin => 174: if svrs = IO.select([shutdown_pipe[0], *@listeners], nil, nil, 2.0) 175: if svrs[0].include? shutdown_pipe[0] 176: break At first sight
- 8. Web application specifics • Relevant information in a web application: – User request (headers, cookies, parameters…) and server response – Any function call and its arguments • Database requests • File operations • External APIs calls • Syscalls… – All current threads 8
- 9. 9 0 ActiveRecord::ConnectionAdapters::SQLite3Adapter.exec_query(sql#String, name#String…) … 7 PostsController.set_post … 23 ActionController::ParamsWrapper.process_action(action#NilClass, *args#Array) … 27 ActionController::Metal.dispatch(action#NilClass, request#ActionDispatch::Request) … 37 Rack::ETag.call(env#Hash) … 40 ActionDispatch::ParamsParser.call(env#Hash) … 44 ActionDispatch::Cookies.call(env#Hash) 45 ActiveRecord::QueryCache.call(env#Hash) … 74 WEBrick::HTTPServer.service(req#WEBrick::HTTPRequest, res#WEBrick::HTTPResponse) 75 WEBrick::HTTPServer.run(sock#TCPSocket) 76 block in WEBrick::GenericServer.start_thread(sock#TCPSocket, &block#NilClass) Looking closer…
- 10. • Application instrumentation • Different ways to identify vulnerabilities • And many solutions to prevent them – Patch a function return value – Encode a function arguments – Raise an exception to prevent further execution 10
- 11. 11 (byebug) break ActiveRecord::ConnectionAdapters::SQLite3Adapter.exec_query Successfully created breakpoint with id 1 (byebug) continue [283, 292] in …/active_record/connection_adapters/sqlite3_adapter.rb 287: => 288: def exec_query(sql, name = nil, binds = []) 289: type_casted_binds = binds.map { |col, val| 290: [col, type_cast(val, col)] 291: } 292: (byebug) var local binds = [] name = Post Load self = #<ActiveRecord::ConnectionAdapters::SQLite3Adapter:0x007fb1eb30df50> sql = SELECT * FROM posts WHERE id=3 (byebug) self.quote("it's a string") "'it''s a string'" Where the database is accessed
- 12. SQL injection detection • Inside an app, full access to: – Raw SQL query just as the database receives it – Database system (Oracle, MySQL…) – Database configuration (encoding) – Untrusted parameters • Ability to parse the complete SQL query 12
- 13. SQL injection • Untrusted entry used in a SQL request • Assume pwd is injectable • Injected query: • The SQL query has to be valid to trigger an injection • How to prove that an injection happened? 13 SELECT * FROM users WHERE pwd = ‘sun' LIMIT 1 SELECT * FROM users WHERE pwd = 'sun' OR 1=1--+’ LIMIT 1
- 14. Request just before it leaves the app to the DB: Reminder: we know the database, its charset, encoding rules… 1 user entry, multiple SQL tokens: This is an injection. 14 SELECT * FROM users WHERE password = 'sun' OR 1=1-- ' SELECT * FROM users WHERE password = sun OR 1 = 1
- 15. #0 ActionView::OutputBuffer.<<(value#NilClass) #1 ActionView::CompiledTemplates._app_views_posts_show_html_erb…(local_assigns, output_buffer) #2 block in ActionView::Template.render(view, locals#Hash, buffer#NilClass, &block#Proc) #3 #<Class:ActiveSupport::Notifications>.instrument(name#String, payload#Hash) […] #18 ActionView::Rendering._render_template(options#Hash) #19 ActionController::Streaming._render_template(options#Hash) #0 is string concatenation #1 is template insertion Rendering a template
- 16. (byebug) break ActionView::OutputBuffer.<< [6, 15] in actionview-4.2.3/lib/action_view/buffers.rb … 10: def <<(value) => 11: return self if value.nil? 12: super(value.to_s) 13: end 14: alias :append= :<< 15: (byebug) var local value = "my <script>alert()</script> title" (byebug) value.html_safe? true String concatenation
- 17. [6, 15] in app/views/posts/show.html.erb 8: 9: <p> 10: <strong>Title:</strong> => 11: <%= @post.title %> 12: </p> 13: In Template Insertion
- 18. XSS detection • Inside an app, access to: – Template engine (JSF, ERB…) – Partially rendered page – Fully rendered page – Generated page type – HTML, CSS, JSON… – Untrusted parameters 18
- 19. XSS detection • HTML can be parsed • Injection if: – User entry adds HTML to the rendered page • HTML node • HTML attribute • In such cases, we have an HTML injection 19 <div><script src=atta.ck/></script>Safari</div> <a href=‘#’ onclick=‘alert()’>Data</div>
- 21. irb(main):001:0> Gem.loaded_specs.map do |k, v| puts "%20st%st%s " % [k, v.version, v.homepage] end rake 10.4.2 i18n 0.7.0 http://github.com/svenfuchs/i18n tzinfo 1.2.2 http://tzinfo.github.io activesupport 4.2.3 http://www.rubyonrails.org erubis 2.7.0 http://www.kuwata-lab.com/erubis/ nokogiri 1.6.6.2 http://nokogiri.org actionview 4.2.3 http://www.rubyonrails.org sqlite3 1.3.10 https://github.com/sparklemotion/sqlite3-ruby execjs 2.6.0 https://github.com/rails/execjs ... CVE-2015-1819 CVE-2015-7941 CVE-2015-7942 CVE-2015-8035 An application dependencies
- 22. 3rd party components vuln. • Application knows its libraries – Version – Configuration – Dependencies • And OS libraries • Correlation with public security advisories • And restrict / correct the vulnerable paths 22
- 24. • Inside an app, access to: – Command (before execution) – Shell • Type (Bash, ksh, PowerShell, cmd.exe…) • Version (ShellShock vulnerable?) – Environment – User parameters 24
- 25. Shell injection • Similar to SQL injection • Ability to parse the executed command – Legitimate command: – Injected command: • Possible correlation with untrusted parameters 25 whois jbaviat.sqreen.io whois jbaviat.sqreen.io ; cat /etc/passwd
- 27. Sqreen: you code, we protect • We protect applications automatically • Beta program available: Contact us to be part of it • Sqreen is hiring 27