Application Security from the Inside - OWASP
Application security from the inside
Agenda
How to make apps more secure?
1. Triggering new vulnerabilities (bad guys)
2. Detecting/protecting found issues (good guys)

1. SQL injection
2. Cross Site Scripting (XSS)
3. Third party components vulnerabilities
4. Shell injection
About Me
Jean-Baptiste Aviat
CTO at Sqreen (https://sqreen.io)
We protect applications automatically
Sqreen is hiring
Former RedTeam security engineer at Apple
The best place for app security
• Where to gather accurate information for securing an application?
• How to change the tires of a car running at 100 mph?
• How to make the diagnosis continuous, to match modern release cycles?
App security: the place to be
• Need to get closer to the runtime
• Retrieve all required data while the application processes it
• Work with the deployed, running application
• Obvious solution: instrumentation
Debugging allows…
• Devs & hackers method to inspect live apps
• Access anything in it
– CPU registers
– Addressable memory of the whole process: functions, symbols…
– Threads
• And to modify anything in it
– Modify return values
(byebug) thread list
+ 1 #<Thread:[email protected]/webrick/server.rb:283 run> ...
2 #<WEBrick::Utils::TimeoutHandler::Thread:[email protected]/webrick/
utils.rb:162 sleep> 2.2.0/webrick/utils.rb:173
3 #<Thread:0x007fe4140bc408 sleep> 2.2.0/webrick/server.rb:174
(byebug) thread switch 3
3 #<Thread:0x007fe4140bc408 sleep> 2.2.0/webrick/server.rb:174
(byebug) thread switch 3
[168, 177] in 2.2.0/webrick/server.rb
172: while @status == :Running
173: begin
=> 174: if svrs = IO.select([shutdown_pipe[0], *@listeners], nil, nil, 2.0)
175: if svrs[0].include? shutdown_pipe[0]
176: break
At first sight
Web application specifics
• Relevant information in a web application:
– User request (headers, cookies, parameters…) and server response
– Any function call and its arguments
• Database requests
• File operations
• External API calls
• Syscalls…
– All current threads
0 ActiveRecord::ConnectionAdapters::SQLite3Adapter.exec_query(sql#String, name#String…)
…
7 PostsController.set_post
…
23 ActionController::ParamsWrapper.process_action(action#NilClass, *args#Array)
…
27 ActionController::Metal.dispatch(action#NilClass, request#ActionDispatch::Request)
…
37 Rack::ETag.call(env#Hash)
…
40 ActionDispatch::ParamsParser.call(env#Hash)
…
44 ActionDispatch::Cookies.call(env#Hash)
45 ActiveRecord::QueryCache.call(env#Hash)
…
74 WEBrick::HTTPServer.service(req#WEBrick::HTTPRequest, res#WEBrick::HTTPResponse)
75 WEBrick::HTTPServer.run(sock#TCPSocket)
76 block in WEBrick::GenericServer.start_thread(sock#TCPSocket, &block#NilClass)
Looking closer…
• Application instrumentation
• Different ways to identify vulnerabilities
• And many solutions to prevent them
– Patch a function return value
– Encode a function's arguments
– Raise an exception to prevent further execution
(byebug) break ActiveRecord::ConnectionAdapters::SQLite3Adapter.exec_query
Successfully created breakpoint with id 1
(byebug) continue
[283, 292] in …/active_record/connection_adapters/sqlite3_adapter.rb
287:
=> 288: def exec_query(sql, name = nil, binds = [])
289: type_casted_binds = binds.map { |col, val|
290: [col, type_cast(val, col)]
291: }
292:
(byebug) var local
binds = []
name = Post Load
self = #<ActiveRecord::ConnectionAdapters::SQLite3Adapter:0x007fb1eb30df50>
sql = SELECT * FROM posts WHERE id=3
(byebug) self.quote("it's a string")
"'it''s a string'"
Where the database is accessed
SQL injection detection
• Inside an app, full access to:
– Raw SQL query, just as the database receives it
– Database system (Oracle, MySQL…)
– Database configuration (encoding)
– Untrusted parameters
• Ability to parse the complete SQL query
SQL injection
• Untrusted entry used in a SQL request
• Assume pwd is injectable:
SELECT * FROM users WHERE pwd = 'sun' LIMIT 1
• Injected query:
SELECT * FROM users WHERE pwd = 'sun' OR 1=1--+' LIMIT 1
• The SQL query has to be valid to trigger an injection
• How to prove that an injection happened?
Request just before it leaves the app to the DB:
SELECT * FROM users WHERE password = 'sun' OR 1=1-- '
Reminder: we know the database, its charset, encoding rules…
Tokenized:
SELECT * FROM users WHERE password = sun OR 1 = 1
1 user entry, multiple SQL tokens: this is an injection.
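The rule just stated (one untrusted entry covering several SQL tokens) can be checked in a few lines. The Ruby below is an added example, not Sqreen's code: a coarse SQL tokenizer, a detector that locates each untrusted parameter in the query and counts the tokens it covers, and a module prepended to a hypothetical `DemoAdapter` class (a stand-in for the ActiveRecord adapter whose `exec_query` the byebug breakpoint above stops in) that raises before the query reaches the database. The thread-local `:untrusted_params` is an assumption about how request parameters would be handed to the hook.

```ruby
require 'strscan'

# Coarse SQL tokenizer (added example, not Sqreen's code). The token classes are
# just enough to tell "one literal" apart from "several tokens' worth of SQL".
module SqlTokens
  PATTERNS = {
    space:   /\s+/,
    comment: %r{--[^\n]*|/\*.*?\*/}m,
    string:  /'(?:[^']|'')*'/,          # single-quoted literal, '' escapes a quote
    number:  /\d+(?:\.\d+)?/,
    word:    /[A-Za-z_][A-Za-z0-9_]*/,  # keywords and identifiers alike
    op:      %r{<>|<=|>=|!=|[=<>(),;*+\-/]}
  }.freeze

  # Returns [[type, text, start_offset], ...] with whitespace dropped.
  def self.tokenize(sql)
    scanner = StringScanner.new(sql)
    tokens = []
    until scanner.eos?
      start = scanner.pos
      type, _re = PATTERNS.find { |_t, re| scanner.scan(re) }
      raise ArgumentError, "cannot tokenize near #{scanner.peek(10).inspect}" unless type
      tokens << [type, scanner.matched, start] unless type == :space
    end
    tokens
  end
end

module SqlInjectionDetector
  # True when some occurrence of the untrusted value in the query covers more
  # than one token: exactly the "1 user entry, multiple SQL tokens" rule.
  def self.injection?(sql, value)
    return false if value.nil? || value.empty?
    tokens = SqlTokens.tokenize(sql)
    from = 0
    while (i = sql.index(value, from))
      j = i + value.length
      covered = tokens.count { |_type, text, start| start < j && start + text.length > i }
      return true if covered > 1
      from = j
    end
    false
  end
end

class SqlInjectionError < StandardError; end

# Hypothetical stand-in for a database adapter (not ActiveRecord's class).
class DemoAdapter
  def exec_query(sql, name = nil, binds = [])
    "executed: #{sql}"
  end
end

# Instrumentation: the prepended module runs before the adapter's own exec_query,
# the same spot the byebug breakpoint stops at. Untrusted request parameters are
# assumed to have been stored in a thread-local by the request-handling code.
module ExecQueryGuard
  def exec_query(sql, name = nil, binds = [])
    Array(Thread.current[:untrusted_params]).each do |param|
      if SqlInjectionDetector.injection?(sql, param)
        raise SqlInjectionError, "parameter #{param.inspect} spans several SQL tokens"
      end
    end
    super
  end
end
DemoAdapter.prepend(ExecQueryGuard)

# Constructed queries, mirroring the slide.
LEGIT_SQL    = "SELECT * FROM users WHERE pwd = 'sun' LIMIT 1"
INJECTED_SQL = "SELECT * FROM users WHERE pwd = 'sun' OR 1=1--+' LIMIT 1"
ESCAPED_SQL  = "SELECT * FROM users WHERE pwd = 'sun'' OR 1=1--+' LIMIT 1"

if __FILE__ == $PROGRAM_NAME
  Thread.current[:untrusted_params] = ["sun' OR 1=1--+"]
  begin
    DemoAdapter.new.exec_query(INJECTED_SQL)
  rescue SqlInjectionError => e
    puts "blocked: #{e.message}"
  end
end
```

The escaped query is the interesting negative case: once the adapter's quoting has doubled the quote, the raw value no longer occurs in the SQL at all, so nothing is flagged. A production check would compare the parameter as the database's own quoting rules write it (the "we know the database, its charset, encoding rules" point above) rather than only the raw string.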
#0 ActionView::OutputBuffer.<<(value#NilClass)
#1 ActionView::CompiledTemplates._app_views_posts_show_html_erb…(local_assigns, output_buffer)
#2 block in ActionView::Template.render(view, locals#Hash, buffer#NilClass, &block#Proc)
#3 #<Class:ActiveSupport::Notifications>.instrument(name#String, payload#Hash)
[…]
#18 ActionView::Rendering._render_template(options#Hash)
#19 ActionController::Streaming._render_template(options#Hash)
#0 is string concatenation
#1 is template insertion
Rendering a template
(byebug) break ActionView::OutputBuffer.<<
[6, 15] in actionview-4.2.3/lib/action_view/buffers.rb
…
10: def <<(value)
=> 11: return self if value.nil?
12: super(value.to_s)
13: end
14: alias :append= :<<
15:
(byebug) var local
value = "my <script>alert()</script> title"
(byebug) value.html_safe?
true
String concatenation
[6, 15] in app/views/posts/show.html.erb
8:
9: <p>
10: <strong>Title:</strong>
=> 11: <%= @post.title %>
12: </p>
13:
In Template Insertion
XSS detection
• Inside an app, access to:
– Template engine (JSF, ERB…)
– Partially rendered page
– Fully rendered page
– Generated page type: HTML, CSS, JSON…
– Untrusted parameters
XSS detection
• HTML can be parsed
• Injection if:
– User entry adds HTML to the rendered page
• HTML node
• HTML attribute
• In such cases, we have an HTML injection
<div><script src=atta.ck/></script>Safari</div>
<a href='#' onclick='alert()'>Data</div>
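"User entry adds HTML to the rendered page" can be tested structurally: render the page, render it again with the untrusted value replaced by inert text of the same length, and compare the number of tags and attributes. The Ruby below is an added example, not Sqreen's or Rails' code; `POST_TEMPLATE`, `link_for` and the payloads are constructed, and the regex-based `html_structure` stands in for a real HTML parser. The stdlib ERB engine is used so that the `html_safe? == true` case from the byebug session (raw string appended to the buffer) can be reproduced with `escape: false`.

```ruby
require 'erb'

# Regex-based structure extraction (added example; a stand-in for a real HTML
# parser). Counts tags and valued attributes, which is all the comparison needs.
TAG_RE  = %r{<\s*/?\s*[A-Za-z][A-Za-z0-9]*((?:[^>"']|"[^"]*"|'[^']*')*)>}
ATTR_RE = /[A-Za-z_:][-\w:.]*\s*=\s*(?:"[^"]*"|'[^']*'|[^\s>]+)/

# Returns [tag_count, attribute_count] for an HTML fragment.
def html_structure(html)
  tag_matches = html.scan(TAG_RE)
  attrs = tag_matches.sum { |(attr_text)| attr_text.scan(ATTR_RE).length }
  [tag_matches.length, attrs]
end

# The untrusted value "adds HTML" when the page rendered with it has a different
# tag/attribute count than the same page with the value swapped for inert text.
# A value that was escaped on the way in never occurs raw, so it is never flagged.
def adds_html?(rendered, value)
  return false if value.nil? || value.empty? || !rendered.include?(value)
  baseline = rendered.gsub(value) { "x" * value.length } # literal, not regex, replacement
  html_structure(rendered) != html_structure(baseline)
end

# Constructed stand-in for app/views/posts/show.html.erb.
POST_TEMPLATE = "<p>\n  <strong>Title:</strong>\n  <%= title %>\n</p>\n"

# escape: false reproduces the html_safe? == true case from the byebug session.
def render_post(title, escape: true)
  value = escape ? ERB::Util.html_escape(title) : title
  ERB.new(POST_TEMPLATE).result_with_hash(title: value)
end

# Constructed attribute context: an untrusted value lands inside a quoted href.
def link_for(href)
  "<a href='#{href}'>Data</a>"
end

STORED_XSS   = "my <script>alert()</script> title" # the value seen in byebug above
ATTR_PAYLOAD = "#' onclick='alert()"               # constructed: escapes the quoted href

if __FILE__ == $PROGRAM_NAME
  page = render_post(STORED_XSS, escape: false)
  puts "node injection: #{adds_html?(page, STORED_XSS)}"          # true
  puts "escaped:        #{adds_html?(render_post(STORED_XSS), STORED_XSS)}" # false
  puts "attr injection: #{adds_html?(link_for(ATTR_PAYLOAD), ATTR_PAYLOAD)}" # true
end
```

The count comparison deliberately ignores tag names, so a legitimate value that happens to equal a tag name used in the template ("div", "p") does not trip it; only new nodes or new attributes, the two cases listed on the slide, change the counts.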
Third party components vulnerabilities
irb(main):001:0> Gem.loaded_specs.map do |k, v|
  puts "%20s\t%s\t%s " % [k, v.version, v.homepage]
end
rake 10.4.2
i18n 0.7.0 http://github.com/svenfuchs/i18n
tzinfo 1.2.2 http://tzinfo.github.io
activesupport 4.2.3 http://www.rubyonrails.org
erubis 2.7.0 http://www.kuwata-lab.com/erubis/
nokogiri 1.6.6.2 http://nokogiri.org
actionview 4.2.3 http://www.rubyonrails.org
sqlite3 1.3.10 https://github.com/sparklemotion/sqlite3-ruby
execjs 2.6.0 https://github.com/rails/execjs
...
CVE-2015-1819, CVE-2015-7941, CVE-2015-7942, CVE-2015-8035
An application's dependencies
3rd party components vuln.
• Application knows its libraries
– Version
– Configuration
– Dependencies
• And OS libraries
• Correlation with public security advisories
• And restrict / correct the vulnerable paths
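The correlation step is mostly version arithmetic, which RubyGems already provides. The Ruby below is an added example, not Sqreen's code: it reads the same inventory the irb snippet above prints (`Gem.loaded_specs`) and matches it against a constructed advisory list. The advisory ids and patched-version requirements are placeholders, not real advisories; the gem versions in `DEMO_INVENTORY` are the ones shown in the irb output.

```ruby
require 'rubygems'

# Constructed advisory records with placeholder ids (not real advisories).
# Each says which versions of the named gem carry the fix.
ADVISORIES = [
  { gem: "nokogiri",   id: "CVE-YYYY-NNNN (placeholder)", patched: ">= 1.6.7" },
  { gem: "actionview", id: "CVE-YYYY-MMMM (placeholder)", patched: ">= 4.2.2" },
  { gem: "rack",       id: "CVE-YYYY-PPPP (placeholder)", patched: ">= 1.6.2" }
].freeze

# loaded: { gem name => version string }. Returns the advisories whose gem is
# loaded at a version outside the patched range; gems the app does not load
# are ignored, which is what makes runtime inventory more precise than a Gemfile.
def vulnerable_gems(loaded, advisories = ADVISORIES)
  advisories.select do |adv|
    version = loaded[adv[:gem]]
    next false unless version
    !Gem::Requirement.new(adv[:patched]).satisfied_by?(Gem::Version.new(version))
  end
end

# Live inventory of the running application (the same data as the irb snippet).
def loaded_gem_versions
  Gem.loaded_specs.transform_values { |spec| spec.version.to_s }
end

# Constructed inventory, using the versions printed on the slide.
DEMO_INVENTORY = { "nokogiri" => "1.6.6.2", "actionview" => "4.2.3", "rake" => "10.4.2" }.freeze

if __FILE__ == $PROGRAM_NAME
  vulnerable_gems(DEMO_INVENTORY).each { |adv| puts "#{adv[:gem]}: #{adv[:id]}" }
end
```

`Gem::Requirement` understands the usual operators (`>=`, `~>`, `<`), so an advisory with several patched branches can be expressed by passing each requirement string; `Gem::Version` orders "1.6.6.2" below "1.6.7" segment by segment, so no hand-written version parsing is needed.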
Shell injection
• Inside an app, access to:
– Command (before execution)
– Shell
• Type (Bash, ksh, PowerShell, cmd.exe…)
• Version (ShellShock vulnerable?)
– Environment
– User parameters
Shell injection
• Similar to SQL injection
• Ability to parse the executed command
– Legitimate command:
whois jbaviat.sqreen.io
– Injected command:
whois jbaviat.sqreen.io ; cat /etc/passwd
• Possible correlation with untrusted parameters
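The SQL rule carries over: the untrusted parameter should come out of shell word-splitting as exactly one word. The Ruby below is an added example, not Sqreen's code, and uses the stdlib `Shellwords` module for POSIX-style splitting, so it covers sh-family shells only (the cmd.exe and PowerShell cases listed above need their own tokenizer). `whois_argv` and `whois_command_line` are constructed helpers showing the mitigation side: pass an argv with no shell, or let `Shellwords.join` escape every argument.

```ruby
require 'shellwords'

# True when the untrusted value does not survive as exactly one word of the
# command, or would still be evaluated by the shell inside a single word.
def shell_injection?(command, value)
  return false if value.nil? || value.empty? || !command.include?(value)
  words = Shellwords.split(command)          # POSIX-style word splitting
  return true unless words.include?(value)   # value became several words, or merged
  value.match?(/[`$]/)                       # `cmd` or $(cmd) run even as one word
rescue ArgumentError                         # unbalanced quote: the command is malformed
  true
end

# Mitigation: build an argv and run it without a shell (system(*argv)) ...
def whois_argv(host)
  ["whois", host]
end

# ... or, when a shell string is unavoidable, escape each argument.
def whois_command_line(host)
  Shellwords.join(whois_argv(host))
end

LEGIT_HOST    = "jbaviat.sqreen.io"                      # from the slide
INJECTED_HOST = "jbaviat.sqreen.io ; cat /etc/passwd"    # from the slide

if __FILE__ == $PROGRAM_NAME
  puts "legit:    #{shell_injection?("whois #{LEGIT_HOST}", LEGIT_HOST)}"       # false
  puts "injected: #{shell_injection?("whois #{INJECTED_HOST}", INJECTED_HOST)}" # true
  puts "escaped:  #{whois_command_line(INJECTED_HOST)}"
end
```

Note the last case in the test: after `Shellwords.join` the raw parameter no longer appears in the command line at all, which is the same signature the escaped SQL query showed. The detector is a runtime check on what the app is about to execute; `system(*whois_argv(host))` is the fix.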
Sqreen: you code, we protect
• We protect applications automatically
• Beta program available: contact us to be part of it
• Sqreen is hiring