Application Security from the Inside - OWASP

Application security from the inside

Transcript of Application Security from the Inside - OWASP

Page 1: Application Security from the Inside - OWASP

Application security from the inside

Page 2

Agenda

How to make apps more secure?
1. Triggering new vulnerabilities (bad guys)
2. Detecting/protecting found issues (good guys)

1. SQL injection
2. Cross Site Scripting (XSS)
3. Third party components vulnerabilities
4. Shell injection


Page 3

About Me

Jean-Baptiste Aviat

CTO at Sqreen (https://sqreen.io)
We protect applications automatically
Sqreen is hiring

Former RedTeam security engineer at Apple

Page 4

The best place for app security

• Where to gather accurate information for securing an application?

• How to change the tires of a car running at 100 mph?

• How to make the diagnosis continuous, as modern release cycles?


Page 5

App security: the place to be

• Need to get closer to the runtime
• Retrieve all required data while the application processes it
• Work with the deployed, running application
• Obvious solution: instrumentation


Page 6

Debugging allows…

• The method devs and hackers use to inspect live apps
• Access anything in it
– CPU registers
– Addressable memory of the whole process: functions, symbols…
– Threads
• And modify anything in it
– Modify return values


Page 7


(byebug) thread list
+ 1 #<Thread:[email protected]/webrick/server.rb:283 run> ...
  2 #<WEBrick::Utils::TimeoutHandler::Thread:[email protected]/webrick/utils.rb:162 sleep> 2.2.0/webrick/utils.rb:173
  3 #<Thread:0x007fe4140bc408 sleep> 2.2.0/webrick/server.rb:174
(byebug) thread switch 3
  3 #<Thread:0x007fe4140bc408 sleep> 2.2.0/webrick/server.rb:174
[168, 177] in 2.2.0/webrick/server.rb
   172:     while @status == :Running
   173:       begin
=> 174:         if svrs = IO.select([shutdown_pipe[0], *@listeners], nil, nil, 2.0)
   175:           if svrs[0].include? shutdown_pipe[0]
   176:             break

At first sight

Page 8

Web application specifics

• Relevant information in a web application:
– User request (headers, cookies, parameters…) and server response
– Any function call and its arguments
  • Database requests
  • File operations
  • External API calls
  • Syscalls…
– All current threads

Page 9


0 ActiveRecord::ConnectionAdapters::SQLite3Adapter.exec_query(sql#String, name#String…)

7 PostsController.set_post

23 ActionController::ParamsWrapper.process_action(action#NilClass, *args#Array)

27 ActionController::Metal.dispatch(action#NilClass, request#ActionDispatch::Request)

37 Rack::ETag.call(env#Hash)

40 ActionDispatch::ParamsParser.call(env#Hash)

44 ActionDispatch::Cookies.call(env#Hash)

45 ActiveRecord::QueryCache.call(env#Hash)

74 WEBrick::HTTPServer.service(req#WEBrick::HTTPRequest, res#WEBrick::HTTPResponse)

75 WEBrick::HTTPServer.run(sock#TCPSocket)

76 block in WEBrick::GenericServer.start_thread(sock#TCPSocket, &block#NilClass)

Looking closer…

Page 10

• Application instrumentation
• Different ways to identify vulnerabilities
• And many solutions to prevent them
– Patch a function's return value
– Encode a function's arguments
– Raise an exception to prevent further execution
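To make those three options concrete, here is an added example in Ruby (not code from the talk or from Sqreen): a hook built with Module#prepend wraps a method so that its arguments are visible before the call and its return value after it, and the hook can raise, rewrite the arguments, or patch what is returned. FakeAdapter, BlockedCall, Instrumentation, AUDIT_LOG and the DROP-keyword policy are all constructed for this example; FakeAdapter merely stands in for a class such as the SQLite3 adapter hooked on the next slide.

```ruby
# Added example: runtime instrumentation of a method with Module#prepend.
# FakeAdapter stands in for a real database adapter class; the policy below
# (block DROP statements, normalise whitespace) is illustrative only.
class BlockedCall < StandardError; end

class FakeAdapter
  # Pretend database call: returns the "rows" it fetched for the query.
  def exec_query(sql, name = nil)
    [{ "sql" => sql, "name" => name }]
  end
end

module Instrumentation
  # Wrap `method_name` on `klass`. The `before` callable receives the argument
  # array and answers :block, [:rewrite, new_args] or nil (let it through);
  # the `after` callable receives the return value and may replace it.
  def self.hook(klass, method_name, before: nil, after: nil)
    wrapper = Module.new do
      define_method(method_name) do |*args, &blk|
        decision = before && before.call(args)
        case decision
        when :block
          raise BlockedCall, "#{klass}##{method_name} blocked"
        when Array
          args = decision[1] if decision[0] == :rewrite
        end
        result = super(*args, &blk)        # the original method runs here
        after ? after.call(result) : result
      end
    end
    klass.prepend(wrapper)                 # from now on every call goes through the wrapper
    wrapper
  end
end

AUDIT_LOG = []                             # every query the hook has seen

Instrumentation.hook(FakeAdapter, :exec_query,
  before: lambda { |args|
    sql = args.first
    AUDIT_LOG << sql
    if sql =~ /\bDROP\b/i
      :block                               # raise before the query reaches the database
    else
      [:rewrite, [sql.strip, "hooked"]]    # normalise the arguments
    end
  },
  after: ->(rows) { rows.map { |r| r.merge("audited" => true) } })  # patch the return value

# Run a query through the instrumented adapter; a blocked call is reported
# as a hash instead of raising, so callers can see what the hook decided.
def run_query(sql)
  FakeAdapter.new.exec_query(sql)
rescue BlockedCall => e
  { "blocked" => e.message }
end

if __FILE__ == $PROGRAM_NAME
  p run_query("  SELECT 1  ")
  p run_query("DROP TABLE users")
  p AUDIT_LOG
end
```

Because the wrapper is prepended rather than monkey-patched in place, the original method body is untouched and `super` still reaches it; removing the hook is a matter of not prepending it.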


Page 11


(byebug) break ActiveRecord::ConnectionAdapters::SQLite3Adapter.exec_query
Successfully created breakpoint with id 1
(byebug) continue
[283, 292] in …/active_record/connection_adapters/sqlite3_adapter.rb
   287:
=> 288:       def exec_query(sql, name = nil, binds = [])
   289:         type_casted_binds = binds.map { |col, val|
   290:           [col, type_cast(val, col)]
   291:         }
   292:
(byebug) var local
binds = []
name = Post Load
self = #<ActiveRecord::ConnectionAdapters::SQLite3Adapter:0x007fb1eb30df50>
sql = SELECT * FROM posts WHERE id=3
(byebug) self.quote("it's a string")
"'it''s a string'"

Where the database is accessed

Page 12

SQL injection detection

• Inside an app, full access to:
– Raw SQL query, just as the database receives it
– Database system (Oracle, MySQL…)
– Database configuration (encoding)
– Untrusted parameters

• Ability to parse the complete SQL query


Page 13

SQL injection

• Untrusted entry used in a SQL request:
SELECT * FROM users WHERE pwd = 'sun' LIMIT 1
• Assume pwd is injectable
• Injected query:
SELECT * FROM users WHERE pwd = 'sun' OR 1=1--+' LIMIT 1
• The SQL query has to be valid to trigger an injection
• How to prove that an injection happened?

Page 14

Request just before it leaves the app to the DB:
SELECT * FROM users WHERE password = 'sun' OR 1=1-- '

Reminder: we know the database, its charset, encoding rules…

Parsed into tokens:
SELECT * FROM users WHERE password = sun OR 1 = 1

1 user entry, multiple SQL tokens: this is an injection.
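The "one user entry, multiple SQL tokens" rule above, as an added Ruby example that is not code from the talk or from Sqreen. It tokenizes the query just before it would leave the app, locates the untrusted value by the offset at which the application inserted it, and counts the tokens that overlap it. SqlToken, SQL_TOKEN, sql_tokenize, build_login_query, escape_sql_string and sql_injection? are names chosen for this example, and the tokenizer is a simplified one (string literals with '' escaping, numbers, identifiers, operators, -- comments), not a full SQL grammar.

```ruby
# Added example: SQL injection detection by counting the tokens an untrusted
# value spans in the final query. Simplified tokenizer, written for this
# example; it is not a complete SQL lexer.
SqlToken = Struct.new(:type, :value, :start, :stop)

SQL_TOKEN = /
  (?<space>\s+)                        |
  (?<comment>--[^\n]*)                 |
  (?<string>'(?:[^']|'')*')            |
  (?<number>\d+(?:\.\d+)?)             |
  (?<ident>[A-Za-z_][A-Za-z0-9_]*)     |
  (?<op><>|<=|>=|[=<>*,;()+\-\/])      |
  (?<other>.)
/xm

# Split a query into tokens, each with its character span in the query.
def sql_tokenize(sql)
  tokens = []
  pos = 0
  while (m = SQL_TOKEN.match(sql, pos))
    pos = m.end(0)
    next if m[:space]                       # whitespace separates tokens, it is not one
    type = m.names.find { |name| m[name] }  # the one alternative that matched
    tokens << SqlToken.new(type.to_sym, m[0], m.begin(0), m.end(0))
  end
  tokens
end

# The vulnerable concatenation from the slide, kept vulnerable on purpose.
# It also returns where the untrusted value landed in the query: an agent
# hooking the query-building layer knows this offset.
def build_login_query(pwd)
  prefix = "SELECT * FROM users WHERE pwd = '"
  [prefix + pwd + "' LIMIT 1", prefix.length]
end

# What the adapter's quote method did to "it's a string" on the earlier slide.
def escape_sql_string(value)
  value.gsub("'", "''")
end

# One user entry that overlaps more than one SQL token changed the query's
# structure: that is the injection test from the slide. A value that stays
# inside a single string literal or number is just data.
def sql_injection?(sql, untrusted, at)
  return false if untrusted.empty?
  stop = at + untrusted.length
  covered = sql_tokenize(sql).select { |t| t.start < stop && t.stop > at }
  covered.size > 1
end

if __FILE__ == $PROGRAM_NAME
  ["sun", "sun' OR 1=1-- ", escape_sql_string("sun' OR 1=1-- ")].each do |pwd|
    sql, at = build_login_query(pwd)
    puts "#{sql_injection?(sql, pwd, at) ? 'INJECTION' : 'ok       '}  #{sql}"
  end
end
```

The escaped variant shows why the rule holds up: once the quote is doubled, the whole payload sits inside one string literal and is reported as data, which is exactly what the database will treat it as.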

Page 15

#0 ActionView::OutputBuffer.<<(value#NilClass)

#1 ActionView::CompiledTemplates._app_views_posts_show_html_erb…(local_assigns, output_buffer)

#2 block in ActionView::Template.render(view, locals#Hash, buffer#NilClass, &block#Proc)

#3 #<Class:ActiveSupport::Notifications>.instrument(name#String, payload#Hash)

[…]

#18 ActionView::Rendering._render_template(options#Hash)

#19 ActionController::Streaming._render_template(options#Hash)

#0 is string concatenation

#1 is template insertion

Rendering a template

Page 16

(byebug) break ActionView::OutputBuffer.<<
[6, 15] in actionview-4.2.3/lib/action_view/buffers.rb
   10:     def <<(value)
=> 11:       return self if value.nil?
   12:       super(value.to_s)
   13:     end
   14:     alias :append= :<<
   15:
(byebug) var local
value = "my <script>alert()</script> title"
(byebug) value.html_safe?
true

String concatenation

Page 17

[6, 15] in app/views/posts/show.html.erb
    8:
    9: <p>
   10:   <strong>Title:</strong>
=> 11:   <%= @post.title %>
   12: </p>
   13:

In Template Insertion

Page 18

XSS detection

• Inside an app, access to:
– Template engine (JSF, ERB…)
– Partially rendered page
– Fully rendered page
– Generated page type: HTML, CSS, JSON…
– Untrusted parameters


Page 19

XSS detection

• HTML can be parsed
• Injection if:
– User entry adds HTML to the rendered page
  • HTML node
  • HTML attribute
• In such cases, we have an HTML injection

<div><script src=atta.ck/></script>Safari</div>
<a href='#' onclick='alert()'>Data</a>
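The node/attribute rule above, as an added Ruby example (not code from the talk or from Sqreen): render the template with the untrusted value and with a harmless placeholder of the same length, then compare the tags and attributes found in the two outputs. TAG_RE, ATTR_RE, html_structure, xss?, RAW_TEMPLATE and ESCAPED_TEMPLATE are names chosen for this example; the tag scanner is a small regex one rather than a full HTML5 parser, and the two lambdas only stand in for the show.html.erb template on the earlier slide.

```ruby
require "cgi"

# Added example: XSS detection by comparing the markup structure of the
# rendered page with and without the untrusted value. The scanner below is
# deliberately small and written for this example; a real agent would use a
# full HTML5 parser.
TAG_RE  = /<\/?([A-Za-z][\w-]*)([^>]*)>/   # "<" followed by a letter starts a tag, "< 2" does not
ATTR_RE = /([A-Za-z_:][\w:.-]*)(?:\s*=\s*(?:"[^"]*"|'[^']*'|[^\s"'>]+))?/

# Structural summary of a fragment: one [tag, attribute names] entry per tag.
# Text content contributes nothing, so only markup shows up here.
def html_structure(html)
  html.scan(TAG_RE).map do |name, attrs|
    [name.downcase, attrs.scan(ATTR_RE).flatten.map(&:downcase).sort]
  end
end

# Render the template twice: with the real value, and with a placeholder of
# the same length that cannot carry markup. Any difference in tags or
# attributes means the untrusted value added HTML nodes or attributes.
def xss?(render, untrusted)
  placeholder = "x" * [untrusted.length, 1].max
  html_structure(render.call(untrusted)) != html_structure(render.call(placeholder))
end

# Two renderers standing in for the template: the vulnerable one inserts the
# title raw (what an html_safe string gets), the fixed one escapes it.
RAW_TEMPLATE     = ->(title) { "<p><strong>Title:</strong> #{title}</p>" }
ESCAPED_TEMPLATE = ->(title) { "<p><strong>Title:</strong> #{CGI.escapeHTML(title)}</p>" }

if __FILE__ == $PROGRAM_NAME
  # Constructed sample titles: one harmless, two from the slide's examples.
  ["Safari", "my <script>alert()</script> title", "<a href='#' onclick='alert()'>Data</a>"].each do |title|
    puts "raw: #{xss?(RAW_TEMPLATE, title)}  escaped: #{xss?(ESCAPED_TEMPLATE, title)}  #{title.inspect}"
  end
end
```

Comparing against a placeholder rendering, rather than scanning the value alone, is what lets the check work on the fully rendered page: a value that lands inside an existing attribute and merely closes the quote shows up as a new attribute name, and a value the template escaped shows up as nothing at all.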

Page 20

Third party components vulnerabilities


Page 21

irb(main):001:0> Gem.loaded_specs.map do |k, v|
  puts "%20s\t%s\t%s " % [k, v.version, v.homepage]
end
                rake    10.4.2
                i18n    0.7.0   http://github.com/svenfuchs/i18n
              tzinfo    1.2.2   http://tzinfo.github.io
       activesupport    4.2.3   http://www.rubyonrails.org
              erubis    2.7.0   http://www.kuwata-lab.com/erubis/
            nokogiri    1.6.6.2 http://nokogiri.org
          actionview    4.2.3   http://www.rubyonrails.org
             sqlite3    1.3.10  https://github.com/sparklemotion/sqlite3-ruby
              execjs    2.6.0   https://github.com/rails/execjs
...

CVE-2015-1819
CVE-2015-7941
CVE-2015-7942
CVE-2015-8035

An application's dependencies

Page 22

3rd party components vuln.

• Application knows its libraries
– Version
– Configuration
– Dependencies
• And OS libraries
• Correlation with public security advisories
• And restrict / correct the vulnerable paths
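Correlating the loaded gems with advisories, as an added Ruby example that is not code from the talk or from Sqreen. It builds the same inventory the irb session on the previous slide printed (Gem.loaded_specs) and compares versions with RubyGems' own Gem::Requirement, so a range such as "~> 0.9.0" is evaluated semantically rather than as a string. ADVISORIES holds constructed placeholder entries for fictitious gems, not real CVE data; loaded_gem_versions and vulnerable_dependencies are names chosen for this example.

```ruby
require "rubygems"

# Added example: match the gems a process has actually loaded against a table
# of security advisories. The entries below are constructed placeholders for
# fictitious gems; a real agent fetches advisories from a vulnerability
# database keyed by gem name.
ADVISORIES = [
  { id: "ADVISORY-PLACEHOLDER-1", gem: "examplegem", affected: "< 1.2.3" },
  { id: "ADVISORY-PLACEHOLDER-2", gem: "examplegem", affected: ">= 2.0.0, < 2.0.5" },
  { id: "ADVISORY-PLACEHOLDER-3", gem: "otherlib",   affected: "~> 0.9.0" },
].freeze

# Inventory of the running process: gem name => version actually loaded.
# This is the data the irb session on the previous slide printed.
def loaded_gem_versions
  Gem.loaded_specs.transform_values { |spec| spec.version.to_s }
end

# Return [gem, loaded version, advisory id] for every advisory whose affected
# range contains the loaded version. Gem::Requirement does the comparison, so
# "1.10.0" is correctly newer than "1.9.0" and pessimistic "~>" ranges work.
def vulnerable_dependencies(inventory, advisories = ADVISORIES)
  advisories.each_with_object([]) do |adv, found|
    version = inventory[adv[:gem]]
    next unless version                      # the process never loaded this gem
    range = Gem::Requirement.new(*adv[:affected].split(", "))
    found << [adv[:gem], version, adv[:id]] if range.satisfied_by?(Gem::Version.new(version))
  end
end

if __FILE__ == $PROGRAM_NAME
  # Constructed inventory: what a small app might have loaded.
  sample = { "examplegem" => "1.2.0", "otherlib" => "0.9.7", "rake" => "10.4.2" }
  vulnerable_dependencies(sample).each do |gem, version, id|
    puts "%-12s %-8s %s" % [gem, version, id]
  end
  # Against the live process (empty with these placeholder advisories).
  p vulnerable_dependencies(loaded_gem_versions)
end
```

Working from Gem.loaded_specs rather than from a Gemfile.lock matters for the point on this slide: it reports what is actually in memory in the deployed process, including a version that differs from what the lock file says.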


Page 23

Shell injection


Page 24

• Inside an app, access to:
– Command (before execution)
– Shell
  • Type (Bash, ksh, PowerShell, cmd.exe…)
  • Version (ShellShock vulnerable?)
– Environment
– User parameters


Page 25

Shell injection

• Similar to SQL injection
• Ability to parse the executed command
– Legitimate command:
whois jbaviat.sqreen.io
– Injected command:
whois jbaviat.sqreen.io ; cat /etc/passwd
• Possible correlation with untrusted parameters
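The same token-counting check applied to the whois command above, as an added Ruby example (not code from the talk or from Sqreen). ShellToken, SHELL_TOKEN, shell_tokenize, build_whois and shell_injection? are names chosen for this example; the tokenizer is a small one that understands single and double quotes, backslash escapes and the usual control operators, not a full shell grammar. The hardened variant uses Shellwords.escape from Ruby's standard library.

```ruby
require "shellwords"

# Added example: shell injection detection by tokenizing the command the app
# is about to run and counting the tokens the untrusted parameter spans.
# Small tokenizer written for this example; not a complete shell lexer.
ShellToken = Struct.new(:type, :value, :start, :stop)

SHELL_TOKEN = /
  (?<space>\s+)                                                   |
  (?<op>\|\||&&|;;|[;|&()<>]|`|\$\()                              |
  (?<word>(?:'[^']*'|"(?:\\.|[^"\\])*"|\\.|[^\s;|&()<>`'"\\])+)   |
  (?<other>.)
/x

# Split a command line into words and operators, each with its span.
def shell_tokenize(cmd)
  tokens = []
  pos = 0
  while (m = SHELL_TOKEN.match(cmd, pos))
    pos = m.end(0)
    next if m[:space]
    type = m.names.find { |name| m[name] }
    tokens << ShellToken.new(type.to_sym, m[0], m.begin(0), m.end(0))
  end
  tokens
end

# The command from the slide, built by concatenation (kept vulnerable on
# purpose); also returns where the parameter landed in the command line.
def build_whois(host)
  prefix = "whois "
  [prefix + host, prefix.length]
end

# One parameter should become exactly one word. If it covers several tokens,
# or any control operator, the parameter changed the command's structure.
def shell_injection?(cmd, untrusted, at)
  return false if untrusted.empty?
  stop = at + untrusted.length
  covered = shell_tokenize(cmd).select { |t| t.start < stop && t.stop > at }
  covered.size > 1 || covered.any? { |t| t.type == :op }
end

if __FILE__ == $PROGRAM_NAME
  bad = "jbaviat.sqreen.io ; cat /etc/passwd"
  ["jbaviat.sqreen.io", bad, Shellwords.escape(bad)].each do |host|
    cmd, at = build_whois(host)
    puts "#{shell_injection?(cmd, host, at) ? 'INJECTION' : 'ok       '}  #{cmd}"
  end
end
```

After Shellwords.escape the separator and the spaces are backslash-escaped, so the tokenizer (like the shell) sees a single word and the check reports data, not an injection; passing the argument as a separate array element to a spawn call avoids the shell altogether and is the cleaner fix.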

Page 27

Sqreen: you code, we protect

• We protect applications automatically

• Beta program available: contact us to be part of it

• Sqreen is hiring
