Security hole #5 application security science or quality assurance
Transcript of Security hole #5 application security science or quality assurance
![Page 1: Security hole #5 application security science or quality assurance](https://reader033.fdocuments.us/reader033/viewer/2022061223/54c265f14a7959ed028b456b/html5/thumbnails/1.jpg)
![Page 2: Security hole #5 application security science or quality assurance](https://reader033.fdocuments.us/reader033/viewer/2022061223/54c265f14a7959ed028b456b/html5/thumbnails/2.jpg)
Application Security - Science or Quality Assurance?
Nazar Tymoshyk, Ph.D., Security Consultant, R&D at SoftServe
![Page 3: Security hole #5 application security science or quality assurance](https://reader033.fdocuments.us/reader033/viewer/2022061223/54c265f14a7959ed028b456b/html5/thumbnails/3.jpg)
Famous Security Professionals
Richard Stallman, Linus Torvalds, Tsutomu Shimomura, Stephen Wozniak, Robert Morris
![Page 4: Security hole #5 application security science or quality assurance](https://reader033.fdocuments.us/reader033/viewer/2022061223/54c265f14a7959ed028b456b/html5/thumbnails/4.jpg)
Famous “Security Professionals”
Jonathan James, Kevin Mitnick, Kevin Poulsen, Adrian Lamo, Gary McKinnon
![Page 5: Security hole #5 application security science or quality assurance](https://reader033.fdocuments.us/reader033/viewer/2022061223/54c265f14a7959ed028b456b/html5/thumbnails/5.jpg)
What about famous QA professionals?
![Page 6: Security hole #5 application security science or quality assurance](https://reader033.fdocuments.us/reader033/viewer/2022061223/54c265f14a7959ed028b456b/html5/thumbnails/6.jpg)
Security is also a metric of Software Quality
“The simple truth is that catching security holes earlier costs an organization less to remediate, which makes good business sense.”
So you know where to move ;)
![Page 7: Security hole #5 application security science or quality assurance](https://reader033.fdocuments.us/reader033/viewer/2022061223/54c265f14a7959ed028b456b/html5/thumbnails/7.jpg)
QA Engineer / Security Analyst
In security testing, the quality assurance team is concerned only with unexpected results and with testing for the unknown.
In functional and performance testing, the expected results are documented before the test begins, and the quality assurance team looks at how well the expected results match the actual results.
![Page 8: Security hole #5 application security science or quality assurance](https://reader033.fdocuments.us/reader033/viewer/2022061223/54c265f14a7959ed028b456b/html5/thumbnails/8.jpg)
Weapon
Checklists, Tools, Guides
Passion, Persistence, Research
![Page 9: Security hole #5 application security science or quality assurance](https://reader033.fdocuments.us/reader033/viewer/2022061223/54c265f14a7959ed028b456b/html5/thumbnails/9.jpg)
Collaboration and Team work
“IT security and quality assurance working together are exponentially more powerful. The result will be a more security-oriented QA department and a more quality-oriented IT security department, which will help remove more risk and provide better continuity.”
![Page 10: Security hole #5 application security science or quality assurance](https://reader033.fdocuments.us/reader033/viewer/2022061223/54c265f14a7959ed028b456b/html5/thumbnails/10.jpg)
OWASP
Testing Guide, Development Guide, ASVS, WAF, SAMM
![Page 11: Security hole #5 application security science or quality assurance](https://reader033.fdocuments.us/reader033/viewer/2022061223/54c265f14a7959ed028b456b/html5/thumbnails/11.jpg)
Microsoft approach
![Page 12: Security hole #5 application security science or quality assurance](https://reader033.fdocuments.us/reader033/viewer/2022061223/54c265f14a7959ed028b456b/html5/thumbnails/12.jpg)
Testing security with Tools
Acunetix WVS
Burp
w3af
IBM Rational AppScan
Core Impact
HP WebInspect
OWASP ZAP
OWASP Mantra
![Page 13: Security hole #5 application security science or quality assurance](https://reader033.fdocuments.us/reader033/viewer/2022061223/54c265f14a7959ed028b456b/html5/thumbnails/13.jpg)
DEMO: Let’s test a small web-site with commercial and free tools
![Page 14: Security hole #5 application security science or quality assurance](https://reader033.fdocuments.us/reader033/viewer/2022061223/54c265f14a7959ed028b456b/html5/thumbnails/14.jpg)
Applying the scientific approach
Targets: http://192.168.195.34 and http://192.168.195.80
Get the tools from: http://goo.gl/eHl2u
![Page 15: Security hole #5 application security science or quality assurance](https://reader033.fdocuments.us/reader033/viewer/2022061223/54c265f14a7959ed028b456b/html5/thumbnails/15.jpg)
Smashing the app
Remote code execution is one of the most dangerous vulnerabilities in web-apps.
How to achieve it:
• Upload scripts to the server
• Remote File Inclusion (RFI)
• Local File Inclusion (LFI)
![Page 16: Security hole #5 application security science or quality assurance](https://reader033.fdocuments.us/reader033/viewer/2022061223/54c265f14a7959ed028b456b/html5/thumbnails/16.jpg)
Unrestricted file upload
A file upload vulnerability allows a remote attacker to upload files/scripts with special content or an arbitrary extension to the server.
This vulnerability exists because the file extension check is implemented incorrectly.
Incorrect methods of validating the uploaded file’s extension:
• Validating the MIME type of the uploaded file instead of its extension
• Black-list extension validation
• Other errors…
An insecure web-server/application-server configuration also plays an important role.
![Page 17: Security hole #5 application security science or quality assurance](https://reader033.fdocuments.us/reader033/viewer/2022061223/54c265f14a7959ed028b456b/html5/thumbnails/17.jpg)
Upload your shell
![Page 18: Security hole #5 application security science or quality assurance](https://reader033.fdocuments.us/reader033/viewer/2022061223/54c265f14a7959ed028b456b/html5/thumbnails/18.jpg)
Changing the MIME type
Validation sample:
```php
<?php
$imageTypes = array("image/gif", "image/jpg", "image/png");
if (isset($_FILES["image"])) {
    // Deliberately weak: trusts the Content-Type the client sent
    if (!in_array($_FILES["image"]["type"], $imageTypes)) {
        die("Hacking Attempt!");
    }
    copy($_FILES["image"]["tmp_name"], "images/{$_FILES["image"]["name"]}");
}
?>
```
Problem: it is easy to change the type of the file, because it is set by the browser in the HTTP request. And every variable that is set by the browser can be freely changed by the user.
![Page 19: Security hole #5 application security science or quality assurance](https://reader033.fdocuments.us/reader033/viewer/2022061223/54c265f14a7959ed028b456b/html5/thumbnails/19.jpg)
Content validation
Black list: the wrong way
```php
<?php
if (isset($_FILES["image"])) {
    // Deliberately weak: only the listed extensions are refused
    if (preg_match('#\.((php)|(php3)|(php4)|(php5))$#i', $_FILES["image"]["name"])) {
        die("Hacking Attempt!");
    }
    copy($_FILES["image"]["tmp_name"], "images/{$_FILES["image"]["name"]}");
}
?>
```
![Page 20: Security hole #5 application security science or quality assurance](https://reader033.fdocuments.us/reader033/viewer/2022061223/54c265f14a7959ed028b456b/html5/thumbnails/20.jpg)
Regular expressions
```php
<?php
if (isset($_FILES["image"])) {
    // Deliberately weak: ".jpg" may appear anywhere in the name
    if (preg_match('#\.jpg#i', $_FILES["image"]["name"])) {
        copy($_FILES["image"]["tmp_name"], "images/{$_FILES["image"]["name"]}");
    }
}
?>
```
In this sample the name of the uploaded file is checked for the string .jpg. But the regular expression is incomplete: the control symbol $, which indicates the end of the line, is missing.
As a result, the file shell.jpg.php will be uploaded successfully.
![Page 21: Security hole #5 application security science or quality assurance](https://reader033.fdocuments.us/reader033/viewer/2022061223/54c265f14a7959ed028b456b/html5/thumbnails/21.jpg)
White list validation: the right way
```php
<?php
if (isset($_FILES["image"])) {
    // The whole name must be [a-z0-9-_]+ followed by exactly one allowed extension
    if (preg_match('#^[a-z0-9-_]+\.((jpg)|(png)|(bmp))$#i', $_FILES["image"]["name"])) {
        move_uploaded_file($_FILES["image"]["tmp_name"], "images/{$_FILES["image"]["name"]}");
    }
}
?>
```
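The four upload checks from the slides above, rewritten as a small table-driven audit in Python (an added example, not code from the talk). Each PHP check is modelled as a function over the client-supplied filename and Content-Type; the filenames and MIME values are constructed, and `[a-z0-9_-]` is the same character set as the slide’s `[a-z0-9-_]`.

```python
import re

# Each validator mirrors one PHP sample from the slides and returns True
# where the PHP code would go on to copy the file into images/.

def mime_type(filename, mime):
    """Slide 18: trusts $_FILES['image']['type'], a header the client sets."""
    return mime in ("image/gif", "image/jpg", "image/png")

def blacklist(filename, mime):
    """Slide 19: refuses only names ending in one of the listed PHP extensions."""
    return re.search(r"\.((php)|(php3)|(php4)|(php5))$", filename, re.I) is None

def unanchored_regex(filename, mime):
    """Slide 20: '.jpg' anywhere in the name is enough; the '$' anchor is missing."""
    return re.search(r"\.jpg", filename, re.I) is not None

def whitelist(filename, mime):
    """Slide 21: the whole name must be [a-z0-9_-]+ plus exactly one allowed extension."""
    return re.fullmatch(r"[a-z0-9_-]+\.((jpg)|(png)|(bmp))", filename, re.I) is not None

VALIDATORS = (mime_type, blacklist, unanchored_regex, whitelist)

# Constructed upload attempts: (filename, Content-Type header, should be accepted).
# The Content-Type is whatever the client chooses to send, so it always looks "valid".
CASES = (
    ("avatar.jpg", "image/jpg", True),        # a legitimate image
    ("shell.php", "image/png", False),        # spoofed MIME type (slide 18)
    ("shell.jpg.php", "image/png", False),    # double extension (slide 20)
    ("../avatar.jpg", "image/png", False),    # path separators inside the name
)

def audit(validators=VALIDATORS, cases=CASES):
    """Run every case through every validator; return {name: [misjudged filenames]}."""
    report = {}
    for check in validators:
        wrong = [name for name, mime, ok in cases if check(name, mime) != ok]
        report[check.__name__] = wrong
    return report

if __name__ == "__main__":
    for name, wrong in audit().items():
        print(f"{name:17s} {'PASS' if not wrong else 'FAIL: ' + ', '.join(wrong)}")
```

Only the whitelist judges every constructed case correctly; the other three each let at least one non-image name through, which is exactly the QA-style finding the talk argues security testing should produce.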
![Page 22: Security hole #5 application security science or quality assurance](https://reader033.fdocuments.us/reader033/viewer/2022061223/54c265f14a7959ed028b456b/html5/thumbnails/22.jpg)
Local File Inclusion
Local File Inclusion allows including local files on the remote server and executing arbitrary code.
Reason: incorrect validation of the included file name, vulnerable server configuration.
Successful LFI exploitation has three main tasks:
• Removing the postfix
• Directory Traversal
• Searching for files to inject code into
![Page 23: Security hole #5 application security science or quality assurance](https://reader033.fdocuments.us/reader033/viewer/2022061223/54c265f14a7959ed028b456b/html5/thumbnails/23.jpg)
Directory Traversal
Filtering can prevent Directory Traversal. Very often developers apply filtering of ../ :
```php
<?php
// Deliberately weak: str_replace makes a single pass, so it is not recursive
include(str_replace("../", "", $_GET["page"]) . ".inc");
?>
```
../../../etc/passwd --> filtering --> etc/passwd --> fail
But such filtering is not enough, because it is not recursive:
..././..././..././etc/passwd --> filtering --> ../../../etc/passwd --> profit
![Page 24: Security hole #5 application security science or quality assurance](https://reader033.fdocuments.us/reader033/viewer/2022061223/54c265f14a7959ed028b456b/html5/thumbnails/24.jpg)
Secure Validation
Secure validation: checking the file name for service symbols.
```php
<?php
$page = $_GET["page"];
// Abort on any character outside a-z, 0-9, "-" and "_" (case-insensitive)
if (preg_match('#[^a-z0-9-_]#i', $page)) {
    die("Hacking Attempt!");
}
include("{$page}.inc");
?>
```
In this sample, if we try to include a file whose name contains symbols other than A-Z, a-z, 0-9, «-» and «_», execution of the PHP script is interrupted.
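The two ?page= filters from the slides compared on the slide’s own inputs, as an added Python example (not the talk’s code). `INCLUDE_ROOT` is a constructed directory; the script resolves where include("{$page}.inc") would end up after each filter and reports whether the result leaves that directory.

```python
import posixpath
import re

INCLUDE_ROOT = "/var/www/inc"  # constructed: where the legitimate .inc fragments live

def strip_dotdot(page):
    """Slide 23 filter: str_replace('../', '', $page). One pass, not recursive."""
    return page.replace("../", "")

def whitelist(page):
    """Slide 24 filter: any character outside a-z, 0-9, '-' and '_' aborts the script.
    Returns None where the PHP version would die()."""
    return None if re.search(r"[^a-z0-9_-]", page, re.I) else page

def resolve(page, root=INCLUDE_ROOT):
    """Path that include("{$page}.inc") would open, with '..' segments collapsed."""
    return posixpath.normpath(posixpath.join(root, page + ".inc"))

def escapes_root(filtered_page, root=INCLUDE_ROOT):
    """True if the include lands outside the fragment directory."""
    if filtered_page is None:
        return False  # the request was rejected before include() ran
    return not resolve(filtered_page, root).startswith(root + "/")

# Constructed ?page= values: one legitimate request and the two from the slide.
REQUESTS = ("about", "../../../etc/passwd", "..././..././..././etc/passwd")

def compare(filters=(strip_dotdot, whitelist), requests=REQUESTS):
    """Return {filter_name: {request: (value after filtering, escapes_root)}}."""
    return {f.__name__: {r: (f(r), escapes_root(f(r))) for r in requests}
            for f in filters}

if __name__ == "__main__":
    for name, results in compare().items():
        for request, (value, escaped) in results.items():
            print(f"{name:13s} {request!r:34s} -> {value!r:24s} escapes root: {escaped}")
```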
![Page 25: Security hole #5 application security science or quality assurance](https://reader033.fdocuments.us/reader033/viewer/2022061223/54c265f14a7959ed028b456b/html5/thumbnails/25.jpg)
So, how to become a Security Analyst
Use OWASP
Participate in the community
Ask and share
Do research
Samurai WTF
Talk at Security Hole
![Page 26: Security hole #5 application security science or quality assurance](https://reader033.fdocuments.us/reader033/viewer/2022061223/54c265f14a7959ed028b456b/html5/thumbnails/26.jpg)
Feedback & Questions
Leave your feedback: http://goo.gl/FW4ar
Contact Nazar: skype: root_nt, email: [email protected]
Join OWASP Lviv: https://www.owasp.org/index.php/Lviv
Presentation & Files: http://goo.gl/eHl2u