security hole #5 application security science or quality assurance

Post on 23-Jan-2015


TRANSCRIPT

Application Security -Science or Quality Assurance?

Nazar Tymoshyk Ph.D, Security Consultant, R&D at SoftServe

Richard Stallman, Linus Torvalds, Tsutomu Shimomura, Stephen Wozniak

Famous Security Professionals

Robert Morris, Jonathan James, Kevin Mitnick, Kevin Poulsen, Adrian Lamo, Gary McKinnon

Famous “Security Professionals”

What about famous QA professionals?

Security is also a metric of software quality

“The simple truth is that catching security holes earlier costs an organization less to remediate, which makes good business sense.”

So you know where to move ;)

QA Engineer Security Analyst

In security testing, the quality assurance team is concerned only with unexpected results and testing for the unknown.

In functional and performance testing, the expected results are documented before the test begins, and the quality assurance team looks at how well the expected results match the actual results.

Weapon

Checklists, Tools, Guides

Passion, Persistence, Research

Collaboration and Teamwork

“IT security and quality assurance working together are exponentially more powerful. The result will be a more security-oriented QA department and a more quality-oriented IT security department, which will help remove more risk and provide better continuity.”

OWASP

Testing Guide, Development Guide, ASVS, WAF, SAMM

Microsoft approach

Testing security with Tools

Acunetix WVS

Burp

w3af

IBM Rational AppScan

Core Impact

HP WebInspect

OWASP ZAP

OWASP Mantra

DEMO: Let’s test a small web-site with commercial and free tools

Applying Science approach

Targets: http://192.168.195.34, http://192.168.195.80

Get tools from: http://goo.gl/eHl2u

Remote code execution – one of the most dangerous vulnerabilities in web-apps

How to achieve a goal:

• Upload scripts to server

• Remote File Inclusion (RFI)

• Local File Inclusion (LFI)

Smashing the app

Unrestricted file upload

File upload vulnerability – allows a remote attacker to upload files/scripts to the server with crafted content or an arbitrary extension.

This vulnerability exists because of incorrect file-extension validation.

Incorrect methods of validating the extension of an uploaded file:

• Validation of the MIME type of the uploaded file instead of validation of the file extension

• Black-list extension validation

• Other errors…

Insecure web-server/application-server configuration also plays an important role.

Upload your shell

Changing MIME type

Validation sample:

<?php
// Allowed MIME types, as reported by the client
$imageTypes = array("image/gif", "image/jpg", "image/png");
if(isset($_FILES["image"])) {
    // Checks only the client-supplied type header (the flaw this slide shows)
    if(!in_array($_FILES["image"]["type"], $imageTypes)) {
        die("Hacking Attempt!");
    }
    copy($_FILES["image"]["tmp_name"], "images/{$_FILES["image"]["name"]}");
}
?>

Problem: it’s easy to change the type of the file, as it is set by the browser in the HTTP request. And all variables that are set by the browser can easily be changed by the user.

<?php
if(isset($_FILES["image"])) {
    // Black list: rejects only the listed PHP extensions
    if(preg_match('#\.((php)|(php3)|(php4)|(php5))$#i', $_FILES["image"]["name"])) {
        die("Hacking Attempt!");
    }
    copy($_FILES["image"]["tmp_name"], "images/{$_FILES["image"]["name"]}");
}
?>

Content validation

Black list: Wrong way

<?php
if(isset($_FILES["image"])) {
    // Looks for ".jpg" anywhere in the name; not anchored to the end
    if(preg_match('#\.jpg#i', $_FILES["image"]["name"])) {
        copy($_FILES["image"]["tmp_name"], "images/{$_FILES["image"]["name"]}");
    }
}
?>

In this sample the name of the uploaded file is checked for the string .jpg. But the regular expression does not work as intended, because the control symbol $, which indicates the end of the line, is missing.

As a result, the file shell.jpg.php will be uploaded successfully.

Regular expressions

<?php
if(isset($_FILES["image"])) {
    // White list: whole name must be [a-z0-9-_] plus one allowed extension,
    // anchored with ^ and $ so "shell.jpg.php" does not match
    if(preg_match('#^[a-z0-9-_]+\.((jpg)|(png)|(bmp))$#i', $_FILES["image"]["name"])) {
        move_uploaded_file($_FILES["image"]["tmp_name"],
            "images/{$_FILES["image"]["name"]}");
    }
}
?>

Right way

White list validation
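As an added example (not code from the slides), here is the white-list check combined with the two other controls the slides argue for: a server-side content check instead of trusting the browser-supplied MIME type, and a server-generated file name. The field name "image", the directory $uploadDir and the allowed-type table are assumptions.

```php
<?php
// Added example (not from the original slides): a hardened upload handler that
// combines the slide's white-list regex with a server-side content check and a
// server-generated file name.
// Assumptions: the upload field is "image" and files are stored under $uploadDir.

const ALLOWED_EXT = ['jpg' => 'image/jpeg', 'png' => 'image/png', 'gif' => 'image/gif'];

// White list on the file NAME: only [a-z0-9_-], one dot, one allowed extension.
// As in the slide's regex, the anchored $ makes "shell.jpg.php" fail.
function allowedExtension(string $name): ?string
{
    if (!preg_match('#^[a-z0-9_-]+\.(jpg|png|gif)$#i', $name, $m)) {
        return null;
    }
    return strtolower($m[1]);
}

// Content check done on the server: $_FILES["image"]["type"] is set by the
// browser and therefore attacker-controlled; finfo inspects the bytes instead.
function detectedMime(string $path): string
{
    $finfo = new finfo(FILEINFO_MIME_TYPE);
    return $finfo->file($path) ?: '';
}

function storeUpload(array $file, string $uploadDir): string
{
    if ($file['error'] !== UPLOAD_ERR_OK) {
        throw new RuntimeException('upload failed');
    }
    $ext = allowedExtension($file['name']);
    if ($ext === null || detectedMime($file['tmp_name']) !== ALLOWED_EXT[$ext]) {
        throw new RuntimeException('rejected: name or content is not an allowed image');
    }
    // Never reuse the client-supplied name on disk: generate one.
    $target = $uploadDir . '/' . bin2hex(random_bytes(16)) . '.' . $ext;
    if (!move_uploaded_file($file['tmp_name'], $target)) {
        throw new RuntimeException('could not store file');
    }
    return $target;
}

// Sanity check of the name white list alone (constructed sample names).
if (PHP_SAPI === 'cli') {
    foreach (['photo.jpg', 'shell.jpg.php', 'shell.php', '../evil.png'] as $n) {
        printf("%-15s -> %s\n", $n, allowedExtension($n) ?? 'rejected');
    }
}
```

Call storeUpload($_FILES["image"], $uploadDir) from the upload handler; the CLI loop at the bottom only exercises the name check.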

Local File Inclusion – allows an attacker to include local files on the remote server and execute arbitrary code.

Reason: incorrect validation of the linked file, vulnerable server configuration

Successful LFI exploitation has three main tasks:

• Removing the postfix

• Directory traversal

• Searching for files for code injection

Local File Inclusion

Filtering can prevent directory traversal.

Very often developers apply filtering of ../ :

<?php include(str_replace("../", "", $_GET["page"]).".inc"); ?>

../../../etc/passwd --> Filtration --> etc/passwd --> fail

But such filtering is not enough – it’s not recursive (a single pass):

..././..././..././etc/passwd --> Filtration --> ../../../etc/passwd --> profit

Directory Traversal

Secure validation – validation of the filename for service symbols

<?php
$page = $_GET["page"];   // page name supplied by the client (as in the previous sample)
// Any character outside A-Z, a-z, 0-9, "-" and "_" aborts the script
if(preg_match('#[^a-z0-9-_]#i', $page)) {
    die("Hacking Attempt!");
}
include("{$page}.inc");
?>

In this sample, if we try to add a file with symbols other than A-Z, a-z, 0-9 and the symbols «-» and «_», execution of the PHP script is interrupted.

Secure Validation
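As an added example (not the slide's own code), the two filters from the slides side by side: the single-pass str_replace that the slide calls insufficient, and the white-list check extended with a realpath() test that the resolved file still lies inside the page directory. The directory layout (pages/*.inc under $baseDir) is an assumption.

```php
<?php
// Added example (not from the original slides): naiveFilter() is the
// non-recursive str_replace the slide shows being bypassed; resolvePage() is the
// slide's white-list regex plus a realpath() check that the resolved file lies
// inside $baseDir. Assumed layout: one "<name>.inc" per page under $baseDir.

// Single pass only: "..././" collapses to "../" after the replacement.
function naiveFilter(string $page): string
{
    return str_replace('../', '', $page);
}

// Hardened: only [a-z0-9-_] in the name, then verify the resolved path.
function resolvePage(string $page, string $baseDir): ?string
{
    if ($page === '' || preg_match('#[^a-z0-9_-]#i', $page)) {
        return null;                  // service symbols such as . / \ rejected
    }
    $base = realpath($baseDir);
    $real = realpath($baseDir . '/' . $page . '.inc');
    if ($base === false || $real === false) {
        return null;                  // base directory or page missing
    }
    // Defence in depth: the resolved file must sit inside the base directory.
    if (strncmp($real, $base . DIRECTORY_SEPARATOR, strlen($base) + 1) !== 0) {
        return null;
    }
    return $real;                     // caller does include($real)
}

if (PHP_SAPI === 'cli') {
    // Constructed inputs: the slide's two traversal strings.
    foreach (['../../../etc/passwd', '..././..././..././etc/passwd'] as $in) {
        printf("%-30s -> %s\n", $in, naiveFilter($in));
    }
    // Constructed page directory for the hardened check.
    $dir = sys_get_temp_dir() . '/pages_' . bin2hex(random_bytes(4));
    mkdir($dir);
    file_put_contents($dir . '/home.inc', "<?php echo 'home';\n");
    foreach (['home', '..././..././etc/passwd'] as $p) {
        printf("%-30s -> %s\n", $p, resolvePage($p, $dir) ?? 'rejected');
    }
    unlink($dir . '/home.inc');
    rmdir($dir);
}
```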

So, how to become a Security Analyst

Use OWASP

Participate in community

Ask and share

Research

Samurai WTF

talk on Security Hole

Feedbacks & Questions

Leave your feedback: http://goo.gl/FW4ar

Contact Nazar: skype: root_nt, email: root.nt@gmail.com

Join OWASP Lviv: https://www.owasp.org/index.php/Lviv

Presentation & Files: http://goo.gl/eHl2u