using logic flaws to steal data and how php can stab you in the back – frans rosén @ detectify

detectify SECURITY FOR DEVELOPERS detectify

Post on 12-Aug-2015

TRANSCRIPT

Knowledge Advisor, @detectify (@fransrosen)
Blogging at labs.detectify.com
HackerOne #1 https://hackerone.com/thanks

Hacked a bunch of companies:

etc…

Frans Rosén #cyber

Our dear friend PHP #uraqt<3

Our dear friend PHP? #ohnoez

PHP 5.2 #onceuponatime

echo round(2047.075, 2); //2047.08
echo round(2048.075, 2); //2048.07

BCMath to the rescue, or…

…do MADNESS #yiiihaaa!

String Comparison #tomatotomáto

=   aka "is"
==  aka "kind of is"
=== aka "really really is"

Thx: @homakov

URL validation in PHP/Java #left-right-left

URL validation in browser #right-left-right

Remember the AT&T Hack? #jailfail

…or how about the Apple Developer site incident? #down4maint

IDOR: Insecure Direct Object Reference

Exposing data without proper access control.

How bad is it? #owasp-no4

Eye-ball the URL #whatsup?

Ouch.

Update a user #totallylegit

Ouch.

Business Impact #obvious

• Keys, Passwords
• Credit Card Data
• User Information / Email
• Invoices / Billing Data

Business Impact #notsoobvious

Numeric IDs for Order Receipts

“Not found” vs “No access”

Poll every day, you get analytics! $$$

Business Impact #evenworse

Change Delivery Address of an order.

Deleting another user’s information.

Reclaiming other users’ data. Gift Certificates anyone?

Are you fully protected?

Why so few? #ohnoez

1. No secure access model.

“User X should only have access to A”

“User X that has access to A should only have access to B”

and so on…

Why so few? #ohnoez

2. Numeric IDs.

Enumerable/Sequential. Decrease the value by 1 and try.

Easy to test. Easy to attack.

Do hashes instead! (Don’t just hash the numbers…)

Why so few? #ohnoez

3. Error messages show and tell.

“User X cannot view object owned by User Y”

“No access to this object” vs “Object does not exist”

Why so few? #ohnoez

4. Inconsistent ID sources.

/receipt/view/434

/receipt/?view=434

POST /receipt/view/ HTTP/1.1

receipt=434

Why so few? #ohnoez

5. Lack of proper code review.

How to automate this?

Example – Twitter #bringpopcorn

Found by secgeek (Ahmed Aboul-Ela) https://hackerone.com/reports/27404

Credit Card deletion from other users.

Sequential IDs when deleting cards.

Bounty $2,800

Example – Square

Update other users / Get user info

ID as hashes, but visible using Google.

No check if user was in another company.

Bounty $3,000

https://hackerone.com/reports/23126

Example – Zapier

Get log-history from other users’ Zaps.

Contained sensitive information such as OAuth tokens / credentials.

No access control for log entries.

Bounty $3,000

https://zapier.com/engineering/bug-bounty-program/

Example – WordPress

Get all users on a WordPress site.

blog.com/?author=1

WONTFIX by WordPress

http://hackertarget.com/wordpress-user-enumeration/

Doing it right. #hellyeh

1. User ID in Session or Token

/user/view/me
/user/transactions

Doing it right. #hellyeh

2. Access model in routes or controllers.

Stick to it! Easy to miss.

Doing it right. #hellyeh

3. Code review. Don’t miss this.
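The "doing it right" points in code, as an added example that is not from the talk: a small Python receipt service over constructed in-memory data, where IDs are random tokens rather than sequential numbers, the user ID comes only from the session, the ownership check lives in the route handler, and "no access" and "does not exist" both answer with the same 404 so the endpoint cannot be used as an oracle; the insecure handler is kept beside it for contrast.

```python
import secrets

# Constructed in-memory store standing in for the receipts table.
# Keys are opaque random IDs, not the sequential numbers the deck warns about.
RECEIPTS = {}


def new_receipt_id():
    # 128 bits from the OS CSPRNG: unguessable and not derived from a counter,
    # so "decrease the value by 1 and try" has nothing to work with.
    return secrets.token_urlsafe(16)


def create_receipt(owner_id, total):
    receipt_id = new_receipt_id()
    RECEIPTS[receipt_id] = {"owner": owner_id, "total": total}
    return receipt_id


def view_receipt_insecure(receipt_id):
    # Before: no owner check, and the status code tells callers whether
    # the ID exists, so the endpoint doubles as a receipt-count oracle.
    receipt = RECEIPTS.get(receipt_id)
    if receipt is None:
        return 404, {"error": "not found"}
    return 200, receipt


def view_receipt(session_user_id, receipt_id):
    # After: the caller's identity comes from the session, never from the
    # request body or URL, and "someone else's" and "does not exist" are
    # collapsed into one 404 so no access oracle remains.
    receipt = RECEIPTS.get(receipt_id)
    if receipt is None or receipt["owner"] != session_user_id:
        return 404, {"error": "not found"}
    return 200, receipt


def delete_receipt(session_user_id, receipt_id):
    # Same ownership rule on the destructive route (the Twitter card-deletion
    # report in the deck is exactly this check being absent).
    receipt = RECEIPTS.get(receipt_id)
    if receipt is None or receipt["owner"] != session_user_id:
        return 404, {"error": "not found"}
    del RECEIPTS[receipt_id]
    return 204, None


def my_receipts(session_user_id):
    # /user/transactions style: no object ID in the URL at all; the list is
    # scoped to the session user, so there is nothing to tamper with.
    return sorted(rid for rid, r in RECEIPTS.items() if r["owner"] == session_user_id)
```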

Quick recap #eatsleepraverepeat

1. Careful with string comparison

2. IDORs are bad. Easy to exploit. Easy to find. Exploited as we speak – worth $$$

3. Numeric IDs vs Hashes

4. Generic access model

5. Review your code!

THAT’S ALL FOLKS!

Questions?

by Frans Rosén (@fransrosen)

www.detectify.com