Revealing the Secrets: Source Code Disclosure, Techniques, and Impacts.

I am…
- Anant Kochhar, Senior Information Security Consultant with SecurEyes
- Project Manager and Researcher
- Malware Detection Techniques and Real World Cracker Techniques

Unique Insecurities…
- Each developer is unique.
- Each application is unique.
- Each application is uniquely insecure.
- Each developer is uniquely insecure.

Source Code Disclosure Types
- Accidental Code Disclosure
- Backup and Misc. Files
- The Dirty Download Page

Accidental Disclosure
- Part of the source code is available in the HTML source code.
- Happens when dynamic pages are turned into static pages, e.g. from ‘.asp’ to ‘.html’.
- Coders don’t remove the ASP code before publishing the HTML page.
- Why does nobody notice? Because IE is very forgiving: it hides the leftover server-side tags when rendering.

Google: looking in a domain which claims to have ALL ‘audited’ sites
“mdb” “server.createobject” OR “server.mappath” site:???.??

In IE

In Mozilla Firefox

Voila…

How to avoid it…
- Don’t be careless.
  - Go through the HTML source code of every page before it is published online.
- Use both IE and Firefox to test a page.

Backup and Misc. Files
- Source code stored in readable formats.
- Coders save backup files in the website’s hosting folders: zipped files, ‘.bak’ extensions etc.
- Coders often use bad extensions, like ‘.inc’, for ‘included’ configuration files, so the server sends them as plain text instead of executing them.

How to discover…
- Directory listings.
- Disclosure in HTML source (rare).
- Other non-standard techniques.

Google: the same secured domain
“zip” “parent directory” site:???.??

Directory Listing Enabled: all ‘internal pages’ visible

Interesting Folder: Election_asp. Interesting File: Database Connection

Backup File of Election_asp: Election_asp.zip

All ASP files… including the Database Connection file

Database username and password in the database connection file

How to avoid it…
- Disable directory listing.
- Don’t use the hosting space as a storage space.
- Rename all ‘.inc’ files to ‘.inc.php’ or ‘.inc.asp’ so the server executes them instead of serving their contents.
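A pre-publish audit that applies the two “How to avoid it” slides above (leftover ASP in static HTML, and backup or ‘.inc’ files in the hosting folder). This is an added example, not part of the original talk; the markers it searches for are the two method names the speaker used in his Google query, and the site paths in its usage are constructed.

```python
import os
import re
from typing import List

# Backup and include extensions the slides say should never sit in the hosting folder.
RISKY_EXTENSIONS = (".bak", ".zip", ".inc")

# Traces of ASP left in a page that was turned from .asp into .html; the two method
# names are the ones the speaker searched for with Google.
ASP_LEFTOVERS = re.compile(r"<%|server\.createobject|server\.mappath", re.IGNORECASE)

STATIC_PAGE_EXTENSIONS = (".html", ".htm")


def audit_file(path: str, content: str) -> List[str]:
    """Return findings for one file given its path and its text contents."""
    findings: List[str] = []
    lower = path.lower()
    # A file renamed to .inc.php no longer ends in .inc, so it is not flagged.
    if lower.endswith(RISKY_EXTENSIONS):
        findings.append(f"{path}: backup/include file exposed in the hosting folder")
    if lower.endswith(STATIC_PAGE_EXTENSIONS) and ASP_LEFTOVERS.search(content):
        findings.append(f"{path}: server-side ASP code left inside a static HTML page")
    return findings


def audit_tree(root: str) -> List[str]:
    """Walk a local copy of the site and collect findings before it is published."""
    findings: List[str] = []
    for dirpath, _dirs, names in os.walk(root):
        for name in names:
            path = os.path.join(dirpath, name)
            try:
                with open(path, "r", encoding="utf-8", errors="replace") as fh:
                    content = fh.read()
            except OSError:
                content = ""  # unreadable file: still check its extension
            findings.extend(audit_file(path, content))
    return findings


if __name__ == "__main__":
    import sys
    # Usage: python audit.py /path/to/local/site/copy
    for line in audit_tree(sys.argv[1] if len(sys.argv) > 1 else "."):
        print(line)
```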

The Dirty Download Page
- Better known as ‘Insecure Direct Object Ref.’
- Paper in December 2007: osure_over_HTTP.pdf
- Many white hats have contacted me regarding it.
- Translated into Spanish, which is flattering and scary.
- Not the target audience.

The Comment… “look on the internet for such pages…”

How An Engine Works (diagram): the user’s browser requests URL /user_login.php; the server’s PHP engine processes user_login.php from the application root folder and returns only the HTML part of user_login.php to the browser.

The site’s root folder

Internal Affairs… (diagram): the user’s browser requests URL /1.doc; the server returns the static file 1.doc from the application root folder as-is.

The Other Method… Stream the static content files through a dynamic page:
1) Filename passed as a parameter to the dynamic page, hereby called the ‘download’ page.
2) The download page looks for the file in the hosting folder.
3) And upon finding it, streams it to the user’s browser.

oad_file.php?filename=1.doc

Internal Affairs 2 (diagram): the user’s browser requests URL /download_file.php?filename=1.doc; the PHP engine runs download_file.php, which reads 1.doc from the application root folder and streams it to the browser.

The Exploit… Change the filename parameter’s value to login_user.php:
- Will it be processed by the engine before being streamed?
- No! The engine does not process a single request twice. It will simply stream the source code file ‘login_user.php’!

d_file.php?filename=user_login.php

Internal Affairs 3 (diagram): the user’s browser requests URL /download_file.php?filename=user_login.php; the PHP engine runs download_file.php, which reads user_login.php from the application root folder and streams its source code file to the browser.

Google: a URL which contains
- A dynamic page extension: ext:php OR ext:jsp OR ext:asp OR ext:aspx
- A static file extension in the URL (somewhere): inurl:doc OR inurl:pdf OR inurl:xls OR inurl:txt OR inurl:ppt OR inurl:htm

Pattern (contd.) Combining:
inurl:doc OR inurl:pdf OR inurl:xls OR inurl:txt OR inurl:ppt ext:php OR ext:jsp OR ext:asp OR ext:aspx

Google Result Page: lots of false positives

Patterns (contd.) Search can be restricted to a site or a domain: site:vulnerable123.com
Finding the Dirty Download Page in vulnerable123.com:
inurl:doc OR inurl:pdf OR inurl:xls OR inurl:txt OR inurl:ppt ext:php OR ext:jsp OR ext:asp OR ext:aspx site:vulnerable123.com

Voila…

Unique Case of Java Sites: directory listing through the download page

Recommended Resolutions
- Indirectly refer to internal objects.
- For example, index the downloadable files, and pass index numbers instead of file names.
- File extension validation alone is not enough: it can be bypassed with null byte injection.
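The download page from the ‘Internal Affairs’ slides beside the indexed version recommended here, as an added example that is not code from the talk. The download root, the file index and the NUL-truncation model (standing in for the old engine’s file API, which Python itself does not reproduce) are constructed for the example.

```python
import posixpath
import re
from typing import Dict, Optional

# Hypothetical download root; the real application's path is not given on the slides.
DOWNLOAD_ROOT = "/var/www/app/downloads"

# Constructed index of downloadable files: the browser only ever sees the numeric key.
DOWNLOADS: Dict[int, str] = {1: "1.doc", 2: "report.pdf"}

STATIC_EXTENSIONS = (".doc", ".pdf", ".xls", ".txt", ".ppt", ".htm")


def c_string_truncate(name: str) -> str:
    """Model of a file API that stops at the first NUL byte, which is what null byte
    injection relies on. Python does not truncate; this stands in for the old engine."""
    return name.split("\x00", 1)[0]


def resolve_by_filename(filename: str) -> Optional[str]:
    """The 'dirty download page': the file name comes straight from the request and the
    only guard is an extension check on the string exactly as supplied."""
    if not filename.lower().endswith(STATIC_EXTENSIONS):
        return None
    # The check passed on the full string, but the file system opens the truncated name,
    # so a dynamic page's source can be streamed although its extension was rejected.
    return posixpath.join(DOWNLOAD_ROOT, c_string_truncate(filename))


def resolve_by_index(index_param: str) -> Optional[str]:
    """Recommended fix: indirect object reference. The request carries only an index
    number; the server maps it to a file name it chose itself, so no user-supplied
    path ever reaches the file system and no extension check is needed."""
    if not re.fullmatch(r"[0-9]{1,6}", index_param):
        return None
    name = DOWNLOADS.get(int(index_param))
    return None if name is None else posixpath.join(DOWNLOAD_ROOT, name)
```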

Contact me: anant.kochhar[at]secureyes[dot]net