Revealing the Secrets: Source Code Disclosure, Techniques, and Impacts.


1 Revealing the Secrets: Source Code Disclosure, Techniques, and Impacts

2 I am…
- Anant Kochhar, Senior Information Security Consultant with SecurEyes
- Project Manager and Researcher
- Malware Detection Techniques and Real World Cracker Techniques

3 Unique Insecurities…
- Each developer is unique
- Each application is unique
- Each application is uniquely insecure.
- Each developer is uniquely insecure.

4 Source Code Disclosure Types
- Accidental Code Disclosure
- Backup and Misc. Files
- The Dirty Download Page

5 Accidental Disclosure
- Part of the source code is available in the HTML source code.
- This happens when dynamic pages are turned into static pages, such as from ‘.asp’ to ‘.html’.
- Coders don’t remove the ASP code before publishing the HTML page.
- Why? Because IE is very forgiving.

6 Google: Looking in a domain which claims to have ALL ‘audited’ sites
“mdb” “server.createobject” OR “server.mappath” site:???.??

7 In IE

8 In Mozilla Firefox

9 Voila…

10 How to avoid it…
- Don’t be careless.
  - Go through the HTML source code of every page before it is published online.
- Use both IE and Firefox to test a page.

11 Backup and Misc. Files
- Source code stored in readable formats.
- Coders save backup files in the website’s hosting folders.
- Zipped files, ‘.bak’ extensions etc.
- Coders often use bad extensions, like ‘.inc’, for ‘included’ configuration files.

12 How to discover…
- Directory Listings.
- Disclosure in HTML Source (Rare)
- Other non-standard techniques.

13 Google: The same secured domain
“zip” “parent directory” site:???.??

14 Directory Listing Enabled- All ‘internal pages’ visible

15 Interesting Folder: Election_asp. Interesting File: Database Connection

16 Backup File of Election_asp: Election_asp.zip

17 All ASP Files…including Database Connection File

18 Database username and password in the database connection file

19 How to avoid it…
- Disable Directory Listing
- Don’t use the Hosting space as a storage space.
- Name all ‘.inc’ files as ‘.inc.php’ or ‘.inc.asp’ files to make them inaccessible.
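
The checks from slides 10 and 19, automated as a pre-publish audit of the web root. This is an added example, not part of the original presentation; the extension list and the sample tree (which reuses the Election_asp name from the slides) are constructed assumptions.

```php
<?php
// Added example: pre-publish audit of a web root (not from the original slides).
// Flags (1) backup/include files the server would return as plain text and
// (2) static pages that still contain server-side script tags.

const RISKY_EXT  = ['zip', 'bak', 'old', 'inc', 'tar', 'gz', 'sql']; // assumed list; extend per site
const STATIC_EXT = ['html', 'htm'];

function auditWebRoot(string $root): array
{
    $findings = [];
    $it = new RecursiveIteratorIterator(
        new RecursiveDirectoryIterator($root, FilesystemIterator::SKIP_DOTS)
    );
    foreach ($it as $file) {
        if (!$file->isFile()) {
            continue;
        }
        $ext  = strtolower($file->getExtension()); // 'db.inc.asp' yields 'asp', so it is not flagged
        $path = $file->getPathname();
        if (in_array($ext, RISKY_EXT, true)) {
            $findings[] = "readable backup/include file: $path";
        } elseif (in_array($ext, STATIC_EXT, true)) {
            // '<%' (ASP/JSP) or '<?php' left behind when a dynamic page was saved as static
            if (preg_match('/<%|<\?php/i', file_get_contents($path))) {
                $findings[] = "server-side code in static page: $path";
            }
        }
    }
    sort($findings);
    return $findings;
}

// Constructed sample tree so the script runs offline with the PHP CLI.
$root = sys_get_temp_dir() . '/webroot_' . bin2hex(random_bytes(4));
mkdir("$root/Election_asp", 0700, true);
file_put_contents("$root/index.html", '<html><% Set c = Server.CreateObject("ADODB.Connection") %></html>');
file_put_contents("$root/about.html", '<html><body>About us</body></html>');
file_put_contents("$root/Election_asp.zip", 'constructed placeholder');
file_put_contents("$root/Election_asp/db.inc", 'constructed placeholder');
file_put_contents("$root/Election_asp/db.inc.asp", 'constructed placeholder');

foreach (auditWebRoot($root) as $line) {
    echo $line, PHP_EOL;
}
```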

20 The Dirty Download Page
- Better known as ‘Insecure Direct Object Ref.’
- Paper in December 2007: http://secureyes.net/downloads/Source_Code_Disclosure_over_HTTP.pdf
- Many white hats have contacted me regarding it.
- Translated into Spanish, which is flattering and scary
- Not the target audience.

21 The Comment… “look on the internet for such pages…”

22 How An Engine Works
[Diagram labels: User’s Browser; URL: /user_login.php; Server; PHP Engine; Application Root Folder; User_login.php; HTML part of User_login.php]

23 The site’s root folder

24 http://www.vulnerable123.com/1.doc

25 Internal Affairs…
[Diagram labels: User’s Browser; URL: /1.doc; Server; PHP Engine; Application Root Folder; 1.doc]

26 The Other Method…
Stream the static content files through a dynamic page:
1) Filename passed as a parameter to the dynamic page, hereby called the ‘download’ page.
2) The download page looks for the file in the hosting folder
3) And upon finding it, streams it to the user’s browser.

27 http://www.vulnerable123.com/download_file.php?filename=1.doc

28 Internal Affairs 2
[Diagram labels: User’s Browser; URL: /download_file.php?filename=1.doc; Server; PHP Engine; Application Root Folder; Download_file.php; 1.doc]

29 The Exploit…
Change the filename parameter’s value to login_user.php:
- Will it be processed by the engine before being streamed?
- Not! The engine does not double-process a single request! It will simply stream the source code file ‘login_user.php’!

30 http://www.vulnerable123.com/download_file.php?filename=user_login.php

31 Internal Affairs 3
[Diagram labels: User’s Browser; URL: /download_file.php?filename=user_login.php; Server; PHP Engine; Application Root Folder; Download_file.php; User_login.php; user_login.php source code file]

32 Google
A URL which contains:
- A Dynamic Page extension: ext:php OR ext:jsp OR ext:asp OR ext:aspx
- A Static File extension in the URL (somewhere): inurl:doc OR inurl:pdf OR inurl:xls OR inurl:txt OR inurl:ppt OR inurl:htm

33 Pattern (contd.)
Combining:
inurl:doc OR inurl:pdf OR inurl:xls OR inurl:txt OR inurl:ppt ext:php OR ext:jsp OR ext:asp OR ext:aspx

34 Google Result Page Lots of false positives

35 Patterns (contd.)
Search can be restricted to a site or a domain: site:vulnerable123.com
Finding the Dirty Download Page in www.vulnerable123.com:
inurl:doc OR inurl:pdf OR inurl:xls OR inurl:txt OR inurl:ppt ext:php OR ext:jsp OR ext:asp OR ext:aspx site:vulnerable123.com

36 Voila…

37 Unique Case of Java Sites- Directory Listing through the download page

38 Recommended Resolutions
- Refer to internal objects indirectly.
- For example, index the downloadable files, and pass index numbers instead of file names.
- File extension validation can be bypassed: Null Byte Injection
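
The download page from slides 26 to 31 beside the index-based resolution recommended above, as an added example that is not code from the original presentation. The function names, the DOWNLOADS map and the directory paths are assumptions made for illustration.

```php
<?php
// Added example (not from the slides). File names, paths and the map are constructed.

// Pattern described in slides 26-31: the request parameter is used directly
// as a file name, so the page streams whatever file the client names.
function vulnerableResolve(string $root, string $filename): string
{
    return $root . '/' . $filename;      // nothing restricts which file is read
}

// Resolution from slide 38: the client sends an index number and the server
// owns the index-to-file map, so no client-supplied text ever reaches the path.
// No extension check is involved, so there is none to bypass with a null byte.
const DOWNLOADS = [
    1 => '1.doc',
    2 => 'brochure.pdf',
];

function safeResolve(string $downloadDir, string $id): ?string
{
    if (!ctype_digit($id)) {             // digits only: rejects names, "../" and encoded bytes
        return null;
    }
    $name = DOWNLOADS[(int) $id] ?? null;
    return $name === null ? null : $downloadDir . '/' . $name;
}

// Web handler for the hardened page, e.g. download_file.php?id=1 (assumed parameter name).
function handleDownload(string $downloadDir, string $id): void
{
    $path = safeResolve($downloadDir, $id);
    if ($path === null || !is_file($path)) {
        http_response_code(404);
        return;
    }
    header('Content-Type: application/octet-stream');
    header('Content-Disposition: attachment; filename="' . basename($path) . '"');
    readfile($path);
}

// Demonstration with constructed inputs (PHP CLI); each result is dumped in turn.
var_dump(vulnerableResolve('/var/www/html', 'user_login.php')); // a script name is accepted
var_dump(safeResolve('/srv/downloads', '1'));                   // a known index
var_dump(safeResolve('/srv/downloads', 'user_login.php'));      // a name instead of an index
var_dump(safeResolve('/srv/downloads', '99'));                  // an unknown index
```

Keeping the download directory outside the application root folder, as the /srv/downloads path here assumes, also means a mistake in the map cannot expose script files.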

39  Contact me: anant.kochhar[at]secureyes[dot]net

