Web Application 0-Day

Discovering Vulnerabilities with Google CodeSearch

By Jon Rose

Common Web Application Vulnerabilities


  • SQL Injection
  • Cross-Site Scripting
  • Handling Sensitive Data
  • Hard-Coded Passwords
  • Filesystem Interaction

Google Labs Code Search


  • Public Source Code
  • Regex Searches

Web Application Vulnerability Search through Google Code Search

Approach

Google it!

SQL Injection


Insecure use of string building techniques

  • Dynamic SQL
  • Parameterized Queries
  • Stored Procedures

SQL Injection Example


https://url.com/login.jsp?email=jrose@owasp.org&pass=Ali3n


String query = "SELECT uid FROM users"
    + " WHERE email = '" + request.getParameter("email") + "'"
    + " AND pass = '" + request.getParameter("pass") + "'";

SQL Injection Example


https://url.com/login.jsp?email=' or 1=1--&pass=Ali3n


SELECT uid FROM users
WHERE email = '' or 1=1--'
AND pass = 'Ali3n';

SQL Injection Code Search


SQL Injection Impact


  • Access to database records
  • Privilege escalation
  • Access to various application tiers
  • Bypass business logic

SQL Injection Recommendations


  • Perform strict input validation
  • Do not employ string building for queries
  • Use parameterized queries or stored procedures
  • Use a low privileged database account
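The two login slides above worked through in Python as an added example (this is not code from the deck): the string-built query beside a parameterized one, both run against a constructed in-memory SQLite users table. The table, its two made-up rows and the function names are assumptions made for the example; the ? placeholders are what the "parameterized queries" recommendation refers to.

```python
import sqlite3

def make_db():
    # Constructed stand-in for the application's users table (two made-up rows).
    # Passwords are kept in clear only to mirror the query on the slide.
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (uid INTEGER PRIMARY KEY, email TEXT, pass TEXT)")
    conn.execute("INSERT INTO users VALUES (1, 'jrose@owasp.org', 'Ali3n')")
    conn.execute("INSERT INTO users VALUES (2, 'admin@owasp.org', 's3cret')")
    return conn

def login_string_built(conn, email, pwd):
    # The pattern from the slide: request parameters spliced into the SQL text,
    # so whatever the user typed is parsed by the database as part of the statement.
    query = ("SELECT uid FROM users WHERE email = '" + email
             + "' AND pass = '" + pwd + "'")
    row = conn.execute(query).fetchone()
    return row[0] if row else None

def login_parameterized(conn, email, pwd):
    # Placeholders: the values travel separately from the SQL text, so a quote
    # or a comment marker inside them is compared as data, never read as syntax.
    row = conn.execute(
        "SELECT uid FROM users WHERE email = ? AND pass = ?", (email, pwd)
    ).fetchone()
    return row[0] if row else None

if __name__ == "__main__":
    conn = make_db()
    for fn in (login_string_built, login_parameterized):
        print(fn.__name__, fn(conn, "jrose@owasp.org", "Ali3n"),
              fn(conn, "' or 1=1--", "Ali3n"))
```

With the slide's email value ' or 1=1-- the string-built version returns uid 1 without a valid password, because the rest of the WHERE clause is commented out; the parameterized version returns None, because the database looks for a user whose email literally is that string. The low-privileged database account from the recommendations is a separate control and is not shown here.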

Cross-Site Scripting (XSS)


Redisplaying User-Supplied Input

  • HTML
  • JavaScript
  • ActiveX
  • VBScript
  • Flash

Cross-Site Scripting Example


https://mysite.com/home.asp?lang=english


User-supplied value stored as HTML hidden input:



<input type=hidden name=lang
value="<%=Request.QueryString("lang")%>">

Cross-Site Scripting Example


https://mysite.com/home.asp?lang="><script>EVIL JAVASCRIPT</script>


Users can modify the HTML code:


<input type=hidden name=lang
value=""><script>EVIL JAVASCRIPT</script>">
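The hidden-input slides above, as an added example in Python rather than the deck's ASP: the unescaped rendering beside an attribute-encoded one, with a small HTMLParser-based helper that lists the tags a parser would see in each. The function and class names are assumptions made for the example; html.escape is the standard-library encoder.

```python
import html
from html.parser import HTMLParser

def hidden_input_unescaped(lang):
    # Mirrors the ASP slide: the query-string value is written straight into
    # the attribute, so a value containing "> closes the attribute and the tag.
    return '<input type="hidden" name="lang" value="' + lang + '">'

def hidden_input_escaped(lang):
    # Attribute-context encoding: html.escape(quote=True) turns < > & " and '
    # into entities, so the value can only ever be attribute text.
    return ('<input type="hidden" name="lang" value="'
            + html.escape(lang, quote=True) + '">')

class TagCollector(HTMLParser):
    # Records start tags in the order the parser encounters them.
    def __init__(self):
        super().__init__()
        self.tags = []

    def handle_starttag(self, tag, attrs):
        self.tags.append(tag)

def tags_seen(markup):
    parser = TagCollector()
    parser.feed(markup)
    parser.close()
    return parser.tags

if __name__ == "__main__":
    payload = '"><script>EVIL JAVASCRIPT</script>'   # the value from the slide
    print(tags_seen(hidden_input_unescaped(payload)))  # ['input', 'script']
    print(tags_seen(hidden_input_escaped(payload)))    # ['input']
```

The encoder has to match the context the value lands in: html.escape is right for element text and quoted attributes, but a value written into a JavaScript block or a URL needs that context's encoding instead.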

Cross-Site Scripting Code Search


Cross-Site Scripting Impact


Cross-Site Scripting Recommendations


Handling Sensitive Data


Things I've seen exposed in files, logs, and databases:

  • Credit Card Data
  • Usernames and Passwords
  • Social Security Numbers
  • Personal Identifiable Information (PII)

Handling Sensitive Data Code Search


Insecure Logging

Database Storage
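One mitigation for the "insecure logging" case above, as an added example that is not from the deck: a logging filter that masks card-like numbers and key=value secrets before a line reaches the log. The regexes, the filter class and the logger name are assumptions made for the example and would need tuning to a real application's data.

```python
import io
import logging
import re

# 16 digits, optionally grouped by spaces or dashes; only the last four survive.
PAN_RE = re.compile(r'\b(\d{4})[ -]?(\d{4})[ -]?(\d{4})[ -]?(\d{4})\b')
# password / pwd / ssn values in key=value form, e.g. an echoed query string.
SECRET_RE = re.compile(r'\b(pass(?:word)?|pwd|ssn)=([^&\s]+)', re.I)

def redact(text):
    text = PAN_RE.sub(lambda m: "****-****-****-" + m.group(4), text)
    text = SECRET_RE.sub(lambda m: m.group(1) + "=[REDACTED]", text)
    return text

class RedactingFilter(logging.Filter):
    # Runs on every record before the handler writes it; the formatted message
    # is redacted and the args dropped so nothing unredacted is re-formatted later.
    def filter(self, record):
        record.msg = redact(record.getMessage())
        record.args = ()
        return True

def log_redacted(message):
    # Constructed logger writing to a buffer so the effect can be checked offline.
    buf = io.StringIO()
    logger = logging.getLogger("redact-demo")
    logger.handlers.clear()
    logger.propagate = False
    logger.setLevel(logging.INFO)
    handler = logging.StreamHandler(buf)
    handler.addFilter(RedactingFilter())
    logger.addHandler(handler)
    logger.info(message)
    return buf.getvalue().strip()

if __name__ == "__main__":
    print(log_redacted("GET /login.jsp?email=jrose@owasp.org&pass=Ali3n card=4111 1111 1111 1234"))
```

A filter like this is a safety net, not a substitute for not logging the value in the first place; the same data written to a database still needs the storage controls the next slides cover.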

Handling Sensitive Data Impact


Handling Sensitive Data Recommendations


Hard-Coded Passwords


Passwords found in code or config files:

  • Databases
  • LDAP Servers
  • Web Services
  • Network Proxies
  • Other Systems

Hard-Coded Passwords Code Search


Hard-Coded Passwords Impact


Hard-Coded Passwords Recommendations


Filesystem Interaction


Security holes often appear when:

  • Opening files
  • Writing files
  • Uploading files
  • Downloading files

Filesystem Interaction Example


Set fso = Server.CreateObject("Scripting.FileSystemObject")
Set a = fso.OpenTextFile(request.querystring("file"))
data = a.ReadAll
a.Close
response.write "<h1>" & data & "</h1>"
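The file-read slide above, as an added example in Python rather than the deck's ASP: the unrestricted read beside one that resolves the requested name and refuses anything outside an allowed directory. The sandbox directory, its files and the function names are assumptions constructed for the example.

```python
import os
import tempfile

def read_unrestricted(name):
    # Mirrors the slide: the request value goes straight to the file open,
    # so "../" segments and absolute paths reach the whole filesystem.
    with open(name) as f:
        return f.read()

def read_within(base_dir, name):
    # Resolve both sides (symlinks and ".." included) and compare the results;
    # string prefix checks alone are fooled by e.g. "public2" next to "public".
    base = os.path.realpath(base_dir)
    target = os.path.realpath(os.path.join(base, name))
    if target == base or os.path.commonpath([base, target]) != base:
        raise PermissionError("path escapes the allowed directory: %r" % name)
    with open(target) as f:
        return f.read()

def make_sandbox():
    # Constructed layout: <root>/public/hello.txt may be served,
    # <root>/secret.txt sits one level above and must not be.
    root = tempfile.mkdtemp()
    pub = os.path.join(root, "public")
    os.mkdir(pub)
    with open(os.path.join(pub, "hello.txt"), "w") as f:
        f.write("hello")
    with open(os.path.join(root, "secret.txt"), "w") as f:
        f.write("secret")
    return root, pub

if __name__ == "__main__":
    root, pub = make_sandbox()
    print(read_within(pub, "hello.txt"))
    try:
        read_within(pub, "../secret.txt")
    except PermissionError as e:
        print("refused:", e)
```

Where the set of servable files is small, mapping an opaque identifier to a fixed path avoids taking a filename from the request at all.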

Filesystem Interaction Code Search


Filesystem Interaction Impact


Filesystem Interaction Recommendations


Other Fun Searches


  • Weak encryption
  • Remote command injection
  • XPath/LDAP injection
  • Buffer overflows
  • Format string vulnerabilities
  • /* FIXME */
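The "Code Search" slides throughout this deck ran regex searches on Google Code Search, which has since been shut down. The same idea applied to a code base you maintain, as an added example that is not the deck's own queries: one regex per slide topic, run line by line over constructed sample source lines. The pattern names, the regexes and the sample lines are all assumptions made for the example.

```python
import re

# Rough equivalents of the per-topic searches, applied to each source line.
PATTERNS = {
    "sql-string-building": re.compile(
        r'\b(select|insert|update|delete)\b[^;]*["\']\s*\+\s*(request\.|getParameter)', re.I),
    "reflected-output": re.compile(
        r'(Request\.QueryString|getParameter)\([^)]*\)\s*%>|response\.write\b.*\brequest\.', re.I),
    "hard-coded-password": re.compile(
        r'(password|passwd|pwd)\s*=\s*["\'][^"\']+["\']', re.I),
    "file-from-request": re.compile(
        r'(OpenTextFile|fopen|new\s+File)\s*\(\s*request\.', re.I),
    "fixme": re.compile(r'/\*\s*FIXME\s*\*/'),
}

def scan(lines):
    """Return (line_number, pattern_name) for every line a pattern matches."""
    hits = []
    for number, line in enumerate(lines, 1):
        for name, pattern in PATTERNS.items():
            if pattern.search(line):
                hits.append((number, name))
    return hits

# Constructed sample lines: five that match a slide pattern, two safe ones.
SAMPLE = [
    'String query = "SELECT uid FROM users WHERE email = \'" + request.getParameter("email") + "\'";',
    '<input type=hidden name=lang value="<%=Request.QueryString("lang")%>">',
    'String dbPassword = "Ali3n";',
    'Set a = fso.OpenTextFile(request.querystring("file"))',
    '/* FIXME */ validate id before use',
    'PreparedStatement ps = conn.prepareStatement("SELECT uid FROM users WHERE email = ?");',
    'String pw = System.getenv("DB_PASSWORD");',
]

if __name__ == "__main__":
    for number, name in scan(SAMPLE):
        print("%d %-22s %s" % (number, name, SAMPLE[number - 1]))
```

A regex sees text, not data flow, so every hit is a lead for review rather than a finding: the string-building pattern will miss a parameter copied into a local variable first, and the password pattern will flag test fixtures alongside real credentials.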

Next Steps


Questions or Comments?

Thank You!

Contact Info:

Jon Rose
jrose@owasp.org