Web Application 0-Day
Discovering Vulnerabilities with Google CodeSearch
By Jon Rose
Common Web Application Vulnerabilities
- SQL Injection
- Cross-Site Scripting
- Handling Sensitive Data
- Hard-Coded Passwords
- Filesystem Interaction
Google Labs Code Search
- Public Source Code
- Regex Searches
Approach
Google it!
SQL Injection
Insecure use of string building techniques
- Dynamic SQL
- Parameterized Queries
- Stored Procedures
SQL Injection Example
https://url.com/login.jsp?email=jrose@owasp.org&pass=Ali3n
String query = "SELECT uid FROM users"
    + " WHERE email = '" + request.getParameter("email") + "'"
    + " AND pass = '" + request.getParameter("pass") + "'";
SQL Injection Example
https://url.com/login.jsp?email=' or 1=1--&pass=Ali3n
SELECT uid FROM users
WHERE email = '' or 1=1--'
AND pass = 'Ali3n';
SQL Injection Code Search
SQL Injection Impact
- Access to database records
- Privilege escalation
- Access to various application tiers
- Bypass business logic
SQL Injection Recommendations
- Perform strict input validation
- Do not employ string building for queries
- Use parameterized queries or stored procedures
- Use a low privileged database account
Cross-Site Scripting (XSS)
Redisplaying User-Supplied Input
Cross-Site Scripting Example
https://mysite.com/home.asp?lang=english
User-supplied value stored as HTML hidden input:
<input type=hidden name=lang
value="<%=Request.QueryString("lang")%>">
Cross-Site Scripting Example
https://mysite.com/home.asp?lang="><script>EVIL JAVASCRIPT</script>
Users can modify the HTML code:
<input type=hidden name=lang
value=""><script>EVIL JAVASCRIPT</script>">
Cross-Site Scripting Code Search
Cross-Site Scripting Impact
- Cookie and credential theft
- Redirect client browsers
- Perform phishing attacks
- Inject stored scripts
- Endless possibilities
Cross-Site Scripting Recommendations
- Perform strict input validation
- HTML encode output
Handling Sensitive Data
Things I've seen exposed in files, logs, and databases:
- Credit Card Data
- Usernames and Passwords
- Social Security Numbers
- Personally Identifiable Information (PII)
Handling Sensitive Data Code Search
Insecure Logging
Database Storage
Handling Sensitive Data Impact
- Identity theft
- Legal prosecution and fines
- Loss of customer confidence
Handling Sensitive Data Recommendations
- Strong encryption
- One way hashing
- Store as little as possible
- Data retention and storage policies
Hard-Coded Passwords
Passwords found in code or config files:
- Databases
- LDAP Servers
- Web Services
- Network Proxies
- Other Systems
Hard-Coded Passwords Code Search
Hard-Coded Passwords Impact
- Gain unauthorized access to systems/applications
- Extend control through password reuse
- Reveal passwords to unintended users
Hard-Coded Passwords Recommendations
- Remove passwords from the webroot
- Consider decrypting passwords on-the-fly
- Use one-way password hashes
- Leverage DPAPI and Java keystore functionality
Filesystem Interaction
Security holes often appear when:
- Opening files
- Writing files
- Uploading files
- Downloading files
Filesystem Interaction Example
Set fso = Server.CreateObject("Scripting.FileSystemObject")
' Filename comes straight from the query string and is opened as-is
Set a = fso.OpenTextFile(request.querystring("file"))
data = a.ReadAll
response.write "<h1>" & data & "</h1>"
Filesystem Interaction Code Search
Filesystem Interaction Impact
- Access to sensitive system/application files
- Source code disclosure
- Privilege escalation
- Denial of service
- Remote command execution
Filesystem Interaction Recommendations
- Use identifiers instead of filenames
- Enforce strict access controls
- Do not allow files to be uploaded into the webroot
- Chroot application and drop privileges
Other Fun Searches
- Weak encryption
- Remote command injection
- XPath/LDAP injection
- Buffer overflows
- Format string vulnerabilities
- /* FIXME */
Next Steps
- Refine regular expressions
- Responsible disclosure
- Continued developer training
- Security assessments
- KISS
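As an added example (not part of the original slides, and not the author's own Code Search queries), a small Python version of the regex approach the deck describes and the "Refine regular expressions" step above: one pattern per class of bug shown in the talk, run over constructed sample source lines instead of a public code index. The regexes are assumed starting points that deliberately err on the side of matching; each hit is a lead for manual review, not a confirmed finding.

```python
import re

# Assumed starting-point regexes for the four code-level patterns the talk
# walks through; they are constructed here and will need refining per code base.
PATTERNS = {
    # SQL keyword followed, on the same statement, by "+ request.getParameter"
    "sql-string-building": re.compile(
        r'(?i)\b(select|insert|update|delete)\b[^;\n]*\+\s*request\.getParameter'),
    # ASP output tag writing a query-string value with no encoding call around it
    "unencoded-output": re.compile(r'(?i)<%=\s*request\.querystring\('),
    # password-like variable assigned a quoted literal of four or more characters
    "hard-coded-password": re.compile(
        r'(?i)(password|passwd|pwd)\s*=\s*["\'][^"\']{4,}["\']'),
    # FileSystemObject opened on a filename taken straight from the query string
    "filesystem-from-request": re.compile(
        r'(?i)opentextfile\(\s*request\.querystring\('),
}


def scan(source: str, filename: str = "<input>") -> list:
    """Return (filename, pattern name, line number) for every line hitting a pattern."""
    hits = []
    for lineno, line in enumerate(source.splitlines(), start=1):
        for name, rx in PATTERNS.items():
            if rx.search(line):
                hits.append((filename, name, lineno))
    return hits


# Constructed sample: each vulnerable line from the talk is paired with the
# safer form of the same operation, which must not match.
SAMPLE = """\
String q = "SELECT uid FROM users WHERE email = '" + request.getParameter("email") + "'";
PreparedStatement ps = c.prepareStatement("SELECT uid FROM users WHERE email = ?");
<input type=hidden name=lang value="<%=Request.QueryString("lang")%>">
<input type=hidden name=lang value="<%=Server.HTMLEncode(Request.QueryString("lang"))%>">
String dbPassword = "s3cretDbPass";
String dbPassword = System.getenv("DB_PASSWORD");
Set a = fso.OpenTextFile(Request.QueryString("file"))
"""


def main():
    for fname, name, lineno in scan(SAMPLE, "sample.txt"):
        print(f"{fname}:{lineno}: {name}")


if __name__ == "__main__":
    main()
```

Running it reports lines 1, 3, 5 and 7 of the sample and stays silent on the parameterized query, the encoded output and the password read from the environment.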
Questions or Comments?
Thank You!
Contact Info:
Jon Rose
jrose@owasp.org