Presentation is loading. Please wait.

Presentation is loading. Please wait.

Copyright © The OWASP Foundation Permission is granted to copy, distribute and/or modify this document under the terms of the OWASP License. The OWASP.

Published byMilo Riley Modified over 8 years ago

Similar presentations

Presentation on theme: "Copyright © The OWASP Foundation Permission is granted to copy, distribute and/or modify this document under the terms of the OWASP License. The OWASP."— Presentation transcript:

1 Copyright © The OWASP Foundation Permission is granted to copy, distribute and/or modify this document under the terms of the OWASP License. The OWASP Foundation OWASP http://www.owasp.org Living at 21 programmers’ st. Pitfalls in code review Fady Mphamed Osman Smartec-Group Fady.mohamed.osman@gmail.com 12/4/2014

2 OWASP About Me Software Engineer @ smartec group. Both embedded and desktop software. Exploit Writer. Metasploit Contributor. Addicted to code reading.

3 OWASP Agenda Abstract. Pitfalls in technology Third party libraries. Platforms. Programming Language, DBMS... etc. Pitfalls in coding. Trusting/Missing some inputs. Unfamous bug classes. Bad mitigation techniques. Good Practices. Exploiting opensource rocks.

4 OWASP Abstract What this presentation is NOT about? Not about SDLC code review. This presentation shows only some examples. Some other dangerous issues are not discussed here and you have to do some digging by yourself. The code samples here provides the very simple case. Real life situations tend to be more complex.

5 OWASP Tech. Pitfalls : Third party libs Timthumb.php Zero Day Zero day in timbthumb.php was discovered in 2011. Many wordpress themes used the script and many of them was vulnerable.

6 OWASP Tech. Pitfalls : Third party libs uploadify.php Uploadify.php is a script used to make file upload easier. The script is vulnerable by nature just put it in your script and it's vulnerable. As mentioned in thier website. A lot of opensource projects and thier plugins are using it.

7 OWASP Tech. Pitfalls : Third party libs uploadify.php You will be amazed by what you can find by using a code search engine to search for "uploadify.php"

8 OWASP Tech. Pitfalls : Platform When writing a plugin for a certain platform you have to be carefull. You can't take input from these platforms as trusted. Some of the inputs provided by these platforms by the database or the api are not filtered. See the following examples of wordpress database.

9 OWASP Tech. Pitfalls : Platform Wordpress Example 1 Wordpress doesn't filter comment agent and stores it as it in the data base.

10 OWASP Tech. Pitfalls : Platform Wordpress Example 2 It also doesn't filter the metadata from images. As a matter of fact the first plugin I tested was vulnerable to xss because of that.

11 OWASP Tech. Pitfalls : Language(php) Language weakness. Weak typing. Object Injection. Language Misconfigurations. register_globals. Some configurations causing info. leak.

12 OWASP Tech. Pitfalls : Language(php) Weakness : weak typing PHP is weakly typed, which means that it will automatically convert data of an incorrect type into the expected type. Imagine the following code.

13 OWASP Tech. Pitfalls : Language(php) Weakness : weak typing According to php documentation strcasecmp returns 0 if str1 is greater than str2, and 0 if they are equal. So it looks it will only equal 0 if the pass variable is equal to "mypass"

14 OWASP Tech. Pitfalls : Language(php) Weakness : weak typing So the url : http://127.0.0.1/fady/Owasp_Session/type_jugg ling.php?pass=mypass Will work and any other password will not work unless.. You added two brackets after pass i.e. the url will be: http://127.0.0.1/fady/Owasp_Session/type_jugg ling.php?pass[]= But why??

15 OWASP Tech. Pitfalls : Language(php) Weakness : weak typing The answer is type juggling. By passing the pass variable as an array the function "strcasecmp" will fail because it accepts only strings and will return NULL. Because of weak typing of php null is actually a zero so it will pass. The fix is actually straight forward can you spot the difference betweem vulnerable and not vulnerable code in the following slide.

16 OWASP Tech. Pitfalls : Language(php) Weakness : weak typing Vulnerable. Fixed.

17 OWASP Tech. Pitfalls : Language(php) Weakness : Object Injection It allows the attacker to perform different kinds of malicious attacks, such as Code Injection, SQL Injection, Path Traversal and Application Denial of Service, depending on the context. First lets see how serialize works and then we can continue from there to explain object injection.

18 OWASP Tech. Pitfalls : Language(php) Weakness : Object Injection By serializing an object we mean converting that object to a string somehow to make it easier to save to a file or to transfer it through network. By unserializing we convert that string back to that object. The problem is that when unserializing an object one of the php magic functions is called may be __tostring() __wakeup() or __destruct() or another one according to the program flow.

19 OWASP Tech. Pitfalls : Language(php) Weakness : Object Injection The following example (from owasp.org): http://testsite.com/vuln.php?data=O:8:"Example1" :1:{s:10:"cache_file";s:15:"../../index.php";}

20 OWASP Tech. Pitfalls : Language(php) MisConfig.:Register Globals Register gloabals allows the user to set global variables through url. Went from on to off from php 4.2.0 and deprecated as of PHP 5.3.0 and removed as of PHP 5.4.0. Exploit : auth.php?authorized=1 since authorized variable wasn't initialized.

21 OWASP Tech. Pitfalls : Language(php) MisConfig.:Info leak expose_php : adds the php signature to server header. display_errors will display the errors to the user. Session directory should not be set to world readable directory. A very nice script to check php misconfigurations can be found at : http://phpsecinfo.com/

22 OWASP Coding Pitfalls: Inputs User agent string. Referrer. Ip adress through HTTP_X_FORWARD_FOR or any headers that can be set by user. Metadata from local files EXIF headers from images and so on.

23 OWASP Coding Pitfalls: Unfamous Vulnerabilits Object injection (Discussed before). Json hijacking. Function injection.

24 OWASP Coding Pitfalls Bad Mitigation Relying on some language defences for example "mysql_escape_string" and "mysql_real_escape_string which in some cases can be bypassed based on server configuration. Bad filteration : forgetting about null injections and other bad chars. Black listing in file uploads.

25 OWASP Good practices Disable what you don't use for example if you're not allowing users to upload files disable it. Disable configurations per folders when not needed for example disable script execution in the uploads folder using.htaccess file.

26 OWASP Why exploiting open source rocks?? You can add code to test your scenarios for example print something when a certain execution path is used. You can reuse open source exploits by simply replacing some strings and paths here and there and get a working exploits. You can easily examine closly the execution paths to find bugs.

27 OWASP Q & A

Download ppt "Copyright © The OWASP Foundation Permission is granted to copy, distribute and/or modify this document under the terms of the OWASP License. The OWASP."

Similar presentations

What is code injection? Code injection is the exploitation of a computer bug that is caused by processing invalid data. Code injection can be used by.

What is code injection? Code injection is the exploitation of a computer bug that is caused by processing invalid data. Code injection can be used by.
©2009 Justin C. Klein Keane PHP Code Auditing Session 4.2 – File Include Vulnerabilities Justin C. Klien Keane

©2009 Justin C. Klein Keane PHP Code Auditing Session 4.2 – File Include Vulnerabilities Justin C. Klien Keane
OWASP Secure Coding Practices Quick Reference Guide

OWASP Secure Coding Practices Quick Reference Guide
Copyright © 2006 - The OWASP Foundation Permission is granted to copy, distribute and/or modify this document under the terms of the Creative Commons Attribution-ShareAlike.

Copyright © The OWASP Foundation Permission is granted to copy, distribute and/or modify this document under the terms of the Creative Commons Attribution-ShareAlike.
©2009 Justin C. Klein Keane PHP Code Auditing Session 5 XSS & XSRF Justin C. Klein Keane

©2009 Justin C. Klein Keane PHP Code Auditing Session 5 XSS & XSRF Justin C. Klein Keane
Copyright © The OWASP Foundation Permission is granted to copy, distribute and/or modify this document under the terms of the OWASP License. The OWASP.

Copyright © The OWASP Foundation Permission is granted to copy, distribute and/or modify this document under the terms of the OWASP License. The OWASP.
WebGoat & WebScarab “What is computer security for $1000 Alex?”

WebGoat & WebScarab “What is computer security for $1000 Alex?”
By Brian Vees.  SQL Injection  Username Enumeration  Cross Site Scripting (XSS)  Remote Code Execution  String Formatting Vulnerabilities.

By Brian Vees.  SQL Injection  Username Enumeration  Cross Site Scripting (XSS)  Remote Code Execution  String Formatting Vulnerabilities.
SQL Injection Attacks Prof. Jim Whitehead CMPS 183: Spring 2006 May 17, 2006.

SQL Injection Attacks Prof. Jim Whitehead CMPS 183: Spring 2006 May 17, 2006.
Information Networking Security and Assurance Lab National Chung Cheng University The Ten Most Critical Web Application Security Vulnerabilities Ryan J.W.

Information Networking Security and Assurance Lab National Chung Cheng University The Ten Most Critical Web Application Security Vulnerabilities Ryan J.W.
The OWASP Foundation Copyright © The OWASP Foundation Permission is granted to copy, distribute and/or modify this document under.

The OWASP Foundation Copyright © The OWASP Foundation Permission is granted to copy, distribute and/or modify this document under.
Lecture 16 Page 1 CS 236 Online Cross-Site Scripting XSS Many sites allow users to upload information –Blogs, photo sharing, Facebook, etc. –Which gets.

Lecture 16 Page 1 CS 236 Online Cross-Site Scripting XSS Many sites allow users to upload information –Blogs, photo sharing, Facebook, etc. –Which gets.
Setting Up a Sandbox Presented by: Kevin Brunson Chief Technology Officer.

Setting Up a Sandbox Presented by: Kevin Brunson Chief Technology Officer.
Create Your Own Webpage. Today’s Agenda Cut & paste code Notepad++ or Notepad at home FTP Web Hosting Wordpress.

Create Your Own Webpage. Today’s Agenda Cut & paste code Notepad++ or Notepad at home FTP Web Hosting Wordpress.
Web Application Vulnerabilities Checklist. EC-Council Parameter Checklist  URL request  URL encoding  Query string  Header  Cookie  Form field 

Web Application Vulnerabilities Checklist. EC-Council Parameter Checklist  URL request  URL encoding  Query string  Header  Cookie  Form field 
Introduction to InfoSec – Recitation 10 Nir Krakowski (nirkrako at post.tau.ac.il) Itamar Gilad (itamargi at post.tau.ac.il)

Introduction to InfoSec – Recitation 10 Nir Krakowski (nirkrako at post.tau.ac.il) Itamar Gilad (itamargi at post.tau.ac.il)
Martin Kruliš 2. 4. 2015 by Martin Kruliš (v1.0)1.

Martin Kruliš by Martin Kruliš (v1.0)1.
Secure Software Development Mini Zeng University of Alabama in Huntsville 1.

Secure Software Development Mini Zeng University of Alabama in Huntsville 1.
PHP Security.

PHP Security.
Lets Make our Web Applications Secure. Dipankar Sinha Project Manager Infrastructure and Hosting.

Lets Make our Web Applications Secure. Dipankar Sinha Project Manager Infrastructure and Hosting.

Similar presentations

Ads by Google