PHP Code Auditing, Session 6: Auditing Strategies & Demonstration
©2009 Justin C. Klein Keane


1 PHP Code Auditing, Session 6: Auditing Strategies & Demonstration
Justin C. Klein Keane, jukeane@sas.upenn.edu

2 Installing the Exercise
- Download and install VMware Player or VMware Fusion
- Download and extract the target image
- Be sure PHP Eclipse is set up with RSE (Remote System Explorer)

3 First Looks
- Start up the virtual machine and log in with root/password
- Retrieve the IP address
- Browse to the IP in a web browser on your host system
- Connect to the target with Eclipse
- SSH to the target with PuTTY or similar

4 Strategies for Finding Vulns
- Black box testing: view the application from the end user's perspective
- Logical pathways: follow the flow of the code
- Vulnerability checklist: examine the code once for each type of vulnerability
- Linear approach: parse through the code systematically

5 Time vs. Thoroughness
Plan your audit based on the available time and the criticality of your target:
- Black box testing is the least time intensive but also the least thorough
- The linear approach is very time intensive but also extremely thorough (it can catch orphaned code and other problems)
- The vulnerability checklist and logical pathway approaches are good compromises

6 Take Notes
- Be sure to document vulnerabilities: even if you can't exploit them, someone else could
- Be sure to note every potential exploit
- The tendency to "target fixate" on severe bugs can cause you to overlook trivial vulnerabilities in the hunt for severe ones
- Notes should include the vulnerability type, file location, and relevant lines of code

7 Black Box Testing
Surface analysis of the application from the user's perspective:
- Examine the application without looking at the code
- Try to identify potential areas of exploitation
- Turn to the code afterwards and try to find the vulnerabilities behind them
- Can be aided by automated tools and intercepting proxies

8 Logical Pathways
- Follow the program flow in an IDE
- Begin looking at the code from its points of entry
- Trace the code through to termination and display
- Will overlook orphaned code and things like documentation or other artifacts
- Branching can sidetrack you, so take careful notes

9 Vulnerability Checklist
- Target vulnerabilities one class at a time
- Start with one class of vulnerability, such as SQL injection
- Find all functions that could trigger that vulnerability, such as mysql_query(), using utilities like 'find' and 'grep'
- Custom applications may abstract these functions behind their own wrappers, so you may have to look for the abstraction layer and then for its callers
- This process is more difficult with vulnerabilities that don't have a specific trigger function, such as authentication bypass or logic flaws
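As an added example (not part of the session's slides or its exercise image), the following Python script automates the checklist pass described above, and also produces the notes the note-taking slide asks for (type, file, line, code) and flags the request superglobals that the logical-pathway approach starts a trace from. It does what 'find' and 'grep' do, plus the step the slide warns about: when a sink such as mysql_query() is only called inside an in-house wrapper, the wrapper's callers are reported too. The sink list, the regexes and the two sample PHP files are assumptions constructed for this illustration.

```python
"""Vulnerability-checklist pass over a PHP source tree.

For each vulnerability class, locate the trigger functions (sinks), detect
in-house wrappers that abstract those sinks, then find the wrappers' callers.
Each hit is recorded as a note with type, file, line and code. Regex-based and
heuristic: like grep, it also matches names inside strings and comments, so
every hit still needs a manual look.
"""
import re

# Checklist of trigger functions per vulnerability class. Assumption: this
# list is illustrative, not the session's; extend it for the target application.
SINKS = {
    "SQL injection": {"mysql_query", "mysqli_query", "pg_query"},
    "Arbitrary command execution": {"exec", "system", "shell_exec", "passthru", "popen"},
    "Arbitrary file upload": {"move_uploaded_file"},
}
# Request-controlled superglobals: the points of entry a logical-pathway trace starts from.
SOURCE = re.compile(r"\$_(GET|POST|REQUEST|COOKIE|FILES)\b")
CALL = re.compile(r"\b([A-Za-z_]\w*)\s*\(")
FUNC_DEF = re.compile(r"\bfunction\s+([A-Za-z_]\w*)\s*\(")
OUTPUT = re.compile(r"\b(echo|print)\b")   # reflected output, checked for XSS


def iter_lines(files):
    """Yield (path, lineno, line, enclosing_function) for every line of every file.

    Function extent is tracked by brace counting, which is enough for the
    straightforward procedural PHP this heuristic targets.
    """
    for path, text in files.items():
        current, depth = None, 0
        for lineno, line in enumerate(text.splitlines(), 1):
            m = FUNC_DEF.search(line)
            if m and current is None:
                current, depth = m.group(1), 0
            yield path, lineno, line, current
            if current is not None:
                depth += line.count("{") - line.count("}")
                if depth <= 0 and "}" in line:
                    current = None


def note(vuln, path, lineno, line, tainted):
    return {"type": vuln, "file": path, "line": lineno, "code": line.strip(),
            "request_input_on_line": tainted}


def scan(files):
    """Two passes: direct sink calls (remembering which function wraps each one),
    then calls to those wrappers. Returns notes sorted by file and line."""
    notes, wrappers = [], {}            # wrapper function name -> vulnerability class
    for path, lineno, line, func in iter_lines(files):
        tainted = bool(SOURCE.search(line))
        for name in CALL.findall(line):
            for vuln, sinks in SINKS.items():
                if name in sinks:
                    notes.append(note(vuln, path, lineno, line, tainted))
                    if func is not None:
                        wrappers[func] = vuln   # an abstraction layer around the sink
        if OUTPUT.search(line) and tainted:
            notes.append(note("XSS", path, lineno, line, True))
    # Second pass: the abstraction layer's callers are where the real audit work is.
    for path, lineno, line, func in iter_lines(files):
        for name in CALL.findall(line):
            if name in wrappers and func != name:
                notes.append(note(f"{wrappers[name]} (via wrapper {name})",
                                  path, lineno, line, bool(SOURCE.search(line))))
    notes.sort(key=lambda n: (n["file"], n["line"]))
    return notes


def report(notes):
    """Render notes one per line: type, file:line, code, and whether a request
    superglobal appears on the same line (a hint for triage, not proof of taint)."""
    return "\n".join(
        f"[{n['type']}] {n['file']}:{n['line']}: {n['code']}"
        + ("  <- request input on this line" if n["request_input_on_line"] else "")
        for n in notes)


# Constructed sample application (not the session's exercise image).
SAMPLE_FILES = {
    "includes/db.php": (
        "<?php\n"
        "// thin abstraction layer: grepping for the raw sink finds only this file\n"
        "function db_query($sql) {\n"
        "    return mysql_query($sql);\n"
        "}\n"
    ),
    "user.php": (
        "<?php\n"
        "require 'includes/db.php';\n"
        "$id = $_GET['id'];\n"
        "$res = db_query(\"SELECT * FROM users WHERE id = \" . $id);\n"
        "echo \"Hello \" . $_GET['name'];\n"
        "$out = shell_exec(\"ping -c 1 \" . $_POST['host']);\n"
    ),
}

if __name__ == "__main__":
    print(report(scan(SAMPLE_FILES)))
```

On the sample, the raw sink appears only in includes/db.php, so a plain `grep -rn --include='*.php' 'mysql_query' .` would stop there; the second pass is what surfaces the db_query() call in user.php, where the attacker-controlled $id is concatenated into the query on a line that does not itself mention $_GET. That last point is why the "request input on this line" flag is only a triage hint: the checklist finds the sink, and the logical-pathway trace back to the entry point is still manual.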

10 Linear Approach
- Most thorough, and most time consuming
- Review the application externally
- Review the code for flow and functional comprehension
- Go through each file of the application line by line, looking for any class of vulnerability
- Utilize both internal and external perspectives

11 In a Pinch
- If time is an issue, tailor your vulnerability review to a risk assessment
- If the application holds no valuable data, assess SQL injection in terms of an attacker using it to host malicious content or enable social engineering rather than to expose sensitive data
- Be sure to understand threat models! Just because you don't see a value doesn't mean an attacker won't

12 Vulnerability Report
- Be sure to note every vulnerability you identify, regardless of whether it can be exploited
- Try to rank vulnerabilities in terms of criticality, for example:
  - High: the exploit compromises the entire host or can compromise other applications/services
  - Medium: the exploit could cause denial of service or expose clients to attack
  - Low: denial of service or non-sensitive information disclosure
- Note that the type of data/application will influence the severity ranking

13 Exercise
Let's identify some vulnerabilities in the exercise:
- Authentication bypass
- SQL injection
- XSS
- Arbitrary command execution
- Arbitrary file upload

