Devfest istanbul'14 - Web Application Attacks and Trusting Frameworks
Transcript of Devfest istanbul'14 - Web Application Attacks and Trusting Frameworks
Page 1
Devfest Istanbul
Web Application Attacks and Trusting Frameworks
Page 2
whoami
● Mehmet INCE
● Cyber Security Engineer / Pentest Lead at INTELRAD
● 150+ vulnerability publications
● Application Security
● Infosec Blogger, www.mehmetince.net
● PHP, Python, etc.
● @mdisec
Page 3
Proposition
security is a serious business.
Page 4 (slide image only)
Page 5
The claims made in web application security
● We use a framework. (ORM, prepared statements)
● We do input validation.
● Output encoding is our job.
● We regularly buy penetration testing services from different companies.
● We have WAF and IPS/IDS devices.
● Our software is open source. The power of the community is with us.
● We send our developers to secure coding training.
● We have a bug bounty program; we pay everyone who finds a vulnerability.
Page 6
Does anyone here work at a company that does all of these?
Page 7
Because
● Drupal core - SQL injection ( stacked query enabled! ) - http://goo.gl/RPgX1z
● Wordpress 4.0.1 Stored XSS - http://goo.gl/xuvXfB
● Codeigniter Object Injection - http://goo.gl/72lzGV
Page 8
Because...
● Symfony CSRF ( CVE-2014-6072 )
● Laravel cookie forgery, decryption, and RCE - http://goo.gl/qieZzZ
● RoR SQLi & Crypto Weakness
Page 9
Because…
“We use a framework.” is one of the must-haves, but it is never sufficient on its own, because the framework itself is software too. It can have security vulnerabilities. (RoR, CI, Laravel, Symfony, ASP.NET)
Page 10
Because…
Open source matters for security. But all of the examples were open source projects with around 1,000 committers. http://goo.gl/fDHGFZ
(Welcome aboard, ASP.NET :p)
Page 11
Because….
No WAF or IPS/IDS can detect the Codeigniter Object Injection vulnerability. Why? (Exploit the OR)
Page 12
So...
security is a serious business.
Page 13
Codeigniter Object Injection Vuln
Page 14
Codeigniter Session Mechanism
Session class initializer method.
Page 15
Codeigniter Session Mechanism
Page 16
Codeigniter Session Mechanism
Page 17
Codeigniter Encryption Class
Page 18
Codeigniter Custom XOR
Page 19
Where we are
User request -> Session class initializer -> sess_create()
Is encrypt cookie enabled?
T: Encode with Mcrypt
F: Encode with XOR
-> _set_cookie()
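The cookie path in the flow above, as an added PHP example that is not CodeIgniter's own code: a simplified model of the CI 2.x unencrypted session cookie (serialized data followed by md5(data . encryption_key), which is checked and then passed to unserialize() on read), beside a hardened form that uses an HMAC, a constant-time comparison and JSON. The function names and the sample key are this example's own assumptions.

```php
<?php
// Added example, not CodeIgniter's code. The cookie layout
// (serialized data + md5(data . key)) models the CI 2.x path
// when sess_encrypt_cookie is off; function names are ours.

// --- CI 2.x style: md5 tag, then unserialize() on the payload ---
function ci2_write_cookie(array $userdata, string $key): string {
    $data = serialize($userdata);
    return $data . md5($data . $key);        // last 32 chars are the tag
}

function ci2_read_cookie(string $cookie, string $key) {
    $hash = substr($cookie, -32);
    $data = substr($cookie, 0, -32);
    if ($hash !== md5($data . $key)) {       // plain, non-constant-time compare
        return false;
    }
    // Object injection sink: once the tag can be reproduced (known or
    // weak key), any class with __wakeup()/__destruct() is reachable here.
    // Minimum mitigation on PHP 7+: unserialize($data, ['allowed_classes' => false]).
    return unserialize($data);
}

// --- Hardened: HMAC-SHA256, hash_equals(), no object graph at all ---
function safe_write_cookie(array $userdata, string $key): string {
    $data = json_encode($userdata);
    return $data . '|' . hash_hmac('sha256', $data, $key);
}

function safe_read_cookie(string $cookie, string $key) {
    $pos = strrpos($cookie, '|');
    if ($pos === false) return false;
    $data = substr($cookie, 0, $pos);
    $tag  = substr($cookie, $pos + 1);
    if (!hash_equals(hash_hmac('sha256', $data, $key), $tag)) {
        return false;                        // tampered or wrong key
    }
    // json_decode() never instantiates application classes, so a forged
    // payload can at most change values, never trigger magic methods.
    return json_decode($data, true);
}

$key = 'constructed-demo-key';               // constructed sample key
$cookie = safe_write_cookie(['user_id' => 7, 'role' => 'user'], $key);
var_dump(safe_read_cookie($cookie, $key)['role']);          // string "user"
$tampered = str_replace('"role":"user"', '"role":"admin"', $cookie);
var_dump(safe_read_cookie($tampered, $key));                 // bool(false)
```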
Page 20
How to read Session Data
Page 21
How to exploit
- If the encryption key is known: cookie object manipulation
- If the encryption key is unknown:
  - If Mcrypt is enabled: CBC mode exploit
  - If custom XOR: md5 hash brute force
Page 22
Codeigniter Based Applications
- Bonfire: Vulnerable
- No-CMS: Vulnerable
- PyroCMS: Vulnerable
- FUEL CMS: Vulnerable
- ...
Page 23
DEMO
Page 24
Thanks
twitter.com/mdisec
www.mehmetince.net