Revealing the Secrets: Source Code Disclosure, Techniques, and Impacts

Anant kochhar _revealing_the_secrets - ClubHack2009


Page 1

Revealing the Secrets:

Source Code Disclosure, Techniques, and Impacts

Page 2

I am…

Anant Kochhar, Senior Information Security Consultant with SecurEyes

Project Manager and Researcher: Malware Detection Techniques and Real World Cracker Techniques

Page 3

Unique Insecurities…

Each developer is unique

Each application is unique

Each application is uniquely insecure.

Each developer is uniquely insecure.

Page 4

Source Code Disclosure Types

Accidental Code Disclosure

Backup and Misc. Files

The Dirty Download Page

Page 5

Accidental Disclosure

Part of the Source Code is available in the HTML source code.

When dynamic pages are turned into static pages (e.g. from ‘.asp’ to ‘.html’), coders don’t remove the ASP code before publishing the HTML page.

Why? Because IE is very forgiving.

Page 6

Google: looking in a domain which claims to have ALL ‘audited’ sites

“mdb” “server.createobject” OR “server.mappath” site:???.??

Page 7

In IE

Page 8

In Mozilla Firefox

Page 9

Voila…

Page 10

How to avoid it…

Don’t be careless: go through the HTML source code of every page before it is published online.

Use both IE and Firefox to test a page.
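A check for the accidental-disclosure case above, added here as an example and not taken from the talk: a small pre-publication scanner that flags server-side fragments (ASP `<% %>` blocks, PHP tags, `Server.CreateObject` / `Server.MapPath` calls, `.mdb` references) left inside a static HTML page. The patterns and the two sample pages are my own constructions.

```python
import re

# Patterns for server-side code that should never survive into a static page.
# The kinds are labels of my own; the regexes are written for this example.
SERVER_SIDE_PATTERNS = {
    "asp-block":  re.compile(r"<%.*?%>", re.DOTALL),
    "php-block":  re.compile(r"<\?(?:php|=).*?\?>", re.DOTALL),
    "asp-object": re.compile(r"server\.(?:createobject|mappath)", re.IGNORECASE),
    "access-db":  re.compile(r"\b\w+\.mdb\b", re.IGNORECASE),
}


def find_server_side_fragments(html: str) -> list:
    """Return (kind, line_number, snippet) for every server-side fragment left
    in the HTML. Line numbers are 1-based and refer to the fragment's start."""
    findings = []
    for kind, pattern in SERVER_SIDE_PATTERNS.items():
        for match in pattern.finditer(html):
            line_no = html.count("\n", 0, match.start()) + 1
            snippet = " ".join(match.group(0).split())[:60]
            findings.append((kind, line_no, snippet))
    findings.sort(key=lambda f: (f[1], f[0]))
    return findings


def is_publishable(html: str) -> bool:
    """True only when no server-side fragment was found."""
    return not find_server_side_fragments(html)


# Constructed sample: an .asp page saved as .html without stripping the ASP.
SAMPLE_LEFTOVER = """<html>
<body>
<h1>Election results</h1>
<%
Set conn = Server.CreateObject("ADODB.Connection")
conn.Open "Provider=Microsoft.Jet.OLEDB.4.0;Data Source=" & Server.MapPath("data/election.mdb")
%>
<p>Results table goes here.</p>
</body>
</html>"""

# Constructed sample: the same page with the server-side code removed.
SAMPLE_CLEAN = "<html><body><h1>Election results</h1><p>Nothing dynamic.</p></body></html>"

if __name__ == "__main__":
    for finding in find_server_side_fragments(SAMPLE_LEFTOVER):
        print(finding)
    print("clean page publishable:", is_publishable(SAMPLE_CLEAN))
```

Run it over every `.html` file in the publish directory and refuse to publish while `is_publishable` is false; the `.mdb` pattern matters because, as the Google query on the next slide shows, the database path is exactly the kind of detail that leaks this way.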

Page 11

Backup and Misc. Files

Source code stored in readable formats.

Coders save backup files in the website’s hosting folders: zipped files, ‘.bak’ extensions etc.

Coders often use bad extensions, like ‘.inc’, for ‘included’ configuration files.

Page 12

How to discover…

Directory Listings.

Disclosure in HTML Source (Rare)

Other non-standard techniques.

Page 13

Google: the same secured domain

“zip” “parent directory” site:???.??

Page 14

Directory listing enabled: all ‘internal pages’ visible

Page 15

Interesting folder: Election_asp. Interesting file: Database Connection

Page 16

Backup File of Election_asp: Election_asp.zip

Page 17

All ASP Files…including Database Connection File

Page 18

Database username and password in the database connection file

Page 19

How to avoid it…

Disable Directory Listing

Don’t use the Hosting space as a storage space.

Name all ‘.inc’ files as ‘.inc.php’ or ‘.inc.asp’ files to make them inaccessible.
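An audit for the backup and misc. files case, added here as an example that is not part of the talk: walk the hosting folder and list every file whose name ends in a backup, archive or bare ‘.inc’ suffix, which is the inventory a directory listing would hand to anyone. The suffix list and the sample tree (modelled on the Election_asp slides) are constructed for this example.

```python
import os
import tempfile

# Suffixes named in the talk (zip, .bak, .inc) plus common editor leftovers.
# This list is my own; extend it to match the platform in use.
RISKY_SUFFIXES = (".bak", ".zip", ".inc", ".old", ".orig", ".swp", "~")


def find_stray_files(web_root: str) -> list:
    """Walk the hosting folder and return the relative paths of files whose
    name ends in one of RISKY_SUFFIXES. Names such as dbconn.inc.asp are
    deliberately not flagged, matching the talk's renaming advice."""
    stray = []
    for dirpath, _dirs, files in os.walk(web_root):
        for name in files:
            if name.lower().endswith(RISKY_SUFFIXES):
                rel = os.path.relpath(os.path.join(dirpath, name), web_root)
                stray.append(rel.replace(os.sep, "/"))
    return sorted(stray)


def build_sample_root() -> str:
    """Constructed web root mirroring the talk's Election_asp example."""
    root = tempfile.mkdtemp(prefix="webroot_")
    layout = [
        "index.html",
        "Election_asp/default.asp",
        "Election_asp/dbconn.inc",       # readable config include
        "Election_asp/dbconn.inc.asp",   # renamed, so the engine processes it
        "Election_asp.zip",              # backup archive of the whole folder
        "old/default.asp.bak",
        "old/notes.txt~",
    ]
    for rel in layout:
        path = os.path.join(root, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "w") as fh:
            fh.write("placeholder\n")
    return root


if __name__ == "__main__":
    for rel in find_stray_files(build_sample_root()):
        print("stray:", rel)
```

Renaming an include to ‘.inc.asp’ works because the engine then processes the file instead of serving it raw; keeping configuration includes outside the hosting folder altogether removes the exposure without relying on the extension, and disabling directory listing is a separate web server setting that this audit does not replace.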

Page 20

The Dirty Download Page

Better known as ‘Insecure Direct Object Ref.’

Paper in December 2007: http://secureyes.net/downloads/Source_Code_Disclosure_over_HTTP.pdf

Many white hats have contacted me regarding it.

Translated into Spanish, which is flattering and scary.

Not the target audience.

Page 21

The Comment… “look on the internet for such pages…”

Page 22

How An Engine Works

Diagram: the user’s browser requests URL /user_login.php; on the server, the PHP engine processes User_login.php from the application root folder and returns only the HTML part of User_login.php to the browser.

Page 23

The site’s root folder

Page 24

http://www.vulnerable123.com/1.doc

Page 25

Internal Affairs…

Diagram: the user’s browser requests URL /1.doc; the server returns 1.doc from the application root folder as it is, and the PHP engine plays no part in serving the static file.

Page 26

The Other Method…

Stream the static content files through a dynamic page:

1) Filename passed as a parameter to the dynamic page, hereafter called the ‘download’ page.

2) The download page looks for the file in the hosting folder

3) And upon finding it, streams it to the user’s browser.

Page 27

http://www.vulnerable123.com/download_file.php?filename=1.doc

Page 28

Internal Affairs 2

Diagram: the user’s browser requests URL /download_file.php?filename=1.doc; the PHP engine runs Download_file.php, which reads 1.doc from the application root folder and streams it to the browser.

Page 29

The Exploit…

Change the filename parameter’s value to login_user.php:

Will it be processed by the engine before being streamed?

Not! The engine does not double-process a single request! It will simply stream the source code file ‘login_user.php’!

Page 30

http://www.vulnerable123.com/download_file.php?filename=user_login.php

Page 31

Internal Affairs 3

Diagram: the user’s browser requests URL /download_file.php?filename=user_login.php; the PHP engine runs Download_file.php, which reads User_login.php from the application root folder and streams the user_login.php source code file to the browser.

Page 32

Google

A URL which contains:

A dynamic page extension: ext:php OR ext:jsp OR ext:asp OR ext:aspx

A static file extension in the URL (somewhere): inurl:doc OR inurl:pdf OR inurl:xls OR inurl:txt OR inurl:ppt OR inurl:htm

Page 33

Pattern (contd.)

Combining:

inurl:doc OR inurl:pdf OR inurl:xls OR inurl:txt OR inurl:ppt ext:php OR ext:jsp OR ext:asp OR ext:aspx

Page 34

Google Result Page

Lots of false positives

Page 35

Patterns (contd.)

Search can be restricted to a site or a domain: site:vulnerable123.com

Finding the Dirty Download Page in www.vulnerable123.com:

inurl:doc OR inurl:pdf OR inurl:xls OR inurl:txt OR inurl:ppt ext:php OR ext:jsp OR ext:asp OR ext:aspx site:vulnerable123.com

Page 36

Voila…

Page 37

Unique case of Java sites: directory listing through the download page

Page 38

Recommended Resolutions

Refer to internal objects indirectly.

For example, index the downloadable files, and pass index numbers instead of file names.

File extension validation can be bypassed: null byte injection.
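The download-page flaw from the ‘Internal Affairs’ diagrams and ‘The Exploit’ slide, set beside the two resolutions above, as an added example that is not the talk's or the site's code. The logic is written in Python rather than PHP so that it runs stand-alone; it maps one-to-one onto a download_file.php handler. The paths, the catalogue entries and the NUL-padded name are constructed for the example.

```python
import os
from typing import Optional

# Constructed layout modelled on the talk's diagrams (assumed paths, not the
# real site): the download page and user_login.php sit in the application
# root, and the public documents live in a dedicated sub-folder.
APP_ROOT = os.path.normpath("/var/www/vulnerable123")
DOWNLOAD_DIR = os.path.normpath(os.path.join(APP_ROOT, "docs"))
ALLOWED_SUFFIXES = (".doc", ".pdf", ".xls", ".txt", ".ppt")


def vulnerable_lookup(filename: str) -> str:
    """The 'dirty download page' as the talk describes it: the name from the
    request parameter is looked up in the hosting folder and the file is
    streamed as-is. The engine never processes it, so a request naming
    user_login.php yields the PHP source rather than its HTML output."""
    return os.path.join(APP_ROOT, filename)


def extension_check_only(filename: str) -> bool:
    """An extension whitelist on its own. The talk's last slide warns that
    this can be bypassed by null byte injection: the check sees the '.doc'
    tail, while a C-level file open (on affected PHP versions) stops reading
    the name at the NUL byte and opens user_login.php instead."""
    return filename.lower().endswith(ALLOWED_SUFFIXES)


# Indirect object reference, the talk's recommended fix: the client only ever
# sees an index number; the server keeps the index-to-file catalogue.
CATALOGUE = {
    1: "1.doc",
    2: "annual_report.pdf",   # constructed entry
}


def resolve_by_index(index_param: str) -> Optional[str]:
    """Hardened lookup. Anything that is not a known catalogue index resolves
    to None, so user_login.php, backups and .inc files cannot be named."""
    try:
        index = int(index_param)
    except ValueError:
        return None
    name = CATALOGUE.get(index)
    return None if name is None else os.path.join(DOWNLOAD_DIR, name)


def safe_path(candidate: str) -> Optional[str]:
    """Defence in depth for any name that is about to be streamed: reject
    embedded NUL bytes outright and confirm the normalised path still lies
    strictly inside DOWNLOAD_DIR, so '..' segments or absolute names cannot
    escape the documents folder."""
    if "\x00" in candidate:
        return None
    resolved = os.path.normpath(os.path.join(DOWNLOAD_DIR, candidate))
    if resolved == DOWNLOAD_DIR:
        return None
    if os.path.commonpath([DOWNLOAD_DIR, resolved]) != DOWNLOAD_DIR:
        return None
    return resolved


if __name__ == "__main__":
    print("vulnerable lookup:", vulnerable_lookup("user_login.php"))
    print("extension check on NUL-padded name:",
          extension_check_only("user_login.php\x00.doc"))
    print("by index 1:", resolve_by_index("1"))
    print("by index 'user_login.php':", resolve_by_index("user_login.php"))
    print("safe_path('../user_login.php'):", safe_path("../user_login.php"))
```

The index lookup is the primary fix: once the client can only choose among catalogue numbers, there is no file name to tamper with. `safe_path` is kept as a second layer for handlers that must still accept a name, and it rejects the NUL byte before any path logic runs, which is what the extension-only check misses.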

Page 39

Contact me: anant.kochhar[at]secureyes[dot]net