CMS and Other Giants: The Nightmare of AppSec (presentation transcript)
Slide 1

CMS and Other Giants

The Nightmare of AppSec

Irene Abezgauz

Product Manager

© 2005-2011. All Rights Reserved to Seeker Security Ltd.


Slide 2

Seeker Security

  • Formerly Hacktics® (Acquired by EY)

  • New Generation of Application Security Testing (IAST)

  • Recognized as Top 10 Most Innovative Companies at RSA® 2010.

  • Recognized as “Cool Vendor” by Gartner


Slide 3

Introduction

  • Application Security is Important!

  • CMS – Mix of 3rd Party and Customizations

  • Heavy on Code and Content

  • Hard to Secure Properly

  • Difficult to Test for Application Security


Slide 5

Agenda

  • Size Matters… If you need to Secure it !

  • Somebody Else Did It! 3rd Party Platforms

  • My CMS has Wings! So Does Everybody Else’s…

  • Help!!! What Can You Do??


Slide 6

Size Matters…

If you need to secure it!


Slide 7

Size Matters

  • Large number of pages (thousands, and often many more)

  • Most are static content pages (dynamically generated HTML); some are not

  • Dynamic and static content are mixed together


Slides 8 to 12

Size Matters (image-only slides)

Slide 13

Size Matters

  • http://www.vodafone.com/content/index/about/about_us/money_transfer.html?q=vodafone&start=10&perpage=10&area=all

  • http://www.vodafone.com/content/index/about/about_us/money_transfer.html?q=related%3A%2Fcontent%2Findex%2Fabout%2Fabout_us%2Fmoney_transfer%2Fnews%2Fsafaricom_in_anotherfirstasm-pesaenterssupermarkets


Slide 14

Size Matters

  • Often many parameters for each page

  • Some are needed for this specific page

  • Some are passed as a habit and never actually used

  • For example: SharePoint Collaboration Document Center, adding a new announcement


Slide 15

Size Matters

  • MSO_PageHashCode=11-1773449651&MSOWebPartPage_PostbackSource=&MSOTlPn_SelectedWpId=&MSOTlPn_View=0&MSOTlPn_ShowSettings=False&MSOGallery_SelectedLibrary=&MSOGallery_FilterString=&MSOTlPn_Button=none&__EVENTTARGET=ctl00%24m%24g_0521eb40_6e59_4eeb_8f78_c20b66c8dcea%24ctl00%24ctl02%24ctl00%24toolBarTbl%24RightRptControls%24ctl00%24ctl00%24diidIOSaveItem&__EVENTARGUMENT=&__REQUESTDIGEST=0x757C078B42F882EFF34A131312AC47E01F6F3BECDB0A95043DCC31D76ACA1B0003D9777998AC8C2F0EF95689400DD7A956720CD542AED1B289A36426C21C1351%2C13+Sep+2011+15%3A47%3A26+-0000&_ListSchemaVersion_%7Bccae3ae4-3660-4556-89cb-aab1d923455d%7D=1&MSOSPWebPartManager_DisplayModeName=Browse&MSOWebPartPage_Shared=&MSOLayout_LayoutChanges=&MSOLayout_InDesignMode=&MSOSPWebPartManager_OldDisplayModeName=Browse&MSOSPWebPartManager_StartWebPartEditingName=false&__LASTFOCUS=&__VIEWSTATE=&__EVENTVALIDATION=%2FwEWDQLT6%2FHJCAKpn5bCCwKN%2F6CDBgL5zYOUAgLqo%2FWeCQLNrvW5AwLZqOGaAgL76ozMDAKL0KiqAgKz7beUCgLsgqilCQLMsJnGAwKx%2Ffn2Cf6RZ0n2OxRqN%2FFdf3g9LSzbuHEp&ctl00%24PlaceHolderSearchArea%24ctl01%24ctl00=http%3A%2F%2Fwin-ids6pjtg3yc%2FDocs&ctl00%24PlaceHolderSearchArea%24ctl01%24SBScopesDDL=&InputKeywords=&ctl00%24m%24g_0521eb40_6e59_4eeb_8f78_c20b66c8dcea%24ctl00%24ctl02%24ctl00%24ctl01%24ctl00%24ctl00%24ctl00%24ctl00%24ctl00%24ctl04%24ctl00%24ctl00%24onetidIOFile=a&ctl00%24m%24g_0521eb40_6e59_4eeb_8f78_c20b66c8dcea%24ctl00%24ctl02%24ctl00%24ctl01%24ctl00%24ctl00%24ctl01%24ctl00%24ctl00%24ctl04%24ctl00%24ctl00%24TextField=&ctl00%24m%24g_0521eb40_6e59_4eeb_8f78_c20b66c8dcea%24ctl00%24ctl02%24ctl00%24ctl05%24ctl00%24owshiddenversion=2&__spDummyText1=&__spDummyText2=

That’s over 25 parameters!


Slide 16

Size Matters

  • MSO_PageHashCode=11-1773449651&MSOWebPartPage_PostbackSource=&MSOTlPn_SelectedWpId=&MSOTlPn_View=0&MSOTlPn_ShowSettings=False&MSOGallery_SelectedLibrary=&MSOGallery_FilterString=&MSOTlPn_Button=none&__EVENTTARGET=ctl00%24m%24g_3c33714d_6e52_450f_b792_1c56719d1f70%24ctl00%24toolBarTbltop%24RightRptControls%24ctl01%24ctl00%24diidIOSaveItem&__EVENTARGUMENT=&__REQUESTDIGEST=0x07A4F374C689F1DD4E6BE6D8A27EA8B027C8AB38D6DAB67211AC1D7DE7E57911FC117CC2E16AC8258C32FFC9A5EEC1656C57D26BB829725A54358A18FF97F96B%2C13+Sep+2011+15%3A44%3A05+-0000&_ListSchemaVersion_%7Ba3701259-1bf8-4cf3-b120-d584603d38ea%7D=0&MSOSPWebPartManager_DisplayModeName=Browse&MSOWebPartPage_Shared=&MSOLayout_LayoutChanges=&MSOLayout_InDesignMode=&MSOSPWebPartManager_OldDisplayModeName=Browse&MSOSPWebPartManager_StartWebPartEditingName=false&__LASTFOCUS=&__VIEWSTATE=…%2BJm5ic3A7Jm5ic3A7Jm5ic3A7Jm5ic3A7PC9URD48VEQgY2xhc3M9Im1zLXByb3BlcnR5c2hlZXQiPjxJTUcgYWx0PSdEZWxldGUnIFNSQz0iL19sYXlvdXRzL2ltYWdlcy9yZWN0LmdpZiI%2BJm5ic3A7PGEgdGFiaW5kZXg9MSBocmVmPSJqYXZhc2NyaXB0OlJlbW92ZUF0dGFjaG1lbnRGcm9tU2VydmVyKCd7QUZFRjRFODgtRDY1OC00N0FBLUI1QUItOTg5QTA1MjVEM0QzfScsMSkiPkRlbGV0ZTwvYT48L1REPjwvVFI…%2BPC9zcGFuPmQCAw8PFgQfBAUHTXkgU2l0ZR8GBTVodHRwOi8vd2luLWlkczZwanRnM3ljOjgwL015U2l0ZS9fbGF5b3V0cy9NeVNpdGUuYXNweGRkAgUPFgIfBAU5PHNwYW4gc3R5bGU9J3BhZGRpbmctbGVmdDo0cHg7cGFkZGluZy1yaWdodDozcHgnPnw8L3NwYW4%2BZAIPD2QWAmYPZBYCAgMPFgIfBAUBfGQCCQ9kFgICAQ9kFgJmD2QWAgIBDw9kFgIeBWNsYXNzBRhtcy1zYnRhYmxlIG1zLXNidGFibGUtZXhkAgsPZBYCAgMPZBYCZg9kFgQCAg9kFgICAw8WAh8AaGQCAw8PFgIfAwUBL2RkAi8PZBYCAgQPZBYCAgEPZBYCZg8PFgIfAGhkZBgBBUVjdGwwMCRQbGFjZUhvbGRlclRvcE5hdkJhciRQbGFjZUhvbGRlckhvcml6b250YWxOYXYkVG9wTmF2aWdhdGlvbk1lbnUPD2QFFEhvbWVcRG9jdW1lbnQgQ2VudGVyZGmgC8w1IPklANTRTq6iDjFHnwy4&__EVENTVALIDATION=%2FwEWDwLyy5zyDAKpn5bCCwKN%2F6CDBgL5zYOUAgLqo%2FWeCQLNrvW5AwLZuKB7ArusudMFAsze0tYPAsTg25UCAr%2B9mtoLAua14b0IAovagYEIAsOR0e0DAtDfiqYLc2%2BesVFsr0Dn92NbpXGZ53H0Zq0%3D&ctl00%24PlaceHolderSearchArea%24ctl01%24ctl00=http%3A%2F%2Fwin-ids6pjtg3yc%2FDocs&ctl00%24PlaceHolderSearchArea%24ctl01%24SBScopesDDL=&InputKeywords=&ctl00%24m%24g_3c33714d_6e52_450f_b792_1c56719d1f70%24ctl00%24ctl04%24ctl00%24ctl00%24ctl00%24ctl04%24ctl00%24ctl00%24TextField=asdfasdf&ctl00%24m%24g_3c33714d_6e52_450f_b792_1c56719d1f70%24ctl00%24ctl04%24ctl01%24ctl00%24ctl00%24ctl04%24ctl00%24ctl00%24TextField=%3Cdiv%3E%3C%2Fdiv%3E&ctl00%24m%24g_3c33714d_6e52_450f_b792_1c56719d1f70%24ctl00%24ctl04%24ctl01%24ctl00%24ctl00%24ctl04%24ctl00%24ctl00%24TextField_spSave=%3CDIV+class%3DExternalClass10DBD7507AA14EB0A345DB965125EACA%3E%0D%0A%3CDIV%3Easdfasdf%3C%2FDIV%3E%3C%2FDIV%3E&ctl00%24m%24g_3c33714d_6e52_450f_b792_1c56719d1f70%24ctl00%24ctl04%24ctl02%24ctl00%24ctl00%24ctl04%24ctl00%24ctl00%24DateTimeField%24DateTimeFieldDate=9%2F14%2F2011&ctl00%24m%24g_3c33714d_6e52_450f_b792_1c56719d1f70%24ctl00%24ctl07%24ctl00%24owshiddenversion=1&attachmentsToBeRemovedFromServer=&RectGifUrl=%2F_layouts%2Fimages%2Frect.gif&fileupload0=&__spDummyText1=&__spDummyText2=

That’s just a lot!
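A first triage step for a request like the two above, as an added example that is not part of the presentation: parse the body, count the fields, sort them by naming convention into ASP.NET framework fields, SharePoint platform fields and application-level fields, and flag the ones that are empty in a normal request. The body below is a constructed, shortened stand-in for the slide’s POST (same field naming scheme; GUIDs and values truncated), and the prefix-based classification is an assumption that fits SharePoint’s conventions rather than anything the product documents.

```python
from urllib.parse import parse_qsl

# Constructed, shortened stand-in for the "new announcement" POST body shown above.
# Field names follow the slide; GUIDs and values are truncated placeholders.
SAMPLE_BODY = (
    "MSO_PageHashCode=11-1773449651&MSOWebPartPage_PostbackSource=&MSOTlPn_View=0"
    "&MSOTlPn_ShowSettings=False"
    "&__EVENTTARGET=ctl00%24m%24g_0521eb40%24ctl00%24diidIOSaveItem&__EVENTARGUMENT="
    "&__REQUESTDIGEST=0x757C%2C13+Sep+2011&__VIEWSTATE=&__EVENTVALIDATION=%2FwEWDQ"
    "&InputKeywords=&ctl00%24PlaceHolderSearchArea%24ctl01%24SBScopesDDL="
    "&ctl00%24m%24g_0521eb40%24ctl00%24ctl04%24TextField=asdfasdf"
    "&ctl00%24m%24g_0521eb40%24ctl00%24ctl07%24owshiddenversion=2"
    "&__spDummyText1=&__spDummyText2="
)


def classify(name):
    """Rough ownership of a field, by naming convention (an assumption, not a SharePoint rule)."""
    if name.startswith("__"):
        return "framework"      # ASP.NET page lifecycle: __VIEWSTATE, __EVENTTARGET, ...
    if name.startswith("MSO"):
        return "platform"       # SharePoint web-part manager state
    return "application"        # form fields wired to the page's own code


def leaf(name):
    """Strip the ctl00$m$g_...$ control-tree prefix down to the meaningful field name."""
    return name.rsplit("$", 1)[-1]


def triage(body):
    params = parse_qsl(body, keep_blank_values=True)
    report = {
        "total": len(params),
        "empty": [leaf(n) for n, v in params if v == ""],
        "by_class": {"framework": [], "platform": [], "application": []},
    }
    for name, _ in params:
        report["by_class"][classify(name)].append(leaf(name))
    # Start injection testing where the application actually consumes input:
    # application-level fields that carry a value in a normal request.
    report["fuzz_first"] = [leaf(n) for n, v in params
                            if classify(n) == "application" and v != ""]
    return report


if __name__ == "__main__":
    r = triage(SAMPLE_BODY)
    print(r["total"], "fields;", len(r["empty"]), "empty in this request")
    print("application fields:", r["by_class"]["application"])
    print("fuzz first:", r["fuzz_first"])
```

An empty value in one request does not prove the field is never read; it only says where not to start. The "passed as a habit" fields still need a pass with values supplied, since a parameter nobody populates is exactly the one nobody validated.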


Slide 17

Size Matters – manual testing…

  • Effort estimation – even if it took only 3 weeks to build, testing it will take more than 3 days! Not enough time means the hard-to-reach corners are never reached!

  • Difficulty mapping out the application

  • Hard to separate infrastructure from custom code (easy with SharePoint, not with MyDownloadedCMS)


Slide 18

Size Matters – manual testing…

  • Difficulty mapping module relationships – data comes in here and goes out… god knows where!

  • Mixed static and dynamic content

  • Code often very large, complex or not available

  • A lot of different user types, components and roles


Slide 19

Size Matters – manual testing…

  • Think about an application that has 5 user types (superadmin, site admin, supervisor, normal user, read-only report-generation user)

  • 25 different components

  • Each user can access only part of the functionality in each component, let’s say 1/3…

  • Now imagine the nightmare of authorization bypass testing!
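The combinatorics on this slide are exactly what a manual tester cannot cover by hand, so the matrix has to be written down and checked mechanically. As an added example that is not part of the presentation, the script below models a small version of the scenario: the five roles from the slide, four components (the slide says 25; four keep it readable), three actions, a policy function that stands in for the specification (assumed for the example), and a stand-in for the application with one deliberately missing check. The harness enumerates every (role, component, action) triple and reports where the application grants what the policy denies.

```python
import itertools

# Constructed model of the slide's scenario: five user types, a handful of components
# and three actions each. In a real engagement ROLES/COMPONENTS come from the spec.
ROLES = ["superadmin", "site_admin", "supervisor", "user", "report_reader"]
COMPONENTS = ["announcements", "documents", "reports", "users"]
ACTIONS = ["read", "write", "delete"]


def policy_allows(role, component, action):
    """The authorization matrix the specification says should hold (assumed for the example)."""
    if role == "superadmin":
        return True
    if role == "site_admin":
        return component != "users" or action == "read"
    if role == "supervisor":
        return action != "delete"
    if role == "user":
        return action == "read" or (component in ("announcements", "documents") and action == "write")
    if role == "report_reader":
        return component == "reports" and action == "read"
    return False


def app_allows(role, component, action):
    """Stand-in for the system under test. In a real run this would be an HTTP request made
    with a session logged in as `role`, returning True if the operation succeeded. One
    endpoint has a deliberately missing check so the harness has something to find."""
    if (component, action) == ("documents", "delete"):
        return True                     # BUG: no authorization check on this endpoint
    return policy_allows(role, component, action)


def find_bypasses(under_test=app_allows):
    """Exercise every (role, component, action) triple and return those where the
    application grants an operation the policy denies."""
    return [(r, c, a) for r, c, a in itertools.product(ROLES, COMPONENTS, ACTIONS)
            if under_test(r, c, a) and not policy_allows(r, c, a)]


def case_count():
    return len(ROLES) * len(COMPONENTS) * len(ACTIONS)


if __name__ == "__main__":
    print(f"{case_count()} cases")
    for case in find_bypasses():
        print("authorization bypass:", case)
```

Scaled to the slide’s numbers the product is 5 × 25 × (functions per component), which is why the policy has to exist as data before testing starts; the same loop with the condition inverted also finds over-restrictive endpoints, which are usually the reason someone later "disables the security feature for the whole module".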


Slide 20

Size Matters – blackbox scanning…

  • Difficult to crawl – a lot of pages to crawl, forms to submit, different functionality, JavaScript to parse

  • Redundant testing of the same code when it is activated from different locations (e.g. “email to a friend” links):

http://www.site.com/somepage.jsp?func=mailToAFriend


Slide 21

Size Matters – blackbox scanning…

  • URL rewriting / dynamically generated HTML – difficult to identify the parameters, e.g.:

http://www.ynet.co.il/articles/0,7340,L-4122262,00.html

http://www.amazon.com/Kindle-Wireless-Reading-Display-Generation/dp/B003FSUDM4/ref=sa_menu_kdp33/183-9381915-3823550
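One approach to both scanning problems above (the same code reached from many URLs, and parameters hidden inside rewritten paths), as an added example that is not part of the presentation: compute a signature per URL that ignores parameter values and ID-looking path tokens, keeps only routing parameters such as func, and then test one URL per signature. The ID patterns are tuned to the page’s ynet and Amazon examples and are an assumption for other sites; the second ynet article ID in the sample crawl list is made up.

```python
import re
from urllib.parse import urlsplit, parse_qsl

# Path tokens that look like record identifiers rather than code paths. Tuned to the
# examples on this page (assumption: other sites will need their own patterns).
ID_LIKE = re.compile(r"^(?:\d+|[A-Z0-9]{8,}|L-\d+|\d+-\d+-\d+)$")


def path_tokens(path):
    # Rewritten URLs hide parameters in the path, separated by '/', ',' or '.'.
    return [t for t in re.split(r"[/,.]", path) if t]


def signature(url, routing_params=("func",)):
    """Key that is the same for two URLs that reach the same server-side code.
    Query values are dropped, except for routing parameters such as func=mailToAFriend
    that select the code path; ID-looking path tokens are replaced by a placeholder."""
    parts = urlsplit(url)
    tokens = ["{id}" if ID_LIKE.match(t) else t for t in path_tokens(parts.path)]
    query = parse_qsl(parts.query, keep_blank_values=True)
    names = tuple(sorted(f"{k}={v}" if k in routing_params else k for k, v in query))
    return (parts.netloc.lower(), "/".join(tokens), names)


def dedupe(urls, **kwargs):
    """Keep the first URL seen for each signature: one test target per code path."""
    first = {}
    for url in urls:
        first.setdefault(signature(url, **kwargs), url)
    return list(first.values())


# Constructed crawl output; the second ynet ID is invented for the example.
CRAWL = [
    "http://www.site.com/somepage.jsp?func=mailToAFriend&id=17",
    "http://www.site.com/somepage.jsp?id=42&func=mailToAFriend",
    "http://www.site.com/somepage.jsp?func=showItem&id=42",
    "http://www.ynet.co.il/articles/0,7340,L-4122262,00.html",
    "http://www.ynet.co.il/articles/0,7340,L-4130015,00.html",
]

if __name__ == "__main__":
    for u in dedupe(CRAWL):
        print(u, "->", signature(u)[1:])
```

The Amazon URL still carries the product slug as a non-ID token, so two products would get two signatures; a per-site rule (treat everything before /dp/ as decoration) fixes that, and the point stands: the scanner has to be taught what a parameter looks like on this platform before it can stop retesting the same handler.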


Slide 22

Size Matters – code analysis…

  • Often the code is not available

  • Sometimes user code is available but not the rest

  • A LOT of code to cover

  • Cross-module relations are difficult to map – too many components to map them all

  • Massive component reuse – optimization challenges


Slide 23

Somebody Else Did It!

3rd party platforms…


Slide 24

Somebody Else Did It…

  • Somebody Else Did It – so it’s inherently secure

  • (Especially if “Somebody” is a big, established software firm…)

  • … Even if it initially wasn’t, I then didn’t update it for 5 years and built 1,000,000 lines of insecure code on top of it as “minor changes”

  • Lack of knowledge on customizations or security mechanisms


Slides 25 to 28

Somebody Else Did It… (image-only slides)

Slide 29

Somebody Else Did It…

  • Not using integrated security features – “…Windows SharePoint Services 3.0 provides 33 pre-defined permissions that you can use to allow users to perform specific actions”

  • Disabling integrated security features “the XSS defense was preventing me from using special characters, so I disabled it for the entire module…”


Slide 30

Somebody Else Did It…

  • Updates and Maintenance

    • The (not so) good - Somebody else did it… 5 years ago

    • The bad - Somebody else did it… but I didn’t install the updates

    • The ugly - Somebody else did it… and won’t fix it


Slide 31

Somebody Else Did It…

  • SharePoint File Upload Persistent XSS

    • Authentication and the ability to write to the SharePoint site are required to exploit this scenario.

    • Significant workarounds exist that allow SharePoint server configurations to be isolated from cross domain exploitation.

    • SharePoint administrators can restrict the uploading of files to SharePoint servers


Slide 32

Somebody Else Did It…

  • (Just Released! Found by Seeker™)


Slide 33

Somebody Else Did It…

  • SharePoint 2007 Central Administration XSS:

    • XSS → perform operations on behalf of users, steal information, take their cookies, corrupt data…


Slide 34

Somebody Else Did It…

POST /Reports/Pages/Default.aspx HTTP/1.1

... ctl00$MSOTlPn_EditorZone$Edit0g_7aaa0c6d_72f5_4717_9b22_80188ffdbcde$peopleEditor$hiddenSpanData=<script>alert("I didn't do HTML Encoding!")</script>

  • When the same text is typed directly into the textbox, the page encodes it on the client side to prevent XSS – so the only encoding happens in the browser, and a request sent directly (as above) skips it.
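An added example (not code from the presentation or from SharePoint) of the defect this slide describes: the page’s own JavaScript HTML-encodes the field before submitting it, the server trusts that, and a request built outside the browser lands in the page unencoded. The field name hiddenSpanData (the leaf of the control name on the slide), the template and both request bodies are constructed stand-ins.

```python
import html
from urllib.parse import parse_qs, quote

# Simplified stand-in for the server-side markup that echoes the people-editor field back.
TEMPLATE = '<span class="people-picker">{value}</span>'
FIELD = "hiddenSpanData"   # leaf of ctl00$...$peopleEditor$hiddenSpanData on the slide


def render_trusting_client(body):
    """Vulnerable: relies on the page's JavaScript having HTML-encoded the field before submit."""
    value = parse_qs(body).get(FIELD, [""])[0]
    return TEMPLATE.format(value=value)


def render_server_encoded(body):
    """Hardened: encode at the point of output, whatever the client sent."""
    value = parse_qs(body).get(FIELD, [""])[0]
    return TEMPLATE.format(value=html.escape(value, quote=True))


def contains_script(markup):
    return "<script>" in markup


# Constructed request bodies. FROM_BROWSER is what the page's own script submits after
# client-side encoding; FROM_PROXY is the same payload sent directly, skipping that step.
PAYLOAD = '<script>alert("I didn\'t do HTML Encoding!")</script>'
FROM_BROWSER = FIELD + "=" + quote(html.escape(PAYLOAD))
FROM_PROXY = FIELD + "=" + quote(PAYLOAD)

if __name__ == "__main__":
    print("trusting client, browser request :", contains_script(render_trusting_client(FROM_BROWSER)))
    print("trusting client, proxied request :", contains_script(render_trusting_client(FROM_PROXY)))
    print("server encoded,  proxied request :", contains_script(render_server_encoded(FROM_PROXY)))
```

With server-side encoding in place the client should stop pre-encoding, otherwise a browser-submitted value renders double-encoded (&amp;lt;); that visible breakage is usually what prompts a developer to "disable the XSS defense for the whole module" instead of removing the redundant client step.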


Slide 35

Somebody Else Did It…

  • SharePoint 2007 & 2010 Insecure Redirect

  • Insecure redirect → sneakily lead users to a malicious website and do bad things to them there: steal their credentials, tell them lies, have them tell their deepest secrets to www.evil.com!

  • The vulnerable parameter → Source. It is a system-wide parameter used for redirects all over SharePoint.

  • Normal values →

Source=http://mysite/Docs/Announcements/NewForm.aspx

Source=/Docs/Announcements/NewForm.aspx


Slide 36

Somebody Else Did It…

  • Normal values → anything inside the site!

  • However, this includes “localhost” or “127.0.0.1”, for example:

Source=localhost/Docs/Announcements.NewItem.aspx

  • Actually, it permits anything starting with “localhost” or “127.0.0.1”. For example:

Source=Localhost.EvilSite.Com
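Added example, not from the presentation: a check with the weakness the slide describes (a textual prefix comparison on the Source value) next to a corrected one that parses the value and compares the whole host, or accepts only a site-relative path. The host name mysite comes from the slide’s sample values; the page does not show which check SharePoint actually used, so the flawed version illustrates the pattern and is not a reproduction of product code.

```python
from urllib.parse import urlsplit

SITE_HOSTS = {"mysite"}                  # assumed host of the site in the slide's examples
LOCAL_NAMES = ("localhost", "127.0.0.1")


def flawed_is_internal(source):
    """The kind of check the slide describes: strip the scheme, then accept anything that
    *starts with* the site host, 'localhost' or '127.0.0.1'."""
    target = source.lower()
    if target.startswith("/") and not target.startswith("//"):
        return True
    for scheme in ("http://", "https://"):
        if target.startswith(scheme):
            target = target[len(scheme):]
    return target.startswith(tuple(SITE_HOSTS) + LOCAL_NAMES)   # Localhost.EvilSite.Com passes


def safe_is_internal(source):
    """Parse the value and compare the whole host, or require a site-relative path."""
    parts = urlsplit(source)
    if parts.scheme or parts.netloc:
        # Absolute or protocol-relative: scheme must be http(s) and the host must match exactly
        # (hostname also strips user@ and :port, so http://mysite@evil.example is rejected).
        return parts.scheme in ("http", "https") and parts.hostname in SITE_HOSTS
    # No scheme and no authority: only a site-relative path is acceptable. "//host" and
    # "/\host" are rejected; a bare "host/path" is rejected too, since the browser would
    # resolve it relative to the current page, which is never what the caller meant.
    return source.startswith("/") and not source.startswith(("//", "/\\"))


def redirect_target(source, fallback="/"):
    """Where to send the user: the Source value if it is internal, otherwise the fallback."""
    return source if safe_is_internal(source) else fallback


if __name__ == "__main__":
    for s in ("/Docs/Announcements/NewForm.aspx", "http://mysite/Docs/Announcements/NewForm.aspx",
              "Localhost.EvilSite.Com", "http://mysite.evil.example/", "//evil.example/x"):
        print(f"{s:45} flawed={flawed_is_internal(s)!s:5} safe={safe_is_internal(s)}")
```

The prefix bug generalises beyond localhost: mysite.evil.example and mysite@evil.example both start with the site name, which is why the comparison must be on the parsed host and not on the string.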


Slide 37

My CMS has Wings!

So Does Everybody Else’s


Slide 38

My CMS has Wings!

  • CommunityMS – widgetization, add-ons, etc.

  • UGC – User Generated Content – Web 2.0

  • Both create many opportunities for security flaws!

  • Administration & back office – leaving the admin interface publicly accessible, and not testing it because “nobody has access to it”


Slide 39

My CMS has Wings!

  • Administrative interfaces? Just Google it!

  • SharePoint?

    • Google for inurl:/docs/lists/announcements

  • WordPress?

    • Google for inurl:wp-login.php

    • (remote admin password reset vulnerability, anyone?)

  • PeopleSoft?

    • Google for inurl:maintain_security


Slide 40

My CMS has Wings!

  • I took a component, and then my custom code added write permissions to it. It was never secure enough for write permissions.

  • Adding components provided by dubious entities… (look what I found on Google! It’s just a widget…)


Slide 41

My CMS has Wings!

  • Fresh from the oven, released in the past week:

    • WordPress WP e-Commerce Plugin 'cs1' Parameter SQL Injection Vulnerability (14-Sep-2011)

    • WordPress 'comment_post_ID' Parameter SQL Injection Vulnerability (12-Sep-2011)

    • WordPress Easy Comment Uploads Plugin 'upload.php' Arbitrary File Upload Vulnerability (12-Sep-2011)

    • WordPress Tune Library Plugin 'letter' Parameter SQL Injection Vulnerability (10-Sep-2011)
Slide 42

Help!!!

What can You do??


Slide 43

Help!!!

  • Provide enough time for thorough security testing

  • Know which components are present

  • Buy your platform from a reputable vendor, or test it fully, including the platform components

  • Spend time configuring your security tools

  • Prefer security tools that know your specific platform
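For "know which components are present", an added example that is not part of the presentation: a page-level inventory of a WordPress site’s plugins and themes taken from the /wp-content/ references and ?ver= cache-busters in crawled HTML, compared against the versions you track. The HTML is constructed; the plugin slugs follow the advisories listed on slide 41, but the version numbers are placeholders with no relation to any real release, and the tracked-version dictionary is likewise invented for the example.

```python
import re

# Constructed HTML standing in for one crawled page of a WordPress site. Plugin slugs
# match the advisories on slide 41; the version numbers are placeholders.
SAMPLE_HTML = """
<meta name="generator" content="WordPress 3.2.1" />
<link rel="stylesheet" href="http://www.example.com/wp-content/plugins/wp-e-commerce/wpsc-theme/style.css?ver=3.8.6">
<script src="http://www.example.com/wp-content/plugins/easy-comment-uploads/js/upload.js?ver=0.7"></script>
<script src="/wp-content/plugins/tune-library/tune.js"></script>
<script src="/wp-content/themes/twentyeleven/js/html5.js?ver=1.2"></script>
"""

REF_RE = re.compile(r"/wp-content/(plugins|themes)/([A-Za-z0-9_.-]+)/[^\"'\s]*")
VER_RE = re.compile(r"[?&]ver=([^\"'&\s]+)")
GENERATOR_RE = re.compile(r'<meta name="generator" content="WordPress ([^"]+)"')


def inventory(page_html):
    """Return the core version and every plugin/theme the page references, with the
    version the ?ver= cache-buster exposes where one is present."""
    components = {}
    for m in REF_RE.finditer(page_html):
        key = (m.group(1), m.group(2))
        ver = VER_RE.search(m.group(0))
        if ver or key not in components:       # keep a version once we have seen one
            components[key] = ver.group(1) if ver else None
    gen = GENERATOR_RE.search(page_html)
    return {"core": gen.group(1) if gen else None, "components": components}


def review(inv, tracked):
    """Compare with the versions you track (a constructed dict in the example) and list
    what needs attention: untracked components, unknown versions, and mismatches."""
    findings = []
    for key, ver in sorted(inv["components"].items()):
        if key not in tracked:
            findings.append((key, "untracked"))
        elif ver is None:
            findings.append((key, "version unknown"))
        elif ver != tracked[key]:
            findings.append((key, f"{ver} != tracked {tracked[key]}"))
    return findings


# Invented for the example: what the site owner believes is installed.
TRACKED = {
    ("plugins", "wp-e-commerce"): "3.8.7",
    ("plugins", "tune-library"): "1.5",
    ("themes", "twentyeleven"): "1.2",
}

if __name__ == "__main__":
    inv = inventory(SAMPLE_HTML)
    print("core:", inv["core"])
    for finding in review(inv, TRACKED):
        print(*finding)
```

One page only shows the components that page loads, so the inventory has to be merged across a crawl, and a plugin that exposes no ?ver= still has to be resolved from the filesystem or its readme. The untracked finding is the one that matters most: it is the "look what I found on Google, it’s just a widget" component nobody wrote down.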


    Slide44 l.jpg

    Help!!!

    • Choose widgets and add-ons from a reputable vendor, and test them properly anyway

    • Take an expert who knows it to configure it and help you customize it

    • Use the built-in security features

    • Update and maintain it!

    • Secure it like any other development process


    Slide45 l.jpg

    Thank You!


  • Login