Application Security - Science or Quality Assurance ?


Presentation Transcript


  1. Application Security - Science or Quality Assurance? Nazar Tymoshyk Ph.D, Security Consultant, R&D at SoftServe

  2. Famous Security Professionals: Richard Stallman, Linus Torvalds, Tsutomu Shimomura, Robert Morris, Stephen Wozniak

  3. Famous “Security Professionals”: Adrian Lamo, Kevin Mitnick, Kevin Poulsen, Jonathan James, Gary McKinnon

  4. What about famous QA professionals?

  5. To be a security bug hunter

  6. So you know where to move ;) Security is also a metric of software quality: “The simple truth is that catching security holes earlier costs an organization less to remediate, which makes good business sense.”

  7. QA Engineer vs. Security Analyst. In functional and performance testing, the expected results are documented before the test begins, and the quality assurance team looks at how well the expected results match the actual results. In security testing, the quality assurance team is concerned only with unexpected results and with testing for the unknown.

  8. Weapons: Passion, Tools, Persistence, Guides, Research, Checklists

  9. Collaboration and Teamwork: “IT security and quality assurance working together are exponentially more powerful. The result will be a more security-oriented QA department and a more quality-oriented IT security department, which will help remove more risk and provide better continuity.”

  10. OWASP: SAMM, WAF, Development Guide, Testing Guide, ASVS

  11. Microsoft approach

  12. Testing security with tools: Core Impact, Burp, Acunetix WVS, w3af, HP WebInspect, OWASP ZAP, OWASP Mantra, IBM Rational AppScan

  13. DEMO: Let’s test a small web site with commercial and free tools

  14. Applying a scientific approach. Get tools from: http://goo.gl/eHl2u Targets: http://192.168.195.34 http://192.168.195.80

  15. Smashing the app. Remote code execution – one of the most dangerous vulnerabilities in web apps. How it is reached: • Upload scripts to the server • Remote File Inclusion (RFI) • Local File Inclusion (LFI)

  16. Unrestricted file upload. File upload vulnerability – allows a remote attacker to upload files/scripts with arbitrary content or an arbitrary extension to the server. This vulnerability exists because the file extension check is implemented incorrectly. Incorrect methods of validating the uploaded file’s extension: • Validating the MIME type of the uploaded file instead of the file extension • Black-list extension validation • Other errors… Insecure web-server/application-server configuration also plays an important role.

  17. Upload your shell

  18. Changing MIME type. Validation sample:

      <?php
      $imageTypes = array("image/gif", "image/jpg", "image/png");
      if(isset($_FILES["image"])) {
          // "type" is the Content-Type the client declared for the part
          if(!in_array($_FILES["image"]["type"], $imageTypes)) {
              die("Hacking Attempt!");
          }
          copy($_FILES["image"]["tmp_name"], "images/{$_FILES["image"]["name"]}");
      }
      ?>

      Problem: it is easy to change the type of the file, because it is set by the browser in the HTTP request, and every variable that is set by the browser can be changed by the user.

  19. Content validation. Black list: the wrong way

      <?php
      if(isset($_FILES["image"])) {
          // only these extensions are rejected; anything not listed passes
          if(preg_match('#\.((php)|(php3)|(php4)|(php5))$#i', $_FILES["image"]["name"])) {
              die("Hacking Attempt!");
          }
          copy($_FILES["image"]["tmp_name"], "images/{$_FILES["image"]["name"]}");
      }
      ?>

  20. Regular expressions

      <?php
      if(isset($_FILES["image"])) {
          // matches ".jpg" anywhere in the name, not only at the end
          if(preg_match('#\.jpg#i', $_FILES["image"]["name"])) {
              copy($_FILES["image"]["tmp_name"], "images/{$_FILES["image"]["name"]}");
          }
      }
      ?>

      In this sample the name of the uploaded file is checked for the string .jpg. But the regular expression is missing the control symbol $ that indicates end of line. As a result, the file shell.jpg.php will be uploaded successfully.

  21. Right way: white-list validation

      <?php
      if(isset($_FILES["image"])) {
          // anchored pattern: only safe name characters and a listed image extension
          if(preg_match('#^[a-z0-9-_]+\.((jpg)|(png)|(bmp))$#i', $_FILES["image"]["name"])) {
              move_uploaded_file($_FILES["image"]["tmp_name"], "images/{$_FILES["image"]["name"]}");
          }
      }
      ?>
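The four checks from slides 18 to 21, reimplemented as an added example (not the presentation's own code, and written in Python rather than PHP so it runs stand-alone) over a constructed list of upload names, to show which names each check would let onto the server:

```python
import re

# Constructed sample uploads: (client-declared MIME type, filename).
SAMPLE_UPLOADS = [
    ("image/jpg", "photo.jpg"),         # legitimate upload
    ("image/gif", "shell.php"),         # MIME type forged by the client
    ("image/png", "shell.phtml"),       # extension outside the fixed blacklist
    ("image/png", "shell.jpg.php"),     # '.jpg' appears, but not at the end
    ("image/png", "../../shell.jpg"),   # path characters inside the name
]

def check_mime(mime, name):
    # Slide 18: trusts the browser-supplied Content-Type header.
    return mime in ("image/gif", "image/jpg", "image/png")

def check_blacklist(mime, name):
    # Slide 19: rejects a fixed list of extensions; everything else passes.
    return re.search(r"\.((php)|(php3)|(php4)|(php5))$", name, re.I) is None

def check_unanchored(mime, name):
    # Slide 20: looks for '.jpg' anywhere, since the '$' anchor is missing.
    return re.search(r"\.jpg", name, re.I) is not None

def check_whitelist(mime, name):
    # Slide 21: anchored whitelist of allowed characters and extensions.
    return re.fullmatch(r"[a-z0-9\-_]+\.((jpg)|(png)|(bmp))", name, re.I) is not None

CHECKS = {
    "mime": check_mime,
    "blacklist": check_blacklist,
    "unanchored": check_unanchored,
    "whitelist": check_whitelist,
}

def accepted_by(check_name):
    """Return the sample filenames the named check would store on the server."""
    check = CHECKS[check_name]
    return [name for mime, name in SAMPLE_UPLOADS if check(mime, name)]

if __name__ == "__main__":
    for check_name in CHECKS:
        print(f"{check_name:>10}: {accepted_by(check_name)}")
```

Only the anchored whitelist stops every constructed name except the legitimate one; the other three each let at least one script name through.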

  22. Local File Inclusion. Local File Inclusion – allows including local files on the remote server and executing arbitrary code. Reason: incorrect validation of the included file name, vulnerable server configuration. Successful LFI exploitation has three main tasks: • Removing the postfix • Directory traversal • Searching for files for code injection

  23. Directory Traversal. Filtering can prevent directory traversal. Very often developers filter ../ like this:

      <?php
      // removes "../" in a single pass, then appends the fixed postfix
      include(str_replace("../", "", $_GET["page"]).".inc");
      ?>

      ../../../etc/passwd --> filtering --> etc/passwd --> fail. But such filtering is not enough – it is not recursive: ..././..././..././etc/passwd --> filtering --> ../../../etc/passwd --> profit.

  24. Secure Validation. Secure validation – checking the filename for service symbols:

      <?php
      // reject any character outside A-Z, a-z, 0-9, "-" and "_"
      if(preg_match('#[^a-z0-9-_]#i', $page)) {
          die("Hacking Attempt!");
      }
      include("{$page}.inc");
      ?>

      In this sample, if we try to include a file whose name contains symbols other than A-Z, a-z, 0-9 and the symbols «-» and «_», execution of the PHP script is interrupted.
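The single-pass filter from slide 23 beside the whitelist from slide 24, as an added example (not the presentation's code, written in Python rather than PHP so it runs stand-alone) that also adds a repeat-until-stable variant to make clear why one str_replace pass is not enough:

```python
import re

# Constructed page parameters, as they might arrive in ?page=...
SAMPLE_PAGES = ["about", "../../../etc/passwd", "..././..././..././etc/passwd"]

def filter_once(page):
    # Slide 23: one pass of str_replace("../", "", $page); not recursive.
    return page.replace("../", "")

def filter_until_stable(page):
    # Repeats the removal until no "../" remains, so a nested "..././" cannot
    # rebuild itself after one pass. Still a blacklist; shown for comparison only.
    while "../" in page:
        page = page.replace("../", "")
    return page

def secure_include_path(page):
    # Slide 24: whitelist the name before building the path; anything outside
    # A-Z, a-z, 0-9, '-' and '_' is rejected (returns None instead of die()).
    if re.search(r"[^a-z0-9\-_]", page, re.I):
        return None
    return f"{page}.inc"

def compare(page):
    """Return the include path each approach would build for one page parameter."""
    return {
        "filter_once": filter_once(page) + ".inc",
        "filter_until_stable": filter_until_stable(page) + ".inc",
        "secure": secure_include_path(page),
    }

if __name__ == "__main__":
    for page in SAMPLE_PAGES:
        print(page, compare(page))
```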

  25. So, how to become a Security Analyst: use OWASP research, ask and share, participate in the community, Samurai WTF, talk on Security Hole

  26. Feedback & Questions. Contact Nazar: skype: root_nt, email: root.nt@gmail.com. Presentation & Files: http://goo.gl/eHl2u Leave your feedback: http://goo.gl/FW4ar Join OWASP Lviv: https://www.owasp.org/index.php/Lviv
