Revealing the Secrets:

Source Code Disclosure, Techniques, and Impacts

I am…
  • Anant Kochhar, Senior Information Security Consultant with SecurEyes
  • Project Manager and Researcher
  • Malware Detection Techniques and
  • Real World Cracker Techniques
Unique Insecurities…
  • Each developer is unique
  • Each application is unique
  • Each application is uniquely insecure.
  • Each developer is uniquely insecure.
Source Code Disclosure Types
  • Accidental Code Disclosure
  • Backup and Misc. Files
  • The Dirty Download Page
Accidental Disclosure
  • Part of the Source Code is available in the HTML source code.
  • When Dynamic pages are turned into Static pages: like from ‘.asp’ to ‘.html’
  • Coders don’t remove the ASP code before publishing the HTML page.
  • Why? Because IE is very forgiving.
Google- Looking in a domain which claims to have ALL ‘audited’ sites

“mdb”

“server.createobject” OR “server.mappath”

site:???.??

How to avoid it…
  • Don’t be careless.
    • Go through the HTML source code of every page before it is published online.
  • Use both IE and Firefox to test a page.
Backup and Misc. Files
  • Source code stored in readable formats.
  • Coders save backup files in the website’s hosting folders.
  • Zipped files, ‘.bak’ extensions etc.
  • Coders often use bad extensions- like ‘.inc’- for ‘included’ configuration files.
How to discover…
  • Directory Listings.
  • Disclosure in HTML Source (Rare)
  • Other non-standard techniques.
Google-The same secured domain

“zip”

“parent directory”

site:???.??

How to avoid it…
  • Disable Directory Listing
  • Don’t use the Hosting space as a storage space.
  • Name all ‘.inc’ files as ‘.inc.php’ or ‘.inc.asp’ files to make them inaccessible.
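
A pre-publish check covering both ‘How to avoid it’ lists above (server-side code left in static pages, and backup or ‘.inc’ files kept in the hosting folder), as an added example that is not part of the original slides. The extension lists, the marker pattern and the sample files are assumptions constructed for the demo.

```php
<?php
// Added example: audit a web root before publishing.
// Assumed lists; extend them to match your own site.
const STATIC_EXT   = ['html', 'htm'];
const RISKY_EXT    = ['bak', 'zip', 'inc', 'mdb'];
// Server-side markers that should never survive in a static page.
const CODE_MARKERS = '/<%|<\?php|<\?=|server\.createobject|server\.mappath/i';

function audit_web_root(string $root): array
{
    $findings = [];
    $files = new RecursiveIteratorIterator(
        new RecursiveDirectoryIterator($root, FilesystemIterator::SKIP_DOTS)
    );
    foreach ($files as $file) {
        if (!$file->isFile()) {
            continue;
        }
        $path = $file->getPathname();
        // Only the last extension counts: config.inc.php is 'php', config.inc is 'inc'.
        $ext = strtolower($file->getExtension());
        if (in_array($ext, RISKY_EXT, true)) {
            $findings[] = [$path, 'backup/include file served as readable content'];
        } elseif (in_array($ext, STATIC_EXT, true)) {
            $lines = file($path, FILE_IGNORE_NEW_LINES) ?: [];
            foreach ($lines as $n => $line) {
                if (preg_match(CODE_MARKERS, $line)) {
                    $findings[] = [$path . ':' . ($n + 1), 'server-side code in static page'];
                }
            }
        }
    }
    return $findings;
}

// Constructed sample tree so the script runs offline.
$root = sys_get_temp_dir() . '/audit_demo_' . getmypid();
mkdir($root);
file_put_contents("$root/index.html",
    "<html>\n<% Set c = Server.CreateObject(\"ADODB.Connection\") %>\n</html>\n");
file_put_contents("$root/about.html", "<html><body>About us</body></html>\n");
file_put_contents("$root/config.inc", "db_password=example\n");
file_put_contents("$root/config.inc.php", "<?php /* executed by the engine, not served */\n");

foreach (audit_web_root($root) as [$where, $why]) {
    echo "$where: $why\n";
}
```

Run it with the PHP command-line interpreter against a staging copy of the site; the script only reads files under the directory it is given.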
The Dirty Download Page
  • Better known as ‘Insecure Direct Object Ref.’
  • Paper in December 2007:

http://secureyes.net/downloads/Source_Code_Disclosure_over_HTTP.pdf

  • Many white hats have contacted me regarding it.
  • Translated into Spanish- which is flattering and scary
  • Not the target audience.
How An Engine Works

[Diagram: User’s Browser → URL:/user_login.php → Server (PHP Engine; Application Root Folder holding User_login.php) → HTML part of User_login.php → User’s Browser]

Internal Affairs…

[Diagram: User’s Browser → URL:/1.doc → Server (PHP Engine; Application Root Folder holding 1.doc) → 1.doc → User’s Browser]

The Other Method…

Stream the static content files through a dynamic page:

  • Filename passed as a parameter to the dynamic page- hereby called the ‘download’ page.
  • The download page looks for the file in the hosting folder
  • And upon finding it, streams it to the user’s browser.
http://www.vulnerable123.com/download_file.php?filename=1.doc
Internal Affairs 2

[Diagram: User’s Browser → URL:/download_file.php?filename=1.doc → Server (PHP Engine; Application Root Folder holding Download_file.php and 1.doc) → 1.doc → User’s Browser]

The Exploit…

Change the filename parameter’s value to user_login.php:

  • Will it be processed by the engine before being streamed?
  • No. The engine does not process a single request twice. It simply streams the source code file ‘user_login.php’.
http://www.vulnerable123.com/download_file.php?filename=user_login.php
Internal Affairs 3

[Diagram: User’s Browser → URL:/download_file.php?filename=user_login.php → Server (PHP Engine; Application Root Folder holding Download_file.php and User_login.php) → user_login.php source code file → User’s Browser]

Google

A URL which contains:

  • A Dynamic Page extension.

ext:php OR ext:jsp OR ext:asp OR ext:aspx

  • A Static File extension in the URL (somewhere):

inurl:doc OR inurl:pdf OR inurl:xls OR inurl:txt OR inurl:ppt OR inurl:htm

Pattern (contd.)

Combining:

inurl:doc OR inurl:pdf OR inurl:xls OR inurl:txt OR inurl:ppt ext:php OR ext:jsp OR ext:asp OR ext:aspx

Google Result Page

Lots of false positives

Patterns (contd.)

Search can be restricted to a site or a domain

site:vulnerable123.com

Finding the Dirty Download Page in www.vulnerable123.com:

inurl:doc OR inurl:pdf OR inurl:xls OR inurl:txt OR inurl:ppt ext:php OR ext:jsp OR ext:asp OR ext:aspx site:vulnerable123.com

Recommended Resolutions
  • Indirectly refer internal objects.
  • For example, index the downloadable files, and pass index numbers instead of file names.
  • File extension validation alone is not enough: it can be bypassed with Null Byte Injection.
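
The download page before and after switching to indirect references, as an added example that is not the presenter's code. File names follow the slides; the index map, the function names and the sample files are hypothetical, and the functions return the bytes instead of streaming them so the script runs from the command line.

```php
<?php
// Added example: 'download' page logic, vulnerable form next to the indexed form.

// BEFORE: the client-supplied name goes straight to the filesystem, so any
// readable file under the root, including .php source, comes back as raw bytes.
function download_vulnerable(string $root, string $filename): string
{
    return file_get_contents($root . '/' . $filename);
}

// AFTER: the client sends only an index number. The server owns the map, so no
// client-controlled string (and therefore no NUL byte) is ever part of a path.
const DOWNLOADS = [
    1 => '1.doc',
    2 => 'brochure.pdf',   // hypothetical second entry, not present in the demo root
];

function download_by_id(string $root, string $rawId): ?string
{
    $id = filter_var($rawId, FILTER_VALIDATE_INT);
    if ($id === false || !array_key_exists($id, DOWNLOADS)) {
        return null;                       // caller answers with 404
    }
    $path = $root . '/' . DOWNLOADS[$id];
    return is_file($path) ? file_get_contents($path) : null;
}

// Constructed demo root standing in for the application root folder.
$root = sys_get_temp_dir() . '/dl_demo_' . getmypid();
mkdir($root);
file_put_contents("$root/1.doc", "quarterly report\n");
file_put_contents("$root/user_login.php", "<?php \$db_pass = 'example'; ?>\n");

// The vulnerable form hands back the script's source, unexecuted.
var_dump(download_vulnerable($root, 'user_login.php'));

// The indexed form serves a listed file and refuses everything else.
var_dump(download_by_id($root, '1'));               // listed document
var_dump(download_by_id($root, 'user_login.php'));  // a file name is not an index
var_dump(download_by_id($root, '99'));              // index not in the map
```

With the map in place, the public URL becomes download_file.php?id=1 and adding a file for download means adding a row to the map.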
Contact me:

anant.kochhar[at]secureyes[dot]net

Thank you