Upgrade to Pro — share decks privately, control downloads, hide ads and more …

Vulnérabilités liées au téléversement de fichiers par Philippe Arteau

OWASP Montréal
November 07, 2013
Programming
0
130

Vulnérabilités liées au téléversement de fichiers par Philippe Arteau

PRÉSENTATEUR PRINCIPAL: Philippe Arteau

WEBCAST: http://www.youtube.com/watch?v=mo10to3JNBY

RÉSUMÉ: Le téléversement de fichiers fait partie intégrante des applications web modernes. Qu'il s'agisse d'images ou de documents, plusieurs risques guettent l'acceptation de fichiers provenant d'un utilisateur. Les attaques les plus communes seront présentées allant de simples "webshells" à des problèmes de configuration plus poussés liés au "same orgin policy".

BIO: Philippe est conseiller en sécurité applicative pour le Groupe Technologies Desjardins. Au quotidien, il s'occupe d'effectuer des tests d'intrusions et des revues de code pour des applications utilisées par Desjardins. Il a découvert des vulnérabilités importantes dans plusieurs logiciels populaires comme Google Chrome, DropBox, ESAPI et Jira.

OWASP Montréal

November 07, 2013
Tweet

More Decks by OWASP Montréal

See All by OWASP Montréal
OWASP_-_Operate_PCIDSS_infrastructure_using_devOps_approch.pptx.pdf
owaspmontreal
0
110
Endpoint Bypass Charles Hamilton
owaspmontreal
0
130
Hybrid approach to security testing
owaspmontreal
0
190
Threat Modeling Toolkit
owaspmontreal
0
900
NorthSec - Applied Security Event
owaspmontreal
0
170
Sécurité des applications : Les fondements
owaspmontreal
0
110
WORKSHOP ! Server Side Template Injection (SSTI)
owaspmontreal
1
900
Ransomware and healthcare - Hacking Health
owaspmontreal
0
140
OWASP Montréal reçoit Mario Contestabile
owaspmontreal
0
170

Other Decks in Programming

See All in Programming
WebComponent
milkmidi
0
2.2k
メタヒューリスティクスで広がる「解けた!」の世界
terryu16
7
2.4k
ecspressoを活用したCI/CDパイプラインをアジャイル開発現場に導入してみたら
htsuchinga
2
1.1k
ドキュメントからコードを生成したい on Rails 開発
38tter
1
250
Swift Macro に備えて構文木を 10min で学ぶ / Learn Syntax Tree for Swift Macro in 10 minutes
orgachem
1
180
FlutterでTikTokログインができるパッケージを作った話
k9i
1
180
안드로이드 UI 상태 저장 권장사항
pangmoo
1
160
Security基礎研修
techtekt
0
240
Azure Machine Learning Prompt flow 評価メトリクス解説
nohanaga
6
1.2k
「推測されやすい」パスワードを入力させないためにフロントエンドエンジニアができること
uirikuto
9
3.9k
GPT-4 32k によるドメイン駆動設計
tysoke
1
1.2k
Ruby Parser progress report
yui_knk
0
900

Featured

See All Featured
Bash Introduction
62gerente
603
210k
Designing with Data
zakiwarfel
93
4.5k
10 Git Anti Patterns You Should be Aware of
lemiorhan
644
56k
Faster Mobile Websites
deanohume
296
29k
Bootstrapping a Software Product
garrettdimon
PRO
299
110k
Docker and Python
trallard
31
2.2k
Fashionably flexible responsive web design (full day workshop)
malarkey
395
64k
個人開発の失敗を避けるイケてる考え方 / tips for indie hackers
panda_program
38
11k
Automating Front-end Workflow
addyosmani
1354
200k
[RailsConf 2023 Opening Keynote] The Magic of Rails
eileencodes
5
6.9k
Git: the NoSQL Database
bkeepers
PRO
420
61k
ReactJS: Keep Simple. Everything can be a component!
pedronauck
657
120k

Transcript

  1. Presentation by Philippe Arteau
    Owasp Montreal
    Live Demo (In
    french)

    View Slide

  2. Agenda
    ● Who am I?
    ● The Basics
    ○ Web Shell
    ○ Path traversal
    ● Advanced tricks
    ○ Content-Type weakness
    ○ SWF
    ○ XXE

    View Slide

  3. Who am I ?
    ● Security Advisor at Desjardins
    ● Bug hunter
    ○ Google Chromium, Dropbox, JIRA, ESAPI, PayPal...
    ● Open-Source developper
    ○ Find Security Bugs (Findbugs security extension)
    ○ Javascript Scanner for ZAP Proxy

    View Slide

  4. Got a shell !

    View Slide

  5. Web Shell
    Consist in the upload of a malicious script file.
    Once uploaded, the script can be reach
    remotely to execute command, read file and
    more.

    View Slide

  6. Path traversal
    ● Vulnerabilities occurs when a path is build
    using user input that is not properly
    sanitize.
    Example :
    upload/$USER$/$FILE$
    upload/test/../../2_shell.php
    Ref: WASC-33: Path Traversal

    View Slide

  7. HTMHEL
    L
    XSS the easy way

    View Slide

  8. HTML
    ● Hosting user HTML files is equivalent to be
    vulnerable to XSS

    View Slide

  9. Content-Type
    ● Content-type allow should be whitelisted
    ● Content Sniffing
    ○ X-Content-Type-Options (IE specific)
    Ref:
    Browser Security Handbook
    Secure Content Sniffing for Web Browsers

    View Slide

  10. Fishing attack
    Can we trust this URL?
    ● domain *.dropbox.com
    ● ssl certificate
    ● no apparent XSS

    View Slide

  11. Flash attacks
    cross-domain attacks using SWF

    View Slide

  12. crossdomain.xml
    ● [...]domain="*.a.com"/>[...]

    View Slide

  13. SWF attack

    View Slide

  14. Bonus
    so you’re parsing XML ?

    View Slide

  15. XML
    ● Parsing XML is dangerous if advanced
    feature such as Entities are activate
    ○ XML eXternal Entities (XXE)
    ○ XML Entities Expension (XEE)
    Ref:
    WS-Attacks.org: XML Generic Entity Expansion

    View Slide

  16. XXE
    Example of XXE loading the content of a local
    file (server-side).
    ]>

    CONTENT---&xxe;---

    View Slide

  17. Protections
    There is hope..

    View Slide

  18. Protections
    ● Store files in a directory that is not publicly
    exposed
    ● Don’t use original filename as destination
    ● Validate extension
    ● Validate final path
    ● Validate file content
    ● Domain separation
    ● Make no assumption about the content

    View Slide

  19. Follow me at
    http://blog.h3xstream.com/

    View Slide