Upgrade to Pro — share decks privately, control downloads, hide ads and more …

Vulnérabilités liées au téléversement de fichie...

OWASP Montréal
November 07, 2013
Programming
0
140

Vulnérabilités liées au téléversement de fichiers par Philippe Arteau

PRÉSENTATEUR PRINCIPAL: Philippe Arteau

WEBCAST: http://www.youtube.com/watch?v=mo10to3JNBY

RÉSUMÉ: Le téléversement de fichiers fait partie intégrante des applications web modernes. Qu'il s'agisse d'images ou de documents, plusieurs risques guettent l'acceptation de fichiers provenant d'un utilisateur. Les attaques les plus communes seront présentées allant de simples "webshells" à des problèmes de configuration plus poussés liés au "same orgin policy".

BIO: Philippe est conseiller en sécurité applicative pour le Groupe Technologies Desjardins. Au quotidien, il s'occupe d'effectuer des tests d'intrusions et des revues de code pour des applications utilisées par Desjardins. Il a découvert des vulnérabilités importantes dans plusieurs logiciels populaires comme Google Chrome, DropBox, ESAPI et Jira.

OWASP Montréal

November 07, 2013
Tweet

More Decks by OWASP Montréal

See All by OWASP Montréal
OWASP_-_Operate_PCIDSS_infrastructure_using_devOps_approch.pptx.pdf
owaspmontreal
0
150
Endpoint Bypass Charles Hamilton
owaspmontreal
0
140
Hybrid approach to security testing
owaspmontreal
0
220
Threat Modeling Toolkit
owaspmontreal
0
1.1k
NorthSec - Applied Security Event
owaspmontreal
0
210
Sécurité des applications : Les fondements
owaspmontreal
0
120
WORKSHOP ! Server Side Template Injection (SSTI)
owaspmontreal
1
1k
Ransomware and healthcare - Hacking Health
owaspmontreal
0
160
OWASP Montréal reçoit Mario Contestabile
owaspmontreal
0
270

Other Decks in Programming

See All in Programming
CSC509 Lecture 11
javiergs
PRO
0
180
受け取る人から提供する人になるということ
little_rubyist
0
230
macOS でできる リアルタイム動画像処理
biacco42
9
2.4k
EMになってからチームの成果を最大化するために取り組んだこと/ Maximize team performance as EM
nashiusagi
0
100
PHP でアセンブリ言語のように書く技術
memory1994
PRO
1
170
Compose 1.7のTextFieldはPOBox Plusで日本語変換できない
tomoya0x00
0
190
CSC509 Lecture 09
javiergs
PRO
0
140
CSC509 Lecture 13
javiergs
PRO
0
110
Contemporary Test Cases
maaretp
0
140
Make Impossible States Impossibleを 意識してReactのPropsを設計しよう
ikumatadokoro
0
200
[Do iOS '24] Ship your app on a Friday...and enjoy your weekend!
polpielladev
0
110
TypeScriptでライブラリとの依存を限定的にする方法
tutinoko
3
690

Featured

See All Featured
Building an army of robots
kneath
302
43k
The Language of Interfaces
destraynor
154
24k
ピンチをチャンスに:未来をつくるプロダクトロードマップ #pmconf2020
aki_iinuma
109
49k
A Tale of Four Properties
chriscoyier
156
23k
Put a Button on it: Removing Barriers to Going Fast.
kastner
59
3.5k
Imperfection Machines: The Place of Print at Facebook
scottboms
265
13k
Designing the Hi-DPI Web
ddemaree
280
34k
How to Think Like a Performance Engineer
csswizardry
20
1.1k
Building Adaptive Systems
keathley
38
2.3k
The Art of Delivering Value - GDevCon NA Keynote
reverentgeek
8
890
Side Projects
sachag
452
42k
Sharpening the Axe: The Primacy of Toolmaking
bcantrill
38
1.8k

Transcript

  1. Presentation by Philippe Arteau Owasp Montreal Live Demo (In french)

  2. Agenda • Who am I? • The Basics ◦ Web

    Shell ◦ Path traversal • Advanced tricks ◦ Content-Type weakness ◦ SWF ◦ XXE

  3. Who am I ? • Security Advisor at Desjardins •

    Bug hunter ◦ Google Chromium, Dropbox, JIRA, ESAPI, PayPal... • Open-Source developper ◦ Find Security Bugs (Findbugs security extension) ◦ Javascript Scanner for ZAP Proxy

  4. Got a shell !

  5. Web Shell Consist in the upload of a malicious script

    file. Once uploaded, the script can be reach remotely to execute command, read file and more.

  6. Path traversal • Vulnerabilities occurs when a path is build

    using user input that is not properly sanitize. Example : upload/$USER$/$FILE$ upload/test/../../2_shell.php Ref: WASC-33: Path Traversal

  7. HTMHEL L XSS the easy way

  8. HTML • Hosting user HTML files is equivalent to be

    vulnerable to XSS

  9. Content-Type • Content-type allow should be whitelisted • Content Sniffing

    ◦ X-Content-Type-Options (IE specific) Ref: Browser Security Handbook Secure Content Sniffing for Web Browsers

  10. Fishing attack Can we trust this URL? • domain *.dropbox.com

    • ssl certificate • no apparent XSS

  11. Flash attacks cross-domain attacks using SWF

  12. crossdomain.xml • [...]<allow-access-from domain="*.a.com"/>[...]

  13. SWF attack •

  14. Bonus so you’re parsing XML ?

  15. XML • Parsing XML is dangerous if advanced feature such

    as Entities are activate ◦ XML eXternal Entities (XXE) ◦ XML Entities Expension (XEE) Ref: WS-Attacks.org: XML Generic Entity Expansion

  16. XXE Example of XXE loading the content of a local

    file (server-side). <!DOCTYPE root [<!ENTITY xxe SYSTEM "file:///var/server/path/secret.txt">]> <root> <data>CONTENT---&xxe;---</data> </root>

  17. Protections There is hope..

  18. Protections • Store files in a directory that is not

    publicly exposed • Don’t use original filename as destination • Validate extension • Validate final path • Validate file content • Domain separation • Make no assumption about the content

  19. Follow me at http://blog.h3xstream.com/