ETHICAL HACKING FROM INSIDE STEP 1: CODE REVIEW Sandro "guly" Zaccarini OPSCON 2016

guly@opscon 2016 whoami ▸ Sandro "guly" Zaccarini ▸ born purple ▸ happy to build ▸ hungry to break

guly@opscon 2016 agenda ▸ what the f...ine is ethical hacking? ▸ why would i have to pay someone to say me i'm broken?! ▸ (secure) code review, a matter of? ▸ ...playground

guly@opscon 2016 survey ▸ how many of you are devs? ▸ and devops? ▸ what about the others? ▸ how many of you "suffered" from a secure code review? ▸ and from a penetration test?

guly@opscon 2016 ethical hacking, AKA ▸ Penetration Test ▸ Intrusion Testing ▸ Vulnerability Assessment ▸ Security Assessment ▸ Red Team ▸ Cyber Attack Simulation ▸ (throw your dice)

guly@opscon 2016 ethical hacking, what the fine Ethical hacking refers to the act of locating weaknesses and vulnerabilities of computer and information systems by duplicating the intent and actions of malicious hackers [cit. http://wiki.cas.mcmaster.ca/index.php/Ethical_Hacking]

▸ Russia hacks Hillary Clinton's private e-mail ▸ CIA plans to hack back ▸ Japanese survived to Fukushima incident ▸ but lives with nuclear plant compromised since years ▸ BigY fall in disgrace ▸ huge loads of "useless" info sold online ▸ refrigerators can't save us from rotten milk ▸ but takes down researchers' websites (and all the West Coast!) is there anybody out there?

▸ 10 collect informations ▸ 20 lurk ▸ 30 knock ▸ 40 hit ▸ 50 fail (or break in) ▸ 60 GOTO 10 ethical hacking: how it's done

ethical hacking: not for the faint of heart

ethical hacking: not for the faint of heart

▸ that's why it's pricy! ▸ ...start with good habits at home then ask for help ethical hacking: not for the faint of heart https://xkcd.com/327/

▸ good design/policy ▸ code review ▸ vulnerability management ▸ penetration test ethical hacking: slice it down

▸ is merely the most comprehensive way to find security issue in given code ▸ (not the easiest/faster) (secure) code review: the what

guly@opscon 2016 (s)cr: static analysis ▸ automated with tools (scheduled or on-demand) ▸ great for coverage (even for non-security issue) ▸ based on pattern ▸ reproducible ▸ misses the context and the business logic ▸ tools are *pricy* (even if you save some devs-time) ▸ huge load of false positive

guly@opscon 2016 (s)cr: manually ▸ read&draw like a child ▸ starts with threat modeling ▸ lateral think ▸ follow guides (ping OWASP) ▸ deep understanding of both language and application ▸ very high on time consuming

guly@opscon 2016 (s)cr: different security "objects" ▸ automatic finds mostly security bug: ▸ unvalidated input ▸ sql injection ▸ unserialize misuse ▸ manual is better for security flaws: ▸ change password ▸ boundaries ▸ "ashley madison"

guly@opscon 2016 (s)cr: the who ▸ is the execution flow correct in failure cases? ▸ are sessions handled correctly? ▸ what functionality can be accessed without authentication? ▸ are inputs from external sources validated? ▸ are there any known weaknesses in third-part security controls?

guly@opscon 2016 (s)cr: the when ▸ of course, when you write it (compiler/manually) ▸ at pre-commit time (SAST) ▸ or within the CI (SAST) ▸ regularly on all codebase (SAST/manually)

guly@opscon 2016 (s)cr: the when REQUIREMENT DESIGN DEVELOPMENT TESTING RELEASE ASSESSMENT THREAT MODELING & DESIGN REVIEW (SECURE) CODE REVIEW SECURITY ASSESSMENT FINAL REVIEW

guly@opscon 2016 (s)cr: the where ▸ login page ▸ password recovery ▸ file upload ▸ search form ▸ anywhere lives a user input

guly@opscon 2016 (s)cr: the why ▸ you are accountable for your code ▸ there are legal/compliance requirements ▸ the better/secure your code is, the better it can pay your bills

guly@opscon 2016 (s)cr: measure[1] SPOOFING “Identity spoofing” is a key risk for applications that have many users but provide a single execution context at the ap- plication and database level. In particular, users should not be able to become any other user or assume the attributes of another user. TAMPERING Users can potentially change data delivered to them, return it, and thereby potentially manipulate client-side valida- tion, GET and POST results, cookies, HTTP headers, and so forth. The application should also carefully check data re- ceived from the user and validate that it is sane and applicable before storing or using it. REPUDIATION Users may dispute transactions if there is insufficient auditing or recordkeeping of their activity. For example, if a user says they did not make a financial transfer, and the functionality cannot track his/her activities through the application, then it is extremely likely that the transaction will have to be written off as a loss. INFORMATION DICLOSURE Users are rightfully wary of submitting private details to a system. Is possible for an attacker to publicly reveal user data at large, whether anonymously or as an authorized user? DENIAL OF SERVICE Application designers should be aware that their applications may be subject to a denial of service attack. The use of expensive resources such as large files, complex calculations, heavy-duty searches, or long queries should be reserved for authenticated and authorized users, and not available to anonymous users. ELEVATION OF PRIVILEGE If an application provides distinct user and administrative roles, then it is vital to ensure that the user cannot elevate his/her role to a higher privilege one.

guly@opscon 2016 (s)cr: measure[2] DAMAGE Can an attacker completely take over and manipulate the system? 
 Can an attacker crash the system?
 Can the attacker obtain access to sensitive information such as secrets, PII?
 How many data sources and systems can be impacted REPRODUCIBILITY How easy is it to reproduce an attack to work?
 Can the exploit be automated? EXPLOITABILITY How much time, effort, and expertise is needed to exploit the threat?
 Does the attacker need to be authenticated? AFFECTED USERS If a threat were exploited, what percentage of users would be affected?
 Can an attacker gain administrative access to the system? DISCOVERABILITY How easy is it for an attacker to discover this threat?

guly@opscon 2016 (s)cr: the priority ▸ STRIDE, DREAD ▸ risk (likelihold * impact) ▸ mitigation level at detection time ▸ defined mitigation(or actual fix) effort

guly@opscon 2016 (s)cr: the bad ▸ fact1: devs aren't trained to security ▸ appendix: maybe they're even not interested ▸ fact2: devs and secs speak different languages ▸ appendix: and *know* different things ▸ appendix: secs mostly prefer to bash than to help ▸ therefore: apps works, but get hacked

THE LESS DEVS THAT TALK SECURITY YOU HAVE, THE MORE YOU NEED PEER REVIEW Anonymous Coward (secure) code review: catch22

guly@opscon 2016 (secure) code review: simple checklist ▸ data validation ▸ authentication ▸ session management ▸ authorization ▸ cryptography ▸ error handling ▸ logging

guly@opscon 2016 OWASP ▸ secure code review guide ▸ developer guide, with security in mind ▸ top 10 vulnerabilities in webapp, IoT, scada, mobile ▸ cheat sheet for various stuff

No content

guly@opscon 2016 let's play a game

guly@opscon 2016 01-loggedin if ($_SESSION['loggedin'] !== true) { header('Location: /login.php'); } show_dashboard();

guly@opscon 2016 02-loglogin function mylog($mysqli) { $stmt = $mysqli->prepare("INSERT INTO loglogin(ip,user) VALUES (?,?)"); $stmt->bind_param("ss",$_SERVER['REMOTE_ADDR'],$_POST['user']); $stmt->execute(); return $mysqli->insert_id; } function showlogins($mysqli) { $sql = 'SELECT time,ip,user FROM loglogin'; $sql .= 'ORDER BY time DESC LIMIT 0,10'; $res = $mysqli->query($sql); while($row = $res->fetch_assoc()) { echo "time " . $row["time"]. " user " . $row["user"]; echo " from " . $row["ip"]. "
"; } }

guly@opscon 2016 03-nslookup '; system("nslookup " . $host); echo ''; } ?> Hostname to lookup:

guly@opscon 2016 04-fileupload $whitelist = array("jpg","png"); $ext = strtolower(end(explode('.', $file))); if (!(in_array($ext,$whitelist))) { echo "invalid file extension\n"; exit; } // avoid error on writing files with name longer than filesystem limits if ((strlen($file)) > 255) { $file = substr($file,0,255); } doUpload($file);

guly@opscon 2016 05-rememberme function doLogin() { if ($rememberme) { rememberMe($user); } doStuff(); } function rememberMe($user) { $value = hash(sha256,$user+time()); setcookie('rememberme',$value,time()+(60*60*24*365)); } function showLogin() { ?> Remember me

guly@opscon 2016 06-loggedusers function updateLogged($user) { sanitize($user); $ip = $_SERVER['REMOTE_ADDR']; $resolver = new Net_DNS2_Resolver(); $res = $resolver->query($ip, 'PTR'); /* no need to sanitize DNS response, RFC does */ $host = $res->answer[0]->rdata; $sql = "INSERT INTO tracking (usr,ip,host) value"; $sql .= "('".$user."','".$ip."','".$host."')"; return $sql; } function showLogged($id) { /* input from database already sanitized at updateLogged */ list ($user,$ip,$host) = getRecords($id); echo "User ".$user.", last login from ".$ip."(".$host.")\n"; }

guly@opscon 2016 thanks! ▸ Acta est fabula, plaudite! ▸ Wait wait, any question? ▸ feedback please! ▸ guly@guly.org ▸ @theguly