Slide 1: ETHICAL HACKING FROM INSIDE, STEP 1: CODE REVIEW
Sandro "guly" Zaccarini, OPSCON 2016

Slide 2: whoami
guly@opscon 2016
▸ Sandro "guly" Zaccarini
▸ born purple
▸ happy to build
▸ hungry to break

Slide 3: agenda
▸ what the f...ine is ethical hacking?
▸ why would I have to pay someone to tell me I'm broken?!
▸ (secure) code review, a matter of?
▸ ...playground

Slide 4: survey
▸ how many of you are devs?
▸ and devops?
▸ what about the others?
▸ how many of you "suffered" from a secure code review?
▸ and from a penetration test?

Slide 5: ethical hacking, AKA
▸ Penetration Test
▸ Intrusion Testing
▸ Vulnerability Assessment
▸ Security Assessment
▸ Red Team
▸ Cyber Attack Simulation
▸ (throw your dice)

Slide 6: ethical hacking, what the fine
Ethical hacking refers to the act of locating weaknesses and vulnerabilities of computer and information systems by duplicating the intent and actions of malicious hackers [cit. http://wiki.cas.mcmaster.ca/index.php/Ethical_Hacking]

Slide 7: is there anybody out there?
▸ Russia hacks Hillary Clinton's private e-mail
  ▸ CIA plans to hack back
▸ Japan survived the Fukushima incident
  ▸ but has lived with a compromised nuclear plant for years
▸ BigY fell in disgrace
  ▸ huge loads of "useless" info sold online
▸ refrigerators can't save us from rotten milk
  ▸ but they take down researchers' websites (and all the West Coast!)

Slide 8: ethical hacking: how it's done
▸ 10 collect information
▸ 20 lurk
▸ 30 knock
▸ 40 hit
▸ 50 fail (or break in)
▸ 60 GOTO 10

Slide 9: ethical hacking: not for the faint of heart

Slide 10: ethical hacking: not for the faint of heart

Slide 11: ethical hacking: not for the faint of heart
▸ that's why it's pricy!
▸ ...start with good habits at home, then ask for help
https://xkcd.com/327/

Slide 12: ethical hacking: slice it down
▸ good design/policy
▸ code review
▸ vulnerability management
▸ penetration test

Slide 13: (secure) code review: the what
▸ is merely the most comprehensive way to find security issues in a given codebase
▸ (not the easiest or fastest)

Slide 14: (s)cr: static analysis
▸ automated with tools (scheduled or on-demand)
▸ great for coverage (even for non-security issues)
▸ pattern based
▸ reproducible
▸ misses the context and the business logic
▸ tools are *pricy* (even if you save some dev time)
▸ huge load of false positives

Slide 15: (s)cr: manually
▸ read & draw like a child
▸ starts with threat modeling
▸ think laterally
▸ follow guides (ping OWASP)
▸ deep understanding of both language and application
▸ very time consuming

Slide 16: (s)cr: different security "objects"
▸ automatic review mostly finds security bugs:
  ▸ unvalidated input
  ▸ SQL injection
  ▸ unserialize misuse
▸ manual review is better for security flaws:
  ▸ change password
  ▸ boundaries
  ▸ "ashley madison"

Slide 17: (s)cr: the who
▸ is the execution flow correct in failure cases?
▸ are sessions handled correctly?
▸ what functionality can be accessed without authentication?
▸ are inputs from external sources validated?
▸ are there any known weaknesses in third-party security controls?

Slide 18: (s)cr: the when
▸ of course, when you write it (compiler/manually)
▸ at pre-commit time (SAST)
▸ or within the CI (SAST)
▸ regularly on the whole codebase (SAST/manually)

Slide 19: (s)cr: the when
Lifecycle phases: REQUIREMENT, DESIGN, DEVELOPMENT, TESTING, RELEASE, ASSESSMENT
Security activities along the same timeline: THREAT MODELING & DESIGN REVIEW, (SECURE) CODE REVIEW, SECURITY ASSESSMENT, FINAL REVIEW
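The slides describe static analysis as pattern based, reproducible, blind to context and noisy, and place it at pre-commit and CI time. The script below is an added example written for this page, not the speaker's tooling: a minimal pattern-based sink scanner in PHP that can be wired into a pre-commit hook (it exits non-zero on any finding). The sink patterns, the constructed sample source and the file names are assumptions. The sample deliberately contains one real command injection next to a call that is already escaped, to show that a regex knows the sink but not whether the input was validated.

```php
<?php
// Added example (not from the talk): a tiny pattern-based scanner of the kind
// SAST tools run at pre-commit/CI time. It knows sinks, not context, so it
// flags safe and unsafe calls alike: good coverage, many false positives.

const SINK_PATTERNS = [
    'os command execution'        => '/\b(system|exec|shell_exec|passthru|popen)\s*\(/',
    'sql built by concatenation'  => '/\$\w+\s*\.?=\s*["\'](SELECT|INSERT|UPDATE|DELETE)\b[^;]*\.\s*\$/i',
    'request data echoed'         => '/\becho\b[^;]*\$_(GET|POST|COOKIE|REQUEST)\b/',
    'object injection'            => '/\bunserialize\s*\(/',
];

/** Scan PHP source text; return one finding per matching line. */
function scanSource(string $source, string $name = 'stdin'): array
{
    $findings = [];
    foreach (explode("\n", $source) as $i => $line) {
        foreach (SINK_PATTERNS as $label => $regex) {
            if (preg_match($regex, $line)) {
                $findings[] = ['file' => $name, 'line' => $i + 1, 'sink' => $label, 'code' => trim($line)];
            }
        }
    }
    return $findings;
}

// Constructed sample: one real command injection, one already-escaped call the
// scanner cannot tell apart (a false positive), one safe echo, one clean echo.
$sample = <<<'PHP'
<?php
$host = $_POST['host'];
system("nslookup " . $host);                       // unsafe
system("nslookup " . escapeshellarg($host));       // safe, still flagged
$sql = "SELECT * FROM users WHERE name = '" . $user . "'";
echo htmlspecialchars($_GET['q']);                 // safe, still flagged
echo "ok";
PHP;

// Files given on the command line (e.g. the staged *.php from a pre-commit hook),
// otherwise the embedded sample.
$sources = count($argv) > 1
    ? array_combine(array_slice($argv, 1), array_map('file_get_contents', array_slice($argv, 1)))
    : ['sample.php' => $sample];

$all = [];
foreach ($sources as $name => $src) {
    $all = array_merge($all, scanSource($src, $name));
}
foreach ($all as $f) {
    printf("%s:%d [%s] %s\n", $f['file'], $f['line'], $f['sink'], $f['code']);
}
// Non-zero exit blocks the commit when this runs as a pre-commit hook.
exit(count($all) > 0 ? 1 : 0);
```

Run without arguments it reports lines 3, 4, 5 and 6 of the sample: two of those four are false positives that only a reviewer who follows the data flow can dismiss, which is the trade-off the slide is pointing at.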

Slide 20: (s)cr: the where
▸ login page
▸ password recovery
▸ file upload
▸ search form
▸ anywhere user input lives

Slide 21: (s)cr: the why
▸ you are accountable for your code
▸ there are legal/compliance requirements
▸ the better and more secure your code is, the better it pays your bills

Slide 22: (s)cr: measure [1], STRIDE
▸ SPOOFING: "Identity spoofing" is a key risk for applications that have many users but provide a single execution context at the application and database level. In particular, users should not be able to become any other user or assume the attributes of another user.
▸ TAMPERING: Users can potentially change data delivered to them, return it, and thereby potentially manipulate client-side validation, GET and POST results, cookies, HTTP headers, and so forth. The application should also carefully check data received from the user and validate that it is sane and applicable before storing or using it.
▸ REPUDIATION: Users may dispute transactions if there is insufficient auditing or recordkeeping of their activity. For example, if a user says they did not make a financial transfer, and the functionality cannot track his/her activities through the application, then it is extremely likely that the transaction will have to be written off as a loss.
▸ INFORMATION DISCLOSURE: Users are rightfully wary of submitting private details to a system. Is it possible for an attacker to publicly reveal user data at large, whether anonymously or as an authorized user?
▸ DENIAL OF SERVICE: Application designers should be aware that their applications may be subject to a denial of service attack. The use of expensive resources such as large files, complex calculations, heavy-duty searches, or long queries should be reserved for authenticated and authorized users, and not available to anonymous users.
▸ ELEVATION OF PRIVILEGE: If an application provides distinct user and administrative roles, then it is vital to ensure that the user cannot elevate his/her role to a higher privilege one.

Slide 23: (s)cr: measure [2], DREAD
▸ DAMAGE: Can an attacker completely take over and manipulate the system? Can an attacker crash the system? Can the attacker obtain access to sensitive information such as secrets or PII? How many data sources and systems can be impacted?
▸ REPRODUCIBILITY: How easy is it to reproduce a working attack? Can the exploit be automated?
▸ EXPLOITABILITY: How much time, effort, and expertise is needed to exploit the threat? Does the attacker need to be authenticated?
▸ AFFECTED USERS: If a threat were exploited, what percentage of users would be affected? Can an attacker gain administrative access to the system?
▸ DISCOVERABILITY: How easy is it for an attacker to discover this threat?

Slide 24: (s)cr: the priority
▸ STRIDE, DREAD
▸ risk (likelihood * impact)
▸ mitigation level at detection time
▸ defined mitigation (or actual fix) effort
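To show how the four priority inputs on this slide combine, here is an added example (written for this page, not the speaker's method) that scores findings with the five DREAD ratings of the previous slide, derives likelihood and impact from them, discounts for mitigation already in place and divides by fix effort. Which DREAD ratings feed likelihood versus impact, the 0..1 mitigation scale and the effort unit are assumptions; the three findings are constructed, loosely modelled on the snippets of the "game" that follows, with illustrative numbers.

```php
<?php
// Added example (not from the talk): scoring findings with DREAD and ordering
// them by the priority inputs named on the slide (risk = likelihood * impact,
// mitigation already in place, effort of the fix). Weights are assumptions.

/** DREAD: five ratings in 1..10; the classic score is their average. */
function dreadScore(array $d): float
{
    foreach (['damage', 'reproducibility', 'exploitability', 'affected', 'discoverability'] as $k) {
        if (!isset($d[$k]) || $d[$k] < 1 || $d[$k] > 10) {
            throw new InvalidArgumentException("DREAD rating '$k' must be 1..10");
        }
    }
    return array_sum($d) / 5;
}

/** Likelihood from how easy the attack is, impact from what it costs (split assumed). */
function risk(array $d): float
{
    $likelihood = ($d['reproducibility'] + $d['exploitability'] + $d['discoverability']) / 3;
    $impact     = ($d['damage'] + $d['affected']) / 2;
    return $likelihood * $impact;   // 1..100
}

/** Priority: residual risk after existing mitigation, per day of fix effort. */
function priority(array $finding): float
{
    $residual = risk($finding['dread']) * (1 - $finding['mitigation']);   // mitigation in 0..1
    return $residual / max(1, $finding['effort_days']);
}

// Constructed findings; the numbers are illustrative, not measured.
$findings = [
    ['name' => 'command injection in lookup form',
     'dread' => ['damage' => 9, 'reproducibility' => 10, 'exploitability' => 9, 'affected' => 8, 'discoverability' => 8],
     'mitigation' => 0.0, 'effort_days' => 1],
    ['name' => 'stored XSS in login log',
     'dread' => ['damage' => 6, 'reproducibility' => 9, 'exploitability' => 7, 'affected' => 3, 'discoverability' => 6],
     'mitigation' => 0.5, 'effort_days' => 1],   // assume a CSP already halves the impact
    ['name' => 'predictable remember-me token',
     'dread' => ['damage' => 8, 'reproducibility' => 6, 'exploitability' => 5, 'affected' => 9, 'discoverability' => 4],
     'mitigation' => 0.0, 'effort_days' => 5],
];

usort($findings, function (array $a, array $b): int {
    return priority($b) <=> priority($a);   // highest priority first
});
foreach ($findings as $f) {
    printf("%-36s DREAD %4.1f  risk %5.1f  priority %5.1f\n",
        $f['name'], dreadScore($f['dread']), risk($f['dread']), priority($f));
}
```

With these inputs the command injection comes first (risk 76.5, nothing mitigating it, a one-day fix), the stored XSS second (risk 33.0 halved by the assumed CSP) and the remember-me token last, not because it is harmless (risk 42.5) but because the fix is estimated at five days. The point of the slide is exactly that a DREAD number alone does not order the backlog.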

Slide 25: (s)cr: the bad
▸ fact 1: devs aren't trained in security
  ▸ appendix: maybe they're not even interested
▸ fact 2: devs and secs speak different languages
  ▸ appendix: and *know* different things
  ▸ appendix: secs mostly prefer bashing to helping
▸ therefore: apps work, but get hacked

Slide 26: (secure) code review: catch22
THE LESS DEVS THAT TALK SECURITY YOU HAVE, THE MORE YOU NEED PEER REVIEW
Anonymous Coward

Slide 27: (secure) code review: simple checklist
▸ data validation
▸ authentication
▸ session management
▸ authorization
▸ cryptography
▸ error handling
▸ logging

Slide 28: OWASP
▸ secure code review guide
▸ developer guide, with security in mind
▸ top 10 vulnerabilities in webapps, IoT, SCADA, mobile
▸ cheat sheets for various stuff


Slide 30: let's play a game

Slide 31: 01-loggedin

```php
if ($_SESSION['loggedin'] !== true) {
    header('Location: /login.php');
}
show_dashboard();
```
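A hardened form of the gate above, as an added example for this page (not the speaker's answer). `header()` only queues a response header and PHP keeps executing, so as written `show_dashboard()` still runs, and its output is still sent, for a caller with no session. The `show_dashboard()` body is a placeholder standing in for the slide's function.

```php
<?php
// Added example (not from the talk): the same login gate, hardened.
// A redirect header does not stop the script; exit does.
session_start();

function requireLogin(): void
{
    // Missing key and any value other than boolean true are both "not logged in".
    if (($_SESSION['loggedin'] ?? false) !== true) {
        header('Location: /login.php', true, 303);
        exit;   // nothing below this line runs for anonymous callers
    }
}

function show_dashboard(): void   // placeholder for the slide's function
{
    echo "dashboard\n";
}

requireLogin();
show_dashboard();
```

Centralising the check in one function that cannot return without a session also makes the "what functionality can be accessed without authentication?" question of slide 17 a grep for pages that forget to call it.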

Slide 32: 02-loglogin

```php
function mylog($mysqli) {
    $stmt = $mysqli->prepare("INSERT INTO loglogin(ip,user) VALUES (?,?)");
    $stmt->bind_param("ss", $_SERVER['REMOTE_ADDR'], $_POST['user']);
    $stmt->execute();
    return $mysqli->insert_id;
}

function showlogins($mysqli) {
    $sql = 'SELECT time,ip,user FROM loglogin';
    $sql .= 'ORDER BY time DESC LIMIT 0,10';
    $res = $mysqli->query($sql);
    while ($row = $res->fetch_assoc()) {
        echo "time " . $row["time"] . " user " . $row["user"];
        echo " from " . $row["ip"] . "\n";
    }
}
```

Slide 33: 03-nslookup

```php
'; system("nslookup " . $host); echo ''; } ?>
```
Hostname to lookup:
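The surviving fragment passes `$host` straight into `system("nslookup " . $host)`, so the shell sees whatever the form submitted. The following is an added example for this page (not the speaker's answer) of two hardened forms: first, not spawning a shell at all and asking the resolver from PHP; second, if the `nslookup` output itself is wanted, validating the value against hostname syntax and still quoting it with `escapeshellarg()` so it reaches the process as one argument. That `$host` arrives as the POST field `host`, and the helper names, are assumptions.

```php
<?php
// Added example (not from the talk). Two defences, in order of preference:
// 1. do not spawn a shell at all: ask the resolver from PHP;
// 2. if nslookup must run, validate against hostname syntax and still quote
//    with escapeshellarg, so the value is one argument and never shell syntax.

function isHostname(string $host): bool
{
    // RFC 1123 labels: letters, digits and hyphens, no leading/trailing hyphen,
    // 63 bytes per label, 253 bytes overall.
    return strlen($host) <= 253
        && preg_match('/^(?!-)[A-Za-z0-9-]{1,63}(?<!-)(\.(?!-)[A-Za-z0-9-]{1,63}(?<!-))*\.?$/', $host) === 1;
}

/** Preferred: no shell involved. Returns the A records, one per line, or an error text. */
function lookup(string $host): string
{
    if (!isHostname($host)) {
        return 'invalid hostname';
    }
    $records = @dns_get_record($host, DNS_A);
    if ($records === false || $records === []) {
        return 'no A record';
    }
    return implode("\n", array_column($records, 'ip'));
}

/** Only if the nslookup output itself is required. */
function lookupWithNslookup(string $host): string
{
    if (!isHostname($host)) {
        return 'invalid hostname';
    }
    $out = shell_exec('nslookup ' . escapeshellarg($host) . ' 2>&1');
    return is_string($out) ? $out : '';
}

$host = isset($_POST['host']) ? (string) $_POST['host'] : 'example.com';   // form field name assumed
echo '<pre>' . htmlspecialchars(lookup($host), ENT_QUOTES, 'UTF-8') . '</pre>';
```

Validation and quoting are deliberately both present in the second function: the syntax check bounds what the argument can be, and `escapeshellarg()` makes sure that even a value the check lets through cannot terminate the argument.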

Slide 34: 04-fileupload

```php
$whitelist = array("jpg","png");
$ext = strtolower(end(explode('.', $file)));
if (!(in_array($ext,$whitelist))) {
    echo "invalid file extension\n";
    exit;
}
// avoid error on writing files with name longer than filesystem limits
if ((strlen($file)) > 255) {
    $file = substr($file,0,255);
}
doUpload($file);
```
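An added hardened form for this page (not the speaker's answer). In the snippet above the extension is validated first and the name is truncated to 255 bytes afterwards, so the extension that passed the check is not necessarily the one on the file that gets written. The version below never uses the client-supplied name for the file on disk, checks the content type as well as the extension, and generates a random server-side name. The `$_FILES['file']` field name, the upload directory and the `safeUploadName()` helper are assumptions.

```php
<?php
// Added example (not from the talk): the upload check, hardened.
// The client name decides only the extension, and only after its content
// agrees; the name written to disk is generated here.

const ALLOWED_EXT = ['jpg' => 'image/jpeg', 'png' => 'image/png'];

/** Returns the server-side file name to write, or null if the upload is rejected. */
function safeUploadName(string $clientName, string $tmpPath): ?string
{
    $ext = strtolower(pathinfo($clientName, PATHINFO_EXTENSION));
    if (!isset(ALLOWED_EXT[$ext])) {
        return null;                                    // extension not whitelisted
    }
    // Do not trust the extension alone: check the actual content type.
    $finfo = new finfo(FILEINFO_MIME_TYPE);
    if ($finfo->file($tmpPath) !== ALLOWED_EXT[$ext]) {
        return null;                                    // content does not match extension
    }
    // Random server-side name: no truncation, no traversal, no double extensions.
    return bin2hex(random_bytes(16)) . '.' . $ext;
}

// Assumed to run inside an upload handler receiving $_FILES['file'].
if (isset($_FILES['file']) && $_FILES['file']['error'] === UPLOAD_ERR_OK) {
    $name = safeUploadName($_FILES['file']['name'], $_FILES['file']['tmp_name']);
    if ($name === null) {
        echo "invalid file\n";
        exit;
    }
    $dest = '/srv/uploads/' . $name;   // assumed path; keep it outside the document root
    if (!move_uploaded_file($_FILES['file']['tmp_name'], $dest)) {
        echo "upload failed\n";
        exit;
    }
    echo "stored as $name\n";
}
```

The order matters: derive, validate, then use. Any transformation applied after validation (truncation, normalisation, decoding) reopens the question the check was meant to close.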

Slide 35: 05-rememberme

```php
function doLogin() {
    if ($rememberme) {
        rememberMe($user);
    }
    doStuff();
}

function rememberMe($user) {
    $value = hash(sha256, $user+time());
    setcookie('rememberme', $value, time()+(60*60*24*365));
}

function showLogin() {
?>
Remember me
```
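An added example for this page (not the speaker's answer) of a remember-me token the server can actually verify. In the snippet above the cookie value is derived from the user name and the clock, nothing is stored server-side to check it against, and the cookie is set for a year with no `Secure` or `HttpOnly` flags. The version below issues a random selector and validator, stores only the hash of the validator, and compares in constant time. The `remember_tokens` table, the PDO handle and the 30-day lifetime are assumptions; the `setcookie()` options array needs PHP 7.3 or later.

```php
<?php
// Added example (not from the talk): a remember-me token that the server can
// verify and a client cannot predict. Assumed table:
//   remember_tokens(selector, validator_hash, user, expires)

function rememberMe(PDO $db, string $user): void
{
    $selector  = bin2hex(random_bytes(8));      // lookup key, not secret
    $validator = bin2hex(random_bytes(32));     // secret; only its hash is stored
    $expires   = time() + 60 * 60 * 24 * 30;    // 30 days, not a year

    $stmt = $db->prepare('INSERT INTO remember_tokens (selector, validator_hash, user, expires) VALUES (?, ?, ?, ?)');
    $stmt->execute([$selector, hash('sha256', $validator), $user, $expires]);

    setcookie('rememberme', $selector . ':' . $validator, [
        'expires'  => $expires,
        'path'     => '/',
        'secure'   => true,     // never sent over plain HTTP
        'httponly' => true,     // not readable from script
        'samesite' => 'Lax',
    ]);
}

/** Returns the user name on success, null otherwise. */
function userFromRememberCookie(PDO $db): ?string
{
    $parts = explode(':', (string) ($_COOKIE['rememberme'] ?? ''), 2);
    if (count($parts) !== 2 || !ctype_xdigit($parts[0]) || !ctype_xdigit($parts[1])) {
        return null;
    }
    [$selector, $validator] = $parts;
    $stmt = $db->prepare('SELECT validator_hash, user, expires FROM remember_tokens WHERE selector = ?');
    $stmt->execute([$selector]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    if ($row === false || (int) $row['expires'] < time()) {
        return null;
    }
    // Constant-time comparison of the stored hash with the hash of what the client sent.
    if (!hash_equals($row['validator_hash'], hash('sha256', $validator))) {
        return null;
    }
    return $row['user'];
}
```

Splitting the token into a selector and a validator lets the database lookup use an index on the selector while the secret part is only ever compared with `hash_equals()`, so neither the lookup nor a leaked table gives away a usable cookie.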

Slide 36: 06-loggedusers

```php
function updateLogged($user) {
    sanitize($user);
    $ip = $_SERVER['REMOTE_ADDR'];
    $resolver = new Net_DNS2_Resolver();
    $res = $resolver->query($ip, 'PTR');
    /* no need to sanitize DNS response, RFC does */
    $host = $res->answer[0]->rdata;
    $sql = "INSERT INTO tracking (usr,ip,host) value";
    $sql .= "('".$user."','".$ip."','".$host."')";
    return $sql;
}

function showLogged($id) {
    /* input from database already sanitized at updateLogged */
    list ($user,$ip,$host) = getRecords($id);
    echo "User ".$user.", last login from ".$ip."(".$host.")\n";
}
```
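An added hardened form for this page (not the speaker's answer). Three things in the snippet above are worth a reviewer's attention: `sanitize($user)` is called but its return value is dropped; the PTR answer is chosen by whoever controls the reverse zone for the client's IP, so "the RFC sanitizes it" is not a property the application can rely on, yet it is concatenated straight into SQL; and `showLogged()` echoes the stored values into HTML on the strength of a comment. The version below treats both the user name and the host as untrusted, uses placeholders for the insert and encodes at output. The PDO handle, the `tracking` table having an `id` column, and the Net_DNS2 exception handling are assumptions; the resolver call is kept as on the slide.

```php
<?php
// Added example (not from the talk): the tracking functions, hardened.
// A PTR answer is untrusted input like any other: it goes into SQL through a
// placeholder and into HTML through an encoder. No "sanitized earlier" comments.

function updateLogged(PDO $db, string $user): void
{
    $ip   = $_SERVER['REMOTE_ADDR'];
    $host = null;
    try {
        $resolver = new Net_DNS2_Resolver();
        $res  = $resolver->query($ip, 'PTR');          // as on the slide
        $host = $res->answer[0]->rdata ?? null;        // may be absent
    } catch (Net_DNS2_Exception $e) {
        $host = null;                                   // no PTR: store nothing rather than fail
    }
    if ($host !== null && strlen($host) > 253) {
        $host = substr($host, 0, 253);                  // bound the size; the placeholder does the rest
    }
    $stmt = $db->prepare('INSERT INTO tracking (usr, ip, host) VALUES (?, ?, ?)');
    $stmt->execute([$user, $ip, $host]);
}

function showLogged(PDO $db, int $id): void
{
    $stmt = $db->prepare('SELECT usr, ip, host FROM tracking WHERE id = ?');
    $stmt->execute([$id]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    if ($row === false) {
        return;
    }
    // "Already sanitized at insert" is not something a row can remember: encode at output.
    $h = function (?string $s): string {
        return htmlspecialchars((string) $s, ENT_QUOTES | ENT_HTML5, 'UTF-8');
    };
    echo 'User ' . $h($row['usr']) . ', last login from ' . $h($row['ip']) . ' (' . $h($row['host']) . ")\n";
}
```

This is the slide 16 distinction in one place: the string concatenation is a security bug a pattern-based tool will catch, while trusting reverse DNS because a standard constrains it is a reasoning flaw that only a reader who asks "who chooses this value?" will notice.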

Slide 37: thanks!
▸ Acta est fabula, plaudite!
▸ Wait wait, any questions?
▸ feedback please!
▸ [email protected]
▸ @theguly