Presentation at the OWASP (Open Web Application Security Project) on how to make apps secure by protecting them from the inside.
Detecting and protecting from:
1. SQL injection
2. Cross Site Scripting (XSS)
3. Third party components vulnerabilities
4. Shell injection
etc.
2. Agenda
How to make apps more secure?
1. Triggering new vulnerabilities (bad guys)
2. Detecting/protecting found issues (good guys)
   1. SQL injection
   2. Cross Site Scripting (XSS)
   3. Third party components vulnerabilities
   4. Shell injection
3. About Me
Jean-Baptiste Aviat
CTO at Sqreen (https://sqreen.io)
We protect applications automatically
Sqreen is hiring
Former RedTeam security engineer at Apple
4. The best place for app security
• Where to gather accurate information for securing an application?
• How to change the tires of a car running at 100 mph?
• How to make the diagnosis continuous, to match modern release cycles?
5. App security: the place to be
• Need to get closer to the runtime
• Retrieve all required data, while the application processes it
• Work with the deployed, running application
• Obvious solution: instrumentation
6. Debugging allows…
• Devs' and hackers' method to inspect live apps
• Access anything in it
  – CPU registers
  – Addressable memory of the whole process: functions, symbols…
  – Threads
• And to modify anything in it
  – Modify return values
7. At first sight
(byebug) thread list
+ 1 #<Thread:0x007fe41b0d1ae0@2.2.0/webrick/server.rb:283 run> ...
  2 #<WEBrick::Utils::TimeoutHandler::Thread:0x007fe41b0d1220@2.2.0/webrick/utils.rb:162 sleep> 2.2.0/webrick/utils.rb:173
  3 #<Thread:0x007fe4140bc408 sleep> 2.2.0/webrick/server.rb:174
(byebug) thread switch 3
  3 #<Thread:0x007fe4140bc408 sleep> 2.2.0/webrick/server.rb:174
(byebug) thread switch 3
[168, 177] in 2.2.0/webrick/server.rb
   172: while @status == :Running
   173:   begin
=> 174:     if svrs = IO.select([shutdown_pipe[0], *@listeners], nil, nil, 2.0)
   175:       if svrs[0].include? shutdown_pipe[0]
   176:         break
8. Web application specifics
• Relevant information in a web application:
  – User request (headers, cookies, parameters…) and server response
  – Any function call and its arguments
    • Database requests
    • File operations
    • External API calls
    • Syscalls…
  – All current threads
10. Application instrumentation
• Different ways to identify vulnerabilities
• And many solutions to prevent them
  – Patch a function's return value
  – Encode a function's arguments
  – Raise an exception to prevent further execution
11. Where the database is accessed
(byebug) break ActiveRecord::ConnectionAdapters::SQLite3Adapter.exec_query
Successfully created breakpoint with id 1
(byebug) continue
[283, 292] in …/active_record/connection_adapters/sqlite3_adapter.rb
   287:
=> 288: def exec_query(sql, name = nil, binds = [])
   289:   type_casted_binds = binds.map { |col, val|
   290:     [col, type_cast(val, col)]
   291:   }
   292:
(byebug) var local
binds = []
name = Post Load
self = #<ActiveRecord::ConnectionAdapters::SQLite3Adapter:0x007fb1eb30df50>
sql = SELECT * FROM posts WHERE id=3
(byebug) self.quote("it's a string")
"'it''s a string'"
12. SQL injection detection
• Inside an app, full access to:
  – Raw SQL query, just as the database receives it
  – Database system (Oracle, MySQL…)
  – Database configuration (encoding)
  – Untrusted parameters
• Ability to parse the complete SQL query
13. SQL injection
• Untrusted entry used in a SQL request
• Assume pwd is injectable:
SELECT * FROM users WHERE pwd = 'sun' LIMIT 1
• Injected query:
SELECT * FROM users WHERE pwd = 'sun' OR 1=1--+' LIMIT 1
• The SQL query has to be valid to trigger an injection
• How to prove that an injection happened?
14. Request just before it leaves the app to the DB:
SELECT * FROM users WHERE password = 'sun' OR 1=1-- '
Reminder: we know the database, its charset, encoding rules…
1 user entry, multiple SQL tokens:
SELECT * FROM users WHERE password = sun OR 1 = 1
This is an injection.
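The rule of slides 13 and 14 (one user entry covering several SQL tokens is an injection), written out as an added Ruby example that is not part of the presentation. The lexer, the `sql_injection?` helper and the sample queries are constructed here; the doubled-quote escape it understands is the one `self.quote` produced on slide 11.

```ruby
# Added example, not from the slides: lexical SQL-injection detection in the
# style of slide 14. The final query is tokenized as the database will see it,
# and an untrusted value that covers more than one SQL token is an injection.

# Small SQL lexer: string literals (with the doubled-quote escape seen in
# slide 11), comments, numbers, identifiers/keywords, operators.
SQL_TOKEN = /
  '(?:[^']|'')*'         |  # single-quoted string literal
  --[^\n]*               |  # line comment (runs to end of line)
  \/\*.*?\*\/            |  # block comment
  \d+(?:\.\d+)?          |  # numeric literal
  [A-Za-z_][A-Za-z0-9_]* |  # identifier or keyword
  <>|<=|>=|!=|[=<>+\-*\/%(),;.]  # operators and punctuation
/xm

# Returns [token, start_offset, end_offset] for every token in the query.
def sql_tokens(sql)
  tokens = []
  sql.scan(SQL_TOKEN) do
    m = Regexp.last_match
    tokens << [m[0], m.begin(0), m.end(0)]
  end
  tokens
end

# True when the untrusted value ends up spanning several tokens of the query.
# The value may reach the query raw or escaped by the adapter's quote(), so
# both forms are looked for. Simplification: only the first occurrence is
# checked; a real implementation inspects every occurrence.
def sql_injection?(sql, untrusted)
  return false if untrusted.strip.empty?
  tokens = sql_tokens(sql)
  [untrusted, untrusted.gsub("'", "''")].uniq.any? do |needle|
    start = sql.index(needle)
    next false if start.nil?
    stop = start + needle.length
    tokens.count { |_, b, e| b < stop && e > start } > 1
  end
end

# Constructed inputs: the slide's injected query versus legitimate values.
p sql_injection?("SELECT * FROM users WHERE password = 'sun' OR 1=1-- '", "sun' OR 1=1-- ")  # => true
p sql_injection?("SELECT * FROM users WHERE password = 'sun'", "sun")                        # => false
p sql_injection?("SELECT * FROM posts WHERE title = 'it''s a string'", "it's a string")      # => false
```

The same check flags an unquoted numeric injection such as `id=3 OR 1=1`, since the value `3 OR 1=1` spans five tokens.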
15. Rendering a template
#0 ActionView::OutputBuffer.<<(value#NilClass)
#1 ActionView::CompiledTemplates._app_views_posts_show_html_erb…(local_assigns, output_buffer)
#2 block in ActionView::Template.render(view, locals#Hash, buffer#NilClass, &block#Proc)
#3 #<Class:ActiveSupport::Notifications>.instrument(name#String, payload#Hash)
[…]
#18 ActionView::Rendering._render_template(options#Hash)
#19 ActionController::Streaming._render_template(options#Hash)
#0 is string concatenation
#1 is template insertion
16. String concatenation
(byebug) break ActionView::OutputBuffer.<<
[6, 15] in actionview-4.2.3/lib/action_view/buffers.rb
…
   10: def <<(value)
=> 11:   return self if value.nil?
   12:   super(value.to_s)
   13: end
   14: alias :append= :<<
   15:
(byebug) var local
value = "my <script>alert()</script> title"
(byebug) value.html_safe?
true
19. XSS detection
• HTML can be parsed
• Injection if:
  – User entry adds HTML to the rendered page
    • HTML node
    • HTML attribute
• In such cases, we have an HTML injection
<div><script src=atta.ck/></script>Safari</div>
<a href='#' onclick='alert()'>Data</a>
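Slide 19's test (does the user entry add an HTML node or attribute to the rendered page?) as an added Ruby example, not code from the presentation. The tag scanner and the two sample pages are constructed here from the slide's examples; a production implementation would use a real HTML parser rather than these regular expressions.

```ruby
# Added example, not from the slides: detecting HTML injection the way slide 19
# describes. The rendered page is scanned for tags and attributes; if the
# untrusted value's span in the page contains the start of a tag, it added an
# HTML node, and if it contains the start of an attribute name, it added an
# HTML attribute. Plain text or a value inside a quoted attribute adds neither.

# Start or end tag: captures the tag name and the raw attribute text.
# Simplification: a '>' inside a quoted attribute value is not handled.
TAG = /<\/?([A-Za-z][\w-]*)([^>]*)>/
# One attribute inside the raw attribute text, with an optional value.
ATTR = /([^\s=\/>"']+)(?:\s*=\s*(?:"[^"]*"|'[^']*'|[^\s>]+))?/

# Returns [kind, name, offset] for every tag (offset of '<') and attribute
# (offset of its name) found in html.
def html_structure(html)
  found = []
  html.scan(TAG) do
    tag = Regexp.last_match
    found << [:node, tag[1].downcase, tag.begin(0)]
    base = tag.begin(2)
    tag[2].scan(ATTR) do
      attr = Regexp.last_match
      found << [:attribute, attr[1].downcase, base + attr.begin(1)]
    end
  end
  found
end

# Nodes and attributes whose start lies inside the untrusted value's span in
# the rendered page; an empty result means the value was rendered harmlessly.
def html_injections(html, untrusted)
  return [] if untrusted.empty?
  start = html.index(untrusted)
  return [] if start.nil?
  stop = start + untrusted.length
  html_structure(html).select { |_, _, offset| offset >= start && offset < stop }
end

# Constructed pages built from the slide's two examples, plus a harmless one.
p html_injections("<div><script src=atta.ck/></script>Safari</div>",
                  "<script src=atta.ck/></script>Safari")       # node script, attribute src, node script
p html_injections("<a href='#' onclick='alert()'>Data</a>", "#' onclick='alert()")  # attribute onclick
p html_injections("<a href='#'>Data</a>", "#")                   # => []
```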
22. 3rd party components vulnerabilities
• Application knows its libraries
  – Version
  – Configuration
  – Dependencies
• And OS libraries
• Correlation with public security advisories
• And restrict / correct the vulnerable paths
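The correlation step of slide 22 as an added Ruby example, not code from the presentation: the application's own view of what it loaded (`Gem.loaded_specs`, a real RubyGems API) is matched against advisory records by version range. The advisory list, its identifiers and the sample gem versions are constructed placeholders, not real advisories.

```ruby
# Added example, not from the slides: correlating the libraries a Ruby
# application has loaded with security advisories, as slide 22 describes.
# ADVISORIES and SAMPLE_GEMS are constructed placeholders, not real
# advisories; a real feed would supply them.
require "rubygems"

# Constructed advisory records: library name, requirement strings describing
# the versions that carry the fix, and a placeholder identifier.
ADVISORIES = [
  { gem: "examplegem", patched: [">= 2.3.1"],           id: "ADVISORY-PLACEHOLDER-1" },
  { gem: "othergem",   patched: ["~> 1.4.2", ">= 2.0"], id: "ADVISORY-PLACEHOLDER-2" },
].freeze

# A version is vulnerable when it satisfies none of the patched requirements.
def vulnerable?(version, patched)
  v = Gem::Version.new(version)
  patched.none? { |req| Gem::Requirement.new(req).satisfied_by?(v) }
end

# gems is { name => version string }; returns [name, version, advisory id]
# for every loaded library that still has an open advisory.
def affected_libraries(gems, advisories = ADVISORIES)
  advisories.each_with_object([]) do |adv, out|
    version = gems[adv[:gem]]
    next unless version && vulnerable?(version, adv[:patched])
    out << [adv[:gem], version, adv[:id]]
  end
end

# At runtime the application knows exactly what it loaded: Gem.loaded_specs
# maps each gem name to its specification, so no lockfile parsing is needed.
def loaded_gems
  Gem.loaded_specs.transform_values { |spec| spec.version.to_s }
end

# Constructed sample of what loaded_gems could return in a vulnerable app.
SAMPLE_GEMS = { "examplegem" => "2.2.0", "othergem" => "1.4.3", "safegem" => "3.0.0" }.freeze

p affected_libraries(SAMPLE_GEMS)  # => [["examplegem", "2.2.0", "ADVISORY-PLACEHOLDER-1"]]
```

In a running application `affected_libraries(loaded_gems)` gives the list to act on; restricting the vulnerable paths (the slide's last bullet) is then a matter of instrumenting the affected library's entry points.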