Devfest istanbul'14 - Web Application Attacks and Trusting Frameworks

  • Published on 16-Jul-2015


Transcript

  • Devfest Istanbul: Web Application Attacks and Trusting Frameworks

  • whoami

    Mehmet INCE, Cyber Security Engineer / Pentest Lead at INTELRAD

    - 150+ vulnerability publications
    - Application Security
    - Infosec blogger: www.mehmetince.net
    - PHP, Python, etc.
    - @mdisec

  • Premise

    security is a serious business.

  • Claims made about web application security:

    - We use a framework (ORM, prepared statements).
    - We do input validation.
    - Output encoding is our job.
    - We regularly buy penetration testing services from different firms.
    - We have WAF and IPS/IDS appliances.
    - Our software is open source; the power of the community is with us.
    - We send our developers to secure coding training.
    - We have a bug bounty program and pay everyone who finds a vulnerability.

  • Is anyone here working at a company that does all of these?

  • Because

    Drupal core - SQL injection ( stacked query enabled! ) - http://goo.gl/RPgX1z

    Wordpress 4.0.1 Stored XSS - http://goo.gl/xuvXfB

    Codeigniter Object Injection - http://goo.gl/72lzGV

  • Because...

    Symfony CSRF ( CVE-2014-6072 )

    Laravel cookie forgery, decryption, and RCE - http://goo.gl/qieZzZ

    RoR SQLi & Crypto Weakness

  • Because

    "We use a framework." It is one of the must-haves, but it is never sufficient, because the framework itself is also software. It can have security holes. (RoR, CI, Laravel, Symfony, ASP.NET)

  • Because

    Open source matters from a security standpoint. But all of the examples were open-source projects with around 1,000 committers. http://goo.gl/fDHGFZ

    ( Welcome to the club, ASP.NET :p )

  • Because.

    No WAF or IPS/IDS can detect the Codeigniter Object Injection vulnerability. Why? ( Exploit the OR )

  • So..

    security is a serious business.

  • Codeigniter Object Injection Vuln

  • Codeigniter Session Mechanism: Session class initializer method.

  • Codeigniter Session Mechanism

  • Codeigniter Session Mechanism

  • Codeigniter Encryption Class

  • Codeigniter Custom XOR

  • Where we are

    User Request -> Session Class initializer -> sess_create()

    - Is encrypt cookie enabled?
    - T: Encode with Mcrypt -> _set_cookie()
    - F: Encode with custom XOR

  • How to read Session Data

  • How to exploit

    - If the encryption key is known: cookie object manipulation

    - If the encryption key is unknown:

    - If Mcrypt is enabled: CBC mode exploit

    - If custom XOR is used: md5 hash brute force
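The common thread in that tree is that the session cookie carries a PHP serialized object protected only by XOR plus an md5, or by unauthenticated encryption, so it is trusted before its integrity is proven. The following is an added illustration (not CodeIgniter's code, and not from the talk) of the cookie handling that removes both footholds: the payload is JSON rather than a serialized object, and it carries an HMAC-SHA256 tag checked with a constant-time compare before anything is decoded. `$secret` is an assumed server-side key.

```php
<?php
// Added illustration, not CodeIgniter's code: an integrity-protected session cookie.
// Assumes $secret is a random server-side key (>= 32 bytes) that never reaches the client.

function make_session_cookie(array $session, string $secret): string {
    // JSON instead of serialize(): decoding it can never instantiate a PHP object.
    $payload = base64_encode(json_encode($session, JSON_THROW_ON_ERROR));
    // The HMAC binds the payload to the key; a guessed md5 or a flipped
    // ciphertext byte does not help, because the tag will not verify.
    $tag = hash_hmac('sha256', $payload, $secret);
    return $payload . '.' . $tag;
}

function read_session_cookie(string $cookie, string $secret): ?array {
    $parts = explode('.', $cookie, 2);
    if (count($parts) !== 2) {
        return null;                       // malformed cookie
    }
    [$payload, $tag] = $parts;
    $expected = hash_hmac('sha256', $payload, $secret);
    // Constant-time comparison, and it runs BEFORE any decoding.
    if (!hash_equals($expected, $tag)) {
        return null;                       // tampered or forged cookie
    }
    $raw = base64_decode($payload, true);
    if ($raw === false) {
        return null;
    }
    $data = json_decode($raw, true, 512, JSON_THROW_ON_ERROR);
    return is_array($data) ? $data : null;
}

// Constructed demo values.
$secret = random_bytes(32);
$cookie = make_session_cookie(['user_id' => 42, 'is_admin' => false], $secret);
var_dump(read_session_cookie($cookie, $secret));

// A cookie with one altered character is rejected before json_decode ever runs.
$altered = 'x' . substr($cookie, 1);
var_dump(read_session_cookie($altered, $secret));
```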

  • Codeigniter Based Applications

    - Bonfire: vulnerable
    - No-CMS: vulnerable
    - PyroCMS: vulnerable
    - FUEL CMS: vulnerable
    - ...

  • DEMO

  • Thanks

    twitter.com/mdisec

    www.mehmetince.net

    mehmet@mehmetince.net