php code audits
play

PHP code audits OSCON 2009 San Jos, CA, USA July 21th 2009 - PowerPoint PPT Presentation

Sep 10, 2023 •113 likes •848 views

PHP code audits OSCON 2009 San Jos, CA, USA July 21th 2009 samedi 25 juillet 2009 1 Agenda Workshop presentation Black box audit Source code audit samedi 25 juillet 2009 2 Who speaks? Philippe Gamache Parler Haut, Interagir

  1. PHP code audits OSCON 2009 San José, CA, USA July 21th 2009 samedi 25 juillet 2009 1

  2. Agenda Workshop presentation Black box audit Source code audit samedi 25 juillet 2009 2

  3. Who speaks? Philippe Gamache Parler Haut, Interagir Librement : Web development, security audit, training info@ph-il.ca @SecureSymfony samedi 25 juillet 2009 3

  4. Who speaks? Damien Seguy Alter Way Consulting : Open sources expert services Father of the Elephpant Calendar maker damien.seguy@alterway.fr samedi 25 juillet 2009 4

  5. Security Book New 2009 edition Comprehensive review of security system for MySQL, PHP , etc. Published in French Planning translation samedi 25 juillet 2009 5

  6. The application http://www.cligraphcrm.com/ samedi 25 juillet 2009 6

  7. Full audit synopsis Identi fi cation of the audit goals Interview with the dev teams Black box testing Open Code audit Report samedi 25 juillet 2009 7

  8. Yes, we take questions samedi 25 juillet 2009 8

  9. Black box testing 9 samedi 25 juillet 2009 9

  10. Black box testing What is black box testing? Finding information What can I do with this application? Where are the most popular entry points? 10 samedi 25 juillet 2009 10

  11. Black box testing Look for vulnerabilities Use different tools and technics Automatic scanners By hand Fuzzing tools Scenarios How do I use to my advantage? 11 samedi 25 juillet 2009 11

  12. Black box testing Strike Attacking a vulnerability with a speci fi c purpose 12 samedi 25 juillet 2009 12

  13. Find Information Look at the application web site Features 13 samedi 25 juillet 2009 13

  14. Find Information Look at the application web site Technology 14 samedi 25 juillet 2009 14

  15. Find Information Look at the application web site Technology 15 samedi 25 juillet 2009 15

  16. Find Information Look at the application web site Technology 16 samedi 25 juillet 2009 16

  17. Find Information Look at the application web site Technology 17 samedi 25 juillet 2009 17

  18. Find Information Look at the application web site Technology 18 samedi 25 juillet 2009 18

  19. Where did I hear about this? samedi 25 juillet 2009 19

  20. Find vulnerabilities We look in Common Vulnerabilities and Exposures Also in bugtrack, xssed.com, etc... We could have look in Google, Bing, etc... No published vulnerabilities for cliGraph 20 samedi 25 juillet 2009 20

  21. Find Information HTTP/1.x 200 OK Date: Mon, 20 Jul 2009 17:29:25 GMT Server: Apache/2.2.3 (Debian) PHP/5.2.0-8+etch11 mod_ssl/2.2.3 OpenSSL/0.9.8c X-Powered-By: PHP/5.2.0-8+etch11 Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0 Pragma: no-cache Content-Length: 586 HTTP headers Content-Type: text/html; charset=UTF-8 X-Cache: MISS from Colossus Connection: close curl, wget, Firefox Rex Swain's HTTP Viewer 21 samedi 25 juillet 2009 21

  22. Typical fi les Usual directories includes, include, inc, com, classes, lib, library admin, adm, administrator, tmp, TMP , ext, var data, db, conf, con fi g uploads, install, 22 samedi 25 juillet 2009 22

  23. Typical fi les .phps, .inc, .class, xml, ini, yaml, cfg Apache Alias : /icons/ robots.txt samedi 25 juillet 2009 23

  24. Security dilema robots.txt User-agent: * Disallow: /administrator/ Disallow: /cache/ Disallow: /components/ Disallow: /images/ Disallow: /includes/ Disallow: /installation/ Disallow: /language/ Disallow: /libraries/ Disallow: /media/ Disallow: /modules/ Disallow: /plugins/ Disallow: /templates/ Disallow: /tmp/ Disallow: /xmlrpc/ 24 samedi 25 juillet 2009 24

  25. External testing Get the list of the scripts ( fi nd .) Turn that into URLs Fetch them directly on the web site Study what’s coming back Maybe you gonna need to install it yourself samedi 25 juillet 2009 25

  26. Typical fi les https 404 and 5xx pages Blank page Bad code without error posting 26 samedi 25 juillet 2009 26

  27. Automatic scanners Nikto http://www.cirt.net/ 27 samedi 25 juillet 2009 27

  28. Find vulnerabilities What to look for ? XSS CSRF Injections Files overwrite 28 samedi 25 juillet 2009 28

  29. Automatic scanners Web Application Attack and Audit Framework (W3AF) http://w3af.sourceforge.net/ 29 samedi 25 juillet 2009 29

  30. Manual tools Firefox Access Me Firebug SQL Inject Me Web Developer XSS Me Data 30 samedi 25 juillet 2009 30

  31. Manual tools Arrays c[]=1 Surplus variables debug=1, task=view Missing variables 31 samedi 25 juillet 2009 31

  32. Manual tools action/facture_fiche.php? exp_typedoc=facture&exp_id= 2009N000196&exp_formdoc=pdf action/facture_fiche.php? exp_typedoc=facture&exp_id=2009 N000196&exp_formdoc=fiche Fatal error : Cannot redeclare fct_redimension_img() (previously declared in /var/www/crm_demo/fonctions/ fonction_img.php:68) in /var/www/crm_demo/fonctions/ fonction_img.php on line 134 32 samedi 25 juillet 2009 32

  33. Fuzzing Test by random value Stress forms Database All characters from \0 to \x255 All Unicode characters The numbers 1, 0, -1, 0.99, extreme, in fi nite 33 samedi 25 juillet 2009 33

  34. Fuzzing Strings Long Short Dictionaries of values of vulnerabilities GET, POST, COOKIE 34 samedi 25 juillet 2009 34

  35. Fuzzing Wfuzz http://www.edge-security.com/wfuzz.php WebSlayer http://www.edge-security.com/webslayer.php 35 samedi 25 juillet 2009 35

  36. Exemple Fuzzing samedi 25 juillet 2009 36

  37. Scenarios More realistic tests fragile Automate your tests Complete with fuzzing Use proxy servers 37 samedi 25 juillet 2009 37

  38. Scenarios Firefox Selenium IDE WebScarab http://www.owasp.org/index.php/ Category:OWASP_WebScarab_Project 38 samedi 25 juillet 2009 38

  39. Simplify your life Samurai Web Testing Framework http://samurai.inguardians.com/ samedi 25 juillet 2009 39

  40. Conclusion Black box Easy to set up Take into account the context of the application Often spectacular Generally shallow samedi 25 juillet 2009 40

  41. Open code audit samedi 25 juillet 2009 41

  42. Code audits Look into the PHP code Search for hidden problems Usually less spectacular than black box samedi 25 juillet 2009 42

  43. From the interview Check if dev teams knows that to secure Have it explains their approach Check what they say Check what they don’t say samedi 25 juillet 2009 43

  44. The shy version We know there are security problems but we have no time to secure them this app has been written years ago we can’t keep up with the threats samedi 25 juillet 2009 44

  45. The strong version We have secured the application We use SSL, and webwasher and crypto All content is validated and fi ltered We don’t do any dynamical include Our frameworks doesn’t allow this samedi 25 juillet 2009 45

  46. Approach What to search for? What are the entry points? How can they be exploited Or protected ? samedi 25 juillet 2009 46

  47. What to search for? Injections PHP SQL HTML system samedi 25 juillet 2009 47

  48. Keep focused Easy to loose focus Tempting to audit everything samedi 25 juillet 2009 48

  49. PHP injections PHP injections dynamical inclusion include, require and *_once back ticks eval samedi 25 juillet 2009 49

  50. Eval Easy to look for grep Fast, available, convenient 853 occurences Tokenizer Semantic, accurate 37 occurrences samedi 25 juillet 2009 50

  51. Tokenizer <?php print ("hello $world! "); ?> [1] => Array ( [6] => Array [0] => 266 ( [1] => print [0] => 309 [2] => 1 [1] => $world ) [2] => 1 ) [2] => Array ( [7] => Array [0] => 370 ( [1] => [0] => 314 [2] => 1 [1] => ! ) [2] => 1 ) [3] => ( [4] => " [8] => " [5] => Array [9] => ) ( [10] => ; [0] => 314 [1] => Array [1] => hello ( [2] => 1 [0] => PHP token ) [1] => PHP code [2] => Script line ) [2] => " samedi 25 juillet 2009 51

  52. Evals � eval('$retour=$GLOBALS["'.$matches[1].'"];') � Variable variables. � eval($contenu_thjipk); � eval($contents_essai); � Content is read into variable, then executed : an include? � eval('$hexdtime � = � "'.$hexdtime.'";') � Long way to cast a string into a string � eval('$retour2.= � '.var_dump($recept->erreur).';') � This doesn’t even work samedi 25 juillet 2009 52

  53. Assessing the code One liners One line of code is suf fi ciently to be bad Even though you must follow the code In reverse samedi 25 juillet 2009 53

  54. Inclusion � require("../params_frm.php") � require(fct_lien_page_custom(TYPE_DOMAINE."/".TYPE_DOC. "_custom.php","abs")) � require(fct_lien_page_custom("params_footer.php","abs")) � Pretty secure inclusions � But 96 variables used in includes � include(fct_lien_page_custom("action/facture_". $format.".php","abs")) � $format, anyone? � require_once("etat_simple_".$choix_page."_trt.php") � $choix_page, anyone ? samedi 25 juillet 2009 54

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

Overview of the Enrollment Verification and Withdrawal Code Audits Governors Office of Student

Overview of the Enrollment Verification and Withdrawal Code Audits Governors Office of Student

Overview of the Enrollment Verification and Withdrawal Code Audits Governors Office of Student Achievement GaDOE FY19 Data Conference Athens, GA August 23, 2018 Presentation Overview 1. Academic Auditing Overview 2. Enrollment

480 views • 26 slides
Form 941: Compliance Challenges and Intensified IRS Audits and Intensified IRS Audits Avoiding

Form 941: Compliance Challenges and Intensified IRS Audits and Intensified IRS Audits Avoiding

Presenting a live 110 minute teleconference with interactive Q&amp;A Form 941: Compliance Challenges and Intensified IRS Audits and Intensified IRS Audits Avoiding Errors That Trigger Costly Penalties and Documenting a Solid Case for Examiners

1.18k views • 96 slides
1 We might not always see them, but regulations the rules government imposes on businesses and

1 We might not always see them, but regulations the rules government imposes on businesses and

The Auditor-General provides assurance to Parliament on the accountability and performance of the Victorian Public Sector. The Auditor-General conducts financial audits and performance audits, and reports on the results of these audits to

672 views • 16 slides
1 When children are successful in transitioning from early childhood education and care to

1 When children are successful in transitioning from early childhood education and care to

The Auditor-General provides assurance to Parliament on the accountability and performance of the Victorian Public Sector. The Auditor-General conducts financial audits and performance audits, and reports on the results of these audits to

393 views • 18 slides
1 Victoria's 79 local councils are responsible for providing a wide range of services to their

1 Victoria's 79 local councils are responsible for providing a wide range of services to their

The Auditor-General provides assurance to Parliament on the accountability and performance of the Victorian Public Sector. The Auditor-General conducts financial audits and performance audits, and reports on the results of these audits to

498 views • 16 slides
Balt ltimore Cit ity Fis iscal l Outlook and Audits March 5, 5, 20 2020 20 1 Biennial

Balt ltimore Cit ity Fis iscal l Outlook and Audits March 5, 5, 20 2020 20 1 Biennial

Balt ltimore Cit ity Fis iscal l Outlook and Audits March 5, 5, 20 2020 20 1 Biennial Audits Transfer responsibility from the Director of Finance to the Department of Audits (City Auditor) so there is no longer a conflict of

680 views • 20 slides
Report of the Auditor-General 2015-16 Financial Audits Volume 4 Audits of State entities 30 June

Report of the Auditor-General 2015-16 Financial Audits Volume 4 Audits of State entities 30 June

Report of the Auditor-General 2015-16 Financial Audits Volume 4 Audits of State entities 30 June and 31 December 2016 Presentation to Members of Parliament 23 May 2017 Report Contents 31 December Audits University of Tasmania

353 views • 14 slides
Auditor-General conducts financial audits and performance audits, and reports on the results of

Auditor-General conducts financial audits and performance audits, and reports on the results of

The Auditor-General provides assurance to Parliament on the accountability and performance of the Victorian Public Sector. The Auditor-General conducts financial audits and performance audits, and reports on the results of these audits to

243 views • 20 slides
Sector. The Auditor-General conducts financial audits and performance audits, and reports on the

Sector. The Auditor-General conducts financial audits and performance audits, and reports on the

The Auditor-General provides assurance to Parliament on the accountability and performance of the Victorian Public Sector. The Auditor-General conducts financial audits and performance audits, and reports on the results of these audits to

236 views • 21 slides
Noise Audits What they are and the training required to do them The Hearing Loss Prevention/

Noise Audits What they are and the training required to do them The Hearing Loss Prevention/

Noise Audits What they are and the training required to do them The Hearing Loss Prevention/ Noise Rule includes a section on noise audits. The following three modules provide information on noise audits: Module 1 is a general overview of

570 views • 18 slides
Sampling Strategies in Sales Tax Audits Sampling Strategies in Sales Tax Audits Selecting a

Sampling Strategies in Sales Tax Audits Sampling Strategies in Sales Tax Audits Selecting a

Presenting a live 110 minute teleconference with interactive Q&amp;A Sampling Strategies in Sales Tax Audits Sampling Strategies in Sales Tax Audits Selecting a Sampling Methodology and Negotiating With Auditors THURSDAY, NOVEMBER 17, 2011 1pm

912 views • 65 slides
Office of Internal Audits Budget Hearing Presentation Office of Internal Audits What is

Office of Internal Audits Budget Hearing Presentation Office of Internal Audits What is

Office of Internal Audits Budget Hearing Presentation Office of Internal Audits What is internal auditing? An independent and objective assurance and consulting activity guided by the philosophy of adding value to improve the

287 views • 7 slides
Audits of NFA Letters OAC 3745 300 14 Certified Professional 8 Hour Training Audits of

Audits of NFA Letters OAC 3745 300 14 Certified Professional 8 Hour Training Audits of

Audits of NFA Letters OAC 3745 300 14 Certified Professional 8 Hour Training Audits of NFAs Performed annually on NFA letters submitted during the prior calendar year in request of a CNS Performed by the Ohio EPA Required by

589 views • 17 slides
1 The High Value High Risk, or HVHR, assessments were critical inputs to government decisions for

1 The High Value High Risk, or HVHR, assessments were critical inputs to government decisions for

The Auditor-General provides assurance to Parliament on the accountability and performance of the Victorian Public Sector. The Auditor-General conducts financial audits and performance audits, and reports on the results of these audits to

239 views • 13 slides
PKF Audit &amp; Conseil LUXEMBOURG HOW WE CAN HELP OUR CLIENTS AUDIT SERVICES Legal audits

PKF Audit &amp; Conseil LUXEMBOURG HOW WE CAN HELP OUR CLIENTS AUDIT SERVICES Legal audits

PKF Audit &amp; Conseil LUXEMBOURG HOW WE CAN HELP OUR CLIENTS AUDIT SERVICES Legal audits Legal audits requirements (companies exceeding 2 criteria for 2 successive years) Contractual audits Annual revenues &gt; EUR 8.8m

537 views • 9 slides
Implementing Risk-Limiting Post-Election Audits in California J.L. Hall 1 , 2 L.W. Miratrix 3 P.B.

Implementing Risk-Limiting Post-Election Audits in California J.L. Hall 1 , 2 L.W. Miratrix 3 P.B.

Risk-Limiting Audits Defined Risk-Limiting Audits in CA Discussion Simpler Risk-Limiting Audits? Conclusions Implementing Risk-Limiting Post-Election Audits in California J.L. Hall 1 , 2 L.W. Miratrix 3 P.B. Stark 3 M. Briones 4 E. Ginnold 4

631 views • 23 slides
material, code, or functionality, and should not be relied upon in making purchasing decisions.

material, code, or functionality, and should not be relied upon in making purchasing decisions.

The following is intended to outline our general product direction. It is intended for information purposes only, and may not be incorporated into any contract. It is not a commitment to deliver any material, code, or functionality, and should

326 views • 31 slides
Finding'the'niche'market'in' housing'finance'in'Malawi Seminar'on'Housing'Finance'in'Malawi

Finding'the'niche'market'in' housing'finance'in'Malawi Seminar'on'Housing'Finance'in'Malawi

1 Finding'the'niche'market'in' housing'finance'in'Malawi Seminar'on'Housing'Finance'in'Malawi Sunbird'Lilongwe'Hotel,'Malawi 13'April'2016 2 www.auhf.co.za

810 views • 12 slides
Building a National Scale Learning Platform Hi Hiren n Dos oshi Dec 2018 Co-Founders:

Building a National Scale Learning Platform Hi Hiren n Dos oshi Dec 2018 Co-Founders:

Building a National Scale Learning Platform Hi Hiren n Dos oshi Dec 2018 Co-Founders: Mission: Improve literacy and numeracy by Increasing access to learning opportunities for 200 million children of India by 2020 Agenda 1. Large scale

479 views • 24 slides
Priority and Planning in Reef and Coastal Ecosystem CBD Capacity Building Workshop Ria

Priority and Planning in Reef and Coastal Ecosystem CBD Capacity Building Workshop Ria

Priority and Planning in Reef and Coastal Ecosystem CBD Capacity Building Workshop Ria Saryanthi, Burung Indonesia Bangkok, 28 June 2016 WALLACEA HOTSPOT BIOLOGICAL IMPORTANCE Forest ecosystem: primary forest, monsoon forest, dry forest

518 views • 12 slides
CITY CAPITAL SA PROPERTY HOLDINGS LTD 123.7 51.9 71.8 Values at 30 November 2016 Cents/

CITY CAPITAL SA PROPERTY HOLDINGS LTD 123.7 51.9 71.8 Values at 30 November 2016 Cents/

CITY CAPITAL SA PROPERTY HOLDINGS LTD 123.7 51.9 71.8 Values at 30 November 2016 Cents/ Cents/ Gain NET ASSET VALUATION AT: 30 NOVEMBER 2016 R R R share share since 30/11/2016 31/12/2009 31/12/2009 Number of shares in issue at 30

784 views • 26 slides
Smart Energy Lets build a beautiful world around Private &amp; Confidential, (c) Antriksh

Smart Energy Lets build a beautiful world around Private &amp; Confidential, (c) Antriksh

TLA INTERNATIONAL ENERGY CONFERENCE-2016 15 th April, India Habitat Center, New Delhi. Smart Energy Lets build a beautiful world around Private &amp; Confidential, (c) Antriksh Photonergy 1 Walk in to Future New Delhi, India, Monday, 15 th

713 views • 27 slides
DARWE DARWEN N EVEN EVENING ING &amp; &amp; LEISURE LEISURE ECO ECONO NOMY MY BLACKBU

DARWE DARWEN N EVEN EVENING ING &amp; &amp; LEISURE LEISURE ECO ECONO NOMY MY BLACKBU

BLACKBU BLACKBURN RN AND AND DARWE DARWEN N EVEN EVENING ING &amp; &amp; LEISURE LEISURE ECO ECONO NOMY MY BLACKBU BLACKBURN RN Black Blackbu burn rn Tow Town n Cen Centre tre Evening Evening Eco Econo nomy my Plan

510 views • 37 slides
Supersonic Technology Development Supersonic Technology Development Gulfstream Aerospace

Supersonic Technology Development Supersonic Technology Development Gulfstream Aerospace

Supersonic Technology Development Supersonic Technology Development Gulfstream Aerospace Corporation FAA Public Meeting Supersonics July 14, 2011 / Washington, DC Civil Supersonics / Concorde is Gone What Now? Civil Supersonics /

395 views • 12 slides

More recommend