Title: Revealing the Secrets
Slide 1: Revealing the Secrets
- Source Code Disclosure, Techniques, and Impacts
Slide 2: I am
- Anant Kochhar, Senior Information Security Consultant with SecurEyes
- Project Manager and Researcher
- Malware Detection Techniques and Real World Cracker Techniques
Slide 3: Unique Insecurities
- Each developer is unique
- Each application is unique
- Each application is uniquely insecure.
- Each developer is uniquely insecure.
Slide 4: Source Code Disclosure Types
- Accidental Code Disclosure
- Backup and Misc. Files
- The Dirty Download Page
Slide 5: Accidental Disclosure
- Part of the source code is available in the HTML source code.
- When dynamic pages are turned into static pages, for example from .asp to .html, coders don't remove the ASP code before publishing the HTML page.
- Why? Because IE is very forgiving: it renders the page without showing the leftover server-side code.
Slide 6: Google: looking in a domain which claims to have ALL its sites audited
mdb
server.createobject OR server.mappath
site:???.??
Slide 7: In IE
Slide 8: In Mozilla Firefox
Slide 9: Voila
Slide 10: How to avoid it
- Don't be careless.
- Go through the HTML source code of every page before it is published online.
- Use both IE and Firefox to test a page.
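A pre-publish check that does the "go through the HTML source" step mechanically, added here as an example (it is not code from the slides or from SecurEyes). It scans static pages for server-side constructs that should never survive a dynamic-to-static conversion, which is what the browser-rendered view hides. The sample page, the pattern names and the `/var/www/staging` path are constructed for illustration.

```php
<?php
// Added example (not from the original slides): pre-publish scan for server-side
// code that survived a dynamic-to-static conversion (.asp/.php -> .html).
// Browsers hide such remnants (IE swallows '<% ... %>' blocks), so check the
// raw source before publishing rather than trusting what renders.

// Constructs that must never appear in a static page (names are our own).
const SERVER_SIDE_PATTERNS = [
    'ASP/JSP scriptlet'     => '/<%[\s\S]*?%>/',
    'PHP open tag'          => '/<\?(php\b|=)/i',
    'ASP.NET server script' => '/<script[^>]*\brunat\s*=\s*["\']?server/i',
    'ASP Server object'     => '/\bServer\.(CreateObject|MapPath)\b/i',
];

/**
 * Scan one page's HTML source. Returns a list of findings, each
 * [pattern name, line number, matched snippet], ordered by line.
 */
function findServerSideRemnants(string $html): array
{
    $findings = [];
    foreach (SERVER_SIDE_PATTERNS as $name => $regex) {
        if (!preg_match_all($regex, $html, $m, PREG_OFFSET_CAPTURE)) {
            continue;
        }
        foreach ($m[0] as [$snippet, $offset]) {
            // Line number = 1 + newlines before the match offset.
            $line = 1 + substr_count(substr($html, 0, $offset), "\n");
            $findings[] = [$name, $line, trim(substr($snippet, 0, 60))];
        }
    }
    usort($findings, fn($a, $b) => $a[1] <=> $b[1]);
    return $findings;
}

/** Scan every .html/.htm file under $dir. Returns [path => findings]. */
function scanStaticTree(string $dir): array
{
    $report = [];
    $it = new RecursiveIteratorIterator(
        new RecursiveDirectoryIterator($dir, FilesystemIterator::SKIP_DOTS)
    );
    foreach ($it as $file) {
        if (!preg_match('/\.html?$/i', $file->getFilename())) {
            continue;
        }
        $found = findServerSideRemnants(file_get_contents($file->getPathname()));
        if ($found) {
            $report[$file->getPathname()] = $found;
        }
    }
    return $report;
}

// Constructed sample: a page converted from ASP with a leftover database block.
$sample = <<<'HTML'
<html><body>
<h1>Results</h1>
<%
Set conn = Server.CreateObject("ADODB.Connection")
conn.Open "DBQ=" & Server.MapPath("data/site.mdb")
%>
<p>Thank you.</p>
</body></html>
HTML;

foreach (findServerSideRemnants($sample) as [$name, $line, $snippet]) {
    printf("line %d: %s: %s\n", $line, $name, $snippet);
}
// Against a real staging tree (assumed path): print_r(scanStaticTree('/var/www/staging'));
```

Run it on the staging copy of the site before upload; any finding is a page that still carries dynamic code, and the `Server.CreateObject` / `Server.MapPath` pattern is exactly the string the slide's Google query hunts for.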
Slide 11: Backup and Misc. Files
- Source code stored in readable formats.
- Coders save backup files in the website's hosting folders: zipped files, .bak extensions, etc.
- Coders often use bad extensions, like .inc, for included configuration files.
Slide 12: How to discover
- Directory listings.
- Disclosure in HTML source (rare).
- Other non-standard techniques.
Slide 13: Google: the same "secured" domain
zip
parent directory
site:???.??
Slide 14: Directory listing enabled: all internal pages visible
Slide 15: Interesting folder: Election_asp. Interesting file: Database Connection
Slide 16: Backup file of Election_asp: Election_asp.zip
Slide 17: All ASP files, including the database connection file
Slide 18: Database username and password in the database connection file
Slide 19: How to avoid it
- Disable directory listing.
- Don't use the hosting space as a storage space.
- Name all .inc files as .inc.php or .inc.asp files, so the engine processes them instead of serving their contents as plain text.
Slide 20: The Dirty Download Page
- Better known as Insecure Direct Object Reference.
- Paper in December 2007: http://secureyes.net/downloads/Source_Code_Disclosure_over_HTTP.pdf
- Many white hats have contacted me regarding it.
- Translated into Spanish, which is flattering and scary: not the target audience.
Slide 21: The comment: look on the internet for such pages
Slide 22: How an engine works (diagram)
User's browser -> URL/user_login.php -> Server -> PHP engine -> user_login.php in the application root folder -> HTML part of user_login.php -> user's browser
Slide 23: The site's root folder
Slide 24: http://www.vulnerable123.com/1.doc
Slide 25: Internal Affairs (diagram)
User's browser -> URL/1.doc -> Server / PHP engine -> 1.doc in the application root folder -> 1.doc -> user's browser
Slide 26: The Other Method
- Stream the static content files through a dynamic page.
- The filename is passed as a parameter to the dynamic page, hereby called the download page.
- The download page looks for the file in the hosting folder.
- Upon finding it, it streams the file to the user's browser.
Slide 27: http://www.vulnerable123.com/download_file.php?filename=1.doc
Slide 28: Internal Affairs 2 (diagram)
User's browser -> URL/download_file.php?filename=1.doc -> Server -> PHP engine -> download_file.php in the application root folder -> 1.doc -> user's browser
Slide 29: The Exploit
- Change the filename parameter's value to user_login.php.
- Will it be processed by the engine before being streamed?
- Not! The engine does not double-process a single request! It will simply stream the source code file user_login.php!
Slide 30: http://www.vulnerable123.com/download_file.php?filename=user_login.php
Slide 31: Internal Affairs 3 (diagram)
User's browser -> URL/download_file.php?filename=user_login.php -> Server -> PHP engine -> download_file.php in the application root folder -> user_login.php (source, unprocessed) -> user's browser
Slide 32: Google
- A URL which contains:
  - A dynamic page extension: ext:php OR ext:jsp OR ext:asp OR ext:aspx
  - A static file extension somewhere in the URL: inurl:doc OR inurl:pdf OR inurl:xls OR inurl:txt OR inurl:ppt OR inurl:htm
Slide 33: Pattern (contd.)
- Combining:
  - inurl:doc OR inurl:pdf OR inurl:xls OR inurl:txt OR inurl:ppt ext:php OR ext:jsp OR ext:asp OR ext:aspx
Slide 34: Google result page: lots of false positives
Slide 35: Patterns (contd.)
- Search can be restricted to a site or a domain: site:vulnerable123.com
- Finding the dirty download page in www.vulnerable123.com:
  - inurl:doc OR inurl:pdf OR inurl:xls OR inurl:txt OR inurl:ppt ext:php OR ext:jsp OR ext:asp OR ext:aspx site:vulnerable123.com
Slide 36: Voila
Slide 37: Unique case of Java sites: directory listing through the download page
Slide 38: Recommended Resolutions
- Refer to internal objects indirectly.
- For example, index the downloadable files, and pass index numbers instead of file names.
- File extension validations alone can be bypassed with null byte injection, so do not rely on them.
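To make the download-page mechanism of slides 26 to 31 and the resolutions on slide 38 concrete, here is an added example (not code from the slides, the paper, or SecurEyes): the path construction that a dirty download page performs, beside a hardened handler that uses index numbers instead of file names, keeps an extension allow-list on the server-side name only, and confirms the canonical path stays inside a download directory. The `DOWNLOADS` map entries, the `DOWNLOAD_ROOT` path and the `id` parameter name are assumptions made for the example.

```php
<?php
// Added example (not from the original slides): the "dirty download page"
// pattern beside a hardened version. Map entries and paths are constructed.

// --- Vulnerable form: the file name comes straight from the request. -------
// ?filename=1.doc works as intended, but ?filename=user_login.php streams the
// PHP source unprocessed, because the engine does not process one request twice.
function vulnerableDownloadPath(string $root, string $filename): string
{
    return $root . '/' . $filename;   // no validation at all
}

// --- Hardened form: indirect object reference plus defence in depth. -------

// The only downloadable files, referenced by an opaque index (the slide's
// recommendation) rather than by name. In production this map lives in a
// database or config file; it is never derived from user input.
const DOWNLOADS = [
    1 => 'reports/annual_2007.pdf',   // constructed entries
    2 => 'forms/application.doc',
];
const ALLOWED_EXT = ['pdf', 'doc', 'xls', 'txt', 'ppt'];

/**
 * Resolve a download request to an absolute path inside $root, or null.
 * $id is the raw request parameter (a string from $_GET).
 */
function resolveDownload(string $root, string $id): ?string
{
    // 1. The parameter must be digits only and a known index: no names, no
    //    paths. "1%00.pdf" style null-byte tricks fail here instead of
    //    truncating a path later on.
    if (!ctype_digit($id) || !array_key_exists((int)$id, DOWNLOADS)) {
        return null;
    }
    $relative = DOWNLOADS[(int)$id];

    // 2. Extension allow-list on the server-side name; the user never supplies
    //    an extension, so there is nothing for a null byte to cut off.
    $ext = strtolower(pathinfo($relative, PATHINFO_EXTENSION));
    if (!in_array($ext, ALLOWED_EXT, true)) {
        return null;
    }

    // 3. Canonicalise and confirm the file is still inside the download root,
    //    which also catches a mis-edited map entry containing "../".
    $rootReal = realpath($root);
    $fileReal = realpath($root . '/' . $relative);
    if ($rootReal === false || $fileReal === false
        || strpos($fileReal, $rootReal . DIRECTORY_SEPARATOR) !== 0) {
        return null;
    }
    return $fileReal;
}

/** Stream the file with headers that force a download rather than rendering. */
function sendDownload(string $path): void
{
    header('Content-Type: application/octet-stream');
    header('Content-Disposition: attachment; filename="' . basename($path) . '"');
    header('X-Content-Type-Options: nosniff');
    header('Content-Length: ' . filesize($path));
    readfile($path);
}

// Request handling. DOWNLOAD_ROOT (assumed path) is a directory outside the
// web root that holds only the files listed in DOWNLOADS, so even a logic
// slip here cannot reach the application's own .php files.
const DOWNLOAD_ROOT = '/srv/app/downloads';
$path = resolveDownload(DOWNLOAD_ROOT, (string)($_GET['id'] ?? ''));
if ($path === null) {
    http_response_code(404);
    exit('No such download');
}
sendDownload($path);
```

The three checks are layered on purpose: the index lookup is the actual fix (the client never names a file), the allow-list and the `realpath` containment test are there so that a future edit of the map, or a later "convenience" change that lets names back in, still cannot serve `user_login.php`. Keeping the download directory outside the application root removes the source files from reach entirely, which is the simplest mitigation for the Java directory-listing variant on slide 37 as well.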
Slide 39: Contact me
- anant.kochharatsecureyesdotnet