Revealing the Secrets: - PowerPoint PPT Presentation

1
  • Revealing the Secrets
  • Source Code Disclosure, Techniques, and Impacts

2
I am
  • Anant Kochhar, Senior Information Security
    Consultant with SecurEyes
  • Project Manager and Researcher
  • Malware Detection Techniques and Real World Cracker Techniques

3
Unique Insecurities
  • Each developer is unique
  • Each application is unique
  • Each application is uniquely insecure.
  • Each developer is uniquely insecure.

4
Source Code Disclosure Types
  • Accidental Code Disclosure
  • Backup and Misc. Files
  • The Dirty Download Page

5
Accidental Disclosure
  • Part of the server-side source code is left inside the HTML
    source of the page.
  • Happens when dynamic pages are turned into static pages,
    e.g. from .asp to .html.
  • Coders don't remove the ASP code before publishing the HTML page.
  • Why does nobody notice? Because IE is very forgiving: it hides the
    leftover <% ... %> blocks when rendering, so the page looks fine to
    the developer, while Firefox shows them as plain text.

6
Google: looking in a domain which claims to have ALL its sites audited
mdb
server.createobject OR server.mappath
site:???.??
7
In IE
8
In Mozilla Firefox
9
Voila
10
How to avoid it
  • Don't be careless.
  • Go through the raw HTML source (view-source, not the rendered
    page) of every page before it is published online.
  • Use both IE and Firefox to test a page.

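The review step above is easy to automate. The following is an added example, not code from the presentation: a pre-publish check that scans the raw HTML of a converted page for server-side fragments that should never reach a visitor, including the very markers the Google query on slide 6 hunts for (Server.CreateObject, Server.MapPath, .mdb paths). The sample page is constructed to resemble an .asp file saved as .html.

```python
"""Pre-publish check for server-side code left inside 'static' HTML.

Added example (not from the presentation): when an .asp or .php page is
converted to .html, the <% ... %> or <?php ... ?> blocks no longer execute
and are shipped to every visitor. Browsers may hide them, so grep the raw
source instead of eyeballing the rendered page.
"""
import re

# Markers that never belong in a finished static page.
SERVER_SIDE_PATTERNS = {
    "asp_block": re.compile(r"<%.*?%>", re.DOTALL),
    "php_block": re.compile(r"<\?(?:php|=).*?(?:\?>|\Z)", re.DOTALL | re.IGNORECASE),
    "asp_object": re.compile(r"Server\.(?:CreateObject|MapPath)\b", re.IGNORECASE),
    "jet_database": re.compile(r"\b[\w/\\.-]+\.mdb\b", re.IGNORECASE),
    "connection_string": re.compile(r"(?:Provider|Data Source|Password|Pwd)\s*=", re.IGNORECASE),
}


def find_server_side_leaks(html):
    """Return a list of (kind, line_number, snippet) for every leaked fragment."""
    findings = []
    for kind, pattern in SERVER_SIDE_PATTERNS.items():
        for match in pattern.finditer(html):
            line_no = html.count("\n", 0, match.start()) + 1
            snippet = " ".join(match.group(0).split())[:80]
            findings.append((kind, line_no, snippet))
    findings.sort(key=lambda f: (f[1], f[0]))
    return findings


def is_publishable(html):
    """True only when no server-side fragment survives in the page."""
    return not find_server_side_leaks(html)


# Constructed sample: an .asp page saved as .html with its code left in place.
SAMPLE_HTML = """<html>
<head><title>Results</title></head>
<body>
<% Set conn = Server.CreateObject("ADODB.Connection")
   conn.Open "Provider=Microsoft.Jet.OLEDB.4.0;Data Source=" & Server.MapPath("db/site.mdb") %>
<h1>Election results</h1>
<p>Published 2007</p>
</body>
</html>
"""

if __name__ == "__main__":
    for kind, line_no, snippet in find_server_side_leaks(SAMPLE_HTML):
        print(f"line {line_no}: {kind}: {snippet}")
    print("publishable:", is_publishable(SAMPLE_HTML))
```

Run it over every file in the publish directory and refuse to deploy when `is_publishable` is false; the `asp_block` and `php_block` patterns catch the whole leaked block, the remaining patterns catch fragments that survive even when the delimiters were partially cleaned up.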
11
Backup and Misc. Files
  • Source code stored in readable formats.
  • Coders save backup files in the website's hosting folders.
  • Zipped files, .bak extensions, etc.
  • Coders often use bad extensions, like .inc, for included
    configuration files: the web server does not hand .inc to the
    script engine, so it serves the file as plain text.

12
How to discover
  • Directory Listings.
  • Disclosure in HTML Source (Rare)
  • Other non-standard techniques.

13
Google: the same secured domain
zip
parent directory
site:???.??
14
Directory Listing Enabled- All internal pages
visible
15
Interesting Folder: Election_asp. Interesting File: Database Connection
16
Backup File of Election_asp: Election_asp.zip
17
All ASP Files, including the Database Connection File
18
Database username and password in the database
connection file
19
How to avoid it
  • Disable directory listing.
  • Don't use the hosting space as storage space.
  • Name all .inc files .inc.php or .inc.asp so the script engine
    executes them instead of the server sending their text; better
    still, keep include files outside the web root or configure the
    server to deny the .inc extension.

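The discovery steps of slides 12 to 18 (find a known file, look for the zipped folder, the .inc include and the .bak copy beside it) can be turned into a checklist a tester runs against a target. The code below is an added example, not the presenter's code: it generates the names such leftovers usually carry and reports which ones the server hands back readable. The fetcher is injected, so the same routine runs against a real HTTP client or, as here, against a constructed target that is not a real host; the file contents are constructed too.

```python
"""Hunting for backup and include copies of server-side files.

Added example (not from the presentation). A live .asp page renders to HTML,
but a zipped copy of its folder, a .inc include or a .bak copy is served as
raw source. Generate the likely names, then see which ones come back 200.
"""
from urllib.parse import urljoin

# Suffixes editors and developers commonly leave behind next to the live file.
BACKUP_SUFFIXES = (".bak", ".old", ".orig", ".zip", ".rar", ".tar.gz", "~", ".txt", ".swp")
# Extension often used for configuration includes; served verbatim by default.
INCLUDE_EXTENSIONS = (".inc",)


def backup_candidates(path):
    """URL paths where a readable copy of `path` is likely to live."""
    directory, _, name = path.rpartition("/")
    stem, dot, _ext = name.rpartition(".")
    candidates = []
    for suffix in BACKUP_SUFFIXES:
        candidates.append(f"{directory}/{name}{suffix}")       # db_connect.asp.bak
        if dot:
            candidates.append(f"{directory}/{stem}{suffix}")   # db_connect.bak
    if dot:
        for inc in INCLUDE_EXTENSIONS:
            candidates.append(f"{directory}/{stem}{inc}")      # db_connect.inc
    candidates.append(f"{directory}/Copy of {name}")           # Windows Explorer copy
    if directory:
        candidates.append(f"{directory}.zip")                  # whole folder zipped
    # Keep order (most likely first) but drop duplicates.
    return list(dict.fromkeys(candidates))


def looks_like_source(body):
    """Heuristic: an archive or raw server-side code rather than rendered HTML."""
    return body.startswith(b"PK\x03\x04") or b"<%" in body or b"<?php" in body.lower()


def find_exposed(base_url, known_paths, fetch):
    """Return (url, reason) for every candidate that the server hands back.

    `fetch(url)` must return (status_code, body_bytes)."""
    exposed = []
    for path in known_paths:
        for candidate in backup_candidates(path):
            url = urljoin(base_url, candidate)
            status, body = fetch(url)
            if status != 200:
                continue
            reason = "source or archive" if looks_like_source(body) else "readable file"
            exposed.append((url, reason))
    return exposed


# Constructed target (not a real host): the live page renders normally, but a
# zipped copy of the folder, a .inc include and a .bak copy are all reachable.
CONSTRUCTED_SITE = {
    "http://www.vulnerable123.com/Election_asp/db_connect.asp":
        b"<html><body><h1>Election</h1></body></html>",
    "http://www.vulnerable123.com/Election_asp.zip":
        b"PK\x03\x04" + b"\x00" * 26,
    "http://www.vulnerable123.com/Election_asp/db_connect.inc":
        b'<%\nSet conn = Server.CreateObject("ADODB.Connection")\n'
        b'conn.Open "Provider=Microsoft.Jet.OLEDB.4.0;Data Source=" & '
        b'Server.MapPath("db/votes.mdb") & ";User ID=admin;Password=s3cret"\n%>',
    "http://www.vulnerable123.com/Election_asp/db_connect.asp.bak":
        b'<% conn.Open "Provider=SQLOLEDB;Server=db1;User ID=sa;Password=s3cret" %>',
}


def constructed_fetch(url):
    """Minimal stand-in for an HTTP GET against CONSTRUCTED_SITE."""
    body = CONSTRUCTED_SITE.get(url)
    return (200, body) if body is not None else (404, b"")


if __name__ == "__main__":
    for url, reason in find_exposed("http://www.vulnerable123.com/",
                                    ["/Election_asp/db_connect.asp"], constructed_fetch):
        print(f"{reason}: {url}")
```

Against a real host, replace `constructed_fetch` with a function that performs the GET and returns the status and body; the same candidate list doubles as a deny-list for the web server, which is the defensive reading of slide 19.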
20
The Dirty Download Page
  • Better known as Insecure Direct Object Reference.
  • Paper in December 2007:
  • http://secureyes.net/downloads/Source_Code_Disclosure_over_HTTP.pdf
  • Many white hats have contacted me regarding it.
  • Translated into Spanish, which is flattering and scary.
  • Not the target audience.

21
The Comment: look on the internet for such pages
22
How An Engine Works
Diagram: the user's browser requests URL/user_login.php; the server
locates User_login.php in the application root folder and hands it to
the PHP engine; only the HTML part of User_login.php is sent back to
the user's browser.
23
The site's root folder
24
http://www.vulnerable123.com/1.doc
25
Internal Affairs
Diagram: the user's browser requests URL/1.doc; the server finds 1.doc
in the application root folder and, as it is not a PHP file, sends it
to the user's browser as-is without passing it through the PHP engine.
26
The Other Method
  • Stream the static content files through a dynamic page.
  • The filename is passed as a parameter to the dynamic page,
    hereafter called the download page.
  • The download page looks for the file in the hosting folder
  • and, upon finding it, streams it to the user's browser.

27
http://www.vulnerable123.com/download_file.php?filename=1.doc
28
Internal Affairs 2
Diagram: the user's browser requests URL/download_file.php?filename=1.doc;
the PHP engine executes Download_file.php, which reads 1.doc from the
application root folder and streams it to the user's browser.
29
The Exploit
  • Change the filename parameter's value to user_login.php.
  • Will it be processed by the engine before being streamed?
  • No! The engine does not double-process a single request: it has
    already executed download_file.php, and the file that page opens
    is read as plain bytes. It will simply stream the source code of
    user_login.php!

30
http://www.vulnerable123.com/download_file.php?filename=user_login.php
31
Internal Affairs 3
Diagram: the user's browser requests
URL/download_file.php?filename=user_login.php; the PHP engine executes
Download_file.php, which reads User_login.php from the application root
folder as an ordinary file and streams its source to the user's browser.
32
Google
  • A URL which contains
  • A dynamic page extension:
  • ext:php OR ext:jsp OR ext:asp OR ext:aspx
  • A static file extension somewhere in the URL:
  • inurl:doc OR inurl:pdf OR inurl:xls OR inurl:txt OR inurl:ppt
    OR inurl:htm

33
Pattern (contd.)
  • Combining:
  • inurl:doc OR inurl:pdf OR inurl:xls OR inurl:txt OR inurl:ppt
    ext:php OR ext:jsp OR ext:asp OR ext:aspx

34
Google Result Page
Lots of false positives
35
Patterns (contd.)
  • Search can be restricted to a site or a domain:
  • site:vulnerable123.com
  • Finding the dirty download page in www.vulnerable123.com:
  • inurl:doc OR inurl:pdf OR inurl:xls OR inurl:txt OR inurl:ppt
    ext:php OR ext:jsp OR ext:asp OR ext:aspx site:vulnerable123.com

36
Voila
37
Unique Case of Java Sites: Directory Listing through the download page
38
Recommended Resolutions
  • Refer to internal objects indirectly.
  • For example, index the downloadable files and pass index numbers
    instead of file names.
  • File extension validations can be bypassed by null byte injection:
    a value such as user_login.php%00.doc ends in .doc as far as the
    check is concerned, but the underlying file API truncates the path
    at the null byte and opens user_login.php.

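The download page of slides 26 to 31 and the resolutions of slide 38 fit in one worked example. What follows is an added example, not the presenter's code: the PHP download page and the single pass of the engine are modelled in Python over a constructed in-memory application root (`APP_ROOT`), with the vulnerable handler, the extension check that a null byte defeats, the indexed lookup the slide recommends, and a containment check for the case where a name must still be accepted. `DOWNLOADS_DIR` is an assumed location; the note that PHP's file functions stopped at an embedded NUL before version 5.3.4 is a fact about PHP, not something the slides state.

```python
"""The 'dirty download page' and why the obvious fixes do or do not hold.

Added example, not the presentation's code. The PHP download page and the
engine behaviour from slides 22-31 are modelled in Python over a constructed
in-memory application root; DOWNLOADS_DIR is an assumed location.
"""
import posixpath

# Constructed application root: one document meant for download, one script
# whose source must never leave the server, and the download page itself.
APP_ROOT = {
    "1.doc": b"Quarterly figures (stand-in for binary .doc content)",
    "user_login.php": (b"<?php\n$db = new PDO('mysql:host=localhost;dbname=app', "
                       b"'appuser', 'S3cretPass');\n// ... login logic ...\n"),
    "download_file.php": b"<?php readfile($_GET['filename']); ?>",
}


def engine_read(path):
    """What the engine does once download_file.php calls readfile(): a raw byte
    read. The bytes are not interpreted a second time (slide 29)."""
    return APP_ROOT.get(path)


def download_vulnerable(filename):
    """Slides 26-29: the parameter names the file directly, so any file the
    engine can read is streamed back verbatim, including .php source."""
    return engine_read(filename)


ALLOWED_EXTENSIONS = (".doc", ".pdf", ".xls", ".txt", ".ppt")


def download_extension_check(filename):
    """Slide 38's warning: an extension whitelist alone is bypassable. A C
    runtime (e.g. PHP before 5.3.4) stops at the first NUL byte, so
    'user_login.php\\x00.doc' passes the check and opens user_login.php."""
    if not filename.lower().endswith(ALLOWED_EXTENSIONS):
        return None
    c_string_path = filename.split("\x00", 1)[0]  # what the OS-level open sees
    return engine_read(c_string_path)


# Slide 38's recommendation: index the downloadable files server-side and let
# the client pass only the index.
DOWNLOAD_INDEX = {1: "1.doc"}


def download_indirect(file_id):
    """Indirect object reference: the client names an index, the server maps
    it to a path it chose. Unknown or non-integer ids fail closed."""
    try:
        path = DOWNLOAD_INDEX[int(file_id)]
    except (KeyError, ValueError, TypeError):
        return None
    return engine_read(path)


DOWNLOADS_DIR = "/var/www/app/downloads"  # assumed, dedicated to static files


def resolve_download_path(name):
    """Defence in depth when a file name must be accepted: refuse NUL bytes and
    path separators, then confirm the normalised path is still directly under
    DOWNLOADS_DIR and carries an allowed extension. Returns the path or None."""
    if not name or "\x00" in name or "/" in name or "\\" in name:
        return None
    candidate = posixpath.normpath(posixpath.join(DOWNLOADS_DIR, name))
    if posixpath.dirname(candidate) != DOWNLOADS_DIR:
        return None
    if not candidate.lower().endswith(ALLOWED_EXTENSIONS):
        return None
    return candidate


if __name__ == "__main__":
    print(download_vulnerable("user_login.php")[:30])               # source leaks
    print(download_extension_check("user_login.php\x00.doc")[:30])  # still leaks
    print(download_indirect("user_login.php"))                      # None
    print(resolve_download_path("..\\user_login.php"))              # None
```

The indexed lookup is the primary fix because the client never supplies a path at all; `resolve_download_path` is the fallback for legacy pages, and it rejects the null byte before any extension test runs, which is the order the slide's warning demands.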
39
  • Contact me
  • anant.kochharatsecureyesdotnet
  • Thank you