devfest istanbul'14 web app security and framework
![Page 1: Devfest istanbul'14 web app security and framework](https://reader033.vdocuments.site/reader033/viewer/2022051516/559e049a1a28ab266a8b484e/html5/thumbnails/1.jpg)
Devfest Istanbul
Web Application Attacks and Trusting Frameworks
![Page 2: Devfest istanbul'14 web app security and framework](https://reader033.vdocuments.site/reader033/viewer/2022051516/559e049a1a28ab266a8b484e/html5/thumbnails/2.jpg)
whoami
● Mehmet INCE
● Cyber Security Engineer/Pentest Lead at
INTELRAD
● 150+ vulnerability publications
● Application Security
● Infosec Blogger www.mehmetince.net
● PHP, Python, etc.
● @mdisec
![Page 3: Devfest istanbul'14 web app security and framework](https://reader033.vdocuments.site/reader033/viewer/2022051516/559e049a1a28ab266a8b484e/html5/thumbnails/3.jpg)
Premise
security is a serious business.
![Page 4: Devfest istanbul'14 web app security and framework](https://reader033.vdocuments.site/reader033/viewer/2022051516/559e049a1a28ab266a8b484e/html5/thumbnails/4.jpg)
![Page 5: Devfest istanbul'14 web app security and framework](https://reader033.vdocuments.site/reader033/viewer/2022051516/559e049a1a28ab266a8b484e/html5/thumbnails/5.jpg)
Claims in web application security
● We use a framework. ( ORM, prepared statements )
● We do input validation.
● Output encoding is our job.
● We regularly buy penetration testing services from different firms.
● We have WAF and IPS/IDS devices.
● Our software is open source. The power of the community is with us.
● We send our developers to secure coding training.
● We have a bug bounty program; we pay everyone who finds a vulnerability.
![Page 6: Devfest istanbul'14 web app security and framework](https://reader033.vdocuments.site/reader033/viewer/2022051516/559e049a1a28ab266a8b484e/html5/thumbnails/6.jpg)
Anyone here working at a company that does all of these?
![Page 7: Devfest istanbul'14 web app security and framework](https://reader033.vdocuments.site/reader033/viewer/2022051516/559e049a1a28ab266a8b484e/html5/thumbnails/7.jpg)
Because
● Drupal core - SQL injection ( stacked queries enabled! ) - http://goo.gl/RPgX1z
● Wordpress 4.0.1 Stored XSS - http://goo.gl/xuvXfB
● Codeigniter Object Injection - http://goo.gl/72lzGV
![Page 8: Devfest istanbul'14 web app security and framework](https://reader033.vdocuments.site/reader033/viewer/2022051516/559e049a1a28ab266a8b484e/html5/thumbnails/8.jpg)
Because...
● Symfony CSRF ( CVE-2014-6072 )
● Laravel cookie forgery, decryption, and RCE - http://goo.gl/qieZzZ
● RoR SQLi & crypto weakness
![Page 9: Devfest istanbul'14 web app security and framework](https://reader033.vdocuments.site/reader033/viewer/2022051516/559e049a1a28ab266a8b484e/html5/thumbnails/9.jpg)
Because…
"We use a framework." is one of the must-haves, but it is never sufficient on its own, because the framework is itself a piece of software. It can have security vulnerabilities. ( RoR, CI, Laravel, Symfony, ASP.NET )
![Page 10: Devfest istanbul'14 web app security and framework](https://reader033.vdocuments.site/reader033/viewer/2022051516/559e049a1a28ab266a8b484e/html5/thumbnails/10.jpg)
Because…
Open source matters for security.
However, all of the examples above were open source projects with ~1,000 committers.
http://goo.gl/fDHGFZ
( Welcome aboard, ASP.NET :p )
![Page 11: Devfest istanbul'14 web app security and framework](https://reader033.vdocuments.site/reader033/viewer/2022051516/559e049a1a28ab266a8b484e/html5/thumbnails/11.jpg)
Because….
No WAF or IPS/IDS can detect the Codeigniter Object Injection vulnerability. Why?
( Exploit the OR )
![Page 12: Devfest istanbul'14 web app security and framework](https://reader033.vdocuments.site/reader033/viewer/2022051516/559e049a1a28ab266a8b484e/html5/thumbnails/12.jpg)
So..
security is a serious business.
![Page 13: Devfest istanbul'14 web app security and framework](https://reader033.vdocuments.site/reader033/viewer/2022051516/559e049a1a28ab266a8b484e/html5/thumbnails/13.jpg)
Codeigniter Object Injection Vuln
![Page 14: Devfest istanbul'14 web app security and framework](https://reader033.vdocuments.site/reader033/viewer/2022051516/559e049a1a28ab266a8b484e/html5/thumbnails/14.jpg)
Codeigniter Session Mechanism
Session class initializer method.
![Page 15: Devfest istanbul'14 web app security and framework](https://reader033.vdocuments.site/reader033/viewer/2022051516/559e049a1a28ab266a8b484e/html5/thumbnails/15.jpg)
Codeigniter Session Mechanism
![Page 16: Devfest istanbul'14 web app security and framework](https://reader033.vdocuments.site/reader033/viewer/2022051516/559e049a1a28ab266a8b484e/html5/thumbnails/16.jpg)
Codeigniter Session Mechanism
![Page 17: Devfest istanbul'14 web app security and framework](https://reader033.vdocuments.site/reader033/viewer/2022051516/559e049a1a28ab266a8b484e/html5/thumbnails/17.jpg)
Codeigniter Encryption Class
![Page 18: Devfest istanbul'14 web app security and framework](https://reader033.vdocuments.site/reader033/viewer/2022051516/559e049a1a28ab266a8b484e/html5/thumbnails/18.jpg)
Codeigniter Custom XOR
![Page 19: Devfest istanbul'14 web app security and framework](https://reader033.vdocuments.site/reader033/viewer/2022051516/559e049a1a28ab266a8b484e/html5/thumbnails/19.jpg)
Where we are
User Request -> Session class initializer -> sess_create() -> is encrypt cookie enabled?
T: Encode with Mcrypt -> _set_cookie()
F: Encode with XOR
![Page 20: Devfest istanbul'14 web app security and framework](https://reader033.vdocuments.site/reader033/viewer/2022051516/559e049a1a28ab266a8b484e/html5/thumbnails/20.jpg)
How to read Session Data
![Page 21: Devfest istanbul'14 web app security and framework](https://reader033.vdocuments.site/reader033/viewer/2022051516/559e049a1a28ab266a8b484e/html5/thumbnails/21.jpg)
How to exploit
- If the encryption key is known: cookie object manipulation
- If the encryption key is unknown:
  - If Mcrypt is active: CBC mode exploit
  - If custom XOR: md5 hash brute force
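The cookie pattern the slides walk through (serialized session data checked with an md5 over the data plus the key, then passed to unserialize) beside a hardened replacement, as an added example that is neither Codeigniter's code nor the speaker's. weak_read is a simplified reconstruction, and the hardened functions sess_encode/sess_decode, their JSON-over-HMAC cookie format and the PHP 7.3+ requirement are assumptions of this example:

```php
<?php
// Added illustration, not CodeIgniter's code: the cookie scheme the talk
// describes (serialize + md5(data . key) + unserialize) beside a hardened one.

// WEAK: md5(data . key) is an unkeyed hash (guessable offline from one cookie),
// "!=" is not constant-time, and unserialize() instantiates whatever classes
// the payload names, which is the object injection sink.
function weak_read(string $cookie, string $key)
{
    $hash = substr($cookie, -32);
    $data = substr($cookie, 0, -32);
    if (md5($data . $key) != $hash) { return null; }
    return unserialize($data);
}

// HARDENED: JSON payload (decodes to arrays, never objects), HMAC-SHA256 under
// a dedicated random key, constant-time comparison, explicit expiry.
function sess_encode(array $session, string $key, int $ttl = 7200): string
{
    $session['exp'] = time() + $ttl;
    $b64 = rtrim(strtr(base64_encode(json_encode($session, JSON_THROW_ON_ERROR)), '+/', '-_'), '=');
    return $b64 . '.' . hash_hmac('sha256', $b64, $key);
}

function sess_decode(string $cookie, string $key): ?array
{
    $parts = explode('.', $cookie, 2);
    if (count($parts) !== 2) { return null; }
    [$b64, $mac] = $parts;
    // verify before touching the payload; hash_equals() is constant-time
    if (!hash_equals(hash_hmac('sha256', $b64, $key), $mac)) { return null; }
    $payload = base64_decode(strtr($b64, '-_', '+/'), true);
    if ($payload === false) { return null; }
    $session = json_decode($payload, true, 32, JSON_THROW_ON_ERROR);
    if (!is_array($session) || ($session['exp'] ?? 0) < time()) { return null; }
    return $session;
}

// Constructed demo: a valid cookie round-trips; flipping one byte is rejected.
$key = random_bytes(32);
$cookie = sess_encode(['user_id' => 42, 'role' => 'user'], $key);
var_dump(sess_decode($cookie, $key));
var_dump(sess_decode('A' . substr($cookie, 1), $key));
```

The same idea also removes the WAF blind spot the slides mention: with JSON there is no serialized-object syntax for a filter to miss, because the decoder can never instantiate a class.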
![Page 22: Devfest istanbul'14 web app security and framework](https://reader033.vdocuments.site/reader033/viewer/2022051516/559e049a1a28ab266a8b484e/html5/thumbnails/22.jpg)
Codeigniter Based Applications
- Bonfire Vulnerable
- No-CMS Vulnerable
- PyroCMS Vulnerable
- FUEL CMS Vulnerable
- ...
![Page 23: Devfest istanbul'14 web app security and framework](https://reader033.vdocuments.site/reader033/viewer/2022051516/559e049a1a28ab266a8b484e/html5/thumbnails/23.jpg)
DEMO