PHP code audits

PHP code audits, OSCON 2009, San José, CA, USA, July 21st 2009 - PowerPoint PPT Presentation



  1. PHP code audits. OSCON 2009, San José, CA, USA, July 21st 2009. (Slide footer, printed on every slide and dropped from the slides below: "samedi 25 juillet 2009", i.e. Saturday 25 July 2009, followed by the slide number.)

  2. Agenda: workshop presentation; black box audit; source code audit

  3. Who speaks? Philippe Gamache, Parler Haut, Interagir Librement: web development, security audit, training. info@ph-il.ca, @SecureSymfony

  4. Who speaks? Damien Seguy, Alter Way Consulting: open source expert services. Father of the Elephpant, calendar maker. damien.seguy@alterway.fr

  5. Security book: new 2009 edition, a comprehensive review of security for MySQL, PHP, etc. Published in French; a translation is planned.

  6. The application: http://www.cligraphcrm.com/

  7. Full audit synopsis: identification of the audit goals; interview with the dev teams; black box testing; open code audit; report

  8. Yes, we take questions

  9. Black box testing

  10. Black box testing. What is black box testing? Finding information: what can I do with this application? Where are the most popular entry points?

  11. Black box testing. Look for vulnerabilities using different tools and techniques: automatic scanners, by hand, fuzzing tools, scenarios. How do I use this to my advantage?

  12. Black box testing. Strike: attacking a vulnerability with a specific purpose

  13. Find information: look at the application web site. Features

  14.-18. Find information: look at the application web site. Technology (slides 14 to 18 carry only this title)

  19. Where did I hear about this?

  20. Find vulnerabilities. We look in Common Vulnerabilities and Exposures (CVE), and also in Bugtraq, xssed.com, etc. We could also have looked in Google, Bing, etc. No published vulnerabilities for cliGraph.

  21. Find information: HTTP headers (tools: curl, wget, Firefox, Rex Swain's HTTP Viewer)
      HTTP/1.x 200 OK
      Date: Mon, 20 Jul 2009 17:29:25 GMT
      Server: Apache/2.2.3 (Debian) PHP/5.2.0-8+etch11 mod_ssl/2.2.3 OpenSSL/0.9.8c
      X-Powered-By: PHP/5.2.0-8+etch11
      Expires: Thu, 19 Nov 1981 08:52:00 GMT
      Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
      Pragma: no-cache
      Content-Length: 586
      Content-Type: text/html; charset=UTF-8
      X-Cache: MISS from Colossus
      Connection: close
      The Server and X-Powered-By lines give away the exact Apache, PHP, mod_ssl and OpenSSL builds, and the Debian package revision (etch11) pins the distribution release.

  22. Typical files. Usual directories: includes, include, inc, com, classes, lib, library; admin, adm, administrator; tmp, TMP, ext, var; data, db, conf, config; uploads, install, ...

  23. Typical files: .phps, .inc, .class, xml, ini, yaml, cfg. Apache Alias: /icons/. robots.txt

  24. Security dilemma: robots.txt
      User-agent: *
      Disallow: /administrator/
      Disallow: /cache/
      Disallow: /components/
      Disallow: /images/
      Disallow: /includes/
      Disallow: /installation/
      Disallow: /language/
      Disallow: /libraries/
      Disallow: /media/
      Disallow: /modules/
      Disallow: /plugins/
      Disallow: /templates/
      Disallow: /tmp/
      Disallow: /xmlrpc/
      The dilemma: the same file that keeps crawlers out of these directories hands an attacker a map of them.

  25. External testing: get the list of the scripts (find .), turn that into URLs, fetch them directly on the web site, study what comes back. You may need to install the application yourself to get that list.

  26. Typical files: HTTPS; 404 and 5xx pages; blank page; bad code that runs without displaying errors
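An added example, not part of the presentation or of the audited application: a PHP script that probes a target for the usual directories and file names listed on slides 22 and 23, plus whatever `find .` produced on a local copy (slide 25), and sorts the answers into the classes of slide 26 (404 and 5xx, blank page, an error message leaking through). It assumes PHP 8 with ext-curl; the base URL, the probe list and the scripts.txt file name are placeholders.

```php
<?php
declare(strict_types=1);

// Hypothetical target; point it at an instance you are authorised to test.
const BASE = 'http://crm.example.test/';

// Usual directories and file names from the slides, plus any script names
// collected with `find . -name '*.php'` on a local copy (one per line in
// scripts.txt, assumed to sit next to this script).
$candidates = [
    'includes/', 'include/', 'inc/', 'com/', 'classes/', 'lib/', 'library/',
    'admin/', 'adm/', 'administrator/', 'tmp/', 'TMP/', 'ext/', 'var/',
    'data/', 'db/', 'conf/', 'config/', 'uploads/', 'install/',
    'icons/', 'robots.txt', 'config.inc', 'config.ini', 'config.xml', 'config.yaml',
];
if (is_readable('scripts.txt')) {
    foreach (file('scripts.txt', FILE_IGNORE_NEW_LINES | FILE_SKIP_EMPTY_LINES) as $p) {
        $candidates[] = ltrim($p, './');
    }
}

/** Turn a status code and body into the audit verdicts of slide 26. */
function classify(int $code, string $body): string
{
    $verdict = match (true) {
        $code === 404                 => '404 not found (or a catch-all handler)',
        $code === 401, $code === 403  => "$code exists but access is denied: worth a closer look",
        $code >= 500                  => "$code the script ran and died",
        $code >= 300 && $code < 400   => "$code redirect (login page? installer?)",
        $code === 200 && $body === '' => '200 blank page: an include file executed on its own?',
        $code === 200                 => '200 ' . strlen($body) . ' bytes',
        default                       => (string) $code,
    };
    // An error message in the body is the most useful signal of all: it leaks
    // paths and versions, and with display_errors on sometimes code fragments.
    if (preg_match('/\b(Fatal error|Parse error|Warning|Notice)\b.{0,200}?\bon line \d+/s', $body, $m)) {
        $verdict .= '  LEAK: ' . substr($m[0], 0, 120);
    }
    return $verdict;
}

/** Fetch one URL; returns [status, header block, body] or null on transport error. */
function fetch(string $url): ?array
{
    $ch = curl_init($url);
    curl_setopt_array($ch, [
        CURLOPT_RETURNTRANSFER => true,
        CURLOPT_HEADER         => true,    // headers come back in front of the body
        CURLOPT_FOLLOWLOCATION => false,   // a redirect is itself information
        CURLOPT_TIMEOUT        => 10,
        CURLOPT_USERAGENT      => 'audit-probe/0.1',
    ]);
    $raw = curl_exec($ch);
    if ($raw === false) {
        fwrite(STDERR, "$url: " . curl_error($ch) . PHP_EOL);
        curl_close($ch);
        return null;
    }
    $code  = curl_getinfo($ch, CURLINFO_HTTP_CODE);
    $hsize = curl_getinfo($ch, CURLINFO_HEADER_SIZE);
    curl_close($ch);
    return [$code, substr($raw, 0, $hsize), trim(substr($raw, $hsize))];
}

$fingerprint = [];
foreach (array_unique($candidates) as $path) {
    $r = fetch(BASE . $path);
    if ($r === null) {
        continue;
    }
    [$code, $headers, $body] = $r;
    // Server and X-Powered-By give the exact Apache/PHP/OpenSSL builds (slide 21).
    if ($fingerprint === [] && preg_match_all('/^(Server|X-Powered-By):\s*(.+?)\r?$/mi', $headers, $m)) {
        $fingerprint = array_combine($m[1], $m[2]);
    }
    printf("%-28s %s\n", $path, classify($code, $body));
}
foreach ($fingerprint as $name => $value) {
    printf("Fingerprint %s: %s\n", $name, $value);
}
```

Run it as `php probe.php` from a directory holding scripts.txt. Redirects are deliberately not followed: a 302 to a login page on admin/ and a 200 on includes/ tell different stories, and following the redirect would merge them.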

  27. Automatic scanners: Nikto, http://www.cirt.net/

  28. Find vulnerabilities. What to look for? XSS, CSRF, injections, file overwrites

  29. Automatic scanners: Web Application Attack and Audit Framework (W3AF), http://w3af.sourceforge.net/

  30. Manual tools. Firefox add-ons: Access Me, Firebug, SQL Inject Me, Web Developer, XSS Me, Data

  31. Manual tools. Arrays: c[]=1 (send an array where the code expects a string). Surplus variables: debug=1, task=view. Missing variables (drop a parameter the page expects).

  32. Manual tools
      action/facture_fiche.php?exp_typedoc=facture&exp_id=2009N000196&exp_formdoc=pdf
      action/facture_fiche.php?exp_typedoc=facture&exp_id=2009N000196&exp_formdoc=fiche
      Fatal error: Cannot redeclare fct_redimension_img() (previously declared in /var/www/crm_demo/fonctions/fonction_img.php:68) in /var/www/crm_demo/fonctions/fonction_img.php on line 134
      Changing exp_formdoc from pdf to fiche is enough to trigger a PHP fatal error, and the message discloses the full server path of the application.

  33. Fuzzing: test with random values; stress forms and the database. All byte values from \0 to \xff; all Unicode characters; the numbers 1, 0, -1, 0.99, extreme values, infinity

  34. Fuzzing strings: long, short, dictionaries of values known to trigger vulnerabilities; sent through GET, POST and COOKIE

  35. Fuzzing tools: Wfuzz, http://www.edge-security.com/wfuzz.php; WebSlayer, http://www.edge-security.com/webslayer.php

  36. Fuzzing example
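An added example, not taken from the presentation: a minimal PHP fuzzer that pushes the value classes of slides 33 and 34 (every byte from \0 to \xff, Unicode, boundary numbers, long and short strings, an array as in c[]=1 from slide 31, a small dictionary of injection strings) through GET, POST and COOKIE one parameter at a time, and reports responses that differ from a baseline request or carry error text. It assumes PHP 8 with ext-curl; the URL and the parameter set are placeholders shaped like the slide 32 request.

```php
<?php
declare(strict_types=1);

// Hypothetical target and parameters (shape borrowed from the slide 32 request).
$url    = 'http://crm.example.test/action/facture_fiche.php';
$params = ['exp_typedoc' => 'facture', 'exp_id' => '2009N000196', 'exp_formdoc' => 'pdf'];

/** The value classes from the fuzzing slides, one at a time. */
function payloads(): Generator
{
    for ($b = 0; $b < 256; $b++) {              // every byte, \0 included
        yield chr($b);
    }
    foreach (['é', "\u{FEFF}", "\u{202E}", '𝔸'] as $u) {
        yield $u;                               // Unicode: accent, BOM, RTL override, astral plane
    }
    foreach (['1', '0', '-1', '0.99', '2147483648', '-2147483649', '1e308', 'INF', 'NAN'] as $n) {
        yield $n;                               // boundary and extreme numbers
    }
    yield '';                                   // short
    yield str_repeat('A', 65536);               // long
    yield ['1'];                                // array where a string is expected (c[]=1)
    foreach (["' OR '1'='1", '" OR 1=1 -- ', '<script>alert(1)</script>',
              '../../../../etc/passwd', '%00', '${7*7}'] as $d) {
        yield $d;                               // a small dictionary of known-bad values
    }
}

/** Send the parameters through the chosen channel; returns [status, body]. */
function send(string $url, string $channel, array $params): array
{
    $opts = [CURLOPT_RETURNTRANSFER => true, CURLOPT_TIMEOUT => 10, CURLOPT_URL => $url];
    switch ($channel) {
        case 'GET':
            $opts[CURLOPT_URL] = $url . '?' . http_build_query($params);
            break;
        case 'POST':
            $opts[CURLOPT_POSTFIELDS] = http_build_query($params);   // implies a POST request
            break;
        case 'COOKIE':
            $opts[CURLOPT_COOKIE] = http_build_query($params, '', '; ');
            break;
    }
    $ch = curl_init();
    curl_setopt_array($ch, $opts);
    $body = (string) curl_exec($ch);
    $code = curl_getinfo($ch, CURLINFO_HTTP_CODE);
    curl_close($ch);
    return [$code, $body];
}

// Patterns that betray an unhandled failure on the server side.
const LEAK = '/\b(Fatal error|Parse error|Warning|Notice|You have an error in your SQL syntax|mysql_\w+\(\))/i';

[$baseCode, $baseBody] = send($url, 'GET', $params);
foreach (['GET', 'POST', 'COOKIE'] as $channel) {
    foreach (array_keys($params) as $name) {
        foreach (payloads() as $p) {
            $mutated = $params;
            $mutated[$name] = $p;
            [$code, $body] = send($url, $channel, $mutated);

            $flags = [];
            if ($code !== $baseCode) {
                $flags[] = sprintf('status %d -> %d', $baseCode, $code);
            }
            if (abs(strlen($body) - strlen($baseBody)) > 200) {
                $flags[] = 'size ' . strlen($body);          // a different page, or a stack of warnings
            }
            if (preg_match(LEAK, $body, $m)) {
                $flags[] = 'leak: ' . $m[0];
            }
            if (is_string($p) && strlen($p) > 3 && str_contains($body, $p) && !str_contains($baseBody, $p)) {
                $flags[] = 'reflected unencoded';            // XSS candidate
            }
            if ($flags !== []) {
                $shown = is_array($p) ? 'array' : bin2hex(substr($p, 0, 8));
                printf("%-6s %-12s %-16s %s\n", $channel, $name, $shown, implode(', ', $flags));
            }
        }
    }
}
```

The baseline comparison is what separates a fuzzer from a scanner: a 200 with a different body length is just as interesting as a 500, and the single-byte payloads are only flagged when the status, size or error text changes, not when the byte happens to echo back.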

  37. Scenarios: more realistic tests, but fragile. Automate your tests, complete them with fuzzing, use proxy servers.

  38. Scenarios: Firefox Selenium IDE; WebScarab, http://www.owasp.org/index.php/Category:OWASP_WebScarab_Project

  39. Simplify your life: Samurai Web Testing Framework, http://samurai.inguardians.com/

  40. Conclusion on black box testing: easy to set up; takes the context of the application into account; often spectacular; generally shallow

  41. Open code audit

  42. Code audits: look into the PHP code, search for hidden problems. Usually less spectacular than black box testing.

  43. From the interview: check whether the dev team knows what to secure; have them explain their approach; check what they say; check what they don't say

  44. The shy version: "We know there are security problems, but we have no time to secure them; this app was written years ago; we can't keep up with the threats"

  45. The strong version: "We have secured the application. We use SSL, and WebWasher, and crypto. All content is validated and filtered. We don't do any dynamic include. Our framework doesn't allow this"

  46. Approach. What to search for? What are the entry points? How can they be exploited, or protected?

  47. What to search for? Injections: PHP, SQL, HTML, system

  48. Keep focused: it is easy to lose focus, and tempting to audit everything

  49. PHP injections: dynamic inclusion (include, require and their *_once variants), backticks, eval

  50. Eval is easy to look for. grep: fast, available, convenient; 853 occurrences. Tokenizer: semantic, accurate; 37 occurrences.

  51. Tokenizer
      <?php print ("hello $world! "); ?>
      token_get_all() output; each array entry is [0] => PHP token, [1] => PHP code, [2] => script line (the numeric token ids are those of the PHP build used; token_name() turns them into T_* names):
      [1]  => Array ( [0] => 266  [1] => print   [2] => 1 )
      [2]  => Array ( [0] => 370  [1] => ' '     [2] => 1 )
      [3]  => (
      [4]  => "
      [5]  => Array ( [0] => 314  [1] => hello   [2] => 1 )
      [6]  => Array ( [0] => 309  [1] => $world  [2] => 1 )
      [7]  => Array ( [0] => 314  [1] => !       [2] => 1 )
      [8]  => "
      [9]  => )
      [10] => ;

  52. Evals
      eval('$retour=$GLOBALS["'.$matches[1].'"];')          Variable variables.
      eval($contenu_thjipk); eval($contents_essai);          Content is read into a variable, then executed: an include?
      eval('$hexdtime = "'.$hexdtime.'";')                   A long way to cast a string into a string.
      eval('$retour2.= '.var_dump($recept->erreur).';')      This doesn't even work.

  53. Assessing the code: one-liners. One line of code is enough to be bad, even though you must follow the code in reverse, from the sink back to its inputs.

  54. Inclusion
      require("../params_frm.php")
      require(fct_lien_page_custom(TYPE_DOMAINE."/".TYPE_DOC."_custom.php","abs"))
      require(fct_lien_page_custom("params_footer.php","abs"))
      Pretty secure inclusions. But 96 variables are used in includes:
      include(fct_lien_page_custom("action/facture_".$format.".php","abs"))      $format, anyone?
      require_once("etat_simple_".$choix_page."_trt.php")                        $choix_page, anyone?
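An added example, not the presenters' tool, that does what slides 49 to 54 describe: walk a source tree with PHP's tokenizer (token_get_all(), whose output slide 51 shows), report eval(), backtick commands and include/require/*_once calls, and rate each inclusion by whether its argument is a constant string, an expression such as a function call or constant, or contains a variable (the $format and $choix_page cases of slide 54). It also counts plain substring matches of "eval" so the 853-versus-37 gap of slide 50 can be reproduced on any code base. It assumes PHP 8 with ext-tokenizer; the directory to scan is the first command-line argument.

```php
<?php
declare(strict_types=1);

// The "PHP injection" sinks: eval and the four inclusion keywords.
const SINKS = [
    T_EVAL => 'eval', T_INCLUDE => 'include', T_INCLUDE_ONCE => 'include_once',
    T_REQUIRE => 'require', T_REQUIRE_ONCE => 'require_once',
];
// Tokens allowed in an inclusion argument that stays a compile-time constant.
const HARMLESS = [T_CONSTANT_ENCAPSED_STRING, T_DIR, T_FILE, T_WHITESPACE, T_COMMENT, T_DOC_COMMENT];

/** Line of token $i, taken from the nearest preceding token that carries one. */
function lineOf(array $tokens, int $i): int
{
    for (; $i >= 0; $i--) {
        if (is_array($tokens[$i])) {
            return $tokens[$i][2];
        }
    }
    return 1;
}

/** One finding per sink in $src: [kind, line, argument text, risk]. */
function auditSource(string $src): array
{
    $tokens   = token_get_all($src);
    $n        = count($tokens);
    $findings = [];
    for ($i = 0; $i < $n; $i++) {
        $t = $tokens[$i];
        if ($t === '`') {                               // shell execution via backticks
            $cmd = '';
            for ($j = $i + 1; $j < $n && $tokens[$j] !== '`'; $j++) {
                $cmd .= is_array($tokens[$j]) ? $tokens[$j][1] : $tokens[$j];
            }
            $risk = str_contains($cmd, '$') ? 'variable' : 'constant';
            $findings[] = ['backtick', lineOf($tokens, $i), $cmd, $risk];
            $i = $j;
            continue;
        }
        if (!is_array($t) || !isset(SINKS[$t[0]])) {
            continue;
        }
        // Collect the argument up to the end of the statement or the closing ')'.
        $arg   = '';
        $depth = 0;
        $risk  = 'constant';
        for ($j = $i + 1; $j < $n; $j++) {
            $u = $tokens[$j];
            if (($u === ';' || $u === ')') && $depth === 0) {
                break;                                  // statement end, or sink used inside a larger expression
            }
            $arg .= is_array($u) ? $u[1] : $u;
            if ($u === '(') {
                $depth++;
            } elseif ($u === ')' && --$depth === 0) {
                break;                                  // closing paren of include(...) / eval(...)
            } elseif (is_array($u) && $u[0] === T_VARIABLE) {
                $risk = 'variable';                     // $format, $choix_page, ...
            } elseif (is_array($u) && $risk === 'constant' && !in_array($u[0], HARMLESS, true)) {
                $risk = 'expression';                   // function call, named constant, ...
            }
        }
        if ($t[0] === T_EVAL) {
            $risk = 'eval';                             // eval is a finding whatever it is given
        }
        $findings[] = [SINKS[$t[0]], $t[2], trim($arg), $risk];
        $i = $j;
    }
    return $findings;
}

$root  = $argv[1] ?? '.';
$files = new RecursiveIteratorIterator(
    new RecursiveDirectoryIterator($root, FilesystemIterator::SKIP_DOTS)
);
$bySubstring = 0;   // what `grep eval` also counts: comments, strings, $evaluation, ...
$byToken     = 0;   // real eval() calls as seen by the tokenizer
foreach ($files as $file) {
    if (!preg_match('/\.(php|inc|phps|class|phtml)$/', $file->getFilename())) {
        continue;
    }
    $src = (string) file_get_contents($file->getPathname());
    $bySubstring += (int) preg_match_all('/eval/i', $src);
    foreach (auditSource($src) as [$kind, $line, $arg, $risk]) {
        if ($kind === 'eval') {
            $byToken++;
        }
        if ($risk === 'constant') {
            continue;                                   // static includes are not injection sinks
        }
        printf("%-12s %s:%d  %-60s [%s]\n", $kind, $file->getPathname(), $line, substr($arg, 0, 60), $risk);
    }
}
printf("eval: %d by substring, %d by token\n", $bySubstring, $byToken);
```

Run as `php audit.php /var/www/crm_demo`. The "expression" class is where the slide 54 judgement call lives: require(fct_lien_page_custom("params_footer.php","abs")) is reported so that the helper can be read once, while every "variable" line is a place to follow the code in reverse and find where $format or $choix_page comes from.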
