OWASP NoVa May 7 Meetup: Secure Code Warrior CTF Tournament

Video Statistics and Information

Video
Captions Word Cloud
Reddit Comments
Captions
move that over is that any better yeah cool cool cool so I am sitting out now all right so good evening everyone we are here for another virtual event with the OWASP nova team I have Dan from from secure code warriors whose gracious enough to help present Thank You Dwayne gracious enough to help us have this CTF event the slack channel is open I'm going to post the invite link in there very very shortly the code has been sent out but that number is 1 2 5 3 5 8 5 4 so feel free to take it away just one little housekeeping note we're gonna have another virtual meet-up in about two weeks and good luck so Dan if you want to guess introduced yep appreciate it thank you so much I'm just gonna share my screen here I mean one second we go alright can you see my screen yeah I can see you just fine ok great thanks everybody I really appreciate the opportunity to join your OAuth chapter tonight and we're gonna do something really fun tonight it's a secure coding tournament my name is Dan Lewin I'm an account executive here with stick your code warrior been with the organization for over two years now and who is secure code warrior we're a global application security firm we've been around for over five years and really what our vision is to really empower developers to become the first line of defense in the organization by making security highly visible and really providing them with the skills in the tool so they can go about writing secure code from the very beginning what we did our founders created a cloud-based platform and where we think it's the you know the smartest and easiest way to help improve an application security program because we're allowing developers secure their code from the start and what ultimately that does it really benefits the organization it helps them achieve faster and more secure product development it will provide a bring in more developers that become more security conscious able to defend their own applications and I think want to keep the key pieces of how our platform can really benefit an organization it really builds out a positive security culture so there's are three things in and really what we're doing we're changing the paradigm from from traditional to a more hands-on approach to traditional loge has been around key learning and classroom instruction this is very passive teaching methods and these are great great when it comes to concepts but it's usually a point in time when it comes to training but but something that has trained one month in three four five six months down the road that that person may lose the knowledge retention around that so what we find is a lower knowledge retention rate over time whereas secure code where we provide a more a more hands-on practice by doing approach so think of something like working with your hands this can really come benefit to learn something and then you can retain this knowledge for a longer period of time where we fit in the software security development life cycle in the SPLC we we actually we don't left but we start left we're in the prevent stage and we're not here to replace existing vulnerability testing tools out there's a lot of great tools out there and you know and it's best to continue using those but again we are here to enable developers to make them better secure code developers in and we start from the very beginning and in doing so limit you know we want to limit the number of vulnerabilities that go into your software so at the end of the day the cost of fixing a security bug will start to go down as I mentioned we are a cloud-based platform we have a number of unique features that are built into the platform with access to the platform today you have access to the learning in the training these are specific training resources of videos on specific types of vulnerabilities we also have the training which is you're going to spend the bulk of it where you're going to help build and maintain skills and that's really self-paced scalable learning it's going to cover multiple languages and frameworks it covers things such as the OWASP top 10 as well as other top of security vulnerabilities and we have over 35 different languages that are in the platform with over 4,500 challenges so quite a bit of language and content this covers everything from web-based mobile infrastructure that code even got some C C++ even COBOL the mainframe that's in our platform today so really covering a lot of the gamut out there so you can take some of this training practice prepare for the tournament go in the tournament we have 20 languages tonight we'll go over that you can choose from you only select one language to compete but you know tournaments is a big piece of our platform it's going to help you know help change the culture and then in the culture shift and awareness around the organization makes it fun it's something you know you're learning at the same time it's making something that's really fun and entertaining so I hope you enjoy I'm just going to show you an example real quick what what it looks like in a challenge so when you go into into our platform and then you go into the training you're gonna be tasked a couple of ways you're going to be tasked to locate identify or fix a particular vulnerability in the language or framework that you're working in today in this particular example I'm actually working through GS JSP and my vulnerability category I have here is around injection flaws and I'm focusing on an SQL injection so I'm tasked here to identify one of honorable block of source code from over here you may have some more difficult challenges where they may ask to find two or three vulnerable blocks of source code but in this particular case we can go through this entire cotry and we can basically identify which one we think is the best to highlight once you figure out this is the block of code you would click on the little yellow triangles and if that is the vulnerable piece of code you would hit next to see if you got by the answer right or wrong but when I highly recommend your first time going around is to use the hint button and this is what the practice by doing is you're learning along the way the first hint is free there's no point taking off typically it's going to talk about what is the vulnerability about there's going to be a video a short video that's going to accompany it it's going to be part of it so you can review that in your own time but it's just another way to kind of help you identify or locate that particular vulnerability you can go back close it off and continue to move through the through the exercise if you need more help you can use more hints hints will help you identify the answer the challenge is you will start getting points taken and the idea of the game is to score as many points as possible so the first hint is free but I you know highlight they recommend you know using that for the first hint but after that try to figure out and solve the problem so just wanted to kind of show you what a typical problem is you're going to be going into the tournament here as you can see you can enter the play you're gonna see something like this the screen the first time is gonna be a little walk through it except and then you're on your way into into playing so I don't want to take too much time here to know everybody wants to get into the actual tournament but just some tournament details we do have twenty different languages that we selected for this there is about thirty-six challenges a mix of easy medium and difficult it could take anywhere from hour to two hours on average for people I it's not about who finishes first it's by the person who maximizes the most amount of points from it there's three types of things that you're going to be tasked to do you're gonna be tasked to identify a particular vulnerability within the block of code you're going to be tasked to locate a name vulnerability and then you're gonna cast a fixed of our goal piece of code as well just to give you an idea of the scoring easy points is about a hundred of mediums two hundred three hundred four hard points there is lives lost if you if you can get the problem right the first time you get a hundred percent of that if you come back for a second a third time if you start to get a percentage taken off as I mentioned you get a first hint that is free so I absolutely you know recommend using that just for my knowledge standpoint but then you can also as you start to use more hints there will be points taken off so you'll have to about eight thirty to complete and then afterwards we'll have I will announce winners and prizes the end of the tournament so excited to do that secure code where we'll provide you with a first place secure code wear a hoodie and then for the second third place winners will definitely provide some t-shirts I posted this in the slack channel if you haven't already signed up you can go to this link here and register and and then you're on your way we will keep this open for another two weeks so not only get hands on this tournament but you also get access to the to the platform for another two weeks so you know please enjoy it you know learn and we'd love to hear your feedback on on you know how do you like our platform the type of training the join code here is one two five three there is a space than five eight five four this was also in the slack I believe Ben is also posted as in the inmate or tweeted this so you should have a joint code to get into the tournament and then finally I'll post distant slack but it would love to just get your feedback from the tournament itself what's your thought to the platform it takes less than five minutes so please please do sort survey so with that good luck I wish you the best it's a fun engaging and tournament then I'll turn it over to you and you know I know you want to go through some exercises I'll let you run through that in the platform great and thank you so much Dan for providing this wonderful tool for us I am so that we aren't just sitting here staring at blank screen or watching the leaderboard for the next you know two hour or hour 48 minutes I was going to go through some of the exercises I just when I start in the training itself to not really give an unfair advantage towards certain challenges within the tournament and then after you know 45 minutes to an hour or however long I feel like going through the pseudo-code stuff I was going to jump right into the tournament and see you know okay if I can solve any of these challenges so without any further ado here we go so the stream seems to be alright and these are the current standings so you can see that we have so you can see that we have right now Anthony is enly with 520 points and you know you can see where you stand among the rest of the crowd I think we have about 20 people right now in so I'm going to go right into training now I've done a few of these as practice but this is going to be entire life so see this is their training platform and I'm going through the pseudocode examples which are not an exact which are not a language that's available within this competition so this will be a lot more language agnostic for those who are really strong coders I'm just going to go through my thought process I'm going to walk you through the challenge itself the tasks ahead and then I'm going to walk through how I would solve it or where I think the issue is so the first step is to locate the vulnerability so I'm trying to follow the stream as well to and manage that so the first thing we have to do within this pseudocode example is to locate the vulnerability so we want to just click on whichever there are three different groups and I need to read through it and try and figure out where the issue is now this specifically is an injection flaw with XML so I kind of have a slight advantage in terms of knowing what to look for and it says there is one vulnerable block in the source code that you need to locate so I have to choose one of these now the first one is let's see you're trying to declare the user string so you're creating a specific username that is sorry you're creating a specific user based on the username and password that are passed through to it looks like you the username and password fields are sent to the XML and directly appended in okay so that's already my the place where I would assume something could go wrong in terms of XML objection then there's also show usernames where your reenacts ml from a file I would assume that that will be on the back end and likely somewhat controlled but if it's something that the end-user has access to then parsing the XML could lead to some kind of issue but again it's unlikely that that would be a direct source of XML injection and then show user details so obtain the username from the user search the user base for the username in the database and then display these or details so I am going to assume that it's the first part where you are directly appending username and password which are user controlled user controlled objects and that's where the vulnerability for XML injection would be introduced sorry Dan I'm going to remove you from the stream so that it only shows me and not a blank blank screen and I'm trying to also help in the feed so let me sorry all right so I'm gonna hit next and hopefully that is where the issue was great so I was able to correctly identify it and now I need to figure out what the solution would be so there's a couple different ways one would be to parse user input the other one would be to not trust not trust user input this one also mentions remove all special characters by name and password that is a good solution it might not be the best one though there are other ways of doing it this one looks to be using a library so we're adding the user name directly in not quite sure that is the one that we're looking for oh yeah sorry and on this screen you can see on the left with the current the current source code and then on the right is the change that the change that's going to be made so remove all greater less than and greater than characters from the user name/password that's like blacklisting so that is the wrong solution to this and that it would prevent certain types of xml injection but it isn't the Umbrella solution that we're looking for so this is a very very specific vulnerability that it will be that this would resolve and that is very easy to work around throughout fuse station so this is a solution but it's by no means the best one and same thing here so we're replacing some quote double quote with the Unicode única version of it and that is definitely not that's the exact same problem so it's solving the issue by addressing very very specific exploits that would make them benign but that isn't the actual solution so I am going to say that it's this one remove all special characters from user name and password all right so that I sort of fell for the same thing so that is a specific solution that would wrap up three and four but the correct solution was to go for the library and and try and get store procedures to prevent to explicitly treat the user input as user input and basically untrusted so that means that the correct solution was number two all right so this is an injection flaw specifically ldap injection so we have again we are finding a username and we are performing a search query based on the username which was the past parameter I'm just I'm not going to automatically assume that this is correct but this looks like the vulnerable function to me simply because the username is directly integrated with the query that's being performed so assuming that comes from a user input that should not be considered trusted you should definitely not fold that user input directly into the query and then execute that query sorry we're trying also trying to troubleshoot some issues here so let's see here I mean it try and pass this off to somebody else so that way I can continue focusing here I do apologize for the delays and going back and forth I'm trying to also help people who are having issues connect alright and then the other part is we're obtaining the username from user find user data username and save the results in user object yeah I'm going to assume that the LDAP injection potential is when you are directly adding untrusted user input directly into the query so I'm going to hit next and I was correct good so the various solutions to this are to escape characters such as a wild card and or or symbols so that is a blacklist solution which is not what we're looking for executed with the execute query with a least privileged possible that is definitely a good a good security practice but I don't think that's the solution that we're looking for for this specific one and I don't see that at how that would prevent LDAP injection execute query and save only the first 50 matches of user that doesn't really have anything to do with LDAP injection so I'm going to move right along alright so we are escaping LDAP built-in encoding and saving an escape username so we are treating what was untrusted as now what was untrusted user input we are applying we were applying in a secure method so this solution is combining everything where we have where we have characters that will be rendered in a benign format and we're also executing this with the lease privileges so this is definitely the best solution and I'm going to hit accept yep so we are good so now we have no sequel injection excuse me all right so no sequel injection we are looking for a place where that might occur so we had the statement itself where we're taking a project product and we're searching it's based on a function where we're returning the product name okay and then we are executing the statement and saving in products then this is the fine function being called that's not likely to be the source for the sequel and no sequel injection and then find our products and save in products that's also unlikely to be the source so what this is doing is performing a executing a statement based on product name which is again user input so this is the only one that actually takes in user input as opposed to the other two functions which means that this is going to be the fit the very first one is might be the source for the no sequel injection all right and that's good so view the solutions this is probably gonna be a very very similar solution where we are treating this as untrusted user input which means that we want to render all special characters as in a benign format and and possibly parse the parse the the source for user input or maybe use a special library as well as prepared statements that's the general process that you would want to do that doesn't necessarily apply with the know sequel statements but this first solution is if the statement executed if the statement executes without errors then save in products you can get syntactically correct no sequel injection exploitable so I would assume this is not correct we're moving is very very difficult do to solve the solution again that's like blacklisting remove all special characters from product name in the front end that is good but there are also ways to maybe push this through the back end so while that might solve a lot of the issues it is not a complete solution I don't think alright and lastly we want to replace this ah so we are declaring that product name is a user input so this is slimmer too similar to the prepared statements of sequel injection so I'm going to said this is the correct one so what this would do is form a parameterised query alright so I'm going to back out of this now and try and do some other trainings because I was going through OS a 1 and a 2 which is mostly injection based so now I'm going to try the next set so this is more sense of data exposure and xx ease thanks a lot Sean I appreciate the sport oh and actually right now I figure I can just show off the leaderboard so I'm going to back out this for one second right here so wow it looks like it looks like Ahri is in the lead with two thousand two hundred and thirty points we've got about a hour thirty minutes to go so keep up the good work okay so again I'm going through pseudocode which is not an option during the tournament but I figured this would be very very good to demonstrate the secure code warrior how to use the tool and a way that would be more universal for everyone who is viewing this video at a lair date or you know right now so the vulnerability is sense of data exposure where you are storing passwords in plain text so let's see here if username exists then you want to check for the input a password match that the database password login as the user redirect to homepage and display content excuse me this is the login function it doesn't seem to be storing any data it might have some passwords being passed in clear text but I don't specifically see that and that's also not quite what we're looking for with the plain text storage so that even looking the register function already sets off some alerts in the back of my mind and what they're doing is obtained the username and password from the user create user and database with the username and password yes so I'm going to assume that is the place where the password is being stored and cleared in plain text but the last function just to check so it's show user data and all you're doing is putting data from the database yes so I would say that registering at the point of registration is when the password gets stored in plain text and correct so now let's figure out how to resolve this issue now B now the first solution is to fix the login function so let's see here if the inputted password matches the fixed password then take no action add pepper the password and save and Peppard password so I'm assuming that pepper is kind of like a salt which is a randomized token that will get edit in and applied to give the hashed password a unique identifier if say both of us have a password of one two three four five you can look through a database of hashed passwords and if you see that the hashed password is identical to somebody else that means that they would have the same stored password so by applying a salt or in this case a pepper you are adding a randomized token at the start or end of the clear-text password so that when it goes through the hashing algorithms it will be randomized so that way if I have a password of one two three four five and you have a password of one two three four five by adding in that randomized token at the along with that clear-text password it will then appear differ it when it goes to the algorithms it will be different between the two of us so if you the database is compromised you wouldn't be able to know that we do in fact have the same sports so this looks like a pretty good solution because you are actually storing the hashed values instead of the clear text passwords but I still want to move on and see what the other solutions entail so this one is a base64 encoded value that's just looking at that I can tell you that that is wrong that is these 64 encoding is not a hashing algorithm all that's doing is like it the name implies encoding it so that would be the same as hex encoding something where you are converting you are translating the the characters and it is very easy to undo that so for example the easiest example is rot13 or a Caesar cipher where you are going through the alphabet and you're either moving it the letter A to 13 characters later so a becomes n or with Caesar it's a becomes I believe D so you're moving you're shifting the letters over from what they are which abuse cases abuse skates it for the human eye but a computer is very easily able to detect and unencoded and that's done for say compression or for managing the the data itself and either gain in a way that the computer understands or gaining it in a way that it's easy to transmit but the very very short story of that is that basic C for encoding is in no way hashing so this solution is absolutely wrong so we calculate the md5 hash yes this is hashing md5 s aren't necessarily the strongest so let me see here calculate the md5 value from password and save it and hash passwords all right so not only our md5 s I mean they're fine enough but they aren't necessarily the strongest hashing algorithm but additionally this falls into the same situation I described before where if two people have the same passwords simply performing an md5 hash will have the same hash stored in the database and so it's very easy to one use a rainbow table to match that md5 hash and to recognize that multiple people in the database have the same password so this is wrong or it's not a this is an inadequate solution and lastly shot 256 so shot 2 should be sha-256 hash value that is a stronger hashing algorithm than md5 however you're still falling into the exact same trap where you aren't applying a salt so if you get access to those though the database and you just see a list of hash values you can very easily crack them which means that the solution is the first one great so I'll do one more of these and then I will move on to the next group all right so this is the exact same problem I'm going to go ahead and skip this so that we can see something slightly different kind of hoping get to an xx EE but everything's we do plaintext storage passwords okay so that is one of the problems is that the that's one of the reasons why we didn't include pseudocode in the tournament is that there's slightly fewer questions simply because you can't really doing an x XE so xml external entity injection will be very very difficult to describe the pseudocode but it's something that you can very easily display and say JavaScript or Java so I'm just want to go through this one and then probably go on to the next category so let's see here if the username exists again at login is not the point of entry so I know that the registration is the issue yep and the solution is going to most likely the not this one not base64 encoding md5 was the first hash sorry the first solution was md5 hashing which already shows weaknesses so we want to again apply a salt or in this case a pepper which is a randomized token that will make a hash value unique all right and if well let's see what the next question is okay so finish this group of sensitive data exposure insufficient layer protection so I believe this is the next group but I just want to verify yeah so I'm going to work on missing function level access control which is a very big issue when you're dealing with Mike microservices so this is a very very common finding that I have on a pretty regular basis where once you're authenticated you might have full access to all the micro services even if some of those micro services are say administrative controls so this is a very very critical issue in terms of securing an application so let's see here the very first thing is login user there's aren't really much in there that's associated with function level access control there are tons of security vulnerabilities that you have to deal with within the login step for F to top my head sequel injection but function level access control once you are logging in you aren't really the login function is not really a source for missing functional access control again missing missing function level access control might be if you are trying to say skip login so I'm at a banking site and I'm trying to I don't know view a user's balance or transfer money within a user's a to and from one account to another and I'm trying to do that without actually authenticating so that would be trying to circumvent the login step which means that the source for the vulnerability would be the check to see whether or not you are a user admin and funnily enough that is the exact scenario I described when I was just introducing this issue where a lot of times the check for whether or not you are a user admin is missing so I'm going to assume that this I believe that this is the source for the function level access control and correct so let's look at the solution so the problem was if the role so the problem itself was if the role is a user or admin which means that any valid user once you have authenticated once you get a session token you can view the admin page so the very first solution looks to be the resolution where it's actually checking to see if you are an administrator only and not just a user I think the better better solution or the intended solution for the original pseudo code was if the role is both a user and admin so if there may be authenticated and there an administrator but again a lot of times you can't be an administrator without also being an authenticated user so that is unnecessary and opens you up to security vulnerabilities such as this one so the other so the other solution is a lot more complex v yeah this just looks wrong to me where there is now no check whatsoever for show the admin page but let's see what the request itself does so we have Korean admin pages list create logged in pages list so you're creating various lists of users and so let's see here if the that's a little better so if the role if the current user's role is an EM men and they are requesting access to an admin pages list then display the requested page okay so that's that's pretty good logic if the role in the session exists and the requested page is in the logged in pages then display the requested page so if their administrator get them to the and they request the administrators page send them to the send them to that page if the role in the session exists and the requested page is logged in so if they are authenticated and are requesting access to and authenticated page grant them access to that that logic is good that helps prevent you from being unauthenticated and being able to access specific page otherwise if you're requesting page in the no login page display the requested page so if you don't have if you're not authenticated then display the request page yeah that's that's sound logic there are lots of static content pages that you should be able to access primarily the login page and where you don't necessarily need to authenticate and then lastly there's an error page yeah so if if the page or requesting it cannot be found display an error and return them back to the home page that is a very very good check so right now this is my this is a much stronger solution than the first one oh let me this looks very very similar to the first one so let me try and figure out what sorry this looks very similar the second one so let me try and figure out what the slight difference is so the logic the difference is the logic in the first one so the second one is correct where if the role is an administrator and you're requesting a page in the administrator pages list display that page the third solution if the role in session exists and the requested pages and admin pages list then display the request page that's the wrong logic so that is saying if you have a session open so if you have authenticated and you're requesting an admin page then display that requested page so any user will be able to to view the administrator page which is the exact opposite of what you want to happen so this is more robust but it's not the correct solution and lastly this is the definitely this is the wrong solution so if the role so if you are a user then display the control panel which is the admin page that's that's definitely wrong so it's between number one where you're making sure that you are at least an administrator before displaying the control panel so I do like how succinct that is I do like how succinct the first solution is but I do like that this one has a lot more error handling so I'm going to said this is the correct answer also because it not only checks that your it doesn't automatically grant you access to the admin administrator control it checks that your session is an administrator and that you're requesting an admin page so I like I do like the more robust logic for this one so I'm going to said this is the correct answer yep and we are correct all right so access control is this vulnerability using input from an untrusted source simple answer don't but let's see where the where the problem comes in for exits control so let's see here so login if the user name and past sorry you're obtaining the username and password from the user if the user name and password match so if they match that given user so if then pick is logging in as passwords one two three that matches with what's in the database that is technically an untrusted source and that is a good means of bypassing say a login screen I don't I want to keep going through just to make sure that that is the solution to this then we have show absences so if the session exists get the user ID from the cookie fetch the absences for the user ID from the database and the display then so this is not this is not going from an untrusted source actually sorry so the cookie is in the control of the end user and you would be getting the user ID from the cookie that I would consider to be untrusted but the rest of it is not so fetching absences from the database that's your from a functional standpoint you want to assume that your database is trusted from an actual standpoint I tend to assume that databases are interested but that's way beyond what this is trying to train us for so for this purpose I'm going to assume that the database is trusted which means that fetching a specific a specific value from the database is assumed to be trusted and then display that so right now I don't trust the cookie value and I don't trust the username and passwords however the last one so given an absence so you can create an absence based on date and reason and we are inserting an abscess in the database with a date and reason hmm okay so this one's actually kind of tricky because all three of these could potentially be untrusted sources so for example you are logging in a user and you are applying a username and password to match the only difference and the only way to distinguish between these three and this specific example is that the user function is taking in no parameters and the absences is taking in no parameters so I'm assuming that this is somewhere closer towards the back end or not directly interacting with with user input so this might be some kind of back-end function because it seems like the cookie is not coming directly from the user so this might be the cookie this might be the cookie that the server itself is tracking and it's using that information to obtain the user ID and so where it says obtain user name and password from the user that might be some external function and then right here it already has the user name and password to match so I'm going to say the only place that takes in input would be the date and particularly the reason so I'm going to say that those are untrusted because those are the only those are the only sources of input for this as far as I can read nope okay so I was wrong let's see here and why we try so if I take it at its word then I would say that the username and password untrusted because those are coming directly from the user so I think I talked myself out of the correct answer the first time around No okay this isn't good so it looks like well it looks like the cookie the cookie is in the control of the end user and that is being used to obtain the user ID so I was on the completely wrong mindset and how to solve this yep all right so this is all just a great learning experience so how do we solve this well you don't trust the cookie coming from a user so the solution in itself is to save the user ID in the session redirect the user show absences with user ID in URL I don't like that part of it and then get the user ID from the session so I do agree that we should begin the user ID from the session I disagree that the user ID should be passed in the URL so let me see if there's a different solution that addresses the that still have pulls these ready from the session without passing the user ID in the URL let's see you're redirecting the user again from based on the URL and you're getting the you as your ID from the URL the URL is absolutely in control the end user so this would not solve the problem save the user ID as a local variable no that's that's the completely wrong approach let's see if the fourth one has it save the user ID in a hidden field hidden fields are also in the control of end users so we're going back to solution one yeah so I 100% agree that the saving the user ID in session is good I don't like that we're still passing the user ID in the URL but but that this is still the best answer in my opinion and it's correct cool I'm sorry so I I'm back in here with Xbox control so I might want to move on to the next one since I've already done this yeah I've done this exact example and this one and I've done this one yeah so I'm going to go back out here go back to Mission Control and I will go to the last example and when I solved these I'm going to officially join in the tournament so you know leaders beware because even with a even with an hour hour-and-a-half delay well we'll see how many points I can rack up all right so we have an injection flaw which is D serialization of untrusted data now we are creating a user where train users are based on the username and password and then we are serializing the user object saving as a serialized user then we are later fetching the file with name username and deserializing the user object oh sorry so I need to read the full pseudocode obtain user name and password from user so this is definitely untrusted you are serializing untrusted data and let's see if that's correct nope all right I was wrong hmm because you are in fact oh yeah sorry the issue the question was talking about deserializing untrusted data and here he were affecting a file with name username and the username is the past parameter which then got deserialized so that would be the correct answer yep and let's see what the solution is use a secure deserializing library that is a very strong solution I really firmly believe that this would be the best answer but let's keep going to figure out figure out that's correct blacklisting I know that's that answer is wrong blacklisting should never be your first solution it can maybe augment something but it shouldn't be like this all classes for D serialization that is that is excessively difficult the creating a list of say invalid characters one at a time is always going to be a losing battle I'm just because of the way that abuse Gatien occurs or the ever-changing libraries or classes I would never recommend a solution two or three so then we are using a secure deserializing library to deserialize the user object if this occurs without air oh this is good so if this occurs without errors then display the user otherwise logged the error so let's see what the difference between solution 1 and solution 4 is so whitelist lasting sorry whitelist classes for deserializing yeah so I'm going to say that this one is possibly better because you are choosing the specific library used to deserialize as opposed to just saying that you can use any as opposed to say including you know three libraries that you can use for D serialization I think this is a more specific solution and I would trust the developers to know the exact library to use so I would say this is a better solution than one and two and three should not be the solutions nope alright so it looks like solution one was the correct one there we go yeah so unfortunately with pseudocode there's only a limited it is very difficult to show the other Oh wasp here let me go back to Mission Control to explain the problem so I was in a a 8 through a 10 it is very difficult to show within pseudocode insufficient logging and monitoring or using components with known vulnerabilities doing that well within pseudocode is definitely difficult to do so i have walked through as many of these as I can and I'm going to start going through some of the torn-up problems so let's see how huh let's see how well this goes so I have a tendency towards Java so let's see here um other JSP and I can only choose one right yeah so I'm going to JSP hopefully this goes over well and except okay so I need to identify the type of vulnerability present in the code and select from the objects below so the vulnerable files and lines of code have been marked with the X's all right so let's start out very very slow do the exact same process so the problem is or the vulnerability is within this identity manager and we are trying to save delivery details and it looks like this delivery details is primarily vulnerable so we have here is a select statement that automatically I'm thinking well I was thinking I was thinking injection but let's see here so we have a query string of selecting from the database where the order ID is this passed parameter of order ID then we are directly executing the query which is bad although we do it we are we are defining that the order ID is untrusted or rather is user inputs so this is kind of creating this appears to be creating a parameterised query and then we're committing that okay so I think that that looked okay to me all right now the problem here is oh delivery address all right so this this looks much more pressing for an issue where we are taking the house number and directly displaying it within okay this cross-site scripting this is Dom based cross-site scripting as opposed to store cross-site scripting all right so where are we getting order details from so we're gaining it from an XML or escaping from yeah I'm still why's that this is Dom based cross-site scripting hmm all right looks like it was stored let me try and figure out why I was thinking that's wrong oh because it's pointing directly from the babe from the database and this is not yeah and this is not user input all right cool okay I am going to start with a level 1 problem and shout out that I'm doing something wrong go right ahead that not that not that anybody is doing that at the moment but if you want to give me suggestions or pointers or anything like that please feel free to do so in the chat window and/or YouTube channel I have both of them up so if you want you can we can try and make this a little more collaborative instead of just me talking into a screen so let's see here so we are identifying the type of vulnerability present in the code all right so we have the file upload service and the file uploads serve Licht are the two problems are the two problem files the only issue here is that we are reading the object so I think the service itself is where the vulnerability comes in there we go so that makes us a little bit easier to see all right so we have the file upload serve serve this implementation we're logging everything on this okay so we have the document build Factory already my own personal alarms are going off for XML parsing vulnerabilities so that would be xx ease but that wasn't an option so let me actually read and see what's see what's going on in here by the way we have just under an hour for the Romania in the tournament that will end in 54 minutes so try and if you're making great progress I keep up the good work and we will in the slack Channel we have the leaders as of six minutes ago the person in first place had five thousand eight hundred and thirty points so congratulations that is that is great work I will definitely not be able to go and go up that high but we'll see how many of these I can work through in between now and the end of the challenge tournament so anyways we are building the XML document and we are including information about the employee itself or themself so we have their ID their name their gender their age and we are getting these values from the XML from the XML that was being read okay so this is definitely untrusted user input that's being that's being parsed from an XML document yeah I don't trust I don't trust that I don't trust that user input so let's keep going in and then it looks like we are or this code is then writing that employee object so in reading it alright so it is this application is taking employee data from an XML from an uploaded XML document it is parsing that XML and then creating employee objects based on those based on the parsed based on the input that's being parsed and then lastly reading those various objects and it looks like when you are reading the employee objects that's where the vulnerability becomes triggered so this is definitely some kind of injection flaw let's see what our options are side channel attack I don't think so this seems more like an injection flaw than anything else I do not see information exposure I wasn't really although yeah this could potentially be information exposure simply because if you're reading an employee object and that employee object is invalid then you could be displaying the stack trace to screen yeah that could potentially be an issue I would I would be less concerned about that than I am about the directly reading and writing of the employee objects from an XML document and then untrusted transport credentials well I didn't really see any credentials being passed in here so I am going to say that this is an injection flaw also sorry URL caching I didn't really see any this was not taking in any URL inputs that I saw now if it were at point of upload there are some interesting flaws that you can look for where you can try and maybe rewrite files within the application server so if you are changing say the uploaded files file name that would actually be a really good vulnerability or if you are yeah so that that would be a good volley but that doesn't really apply here and I don't see you're all caching as a possibility so I'm going to say that this reading in from an XML file of an employee and then storing that as a binary file and then reading that object I would say that has the potential for one reading untrusted data and then 2d serialization so I will say that this is an injection flaw yep and we are correct so I am on the scoreboard huh now the solution well don't upload files no let's see here so the solution comes from this file that it's adding called blacklist object I'm going to skim right over this but like I keep saying blacklisting is never the adequate solution so you have a list of characters that you will not allow within the uploaded XML document this is the this is an outright wrong solution so this I'm going to just move on to the next one and what we are doing is trying to resolve the issue within the employee object itself so what it's doing is okay so it's trying to see if the class within the huh cool so at the moment the third place is changing up by the minute so good job you guys are really making this into a race so congratulations but this solution itself we are trying to verify that the input class is matches the employee class so that seems like a good solution and there are no differences in this file so all this comes down to is verifying essentially that the schema within the uploaded XML after being read matches what you're expecting within the employee object that seems like a pretty good solution but let's keep going and see if there's a better one okay so we are using the whitelist object input screen input stream much of a difference here except that you are applying this whitelisted object inputs input stream and what we are trying to do is okay so we are sort Eclair in a protected class and we are trying to set the employee class as as the whitelist value okay this seems good to me yeah this this definitely isn't a really good solution so read unshared the only difference there is this unshared function call which I don't see anywhere else yeah this this is this is not a quit all right so then I'm going to say that creating this whitelist object and defining the employee class as the whitelist object seems to be the correct solution to me and let's see here yeah this looks pretty good so I'm just going to say this looks good enough yep cool so the correct logic for this one is that the solution uses his own on object input stream to securely deserialize the untrusted data so before solution one I think was trying to like cast the employee class in a certain way so that was not the best solution alright and again this is a good solution if the list of expesive expected classes is small and can easily be identified yeah you waitlisting really only applies when you can correctly identify and apply exactly what you want your application inputs to be if they are if they can be a massive list then well you probably need to redesign it because there's some likely going in my opinion there will likely be some other issues there in terms of the applications inside but that's just you know my two cents so then we have moving right along the next all right so we have again the file upload and so the problem here is these sorry from here is these three lines where we have an object input stream where we're obtaining from a binary and employee binary file then we are declaring the employee object and them are closing the object I'm sorry then we're declaring the employee casting the employee object and then reading the object from that binary file now the file the binary file itself is being written from being written right here we are writing the various employee objects and they are coming from you this XML file this is very very similar logic to why I was looking at before only the vulnerability is slightly different okay so my natural inclination is to say the exact same issue but I feel like that's wrong I don't think it would be local file inclusion particularly because you don't because this is directly reaching out to the employee binary file oh okay so this actually could be the local file inclusion because you are directly reaching out to the employee at binary typically when I see something like this I think I would only I would be concerned if you had control over the file that's being extracted so for instance if you are looking at an application and within the URL it's going to a specific location to retrieve a PDF well if you instead change that from you know you know three dot PDF to one dot PDF then you might be able to view somebody else's somebody else's file that's typically what I think of when I see something like this so I don't while employed out binary is a local file I don't really see that as the issue here unless I'm missing something yes so these three lines are the only three lines that are the vulnerability so wants us to focus here which means I don't oh cool and we have a posting of tonight's presentation in the slash channel I don't defecate on think it's password enumeration simply because all there's no passwords being read in or passwords being applied to view this object ah information exposure it could be so doing this might reveal all employees within that within that binary file or again I might be just reading into this too much and we should assume that there is some kind of vulnerability already in the employee binary at which point reading the object would lead to a DC realization of untrusted data let me go back to here string file path alright I'm just going to try and focus on these three lines without digging too much in the co because I think that might lead me down the wrong path where I convinced myself that a wrong answer is correct I'm just gonna say D serialization of untrusted data again I don't it's definitely not passed for enumeration I don't see any place where we are directly controlling the file path so I don't think it is a local file inclusion yeah I don't I'm leaning more towards d serialization untrusted data than I am information exposure and I'm correct cool yeah so again I think I am reading a little bit too much into these so I probably should just go with my first instincts because it's it's definitely trying to narrow your focus by showing you just three lines of trying to show you the three lines of code to look at and I think I'm trying to take in way too much and kind of skew my opinions of what the problem actually is alright so the first solution is to set up a direct object input stream and remove this remove this input stream and set up some kind of regular expression for the blacklisting and set up some kind of regular expression for whitelisting so you want to ensure that your employee is within a specific group I don't really like this solution at all yeah you are you are moving from the employee object input stream to the broader object input stream and I think that would be harder - harder to secure so I don't like that one see here serial killer oh okay oh I see what this is doing alright so this is trying to prevent a very specific vulnerability so when reading in when serializing deserializing data one of the very common exploits from a couple years ago was called why so serial and that is very very effective when reading in data from say an XML or in this case a beam shell now what this does is explicitly prevent certain Y so serial payloads by looking for regular expressions of those exploits this is this is a very very specific solution to a general problem and again blacklisting is never really the correct answer so I'm going to move on to the next one again we have yeah so this is another instance of serial killer and it's much less robust hmm well for starters this one is like solution to accept that doesn't apply the whitelist so I am probably going to go with solution too yeah but again let me work backwards so this does include the whitelist expression which is good and solution 2 also does that but also so it includes the the the whitelist regular expression so it ensures that you are applying the employee employ of the employee binary in there and it's also checking for specific issues that's not the worst solution that's actually pretty good mine serial killer file this one creates it but I don't actually see where it calls it as I'm missing something here okay so number solution two looks like the best solution to me wait that class bring this in okay what was three again okay what's the difference between this one and solution two ok so I don't think the difference is right here so it's probably in oh right so difference between solution 2 and solution 1 is solution 2 and solution for is that solution for doesn't have the regular expression for the whitelisting so solution 2 is definitely the best answer of these because while it does rely on blacklisting which i don't like it also does properly implement whitelisting so it's looking explicitly for this employee and yeah I mean that that's fine as long as you aren't only relying on blacklisting and you have a robust a good solution in this case line 35 right here that is a good practice so you can prevent specific vulnerabilities that you know you will be susceptible for but also ones that you wouldn't know to look for and that's what you're doing with with whitelisting you're explicitly looking for the employee within the binary I'm sorry you're explicitly looking for the input data to be in a specific form while also preventing known bad things so yeah I'm going to say this one nope all right I was wrong ok so the application uses a security serialization library for Java called serial killer this library allows whitelisting and blackness in classes however the library is configured incorrectly oh I see so the serial killer configuration sets profiling to true oh that's where I messed up all right and where we try that so it's the same basic theory the big problem of where I messed up is that line right there missed it because right here it's set to true alright which means that solution one is the correct answer because they're both functionally the same but this profiling is sets a two blocking mode which is much more valuable and useful than having the blacklist in place okay that's fair I missed that I'm Way off tonight all right let's see here oh yeah so the leaderboard right now will black out in about seven minutes as I kind of fumble around a little bit here oh right I jumped too soon to the solution okay so the problem with solution one was this right here was that it was using the object input stream so never actually applied the the serial-killer I jumped too quickly to the solution so number three was the correct answer number yeah because it applies the serial-killer function and if you go in here it has profile set to false which I missed before why this answer is better than solution two and it still has the white listing so let's let's go through all these again so number four is definitely wrong because it has no white listing applied even though it does correctly apply blocking mode solution two has everything right except for line seven where you where you where profile set to true which means that blocking mode is not applied and blocking mode was applied in solution 1 except that that function was never called because you aren't actually referencing the serial-killer configuration right here oh all right well it looks like we aren't doing any blackout for 20 minutes so you will know who is in lead to right up until the last minute and it's definitely me because I am trailing very far behind in terms of points so again this one applies serial-killer function and also applies the configuration file added here which means I got all right let's see I don't think I'm doing too great there okay so authentication good here's the lines so we're applying filter from the requests to find the request and the response URI in session ok excuse me so we are validating the URI that's coming in so if the URI contains I'm going to assume that this is some kind of URI injection so if the URI that's coming in from the request contains a very very specific list and does not contain font awesome then you actually apply this filter Wow okay sorry so it's checking to make sure that the URI contains certain values and does not contain something but the logic itself is broken there because this part will be evaluated to get there yeah so this logic would be very easy to bypass because the and and or logic is broken and if he end in lore or logic is broken then you could actually circumvent this login function right here so I'm going to say this is improper authentication yep and I was correct okay so specifically the user Docs is unprotected yeah so this last function right there alright so the first solution don't actually see here so the first solution is to just remove a tailing end to that of user Docs so we aren't actually applying we aren't adding that into the that the the check don't like that solution don't like that sufficient enough this is that ah so this is where they defer okay so the original verb let me let me just verify this because I want to see if all of the solutions on this within this class just remove just remove this from the function call yep so these are quite different so I'll have to go through one by one all right so within the API content itself we're looking at the session we are getting the current user from the j-setting user okay so that's the cookie J session user now so we're removing all of the validation logic for checking users okay and we're adding bad credentials all right here again Wow all right this is a bit complicated don't necessarily okay well this is definitely strong yeah well this one's 100% wrong I don't really need to go through much more of the logic in here hard-coding a secret value is always wanna be wrong so we don't even need to really focus on the rest of the logic in this so we have is if so we're setting the current user based on the je session user attribute now if the current na user is null then send them to an error otherwise allow them to view a URL document that they're requesting so I see this as allowing any valid user access to so long as they're a current use as long as they have a current user which means any authenticated user they will be able to they will be able to reach that URL document so I don't think this is the correct answer let's see - okay so are still getting the user we're checking to see whether or not that user is an API partner that's good and then we're letting them view that okay pretty decent control and where else just removing the user back endpoint so now you're only able to go to very very certain endpoint directories without authentication otherwise you need to go in and have a valid session which which is fine so there are static files which you should be able to access without authentication which makes sense so let's so let's see what solution one does so let's make sure that your an API partner so for instance you might be you might have higher privileges and I don't like how much this is removing in terms of validating all the various fields I choice go ahead and say too then alright let's make sure that you are an API partner if you're not then sends you a matter page and if you are it allows you to access the documents my say this looks good and I'm wrong alright so the problem is that access control to roll partner which ensures that not all users can access the documentation said only partners can it then redirects the user doing I'm protected session I'm protected resource okay so all right so let me see where my logic is wrong Oh miss this feel like solution one was kind of solving the wrong problem oh yeah definitely like solution 3 in solution for if you and I don't like solutions three or four so guess I'll just go with the solution one yeah cool all right so now only the partner API developers using their own private credentials cool sorry so the new problem here is get encrypt password well if you are on the slack Channel it's getting interesting over there so I'm going to go back to focusing on this so let's see here a string and cryptic password we have string getting cryptic password where we are just returning the value password when passed in a salt and string password this doesn't appear to be doing anything that is definitely problem so based on the function calls I would assume that the get encrypt password is encrypting the password based on the salt but all you're doing is returning the password which means that this is not doing anything I don't see yeah I don't see anywhere else that the cryptography is being applied so I'm just going to say this is week week algorithm used and that the encrypt password function which is intended to encrypt the password using a salt is just returning the password yeah this this is wrong yep cool yep so these are week custom algorithm without a key is a problem or saving the password is plaintext does not provide protection against tax in case of breach yeah it's right here again there is you're just you're not encrypting the password a court based on what I'm reading so let's let's let's fix that all right and it looks like the person in first place has nine thousand one hundred and thirty points and we have about eight minutes to go so I'll probably solve one or two well try to solve this one and then I will probably solve one more and then just do a little countdown of going back to the leaderboard so let's see what the solutions are we have password plus simple salt so I don't like this one at all because you have a static salt value which means that when you're coming to the exact same problem before way back when where if you have two passwords with the same salt you're just you're not actually encrypting anything different so using by applying the same salt to 2 of the same passwords so my passwords 1 2 3 4 5 your passwords 1 2 3 or 5 if we apply the same salt to it and then go through the hashing algorithm the end result will still be the same the point is that a salt is a unique value and this salt that's being passed was not actually used so solution 1 is wrong solution 2 so generate password is null you have a message you you have message digest you apply a salt and Jerry password ok this um yeah so you're updating based on assault and then you're generating the new function you know this seems terms of general flow that looks alright yeah yeah returning just clear text password and assault is not the right solution and base64 is encoding not encrypting the this one is 100 percent wrong this is not a this is still isn't encrypting anything this is encrypting things but it's applying the static salt value it's also kind of doing its own encryption algorithm which I don't like at all and so we have solution two and I'm going to see if I can solve one of these really really quickly so cool so looks like finished all level one so I'm going to try and do a level two in five minutes let's see what I can do all right really really quickly now so if registration of a user based on user name and password right and the signup process okay so extreme response registration yep so there are five minutes left and then we will close this down Oh preparedstatement okay yeah so the problem is that you are playing text or in your password you are doing everything pretty well prepared statement you are writing to the database untrusted users in a parameterised query which is good problem is that you are directly storing the password so I'm gonna say that the problem is plain text or passwords cool and the solution would be to apply user manager okay so we are applying a hash value which is good but again I don't see a salt still don't see assault so I don't think that's the best answer oh nice and we have the final countdown going on this life Channel so no pressure in fact if you want I can actually play this I don't know if you'll be able to hear it but got the final countdown oh no not going to be able to hear it alright so alright we have create hash based on password and this does apply salt alright so I do like this one much better let's see if 3 & 4 work so the user manager the only difference this doesn't go there we go okay des is very weak you're applying a static value sorry yeah this is not a hash value this is encryption which means that you then need to do key management and all types of other problems here so I don't this is definitely not good so definitely at three among other issues for passwords hashing is it tends to be better in fact easier to manage and I definitely don't I haven't seen if you are going to encrypt your passwords definitely don't use DES and so let's see here this one is basics for encoding okay so that's wrong so the correct answer is this one solution too cool and we are down to last minute so I'm going to stop let's see I didn't break the didn't break the thousand mark but you can see that we have 28 seconds left so we will you know what let's see if I can do one in 20 seconds so cross-site scripting sorry you were directly for that last one you were directly storing values for username and inserting their into the database so that one lit lit up for me for store cross-site scripting I didn't really get a chance to do full analysis but that was my first inclination so Wow I'm going to bring back up uh the stream so let's see hey Dan are you there yes I am cool very close finish that we had there at the at the end it was it was getting crazy I'd say the last 45 minutes in the in the in the tournament here and you know big big congratulations to Philip Marlowe finishing up and first with with ninety four ninety nine thousand four hundred thirty points you know jumping to the lead there and then we've gotten second place and I don't hate to say butch of the name but it's junk shell she finished up in second place with eight thousand seven and sixty points and that's only ten points more than our third place are a Kalfas so it was really close there and it was neck to neck and I'd say in the last twenty minutes even into first place but really congrats to everybody that participated tonight Ben I thought you did a great job just you know walking through problems listening you know going through some of these challenges and I just hope everybody took something away from this you know that this is something that was both fun and entertaining but it's also a learning experience and hopefully that what you learn in this you can take in in and recreate some of the knowledge and utilize in your own secure coding practices so the first-place winner is going to get a get a secure code water your hoodie so you know send me a private message and slack or you can send me an email at d lu and that's le wi n at secure codeword calm I will get out to a hoodie to you and then for the second third place winners congrats again you'll get a secure codeword t-shirt but again then it was a pleasure I really appreciate the opportunity present secure cover to your chapter shorten thank you so much again I really really do appreciate this this was a really cool tool you saw that some of my coding skills are there some of them are a little off but yeah it was it was great just to have fun practicing so congratulations and thank you everybody who participated just one last note we will have our next virtual meetup on Thursday the 21st that's one scheduled for so keep a lookout for that and again I really really do want to say Dan and secure code warrior I hope you all had a great night I hope you all learn something and I'll see you next time take care
Info
Channel: Owasp Nova
Views: 228
Rating: undefined out of 5
Keywords:
Id: DR0GlM8Ng40
Channel Id: undefined
Length: 123min 26sec (7406 seconds)
Published: Thu May 07 2020
Related Videos
Note
Please note that this website is currently a work in progress! Lots of interesting data and statistics to come.