Application Security - wisc.org.ua

Application Security Science or Quality Assurance?
Nazar Tymoshyk Ph.D, Security Consultant, R&D at SoftServe
Famous Security Professionals
Richard Stallman
Robert Morris
Linus Torvalds
Tsutomu Shimomura
Stephen Wozniak
Famous “Security Professionals”
Adrian Lamo
Kevin Mitnick
Gary McKinnon
Kevin Poulsen
Jonathan James
What about famous QA professionals?
To be a security bug hunter
So you know where to move ;)
Security is also a metric of Software Quality
“The simple truth is that catching security holes earlier costs an organization less to remediate, which makes good business sense.”
QA Engineer
In functional and performance testing, the expected results are documented before the test begins, and the quality assurance team looks at how well the expected results match the actual results.
Security Analyst
In security testing, the quality assurance team is concerned only with unexpected results and testing for the unknown.
Weapon
Passion
Persistence
Research
Tools
Guides
Checklists
Collaboration and Team work
“IT security and quality assurance working together are exponentially more powerful. The result will be a more security-oriented QA department and a more quality-oriented IT security department, which will help remove more risk and provide better continuity.”
OWASP
SAMM
WAF
Development guide
Testing guide
ASVS
Microsoft approach
Testing security with Tools
Core Impact
Burp
Accunetix WVS
w3af
HP WebInspect
OWASP ZAP
IBM Rational AppScan
OWASP Mantra
DEMO
Let’s test a small web-site with commercial and free tools
Applying a scientific approach
Get tools from:
http://goo.gl/eHl2u
Targets:
http://192.168.195.34
http://192.168.195.80
Smashing the app
Remote code execution – one of the most dangerous vulnerabilities in web-apps.
How the goal is achieved:
• Upload scripts to the server
• Remote File Inclusion (RFI)
• Local File Inclusion (LFI)
Unrestricted file upload
File upload vulnerability – allows a remote attacker to upload files/scripts to the server with special content or an arbitrary extension.
This vulnerability exists because of incorrect file extension validation.
Incorrect methods of validating the uploaded file extension:
• Validating the MIME type of the uploaded file instead of validating the file extension
• Black-list extension validation
• Other errors…
Insecure web-server/application-server configuration also plays an important role.
Upload your shell
Changing MIME type
Validation sample (the wrong way – only the client-supplied MIME type is checked):
<?php
$imageTypes = array("image/gif", "image/jpg", "image/png");
if(isset($_FILES["image"])) {
    // $_FILES["image"]["type"] is the Content-Type the browser sent, not the real file type
    if(!in_array($_FILES["image"]["type"], $imageTypes)) {
        die("Hacking Attempt!");
    }
    copy($_FILES["image"]["tmp_name"], "images/{$_FILES["image"]["name"]}");
}
?>
Problem: it is easy to change the type of the file, as it is set by the browser in the HTTP request. Every variable that is set by the browser can be easily changed by the user.
Content validation
Black list: wrong way
<?php
if(isset($_FILES["image"])) {
    // Rejects only the listed extensions; anything not on the list is accepted
    if(preg_match('#\.((php)|(php3)|(php4)|(php5))$#i', $_FILES["image"]["name"])) {
        die("Hacking Attempt!");
    }
    copy($_FILES["image"]["tmp_name"], "images/{$_FILES["image"]["name"]}");
}
?>
Regular expressions
<?php
if(isset($_FILES["image"])) {
    // Matches ".jpg" anywhere in the name, not only at the end
    if(preg_match('#\.jpg#i', $_FILES["image"]["name"])) {
        copy($_FILES["image"]["tmp_name"], "images/{$_FILES["image"]["name"]}");
    }
}
?>
In this sample the name of the uploaded file is checked for the string .jpg. But the regular expression is missing the control symbol $ that marks the end of the line.
As a result the file shell.jpg.php will be uploaded successfully.
Right way
<?php
if(isset($_FILES["image"])) {
    // Whole name must be safe characters followed by one allowed extension
    if(preg_match('#^[a-z0-9-_]+\.((jpg)|(png)|(bmp))$#i', $_FILES["image"]["name"])) {
        move_uploaded_file($_FILES["image"]["tmp_name"], "images/{$_FILES["image"]["name"]}");
    }
}
?>
White list validation
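An added example (not from the slides) that runs the four validators shown above side by side over a set of constructed file names, so the weakness of each incorrect method is visible next to the white-list check; the function names and the sample names are assumptions.

```php
<?php
// Added example, not part of the original slides. A real upload would read
// $_FILES; here the file name and the claimed Content-Type are constructed.

// MIME check only: trusts the Content-Type the browser sends.
function mimeCheck(string $type): bool {
    $imageTypes = ["image/gif", "image/jpg", "image/png"];
    return in_array($type, $imageTypes, true);
}

// Black list: rejects a few known extensions, accepts everything else.
function blackList(string $name): bool {
    return !preg_match('#\.((php)|(php3)|(php4)|(php5))$#i', $name);
}

// Regex without the $ anchor: ".jpg" may appear anywhere in the name.
function unanchoredRegex(string $name): bool {
    return (bool) preg_match('#\.jpg#i', $name);
}

// White list: the whole name must be safe characters plus one allowed extension.
function whiteList(string $name): bool {
    return (bool) preg_match('#^[a-z0-9_-]+\.((jpg)|(png)|(bmp))$#i', $name);
}

// Constructed cases: [file name, Content-Type claimed by the client]
$cases = [
    ["photo.jpg",     "image/jpg"],  // legitimate upload
    ["shell.php",     "image/png"],  // client lies about the MIME type
    ["shell.phtml",   "image/png"],  // extension absent from the black list
    ["shell.jpg.php", "image/png"],  // ".jpg" present, but not at the end
    ["../shell.jpg",  "image/jpg"],  // path characters inside the name
];

printf("%-16s %-5s %-6s %-6s %-6s\n", "name", "mime", "black", "regex", "white");
foreach ($cases as [$name, $type]) {
    printf("%-16s %-5s %-6s %-6s %-6s\n", $name,
        mimeCheck($type)       ? "ok" : "deny",
        blackList($name)       ? "ok" : "deny",
        unanchoredRegex($name) ? "ok" : "deny",
        whiteList($name)       ? "ok" : "deny");
}
```

Only the white-list column denies every constructed malicious name while still accepting photo.jpg; each of the other three columns accepts at least one of them.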
Local File Inclusion
Local File Inclusion – allows including local files on the remote server and executing arbitrary code.
Reason: incorrect validation of the included file name, vulnerable server configuration.
Successful LFI exploitation has three main tasks:
• Removing the postfix
• Directory Traversal
• Searching for files for code injection
Directory Traversal
Filtering can prevent Directory Traversal.
Very often developers apply filtering of ../ :
<?php include(str_replace("../", "", $_GET["page"]).".inc"); ?>
../../../etc/passwd --> Filtering --> etc/passwd --> fail
But such filtering is not enough – it is not recursive:
..././..././..././etc/passwd --> Filtering --> ../../../etc/passwd --> profit
Secure Validation
Secure Validation – validation of the file name for service symbols
if(preg_match('#[^a-z0-9-_]#i', $page)) {
    die("Hacking Attempt!");
}
include("{$page}.inc");
In this sample, if we try to include a file whose name contains symbols other than A-Z, a-z, 0-9, «-» and «_», execution of the PHP script is interrupted.
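An added example (not from the slides) that runs the single-pass ../ filter, a repeated version of the same filter, and the white-list check from the slide above over the two inputs the slides use; the function names are assumptions, and the include() is replaced by returning the resolved name so the script runs on its own.

```php
<?php
// Added example, not part of the original slides. Inputs are constructed
// from the traversal strings shown above; no file is actually included.

// The filter from the slides: one pass of str_replace, not recursive.
function singlePassFilter(string $page): string {
    return str_replace("../", "", $page);
}

// The same filter repeated until nothing changes. It closes the nesting
// trick shown above but still only handles one literal pattern.
function repeatedFilter(string $page): string {
    do {
        $before = $page;
        $page = str_replace("../", "", $page);
    } while ($page !== $before);
    return $page;
}

// Secure validation from the slides: reject any character outside the
// white list instead of trying to strip known bad sequences.
function whitelistPage(string $page): ?string {
    if (preg_match('#[^a-z0-9_-]#i', $page)) {
        return null;   // die("Hacking Attempt!") in the original
    }
    return $page . ".inc";
}

$inputs = [
    "about",                          // legitimate page name
    "../../../etc/passwd",            // plain traversal, caught by one pass
    "..././..././..././etc/passwd",   // survives one pass, as the slide shows
];

foreach ($inputs as $in) {
    printf("%-30s single:%-22s repeated:%-12s whitelist:%s\n",
        $in,
        singlePassFilter($in),
        repeatedFilter($in),
        whitelistPage($in) ?? "denied");
}
```

The single-pass column reproduces the slide: the nested input comes out as ../../../etc/passwd, while the white-list check denies both traversal inputs and accepts only about.inc.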
So, how to become a Security Analyst
• Use OWASP researches
• Ask and share
• Samurai WTF
• Participate in the community
• Talk on Security Hole
Feedbacks & Questions
Contact Nazar:
skype: root_nt
email: root.nt@gmail.com
Presentation & Files:
http://goo.gl/eHl2u
Leave your Feedbacks:
http://goo.gl/FW4ar
Join OWASP Lviv:
https://www.owasp.org/index.php/Lviv