Revealing the Secrets Source Code Disclosure Techniques and
- Slides: 39
Revealing the Secrets: Source Code Disclosure, Techniques, and Impacts
I am… v Anant Kochhar, Senior Information Security Consultant with Secur. Eyes v Project Manager and Researcher v Malware Detection Techniques and v Real World Cracker Techniques
Unique Insecurities… v Each developer is unique v Each application is uniquely insecure. v Each developer is uniquely insecure.
Source Code Disclosure Types v Accidental Code Disclosure v Backup and Misc. Files v The Dirty Download Page
Accidental Disclosure v Part of the Source Code is available in the HTML source code. v When Dynamic pages are turned into Static pages: like from ‘. asp’ to ‘. html’ v Coder don’t remove the ASP code before publishing the HTML page. v Why? Because IE is very forgiving.
Google- Looking in a domain which claims to have ALL ‘audited’ sites “mdb” “server. createobject” OR “server. mappath” site: ? ? ?
In IE
In Mozilla Firefox
Voila…
How to avoid it… v Don’t be careless. – Go through the HTML source code of every page before it is published online. v Use both IE and Firefox to test a page.
Backup and Misc. Files v Source Codes stored in readable formats. v Coders save backup files in the website’s hosting folders. v Zipped files, ‘. bak’ extensions etc. v Coders often use bad extensions- like ‘. inc’- for ‘included’ configuration files.
How to discover… v Directory Listings. v Disclosure in HTML Source (Rare) v Other non-standard techniques.
Google-The same secured domain “zip” “parent directory” site: ? ? ?
Directory Listing Enabled- All ‘internal pages’ visible
Interesting Folder: Election_asp Interesting File: Database Connection
Backup File of Election_asp: Election_asp. zip
All ASP Files…including Database Connection File
Database username and password in the database connection file
How to avoid it… v Disable Directory Listing v Don’t use the Hosting space as a storage space. v Name all ‘. inc’ files as ‘. inc. php’ or ‘. inc. asp’ files to make them inaccessible.
The Dirty Download Page v Better known as ‘Insecure Direct Object Ref. ’ v Paper in December 2007: http: //secureyes. net/downloads/Source_Code_Discl osure_over_HTTP. pdf v Many white hats have contacted me regarding it. v Translated into Spanish- which is flattering and scary v Not the target audience.
The Comment… “look on the internet for such pages…”
How An Engine Works User_login. php URL: /user_login. php Application Root Folder PHP Engine Server HTML part of User_login. php User’s Browser
The site’s root folder
http: //www. vulnerable 123. com/1. doc
Internal Affairs… 1. doc URL: /1. doc Application Root Folder PHP Engine Server 1. doc User’s Browser
The Other Method… Stream the static content files through a dynamic page: 1) Filename passed as a parameter to the dynamic page- hereby called the ‘download’ page. 2) The download page looks for the file in the hosting folder 3) And upon finding it, streams it to the user’s browser.
http: //www. vulnerable 123. com/downl oad_file. php? filename=1. doc
Internal Affairs 2 1. doc Download_file. php URL: /download_file. php? filename=1. doc User’s Browser Application Root Folder PHP Engine Server 1. doc
The Exploit… Change the filename parameter’s value to login_user. php: v Will it be processed by the engine before being streamed? v Not! The engine does not double-process a single request! It will simply stream the source code file ‘login_user. php’!
http: //www. vulnerable 123. com/downloa d_file. php? filename=user_login. php
Internal Affairs 3 Download_file. php User_login. php URL: /download_file. php? filename=user_login. php source code file Application Root Folder PHP Engine Server User’s Browser
Google A URL which contains: v A Dynamic Page extension. ext: php OR ext: jsp OR ext: aspx v A Static File extension in the URL (somewhere): inurl: doc OR inurl: pdf OR inurl: xls OR inurl: txt OR inurl: ppt OR inurl: htm
Pattern (contd. ) Combining : inurl: doc OR inurl: pdf OR inurl: xls OR inurl: txt OR inurl: ppt ext: php OR ext: jsp OR ext: aspx
Google Result Page Lots of false positives
Patterns (contd. ) Search can be restricted to a site or a domain site: vulnerable 123. com Finding the Dirty Download Page in www. vulnerable 123. com: Inurl: doc OR inurl: pdf OR inurl: xls OR inurl: txt OR inurl: ppt ext: php OR ext: jsp OR ext: aspx site: vulnerable 123. com
Voila…
Unique Case of Java Sites- Directory Listing through the download page
Recommended Resolutions v Indirectly refer internal objects. v For example, index the downloadable files, and pass index numbers instead of file names. v File Extensions Validations can be bypassed: Null Byte Injection
v Contact me: anant. kochhar[at]secureyes[dot]net
- Source code disclosure
- Difference between source code and machine code
- The ocean floor revealing plate tectonics
- A revealing introduction to hidden markov models
- Tru face revealing gel
- âq1
- A revealing introduction to hidden markov models
- Order revealing encryption
- Busceral
- Castles secrets mysteries and legends
- Dark romanticism vs gothic
- Unlocking the secrets of mohenjodaro
- The secrets of successful strategy execution
- The secrets of old age
- Trade secrets examples
- Definition of trade secrets
- Cs 279
- Mohenjo daro weights and scales
- Leadership secrets of santa claus
- Market maker secrets
- Leadership skills of attila the hun
- Job's daughters secrets
- Happy family secrets
- Forex strategy secrets
- Call revealer
- Unlocking the secrets of mohenjodaro
- Les 7 secrets de monsieur unisson
- Richard greene public speaker
- Secrets through the smoke worksheet answers
- Unlocking the secrets of the sun
- Trade secrets outline
- The real secrets of the top 20
- The five secrets
- Happy family with god
- Secrets destroy families
- Nova secrets of the mind
- Toy repairman toy story 2
- Aws secrets engine
- Oh my secrets
- Logo tgv à l'envers