Video Converter
Audio Converter
Image Converter
PDF Converter
File Compressor
secure in 2010 broken in 2011

Secure in 2010? Broken in 2011! Matias Madou, PhD Principal - PowerPoint PPT Presentation

Sep 10, 2022 •458 likes •1.03k views

Secure in 2010? Broken in 2011! Matias Madou, PhD Principal Security Researcher Matias Madou Principal Security Researcher, Fortify an HP Company Static Analysis Rules Insider Threat Research Runtime products: RTA and

  1. Secure in 2010? Broken in 2011! Matias Madou, PhD Principal Security Researcher

  2. Matias Madou • Principal Security Researcher, Fortify an HP Company – Static Analysis Rules – Insider Threat Research – Runtime products: RTA and SecurityScope – Hybrid 2.0: Correlation – Gray-box analysis • Contributor to Building Security in Maturity Model (BSIMM) Europe • History in code obfuscation (and binary rewriting)

  3. Overview • Introduction • The Test Application: Secure in 2010 • What’s new in 2011? – New vulnerabilities – New analysis techniques • Continues Testing

  4. Introduction History of the experiment: Gather empirical results while developing gray-box analysis. Test Application, criteria: • Extensively used • Undergone security improvements

  5. The Test Application • Selection criteria for the project working on: – Open source, java or .NET – Widely used • Apache 10.04

  6. The Test Application • Products and Projects based on Apache OFBiz: – OpenTaps

  7. The Test Application • End Users: – 1-800-Flowers – Olympus.de – United.com – BT.com – …

  8. The Test Application • Security? – Multiple vulnerabilities found in CVE – Other (Exploit Search) – … and an interesting video on how to become an admin by exploiting a XSS

  9. The Test Application

  10. The Test Application

  11. The Test Application

  12. The Test Application • Bug Tracking: Security Issues grouped together

  13. The Test Application • In the end: All known issues are fixed in Apache OFBiz 10.04 Secure in 2010!

  14. So… what’s new in 2011? 1) New vulnerabilities: Denial-of-service: Parse Double 2) Analysis techniques: Gray box analysis

  15. Denial-of-Service: Parse Double • Problem description:

  16. Denial-of-Service: Parse Double More concrete: • Value: 2.2250738585072012e-308 • API: Double.parseDouble(value) Infinite loop! http://blog.fortify.com/blog/2011/02/08/Double-Trouble

  17. Denial-of-Service: Parse Double • Feb 01, 2011? No, no. March 04, 2001! • Why is this fixed within 1 month after the rediscover?

  18. Denial-of-Service: Parse Double Examples: • Application: Apache Tomcat • Usage: Tomcat uses parseDouble() on the value of the Accept-Language HTTP header when an application calls request.getLocale() Infinite loop! http://blog.fortify.com/blog/2011/02/08/Double-Trouble

  19. Denial-of-Service: Parse Double What is the problem? • Root case is a Java problem, not an application problem! • Everybody uses the fixed java version, right? (Version Java 6 Update 24 or later) • Everybody runs a patched or latest Tomcat version, right? (Tomcat 7.0.8, 6.0.32, 5.5.33 or later)

  20. Denial-of-Service: Parse Double Tomcat fix

  21. Denial-of-Service: Parse Double Java fix

  22. Denial-of-Service: Parse Double • Seen in the field: adding the pattern to WAF • Problems: 1. Does not protect against persistent 2. Are you sure your patterns cover everything? Pattern often used: 2.2250738585072012e-308 How about: 0.22250738585072012e-307

  23. Denial-of-Service: Parse Double • Seen in the field: adding the pattern to WAF • Problems: 2. Are you sure your patterns cover everything?

  24. Denial-of-Service: Parse Double How many issues in Apache OFBiz? Used analysis techniques: • Static Analysis (White Box) • Penetration Testing (Black Box)

  25. Denial-of-Service: Parse Double Static Analysis (White Box)

  26. Denial-of-Service: Parse Double Penetration Testing (Black Box): http://yourofbiz.com/ecommerce/control/modifycart (update_0, update_1, …) http://yourofbiz.com/ecommerce/control/additem/showcart (quantity, add_product_id) http://yourofbiz.com/ecommerce/control/additem/quickadd (quantity) http://yourofbiz.com/ecommerce/control/additem/keywordsearch (quantity) http://yourofbiz.com/ecommerce/control/additem/advancedsearch (quantity) http://yourofbiz.com/ecommerce/control/additem/showPromotionDetails (quantity) http://yourofbiz.com/ecommerce/control/additem/product (quantity,add_amount) http://yourofbiz.com/ecommerce/control/additem/lastViewedProduct (update_0) http://yourofbiz.com/ecommerce/control/additem/showForum (quantity) http://yourofbiz.com/ecommerce/control/additem/category (quantity) http://yourofbiz.com/ecommerce/control/additem/main (quantity) http://yourofbiz.com/ecommerce/control/additem (quantity) http://yourofbiz.com/ecommerce/control/additem/setDesiredAlternateGwpProductID (…) …

  27. Gray Box Analysis

  28. Black-Box Testing • System-level tests • No assumptions about implementation • Example: fuzzing • Good: concrete results • Bad: a losing game

  29. White-Box Testing • Examine implementation • Test components in isolation • Example: static analysis • Good: thorough • Bad: too thorough • Bad: no “show me” exploits

  30. Gray-Box Testing • System-level tests (like black-box) • Examine implementation (like white-box)

  31. Hybrid == Gray Box Analysis… Right? • NO!

  32. Hybrid Analysis Application Dynamic Static Monitor Analysis Analysis Correlation Engine Correlated Vulnerability List

  33. Internals: Lining Up an Attack with the Code Dynamic Static Monitor http://www. sales.xyz.com?n =… File: MyCode.cs File: MyCode.cs Line: 27 Line: 27 ID: 234 ID: 234 Source trace: <com.my.xxx>

  34. Gray-box analysis: Integrated Analysis Application Dynamic Analysis Real-Time Analysis Real-time link • Find More • Fix Faster

  35. Find More • Detect new types of vulnerabilities – Privacy violation, Log Forging • Find more of all kinds of vulnerabilities – Automatic attack surface identification – Understand effects of attacks

  36. Attack surface identification /login.jsp /pages/account.jsp /pages/balance.jsp /backdoor.jsp • File system • Configuration-driven • Programmatic

  37. Attack surface identification Point to a particular start page and scan: • Crawl will find some directories

  38. Attack surface identification Point to a particular start page and scan • Crawl is no longer necessary! The Runtime Component just tells the pen tester the attack surface.

  39. Understand effects of attacks ✗ /backdoor.jsp ✔ sysadmin$./sh Command Injection

  40. Fix Faster • Provide Actionable Details – Stack trace – Line of code • Group Symptoms with a Common Cause

  41. Actionable Details /login.jsp

  42. Group Symptoms with a common cause • Counting issues seems to be hard! /login.jsp /pages/account.jsp /pages/balance.jsp 1 Cross-Site Scripting Symptom 2 Cross-Site Scripting Symptoms 3 Cross-Site Scripting Symptoms 1 Cross-Site Scripting Cause

  43. Fix Faster: Actionable details

  44. Fix Faster: Actionable details

  45. Fix Faster: Group symptoms

  46. Group symptoms: details • Detailed information on where to fix the issue

  47. For the record: the proof • The page • Page Source

  48. More to come: Automated anti-anti automation

  49. Solution Which one are you talking about? • Solution to fix the code • Solution to keep it protected

  50. Solution to fix the code • It’s still open source, so you can DIY (found in the bug databse)

  51. Solution to fix the code Right now and no time: (vulns in these slides) • Run the Java 6 Update 24 or later (no DoS: Parse Double issues) • In Framework/webslinger/modules/defaults.zip: www/Errors/Codes/404.vtl Remove ${webslinger.payload.pathInfo} • In: Remove the mapKey

  52. Solution to keep it protected • Continues testing ?

  53. Solution to keep it protected • How about the application in production? WAF Static Analysis Security Integration Design Code Test Operate /Staging Development IT / Operations Gray-box Analysis Penetration Testing

  54. Solution to keep it protected • Code changes, keep scanning • New vulnerabilities are discovered. Update with the latest security information No rocket science, right?

  55. Solution to keep it protected • Try out new assessment techniques • Work the scans. Tune them to work in your environment

Recommend

How Secure are Secure How Secure are Secure Interdomain Routing Protocols? Interdomain Routing

How Secure are Secure How Secure are Secure Interdomain Routing Protocols? Interdomain Routing

DIMACS Workshop On Secure Routing March 10, 2010 How Secure are Secure How Secure are Secure Interdomain Routing Protocols? Interdomain Routing Protocols? $ $ Sharon Goldberg Microsoft Research &amp; Boston University y Michael Schapira

705 views • 54 slides
Insecure Direct Object Reference IDOR ( Broken Access Control ) IDOR ( Broken Access Control ) ~#

Insecure Direct Object Reference IDOR ( Broken Access Control ) IDOR ( Broken Access Control ) ~#

Insecure Direct Object Reference IDOR ( Broken Access Control ) IDOR ( Broken Access Control ) ~# whoami Eric Biako Bsc. IT, CEH v9 Information security officer @ E-connecta Moderator @ https://legalhackmen.com IDOR ( Broken Access Control )

519 views • 12 slides
Galatians Whos Your Mama? Broken people know theyre broken! They know they need Jesus

Galatians Whos Your Mama? Broken people know theyre broken! They know they need Jesus

Galatians Whos Your Mama? Broken people know theyre broken! They know they need Jesus &amp; have given up on being their own savior! Abraham Sarah (wife) Isaac (son) Hagar (maidservant) Ishmael (son) Abraham, our broken spiritual

264 views • 21 slides
Eye and Brain Eye and Brain Central visual pathways 1 2/22/2010 2 2/22/2010 3 2/22/2010 4

Eye and Brain Eye and Brain Central visual pathways 1 2/22/2010 2 2/22/2010 3 2/22/2010 4

2/22/2010 Eye and Brain Eye and Brain Central visual pathways 1 2/22/2010 2 2/22/2010 3 2/22/2010 4 2/22/2010 5 2/22/2010 6 2/22/2010 7 2/22/2010 8 2/22/2010 9 2/22/2010 10 2/22/2010 11 2/22/2010 12 2/22/2010 13

596 views • 20 slides
All wireless communication stacks are equally broken Jiska Classen Secure Mobile Networking Lab

All wireless communication stacks are equally broken Jiska Classen Secure Mobile Networking Lab

All wireless communication stacks are equally broken Jiska Classen Secure Mobile Networking Lab - SEEMOO Technische Universitt Darmstadt, Germany A foundation talk??? Wireless communication is fun damentally broken focus: everything in

690 views • 42 slides
ANNOUNCEMENT Date: 8 April 2020 Number: 668/08042020 BROKEN HILL ALLIANCE PRESENTATION Broken

ANNOUNCEMENT Date: 8 April 2020 Number: 668/08042020 BROKEN HILL ALLIANCE PRESENTATION Broken

ANNOUNCEMENT Date: 8 April 2020 Number: 668/08042020 BROKEN HILL ALLIANCE PRESENTATION Broken Hill Alliance: As part of the new 2020 focus on PGM-nickel-copper exploration, Impact Minerals Limited (ASX:IPT) announced to ASX on 24 February

348 views • 10 slides
Broken Hill North Mine Community Consultative Committee 04 October 2019 KPIs MOD 2 Broken Hill

Broken Hill North Mine Community Consultative Committee 04 October 2019 KPIs MOD 2 Broken Hill

Broken Hill North Mine Community Consultative Committee 04 October 2019 KPIs MOD 2 Broken Hill North Mine, MOD 1 CoC Schedule 2, 8 (c), specified, 16 ore laden truck movements per day when averaged over a calendar quarter. PBH found this

147 views • 13 slides
Review of prices for water and sewerage services in Broken Hill, and prices for the Broken Hill

Review of prices for water and sewerage services in Broken Hill, and prices for the Broken Hill

Review of prices for water and sewerage services in Broken Hill, and prices for the Broken Hill Pipeline, from 1 July 2019 Public Hearing 20 November 2018 Outline Overview of WaterNSW and Essential Water reviews Review of WaterNSWs prices

522 views • 22 slides
GOD BLESSED THE BROKEN LINES This much I know is true. God blessed the broken lines

GOD BLESSED THE BROKEN LINES This much I know is true. God blessed the broken lines

GOD BLESSED THE BROKEN LINES This much I know is true. God blessed the broken lines that led me straight to Christ. MATTHEW 1:1-17 UNCONDITIONAL &amp; CONDITIONAL I. UNDERLYING COVENANTS Edenic &amp; Adamic Covenants A. 1.

366 views • 20 slides
AI Is Broken Sophie Searcy AI Is Broken slides at soph.info/ai-traps Sophie Searcy Caveats

AI Is Broken Sophie Searcy AI Is Broken slides at soph.info/ai-traps Sophie Searcy Caveats

AI Is Broken Sophie Searcy AI Is Broken slides at soph.info/ai-traps Sophie Searcy Caveats AI lumping together Data Science, Artificial Intelligence, Machine Learning, Data Mining, etc. Audience Conversant in AI topics. Not

761 views • 47 slides
Broken Authentication: What it means, and what you can do hassan.abudu@owasp.org OWASP Top 10

Broken Authentication: What it means, and what you can do hassan.abudu@owasp.org OWASP Top 10

Broken Authentication: What it means, and what you can do hassan.abudu@owasp.org OWASP Top 10 Vulnerabilities - 2017 Rank Name 1 Injection 2 Broken Authentication 3 Sensitive Data Exposure 4 XML External Entities 5 Broken Access

212 views • 6 slides
Secure Returns SAFE AS A VAULT Secure SECONDS TO UPLOAD Efficient ACCESSIBLE ANYWHERE

Secure Returns SAFE AS A VAULT Secure SECONDS TO UPLOAD Efficient ACCESSIBLE ANYWHERE

Secure Returns SAFE AS A VAULT Secure SECONDS TO UPLOAD Efficient ACCESSIBLE ANYWHERE Convenient What is Secure Returns ? Secure Returns is a secure website where you and your clients can securely upload &amp; download confidential

203 views • 9 slides
Ubiquitous and Secure Networks and Services Ubiquitous and Secure Networks and Services

Ubiquitous and Secure Networks and Services Ubiquitous and Secure Networks and Services

Ubiquitous and Secure Networks and Services: SunSpot Development Platform Ubiquitous and Secure Networks and Services Ubiquitous and Secure Networks and Services Ubiquitous and Secure Networks and Services Ubiquitous and Secure Networks and

489 views • 25 slides
Financial Results for 4/2010- -9/2010 9/2010 Financial Results for 4/2010 and and Financial

Financial Results for 4/2010- -9/2010 9/2010 Financial Results for 4/2010 and and Financial

Financial Results for 4/2010- -9/2010 9/2010 Financial Results for 4/2010 and and Financial Forecasts for 4/2010- -3/2011 3/2011 Financial Forecasts for 4/2010 November 4 , 2010 November 4 , 2010 Statements made in this overview of

524 views • 27 slides
Perfect Secrecy A cryptosystem is unconditionally secure if it cannot be broken, even with

Perfect Secrecy A cryptosystem is unconditionally secure if it cannot be broken, even with

Perfect Secrecy A cryptosystem is unconditionally secure if it cannot be broken, even with infinite computational resources. (There are other (weaker) types of security; well talk about those later.) A cryptosystem is unconditionally secure

643 views • 4 slides
and Web Applications 06 Secure Coding Alexandros Labrinidis University of Pittsburgh Secure

and Web Applications 06 Secure Coding Alexandros Labrinidis University of Pittsburgh Secure

CS 1655 / Spring 2010 Secure Data Management and Web Applications 06 Secure Coding Alexandros Labrinidis University of Pittsburgh Secure Coding From: Secure Coding: Principles and Practices by Mark G. Graff &amp; Kenneth R. Van Wyk

755 views • 17 slides
Using Twitter Strategically Amanda Carnes, MPH, CHES Social Media Lead Education, Training, and

Using Twitter Strategically Amanda Carnes, MPH, CHES Social Media Lead Education, Training, and

Using Twitter Strategically Amanda Carnes, MPH, CHES Social Media Lead Education, Training, and Communication Team Division of Viral Hepatitis National Center for HIV/AIDS, Viral Hepatitis, STD &amp; TB Prevention Division of Viral Hepatitis

456 views • 23 slides
Semantic Markup Languages: A Gentle Introduction Yolanda Gil USC/Information Sciences Institute

Semantic Markup Languages: A Gentle Introduction Yolanda Gil USC/Information Sciences Institute

Semantic Markup Languages: A Gentle Introduction Yolanda Gil USC/Information Sciences Institute gil@isi.edu Yolanda Gil 1 Outline I: The Big Picture The Semantic Web

863 views • 41 slides
Routing Process of distributing information through network so routers can build forwarding

Routing Process of distributing information through network so routers can build forwarding

Routing Process of distributing information through network so routers can build forwarding tables Forwarding vs. routing tables Forwarding table maps network number to interface, data link address Routing table maps network

330 views • 12 slides
The web is broken Let's fjx it! Roberuo Clapis Michele Spagnuolo Roberuo Clapis Michele

The web is broken Let's fjx it! Roberuo Clapis Michele Spagnuolo Roberuo Clapis Michele

#HackInBo Bologna, Italy 2019 The web is broken Let's fjx it! Roberuo Clapis Michele Spagnuolo Roberuo Clapis Michele Spagnuolo Sofuware Engineer Senior Information Security (Security) Engineer We work in a focus area of the Google

711 views • 48 slides
L A O G 1 You had one job L A O G 1 7 tool categories... Lets begin... 1/7

L A O G 1 You had one job L A O G 1 7 tool categories... Lets begin... 1/7

L A O G 1 You had one job L A O G 1 7 tool categories... Lets begin... 1/7 1. MozBar - plugin Demo 2. Ayima redirect checker - plugin Demo 3. Broken link checker - plugin Demo 4. Keywords Everywhere - Plugin Demo 2/7

642 views • 51 slides
An Internet Architecture for the 21st Century Adrian Perrig Network Security Group, ETH Zrich

An Internet Architecture for the 21st Century Adrian Perrig Network Security Group, ETH Zrich

An Internet Architecture for the 21st Century Adrian Perrig Network Security Group, ETH Zrich monumental structure stood the test of time &amp; seems immutable 2 Just like todays Internet ? Can we fix its issues, though?

555 views • 40 slides
1 Web APIs that Developers Love Kai Spichale @kspichale 2 Communication Decoupling from

1 Web APIs that Developers Love Kai Spichale @kspichale 2 Communication Decoupling from

1 Web APIs that Developers Love Kai Spichale @kspichale 2 Communication Decoupling from among developers implementation Client API Implementation Integration &amp; reuse Operations with input and output 3 Developer Perspective ?

729 views • 54 slides
Routing In Ad Hoc Networks 1. Introduction to Ad-hoc networks 2. Routing in Ad-hoc networks 3.

Routing In Ad Hoc Networks 1. Introduction to Ad-hoc networks 2. Routing in Ad-hoc networks 3.

Routing In Ad Hoc Networks 1. Introduction to Ad-hoc networks 2. Routing in Ad-hoc networks 3. Proactive routing protocols DSDV 4. Reactive routing protocols DSR, AODV 5. Non-uniform routing protocols ZRP, CEDAR 6. Other

400 views • 22 slides

More recommend

Explore More Topics

Stay informed with curated content and fresh updates.

animals pets art culture automotive transportation business finance computer internet construction architecture education-career electronics communication

Logo Sambuz

Unleash a World of Digital Possibilities—Browse, Share, and Explore Content Without Boundaries

Useful Links

About Us Privacy Services FAQ's Contact

Newsletter

Stay Informed & Inspired—Subscribe for the Latest Updates, Tips, and Exclusive Content Directly to Your Inbox.

Mail Us

mail@sambuz.com

2026 SAMBUZ, All right reserved.