Introduction to Web Security

Introduction
to
Web Security

Code Immersion Day
Fri 03 Aug 2018

A "bit" more about myself

The digital age

* End at 5 mins
- Realised something? I was referring to webpages all the way just now
- No Powerpoint slides, including this slide
- Everything going online, from school info, to journalism, to retail shops, and usually start with creation of website.
- The general rule of thumb would be the mantra, "Cheap, Fast, Good" - cost little to do up, get it up tomorrow, and showcase a world-class design.
- (To quiz) Iron Triangle: Speed, Quality, Good - can only have 2 out of 3
- Hokkien for this mantra
- Eg. Neighbour knock on door, ask you to do e-commerce site for $50 (Grin emoji), want it in 3 days (Downcast emoji), ppl see alr will have rainbow over heads (Anxious emoji)
- But is that all there is to it? How about the security of the website? Is it even important at all?

Being Paranoid

Validate input
Filter output
Robustness principle - Be conservative in what you send, be liberal in what you accept

Filter output

09 Apr 2018: CVE-2018-9857
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-9857
PHP Scripts Mall Match Clone Script 1.0.4 has XSS via the search field to searchbyid.php (aka the "View Search By Id" screen)
Exploit Demo

Validate input

22 Dec 2016: CVE-2016-10033
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-10033
The mailSend function in the isMail transport in PHPMailer before 5.2.18 might allow remote attackers to pass extra parameters to the mail command and consequently execute arbitrary code via a \" (backslash double quote) in a crafted Sender property.
Demo

Validate input - vulnerability

setFrom
validateAddress
mailSend

$params = sprintf('-f%s', $this->Sender);
$params:
-f"evil\" -oQ/tmp/ -X/var/www/html/asg1/demo/footer.php sender"@vulnerable.com

// This will cause sendmail to execute with (other options omitted for brevity):
Arg no. 0 = [/usr/sbin/sendmail] // binary
Arg no. 1 = [-fevil\] // set sender name
Arg no. 2 = [-oQ/tmp/] // set queue group
Arg no. 3 = [-X/var/www/html/cs4239-asg1-patch/footer.php] // path of log file
Arg no. 4 = [-sender"@vulnerable.com] // invalid option

Validate input - patch

Compare v5.2.17 and v5.2.18

$params = sprintf('-f%s', escapeshellarg($this->Sender));
$params: // note the single quotes
-f'"evil\" -oQ/tmp/ -X/var/www/html/cs4239-asg1-patch/footer.php sender"@vulnerable.com'

// This will cause sendmail to execute with (other options omitted for brevity):
Arg no. 0 = [/usr/sbin/sendmail]
Arg no. 1 = [-f"evil\" -oQ/tmp/ -X/var/www/html/cs4239-asg1-patch/footer.php sender"@vulnerable.com] // valid email local-part within quotes

Demo

Validate input - bypass

Patch in v5.2.18 incomplete, leading to CVE-2016-10045
Another patch via PHPMailer 5.2.20
Compare v5.2.18 and v5.2.20
Demo