2. Application Security -
Science or Quality Assurance?
Nazar Tymoshyk Ph.D, Security Consultant, R&D at SoftServe

3. Famous Security Professionals
Richard Stallman Linus Torvalds Tsutomu Shimomura
Robert Morris Stephen Wozniak

4. Famous “Security Professionals”
Adrian Lamo Kevin Mitnick Kevin Poulsen
Gary McKinnon Jonathan James

5. What about famous QA professionals?

6. So you know where to move ;)
Security is also metric
of Software Quality
“The simple truth is that catching
security holes earlier costs an
organization less to remediate, which
makes good business sense. ”

7. QA Engineer Security Analyst
In functional and performance
testing, the expected results are In security testing, the quality
documented before the test begins, and assurance team is concerned only
the quality assurance team looks at how with unexpected results and testing
well the expected results match the for the unknown.
actual results

8. Weapon
Passion Tools
Persistence Guides
Research Checklists

9. Collaboration and Team work
“ IT security and quality IT security
assurance working department, which will
together are exponentially help remove more risk
more powerful. The result and provide better
will be a more security- continuity ”
oriented QA department
and a more quality-
oriented

10. OWASP
SAMM WAF Development
Testing guide ASVS
guide

11. Microsoft approach

12. Testing security with Tools
Core Impact Burp
Accunetix WVS w3af
HP WebInspect OWASP ZAP
IBM Rational OWASP Mantra
AppScan

13. DEMO
Let’s test small web-site with
commercial and free tools

14. Applying Get tools from:
http://goo.gl/eHl2u
Science
approach
Targets:
http://192.168.195.34
http://192.168.195.80

15. Smashing the app
Remote code execution – one of the most dangerous vulnerabilities in
web-apps
How to achieve a goal:
• Upload scripts to server
• Remote File Inclusion (RFI)
• Local File Inclusion (LFI)

16. Unrestricted file upload
File upload – vulnerability allow remote attacker to upload
files/scripts on server with special content or random extension.
This vulnerability exist through incorrect file extension implementation.
Incorrect methods of uploaded file extension validation :
• Validation of MIME-type of uploading file vs validation of
file extention
• Black-list extension validation
• Other errors…
Unsecure web-server/application server configuration play also important
role.

17. Upload your shell

18. Changing MIME type
Validation sample:
<?php
$imageTypes = array("image/gif", "image/jpg", "image/png");
if(isset($_FILES["image"])) {
if(!in_array($_FILES["image"]["type"], $imageTypes)) {
die("Hacking Attempt!"); }
copy($_FILES["image"]["tmp_name"], "images/{$_FILES["image"]["name"]}");
} ?>
Problem: It’s easy to change type of file – as it’s setting by
browser in HTTP-request. And all variables that are set by
browser – can be easily changed by user.

19. Content Black list:
validation Wrong way
<?php if(isset($_FILES["image"])) {
if(preg_match('#.((php)|(php3)|(
php4)|(php5))$#i',$_FILES["image
"]["name"])
){
die("Hacking Attempt!");
}
copy($_FILES["image"]["tmp_nam
e"], "images/{$_FILES["image"]["n
ame"]}"); } ?>

20. Regular expressions
<?php
if(isset($_FILES["image"])) {
if(preg_match('#.jpg#i', $_FILES["image"]["name"])) {
copy($_FILES["image"]["tmp_name"], "images/{$_FILES["image"]["name"]}
");
} } ?>
In this sample name of uploaded file is checking for
string .jpg. But regular expression is working as control
symbol $ that indicate EOL is missed,.
As a result file shell.jpg.php will be successes fully
uploaded.

21. Right way
<?php
if(isset($_FILES["image"])) {
if(preg_match('#^[a-z0-9-
_]+.((jpg)|(png)|(bmp))$#i', $_FILES["image"]["name"])
){
move_uploaded_file($_FILES["image"]["tmp_name"], "ima
ges/{$_FILES["image"]["name"]}");
} }
?> White list
validation

22. Local File
Inclusion
Local File Inclusion – allow to include local files on remote server
and execute arbitrary code.
Reason: incorrect linked file validation, vulnerable server
configuration
Successfully LFI exploitation have three main task :
• Removing of postfix
• Directory Traversal
• Searching files for code injection

23. Directory
Traversal
Filtration can prevent Directory Traversal.
Very often developers apply Filtration of ../ :
<?php include(str_replace("../", "", $_GET["page"]).".inc"); ?>
../../../etc/passwd --> Filtration --> etc/passwd --> fail 
But such filtration is not enough – it’s not recursive:
..././..././..././etc/passwd --> Filtration --> ../../../etc/passwd --> profit 

24. Secure Validation
Secure Validation – validation of filename for service
symbols
if(preg_match('#[^a-z0-9-_]#i', $page)) {
die("Hacking Attempt!");
}
include("{$page}.inc");
In this sample if we will try to add file with symbols
other than A-Z, a-z, 0-9 and symbol «-» & «_» execution
of PHP-script will be interrupted.

25. So, how to become Security Analyst
Use OWASP Researches
Ask and share Participate in
community
Samurai WTF
talk on Security
Hole 

26. Feedbacks & Questions
Contact Nazar:
skype: root_nt
email: root.nt@gmail.com
Presentation & Files:
http://goo.gl/eHl2u
?
Leave your Feedbacks: Join OWASP Lviv:
http://goo.gl/FW4ar https://www.owasp.org
/index.php/Lviv