
All right, good afternoon everyone, thank you for attending our presentation. If you're looking for the right room, you are looking at "Parsing Differential Problem". Boon Sim will be presenting today, so thank you for attending. I have a couple of quick announcements before we start. One is, of course, we'd like to thank our sponsors who make this possible. Without the help from sponsors such as LastPass and Palo Alto Networks we wouldn't be able to do these, along with other sponsors such as Vincent, Flextrack and even BlueCat. It's their support, along with others who support and donate, including the donors and volunteers who make this event possible with even their time. So thank you for being here and for supporting that.

Just remember, as a courtesy, please keep your cell phones off or in a buzz mode. The entire presentation is being recorded; there is no need and no reason to take pictures of the screen or take video. It's all going to be online, so there's no problem there; it's all being broadcast up to YouTube and will be there for future purposes, so there's no reason for you to have to worry about that. Also, please do keep your masks on and above your nose; it helps keep everybody safe. And one thing we would ask is, if you do have questions towards the end of the talk, please use the microphone in the center of the room. It's not so much for us, we can hear you here; it's because it is being recorded, and that helps us capture the question in the recording so that whoever watches the recording will be able to hear that question as well. So if you have a question towards the end, please come up and use the microphone in the middle of the room.

Also, as a reminder, if for any reason you do take a picture before or afterwards, we do have a policy here at BSides that says you explicitly need permission from anybody who might be in that photo. We're a little sensitive towards capturing photos or images of certain people who would choose to remain more anonymous, and we do try to respect that. So please try not to take any photos where you don't have the explicit permission of anybody who might be captured within that. All right, with that I'd like to go ahead and give a warm welcome to Boon. Boon, go ahead and take it away.
Hi, so good afternoon everyone. Today I'll be talking about the parsing differential problem. If you have heard about this, good; if you have not, then let me take you down memory lane with a bit of storytelling on why we should care about this and how it affects not just what we do in cyber security but software engineers as well, because I myself am currently a software engineer. I'm from Singapore. In the day I'm a software engineer and at night I teach at a local university, so I'm a part-time lecturer teaching cloud systems, and I play for the CTF.SG CTF team, and that's my handle.

The key takeaways for today which I'll be delivering are: what is the parsing differential problem (some of you might not know what it is), how does this affect us, why should we care, and how can we address it throughout the entire ecosystem.

So just imagine this: we have a single system that we built freshly, like "hey, I have a super app idea, let's build something". And we always start with this monolithic architecture: everything is locked into one giant service and then we expose different paths and resources. But as we progress we would think, "hey, the system is getting larger, let's try to implement different subsystems into the ecosystem", and that's how we grow. We don't recreate the thing and break it; eventually we try to add new features or new subsystems into the entire ecosystem. As we grow we might introduce different systems with different languages. So at the very beginning I'm using Django as my primary language, or system, or framework, and then I decide, "hey, I want to be like FAANG, I want to use Go", and then I'm like, "I want to go dangerous, let's use Node.js". So these are some of the different ways of creating things, and part of it is also the motivation to explore the path of least resistance.

I work in a super app company; it's a ride-hailing app similar to Uber in Southeast Asia. What we do is we have a large system that's built in a single language, but new businesses, new technologies and also new features are built using different technologies, because the people they hire to do all this are comfortable with something else. Like, "hey, I'm going to build a car rental system in Node.js", and once that proof of concept is done you realize that we have gotten knee deep into Node.js and we shouldn't be refactoring these things. But the main set of features and services are written in an entirely different language with an entirely different pipeline. So one of the motivations to expand with different languages is to explore the path of least resistance, not just in the scope of technical work but also in business decisions as well.
So what could go wrong if different systems have recurring variables? For instance, system one is written in Go and system two is written in Django. What could go wrong? Let's take a look at some sample code. This is something that could be written. For the top part it's Go: you have a param, you got it from `r.URL.Query().Get`, so this is the reading directly from the `net/http` package, and then this gets the value that's tagged to `foo`. In Django you do the same thing as well; Django's way of doing it is to use `request.GET.get`, and you get the value of that variable. It looks the same, right? If, let's say, I pass it from the first system to the second system, it should be reading the same thing, correct? When in fact it's not. So the first one we read as John and the second one we read as Mayor.

Now, with this in mind, what if my first layer of system is a check, or security check, or some sort of a firewall, and that got through my firewall, and the backend downstream system that is reading the value of the variable is an entirely different framework, and it's reading, for example, an SQL injection payload? So that bypasses the first layer of check and breaks universal logic within the system.

So why does this happen? These two images are from the official package and library documentation. As you can see in the top part of this slide, the Go `http` package defines that using the `Get` function will return you the very first variable; even though you have multiple occurrences, it will return the first one. But in Django it will return the second one. It's a bit funny, because when reading the source code it kind of feels like it's quite messy, but if you take these two together it makes sense. The `get` function from Django implements the `__getitem__`, which takes the last occurring variable in the request parameter. So that is why, when we have this, Go will see it as John and Django will see it as the second variable, which is the SQL injection payload.

So this is what we call the parsing differential problem. This term was first used in the LangSec (language security) approach, where they described this as the different interpretation of messages or data streams by components, which breaks any assumptions that components adhere to a specification. So this is nothing new, and I'll tell you why.
Ten years ago, in The Tangled Web, when Michal Zalewski published the book in 2011, it was mentioned briefly in the second or third chapter, about parsing differentials. Orange has also mentioned this, but in a different form of parsing, the parsing between DNS and also PHP functions, where he talked about HTTP parameter pollution, which stems from the parsing differential problem. And more recently I read a GitLab blog post talking about how a parsing differential can be used to exploit a file write or file read, CVE-2020-6833. So this is nothing new; it's been mentioned briefly in many cases, and in fact there are resources available online.

This table is from PayloadsAllTheThings, if some of you know that repository. I thought that it should be there, so I compiled the information from different sources and made a commit to it, and it's there already and people have been contributing to it. It's good that we know what we are dealing with, because as a software engineer it's quite scary to know that my peers do not know that different systems, sorry, different languages, handle different variables differently. So if, let's say, you look at .NET, Apache and PHP, they handle it way differently from, say, Node.js, or even Go, or Python Flask and Django.

So if you have this type of architecture you should look at this as well, so that you can make sure that your system conforms to what you require it to do.
Unlike URLs and URIs, where we have IETF RFC 3986 telling us how we should parse them, there isn't, to this day, any RFC telling us how we should handle URL variables, especially with multiple occurrences, and this makes it confusing for different frameworks. Because, let's say you're a full stack developer working with different languages, you'll be like, "hey, what's happening?" So most of the time it could be this, and this is just the tip of the iceberg. It can also be observed in the entire body; for example, if you see the HTTP POST body, it can happen. In headers, it can happen. And let's not forget that HTTP headers can be canonicalized or un-canonicalized. Moreover, I was reading some Django documentation yesterday, because I was making the slides: Django would replace the hyphens in your headers with underscores to match their headers into a dictionary. I'm not saying that there's a security impact, but it is an interesting implementation that they are doing this, because if you see different other web packages, they could be matching those by just making it lower case. So that is one example of why we should pay attention to what kind of frameworks we are using.

So I've been talking about all these problems and how they affect us, but what can we do? Of course, number one is to be aware of what we're using and not to assume uniformity across the entire stack. If we have the time and we are committed enough, we can create test coverage that includes such cases, to see if there is any breakage of logic. Or we can just do it at the API gateway level and normalize the variables and pass them down to the downstream services.

Now, today I've talked about the web itself. The parsing differential problem with web technologies is something that has been mentioned and spoken about in small little places for the past decade. What about the cloud? I think this is something that I would like to leave you guys with as a thing to ponder, because this is something I'm still working on: the differentials within cloud systems, how multi-cloud affects us, and how we should be using it correctly. So yeah, thank you. Any questions?
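The following is an added, self-contained example (it is not code from the talk or from the Go or Django projects) that demonstrates two things the speaker describes: the first-versus-last differential on a repeated query parameter, and the API gateway normalisation proposed as a fix. To run offline without Django or a Go toolchain, it emulates the two documented behaviours with `urllib.parse`: Go's `url.Values.Get` returns the first value for a repeated key, and Django's `QueryDict.get` returns the last. The query string, the key `foo`, the naive WAF-style check and the gateway function are all constructed for this example.

```python
"""Parsing differential on repeated query parameters (added example).

Emulates, with plain urllib, two real behaviours:
  * Go net/url: url.Values.Get(key) returns the FIRST value of a repeated key.
  * Django: QueryDict.get(key) returns the LAST value (via __getitem__).
Then shows why a first-layer check using one rule does not protect a backend
using the other, and a gateway normaliser that removes the ambiguity.
"""
from urllib.parse import parse_qsl, urlencode

# Constructed sample: the same raw query string as seen by both systems.
# Second value decodes to: ' OR 1=1--
SAMPLE_QUERY = "foo=John&foo=%27%20OR%201%3D1--"


def parse_multi(query: str) -> dict[str, list[str]]:
    """Return every key with all of its values in order of appearance."""
    values: dict[str, list[str]] = {}
    for key, value in parse_qsl(query, keep_blank_values=True):
        values.setdefault(key, []).append(value)
    return values


def get_go_style(query: str, key: str) -> str:
    """Emulates Go's url.Values.Get: first value, or "" if the key is absent."""
    return parse_multi(query).get(key, [""])[0]


def get_django_style(query: str, key: str, default=None):
    """Emulates Django's QueryDict.get: last value, or default if absent."""
    values = parse_multi(query).get(key)
    return values[-1] if values else default


def looks_like_sqli(value: str) -> bool:
    """Deliberately naive WAF-style check; enough to show the bypass."""
    lowered = value.lower()
    return "'" in value or " or " in lowered or "--" in value


def firewall_allows(query: str) -> bool:
    """Layer 1 (Go-style front end): inspects only the value Go would read."""
    return not looks_like_sqli(get_go_style(query, "foo"))


def backend_value(query: str) -> str:
    """Layer 2 (Django-style backend): the value the application actually uses."""
    return get_django_style(query, "foo", "")


def normalize_query(query: str) -> str:
    """Gateway fix: refuse any repeated key so every downstream parser agrees.

    Rejecting is safer than silently picking first or last, because either
    choice would again differ from some framework further down the chain.
    """
    multi = parse_multi(query)
    dupes = sorted(k for k, v in multi.items() if len(v) > 1)
    if dupes:
        raise ValueError(f"ambiguous repeated parameter(s): {dupes}")
    return urlencode({k: v[0] for k, v in multi.items()})


if __name__ == "__main__":
    print("Go-style read:    ", repr(get_go_style(SAMPLE_QUERY, "foo")))
    print("Django-style read:", repr(get_django_style(SAMPLE_QUERY, "foo")))
    print("Firewall allows?  ", firewall_allows(SAMPLE_QUERY))
    print("Backend receives: ", repr(backend_value(SAMPLE_QUERY)))
    try:
        normalize_query(SAMPLE_QUERY)
    except ValueError as exc:
        print("Gateway rejects:  ", exc)
    print("Gateway forwards: ", normalize_query("foo=John&bar=1"))
```

Run it as a script to see the front end accept the request on the strength of `John` while the backend acts on the injection payload; the gateway variant refuses the request before either parser sees it. The same technique applies to repeated POST body fields and headers, which the talk names as further places the differential appears.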