
Removing Damn Vulnerable Code by Dan Conn

BSides Lancashire · 15:37 · 83 views · Published 2023-04

About this talk
Dan Conn likes to sit at the point between cyber security and development. Over the past 10 years he has worked as a developer in small startups, large corporates and many in between, catering for clients in both the public and private sector, from SME size to enterprise. He has also had a strong interest in cybersecurity for just as long, culminating in a postgraduate certificate in Advanced Security and Digital Forensics. Dan is now a Developer Advocate for Sonatype, where he has recently helped the Argo CD team with threat modelling their project. When not coding, hacking, or talking about these things… you can find Dan running, skateboarding, DJing or making music! Dan is a member of BCS, ACM and OWASP. @danjconn

Some coding is just damn vulnerable! All languages suffer from it and Java is no exception. The Open Worldwide Application Security Project (OWASP) has been helping developers write secure code for nearly 20 years across a plethora of languages and initiatives, such as the OWASP Top 10, which highlights the 10 most prevalent security issues found in web applications at that time. The OWASP Damn Vulnerable Website has been a great tool to learn about vulnerabilities in general, while the OWASP Vulnerable App for Java is equally useful. This talk will introduce secure coding practices in relation to the OWASP Top 10, using vulnerabilities found in the OWASP Vulnerable App as examples. Due to its extensibility, we will also show that the Vulnerable App can be used to practise newer threats much more easily, improving developer application security education.
Transcript [en]

um if you don't know my name's Dan Conn how much better for application of words as developer for quite a few years um um yeah I've been interested in cyber security for actually quite a while um carbonating now I've never been on Celebrity Love Island that's another Dan Conn I mean it might a little bit different but you know he's uh he's much better at recent so what is damn vulnerable code well it's probably where we've made a mistake we'll do it um there are so many mistakes that probably you make day in day out and that's fine you know that's what we need to do we need to do that to make progress well how do we remove it well

it was my first chance of a web application written by us and they um what they uh essentially build is these small applications to potentially make life better so this originally was a PHP application that um that basically was meant to be used as an intentionally uh vulnerable one, fire it up and you'd be able to play around see all sorts and I've kind of gone there's a whole plethora of them now which is the OWASP Vulnerable Web Applications Directory they've kind of removed the damn bit I don't know why I prefer it but um essentially there's a whole load of these things and the ability is for cyber security researchers for web developers for anyone that really wants to eat probably

these down find them up and actually see what what things can do without going to jail as people don't like it when you actually do it on their own systems permissions unfortunately what unfortunately um there's many of them I've asked WebGoat in particular um is one written by a guy called Bruce Mayhew he actually works at Sonatype um he's basically he very richly built this he was the chair of the project for quite some time um and yeah it's in particular the focus there is Java applications so there are yeah there are different languages they all have their own kind of small affordable you know PHP in particular um that's about prep Java equally has some very bad horrible

code that you can produce um there's a newcomer uh the OWASP Vulnerable App and what I quite like about this one is uh it's written by SasanLabs um and it's an incubation project at the moment what I quite like about this one is that it's actually extensible so a lot of um damn vulnerable websites they are you know you have a limit to what you can do with them because they're pre-built with certain types of attack and if you've you know you you complete all those attacks then you can't really go much further with them this one actually allows you to add your own exploits um meaning that you can you know it's infinite but you know

Tyson so what exploits can you get we're going to kind of focus mainly on the Java workbook except for the first one but we're going to do it through the medium of memes so that's truthiness some languages can't handle the truth and what this essentially means is when you are creating a better code you'll have like a equals one so let's say maybe you're creating an authorization program you go when this is one that means you've got admin rights in a simple way it's hopefully a little bit more complex than that is then certain languages like PHP will allow um certain values that also mean one so in fact anything that isn't zero is considered true when you when you put

the two together so PHP is a language that can't handle truth Java funny enough doesn't have this problem because you're strongly typed when you say I want an integer or I want a boolean that's what you get everybody's disco SQL injection now we all like cheese we might be searching cheese and then trying to see what do we get back if we do an or one equals one attack you know normally that will give you a lot of things unless somebody's actually using parameterized queries like they should be what an error-based SQL injection this app goes is if it doesn't find something it might have tried to establish that there's not a table that it's looking

for whether it's doing a select query so it'll give you information based on what you search for so essentially you can you know normally you'll do this in the text area box as opposed to a Google search but there's no meaning for that so that's what use this one so what we have here is you know we've tried to look for cheese and then it's thought oh there's a table which is we're expecting in this query what you're probably doing in reality is go select * from a table name that you just get users um from somewhere you'd probably hope that the where clause doesn't get activated so probably don't add one yourself but the idea is that you're

probably going to guess there's a where clause somewhere you're going to add this OR 1 = 1 with a little comment on the end to basically what essentially what that comment does it's multi-line formula it kills the rest of the query so if I had any special stipulations after that hopefully they get dropped and then you get back all your users in this case it hasn't worked because it's expecting users from the cheese query but then it will tell you oh well I actually know there's no table there crosses up the list yeah try and find maybe another one sometimes it might even tell you the table it is actually looking for as well so then you know

well that's definitely a table thank you very much let's carry on certainly have blind SQL injection um and that's you know it's essentially the same thing just without errors so you're you're trying to guess you're still using the same SQL injections um it might be a little bit more complex than normal because well I would be worried if you suddenly tried these on some websites that you've got information about you probably shouldn't get information back on that one um well those you know sometimes you can get caught out with you know replacing that for hex values that's quite a common way around it um essentially a blind SQL injection is that you're pulling this information

through your testing you don't know anything about the underlying system the actual website isn't giving you anything about the underlying system but it is giving you the information back so you can then after pivoting a few times reduce what the information is you're getting unrestricted file upload attack so um so this is actually one that's quite close to my heart um mainly because when I first yes of cyber security was have having to deal with the aftermath of one of these attacks um in our particular case it was about 10 years ago it was a website that wanted to like cut images really nicely using a really nice plug-in helpful one called TimThumb what we didn't know was that TimThumb

wouldn't just accept images it would actually accept anything so and the way it opened an image was that it would say exec this thing why are you an open image like that I have no idea right it's a bit stuffed but that's what they did and it was maybe you know they were being very helpful in resizing images that's their focus their focus wasn't really on making good PHP but PHP isn't the only language that does this either it's um yeah um PHP isn't the only language that I society that you've got um Java you've got like every language it's not really a language based thing it's it's more a please restrict all these files unless

you actually want the one you want um so yeah it's it's actually quite common you can still find you know people that haven't really thought about this problem frameworks help if they're dealing with your inputs because they hopefully have thought around these things but I say if you're using plugins and they are open source properly check the code before you put it in your system and make sure that it's only accepting the things you want so now we have server-side request forgery which is a little bit similar right so this is it's it's similar in the case it's not the same as as um they're taking a file and accepting everything but it is allowing the

website to go beyond what it should be doing in this domain so in particular really common one is let's add a load of slashes yeah we know that the file protocol was accepted and that's a load add a load of slashes because we think it's on a nix based system and then we'll put /etc/passwd and hopefully get a load of passwords again this shouldn't work you know you should have like really good access controls you know not 777 or anything so you'll do that [Music]

okay so how are these things better so there's actually a lot of things that we can do better that don't involve anything other than a little bit of common sense the one bit of research and there's something about this uh in the construction that you OpenSSF was uh they've got a lot of data for example on how different packages are used and what we found was what makes quite a bit good athletes remaining Central and see you know we've basically run it through uh an artificial intelligence system and see if is there any common commonality between good things and what we essentially found was the best thing you could do is code review so um

simple right and you'd be surprised how many people don't actually do code reviews or they review them themselves and they think that that's a good thing it happens you know and sometimes it's not necessarily that they want to do that it's normally they're just a very small team you know if you're the dev and this is happening on the security guy and you know it was going to review your code um but that having just one other person give it a once over allow them to push and protect your branches as well don't have you know it's a bit uncommon these days when you have various uh all right let's you know push it out yeah continuous deployment any

branch can go to master that's what we want well actually the whole process of choosing one branch and hitting that protecting that and ensuring that code reviews go into that one branch improves uh the quality of the software made the other thing is heading dependencies and don't include in your own your binary using your source code so as much as you can kind of avoid that through build management tools actually helps a lot um so yeah even if you get everything right um the report that we did kind of said that six out of seven vulnerabilities in open source projects are basically transitive dependencies as well so even if you do everything right you use all the

you know use the web applications you remove all your secure code you're probably still screwed so never mind or you can basically help the tools so all code is damn vulnerable um embrace using get getting developers to play with actually these tools because actually that's where it gives a lot of understanding is if you are not new cyber security if you're new to cyber security you have no knowledge of it you might have in a situation I was where the senior devs didn't really know about school okay either so we were kind of I went on a learning experience for a few years learning about these but the the two main tools that helped me work

yeah WebGoat, Vulnerable App and the Damn Vulnerable Web App the original PHP one and I think these you know allowing developers to basically play around and see what they can do with it and understand why this is a bad attack why you should probably throw into queries why you shouldn't you know get access control correct and stuff like this will will basically help them understand as well and it might be for yourself yeah you need Social Security sales um all languages are susceptible to attack it's not just the ones that we think about like Viola um it's just you know either we know about them and we're very well aware of the attacks or we you know find them so

that's just what happens um and Source can help things that you might miss you know it's good to kind of have a good layer of that and yeah security is for everyone it's still something that I maintain and I think everyone in this room should say um the more that we can actually get people involved in it at a lower level was much better thanks for listening [Music] [Applause]
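The "cheese search" the talk walks through (a term dropped straight into a query, then the `OR 1 = 1` with a trailing comment) against the parameterized query the talk says people should be using, as an added Java example that is not code from the talk or from the OWASP Vulnerable App. The table name `products`, the column `name`, the class name and the `jdbc:h2:mem:demo` connection string are assumptions; the `main` assumes the H2 driver is on the classpath, but the two search methods work with any JDBC `Connection`.

```java
import java.sql.Connection;
import java.sql.DriverManager;
import java.sql.PreparedStatement;
import java.sql.ResultSet;
import java.sql.SQLException;
import java.sql.Statement;
import java.util.ArrayList;
import java.util.List;

public class CheeseSearch {

    // Vulnerable: the search term is concatenated into the SQL text, so a term
    // such as  ' OR 1=1 --  rewrites the WHERE clause and the comment marker
    // discards whatever stipulations followed it (the "crosses up the list" case).
    static List<String> searchVulnerable(Connection conn, String term) throws SQLException {
        String sql = "SELECT name FROM products WHERE name = '" + term + "'";
        List<String> names = new ArrayList<>();
        try (Statement st = conn.createStatement();
             ResultSet rs = st.executeQuery(sql)) {
            while (rs.next()) {
                names.add(rs.getString(1));
            }
        }
        return names;
    }

    // Hardened: a parameterized query. The driver binds the term as a value, so
    // quotes and comment markers inside it are data, never part of the SQL.
    static List<String> searchSafe(Connection conn, String term) throws SQLException {
        String sql = "SELECT name FROM products WHERE name = ?";
        List<String> names = new ArrayList<>();
        try (PreparedStatement ps = conn.prepareStatement(sql)) {
            ps.setString(1, term);
            try (ResultSet rs = ps.executeQuery()) {
                while (rs.next()) {
                    names.add(rs.getString(1));
                }
            }
        }
        return names;
    }

    public static void main(String[] args) throws SQLException {
        // Assumed: H2 driver on the classpath; an in-memory schema constructed for the demo.
        try (Connection conn = DriverManager.getConnection("jdbc:h2:mem:demo")) {
            try (Statement st = conn.createStatement()) {
                st.execute("CREATE TABLE products (name VARCHAR(50))");
                st.execute("INSERT INTO products VALUES ('cheddar'), ('brie'), ('stock-item')");
            }
            String term = "' OR 1=1 --";   // the input the talk describes
            System.out.println("concatenated query returns: " + searchVulnerable(conn, term));
            System.out.println("parameterized query returns: " + searchSafe(conn, term));
        }
    }
}
```

With the constructed schema the concatenated version returns every row, because the WHERE clause has become `name = '' OR 1=1`, while the parameterized version returns an empty list, because no product is literally named `' OR 1=1 --`. The error-based variant the talk mentions is the same defect seen from the other side: when the concatenated text fails to parse, the database error message reveals structure, whereas a bound parameter can never change the statement's shape.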

um we're a common question looking for the original the DVWA about four months ago and the site appears to now be selling Juvia's nutritionists be careful and if you look on the Wayback it seems to have changed about July yeah so if you look at an older version on there it still shows a bit you wouldn't expect now whether they're going to exactly need to be a new terminal no at the website advantages I mean it's a good sideline right one thing yeah so the Damn Vulnerable website the original one it can be accessed directly by a URL what I would say is go to the OWASP um directory and actually get the links from there because they will be what

they should be what the OWASP directories tend to link to is actually the GitHubs or their own internal page so there you know that it's not yeah yeah yeah yeah yeah yeah definitely yeah well I guess it's uh URLs are not always experiment that's what they'd like to do yeah have you got any tips for anything other interesting students school yeah I mean so I don't want to touch it too much because there is a really good talk about this coming up about security tankers but um that is a great way you basically engage with them um I think my I've worked in some places where you have a really high level of engagement you also have somewhere where

some developers just don't care and I think I don't think that either is actually an accurate depiction of what the real landscape's moment is it's actually quite wide-ranging if people are interested in that are interested in it and I think that's I find like some way sometimes things that haven't worked as well it's like you must do that because people will just switch off yeah no one likes to really be told what to do you can kind of push them along the journey but it's much better but hopefully there's all loads come up with that so yeah please and as they say that's lunch [Applause]
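The talk's unrestricted file upload point is "please restrict all these files unless you actually want the one you want", and its TimThumb story is a resizer that accepted anything with an image extension. An allowlist check of the kind a Java upload handler could apply, as an added example that is not code from the talk, from TimThumb or from the OWASP Vulnerable App: the class name, the accepted types and the sample inputs are assumptions, and the file signatures are the standard PNG, JPEG and GIF magic bytes.

```java
import java.nio.charset.StandardCharsets;
import java.util.Arrays;
import java.util.Locale;
import java.util.Map;

public class UploadValidator {

    // Allowlist: an upload is accepted only if its extension is one of these AND
    // the content starts with the matching signature. Anything else is rejected,
    // whatever the client claims the file is.
    private static final Map<String, byte[]> SIGNATURES = Map.of(
        "png", new byte[] {(byte) 0x89, 'P', 'N', 'G', 0x0D, 0x0A, 0x1A, 0x0A},
        "jpg", new byte[] {(byte) 0xFF, (byte) 0xD8, (byte) 0xFF},
        "gif", new byte[] {'G', 'I', 'F', '8'}
    );

    // Reject anything that could steer the stored file outside the upload directory.
    static boolean isSafeFilename(String clientFilename) {
        if (clientFilename == null || clientFilename.isEmpty()) {
            return false;
        }
        return !clientFilename.contains("/")
            && !clientFilename.contains("\\")
            && !clientFilename.contains("..")
            && clientFilename.indexOf('\0') < 0;
    }

    // Lower-cased extension after the last dot, or null if there is none.
    static String extensionOf(String name) {
        int dot = name.lastIndexOf('.');
        if (dot <= 0 || dot == name.length() - 1) {
            return null;
        }
        return name.substring(dot + 1).toLowerCase(Locale.ROOT);
    }

    static boolean startsWith(byte[] content, byte[] signature) {
        return content.length >= signature.length
            && Arrays.equals(Arrays.copyOf(content, signature.length), signature);
    }

    // The single decision the upload handler needs: name is safe, type is allowlisted,
    // and the bytes really are that type.
    static boolean isAllowedUpload(String clientFilename, byte[] content) {
        if (!isSafeFilename(clientFilename)) {
            return false;
        }
        String ext = extensionOf(clientFilename);
        byte[] signature = ext == null ? null : SIGNATURES.get(ext);
        if (signature == null) {
            return false;   // not on the allowlist
        }
        return startsWith(content, signature);
    }

    public static void main(String[] args) {
        // Constructed sample inputs: a minimal PNG header and a script dressed up as a PNG.
        byte[] pngHeader = {(byte) 0x89, 'P', 'N', 'G', 0x0D, 0x0A, 0x1A, 0x0A, 0, 0, 0, 13};
        byte[] script = "<?php echo 'hello'; ?>".getBytes(StandardCharsets.US_ASCII);

        System.out.println("photo.png, PNG bytes:        " + isAllowedUpload("photo.png", pngHeader));   // true
        System.out.println("photo.php, PHP bytes:        " + isAllowedUpload("photo.php", script));      // false: not allowlisted
        System.out.println("photo.png, PHP bytes:        " + isAllowedUpload("photo.png", script));      // false: wrong signature
        System.out.println("../photo.png, PNG bytes:     " + isAllowedUpload("../photo.png", pngHeader)); // false: traversal
    }
}
```

The second and third cases are the ones the talk's story turns on: the extension alone is not evidence, and the content alone is not evidence, so both are checked against a short allowlist rather than against a list of things to block. A server that also stores uploads under a generated name and serves them from a location that never executes scripts closes the remaining gap the talk describes, where the resizer passed the file straight to an exec.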