detectify
SECURITY FOR DEVELOPERS
Knowledge Advisor, @detectify ( @fransrosen )
Blogging at labs.detectify.com
HackerOne #1 https://hackerone.com/thanks
Hacked a bunch of companies:
etc…
Frans Rosén #cyber
Our dear friend PHP #uraqt<3
Our dear friend PHP? #ohnoez
PHP 5.2 #onceuponatime
echo round(2047.075, 2); //2047.08
echo round(2048.075, 2); //2048.07
BCMath to the rescue, or…
…do MADNESS #yiiihaaa!
String Comparison #tomatotomáto
= aka "is"
== aka "kind of is"
=== aka "really really is"
String Comparison #tomatotomáto
String Comparison #tomatotomáto
Thx: @homakov
URL validation in PHP/Java #left-right-left
URL validation in browser #right-left-right
Remember the AT&T Hack? #jailfail
…or how about the Apple Developer site
incident? #down4maint
IDOR: Insecure Direct Object Reference
Exposing data without proper access control.
How bad is it? #owasp-no4
Eye-ball the URL #whatsup?
Eye-ball the URL #whatsup?
Ouch.
Update a user #totallylegit
Update a user #totallylegit
Ouch.
Business Impact #obvious
• Keys, Passwords
• Credit Card Data
• User Information / Email
• Invoices / Billing Data
Business Impact #notsoobvious
Numeric IDs for Order Receipts
“Not found” vs “No access”
Poll every day, you get analytics!
$$$
Business Impact #evenworse
Change Delivery Address of an order.
Deleting another user’s information.
Reclaiming other users’ data. Gift Certificates anyone?
Are you fully protected?
Why so few? #ohnoez
1. No secure access model.
“User X should only have access to A”

“User X that has access to A should only have access to B”
and so on…
Why so few? #ohnoez
2. Numeric IDs.
Enumerable/Sequential. Decrease the value by 1 and try.
Easy to test. Easy to attack.
Do hashes instead! (Don’t just hash the numbers…)
Why so few? #ohnoez
3. Error messages show and tell.
“User X cannot view object owned by User Y”
“No access to this object”
vs
“Object does not exist”
Why so few? #ohnoez
4. Inconsistent ID sources.
/receipt/view/434
/receipt/?view=434
POST /receipt/view/ HTTP/1.1
receipt=434
Why so few? #ohnoez
5. Lack of proper code review.
How to automate this?
Example – Twitter #bringpopcorn
Found by secgeek (Ahmed Aboul-Ela)
https://hackerone.com/reports/27404
Credit Card deletion from other users.
Sequential IDs when deleting cards.
Bounty $2,800
Example – Square
Update other users / Get user info
ID as hashes, but visible using Google.
No check if user was in another company.
Bounty $3,000
https://hackerone.com/reports/23126
Example – Zapier
Get log-history from other user’s Zaps.
Contained sensitive information such as
OAuth tokens / Credentials,
No access control for log entries.
Bounty $3,000
https://zapier.com/engineering/bug-bounty-program/
Example – WordPress
Get all users on a WordPress site.
blog.com/?author=1
WONTFIX by WordPress
http://hackertarget.com/wordpress-user-enumeration/
Doing it right. #hellyeh
1. User ID in Session or Token
/user/view/me
/user/transactions
Doing it right. #hellyeh
2. Access model in routes or controllers.
Stick to it! Easy to miss.
Doing it right. #hellyeh
3. Code review. Don’t miss this.
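Added example, not code from the deck or from Detectify: the enumerable-id lookup from point 4 of "Why so few?" next to the pattern of points 1 and 2 above (owner from the session, one shared access check, a single "does not exist" answer). The receipt store, the session layout and the function names are assumptions for illustration.

```php
<?php
declare(strict_types=1);

// Constructed sample data: receipt id => owner's user id.
const RECEIPTS = [434 => 7, 435 => 9];

// Vulnerable: trusts the id from /receipt/view/434 and never asks whether
// the caller owns it. Any logged-in user can walk 433, 432, ... and read them all.
function viewReceiptVulnerable(int $receiptId): string {
    if (!isset(RECEIPTS[$receiptId])) {
        return '404 Object does not exist';
    }
    return 'receipt ' . $receiptId . ' (owner ' . RECEIPTS[$receiptId] . ')';
}

// Point 1: the user id comes from the session, never from the request.
function currentUserId(): int {
    // Assumption: the app stores the authenticated user's id under 'user_id'.
    return (int) ($_SESSION['user_id'] ?? 0);
}

// Point 2: one access-model helper that every route and controller calls,
// instead of an ad-hoc check (or none) per endpoint. Strict === as recommended
// in the string-comparison slides, so no loose-comparison surprises.
function canAccessReceipt(int $userId, int $receiptId): bool {
    return $userId > 0
        && isset(RECEIPTS[$receiptId])
        && RECEIPTS[$receiptId] === $userId;
}

// Fixed: "not found" and "not yours" produce the same response, so the
// error message no longer tells an attacker which ids exist (point 3).
function viewReceiptFixed(int $receiptId): string {
    if (!canAccessReceipt(currentUserId(), $receiptId)) {
        return '404 Object does not exist';
    }
    return 'receipt ' . $receiptId;
}

// Constructed session: we are user 7, who owns receipt 434 but not 435.
$_SESSION = ['user_id' => 7];
echo viewReceiptVulnerable(435), "\n";
echo viewReceiptFixed(435), "\n";
echo viewReceiptFixed(434), "\n";
```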
Quick repetition #eatsleepraverepeat
1. Careful with string comparison

2. IDORs are bad. Easy to exploit. Easy to find.

Exploited as we speak – worth $$$
3. Numeric IDs vs Hashes

4. Generic access model
5. Review your code!
THAT’S ALL FOLKS!
Questions?
by Frans Rosén (@fransrosen)
www.detectify.com
Using logic flaws to steal data and how PHP can stab you in the back – Frans Rosén @ detectify