![Page 1: Finding Needles in Haystacks - DEF CON CON 26/DEF CON 26 workshops...01 Introduction Agenda 02 Code review 03 Lab 1: A PHP Application 04 Lab 2: A Golang Application Lab 3: A Ruby](https://reader035.vdocuments.us/reader035/viewer/2022070910/5fa1a2516d23b20eab2f2414/html5/thumbnails/1.jpg)
Finding Needles in Haystacks
An introduction to code review
Louis Nyffenegger @PentesterLab
Luke Jahnke @BitcoinCTF
Agenda
01 Introduction
02 Code review
03 Lab 1: A PHP Application
04 Lab 2: A Golang Application
05 Lab 3: A Ruby on Rails Application
06 Conclusion
PentesterLab.com / @PentesterLab
About Luke
Security Engineer:
• Pentester/Code Reviewer/Security consultant… at Elttam (https://www.elttam.com.au/)
• Runs one of the hardest web CTFs: BitcoinCTF
BitcoinCTF:
• Challenges must be solved sequentially
• Prize is paid in Bitcoins
• @bitcoinctf on Twitter
About Louis
Security Engineer:
• Pentester/Code Reviewer/Security consultant/Security architect
• Runs a website to help people learn security
PentesterLab:
• Platform to learn web security/penetration testing
• 100% Hands-on
• Available for individuals (free and PRO) and enterprises
Code Review
Why would you want to do code review?
• Can be faster than penetration testing
• Compliance (PCI 6.3.2)
• You’re tired of penetration testing
• You want to find better bugs
• You want to check if some code is back-doored
• You want to write an exploit for a bug
Multiple ways to go about code review
• Grep for bugs
• Follow user input
• Read some random code
• Read all the code
• Check one functionality at a time (login, password reset…)
Grep for Bugs
• Just search for:
• Potential issues
• Dangerous functions
• “FIXME”, “HACK”
• grep and find are your friends:
    $ grep -R 'system\(\$_' *
    $ find . -name \*.php -exec grep -Hn 'exec' {} \;
Grep for Bugs
• Pros:
• Super fast
• Good way to find low hanging fruits
• Cons:
• You end up using very complex regular expressions
• You need to know all the dangerous functions
• Very low coverage
Follow user inputs
• Find all the routes/URI available
• Find all the ways to provide data to the application (example in PHP):
• $_POST / $_GET / $_REQUEST
• $_COOKIE / $_SERVER
• Data coming from the database
• Data read from a file or from a cache
• …
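As an added example (not code from the workshop or from the PentesterLab repositories), the Go program below does what the "Grep for Bugs" and "Follow user inputs" slides describe by hand: it scans PHP source for dangerous sinks, for the input sources listed above ($_GET, $_POST, $_REQUEST, $_COOKIE, $_SERVER) and for "FIXME"/"HACK" markers, and ranks a line highest when a source and a sink appear on it together. The sink list, the SamplePHP snippet and every name in it (ScanSource, ScanDir, Finding, Priority) are constructed for this example.

```go
package main

import (
	"fmt"
	"io/fs"
	"os"
	"path/filepath"
	"regexp"
	"strings"
)

// Finding is one line of PHP source that matched a sink, a source or a marker.
type Finding struct {
	File    string
	Line    int
	Sinks   []string // dangerous functions called on this line
	Sources []string // user-controlled inputs read on this line
	Markers []string // FIXME/HACK style comments on this line
	Text    string
}

// Priority mirrors how a reviewer would triage grep output: a line where user
// input reaches a dangerous function is looked at first.
func (f Finding) Priority() string {
	switch {
	case len(f.Sinks) > 0 && len(f.Sources) > 0:
		return "high"
	case len(f.Sinks) > 0:
		return "sink"
	case len(f.Sources) > 0:
		return "source"
	default:
		return "marker"
	}
}

// Constructed sink list: the "dangerous functions" you would otherwise have to
// remember. The word boundary and the "(" keep "my_system_helper(" from matching.
var sinkRe = regexp.MustCompile(`\b(system|exec|shell_exec|passthru|popen|proc_open|eval|unserialize|include|require|include_once|require_once|file_get_contents|preg_replace)\s*\(`)

// The PHP superglobals through which data enters the application.
var sourceRe = regexp.MustCompile(`\$_(GET|POST|REQUEST|COOKIE|SERVER|FILES)\b`)

// Developer markers that deserve a second look.
var markerRe = regexp.MustCompile(`\b(FIXME|HACK|XXX|TODO)\b`)

// ScanSource greps one file's contents line by line. Like grep, it only sees
// one line at a time: a source read on line 3 and used in a sink on line 4 is
// reported as two separate, lower-priority findings. That is the "very low
// coverage" cost of this approach.
func ScanSource(name, src string) []Finding {
	var out []Finding
	for i, line := range strings.Split(src, "\n") {
		f := Finding{File: name, Line: i + 1, Text: line}
		for _, m := range sinkRe.FindAllStringSubmatch(line, -1) {
			f.Sinks = append(f.Sinks, m[1])
		}
		for _, m := range sourceRe.FindAllStringSubmatch(line, -1) {
			f.Sources = append(f.Sources, "$_"+m[1])
		}
		for _, m := range markerRe.FindAllStringSubmatch(line, -1) {
			f.Markers = append(f.Markers, m[1])
		}
		if len(f.Sinks)+len(f.Sources)+len(f.Markers) > 0 {
			out = append(out, f)
		}
	}
	return out
}

// ScanDir is the "find . -name \*.php -exec grep ..." equivalent over a tree.
func ScanDir(root string) ([]Finding, error) {
	var all []Finding
	err := filepath.WalkDir(root, func(p string, d fs.DirEntry, err error) error {
		if err != nil {
			return err
		}
		if d.IsDir() || !strings.HasSuffix(p, ".php") {
			return nil
		}
		b, err := os.ReadFile(p)
		if err != nil {
			return err
		}
		all = append(all, ScanSource(p, string(b))...)
		return nil
	})
	return all, err
}

// SamplePHP is a constructed snippet used when no directory is given.
const SamplePHP = `<?php
// HACK: quick fix for the demo, clean up later
$file = $_GET['file'];
$data = file_get_contents('/var/app/uploads/' . $file);
system("convert " . $_POST['name'] . " out.png");
echo htmlspecialchars($data);
$cfg = unserialize($cache);
`

func main() {
	findings := ScanSource("sample.php", SamplePHP)
	if len(os.Args) > 1 {
		var err error
		if findings, err = ScanDir(os.Args[1]); err != nil {
			fmt.Fprintln(os.Stderr, err)
			os.Exit(1)
		}
	}
	for _, f := range findings {
		fmt.Printf("%-6s %s:%d sinks=%v sources=%v markers=%v\n",
			f.Priority(), f.File, f.Line, f.Sinks, f.Sources, f.Markers)
	}
}
```

Run it with no arguments to see the sample ranked, or pass a directory to walk a real code base. The same-line limitation is deliberate: it is the point where grepping stops and "follow user inputs" has to take over.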
Follow user inputs
• Pros:
• Good coverage
• Cons:
• Need a good understanding of the framework/language
• You find yourself reading the same code again and again
By functionality
• Pick one functionality:
• “Password reset”
• “Database access”
• “Authentication”
• And review all the code associated with it
By functionality
• Pros:
• Excellent coverage for the functionalities reviewed
• Improve your pentest-FU
• Works especially well across multiple applications
• Cons:
• No coverage for the functionalities that didn’t get reviewed
Read everything
• Just start reading the code one file at a time
• Don’t try to find vulnerabilities, try to find weaknesses
• Keep (really good) notes
Read everything
• Pros:
• Excellent coverage
• Improve your pentest-FU
• Works especially well across multiple applications
• Cons:
• Hard to keep track of everything
• Very time consuming
Top Down vs Bottom up
• Both approaches have pros and cons
• You can mix them as well
• Top down is probably easier for large applications
• Try both :)
What should you look for?
• Everything!
• If you don’t know a function/class/method:
• Google it
• Test the behaviour
• It’s going to take time (especially at the beginning):
• The more code you review, the easier it gets
Testing a function’s behaviour
• Just copy the snippet you are reviewing
• Run it (Locally/Docker/VM): https://medium.com/@PentesterLab/use-docker-for-your-pentesting-labs-879fe9feeca8
• Try to find some edge cases
• Save this example for the next time you see this function
• For PHP, you can use ‘php -a’
What should you look for?
• Weird behaviour
• Differences between 2 functions/methods/classes
• Security checks already in place
• Comparison and conditions (if/else)
• Complexity
• Regular expressions/string matching
• What is missing?
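An added example (not from the workshop material) of "test the behaviour" and "differences between 2 functions" together: a table-driven probe that feeds constructed edge cases through strings.TrimLeft and strings.TrimPrefix, two Go standard-library functions that look interchangeable in a quick read but are not, and records every input on which they disagree. The names Probe, RunProbes, Disagreements and EdgeCases are chosen for this example; the idea is to keep such a table as the note for the next time you meet the function.

```go
package main

import (
	"fmt"
	"strings"
)

// Probe records what each of the two functions returned for one input.
type Probe struct {
	In         string
	TrimLeft   string
	TrimPrefix string
}

// Differs is true when the two functions disagree on this input.
func (p Probe) Differs() bool { return p.TrimLeft != p.TrimPrefix }

// RunProbes calls both functions with the same second argument on every input.
// TrimPrefix removes the string once, at the start. TrimLeft treats the argument
// as a set of characters and keeps stripping while the next character is in it.
func RunProbes(arg string, inputs []string) []Probe {
	out := make([]Probe, 0, len(inputs))
	for _, in := range inputs {
		out = append(out, Probe{
			In:         in,
			TrimLeft:   strings.TrimLeft(in, arg),
			TrimPrefix: strings.TrimPrefix(in, arg),
		})
	}
	return out
}

// Disagreements keeps only the edge cases worth saving in your notes.
func Disagreements(ps []Probe) []Probe {
	var out []Probe
	for _, p := range ps {
		if p.Differs() {
			out = append(out, p)
		}
	}
	return out
}

// EdgeCases is a constructed input set: the obvious case, the empty string,
// inputs that merely share characters with the argument, an input made only of
// those characters, and a repeated prefix.
var EdgeCases = []string{"admin_user", "", "nadir", "user_admin", "mind_admin", "admin_", "admin_admin_x"}

func main() {
	for _, p := range RunProbes("admin_", EdgeCases) {
		mark := " "
		if p.Differs() {
			mark = "!"
		}
		fmt.Printf("%s %-14q TrimLeft=%-14q TrimPrefix=%q\n", mark, p.In, p.TrimLeft, p.TrimPrefix)
	}
}
```

Three of the seven inputs disagree: "nadir" becomes "r", "mind_admin" becomes the empty string and "admin_admin_x" becomes "x" under TrimLeft, while TrimPrefix leaves the first two alone and returns "admin_x" for the third. A check written with the wrong one of the two accepts or rejects inputs its author never considered.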
What now?
• Three applications riddled with bugs:
• Simple PHP application
• Very simple Golang application
• More complex Ruby application
• The goal is to start on your own to try to find potential issues and work from them
What now?
• No silly questions (we are all here to learn)
• Work in a team if you want/like
• Don’t get stuck: if you cannot understand something:
• Google the function/method/…
• Ask us
• Or move to the next line of code
What now?
• 3 stages:
• You search on your own with no help
• We give you the list of bugs
• We do a walkthrough
• Today’s goal is to make you confident you can review code and find cool bugs
Lab 1: PHP Application
The application
Dropbox on a budget written in PHP
The application allows users to:
• Store a file
• Retrieve a file
The application
• Get the code:
• git clone https://github.com/PentesterLab/cr/
• wget https://github.com/PentesterLab/cr/archive/master.zip
• Very simple application with a dozen security issues
List of weaknesses
๏ Hardcoded credentials
๏ Information leak
๏ Weak password hashing mechanism
๏ Cross-Site Scripting
๏ No CSRF protection
List of weaknesses
๏ Crypto issue
๏ Signature bypass
๏ Authentication bypass
๏ Authorisation bypass
๏ Remote Code Execution
๏ …
Lab 2: Golang Application
The application
A simple multi-factor authentication
Two main API functions:
• Generate code and send code via SMS
• Verify code
The application
• Get the code:
• git clone https://github.com/PentesterLab/cr-go/
• wget https://github.com/PentesterLab/cr-go/archive/master.zip
• Very simple application with a dozen security issues
List of weaknesses
๏ Weak Random Generator
๏ Random Generator seeded based on current time
๏ Information Leak via JWT
๏ Using unverified JWT token
๏ No expiry on JWT token
List of weaknesses
๏ Information Leak via /_status endpoint
๏ Time Constant comparison of the one-time code
๏ Weak CORS policy
๏ No limit on the number of attempts
๏ No limit on the number of attempts due to signed sessions
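To make some of the items on this list concrete, here is an added Go example (not code from the cr-go repository) that puts the weak pattern next to the corrected one for four of them: a math/rand generator seeded from the clock versus crypto/rand, a plain == on the one-time code versus subtle.ConstantTimeCompare, and an attempt counter kept on the server rather than in a client-held session. WeakCode, StrongCode, EqualConstantTime, Verifier and MaxAttempts are names chosen for this example, and the seed passed to WeakCode stands in for time.Now().Unix().

```go
package main

import (
	"crypto/rand"
	"crypto/subtle"
	"errors"
	"fmt"
	"math/big"
	mrand "math/rand"
	"time"
)

// WeakCode reproduces the "math/rand seeded with the current time" pattern.
// math/rand is a deterministic generator: the same seed always yields the same
// code, so the secrecy of the code is only as good as the secrecy of the seed,
// and a Unix timestamp is not a secret.
func WeakCode(seed int64) string {
	r := mrand.New(mrand.NewSource(seed))
	return fmt.Sprintf("%06d", r.Intn(1000000))
}

// StrongCode draws the code from the OS CSPRNG through crypto/rand. There is
// no seed to know and no sequence to continue.
func StrongCode() (string, error) {
	n, err := rand.Int(rand.Reader, big.NewInt(1000000))
	if err != nil {
		return "", err
	}
	return fmt.Sprintf("%06d", n.Int64()), nil
}

// EqualConstantTime compares two codes in time that does not depend on where
// they first differ. A plain a == b stops at the first mismatching byte.
func EqualConstantTime(a, b string) bool {
	return subtle.ConstantTimeCompare([]byte(a), []byte(b)) == 1
}

// MaxAttempts bounds guessing of a 6-digit code.
const MaxAttempts = 5

var (
	ErrLocked  = errors.New("too many attempts")
	ErrBadCode = errors.New("invalid code")
)

// Verifier keeps the issued codes and the attempt counters on the server.
// Keeping the counter in a signed session cookie is not enough: the signature
// proves the server wrote the value, not that it is the latest one, so a client
// can keep presenting the cookie from before its attempts were used up.
type Verifier struct {
	codes    map[string]string
	attempts map[string]int
}

func NewVerifier() *Verifier {
	return &Verifier{codes: map[string]string{}, attempts: map[string]int{}}
}

// Issue stores a fresh code for the user and resets the counter.
func (v *Verifier) Issue(user, code string) {
	v.codes[user] = code
	v.attempts[user] = 0
}

// Verify consumes one attempt, compares in constant time, and invalidates the
// code on success so it cannot be replayed.
func (v *Verifier) Verify(user, code string) error {
	if v.attempts[user] >= MaxAttempts {
		return ErrLocked
	}
	v.attempts[user]++
	expected, ok := v.codes[user]
	if !ok || !EqualConstantTime(expected, code) {
		return ErrBadCode
	}
	delete(v.codes, user)
	return nil
}

func main() {
	seed := time.Now().Unix()
	fmt.Println("weak, same seed twice:", WeakCode(seed), WeakCode(seed))
	c, _ := StrongCode()
	fmt.Println("strong:", c)

	v := NewVerifier()
	v.Issue("alice", c)
	for i := 0; i <= MaxAttempts; i++ {
		fmt.Println("guess", i+1, "->", v.Verify("alice", "000000"))
	}
}
```

Running main prints the same weak code twice for one seed, then five "invalid code" results followed by "too many attempts", which is the behaviour a reviewer should expect to see in the verification handler and should note as missing when it is not there.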
Lab 3: Ruby-on-Rails application
Ruby-on-Rails - Introduction
Commonly used web framework:
• Used a lot by startups (especially in early stage)
• Used by Github/Shopify/Gitlab/…
• A lot of very interesting vulnerabilities
Barrier to entry:
• You need to understand the framework to get efficient at finding issues
Ruby-on-Rails - MVC
Source: http://blog.ifuturz.com/ruby-on-rails/ruby-on-rails-mvc-learn-with-fun.html
Ruby-on-Rails - MVC
Source: http://blog.ifuturz.com/ruby-on-rails/ruby-on-rails-mvc-learn-with-fun.html
Diagram labels (image not included): URL mapping; (HTML) rendering; business logic, authorisation/authentication; database mapping
Ruby-on-Rails - Code Structure
    /
    /config/routes.rb
    /app/controllers/
    /app/views/
    /app/models/
Ruby-on-Rails - Code Structure
    /app/models/test.rb
    /app/controllers/tests_controller.rb
    /app/views/tests/index.html.erb
    /app/views/tests/show.html.erb
    /app/views/tests/show.json.jbuilder
    /app/views/tests/…
Ruby-on-Rails - example of routes.rb
    Rails.application.routes.draw do
      resources :users
      get 'register' => 'users#register', as: 'register'
      post 'register' => 'users#post_register', as: 'post_register'
      […]
    end
See: http://guides.rubyonrails.org/routing.html
Ruby-on-Rails - example of a model
    class Todo < ApplicationRecord
      belongs_to :user
    end
Ruby-on-Rails - database structure
    ActiveRecord::Schema.define(version: 2018_07_12_063817) do
      create_table "todos", options: "ENGINE=InnoDB DEFAULT CHARSET=utf8", force: :cascade do |t|
        t.string "title"
        t.string "data"
        t.bigint "user_id"
        t.datetime "created_at", null: false
        t.datetime "updated_at", null: false
        t.index ["user_id"], name: "index_todos_on_user_id"
      end
    end
Ruby-on-Rails - Example of a controller
    class ApplicationController < ActionController::Base
      # GET /todos/1
      # GET /todos/1.json
      def show
      end

      # GET /todos/new
      def new
        @todo = Todo.new
      end
      […]
    end
Ruby-on-Rails - ApplicationController
    class ApplicationController < ActionController::Base
      before_action :myfunction
      […]
      def myfunction
      end
    end
Ruby-on-Rails - example of a view
    <div class="container">
      <p id="notice"><%= notice %></p>
      <h1>Todos</h1>
      <table class="table">
        <tbody>
          <% @todos.each do |todo| %>
            <tr>
              <td><%= todo.title %></td>
              <td><%= todo.data %></td>
            </tr>
          <% end %>
        </tbody>
      </table>
    </div>
Ruby-on-Rails - Filters
before_action (formerly before_filter):
• Happens before an action takes place
• Great to enforce permissions or authentication
after_action (formerly after_filter):
• Happens after an action takes place
• Rarely used (sometimes for logging or queuing data)
Ruby-on-Rails - Filters
You can also disable a before_action (example):
    skip_before_action :verify_authenticity_token, :only => [:my_csrfable_function]
Ruby-on-Rails - configurations
Database configuration in /config/database.yml
By default sessions are signed. The secret is stored in config/initializers/secret_token.rb
Rails 5.2 introduces encrypted credentials
Ruby-on-Rails - Scaffolding
Rails allows developers to generate a lot of code automatically using scaffolding (views/model/controller):
$ rails generate scaffold test name:string order:integer
Ruby-on-Rails - Scaffolding
Scaffolding generates a lot of code that can potentially have security impacts:
• Information leak via HTML/JSON mapping
• Unnecessary actions
• Unauthenticated actions
Ruby-on-Rails - Brakeman
A static analysis tool (SAST) for Ruby on Rails applications: https://brakemanscanner.org/
Amazing coverage for low hanging fruits and code hygiene
Ruby-on-Rails - Getting started
• Start with the db/schema.rb file to get an idea of the data/application
• Check the config/routes.rb to see what methods are available
• Focus on the controllers for this review
• Look at the models & views as well
The application
• Get the code:
• git clone https://github.com/PentesterLab/cr-rails/
• wget https://github.com/PentesterLab/cr-rails/archive/master.zip
• Very simple application with a dozen security issues
List of weaknesses
๏ Hardcoded and trivial credentials
๏ Using high-privilege account to connect to the database
๏ Password leak
๏ Weak algorithm used for password storage
๏ CSRF to disable MFA
๏ Insecure connection to MFA backend
List of weaknesses
๏ Mass-Assignment on users to become admin
๏ No unique constraint on email
๏ Authentication bypass
๏ Host injection in the link for the password reset
๏ Password reset bypass
Conclusion
Recommendations
๏ Keep reviewing code:
  ๏ Even just to understand it
  ๏ (Hacking) tools you use every day?
๏ A few hundred lines a day keeps boredom away
๏ The more you do, the easier it gets
Conclusion
• Code review is fun and simple :)
• Keep practicing
• Make sure you check out:
  • PentesterLab and PentesterLab PRO
  • BitcoinCTF