Part 2 Explanations



Time: 9 hours 31 minutes
Difficulty: Intermediate
Video Description

This lesson begins with the following definition: the Risky Resource Management category identifies weaknesses related to improper handling of system resources by software, where such handling includes creation, usage, transfer or destruction. Participants also receive an explanation of CWE-22, Path Traversal, which is a manipulation of the URL to execute, or to reveal and access the contents of, files, directories or other information, and of CWE-494, Download of Code Without Integrity Check. The instructor also discusses possible attacks in this category:

• Malware payload delivery
• Path manipulation
• Information disclosure/leakage
• Denial of service (e.g., exhaustion of resources)

Finally, the instructor presents a case study about a breach at the Department of Homeland Security (DHS) in which hackers got access to the contents of a WordPress configuration file on their server. WordPress is open to vulnerabilities because of all its add-ins, and the hackers were able to perform a path traversal.

Video Transcription
00:04
Hello and welcome to the Cybrary Secure Coding course. My name is [inaudible], and this is the SANS Top 25 category Risky Resource Management.
00:16
Now, as we review the SANS Top 25,
00:20
realize that all 25 issues are actually grouped into three main categories: category one, Insecure Interaction Between Components; category two, Risky Resource Management; and category three, Porous Defenses.
00:35
This module focuses on Risky Resource Management. You see the rankings listed in this category below: 3, 13, 14, 16, 18, 20, 23, 24.
00:51
Now, several of these items we have already covered in the Buffer Overflows module. If you take a look at this chart, you can see that rankings 3, 18, 20, 23, 24 have already been addressed. So please go back to Module 11
01:11
if you need to review any of that information.
01:15
So that just leaves us with three areas to cover in this module
01:19
rank 13, which is CWE-22, Improper Limitation of a Pathname to a Restricted Directory;
01:27
ranking number 14, CWE-494, Download of Code Without Integrity Check;
01:34
and ranking 16, CWE-829, Inclusion of Functionality from Untrusted Control Sphere. So first, an overall definition for this category. The Risky Resource Management category identifies weaknesses
01:52
related to improper handling of system resources
01:56
by software. Such handling includes creation, usage, transfer or destruction. When you think of system resources concretely, you can think in terms of a directory, for example, or a file system.
02:12
So first, let's go into our ranking number 13, CWE-22, Path Traversal.
02:19
Realize it's called many things. It's called directory traversal, also called the dot-dot-slash attack.
02:28
Basically, what we have here is a manipulation of the URL
02:31
to execute, either to execute an arbitrary
02:37
file that's been uploaded or to execute
02:40
remote files,
02:43
or it could be done to reveal or access the contents of files, directories or any other information that may be available on the web server.
02:53
An explanation for ranking 14, CWE-494, Download of Code Without Integrity Check.
03:01
This is where we don't have any kind of validation being done, or verification, if you will, of a particular class or JAR file or DLL that we're using inside of our program. That verification is generally done with some sort of checksum. Because you're not
03:21
performing this level of validation or verification
03:24
to ensure that this class is loaded from the authority or the source that you believe it to be, it's going to allow for the loading of attacker-controlled classes, JAR files or DLLs instead.
03:43
In the code that you see there, you can see that we're actually creating a new URL
03:49
based on a file that we get out of a subdirectory
03:53
and, of course, loading that up through the class loader.
03:58
Now, possible attacks in this category, in this module, can include malware payload delivery. As we just saw, by not doing any kind of checksum or any kind of verification of your source, that can allow for the opportunity for malware to easily be
04:16
loaded into a program.
04:19
Another possible attack is path manipulation. This can come in the form of file system manipulation,
04:28
where we don't canonicalize our paths prior to doing validation against them. Also, it can relate to web server directory paths, and we'll see that in the demo.
04:42
Now the combination of these can lead to information disclosure, information leakage, and we'll see that as well. Mainly, this is the viewing of information by unauthorized access.
04:56
And then finally, denial of service, in this case through the exhaustion of system resources. Now, our case study is on the Department of Homeland Security, which actually fell victim to a path traversal attack. What happened was the
05:14
DHS site was using WordPress,
05:16
and WordPress has a lot of plugins, and WordPress has been susceptible to a lot of vulnerabilities over the years because of these plugins.
05:30
In this particular case, the path traversal attack allowed hackers to obtain the contents of the main configuration file used for WordPress. Now, inside of that file, they have, of course, their table names, their database connection, username and password,
05:49
as well as some other damaging information.
05:53
Now, because DHS didn't want other companies or other users to fall victim to the same attack,
06:00
they, for educational purposes, actually published all of this information on the website that I give at the bottom of the slide.
06:11
But you can actually see the line where the vulnerability takes place. If you look at the vulnerability line
06:18
at the very end, you see the download.php?file=. We're going to see this in the demo also. So all you have to do is, on the next line, do your dot-dot-slash and go back up to the WordPress config.
06:35
So there's a wp-config.php that was then able to be viewed.
06:42
And so you're going to see as well in the demo how this type of attack can actually be exploited.