Let's talk about how we can prevent these vulnerabilities now. The first thing is that a lot of these vulnerabilities exist because of the functionality they provide. For example, the file upload problem we had: it allows the user to upload any file extension, any file type. This shouldn't happen. There shouldn't be a way for users to upload any files they want. If you want them to upload a picture, then make sure they're uploading a picture: check the file types. If you're expecting them to upload a song, an MP3 file, make sure it's a media file and not a PHP file or other executable code. Usually you should never allow users to upload anything executable. Filters can be used to check the extension and make sure that the file being uploaded is a JPEG or whatever, but that's not a good way. The best way is to check the file type and make sure the file type is a picture or a media file, instead of checking the extension, because that can be bypassed as well.

The second type of vulnerability that we looked at was the code execution vulnerabilities; in these exploits we were able to run any code we wanted on the target computer. Again, this functionality should be avoided. You should avoid allowing users to run any sort of code on your server.
Try to avoid all these functions, such as eval and passthru, and all of the functions that allow a user to run operating system code on the server. If you absolutely had to use something like that, then make sure you analyze the input before you execute it. For example, in the example we saw, the code was doing a ping and it would ping anything we put in the text box. So I'm putting in here "slash the text box" just to show that this is the input that we put in the text box. This is what the program actually looks like; if it looks too complicated, forget about it. We're just talking about the concept here. So we're going to be talking about this here. Say, for example, what we did is we put a normal IP, and then we put the semicolon, and then we put a command that we wanted to run, so for example ls -la. The problem with this is that the web application used to take this the way it is, copy it and run it in here, which means that when you execute this command it will do the ping first and then it will do the ls -la, which is the command that we wanted. What I advise is that you just don't use these functions. If you had to use a function like this, then what you should do is check that the input is what you're expecting; for example, you're expecting an IP address and nothing else.
So you can use regex to make sure of that, and I'm not going to talk about regex or what regex is; regex is basically a rule that will make sure that the input looks like the following format. So it takes digit digit dot digit digit dot digit digit dot digit digit, and if I put anything else then the web application should refuse it. You can also make sure that there are no semicolons and that there are no spaces. So everything comes in as one thing and then it gets executed. Again, this is a way of making it more secure, but the best thing is just to avoid these functions.

The third type of vulnerability that we looked at was file inclusion, and we looked at two types: the local file inclusion, which allowed us to include any file on the system and then read files, which causes a file disclosure vulnerability, and then you'd be able to read any file on the server; and then we looked at the remote file inclusion, which is very dangerous, which allowed us to include any file from any web server. So we were able to include PHP shells and then get a connection from the target's computer. To prevent these, first of all make sure you prevent the remote file inclusion, so that just in case anything goes wrong, people can't include files from outside your server. You can do that the same way we enabled it, using the page behind me, by disabling allow_url_fopen and allow_url_include.
And if we go here to our... to exploit, well, I'll just show you very quickly. So if we do sudo nano, which is the text editor, on the php.ini file under /etc, the same file that we used. This is the file for the PHP settings. If you open that file, now I'm going to do Ctrl+W and look for allow_url, and you need to make sure that allow_url_fopen is set to Off and allow_url_include is set to Off as well. Ctrl+X, Y and Enter, and that'll save it for you.

The other way to prevent these exploits is to use static file inclusion. So instead of using dynamic file inclusion, which we've seen, you can hard-code the files that you want to include in the code and not get them using GET or POST. For example, what's happening in the vulnerable examples we saw is that we have a page called index.php, and then this index.php takes a parameter called page, and then it takes another page, for example news.php, and it includes this news page within the code. So what does the code look like? In the page code you'll see something like include. So what this will do basically, and it looks like this I believe, what this does: it includes whatever comes after the page parameter, so the code will dynamically take whatever comes in after the page parameter and include it in the current page.
So this will be in the index.php page, OK. This is very bad because even if it's not GET, sometimes people use POST, and in POST you won't see this. So it will be posted, but you can use a proxy such as Burp Proxy, and this would look like that, and then you can modify it and get it to include anything you want, and then it's displayed on the page. What we really want to do is we want the user not to be able to manipulate what's going to be included. So if you wanted to include a page called news.php, just include it inside this without giving the user the ability to change it. I know you're going to program your code to just have it looking like this, but we've seen how users can play with this and just get it to include anything they want. So the best way to do it is just to get it to include page.php, so your code is not using any variables; it's hard-coded. It might make your code a lot longer, but it's much more secure.
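As an added example, not code from the lecture, here is how the three fixes described above look in PHP: a content-type check for uploads, the digits-and-dots format check on the ping input, and a hard-coded include with nothing taken from GET or POST. Function names, the allowed MIME list and the sample inputs are assumptions.

```php
<?php
// Added example, not the lecture's code: the three fixes in PHP.

// 1. Upload: decide by the file's real content type, not by its extension.
function is_allowed_image(string $tmpPath): bool {
    $finfo = new finfo(FILEINFO_MIME_TYPE);
    $mime  = $finfo->file($tmpPath);   // sniffs the bytes; a renamed .php file fails here
    return in_array($mime, ['image/jpeg', 'image/png', 'image/gif'], true);
}

// 2. Command execution: accept only digits.digits.digits.digits, the rule the
//    lecture describes, so semicolons, spaces and anything else are refused.
function is_ipv4(string $input): bool {
    return preg_match('/^\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}$/', $input) === 1
        && filter_var($input, FILTER_VALIDATE_IP, FILTER_FLAG_IPV4) !== false;
}

function ping_host(string $input): string {
    // Vulnerable shape from the lecture: shell_exec('ping -c 1 ' . $input)
    if (!is_ipv4($input)) {
        return 'Refused: expected an IP address and nothing else.';
    }
    // escapeshellarg() is a second layer on top of the format check (assumption:
    // ping is available and the web user may run it).
    return (string) shell_exec('ping -c 1 ' . escapeshellarg($input));
}

// 3. File inclusion: the included file is fixed in the code, never a parameter.
//    Vulnerable: include $_GET['page'];   Hardened: the constant path below.
function render_news(): void {
    $page = __DIR__ . '/news.php';   // hard-coded, nothing from GET or POST
    if (is_file($page)) {
        include $page;
    }
}

// Quick check from the command line with constructed inputs.
if (PHP_SAPI === 'cli') {
    foreach (['10.0.0.5', '10.0.0.5;ls -la', '10.0.0.5 ls'] as $in) {
        echo $in, ' => ', is_ipv4($in) ? 'accepted' : 'refused', PHP_EOL;
    }
}
```

Only the first input is accepted; the two inputs carrying a semicolon or a space are refused before any command runs.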