So yeah, absolute pleasure to be here to talk to you today. Hello, my name's Simon, I'm from the UK. I'd love to hear where you're from, so please ping in the chat and I'll say hey and give you a call-out. But I'm gonna jump straight in, because I think I have about 30 minutes. Is that right, Edson? I have about 30 minutes, so I'm finishing at about a quarter past-ish. Is that correct? 30 minutes. Okay, cool, I'll try and do that. Hey, I can see in the chat, Raphael. So this is Stranger Danger. Let me go full screen. Oh, maybe I can't give shout-outs because I'm going onto slides, rubbish. But hey, let's go ahead. I'm gonna do a few slides. Slides are boring, so I'm gonna jump into live hacking as soon as I possibly can.

This is called Stranger Danger. It's about how we find security vulnerabilities in our applications before, well, before they find you, before someone else finds them. My name's Simon Maple. I run the DevRel team here at Snyk. At Snyk we are very fond of creating developer solutions for security, security solutions for developers as it were: how do we get developers being more secure and doing security-focused activities as part of their usual day job? I've been in Java for well over 20 years now, and my background is as an engineer for IBM working on WebSphere and other amazing middleware products like that. I also run the Virtual JUG and the London Java User Group, and I've got a couple of awards there. If you want to reach out, please do on Twitter at @sjmaple.

Okay, let's start with something that hopefully everyone is aware of and absolutely loves, I'm sure: DevOps. It helps us deliver value very, very fast. It allows us to write some code in an IDE and push that to production later that day, later that hour.
We can do it very quickly, we can do it often, and we can do it in a predictable way. However, when we do things like that, there are a number of other things that don't fit that model, one of which is security, and that's why DevSecOps is a wonderful, incredible buzzword which was created and loved by many. What are the problems, though, that something like DevSecOps solves? Well, with this speed-up of people wanting to push code to production often and quickly, how does something like the traditional security audit fit in? We do that, from what I understand, once every 25 years, where the whole security team come from their dungeon. They come to the developer and they say, no, you cannot push this, because we have a hundred vulnerabilities that are open if you push that. So what happens is the developers end up hating the security team, and the security team end up hating the developers because they put in all these shiny libraries. How do we solve this problem? Well, DevSecOps is similar to that DevOps mentality where we try and pull these different silos, these different teams, together so that security is made a first-class citizen in that pipeline. So every time we push, we have security considered, we have security tests running, and we know when regressions occur, because customer data could be compromised.

Yes, Equifax know that all too well, as do any Equifax users. This was one of the headliners that has made the news over the last few years. Realistically, the reason that this breach occurred, and so many millions of US customers had their sensitive data breached, was because of a popular library called Apache Struts, and Apache Struts, as we know, is an open source library. One of the reasons why open source libraries are so useful is because everyone can just use them and adopt them and grow based on them. One of the horrible things about open source software is that when there is an issue, whether it's a bug or a security problem, that bug
or security problem exists in many, many different places. Now, that's not a criticism of open source; it's an issue that exists because of the popularity of open source. Now, when we think about something like Struts, we can see that when the Apache Struts vulnerability that affected Equifax was announced, it was, you know, mid-March, there was a spike: the number of people that were attacked, the number of attacks that occurred, rose significantly, and this is because exploit code, test code, became available, and anyone who was anyone could just run this test code. And I'll show you how anyone who was anyone could run that test code, because I'm about to run it now.

What I've got, if I come back here... Maximilian: lots of Star Wars stuff. Yes, it's my Millennium Falcon and my AT-AT, and these are legit toys from the 70s which I got. Hey Mark, hey Uday, hey Libina, hey Vijay, good to see you all from lots of different places. Sorry, I'm getting distracted, right? Let's go to my browser. From here, what I'm going to do is show you this to-do application. This is a very simple to-do application. As you can see, I can create a to-do: let's buy my wife some flowers, she definitely deserves them. There we go. Let's add a due date of 14th of January 1970. I'd better make that high priority, I guess. Add that. There we have an ID of 11, we have a title, we have a due date, etc., etc. If I click on About, we can see all the different tools that we use here, all the different frameworks. We're using Struts, a vulnerable version. We're using Spring version 3.2, a very early version of Spring. We're using Hibernate, because we love to make poor life decisions. So here, because we know we're using a vulnerable version of Struts, we're going to actually exploit that now. So I'm going to come back here, and on this page I'm going to show you... not in that directory, though. Let's go back one and into my exploits directory.
I'm going to show you this headers file. Okay, in this headers file... oh no, that was not what I wanted at all. In this headers file, this is a header that we're going to be sending on a request to my vulnerable Struts endpoint. We'll see a Content-Type straight away, and that Content-Type is illegal, so we're going to go straight down into an exception path once we hit this endpoint. Now, it is illegal because of this percent and brace, and there's also a brace at the end there. Now, when we go through this exception path, we'll go through a library called OGNL, which, as one of the things it can do, evaluates certain pieces of text to give us a richer output for our error messages; that's one of the ways it can be used. Now, it's going to evaluate anything within this percent-brace, a piece of text, which is great because we've got a bunch of code that can execute here, of which we're going to create a new ProcessBuilder, passing in commands. The commands we're passing in are bash, and bash is going to run a command called CMD, and this is just, in big letters, COMMAND. We can substitute this in just a sec. So let me go to my little crib sheet here. Let's grab this one.
I'll walk you through this as we run it. So I am cat-ing that file, the exploit headers file I just showed you; we are doing a string substitution on the command keyword there for `env`. This is going to print out our environment variables. I'm just going to curl this to an endpoint. That endpoint currently is set to my localhost, but instead I'm going to point that to this, and this is my to-do application, which is in fact running on a Heroku app environment. So let's curl a Heroku application, that to-do list, and now that's all we're going to do. We're going to send just a plain curl request, a GET HTTP request, over to that endpoint. We're setting up our header so that we're passing in an illegal Content-Type which evaluates OGNL, and OGNL will evaluate a piece of that code. If I hit return there, hopefully, after setting all that up... there we go. There are our environment variables. You can see our Java options, you can see our path, you can see our working directory, our Java home, and a whole bunch of other stuff. And believe you me, some people, not anyone on this call I'm sure, but some people will put sensitive information into their environment variables, and an evil person like me will pick that up and potentially do some nasty stuff with that. At this point,
I have execution rights. I can write, I can execute commands of my choosing, and that will run under the process and use the privileges of the user that is running that process. In this case, I think this is just a Tomcat server or something like that, so I am now running under the user of that Tomcat service, and I can now execute whatever commands I can under that user. So that was the exploit.

Let me come back here and we'll go through a couple more slides, and then we'll start hacking again. So, lo and behold, this is your application. We have a very small circle in the middle, and that's your code, the code that you write in your IDE, and then we have this huge amount of code around the edges, and this is all your open source dependencies. This is very common to see: your code being the much smaller piece of your application, and it's because we leverage so much amazing open source stuff.

So here's a great example, and why don't I ask you, if I can... in fact, I can't see it just now, that sucks, but let me ask you to put your answers in the chat as I go through this. There are 19 lines of code in here. There are two direct dependencies, and this is just an application which grabs a file and stores it in Amazon's S3. Now, I'm gonna ask you a couple of questions. I want you to put those answers into the chat, and I can't see it right now, but as soon as I stop this presentation I'll be able to see that, and I'll maybe give a prize to someone, or maybe it will just be some kudos. How many indirect dependencies do you think we have on this application? So we have two direct dependencies; how many indirect, or transitive, do you think we're gonna have on that application?
So these are the dependencies that each of those two dependencies will pull in. I'll give you a quick second to put your ideas in there. The answer: it's 19, so only 17 dependencies. Now, I can't see the answers right now, but I'm sure, because this is the Java track and not the JavaScript track, everyone's gonna be trolling on JavaScript and they're probably putting in millions, hundreds of millions, trillions maybe, but it's just 19. So it's not as bad as it could be. However, now the next question: how many lines of code do you think we're gonna be deploying? This is the lines of code in our application, therefore 19 lines of code in our IDE plus the number of dependencies that we have. So how many lines of code are in all of that? Now, typically, I'm gonna guess right now that some people are putting maybe tens of thousands, or a certain number of thousands; some people might go crazy and say let's put 10 million or something like that. The answer is in between: it's about 191,000, so almost 200,000 lines of code. Now, the key here is don't just look at what's in your IDE. The application you deploy is 200,000 lines of code here, where the application you see is this 19 lines of code. Be very conscious of what you're deploying. And of course, you're not necessarily going to go through all of those lines of code; they may not all be active in endpoints. But we have to be very conscious of what we're deploying, because what we maintain and what we have to secure is what we deploy. It's not the code in our IDE alone.

How many more slides have I got? Let me see... oh no, I don't want to go through too many slides. Let me go through this one. How do we then go about fixing this? So we know there are vulnerabilities. We know we sometimes introduce them ourselves.
We know sometimes, sorry, we know sometimes we introduce them with our pull requests. We know sometimes they're introduced in existing code that we've deployed into production. We need to know and test at every stage, and the key thing here is testing early. This is like the typical shift left, or giving that responsibility to the developer to make sure they're empowered enough to test their code before they push to a repo, to maintain that. When they do get to the repo, tests are made so that people can understand if they're introducing new vulnerabilities and can't regress. And also, so that when we get to production, even if today there are no known vulnerabilities in our code, in our open source libraries and open source projects, even though there's nothing there today, what if there's something that is found tomorrow, or a week later, or a year later? If we're not going through this pipeline, who is testing for that, and how do we know that these new things have come around? So these are some of the things that, when you think about... I mean, you can see some little Snyk logos here. I'm happy to talk about this offline as well if people are interested in learning about how Snyk can do that.

But let's hack. Let's go terminal. So I'm gonna jump to... here we go. Oh, actually, let's have a look at that. Let's have a look at what people thought. So actually, okay, so not too bad: 20, 54, 42, 14. Leap from Sebi, nice one: 200 indirect, so around the same kind of number as we had. 1,500 lines of code, 29K from Osama, 1,850, 4,000, 100,000. So yeah, almost pretty low. Sebi with another ridiculous answer, that's awesome, I love it, Sebi. Okay, that's cool. Right, let's jump to another application.
This is actually a Node application, for two reasons. One, because it doesn't matter too much: a vulnerability is a vulnerability, and we're just gonna exploit a particular vulnerability here called directory traversal. And secondly, it's actually more fun to hack Node because it's easier. Well, that's a lie; that's what I say from a Java background. Anyway, okay. So this is a to-do list application. I'm gonna buy some milk, that's my to-do. There we go, there's my little to-do. Let's buy my wife some more flowers: buy wife flowers. Add these regular to-dos. I can also click on About: the bestest to-do app ever, just an about page which has been served from us as a static file. This is all fine. Now, what I'm gonna do is show you how we can scan this. I'm gonna do it from both sides, the blue side as well as the red side. So let's go ahead and scan this. I'm gonna go into my integrations. This is just using Snyk, but you can use whatever you wish. From here, I am going to go into my repo and I'm going to open up goof, and what we're now doing is we're connecting to GitHub. We're looking at the goof application from GitHub, and we're now going to try and find the manifest files which are in that application. From the manifest files we'll be able to build up a dependency graph, and we can see where vulnerabilities exist in that dependency graph. So if I was to view the log here, this shouldn't take too long. In fact, it's already found the package.json, so it's recognised it's a JavaScript Node application, and any second now, and it takes literally a few seconds, we can view the project, in fact, and hopefully see the snapshot here. Here we go.
Okay, so we can see the number of dependencies, and this is a great way of looking at your bill of materials. You can see direct dependencies, transitive, and where your vulnerabilities exist. But what we want to do is look at a specific directory traversal, and I have a directory traversal here. A directory traversal vulnerability is one whereby we have maybe access to a specific... sorry, we have access to a directory and we're looking at how we can break out of that directory into potentially a private directory or something like that. So how are we going to do that? Let's have a look. This is coming from the st module. So the st module is one which serves public, sorry, serves static content to users. So let me go back over to the application. Let's ask in the comments: how are we going to hack this? Let's do this together. We want to hack this; it's a directory traversal. Any ideas of where we even start, which part of the application do we want to attack? So yeah, please do ping in the comments as to which page or how I should go about doing that, and I'm not gonna hack this, you're gonna hack this. So let's try and do this together. What do you think? Okay, nothing just yet. So there's nothing I haven't shown you; it's these two pages, the About page and this page, looking for ideas in the input box, in the input field, in the text box. Okay, what should I do here? "Inject code into the data to be evaluated" and "dot-dot slashes". Okay, dot-dot slashes. So dot-dot slashes in here, maybe? "Add dot-dot slash to the URL." Okay, now we're getting somewhere. So which URL, the home page or perhaps our About page? If we look at our About page, maybe our About page... whoops.
Maybe our About page is a little bit more interesting. So if we look at our About, it's got a directory structure in there. So if I come back here, let's go to a fresh page and let's curl it. Okay, so there's our... oops, there's our About page, there's our About document. We can see this is the URL. I'm gonna do a dot-dot slash, I presume. So add... Chris Holmes is saying add dot-dot slash to the URL, so something like this. Okay, hopefully this is gonna work. Let's see if this works. Okay, so we can see this is just some HTML; we can see "buy my wife flowers", we see the dot-dot slash, we see "buy milk". This is actually the home page, the to-do homepage. So what's happened is st is a real library, okay? It's a real library that recognises we're trying to do a dot-dot slash. So we're on the right lines, but we can't type dot-dot slash because it is looking for dot-dot slash. Okay, Mark Harding, awesome. Mark Harding has suggested: replace with percent 2e instead of a dot. Now, percent 2e is, as all great hackers know, well done Mark Harding, the URL encoding of a dot. So if we do a dot-dot as URL encoding, what we're suggesting here is that st isn't going to be looking for percent 2e, and it's not going to be normalised because we're sending curl. So if I do this, bang, we have a directory traversal. We can see that because we're outside of the public directory. And I'm just gonna quickly go back to my browser, and in fact, while I'm showing you back in the browser, think about what you want me to do next. Think about, as an attacker, what would you do if you just broke in and started looking at this? Where would you want to go?
So think about that just for a second. In the meantime, what I'm gonna do is, from here, I'm gonna do exactly the same thing with percent 2e percent 2e forward slash, and by doing percent 2e percent 2e here we actually get back to the home page, and that is because my browser normalises the percent 2e; it decodes that back into a dot before sending that. Okay, as a result, the st directory does see the dots and, as a result, knows it's a directory traversal.

So Marco wants to do something crazy, look: rm -rf the db directory. So what is this? Let's go back to our vulnerability and see what our vulnerability is. So let's come back here, we're in directory traversal, right? So let's go into directory traversal and click on "more about this issue". We can see this is our CVSS score. So our CVSS score is, you know, the score out of 10 based on how, by exploiting this vulnerability, how much pain you'd get based on what it can do, what kind of build-up you need, what is the attack vector, etc. And you can see that the scope here is unchanged. So what unchanged means is, if someone was to exploit this, you can be effectively read-only; you can't make changes to the end system. So this is just as a result of us doing this: we can only read. So that's a good idea, Marco, but what can we read? Well, let's have a look in this directory. We've got a whole bunch of stuff, so we could have a look at... why don't we have a look at the app.js? See our source code here. Maybe we do something instead.
Maybe we have a look at our package... package dot... what was it? package.json, and here's all our other direct dependencies, which we could potentially try and find other vulnerabilities in too. So maybe we could see something like humanize-ms. humanize-ms is an interesting one. humanize-ms has a... let's have a look at it. humanize-ms has another vulnerability in it. Oops, did not mean to do that. humanize-ms. Let's do a quick search on humanize-ms. It's got a readme... that's marked, marked, moment, braces, humanize-ms. Okay, humanize-ms pulls in ms, which pulls in a... sorry, and that has a regular expression directory traversal... a regular expression denial of service. So let's try and hack this. What is this, first of all? Well, a regular expression, we know what that is. A denial of service, we know what that is. A regular expression denial of service is, by computing a regular expression which takes so many cycles, we are effectively taking up the resources so much, could be computational, could be something else, but we could cause a denial of service on that thread. So let's try and cause an exploit right now. If I go back here, what you'll see is, if I was to say "buy milk at this time in 30 sec"... no, let's say, yeah, 30 seconds.
No, let's go two days. What it's done is it's parsed that; it recognises I'm doing "in" followed by a time, and as a result it's turned that into milliseconds, so I can maybe do something like, I don't know, a reminder or a notification, and then it's just representing it here in braces as 2d. So what I could do is provide a string which causes this thing called catastrophic backtracking. Catastrophic backtracking is where I would do something along the lines of that, and this is a string whereby I can type a pattern like an "a" and a number of "b"s, and that will match. However, if I type "a" and a number of "b"s and then a "c", this number of "b"s can be matched in a number of different ways. It could be matched by the plus, or it could be matched by the star, or a combination thereof. So it could maybe do the first couple with the plus, the next couple with another plus because of the star, and so on. We don't know, but as soon as it gets to a "c", some regular expression engines will backtrack and will try and find all permutations of this b-plus, b-plus-star, whereby it'll try and match these "b"s and see if we can find a "c" at the end. Of course, that will never happen, but it would try and exhaust all those possibilities, and as the number of "b"s in here grows, the number of steps we need to exhaust grows exponentially.

So let me come back here and let's actually try that. So what I'm going to do is, just to save my typing, try and send this. I'm going to echo some content. It says "buy milk in" and then we're going to print out 60 character fives, "minutes". Okay, and we're going to send that across. So I execute that. There we go: "buy milk in" and there's 65 minutes. Okay. Is this going to actually cause a denial of service? Well, let's ramp this up to six hundred, six thousand, sixty thousand. Run that again. It comes back very, very quickly enough.
If I was to come back to my... refresh this page, you can see the result; the requests are coming in just fine despite that being infinity days. The requests are coming in just fine. However, the reason we're not getting a delay is because this actually resolves the first time it finds the match. What we need to do is stop it from finding that match, and we can do that by just adding a typo at the end. So now it has to pass through all these fives, it gets to "minutes", but because there's an "a" here instead of an "s", we're replacing that with an "a", it's gonna backtrack through all of these fives. So if I hit return there, we hang, we pause. I'll come back here and I'll type hello, and I'll hit my keyboard hard, making a loud noise. Nothing happened, until which time that times out, or the number of permutations complete, in about a minute... now. That thread comes back and it goes to all those other requests. So regular expression denial of service through a, sorry, a denial of service through a regular expression being way, way too long. Ways you can fix this, of course: you could, you know, look at the string you get, and if your string is anywhere near this size, you would make sure you won't parse that; you would not even look at it. Another way is, you know, fixing the actual vulnerability by going up to a newer version of your library. Now, in this case, the vulnerable module is ms; the library which is pulling in ms, so our direct dependency, is humanize-ms at 1.0.1. The fix is to upgrade humanize-ms to 1.0.2, and this is the minimum version which pulls in a fixed version of ms. Okay, so now if I was to go in and click "fix this vulnerability", the idea being this is going to now send a request back over to GitHub. Let me just click "open a fix pull request", and we'll see this, you know, working nicely in
conjunction there. So I click on "files changed"; you can see the file that we changed there, 1.0.2 versus 1.0.1. What you'll also see is a number of other things in that. I am making checks on all of my changes to make sure our delta doesn't get affected. So are we introducing any new changes into our repository based on this pull request? And those are both licence changes and Snyk in terms of the vulnerabilities. So we can do this at various stages. Here I've shown you the repo; you can also come over here, maybe, and say let's do this via a repository. Here is that Java goof application, which I've just got in IntelliJ. I've done a quick scan. You can scan whichever Maven project you want, and you can see all the vulnerabilities here, and I can click on one of these to say let's upgrade a specific version. The suggested upgrades are always given here, and I can just kind of come along, click, and it'll show me which version I need to upgrade to. So this is super important, but I think there are a number of other things, other than tooling, which are extremely important, and that is changing that mentality to pulling security in earlier in the development environment, having security mavens that exist in your development team so that there are individual developers that recognise and understand, so that you get much more experience and expertise in the development stage. Also, code reviews are absolutely key: making sure that when you go through a code review, you're not just looking at code that you're writing but also code that you're pulling in. One other thing, actually, I'll show you is, if I go to my pull requests... one other thing that's really, really important, and I'll show it in Snyk here, but you can do this however you like, is what happens
when you get a vulnerability that has existed for ages in your production environment but that hasn't been known. Well, one of the things that we can do here is raise an automatic pull request. So this is an automatic pull request which, you know, you're just kind of running in the background; that's happening automatically. You don't actually have to put anything through the pipeline, and what you'll see here is a file change that has occurred. This is the smallest version jump you can get which includes this fix. And this is where the product has had vulnerabilities that couldn't be fixed or couldn't be patched because no upgrade was available, but now new upgrades have been made available, and as a result we automatically send a pull request which can patch that. Very similar if it's a new vulnerability that wasn't known previously. So there's a whole bunch of other things like this that can be done, but it's all about putting security into the developer flow and the developer workflow.

That's everything I've got to say. I hope you enjoyed. I think I'm pretty much at time now. I hope you enjoyed the session, and I'm happy to take questions if there are any.

Simon, you are perfectly on time. Thank you very much.

Excellent. Yeah, British as usual.

In the chat... yeah, the last one. Question: Snyk versus WhiteSource Bolt.

Okay, yeah, so WhiteSource, again, is an SCA tool. So now we know, right, Sebi?
That's what Snyk stands for. Yeah, WhiteSource is another tool that does similar things. From our point of view, the way we work is from a very developer-first oriented way, so everything that we do is focused on developers, and I think if you were to try both together, you will, you know, enjoy the Snyk way of working, the way it allows you to do things in a much more kind of developer-friendly way. We also have, certainly in my opinion and also in that of a number of other people who are using our database... we have a number of major groups using our database. We have an entire security team which really do some amazing work in both finding new vulnerabilities and also working with vendors that do that. So I would say our vulnerability database is more complete in that sense as well. But I would say, you know, it's all about user experience, and I think you'll find if you use Snyk, you'll see the differences. It's very much more like, yeah, would you use IntelliJ or would you use Eclipse? It's all about that user experience. So give that a go and I think you'll find out, you know, there's a significant difference in terms of the usability.

Amazing. I couldn't see any more questions in the chat. Well, Simon, I was amazed by what Snyk can do.
So yes, maybe I should run it on my projects.

Absolutely, if they are vulnerable. Absolutely. And yeah, if you want, you know, it's entirely... we have paid plans, but it's entirely free just to go ahead and sign up, and you can use that both, you know, as I've shown in the repo as well as with Docker scanning. We're already integrated with Docker on Docker Desktop and things like that. So you're more than welcome to kind of try all that out for free and use that month on month. So please do go ahead and try it out.

Awesome. So, on behalf of the DevNation organizing team, thank you very much, Simon, for this amazing presentation, and I hope to see you soon in the next opportunity.

Thanks very much, a pleasure to speak to you. Thank you for having me.