Web Security with Python | Path Traversal with Python

Cyber Security Python
Transcript

English (Auto-generated)

one. It is heads and we are ready for our first actual video where we're gonna look at a real vulnerability is gonna be with a flask application. I'm not choosing flask for any particular reason. I mean I have a lot of python experience, but I'm definitely not like a flask developer or anything. So if any of you were hoping to learn like flask best practices from this video, Yeah, it might not be the guy, but we will talk about um, path traversal in this one. We will show you how that vulnerability might get introduced into an app, how someone would find it, how you would detect it and exploit it. And finally, one way that you could fix it, like I said, since I'm far from an expert in flask, there might be issues with my fix and I definitely welcome you all to bring those issues up. I'm actually gonna have a GIT hub repo shortly, which I'll announce in the next podcast that you can go and raise those issues and there'll be a little area where you can get recognized for contributing to the cook. Anyway, you'll see here that we have a little Hello World app. You can look this up by just it's literally just flask Hello world is from their documentation. Like I said that gIT hub repo will have open soon. We'll have this kind of code on it. But for now let's imagine that we are an inept. Well that we are an inexperienced junior coder once they had a feature where people can access the files in this directory. So maybe we have like PDFs or something realistic in here that people like, hey, I need this or that from this directory and we decided to take it as like a get parameter. So someone would say like, you know, local host, whatever you RLS that they like our site dot com slash files. And then they're gonna use get parameters, you're gonna say like file name equals and I don't know like reports dot pdf or what have you, You might wonder why we just didn't wouldn't do this the obvious way and have it be like reports slash pdf, like file slash reports. The reason is actually that flask accounts for this. So if you try to do the vulnerability, we're gonna do flask will basically block it, it'll prevent it, but it won't prevent it if you do things with get requests. So we're showing you how even though flash provides a protection from this by default, um there are situations where you could implement this kind of functionality and flask safe by default, behavior isn't gonna help you and that's exactly what we're going to look at right now. So first we have to get our get parameter, we're going to use that request library, I just imported up there and we'll call it like I think it's request dot r g dot yet and here we can choose whatever we want in the name of the get primary to be, I think here, I was gonna do like what was it? A file name. So yeah let's do and I'll change this to files. Right, okay. So we have files world We're gonna get one called file name. I'm sure I'm gonna run flask run because at this flask app variable make sure I can run this code once it starts. I don't know. Mhm. There we go. Okay. So we'll be able to run this but actually still isn't ready yet. Just want to get that set up. So we'll say our file name equals that. So we get that file and then we're just gonna open the file and then serve it. Excuse me. So we'll stay with file as open file. Let's open our file what's called Fsf file overriding like some fancy python thing that a keyword for like a built in. So we have with F. Is that we will say file content equals F dot read. You don't have to worry about closing it because with will take care of that for us and now we can return the contents of the file. Easy peasy. We should be ready with just that. So let's see if it's working so we're gonna run it man. And it's pretty mad at me. So let's see what I did wrong. So with F as open file name. I think I had that the other way around. There you go. Okay. Sorry about that. Alright so we'll open a new terminal and please curl call it local host Running on Port 3000 or 5000 5000 5000. Just like that. Yeah, she becomes a 44 because of our only thing is this files thing and now it gives us an internal server error because we tried to open up this non existent file, right? We have to pass the filing, we could add some kind of air handling if we were doing this in real life but we just want to get to the vulnerability as quickly as possible. So first let's finish poorly implementing our functionality so that we can hack it. We're gonna put our file name right? And the files, the only files here are hello dot pi and high dot html. Let's try them both because they should both work. So it's mad at me because I have this uh I have some of these special characters here in the shell is actually interpreted. So there we go. So cool. There's high dot html. That's wonderful. And we can actually read the code for the server itself which in and of itself seems like kind of a security issue but there it is. Wonderful. Okay, so what's the problem? Right. Well, the problem is when someone basically decides to start doing things like Yes. Thanks. So the developer didn't think of this. Um this is a past reversal. We're gonna go a directory up from where we were so that we can start reading files on the rest of the system. This is pretty much like the definition of a path, traversal vulnerability and ultimately, I mean depending on an operating system and you're on, you can go up a bunch get to the root directory, sorry, my keyboard is set to a different countries. So I give you those weird characters so we can go all the way up and then you start getting like Etsy PSs, w gonna get rid of P. S. S. W. D. I'm gonna Mac right now, so that's definitely not gonna do the trick. Like it'll it's more paranoid than that. Obviously you can set it to be as well, but a lot of people don't in any case and that will give you the hashes of all the password on the system. So you could use something like a rainbow table to begin trying to crack them. But just to just to show that this works, let me see something that's directory up from there. Just make something against to do it right here so that you guys can be here with me. I'm gonna go to directory. I'm gonna go one file up. I'm in my code folder and it looks like I have something right here called guest dot pi. So let's just how do you get that? It's gonna go dot dot slash and then give it guest dot pi. This isn't gonna work, but I'm gonna let you, let's see if it works. Oh, it did work. Okay. Because I mean I'm on Mac, so I have this really old version of curl. This actually isn't supposed to work because curl will actually glob these dot dots. It'll prevent that because it's like, well that's suspicious. Maybe it's not doing it because I'm gonna get parameter. Yeah, that's probably it. But if you did ever have that issue with curl, you can always pass it path as his. So if you're in the interested in the offensive side of security and you're wondering why curl isn't letting you do your path Traversal exploits. That's why. But in this case it's seeing it, it's gonna get parameter. I thought it was Mac has this really old version of curl, which it does. Let's see. Really old version. Okay, 2019. That's not too bad. In any case. Um That's something to be aware of. So it did it. There you go. We can read files that are up higher in the file system and that's no good. What we want to be doing is serving files here in this directory. So, oh, what do we do about that? Ah Well what do we do about that? There's a lot of approaches we could take to this. Um The obvious thing is what we don't want these dot dots, right? So like we could make a list of things that are here, inside of this, there's more sophisticated approaches um use your imagination, definitely worth looking up like best practices in reality what you're gonna do if you're a software developer and you're in this situation is you basically look it up, you look it up, looks like python, past reversal and see what kind of things you find and what you're gonna find is libraries, libraries that are out there that exists to do this work for you, right? And that's fine. There's nothing wrong with importing a library that says like, you know, pip, install, make path, traverse, you know, escape path traverse als and boom, that that solves the problem for you. But the problem for us, if we're interested in security or especially if you're a security engineer or something like that or a cybersecurity student is you're gonna be the person implementing those libraries. And so when they're like, yeah we need to make this library for language that doesn't have this sort of thing yet. You're not gonna be able to pip install it, right? That's why security engineers at that level anyway exist. That's what you're doing when you're doing the really interesting work, that's what we want to be able to do. So let's try our best, let's come up with something that's probably inadequate and like I said, hopefully there's something wrong with it because if one of you guys finds it, if one of you guys, you guys find that we will have a repository where you can report it and you'll get some kind of recognition. But let's try our best. So first thing we're gonna think is let's just make a function call it like escape calf traversal and you'll give it a path that will do its best. So on this is gonna be unique specific cause we're on a Mac right now and I'm guessing most of you are either going to be on the macaron Linux or using like Linux Subsystem Windows subsystem for Linux or something like that. I'm on the eunuchs side of things for sure. But my thinking is we can escape these dot dots. Like usually it's gonna be almost every time it's gonna be via dot dot right to go the direct parent directory. If you guys don't know anything about that on Linux and UNIX systems, it's actually yeah, there you go. So we have two special directories inside of every folder instead of every directory. One is called dot which refers to the current directory we're in and another is called dot dot which means the directory above us. That's useful because if you want to go up a directory actually did this earlier when I was inside of our code. He said cd change directory dot dot go 11 folder up to the folder that were inside of Really? Okay, so we have this escape path. Traversal and the obvious thing to do is just get rid of dot dot right, so let's try that. Just look something up real quick. Sorry. Okay. I just wanted just wanted to make sure because I've been a I've been doing javascript all day and in javascript you just to like replace all and I know there's replaced as well. I think that just replaces like the first instance of it though. So anyway, let's take a look. So we can say something like path here. Return path dot replace dot And we're just gonna replace it with I don't know, we can replace it with a dot, replace it with. Nothing problem with. This approach is like, let's say we replace dot dot with nothing no dot dots. What do we do in that case if someone had something with like an odd number of dots, I don't think that would work. Let me try it. This will see these two dots. I think it will see these two dots and it'll leave this dot, right? Maybe something like that. And let's see if we have it over here again, get rid of these two, these two, these two these two and these two, I think I would work. My initial approach was just replace it with a single dot but I think if you replaced double dot then you'll always end up Yeah, you'll be fine because they can't put they can't put double bots like there's no there's no way they could put a repeating amount of them I think and end up still having two of them because of the way python is gonna do it like they would replace these ones and then replace these ones that might happen where you have an odd number here and an odd number here. But then those two odds are gonna become too. But like I said if if someone out there can think of a way, I mean that seems very brittle. And usually what I would do is I would say while dot dot in path this is my instinct because half equals that. Once there's no more dot dots in it we return it, there's a downside and that somebody could send us like a bazillion dots and we're going to be in a little loop here so that could make our application that might be a somewhat inefficient approach but it should be pretty quick. Nevertheless. I think just replacing the two with nothing is good enough but if someone out there can think of a reason that that's wrong by all means criticized me make me into a fool. I love it. So in any case that's our fix. Let's try it out. Let's see if this prevents the vulnerability we did earlier. So I'm gonna stop this. Let's see if we can no longer read guest dot pi if we can't go a director. So I should have called that something cooler than guest dot pilot, you know corporate secrets or some things that we feel more like hackers but feel free to experiment with this at home. In fact we encourage you. Okay, so we're going to look at this file name and it's we can even just use some like simple exception handling here. I want to see what the error is first and then we'll add exception happening and then I promise we'll be done because that's no longer security, that's just software engineering at that point. So we have our file name and we are going to say file name equals escape path traversal of finally, it would probably be better to make this more like built in because if you're thinking like a like a like a security engineer and you're doing this for developers, you know, that if you make a function that developers have to explicitly call every single time they need to do this, they're gonna forget. So what you probably want to do is have some method that like you're you're a P I is using where, when they call it by default, it calls this behind the scenes and then they don't have to think about this stuff because there's so many different security considerations, they have to take into account, but they have to hold in their brain each time that they're bound to forget them. And that's exactly the kind of stuff that introduces vulnerabilities and it's not like Attackers have to think of all this stuff cause they're just gonna automatically try it with like a bunch of tools, you know, like the display or something just generating stuff. Um So we want this stuff to be done automatically, but we're just trying to show how, how it works underneath the hood. Right? So anyway, we've escaped it and now that shouldn't work anymore. So let's give it a shot first. We'll turn it back on. It didn't crash immediately. It's always a good sign. Go back to a million years ago. And now we get this internal server error obviously because the file doesn't exist. So yeah, file not found error. We'll wrap this in a try. Mhm Yeah. From my founder and then now we hear, if that happens, we can return, Oh no, while not found mm even do something cooler to be like if that file did exist like on the file system, like before it was escaped, we could be like, oh, hey, this person's probably trying a directory traversal who finally found that's interesting. It doesn't have a new line, but there you go. That's it. That is path traversal. Uh some simple fixes. You can do a simple vulnerability and a simple way of finding that exploit. Um I hope that's been informative for you. We're going to continue exploring vulnerabilities. Like I said, before we continue with vulnerabilities. We'll have a video showing you our github repo where you can point out issues which you're very encouraged to do because I also want to teach people things that are, you know, actually true and that's that's reaching that truth is a collaborative process, right? So help is appreciated. And I hope you guys have fun experimenting with this. Set it up yourself. Think try to find ways that it's still broken. Try to find other situations where this could arise. Try to imagine those sorts of things definitely read. There's like a billion blog posts about path traversal vulnerabilities, including real ones, like ones that have been found where where pen testers like bug bounty hunters basically published like blogs saying, hey here's how I found this path traversal blog bug and like get hubs A. P. I. Or something so they get really technical but spend some time on it. It's fun and happy hacking.
153 Views 0 Likes 1 Comments

Using a simple flask hello world app to show how a hapless dev can easily introduce a vulnerability. We then exploit the vuln and fix it :)

Comment
Leave a comment (supports markdown format)
@jesusvilla 4 months ago

I had the sniffles lol