Information leakage

Information leak: why would hackers know your code logic?

Why does the error message leak code logic?

First, the error returned was a Syntax error. Entering a single letter "g" in the password field cannot by itself cause an error, so the SQL statement must have failed because of an extra single quote. This error would not occur if the query were built with PreparedStatement or a similar method. Therefore, the SQL query on the back end must be built by direct string concatenation, without filtering single quotes.
Second, the part of the WHERE clause shown in the error message is username = '' and password = ''. This is an ordinary login check, so as long as the user name and password are correct, this SQL statement returns the user information the hacker wants. Therefore, the back-end SQL statement must take the form SELECT ... FROM ... WHERE ....
With this information, a hacker can easily launch a SQL injection attack.
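The two login query styles the post contrasts, as an added example that is not code from the original post: a concatenated query in which a single quote in the input becomes SQL syntax and the driver error escapes to the caller, beside a parameterized query that treats the quote as data, plus a handler that turns any driver error into a generic message. The in-memory SQLite table and the user record are constructed for the example.

```python
import sqlite3


def make_db():
    """Constructed in-memory user table so the example runs offline."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password TEXT)")
    conn.execute("INSERT INTO users VALUES ('alice', 's3cret')")
    conn.commit()
    return conn


def login_concat(conn, username, password):
    """The pattern the post describes: string concatenation, no quoting.

    A single quote in either field becomes part of the SQL, so the driver
    raises an error whose message quotes the statement itself.
    """
    sql = ("SELECT username FROM users WHERE username = '" + username +
           "' AND password = '" + password + "'")
    return conn.execute(sql).fetchone()


def login_prepared(conn, username, password):
    """Hardened form: placeholders keep the quote inside the bound value."""
    return conn.execute(
        "SELECT username FROM users WHERE username = ? AND password = ?",
        (username, password),
    ).fetchone()


def handle_login(conn, username, password, query=login_prepared):
    """Wraps a query so the driver's message never reaches the client.

    The real exception belongs in the server log; the response carries only
    a generic message for both 'no such row' and 'query failed'.
    """
    try:
        row = query(conn, username, password)
    except sqlite3.Error:
        # log.exception(...) would go here; nothing specific is returned.
        return {"ok": False, "message": "Login failed"}
    if row is None:
        return {"ok": False, "message": "Login failed"}
    return {"ok": True, "user": row[0]}


if __name__ == "__main__":
    conn = make_db()
    print(handle_login(conn, "alice", "s3cret"))
    # Same bad input through both query styles: the generic handler hides
    # the difference, but only the prepared form is actually safe.
    print(handle_login(conn, "alice", "g'", query=login_concat))
    print(handle_login(conn, "alice", "g'"))
```

Calling `login_concat` directly with a quote in the password raises `sqlite3.OperationalError`; `login_prepared` simply returns no row. The generic handler is a second layer, not a substitute for the parameterized query.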

"Black box testing" (functional testing) means running the application directly, without access to its code, and then scanning the application's requests and responses. For example, in the error-leakage scenario, "black box" detection can send the application requests that will inevitably produce errors (such as the single quote in the example above), and then observe whether the application returns the complete error log or a processed page.
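The "observe whether the application returns the complete error log" step, as an added example that is not part of the original post: a small classifier that checks a response body for signatures of raw error output (database syntax errors, query fragments, stack traces) and reports which rules fired. The three response bodies are constructed to resemble a leaking SQL error, a leaking Java stack trace, and a properly processed error page.

```python
import re

# Signatures of raw error output that a processed error page should never contain.
LEAK_RULES = {
    "sql_syntax_error": re.compile(r"syntax error", re.I),
    "sql_fragment": re.compile(r"\bselect\b.*\bfrom\b.*\bwhere\b", re.I | re.S),
    "exception_name": re.compile(r"\b\w*Exception\b"),
    "stack_trace": re.compile(
        r"\bat [\w$.]+\(\w+\.java:\d+\)|Traceback \(most recent call last\)"),
}

# Constructed response bodies for the probe request (password field = g').
LEAKY_SQL_BODY = (
    "Syntax error: unexpected token near \"'\" in: "
    "select * from users where username = '' and password = 'g''"
)
LEAKY_JAVA_BODY = (
    "java.sql.SQLSyntaxErrorException: You have an error in your SQL syntax\n"
    "\tat com.example.LoginServlet.doPost(LoginServlet.java:42)\n"
)
SAFE_BODY = (
    "<html><body><h1>Something went wrong</h1>"
    "<p>Please try again later. Reference: 7c1f</p></body></html>"
)


def classify_response(body):
    """Return the names of the leak rules matched by a response body."""
    return [name for name, rule in LEAK_RULES.items() if rule.search(body)]


def scan_probe(responses):
    """Map each probe label to its findings; an empty list means 'processed page'."""
    return {label: classify_response(body) for label, body in responses.items()}


if __name__ == "__main__":
    report = scan_probe({
        "sql": LEAKY_SQL_BODY,
        "java": LEAKY_JAVA_BODY,
        "safe": SAFE_BODY,
    })
    for label, hits in report.items():
        print(f"{label}: {'LEAK ' + ', '.join(hits) if hits else 'processed page'}")
```

In a real scan the bodies come from the application's responses to the deliberately malformed requests; the rule table is the part to grow, since each framework has its own error format.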

Error message leakage is an indirect form of information leakage. The indirect path mainly consists of piecing together scattered fragments of information to reconstruct the overall picture of the code, and then launching targeted attacks.

In addition to the error message, where else will the code logic be leaked?

Leakage through returned information, and leakage through code comments.

Front-end code is generally displayed in the browser without compilation, so hackers can easily read the comments in it. If key information such as server IPs, database addresses, or authentication passwords appears in these comments, leaking it will have very serious consequences.

"White box testing" (structural testing) means obtaining the source code of the online application directly and then scanning it. The principle of scanning for comment information with a "white box" is relatively simple: because the comments in every language are marked with special tokens (such as /* in Java and PHP), they can be identified quite accurately. In addition, "white box" detection is usually used to detect code vulnerabilities or logic vulnerabilities.
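The comment scan described above, as an added example that is not code from the original post: it pulls out `/* */`, `//` and `#` comments by their markers, then flags any comment that mentions a password or token assignment, an IPv4 address, or a database connection string. The Java-like source is constructed, and the comment extraction is a marker-based heuristic rather than a full lexer (it skips `//` directly after a `:` so `http://` URLs are not mistaken for comments).

```python
import re

# Comment markers: C-style block, C-style line, and shell/PHP/Python line comments.
COMMENT_RE = re.compile(r"/\*.*?\*/|(?<!:)//[^\n]*|#[^\n]*", re.S)

# What a reviewer would not want to find in a comment that ships to users.
SENSITIVE = {
    "password": re.compile(r"\b(pass(word|wd)?|pwd|secret|token)\b\s*[:=]", re.I),
    "ip": re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b"),
    "db_url": re.compile(r"\b(jdbc:|mysql://|postgres(ql)?://|mongodb://)", re.I),
}

# Constructed source file with two comments that leak infrastructure details.
SAMPLE = """\
package demo;
// DB host: 192.168.10.20 (jdbc:mysql://192.168.10.20:3306/app)
public class Config {
    /* admin password = Hunter2! remove before release */
    String url = "http://example.com/api"; // public endpoint
    int retries = 3; // retry count
}
"""


def scan_comments(source):
    """Return (line, matched_kinds, comment_text) for each sensitive comment."""
    findings = []
    for m in COMMENT_RE.finditer(source):
        text = m.group(0)
        line = source.count("\n", 0, m.start()) + 1
        kinds = [kind for kind, rule in SENSITIVE.items() if rule.search(text)]
        if kinds:
            findings.append((line, kinds, text.strip()))
    return findings


if __name__ == "__main__":
    for line, kinds, text in scan_comments(SAMPLE):
        print(f"line {line}: {', '.join(kinds)}: {text}")
```

The same pass can run over deployed front-end files, where the comments are delivered to every visitor rather than kept on the server.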

When an image URL is requested, the server returns one of three results depending on whether the address is "alive" and what type of data it returns: "image does not exist", "format error", or the image is displayed normally. A hacker uses this return logic of the server, through an SSRF that requests an image, to find out which back-end services are "alive".

When you log in to an application, its return logic may look like this: if the user name and password entered are correct, the login succeeds; if the application has no such user, it returns "user name does not exist"; if the user name and password do not match, it returns "password error".
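Both return-logic leaks above (the three-way image response and the two-way login message) have the same fix: collapse every failure branch into one response. The following is an added example, not code from the original post. The image fetcher validates the URL against an allowlist of image hosts before any request is made and returns one generic body for every failure, so neither the "alive" state nor the content type of an arbitrary address is revealed; the login returns one message whether the user is missing or the password is wrong. The user table, the allowlist, and the fake HTTP client are constructed, and the login compares plain strings only to keep the example short (real systems compare password hashes).

```python
import hmac
from urllib.parse import urlparse

# Constructed user store; a real one holds password hashes, not passwords.
USERS = {"alice": "s3cret"}
# Constructed allowlist of hosts the image endpoint is permitted to fetch from.
ALLOWED_IMAGE_HOSTS = {"img.example.com"}

GENERIC_IMAGE_ERROR = ("error", "Image unavailable")
GENERIC_LOGIN_ERROR = "Invalid username or password"


def login(username, password):
    """One message for both failure causes, and a constant-time compare."""
    stored = USERS.get(username, "")  # unknown user still goes through the compare
    ok = stored != "" and hmac.compare_digest(stored.encode(), password.encode())
    return "Login OK" if ok else GENERIC_LOGIN_ERROR


def fetch_image_response(url, fetch):
    """Validate before fetching; any failure maps to the same generic body.

    `fetch` is an injected callable (assumption) standing in for the real HTTP
    client. It is never called for a URL outside the allowlist, so the
    endpoint cannot be used to probe other addresses.
    """
    parts = urlparse(url)
    if parts.scheme not in ("http", "https") or parts.hostname not in ALLOWED_IMAGE_HOSTS:
        return GENERIC_IMAGE_ERROR
    try:
        content_type, data = fetch(url)
    except Exception:
        return GENERIC_IMAGE_ERROR        # "does not exist" and "format error" look the same
    if not content_type.startswith("image/"):
        return GENERIC_IMAGE_ERROR
    return ("ok", data)


class FakeFetcher:
    """Constructed stand-in for an HTTP client; records which URLs were contacted."""
    RESPONSES = {
        "https://img.example.com/logo.png": ("image/png", b"\x89PNG"),
        "https://img.example.com/notes.txt": ("text/plain", b"hello"),
    }

    def __init__(self):
        self.calls = []

    def __call__(self, url):
        self.calls.append(url)
        if url not in self.RESPONSES:
            raise IOError("404 Not Found")
        return self.RESPONSES[url]


if __name__ == "__main__":
    fetcher = FakeFetcher()
    for u in ["https://img.example.com/logo.png",
              "https://img.example.com/notes.txt",
              "https://img.example.com/missing.png",
              "http://internal-service.local/status"]:
        print(u, "->", fetch_image_response(u, fetcher))
    print("contacted:", fetcher.calls)
    print(login("nobody", "x"), "|", login("alice", "wrong"), "|", login("alice", "s3cret"))
```

The allowlist is the important part: a uniform error message alone still lets a request reach the internal address, so the check has to happen before the fetch.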

What are the common direct leaks?

The first kind of leakage is related to the hidden files of version control tools.

SVN creates a .svn folder in the project directory, which stores the source file information of every version of the application and is also the data basis for SVN to roll back code. If SVN can reproduce any version of the code from the data in .svn, so can a hacker. As long as the .svn directory is not deleted from the code when it goes online, hackers can access every file under the .svn URL. Then, by running a simple script, the hacker can recover a complete version of the code.

For this kind of source code leakage caused by extra content in the directory (.svn / .git), on the one hand we need to manually review the online code to make sure that irrelevant files and folders are properly cleared; on the other hand, we can also restrict some sensitive paths in the HTTP service.
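Both halves of that advice, as an added example that is not code from the original post: a pre-deployment check that walks the release directory and reports any version-control directories left in it, and a request-path filter of the kind a web server deny rule implements, which decodes percent-encoding and collapses `..` segments before looking for `.svn` or `.git` so that encoded or traversal spellings of the path are caught too. The sample release tree is constructed in a temporary directory.

```python
import os
import posixpath
import tempfile
from urllib.parse import unquote

VCS_DIRS = {".svn", ".git", ".hg"}


def find_vcs_dirs(root):
    """Return release-relative paths of VCS directories found under root."""
    found = []
    for dirpath, dirnames, _ in os.walk(root):
        for name in list(dirnames):
            if name in VCS_DIRS:
                found.append(os.path.relpath(os.path.join(dirpath, name), root))
                dirnames.remove(name)   # no need to descend into it
    return sorted(found)


def is_blocked_path(request_path):
    """True if the normalized request path contains a VCS directory segment.

    Decoding one layer of percent-encoding and normalizing '.' / '..' first
    means /static/%2Esvn/entries and /static/../.git/config are both refused,
    not only the literal /.svn/... form.
    """
    decoded = unquote(request_path)
    normalized = posixpath.normpath(decoded)
    return any(segment in VCS_DIRS for segment in normalized.split("/"))


def make_sample_tree():
    """Constructed release tree with two leftover VCS directories."""
    root = tempfile.mkdtemp()
    for rel in ["app/.svn/entries", "app/index.php",
                "app/lib/.git/HEAD", "app/lib/util.php"]:
        path = os.path.join(root, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        open(path, "w").close()
    return root


if __name__ == "__main__":
    root = make_sample_tree()
    leftovers = find_vcs_dirs(root)
    print("VCS directories in release:", leftovers or "none")
    for p in ["/index.php", "/.svn/entries", "/static/%2Egit/HEAD",
              "/static/../.git/config"]:
        print(p, "->", "blocked" if is_blocked_path(p) else "allowed")
```

Run the directory check in the release pipeline and fail the build on any finding; the path filter is the safety net for the case where a file still slips through, and the equivalent rule belongs in the web server's configuration in front of the application.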

Besides being a version control tool, Git is also a very popular code hosting tool. In addition to the hidden-file vulnerability mentioned above (Git generates a .git directory, which likewise contains the file information of every version of the application), Git also has the problem of code being uploaded to public platforms. However, uploading code to GitHub is usually a personal act, so it is hard for us to prevent it by technical means.

Companies should start by strengthening employee security awareness training and their management systems to prevent employees from uploading code privately. In addition, a company can run periodic patrols of GitHub (a well-known tool is Hawkeye), searching for company code keywords (such as commonly used package names, domain names, and so on). Code matched in this way is very likely to be code made public by employees; after confirmation, we can contact the uploader to delete it.

Summary

Basically, the first step of every attack starts with information leakage. Hackers have no way to attack a system they know nothing about, so they use leaked information to infer the overall architecture and logic of the application.

There are many ways and reasons for information leakage. Besides leaks caused by hackers actively launching attacks, many leaks are caused by non-technical reasons.

  • Information shielding: use technical means to block access to resources that should not be accessible, to avoid information leakage;
  • Code detection: examine code and applications from both the "white box" and "black box" directions, and give early warning of possible leaks;
  • Manual audit: for leakage caused by non-technical reasons, strengthen manual audits; at the same time, improve employee security awareness through the company's management system.


Source: www.cnblogs.com/liugangjiayou/p/12711981.html