GitHub Enterprise SQL Injection (opens in new tab)

I find it hilarious how people think there are all these "amazing engineers" around. Sometimes it even seems like hero worship. The reality is that the vast majority of engineers are mediocre even at high-profile tech companies and hot startups. That's not a bad thing and I don't mean it as a criticism; modern civilization has largely been built by mediocre engineers. And even the best engineers make frequent mistakes.

While there are many ways to catch this sort of thing (code review, static analysis, education) I have to place the "blame" here on ActiveRecord. The 'order' API takes an arbitrary string by default. 99.999% of the time, this value can be restricted to a column name or can safely be escaped. For the 0.0001% of the time that something more complex (e.g. Sorting by a calculation like sum(column)) should require a separate, more cautious or complex API call. The common assumption is that all ActiveRecord APIs are "safe" and that simply isn't the case. Brakeman couldn't catch this since it's in Sinatra code and not rails code. Code review didn't catch this because the API was assumed safe by reviewers. Education didn't catch this because not everyone has seen rails-sqli.org. Mind boggling, but still very possible.

Basically any language that has easy string interpolation and takes SQL via a string has this as a potential issue.

The implementations across languages are remarkably similar, I suppose due to the lineage of the original C apis from the various DB vendors.

I don't see any easy way to fix it. If it's possible, and easy to do, it will keep happening.

We have been enjoying 2017 for quite some time now

It's possible to an extent. The disassembler being used is a commercial product called IDA from Hex-Rays [1]. They also sell a decompiler plugin for IDA. While it can generate C-like output, it being 'readable' is debatable. Because of the lack debug symbols, compiler optimizations, and other things in release binaries, the decompiler output has some confusing characteristics. Just to name a few things: improperly guessed calling convention, odd code flow (lots of goto statements, labels, and inverted loops), messy dynamic string creation [2], bit shifts instead of multiplication/division for powers of 2, pointer arithmetic to access struct fields, stack variables reused for multiple purposes, etc. With all that being said, the Hex-Rays decompiler is the best I've seen so far. It's great to have when you want a quick overview of a function you are reverse engineering, if you or your company is willing to pay the exorbitant cost that is.

Additionally, there is open source decompiler called Snowman [2] that is pretty neat also.

[1] https://www.hex-rays.com/index.shtml [2] http://reverseengineering.stackexchange.com/questions/3546/e... [3] https://github.com/yegord/snowman

The application is written in Ruby and the code was just slightly[1] obfuscated so there was no need to decompile the actual application he was analyzing.

[1] "This obfuscation is intended to discourage GitHub Enterprise customers from making modifications to the VM. We know this 'encryption' is easily broken."

Decompilers exist (like Boomerang), but it is more likely the author used something like IDA Pro, which has a code flow graph feature.

http://boomerang.sourceforge.net/

> GitHub chooses to encrypt their source code to prevent modifications. Our experience at GitLab is that customer modifications don't cause a lot of extra load on our support team. But of course that might be caused by having different architectures and customers.

Most of the companies I have worked at that require code obfuscation and / or encryption do so because they believe someone will steal their source and re-use it or at least discover how it works and re-implement it in an attempt to steal customers (typically they suggest China in all of those). I'm not sure what GitHub's reasoning is but I hadn't heard of someone doing it to prevent additional support load.

That's an interesting an angle I hadn't thought of.

It's amazingly easy to prevent for high value target type web apps use stored procedures only. The web app db user should only have permissions to execute appropriate stored procedures.

Is there a specified reason for it being marked as dangerous? It comes up fine for me. Granted it doesn't support SSL it seems (get that fixed, Orange!) so maybe you're using a plugin that marks non-SSL as dangerous?

> For those that this website is marked as dangerous

What's causing that, your ISP?

Probably has to do with the .tw TLD.

It's a bit of both. It's not so much a checklist as a classes of bugs, but close enough. That includes vulnerabilities like SQL injection, command injection, stored and reflected XSS, et cetera. The WAHH (Web Application Hacker's Handbook) is a good place to start here; it walks through a lot of these standard classes of web app vulns.

Something WAHH touches on, and experienced pentesters get a feel for, is more complex interactions. Often that means chaining several not-so-bad bugs together to build something really exciting. Sometimes they're just obscure consequences of say, a rather complex authorization system. These are typically a lot harder to find, and may involve simultaneous code audits. Ideally, your long-term in-house security people find these, because any attacker that does is in the 95th cleverness percentile.

So, TL;DR: start with WAHH; then go find some vulns, and start thinking about what the app does in terms of alternative things a program could do that a reasonable programmer who was just trying to get it to work might not have thought about.

If you're looking for tools to play with, you can do worse than downloading Kali and running it on a VM. If nothing else, it'll give you a pretty big catalog of tools to start looking at. I think WAHH covers basic Burp Suite usage, but Kali has some other tools like sqlmap and BeEF that aren't too tricky to get started with.

WAHH: http://mdsec.net/wahh/ Kali: https://www.kali.org/

So there are various ways to learn about the basics (aside from experience); look into SQL injection, XSS and CSRF as a starter then once you understand and can attempt to perform those, you can work your way through this comprehensive if dry guide:

https://www.owasp.org/index.php/OWASP_Testing_Guide_v4_Table...

It literally contains almost everything for Webapps.

The next step is finding your own exploits or doing bug bounties.

If you are more interested in the other side of hacking (i.e. everything but webapps, usually OS level stuff) someone more informed than me can probably give you advice, but starting with microcorruption or similar won't hurt.

Regarding the tools, I recognize two-third of the tools from my web security class. So there are places where you can learn this.

Interesting that this is a standard use-case for ActiveRecord [0] and does not include any built-in protection against SQL injection. You can pass a hash of symbols into the method, but there is no safe way to pass string arguments with sanitizing them yourself.

[0] http://guides.rubyonrails.org/active_record_querying.html#or...

This one?

  2016/12/26 05:48 Report vulnerability to GitHub via HackerOne
  2016/12/26 08:39 GitHub response that have validated issue and are working on a fix.
  2016/12/26 15:48 Provide more vulneraiblity detail.
  2016/12/28 02:44 GitHub response that the fix will included with next release of GitHub Enterprise.
  2017/01/04 06:41 GitHub response that offer $5,000 USD reward.
  2017/01/05 02:37 Asked Is there anything I should concern about if I want to post a blog?
  2017/01/05 03:06 GitHub is very open mind and response that it’s OK!
  2017/01/05 07:06 GitHub Enterprise 2.8.5 released!

Or this one?

  Day 1 - Setting VM
  Day 2 - Setting VM
  Day 3 - Learning Rails by code reviewing
  Day 4 - Learning Rails by code reviewing
  Day 5 - Learning Rails by code reviewing
  Day 6 - Yeah, I found a SQL Injection!