Evolving Polyscripting: Applying the MTD technique to a “Damn Vulnerable Web Application”

When I first wrote about Polyscripting it was to introduce a new application of our Moving Target Defense (MTD) cybersecurity approach, one that applies MTD directly to a programming language. The concept was in the early stages of development; the post was largely written to explain the thinking behind the idea. This time around, we are demonstrating the technique in a “reach out and touch it” kind of way.

The Open Web Application Security Project (OWASP) has an application that enables users to try out different exploitations of a php website. It is aptly named the “Damn Vulnerable Web Application,” or DVWA. This education-focused site can be modified to simulate different levels of application security, from low (very vulnerable) to impossible (meticulously written to stop the given attack vectors). The purpose is to showcase the varying degrees and methods by which hackers can exploit a website, and the ways in which you can change how you write an app to proactively make exploits more difficult.

One such attack vector is remote code execution by way of file uploading. The gist is this: a malicious actor uploads a file with the intention of inserting a backdoor or injecting some other code to be executed. They then access this file (often at a later date, repeatedly) to gain an entrance into the server and/or gain access to sensitive data.

However, when Polyscripted, even with the fewest, weakest security checks in place, this attack vector is rendered ineffective. Any kind of attack vector that relies on injected php code being executed will instead result in a syntax error. Polyverse’s Polyscripting and the DVWA are open source, so we welcome and encourage anyone to try it out for themselves.

Give it a go!

Demo

To start the server and run the site within a Docker container on localhost, execute the command:

docker run -d -p 80:80 polyverse/dvwa

Navigate to localhost:80 in a web browser.

From here, the site should look and navigate like the original OWASP website, but the php interpreter has been scrambled and the source code has been transformed into matching Polyscripted-php.

To sign in, use the following credentials:

username = admin
password = password
(Damn. Vulnerable)

Click the “Create Database” button. A database will be initialized. Afterwards, you will need to log in again using the same credentials as above.

After logging in, the landing page will be the main DVWA website. Navigate to the “File Upload” link on the left side of the page.

From here, upload any .php file. We have included a few examples in the Polyverse GitHub repo. After uploading the file, the page will display the location to which the file was uploaded.

Navigate to the location in your browser. Example:

http://localhost:80/hackable/uploads/php-reverse-shell.php

Normally, navigating to that page would cause the source code on the page to execute. However, with Polyscripted-php what is displayed instead is a syntax error.

No back entrance. No remote code execution. No unwanted malicious code running without you knowing about it.

To see more:

https://github.com/polyverse/dvwa

Why It Matters

Last week cybersecurity consultancy Secarma released a report detailing a php vulnerability that leaves several popular content-management systems (CMSs) open to exploitation, notably WordPress. Although WordPress was notified of the problem a year ago, no fix has yet been implemented. It is also worth noting that although this vulnerability has existed for years, it was not reported to WordPress users. Regardless of the security mechanisms in place, the tricky part about cybersecurity is that we often protect against known threats, but unintentionally leave ourselves open to anything else — until the next big hack hits.

This is not unusual. As a default in cybersecurity we get comfortable thinking that as long as we follow a list of guidelines or tick enough boxes, we are thwarting hackers and preventing hacks. A Moving Target Defense approach recognizes that attack vectors shift and hackers are creative. MTD removes key assumptions that hackers make when trying to gain access to information. For example, one assumption would be that the underlying language of WordPress is php. Polyscripting the [php] language effectively makes a hacker’s payload containing php code useless, because the Polyscripted php is 100% unique — unique to a particular site in a particular instance at a particular time. Only the Polyscripted php will run.

The assumption is rendered false, and the attack vector is thwarted. In other words, you are taking the hammer out of the toolkit rather than letting hackers try another nail.

Instead of trying to foresee every scenario in which code could get injected, and guarding against every possible individual case, Polyscripting does not allow foreign php code to be executed at all. It simply removes that entire attack vector from the equation.
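The mechanism described above, reduced to a toy model (an added example, not Polyverse's code and not the DVWA's): each deployment derives its own private keyword names, the trusted application source is rewritten into that dialect, and anything still written in stock php is rejected before it can run. The keyword list, seed, sample app source and the stand-in for an uploaded file are all constructed for illustration.

```python
import random
import re

# Constructed illustration of the Polyscripting idea: a per-instance renaming of
# the language's reserved words. Toy model only, not Polyverse's implementation;
# the real project scrambles the php interpreter itself.
PHP_KEYWORDS = ["if", "else", "echo", "function", "return",
                "while", "foreach", "for", "class", "new"]

# Tokens: quoted strings (kept whole so keywords inside text are untouched),
# identifiers/variables, then runs of anything else, then any single char.
TOKEN_RE = re.compile(
    r"""'(?:\\.|[^'\\])*'|"(?:\\.|[^"\\])*"|\$?[A-Za-z_]\w*|[^'"$A-Za-z_]+|.""",
    re.DOTALL,
)


def make_keyword_map(seed):
    """One deployment, one secret dialect: map each keyword to a random name."""
    rng = random.Random(seed)
    return {kw: "".join(rng.choice("abcdefghijklmnopqrstuvwxyz") for _ in range(8))
            for kw in PHP_KEYWORDS}


def polyscript(source, kwmap):
    """Transform trusted application source into the instance's private dialect."""
    return "".join(kwmap.get(tok, tok) for tok in TOKEN_RE.findall(source))


def accepts(source, kwmap):
    """Toy front end of the scrambled interpreter: it understands only the private
    keywords, so a stock php keyword is an unknown bareword, which is what yields
    the syntax error seen in the demo. True if the source parses, False otherwise."""
    for tok in TOKEN_RE.findall(source):
        if tok in PHP_KEYWORDS:
            return False  # stock php keyword: not part of this instance's language
    return True


def demo(seed=2018):
    kwmap = make_keyword_map(seed)
    # Constructed sample app source and a constructed stand-in for an uploaded
    # file written in ordinary php (stock keywords only, no real payload).
    app_src = "<?php if ($ready) { echo 'if you see this, the app runs'; } ?>"
    uploaded = "<?php echo 'injected'; ?>"
    return {
        "scrambled_app_runs": accepts(polyscript(app_src, kwmap), kwmap),  # True
        "original_app_runs": accepts(app_src, kwmap),                      # False
        "uploaded_file_runs": accepts(uploaded, kwmap),                    # False
    }
```

Only source that was rewritten with this instance's map parses; the same app in stock php, and anything uploaded in stock php, fails exactly as the foreign file does in the DVWA demo.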

Polyscripting is gaining momentum. Currently at Polyverse we are working on applying the technique to WordPress to get a more real-world demo up and running. Our roadmap includes other web-hosting sites, scrambling the grammar, scrambling built-in functions, and applying the same techniques to other languages. Check out the open source project.
