Oh No They Didn't! 7 Web App Security Stories (v1.0)

This is the first iteration of a talk that goes through some of the more ..."interesting" failures in web app security from the 2009-2010 assessment calendar.


Slide 1 – Oh No They Didn’t!
15 October 2010
Rafal M. Los, HP Security Evangelist

Slide 2 – Web Application Security is Hard…
Slide 3 – Story #1 – “Loyalty-free”
The Story…
- Utilizing a restaurant delivery service; website-driven interaction
- During the transaction the credit card was input incorrectly; the transaction was rejected, but “loyalty points” still accrued
- Result: logic flaw exposing the website to scripted attack via CSRF
Lesson(s) Learned…
- The purchase process should be protected against CSRF (many options)
- Test, test, test and test again
- Manual security testing is required; you can’t just “scan”!
- Logic flaws can be discovered … advanced EFD-based tools needed
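Both lessons from Story #1 in one purchase handler, as an added example that is not from the talk: a synchronizer token rejects cross-site submissions, and the loyalty credit is only reachable after the card charge succeeds, so a declined card cannot accrue points. The session store, loyalty store and card-gateway stub are constructed stand-ins.

```python
import hmac
import secrets

# Constructed in-memory stores standing in for the site's session and loyalty databases.
SESSIONS = {}
LOYALTY = {}


def new_session(user):
    """Start a session and bind a fresh, unguessable CSRF token to it."""
    sid = secrets.token_urlsafe(16)
    SESSIONS[sid] = {"user": user, "csrf": secrets.token_urlsafe(32)}
    return sid


def charge_card(card_number, amount):
    """Stand-in for the payment gateway: constructed cards not starting with '4' are declined."""
    return card_number.startswith("4") and amount > 0


def place_order(sid, form):
    """Purchase handler: reject cross-site requests, credit points only after payment succeeds."""
    session = SESSIONS.get(sid)
    if session is None:
        return {"status": "no_session"}
    # 1. Synchronizer-token check; constant-time compare so the token leaks nothing via timing.
    if not hmac.compare_digest(session["csrf"].encode(), form.get("csrf", "").encode()):
        return {"status": "csrf_rejected"}
    # 2. The payment outcome decides everything; the loyalty credit lives after this gate.
    if not charge_card(form["card"], form["amount"]):
        return {"status": "payment_declined", "points": LOYALTY.get(session["user"], 0)}
    LOYALTY[session["user"]] = LOYALTY.get(session["user"], 0) + int(form["amount"])
    return {"status": "ok", "points": LOYALTY[session["user"]]}
```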
Slide 4 – Story #2 – Web coupons
The Story…
- Large national pizza chain wants a 2-part marketing campaign
- 2 coupons: one for a $5 pizza, one for a FREE pizza
- Marketing agency creates a Flash! app and codes the logic into the client (both coupon codes)
- Accidental discovery leads to 11,000 free pizzas …oops
Lesson(s) Learned…
- Never perform critical business logic on the client
- Marketing teams don’t know about security … don’t understand
- Flash! can/will be decompiled and inspected…be aware
Slide 5 – Client-Side Data Validation: FAIL
Decompiled ActionScript (password values and customer name redacted in the original):

    …
    button 9 {
      on (release, keyPress '<Enter>') {
        if (password eq ' PASSWORD ') {
          getURL('http://www.SomeCompany.tld/client_pages/CUSTOMER_REMOVED/778.html', '');
        } else {
          if (password eq ' PASSWORD ') {
            getURL('http://www.SomeCompany.tld/client_pages/CUSTOMER_REMOVED/781.html', '');
          } else {
            if (password eq ' PASSWORD ') {
              getURL('http://www.SomeCompany.tld/client_pages/CUSTOMER_REMOVED/783.html', '');
            } else {
              if (password eq ' PASSWORD ') {
                getURL('http://www.SomeCompany.tld/client_pages/CUSTOMER_REMOVED/771.html', '');
              } else {
                if (password eq ' PASSWORD ') {
                  getURL('http://www.SomeCompany.tld/client_pages/CUSTOMER_REMOVED/799.html', '');
                } else {
                  …
Slide 6 – Story #3 – Hold this encryption key
The Story…
- Flash application sending “encrypted” data across the wire; context: play a game, win a prize
- “Encryption” scheme (including key) embedded in the Flash application
- Download, decompile, repurpose and win every time?
Lesson(s) Learned…
- It’s not encryption if you also give me the scheme + key
- Flash! can/will be decompiled and inspected…be aware
- Security testing would reveal the weakness … other ideas for solving this?
Slide 7 – Client-Side Encryption: FAIL
Decompiled ActionScript from the game client:

    try {
      strURI = ExternalInterface.call("getLittleServer");
      …
      n1 = parseInt(strN1);
      n2 = parseInt(strN2);
      nAlgo = n1 * n2 * nScore + nScore;
      strToPass = nGameId + "," + nScore + "," + nTime + "," + nAlgo;
      encrypted_data = MD5.hash(strToPass);
      submission_data = "score=" + nScore + "|gameId=" + nGameId + "|timestamp=" + nTime + "|key=" + encrypted_data;
      variables = new URLVariables();
      variables.attr1 = submission_data;
      request = new URLRequest(strURI);
      request.data = variables;
      navigateToURL(request, "_self");
      return submission_data;
      …
Slide 8 – Story #4 – Pwn3d (ouch)
The Story…
- Commercial, templated online restaurant menu & ordering system
- Developer believed there was no need to test: “why would anyone want to hack this?”
- SQL Injection hole found … the app had already been compromised
- App was distributing the Zeus bot (and other malware) to customers!
Lesson(s) Learned…
- Arrogance is more deadly than lack of knowledge
- SQL Injection is not a highly complex attack (‘or 1=1 to detect)
- Not only vulnerable, now a liability and an investigation
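The “‘or 1=1” probe from Story #4 run against a constructed menu table, as an added example that is not part of the talk: the concatenated query lets the probe rewrite the WHERE clause and return every row, including a non-public one, while the parameterized version treats the same text as a plain name and matches nothing. The table and rows are constructed sample data, using SQLite in place of the product’s database.

```python
import sqlite3


def make_db():
    """Constructed sample menu table; the 'public = 0' row stands in for data the app must not expose."""
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE menu (id INTEGER, name TEXT, public INTEGER)")
    con.executemany(
        "INSERT INTO menu VALUES (?, ?, ?)",
        [(1, "Margherita", 1), (2, "Calzone", 1), (3, "staff-only special", 0)],
    )
    return con


def find_item_vulnerable(con, name):
    """String concatenation: user text becomes part of the SQL grammar, so a quote escapes the literal."""
    sql = "SELECT name FROM menu WHERE public = 1 AND name = '" + name + "'"
    return [row[0] for row in con.execute(sql)]


def find_item_safe(con, name):
    """Parameterized query: the value travels separately from the statement and can only ever be a name."""
    sql = "SELECT name FROM menu WHERE public = 1 AND name = ?"
    return [row[0] for row in con.execute(sql, (name,))]


# The detection probe from the slide, with a trailing comment so the query stays syntactically valid.
PROBE = "' or 1=1--"
```

A single request whose response contains rows that the legitimate query never returns is exactly the signal a scanner (or a log review) keys on.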
Slide 9 – Story #5 – Predictable
The Story…
- Online retail shopping cart sends an email with a “customer ID”-based order retrieval system (no passwords!)
- Customer can save shipping details, payment information…
- Predictable customerID parameter in the URL (CustID=aaaabbbcccdddd)
- Alpha-numeric, non-case-sensitive …but predictable
Lesson(s) Learned…
- It can be a hassle, but require users to fully “register” (userID + pwd)
- Randomize at least a 32-bit alpha-numeric string for CustID
- Predictable IDs exposed customer data, critical payment info!
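The second lesson from Story #5 worked through, as an added example that is not from the talk: for the slide’s alphabet (alphanumeric, case-insensitive, so 36 symbols) it computes how many characters a 32-bit identifier needs and draws one from the OS CSPRNG. The 14-character ID on the slide is also scored to show that length was never the problem; a counter-derived value has no entropy however long it is.

```python
import math
import secrets
import string

# The alphabet described on the slide: digits plus letters, case-insensitive, so 36 symbols.
ALPHABET = string.digits + string.ascii_lowercase


def entropy_bits(length, alphabet=ALPHABET):
    """Keyspace size in bits for an ID of `length` symbols, *if* every symbol is chosen at random."""
    return length * math.log2(len(alphabet))


def chars_for_bits(bits, alphabet=ALPHABET):
    """Smallest ID length whose keyspace holds at least `bits` bits of entropy."""
    return math.ceil(bits / math.log2(len(alphabet)))


def random_cust_id(bits=32, alphabet=ALPHABET):
    """Unpredictable CustID: each symbol comes from `secrets`, never from a counter or timestamp."""
    return "".join(secrets.choice(alphabet) for _ in range(chars_for_bits(bits, alphabet)))


def is_well_formed(cust_id, bits=32, alphabet=ALPHABET):
    """Server-side sanity check before looking an ID up: right length, right alphabet."""
    return len(cust_id) >= chars_for_bits(bits, alphabet) and all(c in alphabet for c in cust_id)
```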
Slide 10 – Story #6 – Name your own price
The Story…
- Critical application for customers to purchase extremely high-value replaceable parts for power-generation systems
- Parameter “NetCost” present in the URL and POST body
- Server accepts the NetCost price from the POST body on the final page of checkout
Lesson(s) Learned…
- Never, ever, ever, ever trust anything you send to the client
- The server should always hold the “record of truth”
- Validate against server-known data prior to processing checkout
- Test, test, test … this is a business logic flaw!
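Story #6’s final checkout step in both forms, as an added example that is not the application’s code: the vulnerable handler bills whatever NetCost arrives in the POST body, while the hardened one treats the server-side catalog as the record of truth, lets the client name only the part and quantity, and flags a submitted NetCost that disagrees with the real price as a tamper signal worth logging. The catalog and part numbers are constructed.

```python
from decimal import Decimal, InvalidOperation

# Constructed server-side catalog: the "record of truth" the slide calls for (prices assumed in USD).
CATALOG = {
    "TURBINE-BLADE-7": Decimal("48200.00"),
    "SEAL-RING-2": Decimal("1350.00"),
}


def checkout_vulnerable(form):
    """The flaw in the story: the final page trusts the NetCost field the client posted."""
    return {"status": "ok", "part": form["part"], "charged": Decimal(form["NetCost"])}


def checkout(form):
    """Hardened handler: price is derived from server-known data, never from the request."""
    part = form.get("part")
    if part not in CATALOG:
        return {"status": "unknown_part"}
    try:
        qty = int(form.get("qty", 1))
    except ValueError:
        return {"status": "bad_quantity"}
    if qty < 1:
        return {"status": "bad_quantity"}
    total = CATALOG[part] * qty
    # A NetCost that reached the server at all is suspicious; one that disagrees is a tamper signal.
    tampered = False
    if "NetCost" in form:
        try:
            tampered = Decimal(form["NetCost"]) != total
        except InvalidOperation:
            tampered = True
    return {"status": "ok", "part": part, "charged": total, "tampered": tampered}
```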
Slide 11 – Story #7 – But wait, there’s MORE
The Story…
- Demonstrating a web app security testing tool against a customer application
- SQL Injection hole found, exploited at the MS SQL Server
- Server was clustered, on the internal network, with extended stored procedures enabled
- Mission-critical web-application database on the internal, AD-based network
Lesson(s) Learned…
- So many layers of fail … layered upon SQL Injection (testable!)
- Separate your databases by criticality
- Remove non-necessary stored procedures, secure privileges
Slide 12 – Contribute …
Do you have a story that’s too funny not to be true?
SHARE IT!

Slide 13 – Done.
Rafal M. Los
Security Evangelist
@Wh1t3Rabbit
Rafal@HP.com
Hp.com/go/white-rabbit