Oh No They Didn't! 7 Web App Security Stories (v1.0)
This is the first iteration of a talk that goes through some of the more... "interesting" failures in web app security over the 2009-2010 assessment calendar.

Transcript

  • 1. Oh No They Didn’t!
    15 October 2010
    Rafal M. Los
    HP Security Evangelist
  • 2. Web Application Security is Hard…
    2
    15 October 2010
  • 3. Story #1 – “Loyalty-free”
    The Story…
    Using a restaurant delivery service; website-driven interaction
    During the transaction the credit card was entered incorrectly; the transaction was rejected, but “loyalty points” still accrued
    Result: Logic flaw exposing the website to scripted attack via CSRF
    Lesson(s) Learned…
    Purchase process should be protected against CSRF (many options)
    Test, test, test and test again
    Manual security testing is required; you can’t just “scan”!
    Logic flaws can be discovered … advanced EFD-based tools needed
  • 4. Story #2 – Web coupons
    The Story…
    Large national pizza chain wants 2-part marketing campaign
    2 coupons: 1 for $5 pizza, one for FREE pizza
    Marketing agency builds a Flash! app and codes the logic into the client (both coupon codes included)
    Accidental discovery leads to 11,000 free pizzas …oops
    Lesson(s) Learned…
    Never perform critical business logic on the client
    Marketing teams don’t know about security … don’t understand
    Flash! can/will be decompiled and inspected…be aware
  • 5. Client-Side Data Validation: FAIL

    // Decompiled ActionScript 2 from the Flash app: every "password" and the
    // page it unlocks are compared on the client, so anyone who decompiles the
    // SWF can read them all (values redacted on the slide).
    button 9 {
    on (release, keyPress '<Enter>') {
    if (password eq ' PASSWORD ') {
    getURL('http://www.SomeCompany.tld/client_pages/CUSTOMER_REMOVED/778.html', '');
    } else {
    if (password eq ' PASSWORD ') {
    getURL('http://www.SomeCompany.tld/client_pages/CUSTOMER_REMOVED/781.html', '');
    } else {
    if (password eq ' PASSWORD ') {
    getURL('http://www.SomeCompany.tld/client_pages/CUSTOMER_REMOVED/783.html', '');
    } else {
    if (password eq ' PASSWORD ') {
    getURL('http://www.SomeCompany.tld/client_pages/CUSTOMER_REMOVED/771.html', '');
    } else {
    if (password eq ' PASSWORD ') {
    getURL('http://www.SomeCompany.tld/client_pages/CUSTOMER_REMOVED/799.html', '');
    } else {
    // further branches elided on the slide
    }
    }
    }
    }
    }
    }
    }

  • 6. Story #3 – Hold this encryption key
    The Story…
    Flash application sending “encrypted” data across the wire; context: play a game, win a prize
    “Encryption” scheme (including key) embedded in Flash application
    Download, decompile, repurpose and win every time?
    Lesson(s) Learned…
    It’s not encryption if you also give me the scheme + key
    Flash! can/will be decompiled and inspected…be aware
    Security testing would reveal weakness … other ideas for solving this?
  • 7. Client-Side Encryption: FAIL
    // Decompiled ActionScript 3: the "key" is an MD5 hash over values the
    // client itself reports plus two constants (strN1, strN2) compiled into
    // the SWF, so anyone holding the decompiled app can recompute it for any score.
    try {
    strURI = ExternalInterface.call("getLittleServer");

    n1 = parseInt(strN1);
    n2 = parseInt(strN2);
    nAlgo = n1 * n2 * nScore + nScore;       // the whole "algorithm"
    strToPass = nGameId + "," + nScore + "," + nTime + "," + nAlgo;
    encrypted_data = MD5.hash(strToPass);    // a hash, not encryption; no secret involved
    submission_data = "score=" + nScore + "|gameId=" + nGameId + "|timestamp=" + nTime + "|key=" + encrypted_data;
    variables = new URLVariables();
    variables.attr1 = submission_data;
    request = new URLRequest(strURI);
    request.data = variables;
    navigateToURL(request, "_self");
    return submission_data;
    } catch (e:Error) {
    // error handling elided on the slide
    }

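Added example (not from the slides): the page's client-side "key" recomputed from public inputs next to a server-side alternative, one answer to the slide's "other ideas for solving this?". It assumes a server-held secret, a signed start-of-game token the client merely carries back, and a constructed points-per-second cap as a plausibility check; the client-computed key plays no part in the decision.

```python
import hashlib
import hmac
import json
import secrets
import time
from typing import Optional

# Assumption: the server alone holds this secret; it never ships in the SWF.
SERVER_SECRET = secrets.token_bytes(32)
MAX_POINTS_PER_SECOND = 50  # constructed plausibility cap for this game


def weak_key(game_id: int, score: int, ts: int, n1: int, n2: int) -> str:
    """The slide's scheme: MD5 over values the client already knows (n1, n2
    are constants from the SWF). Anyone with the decompiled app produces it."""
    n_algo = n1 * n2 * score + score
    return hashlib.md5(f"{game_id},{score},{ts},{n_algo}".encode()).hexdigest()


def _sign(payload: bytes) -> str:
    return hmac.new(SERVER_SECRET, payload, hashlib.sha256).hexdigest()


def issue_game_token(game_id: int, now: Optional[int] = None) -> str:
    """Server issues a signed start-of-game token; the nonce lets the server
    reject replays if it records tokens it has already accepted."""
    start = now if now is not None else int(time.time())
    body = {"game_id": game_id, "start": start, "nonce": secrets.token_hex(8)}
    payload = json.dumps(body, sort_keys=True).encode()
    return payload.hex() + "." + _sign(payload)


def accept_score(token: str, score: int, now: Optional[int] = None) -> bool:
    """Server-side check: the token must carry a valid signature, and the
    score must be plausible for the time elapsed since the server issued it."""
    try:
        payload_hex, sig = token.split(".", 1)
        payload = bytes.fromhex(payload_hex)
    except ValueError:
        return False
    if not hmac.compare_digest(_sign(payload), sig):
        return False
    body = json.loads(payload)
    elapsed = (now if now is not None else int(time.time())) - body["start"]
    if elapsed < 1:
        return False
    return 0 <= score <= elapsed * MAX_POINTS_PER_SECOND
```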
  • 8. Story #4 – Pwn3d (ouch)
    The Story…
    Commercial, templated online restaurant menu & ordering system
    Developer believed there was no need to test “why would anyone want to hack this?”
    SQL Injection hole found … app had already been compromised
    App was distributing Zeus bot (and other malware) to customers!
    Lesson(s) Learned…
    Arrogance is more deadly than lack of knowledge
    SQL Injection is not a highly complex attack (' or 1=1 to detect)
    Not only vulnerable, now a liability and an investigation
  • 9. Story #5 - Predictable
    The Story…
    Online retail shopping cart sends an email with a “customer ID”-based order retrieval system (no passwords!)
    Customer can save shipping details, payment information…
    Predictable customerID parameter in URL (CustID=aaaabbbcccdddd)
    Alpha-numeric, non-case-sensitive …but predictable
    Lesson(s) Learned…
    It can be a hassle, but require users to fully “register” (userID + pwd)
    Randomize at least a 32-bit alpha-numeric string for CustID
    Predictable IDs exposed customer data, critical payment info!
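Added example (not from the slides) of the "randomize at least a 32-bit alpha-numeric string" lesson: it takes the slide's figure as at least 32 bits of entropy, keeps the original case-insensitive alphanumeric alphabet, draws IDs from the OS CSPRNG and validates the format before any lookup. The entropy and length functions are constructed helpers.

```python
import math
import secrets

# The page's CustID was alpha-numeric and not case-sensitive, so each
# position draws from 36 symbols. Lower-case only keeps lookups unambiguous.
ALPHABET = "abcdefghijklmnopqrstuvwxyz0123456789"


def entropy_bits(alphabet_size: int, length: int) -> float:
    """Bits of entropy in a uniformly random string of this shape."""
    return length * math.log2(alphabet_size)


def min_length_for_bits(alphabet_size: int, bits: int) -> int:
    """Shortest length at which uniformly random IDs carry at least `bits` bits."""
    return math.ceil(bits / math.log2(alphabet_size))


def new_customer_id(bits: int = 32) -> str:
    """Unpredictable CustID from the OS CSPRNG (secrets), never a counter or
    anything derived from the order number."""
    length = min_length_for_bits(len(ALPHABET), bits)
    return "".join(secrets.choice(ALPHABET) for _ in range(length))


def is_well_formed(cust_id: str, bits: int = 32) -> bool:
    """Reject malformed IDs before any database lookup; normalise case first
    because the original scheme was case-insensitive."""
    cust_id = cust_id.lower()
    return (len(cust_id) == min_length_for_bits(len(ALPHABET), bits)
            and all(c in ALPHABET for c in cust_id))
```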
  • 10. Story #6 – Name your own price
    The Story…
    Critical application for customers to purchase extremely high-value replaceable parts for power-generation systems
    Parameter “NetCost” present in URL and POST body
    Server accepts the NetCost price from the POST body on the final page of checkout
    Lesson(s) Learned…
    Never, ever, ever, ever trust anything you send to the client
    The server should always hold the “record of truth”
    Validate against server-known data, prior to processing checkout
    Test, test, test … this is a business logic flaw!
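Added example (not from the slides) covering Story #2 and Story #6 together: a checkout that charges whatever NetCost the client posts, beside one where price and coupon rules come only from server-side data, with a per-campaign redemption cap that would have stopped the free-pizza run. The catalog, coupon table, SKUs and prices are constructed.

```python
from dataclasses import dataclass, field

# Constructed server-side catalog and coupon table (not any customer's real data).
# Prices live here and only here: the server is the record of truth.
CATALOG = {"turbine-blade": 48000.00, "large-pizza": 14.00}
COUPONS = {
    "FIVE": {"item": "large-pizza", "price": 5.00, "max_uses": 1000},
    "FREE": {"item": "large-pizza", "price": 0.00, "max_uses": 100},
}


@dataclass
class Checkout:
    coupon_uses: dict = field(default_factory=dict)

    def total_vulnerable(self, post_body: dict) -> float:
        """Story #6 as it shipped: whatever NetCost the client posts is charged."""
        return float(post_body["NetCost"])

    def total(self, post_body: dict) -> float:
        """Hardened: price and coupon rules come from server-side data only.
        A client-sent NetCost is ignored, unknown items or coupons are rejected,
        and a coupon is redeemable only as often as the campaign allows."""
        sku = post_body.get("sku")
        qty = int(post_body.get("qty", 1))
        if sku not in CATALOG or qty < 1:
            raise ValueError("unknown item or bad quantity")
        unit = CATALOG[sku]
        total = unit * qty
        code = post_body.get("coupon")
        if code is not None:
            rule = COUPONS.get(code)
            if rule is None or rule["item"] != sku:
                raise ValueError("coupon not valid for this item")
            used = self.coupon_uses.get(code, 0)
            if used >= rule["max_uses"]:
                raise ValueError("coupon exhausted")
            self.coupon_uses[code] = used + 1
            total = unit * (qty - 1) + rule["price"]  # coupon covers one unit
        return round(total, 2)
```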
  • 11. Story #7 – But wait, there’s MORE
    The Story…
    Demonstrating a web app security testing tool against a customer application
    SQL Injection hole found, exploited at the MS SQL Server
    Server was clustered, on internal network, extended stored procedures
    Mission-critical web-application database on internal, AD-based network
    Lesson(s) Learned…
    So many layers of fail … layered upon SQL Injection (testable!)
    Separate your databases by criticality
    Remove unnecessary stored procedures, secure privileges
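Added example (not from the slides) for the SQL injection root cause shared by Story #4 and Story #7: the string-built query that the slide's `' or 1=1` probe turns into a tautology, its parameterized replacement, and a crude log heuristic for spotting the probe. SQLite stands in for the MS SQL Server in the stories; the table, rows and regex are constructed.

```python
import re
import sqlite3


def make_db() -> sqlite3.Connection:
    """Constructed in-memory stand-in for the restaurant's ordering database."""
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE orders (id INTEGER PRIMARY KEY, customer TEXT, item TEXT)")
    con.executemany("INSERT INTO orders (customer, item) VALUES (?, ?)",
                    [("alice", "margherita"), ("bob", "calzone"), ("carol", "pasta")])
    return con


def orders_vulnerable(con: sqlite3.Connection, customer: str) -> list:
    """String-built SQL. A quote in the input closes the literal and the rest
    is parsed as SQL, which is why the page's ' or 1=1 probe returns every row."""
    sql = f"SELECT item FROM orders WHERE customer = '{customer}'"
    return [row[0] for row in con.execute(sql)]


def orders_parameterized(con: sqlite3.Connection, customer: str) -> list:
    """Bound parameter: the driver sends the input as a value, never as SQL text."""
    rows = con.execute("SELECT item FROM orders WHERE customer = ?", (customer,))
    return [row[0] for row in rows]


PROBE = re.compile(r"'\s*or\s+'?1'?\s*=\s*'?1", re.IGNORECASE)


def detect_sqli_probe(log_line: str) -> bool:
    """Crude access-log heuristic for the tautology probe the slide mentions.
    Constructed for illustration: it misses URL-encoded quotes (%27) and is no
    substitute for parameterizing the query."""
    return PROBE.search(log_line) is not None
```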
  • 12. Contribute …
    Do you have a story that’s too funny not to be true?
    SHARE IT!
  • 13. Done.
    Rafal M. Los
    Security Evangelist
    @Wh1t3Rabbit
    Rafal@HP.com
    Hp.com/go/white-rabbit
