SOURCE Seattle 2011 - Rafal Los

  • 1. Defying Logic: Theory, Design, and Implementation of Complex Systems for Testing Application Logic. Rafal Los – Security Evangelist. Source Seattle 2011. © Copyright 2011 Hewlett-Packard Development Company, L.P. The information contained herein is subject to change without notice.
  • 2. Otherwise titled: "See, I told you so..."
  • 3. Act 1 – The Pledge: FOUNDATIONS
  • 5. Define: Application Logic. Just what is "application logic"? "Design components of a program, including the sequencing of steps prescriptive for how to execute intended business processes in a piece of software"
  • 6. Logic Primer: A business process, ordering some food. [Flow diagram; boxes: Log In, Select Restaurant, Add Items, Verify Order, Add Payment, Transaction Success, Loyalty Points, Log Out (quit)]
  • 7. Logic Primer: A broken business process? [Flow diagram; same boxes as slide 6]
  • 8. Logic Primer: Can we manipulate intended process? [Flow diagram; same boxes as slide 6]
  • 9. Logic Primer: In this simple example: Manipulate a business process. Early loyalty points without paying – Points = fraud (free stuff!) – Free meals = financial lo$$ to vendor. Business process manipulated = theft, fraud, financial loss
  • 10. Define: Logic Defect. A defect that exposes the component business processes (or execution flows) to manipulation from the attacker perspective to achieve unintended and undesirable consequences from the design perspective; without disrupting the general function or continuity of the application.
  • 11. New Classifications: How is this different than existing classifications? • OWASP Top 10 • WASC Threat Classification v2 • MITRE CWE Top 25. A fundamentally different way of looking at software vulnerabilities.
  • 12. Building Onto CWE: MITRE CWE Top 25. "Classification of business-logic weaknesses is worth deeper investigation by researchers. While business logic rules are domain-specific, there may be some domain-independent patterns to them. We are likely to find new wrinkles to old problems, and maybe some new problems that will be easier to find once we know what to call them." – Steven Christey (MITRE)
  • 13. Logic Defect Classes: 2 classes of logic-based defects • Privilege manipulation • Transaction control manipulation
  • 14. Privilege Manipulation: Flaw based on broken or incomplete authentication/authorization mechanism • Horizontal/vertical privilege escalation • Access unauthorized content • Perform privileged system functions
  • 15. Privilege Manipulation
    <input type="text" name="username" size="30" tabindex="100" value="Wh1t3Rabbit" id="username" Role="user">
    <input type="text" name="username" size="30" tabindex="100" value="Wh1t3Rabbit" id="username" Role="admin">
  • 16. Transaction Control Manipulation: Flaw based on broken business process continuity allowing for manipulation of intended business process/flow • Circumvent system limitations • Tamper with application flow • Manipulate business resources
  • 17. Transaction Control Manipulation I want MORE than 10 tickets!
  • 18. Transaction Control Manipulation
  • 19. Transaction Control Manipulation
  • 20. Manipulating "Logic": The server should control the logic of the application. In this case, the server should know 30 is not a valid number… right?! ……… Nope.
  • 21. To Be Clear: The key point to remember: This research seeks to better enable the tester through automation. We are addressing 'designed processes'. We are not addressing 'back-end business process' (non-visible)
  • 22. Starting a Wave: FEW previously given talks or papers on logic vulnerabilities • Ideas → talks → papers → experiments? • A more tangible/usable effort is needed. NO real R&D effort by a vendor in this space as far as we could tell, proprietary or open source
  • 23. Lots of Talking… "So why aren't there any readily available, even semi-mature tools or frameworks for testing application logic?"
  • 25. Logic vs. Automation
    Application Logic: hard to define! • domain-specific • Industry • Business process • not pattern-based • not easy to 'RegEx'
    Automation: pattern-dependent • programmatic • scale is in repeatability • no concept of process
  • 26. Challenges
    For humans: understand the application • Business processes • 'Application flow'; identify control logic • critical parameters; differentiate test success or failure
    For technology: map the application processes • simple, flexible maps; drive automation • work with technology; document & repeat
  • 27. Application Logic: Application "logic" is tricky… • found on the server side • found in the client "cache" (offline use?) • no consistent patterns to match/test – Remember the AT&T/iPad email hack? • logic implies human thought required
  • 28. Simple Logic: Simplest logic block example…
    If <expression> Then do something
    ElseIf <expression> Then do something
    Else do something else
    End If
  • 29. Challenges: Bridging a vast disconnect
    Client (browser) DOM: var1=A var2=B var3=1 var4=@b var5=
    App Server: IF (var1 = A) { do IsUser; } ELSEIF (var1 = B) { do IsAdmin; } ENDIF
  • 30. Challenges: How to overcome random "fuzzing". Identify var1 as a critical parameter • Human or automation-driven. Manipulate var1 • human or technology driven • "fuzzing" or data-set driven. Technology enables scalability & repeatability
  • 31. Future State → Fantasy: Point 'n' shoot application logic testing • This was never a good strategy anyway* Dynamic testing tool 'learns' business processes, logic flow and thinks • I've seen this movie before… "SkyNet?" Security continues to operate independent of business
  • 32. Future State → Reality: Logic testing enabled through automation • Base logic mapping on QA methodology • Continue to evolve combined functional, exploratory & security testing. Technology allows repeatable testing throughout application after initial setup
  • 33. This Has Been Coming: Initially I talked about mapping application execution flow… Dynamic testing technology matured. Static testing technology matured. New "hybrid" technology gives even greater insight into application function
  • 34. Act 3 – The Prestige: BUILDING TEST FRAMEWORKS
  • 35. Overview: Test framework will constitute 3 phases. I. Capturing the assumed application behavior. II. Manipulation of the workflows to evoke (un)expected behavior patterns. III. Analyzing the results of the workflow manipulations to detect non-conformance with defined business processes
  • 36. 3 Step Process: Model the business process • create valid workflows. Manipulate application workflow • 'fuzzing logic'. Analyze the results • Were we successful in evoking a non-standard response?
  • 37. Modeling the Business Processes. Purpose: Discover business processes that define the application workflow. Challenge: Application workflow specifications are rarely documented and are often unknown to the testers. Solution: Passively monitor & record normal user behavior through the application
  • 38. Modeling the Business Processes: Proposed Approach. Devise a mechanism to: • Capture permissible user actions • Store the state of the application before and after the invocation of each user event • Record expected transitions between application states
  • 39. Manipulating the Application Workflow. Purpose: Induce deviations in the application behavior that do not conform with the assumed business rules. Challenge: Meaningfully manipulating application's behavior with minimal knowledge about its purpose & context. Solution: Apply pre-defined modifications to the state identifiers and state transactions recorded in phase I
  • 40. Manipulating the Application Workflow: Proposed Approach. Discover logic defects by: • Modifying the state of the application before passing it as an input to a transaction • Fuzz the sequence of user actions captured during the phase I to detect bugs in transaction control
  • 41. Analyzing the Results. Purpose: Determine the success of workflow manipulation. Challenge: Measuring the deviation in application behavior with minimal understanding of application context. Solution: Apply comparison metrics to infer deviations in the application workflows
  • 42. Analyzing the Results: Proposed approach • Measure the impact of workflow manipulations on the application state – compare state identifiers (e.g. system variables, page DOM) in the tainted workflow with the original • Apply pre-defined set of rules to detect violations of the business rules governing the application flow – E.g. An acceptable application end state can be reached despite inaccuracies in one or more intermediate states of the workflow
  • 43. DEMO! a rough idea of how this could work one day
  • 44. So now what? Thanks! How are you going to address this in YOUR apps?
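
The three phases from slides 35–42, sketched as an added example for a QA or security test harness; it is not code from the talk or from any HP tool. The step names and their order (taken from the boxes on slide 6), the toy server in `run`, its `enforce` switch and the business rule are all constructed assumptions, and only the sequence-fuzzing half of slide 40 is covered.

```python
# Phase I: the recorded "normal" workflow (constructed; order is an assumption).
RECORDED = ["login", "select_restaurant", "add_items", "verify_order",
            "add_payment", "transaction_success", "loyalty_points", "logout"]

def run(workflow, enforce):
    """Replay a workflow against a toy server; return the state after every step."""
    s = {"logged_in": False, "items": 0, "payment": False, "paid": False, "points": 0}
    trace = []
    for action in workflow:
        if action == "login":
            s["logged_in"] = True
        elif not s["logged_in"]:
            pass                                  # no session: request ignored
        elif action == "add_items":
            s["items"] += 1
        elif action == "add_payment":
            s["payment"] = True
        elif action == "transaction_success":
            s["paid"] = s["payment"] and s["items"] > 0
        elif action == "loyalty_points":
            if s["paid"] or not enforce:          # enforce=False: server trusts client ordering
                s["points"] += 10
        elif action == "logout":
            s["logged_in"] = False
        trace.append(dict(s))
    return trace

def mutations(workflow):
    """Phase II: drop each step, then swap each adjacent pair of steps."""
    for i, step in enumerate(workflow):
        yield f"drop {step}", workflow[:i] + workflow[i + 1:]
    for i in range(len(workflow) - 1):
        swapped = list(workflow)
        swapped[i], swapped[i + 1] = swapped[i + 1], swapped[i]
        yield f"swap {workflow[i]},{workflow[i + 1]}", swapped

def breaks_rule(trace):
    """Business rule: loyalty points may never exist without a paid transaction."""
    return any(s["points"] > 0 and not s["paid"] for s in trace)

def findings(enforce):
    """Phase III: map each rule-breaking mutation to 'end state equals the baseline'."""
    baseline = run(RECORDED, enforce)
    return {label: run(wf, enforce)[-1] == baseline[-1]
            for label, wf in mutations(RECORDED) if breaks_rule(run(wf, enforce))}

if __name__ == "__main__":
    for label, same_end in findings(enforce=False).items():
        print(f"{label:45} end state matches baseline: {same_end}")
    print("hardened server findings:", findings(enforce=True))
```

Checking the rule after every step rather than only at the end is what catches the case slide 42 warns about: swapping `transaction_success` and `loyalty_points` ends in the same state as the baseline, yet points were granted before payment.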