ISSA Infraguard ISACA Tampa 06192009

Business Logic Flaws

1 Comment
  • Shows the true facts of spammers, nice slide share. If you are in need of any scammer-related news, please visit my blog.
  1. Mo’ Money Mo’ Problems: Making A LOT more money on the Web the black hat way. Jeremiah Grossman, Founder & Chief Technology Officer, 06.19.2009. © 2009 WhiteHat, Inc.
  2. Jeremiah Grossman
     • Technology R&D and industry evangelist (InfoWorld's CTO Top 25 for 2007)
     • Frequent international conference speaker
     • Co-founder of the Web Application Security Consortium
     • Co-author: Cross-Site Scripting Attacks
     • Former Yahoo! information security officer
  3. WhiteHat Security
     • 200+ enterprise customers
     • Start-ups to Fortune 500
     • Flagship offering “WhiteHat Sentinel Service”
     • 1000’s of assessments performed annually
     • Recognized leader in website security
     • Quoted hundreds of times by the mainstream press
  4. Threat Capabilities (Threats / Attackers)
     Fully Targeted: Discover unlinked / hidden functionality; Exercise business processes; Customize business logic flaw exploits; Leverage information leakage; Interact with other customers; Perform multi-stage attacks.
       Example: ‘The Analyzer’ allegedly hacked into multiple financial institutions using SQL Injection to steal credit and debit card numbers that were then used by thieves in several countries to withdraw more than $1 million from ATMs. Guess, Petco, CardSystems, USC, etc.
     Directed Opportunistic: Authenticated crawling; Authenticated attacks; Intelligent HTML form submission; Test for technical vulnerabilities; Customize exploits; SQL Injection (data extraction); Cross-Site Scripting (Phishing).
       Example: Cyber criminals use XSS vulnerabilities to create very convincing Phishing scams that appear on the real website as opposed to a fake. JavaScript malware steals victims’ session cookies and passwords. Y! Mail, PayPal, SunTrust, Italian Banks, etc.
     Random Opportunistic: Unauthenticated crawling; Unauthenticated attacks; Test all attack surface discovered; Destructive attacks; Automated HTML form submission; SQL Injection (code insertion); Persistent Cross-Site Scripting; Advanced Filter Evasion Techniques; Generic exploits.
       Example: With Mass SQL Injection, automated worms insert malicious JavaScript IFRAMEs (pointing to malware servers) into back-end databases and use the capability to exploit unpatched Web browsers. According to Websense, “75 percent of Web sites with malicious code are legitimate sites that have been compromised.”
  5. Website Classes of Attacks (WASC 24 (+2)* Classes of Attacks)
     Business Logic: Humans Required
       Authentication: Brute Force; Insufficient Authentication; Weak Password Recovery Validation; CSRF*
       Authorization: Credential/Session Prediction; Insufficient Authorization; Insufficient Session Expiration; Session Fixation
       Logical Attacks: Abuse of Functionality; Denial of Service; Insufficient Anti-automation; Insufficient Process Validation
     Technical: Automation Can Identify
       Command Execution: Buffer Overflow; Format String Attack; LDAP Injection; OS Commanding; SQL Injection; SSI Injection; XPath Injection
       Information Disclosure: Directory Indexing; Information Leakage; Path Traversal; Predictable Resource Location
       Client-Side: Content Spoofing; Cross-site Scripting; HTTP Response Splitting*
  6. WhiteHat Security Top Ten: percentage likelihood of a website having a vulnerability by class: Cross-Site Scripting; Information Leakage; Content Spoofing; Insufficient Authorization; SQL Injection; Predictable Resource Location; Session Fixation; Cross-Site Request Forgery; Insufficient Authentication; HTTP Response Splitting.
     Total Websites: 1,031. Identified vulnerabilities: 17,888; Unresolved: 7,157 (60% resolution rate). Websites having had at least one HIGH, CRITICAL, or URGENT issue: 82%. Lifetime average number of vulnerabilities per website: 17. Websites currently with at least one HIGH, CRITICAL, or URGENT issue: 63%. Current average of unresolved vulnerabilities per website: 7. (WhiteHat Website Security Statistics Report, March 2009)
  7. QA overlooks them: tests what software should do, not what it can be made to do. Scanners can’t identify them: they lack intelligence and don’t know if something worked (or not). WAFs / IDSs can’t defend them: HTTP requests appear completely normal. Hackers exploit them: 230+ million websites, 1+ million using SSL.
  8. Promo codes for cheapskates. Online advertising campaigns distribute coupon and promo codes redeemable for discounts and other freebies. Some codes are more valuable than others.
  9. • X% and $X off sales • Free Shipping • 2 for 1 Specials • Add-Ons & Upgrades
  10. MacWorld Hacker VIP: Client-Side Hacking, Back to Back. Free MacWorld Platinum Pass ($1,695).
  11. Free Pizza Tastes Better. March 31, 2009... 1. Go to the Domino's Pizza site. 2. Order a medium one-topping pizza. 3. Enter coupon code “BAILOUT”. FREE! Still have to go pick it up!
  12. Share the Knowledge. “Spoke to a Domino's rep, who told me the free-pizza code was created internally for a promotion that was never actually green-lit.” 11,000 × $7.00 = $70,000. Oops!
  13. Other Tricks
     • Guess / Brute Force (No CAPTCHAs)
     • Stacking Multiple Codes
     • Delete Cookies (Don’t Forget Flash)
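The tricks on slide 13 (and the never-launched code on slides 11-12) all work because the server accepts whatever the client presents: any code that exists in the catalogue, as many times and in any combination as submitted, with reuse tracked only in a cookie the customer controls. The following is an added Python example, not code from the talk or from any merchant, showing a redemption handler that trusts the submitted codes beside one that ties redemptions to the authenticated account, refuses to stack codes that were not meant to stack, and budgets failed guesses per account. The coupon catalogue, limits and in-memory ledger are constructed for the example.

```python
"""Coupon redemption: the trusting version beside a hardened one.
Added example; the catalogue, limits and in-memory store are constructed."""
from collections import defaultdict
import time

# Constructed catalogue: discount in cents, per-account redemption cap, and whether the
# code may be combined with another non-stackable code in one order.
COUPONS = {
    "SAVE10": {"discount": 1000, "per_account_limit": 1, "stackable": False},
    "FREESHIP": {"discount": 500, "per_account_limit": 1, "stackable": True},
}


def apply_codes_weak(cart_total, codes):
    """Weak: honours every submitted code, stacks all of them, and records nothing,
    so the same code can be reused by clearing the browser's cookies."""
    discount = 0
    for code in codes:
        coupon = COUPONS.get(code)
        if coupon:
            discount += coupon["discount"]
    return max(cart_total - discount, 0)


class CouponService:
    """Hardened: redemptions are keyed by the authenticated account (server-side, not a
    cookie), only one non-stackable code per order, and a small budget of invalid
    codes per account before further attempts are refused."""

    MAX_FAILED_ATTEMPTS = 5
    WINDOW_SECONDS = 600

    def __init__(self, now=time.time):
        self.now = now
        self.redemptions = defaultdict(lambda: defaultdict(int))  # account -> code -> count
        self.failures = defaultdict(list)  # account -> timestamps of invalid codes

    def _too_many_failures(self, account):
        cutoff = self.now() - self.WINDOW_SECONDS
        self.failures[account] = [t for t in self.failures[account] if t > cutoff]
        return len(self.failures[account]) >= self.MAX_FAILED_ATTEMPTS

    def apply_codes(self, account, cart_total, codes):
        """Returns (new_total, accepted_codes, [(code, reason), ...] rejected)."""
        accepted, rejected = [], []
        discount = 0
        non_stackable_used = False
        for code in dict.fromkeys(codes):  # de-duplicate while keeping order
            if self._too_many_failures(account):
                rejected.append((code, "locked"))
                continue
            coupon = COUPONS.get(code)
            if coupon is None:
                self.failures[account].append(self.now())  # a guess, charge the budget
                rejected.append((code, "unknown"))
                continue
            if self.redemptions[account][code] >= coupon["per_account_limit"]:
                rejected.append((code, "limit"))
                continue
            if not coupon["stackable"]:
                if non_stackable_used:
                    rejected.append((code, "stacking"))
                    continue
                non_stackable_used = True
            discount += coupon["discount"]
            accepted.append(code)
        for code in accepted:  # record only once the order's codes are settled
            self.redemptions[account][code] += 1
        return max(cart_total - discount, 0), accepted, rejected
```

The budget of invalid codes is what a CAPTCHA was standing in for on slide 13; keying it and the redemption ledger to the account rather than to a cookie is what makes "delete cookies" stop working.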
  14. Low-Tech Google Hacking. When Google becomes a major source of public record, interesting opportunities begin to arise.
  15. Super BlackHat SEO. Target large universities with public webcams and redirect the feeds to a subscription website. Call in bomb threats (hoax) to Boston College, Purdue, Clemson, University of North Carolina, and Florida State to drive traffic. Advertise live police response video footage via Skype and profit ($?). Juvenile male suspect arrested. (truncated source link: event=displayArticlePrinterFriendly&uStory_id=14cd304c-26e2-40ab-a51d-4a2d79274cd9)
  16. Google Earth Recon. Roofer Tom Berge used aerial photographs of towns across the world to pinpoint museums, churches and schools across south London with lead roof tiles (darker colour). Berge and his accomplices used ladders and abseiling ropes to strip the roofs and took the lead away (£100,000) in a stolen vehicle to be sold for scrap. Sentenced to eight months in prison – suspended for two years – after confessing to more than 30 offenses. (truncated source link: valuable-lead-roofs.html)
  17. Google Maps vs. Spammers
  18. Buyer’s Remorse. People order things online, then change their minds, and cancel. Strict management processes need to be in place.
  19. Quantina Moore-Perry, 33, of Greensboro, N.C., ordered (then cancelled) over 1,800 items online at QVC including handbags, housewares, jewelry and electronics. Products were shipped anyway. Auctioned off on eBay. Profited $412,000. Woman admits fleecing shopping network of more than $412,000. (truncated source link: merchandise-317045.php)
  20. “QVC became aware of the problem after being contacted by two people who bought the items, still in QVC packaging, on the online auction site.” Pleaded guilty in federal court to wire fraud.
  21. FTC - Unordered Merchandise
  22. iCan fix your iPod. Sometimes electronics break or are defective and customers would like to return the item. Online systems are designed to facilitate this process.
  23. Nicholas Arthur Woodhams, 23, from Kalamazoo, Michigan, sets up shop online to repair iPods. Abuses Apple's Advance Replacement Program by guessing iPod serial numbers backed with Visa-branded gift cards ($1 pre-auth). Repeats the process 9,075 times, resells the “replacements” at heavily discounted prices ($49), and denies any Apple credit charges. Charged with trademark infringement, fraud, and money-laundering.
  24. Scams that scale. “Federal prosecutors have asked U.S. District Court Judge Robert Bell to let them seize real estate and personal property -- including a 2004 Audi and a 2006 drag racer -- as well as more than $571,000 in cash belonging to Woodhams, all alleged to be proceeds from his scam.”
  25. Magic Cookies. Online merchants and advertisers enlist the services of affiliate networks to drive traffic and/or customers to their websites in exchange for a share of the revenue generated.
  26. The Players. Merchant: pays commissions to affiliates for customer clicks, account sign-ups, purchases, etc. Affiliate: collects commissions for driving customers towards merchants in the form of cost-per-click (CPC) or cost-per-acquisition (CPA). Customer: the person who buys stuff or signs up for promotions. Affiliate Network: technology framework connecting and monitoring the merchant, affiliate, and customer.
  27. (image only)
  28. The way it’s supposed to
     1. Affiliate signs up with an affiliate network and places special links on their web page(s): <a href=”http://AffiliateNetwork/p?program=50&affiliate_id=100/”>really cool product!</a>
     2. When users click the link their browser is sent through the affiliate network, where they receive a special tracking cookie (Set-Cookie: AffiliateID=100) and are then redirected to the merchant page.
     3. If the customer buys something within X time period (i.e. the affiliate cookie still exists) the affiliate receives a commission. Using effective SEO tactics...
  29. (image only)
  30. (image only)
  31. (image only)
  32. “It was a check for 2 months because the first check they sent was so big it was rejected by his bank.”
  33. Cookie-Stuffing Circa 2002. Nothing besides pesky affiliate network terms of service requires the user to actually “click a link” to be cookied with an affiliate ID. Instead of: <a href=”http://AffiliateNetwork/p?program=50&affiliate_id=100/”>really cool product!</a> Use: <img src=”http://AffiliateNetwork/p?program=50&affiliate_id=100/”> or: <iframe src=”http://AffiliateNetwork/p?program=50&affiliate_id=100/” width=”0” height=”0”></iframe> Invisible! Affiliate Programs Vulnerable to Cross-site Request Forgery Fraud
  34. Aggressive affiliates figure out they can post their code anywhere online and not just on their own websites (message boards, guest books, social networks, etc.). By 2005, merchants and affiliate networks got wise to cookie stuffing, started monitoring referers and conversion rates, and began kicking out suspicious affiliates.
  35. Cookie-Stuffing Circa 2007. Affiliates start posting their code on SSL pages. “Clients SHOULD NOT include a Referer header field in a (non-secure) HTTP request if the referring page was transferred with a secure protocol.” - RFC 2616. Bottom line: no referer is sent to the affiliate to be tracked. FYI: not every browser behaves this way, but there are many other methods to do the same using meta-refreshes and JavaScript. SEO Code Injection
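Slides 28 and 33-35 describe the tracking flow and how a cookie gets set without a click; slide 34 names the network-side counter-measure (monitoring referers and conversion rates), and slide 35 explains why missing referers then become the signal rather than the off-site referers themselves. The following is an added Python example, not code from the talk or from any affiliate network, that profiles a constructed click log from the tracking endpoint and flags affiliates whose clicks mostly arrive without a referer, from domains they never registered, or that rarely convert. Affiliate ids, domains, log rows and thresholds are all constructed; a real network would derive the thresholds from its own baselines rather than fixed numbers.

```python
"""Affiliate-network side profiling of tracking-endpoint clicks for cookie-stuffing signals.
Added example; affiliate ids, domains, log rows and thresholds are constructed."""
from collections import defaultdict
from urllib.parse import urlsplit

# Constructed log of hits on the tracking endpoint: (affiliate_id, Referer header or "", converted)
CLICK_LOG = (
    [(100, "https://reviews.example/best-widgets", True)] * 2
    + [(100, "https://reviews.example/best-widgets", False)] * 8
    + [(200, "", False)] * 12                                   # referer stripped (SSL hosting page)
    + [(200, "https://forum.example/thread/42", False)] * 3     # tag placed on someone else's site
    + [(200, "https://social.example/profile/x", False)] * 3
    + [(200, "https://bargains.example/top-deals", True)]
    + [(200, "https://bargains.example/top-deals", False)]
)
# Sites each affiliate declared when signing up (constructed).
REGISTERED_SITES = {100: {"reviews.example"}, 200: {"bargains.example"}}

THRESHOLDS = {
    "min_clicks": 10,               # do not judge affiliates with too little traffic
    "max_no_referer_ratio": 0.5,
    "max_foreign_referer_ratio": 0.25,
    "min_conversion_rate": 0.1,
}


def referer_host(referer):
    """Hostname of a Referer header, or "" when the header was absent."""
    if not referer:
        return ""
    return urlsplit(referer).hostname or ""


def profile_affiliates(log, registered):
    """Per-affiliate click count, conversion rate, and the share of clicks that carried
    no referer or a referer outside the affiliate's registered sites."""
    rows_by_affiliate = defaultdict(list)
    for affiliate, referer, converted in log:
        rows_by_affiliate[affiliate].append((referer, converted))
    stats = {}
    for affiliate, rows in rows_by_affiliate.items():
        clicks = len(rows)
        own_sites = registered.get(affiliate, set())
        conversions = sum(1 for _, converted in rows if converted)
        no_referer = sum(1 for referer, _ in rows if not referer)
        foreign = sum(1 for referer, _ in rows if referer and referer_host(referer) not in own_sites)
        stats[affiliate] = {
            "clicks": clicks,
            "conversion_rate": conversions / clicks,
            "no_referer_ratio": no_referer / clicks,
            "foreign_referer_ratio": foreign / clicks,
        }
    return stats


def flag_suspicious(stats, thresholds=THRESHOLDS):
    """Map affiliate id -> list of reasons for affiliates worth a manual review."""
    flagged = {}
    for affiliate, s in stats.items():
        if s["clicks"] < thresholds["min_clicks"]:
            continue
        reasons = []
        if s["no_referer_ratio"] > thresholds["max_no_referer_ratio"]:
            reasons.append("referer missing on most clicks")
        if s["foreign_referer_ratio"] > thresholds["max_foreign_referer_ratio"]:
            reasons.append("clicks originate outside registered sites")
        if s["conversion_rate"] < thresholds["min_conversion_rate"]:
            reasons.append("conversion rate far below normal")
        if reasons:
            flagged[affiliate] = reasons
    return flagged
```

Each signal on its own has innocent explanations (privacy proxies strip referers, a legitimate affiliate may syndicate content), which is why the output is a review queue with reasons rather than an automatic ban.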
  36. Trading on Semi-public Information. Insider: someone with a fiduciary role within a company. A corporate executive, investment banker or attorney. Not a hacker.
  37. Getting the word out... Business Wire provides a service where registered website users receive a stream of up-to-date press releases. Press releases are funneled to Business Wire by various organizations, and are sometimes embargoed temporarily because the information may affect the value of a stock. Press release files are uploaded to the Web server (Business Wire), but not linked, until the embargo is lifted. At that time, the press release Web pages are linked into the main website and users are notified with URLs similar to the following:
     http://website/press_release/08/29/2007/00001.html
     http://website/press_release/08/29/2007/00002.html
     http://website/press_release/08/29/2007/00003.html
     Before granting read access to the press release Web page, the system ensures the user is properly logged in.
  38. Just because you cannot see it does not mean it is not there... An Estonian financial firm discovered that the press release Web page URLs were named in a predictable fashion. And while links might not yet exist because the embargo was in place, it didn’t mean a user couldn’t guess the filename and gain access to the file. This method worked because the only security check Business Wire conducted was to ensure the user was properly logged in, nothing more. According to the SEC, which began an investigation, Lohmus Haavel & Viisemann profited over $8 million by trading on the information they obtained. SEC vs. The Estonian Spiders
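The Business Wire case on slides 37-38 is an authorization failure, not an authentication one: the check answers "is this user logged in?" when it needs to answer "may this user read this release now?". The following is an added Python example, not the talk's or Business Wire's code, with the login-only handler beside one that also enforces the embargo and answers 404 for unreleased items (indistinguishable from a missing file, so a guessed name confirms nothing), plus an upload helper that assigns unguessable names as defence in depth. The release store, paths, dates and bodies are constructed.

```python
"""Serving embargoed press releases: the login-only check beside one that enforces
the embargo. Added example; release paths, dates and bodies are constructed."""
from datetime import datetime
import secrets

# Constructed store keyed by the predictable, sequential names the site used.
RELEASES = {
    "press_release/08/29/2007/00001.html": {"embargo_until": datetime(2007, 8, 29, 8, 0),
                                            "body": "Q2 results: revenue up"},
    "press_release/08/29/2007/00002.html": {"embargo_until": datetime(2007, 8, 29, 9, 0),
                                            "body": "New CFO appointed"},
    "press_release/08/29/2007/00003.html": {"embargo_until": datetime(2007, 8, 30, 8, 0),
                                            "body": "Profit warning (still embargoed)"},
}


def serve_weak(store, logged_in, path):
    """Weak: only the session is checked. The file already exists on the server,
    so a correctly guessed name is served before the embargo lifts."""
    if not logged_in:
        return 401, ""
    release = store.get(path)
    return (200, release["body"]) if release else (404, "")


def serve_hardened(store, logged_in, path, now):
    """Hardened: authentication first, then object-level authorization. An item whose
    embargo has not lifted gets the same 404 as a nonexistent one."""
    if not logged_in:
        return 401, ""
    release = store.get(path)
    if release is None or now < release["embargo_until"]:
        return 404, ""
    return 200, release["body"]


def upload_release(store, body, embargo_until):
    """Defence in depth: unguessable names instead of 00001, 00002, ... so enumeration
    is not possible even if an authorization check is ever missed."""
    name = f"press_release/{secrets.token_urlsafe(24)}.html"
    store[name] = {"embargo_until": embargo_until, "body": body}
    return name
```

The unguessable name is a backstop, not a substitute: the authorization check against the embargo time is the control that actually fixes the flaw the slides describe.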
  39. A Ukrainian hacker breaks into Thomson Financial and steals a gloomy results announcement for IMS Health, hours before its release to the stock market...
     • Hacker enters ~$42,000 in sell orders betting the stock will fall
     • The stock fell sharply, making the hacker ~$300,000
     • Red flags appear and the SEC freezes the funds
     • Funds are ordered to be released: “Dorozhko’s alleged ‘stealing and trading’ or ‘hacking and trading’ does not amount to a violation” of securities laws - Judge Naomi Reice Buchwald
     • The Times speculates that the DoJ has simply deemed the case not worth pursuing, probably due to the difficulties involved in gaining cooperation from local authorities to capture criminals in Ukraine.
     Ukrainian Hacker Makes a Killing in Stock Market Fraud / Ukrainian hacker may get to keep profits
  40. Pump and Dump Scams Evolve. A large traffic spike on a Sunday night pushed a 2002 story of a bankruptcy filing by United Airlines to the most viewed business story category on the South Florida Sun Sentinel's Web site. Google indexed the new link and the story appeared on Google News. A Miami advisory firm performed a Google search for bankruptcies Monday morning that returned the 2002 UAL story, which they mistook as being current, and it was subsequently distributed through the Bloomberg News Service. United Airlines' stock price sank more than 75%, slipping from $12 to the $3 level before trading was suspended. After the dust settled, shares returned to near normal levels.
  41. Hackers for Hire. The cybercrime industry possesses sophisticated business models that include Software-as-a-Service, SLA agreements, and discrete distribution of services. Hackers and botnets can be easily rented.
  42. (image only)
  43. Online Permit Management. In 2006, the Brazilian environment ministry did away with paper dockets and implemented an online program to issue permits documenting how much land a company could legally log and tracking the timber leaving the Amazon state of Para. "We've pointed out before that this method of controlling the transport of timber was subject to fraud.” - André Muggiati, Campaigner, Amazon office in Manaus, Greenpeace International
  44. Amazonian Rainforest Hack. Allegedly 107 logging companies hired hackers to compromise the system, falsifying online records to increase the timber transport allocations. Police arrested 30 ring leaders. As a result an estimated 1.7 million cubic metres of illegal timber have been smuggled out of the Amazon, enough to fill 780 Olympic-sized swimming pools.
  45. $833,000,000. Tip of the iceberg: the same computer system is used in two other Brazilian states.
  46. Other Permit Managers
  47. Hiring the Good Guys. KPMG audited 70 FAA Web applications and identified 763 high-risk vulnerabilities. “By exploiting these vulnerabilities, the public could gain unauthorized access to information stored on Web application computers. Further, through these vulnerabilities, internal FAA users (employees, contractors, industry partners, etc.) could gain unauthorized access to ATC systems because the Web applications often act as front-end interfaces (providing front-door access) to ATC systems.”
  48. Business logic flaws = $$$. Prime target for the bad guys. Test often, test everywhere. Threat model: not all vulnerabilities can be identified in the design phase, by analyzing the code, or even during QA. Detect attacks by profiling: HTTP requests appear legitimate, but active attacks will appear anomalous. He who has the most points, credits, or in-system cash is probably a cheater.
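Slide 48's point is that each request is valid on its own (which is why slide 7 says WAFs and IDSs cannot help), but an account exercising a business process far more than its peers stands out in aggregate. The following is an added Python example, not from the talk, that parses constructed access-log lines for a coupon endpoint, profiles each account by the number of distinct codes it tried and how often they were rejected, and flags accounts an order of magnitude above the median shopper. The same outlier rule applies to the "most points, credits or cash" heuristic on the slide: compute the metric per account, compare to the population median. Log format, endpoint path, account names and thresholds are constructed.

```python
"""Profiling access-log lines to surface business-logic abuse that per-request
inspection misses. Added example; log lines, endpoint and thresholds are constructed."""
import re
from collections import defaultdict
from statistics import median

# Combined-log-style line with the authenticated user in the third field.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \d+'
)


def _line(ip, user, n, code, status):
    """Build one constructed log line; n just spreads timestamps out."""
    ts = f"19/Jun/2009:10:{n // 60:02d}:{n % 60:02d} -0400"
    return f'{ip} - {user} [{ts}] "POST /cart/apply_coupon?code={code} HTTP/1.1" {status} 128'


# Constructed log: ordinary shoppers try one or two codes; one account walks a code space.
ACCESS_LOG = [
    _line("10.0.0.5", "alice", 1, "SAVE10", 200),
    _line("10.0.0.6", "bob", 2, "SAVE1O", 400),      # a typo, then the right code
    _line("10.0.0.6", "bob", 3, "SAVE10", 200),
    _line("10.0.0.7", "carol", 4, "FREESHIP", 200),
] + [_line("10.0.0.9", "mallory", 10 + i, f"PROMO{i:04d}", 400) for i in range(40)]


def parse(lines):
    """Yield the named groups of every line that matches the log format."""
    for line in lines:
        m = LOG_RE.match(line)
        if m:
            yield m.groupdict()


def profile_coupon_attempts(lines, endpoint="/cart/apply_coupon"):
    """Per account: attempts, distinct codes tried, and share of attempts rejected (4xx)."""
    codes, failures, total = defaultdict(set), defaultdict(int), defaultdict(int)
    for r in parse(lines):
        path, _, query = r["path"].partition("?")
        if path != endpoint:
            continue
        params = dict(p.split("=", 1) for p in query.split("&") if "=" in p)
        user = r["user"]
        total[user] += 1
        codes[user].add(params.get("code", ""))
        if r["status"].startswith("4"):
            failures[user] += 1
    return {
        u: {"attempts": total[u], "distinct_codes": len(codes[u]), "failure_ratio": failures[u] / total[u]}
        for u in total
    }


def find_outliers(profiles, floor=5, factor=10):
    """Every request passed validation on its own; the account that tried an order of
    magnitude more codes than the median shopper is the anomaly worth investigating."""
    if not profiles:
        return {}
    med = median(p["distinct_codes"] for p in profiles.values())
    limit = max(floor, factor * med)
    return {u: p for u, p in profiles.items() if p["distinct_codes"] > limit}
```

The floor keeps a tiny population from flagging everyone when the median is one, and the failure ratio is carried along so an analyst can distinguish a code-guesser (almost all rejections) from a heavy but honest coupon user.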
  49. Google Hacking - $ low six figures. Scamming eCommerce - $ mid six figures. Manipulating return policy systems - $ high six figures. Exploiting Affiliate Networks - $ seven figures. Gaming the stock market - $ high seven figures. Defrauding online permits - $ high nine figures. Free pizza with secret coupon codes... PRICELESS
  50. Questions? Why aren’t you doing this? Jeremiah Grossman, WhiteHat Security. Blog: Twitter: Email: