
Eurostar 16 abuse cases - from scratch to the hack


Presentation on Business Logic Attacks


  1. Abuse Cases: From scratch to the hack. Miguel Hernandez Ruiz
  2. Do the testers know about the business flows supported by the application?
  3. As starter…
  4. The Menu
     • As starter
     • A hacking story
     • What we are looking for
     • A methodological approach
     • Abuse cases from use cases
     • Abuse cases from scratch
     • Take away
  5. A hacking story
     Disclaimer: I found both images online with no copyright notice; if you find out they actually are copyrighted, please let me know as soon as possible.
     Name: Paul. Age: 27. Job: Developer. Paul works as an IT engineer for an IT company which provides a shopping cart solution to several clients. He has never been concerned about security, and neither has his boss…
     Name: Mike. Age: 22. Job: none. Mike is a university student with too much free time and a security enthusiast who loves finding application vulnerabilities. He is really aware of application insecurity…
     Name: Josh. Age: 40. Job: Boss. Josh is a successful businessman who owns three different companies operating in different sectors. He has heard about security concerns in applications, but “this won’t happen to him”…
  6. A hacking story. MY APP = Yabadabadooooooooooooooooooooooooooo! Break another app… Break another app… Break another app… Break another app…
  7. A hacking story. Ouch! My boss recently told me that our customers complained about some security bugs reported by a hacker in our application… Actually I think they were there since the first version, but I am happy they didn’t realise it before… Anyway, I am ready to fix them in the new release… I will close the issues all in a row…
  8. A hacking story: SQLi, XSS, HTMLi, CSRF, Session Hijacking, Session Fixation, Buffer Overflow, Insecure Direct Object Reference, Non-validated Redirects, Server Side Inclusion, XXE, LFI / RFI
  9. A hacking story. OK, I am going to take a look at the page where I reported the bugs last month… It seems that they have fixed them… interesting… I am happy to see that they have been able to solve the issues, but… let me see… Let’s play the joker up the sleeve… What if I change this number here… …YEAH!!!!
  10. A hacking story. Syringe image from http://shinta-girl.deviantart.com/
  12. What we are looking for
     • What the application is intended to do and it actually does
     • What the application is intended to do and it does not
     • What the application is not intended to do and it actually does
     The application business logic must be checked from a security perspective: ABUSE CASES
  13. What we are looking for
     Use Cases
     • A use case is a list of steps, typically defining interactions between a role (actor) and a system, to achieve a goal
     • They are essentially structured stories or scenarios detailing the normal behaviour and usage of the software
     • A use case is not only a diagram; it is text as well, a full description including the main actor, goal in context, scope, preconditions, etc.
     Abuse Cases
     • An abuse case is a type of complete interaction between a system and one or more actors, where the results of the interaction are harmful to the system, one of the actors, or one of the stakeholders in the system
     • An abuse case diagram is created together with a corresponding use case diagram (if available), but not in the same diagram
     • There is no new terminology or special symbols introduced for abuse case diagrams
  15. A methodological approach: the stairway to the bug
     • REQUIREMENT: look for the key business requirements
     • DESIGN: use the available use cases to design the abuse cases
     • IMPLEMENTATION: gain a wide understanding of the business logic implemented
     • INTEGRATION: detect implementation flaws and… ¡¡¡¡exploit them!!!!
  16. A methodological approach (flow diagram)
     Start from the key requirement specification.
     • Use cases designed? Yes: take the application use cases, detect the potentially worst scenarios and design abuse cases derived from the use cases.
     • No: workflows designed? Yes: take the application workflows, perform them, determine the critical flows, detect key points and design abuse cases derived from those key points.
     • No: locate functional documentation and knowledge, gain a deep understanding of the business logic from the functional documentation, detect key points and design abuse cases derived from those key points.
     Every path feeds the abuse cases app repository.
  18. Abuse Cases from Use Cases
     Goal: check that there is no possibility to add items for free to the basket.
     Preconditions
     • All application modules have been correctly deployed in test
     • A previously registered user account must be provided
     • There must be at least 1 item and one item category available
     Actors
     • User: agent who is intended to perform a normal use of the application
     • Security Tester: person who is intended to cause abnormal behaviour in the application
     Description
     • Access the application URL: the user accesses the URL http://www...
     • Log in: he/she performs the login using the provided user account
     • ...
     Diagram steps (User): access the application URL, log in, add an item to the basket, check the total cost. Security Tester: add an item for free.
  20. Abuse Cases from scratch: the application workflow
     Compulsory steps: access the application, register a new account, log in to the application, access an item section, select an item, increase / decrease the number of items to order, add to basket, increase / decrease the number of items, update basket.
     Optional steps: About us, Contact us, Search items, Your Basket.
  21. Abuse Cases from scratch: the same workflow (compulsory and optional steps) with the abuse targets marked on it: privilege increase, access to content, altering the price.
  22. Abuse Cases from scratch: questions along the workflow
     • Could I access a non-published or private item section?
     • What if I insert a very long number as a section selector?
     • Could I be able to modify the item price?
     • …The number of items without altering the total price, perhaps?
     • Definitely I must try to add a negative number of items to the basket
     • Would it be possible to order non-existent items?
     • Could I decrease the number of items below zero?
     • What will be the maximum number of items to order?
     • Could it be possible to include a negative number of items when updating the basket?
     • Would it be possible to change the price during the basket update process?
     • What if I perform an update over a non-existent item in the basket?
  23. Abuse Cases from scratch
     Goal: gain a higher confidence in how the application is going to behave when the number of items is modified below zero.
     Preconditions
     • All application modules have been correctly deployed in test
     • At least two item categories have been included in the application
     • There must be at least 4 items for two item categories
     Actors
     • User: agent who is intended to perform a normal use of the application
     • Security Tester: person who is intended to cause abnormal behaviour in the application
     Description
     • Access the application URL: the user accesses the URL http://www...
     • Register a new user: he/she clicks on the…
     • …
     Diagram steps (User): access the application URL, register a user, access with the new user, select 4 items of a certain category and 3 items of another category, add them to the basket, update the number of items in the basket. Security Tester: include a negative number of items.
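The abuse-case questions on slide 22, the negative-quantity case above and the "add an item for free" check on slide 18, turned into the server-side basket checks a developer would need and the probes a tester would run against them; this is an added example, not code from the deck or from the BodgeIt store used in the demo. The catalogue, item ids and the per-line limit of 20 are assumptions.

```python
# Added example, not from the deck or from BodgeIt: a server-side basket update that answers
# the abuse-case questions, plus those questions run as probes. Catalogue, ids and limit are assumed.
CATALOGUE = {"A1": 9.99, "A2": 24.50, "B1": 3.25}      # constructed: item id -> unit price
MAX_QTY_PER_LINE = 20                                   # assumed business limit per basket line
class BasketError(ValueError): pass                     # any request the business rules reject

def apply(basket, action, form):
    """Apply an untrusted add/update form (string values) to basket {item id: qty}."""
    item = form.get("item", "")                          # a 'price' field in the form is never read
    try:
        qty = int(form.get("quantity", ""))
    except ValueError:
        raise BasketError("quantity must be an integer") from None   # '1.5', '', 'abc'
    if action not in ("add", "update") or item not in CATALOGUE:
        raise BasketError("unknown action or item")      # non-existent items
    if not 1 <= qty <= MAX_QTY_PER_LINE:
        raise BasketError("quantity out of range")       # negative, zero, or a very long number
    if action == "update" and item not in basket:
        raise BasketError("item not in basket")          # update of a line that was never added
    if action == "add":
        qty += basket.get(item, 0)                       # the limit applies to the running line total
        if qty > MAX_QTY_PER_LINE:
            raise BasketError("line would exceed the maximum")
    basket[item] = qty

def total(basket):
    # Recomputed from the catalogue every time, so a tampered price can never reach the total.
    return round(sum(CATALOGUE[i] * q for i, q in basket.items()), 2)

def run_abuse_cases():
    """Turn the slide's questions into probes; returns ({question: rejected?}, final total)."""
    basket, results = {}, {}
    apply(basket, "add", {"item": "A1", "quantity": "4"})   # normal flow: 4 items of one
    apply(basket, "add", {"item": "B1", "quantity": "3"})   # category and 3 of another
    probes = {
        "negative quantity on add": ("add", {"item": "A1", "quantity": "-1"}),
        "order a non-existent item": ("add", {"item": "ZZ9", "quantity": "1"}),
        "update a line below zero": ("update", {"item": "A1", "quantity": "-4"}),
        "update a line not in the basket": ("update", {"item": "A2", "quantity": "2"}),
        "very long number as quantity": ("add", {"item": "A1", "quantity": "9" * 60}),
        "change the price on update": ("update", {"item": "A1", "quantity": "4", "price": "0.01"}),
    }
    for name, (action, form) in probes.items():
        try:
            apply(basket, action, form)
            results[name] = False                        # accepted (the price probe is a valid update; price ignored)
        except BasketError:
            results[name] = True                         # rejected by the business rules
    return results, total(basket)
```

Every probe except the price one is rejected, and the price probe leaves the total at 49.71 because the total never comes from the request.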
  24. Demo. Speech bubbles: “Hey Hey Hey!, don’t touch my App!!” / “Let’s rock baby!!” / “Mmmm, I am not sure if I want to see this…”
  26. Take away
     • Mind the business logic of your application; in the meantime it is really cheap
     • Look for a way to add negative thinking to the development process. Enforce abuse cases development.
     • Do not trick yourself: “This DO could happen to you”
     • Raise the problem if you think there is a bug in the application; the sooner the better.
     • Do not trust the component of the application you are developing: “Develop defensively and watch the abuse cases”
  27. Take away
     • You have a great future ahead as a security tester… go for it!
     • Use all your knowledge: “Try bypassing the business logic as specified in the abuse cases”. No technological device will protect you against business logic attacks; use the talent in your organization. Your brain is the most powerful tool; think negatively… Develop abuse cases.
  29. Thank you all!
  30. The dessert… ?
  31. On the speaker (bio)
     mhernand@ie.ibm.com / hernandezrma@gmail.com
     https://www.linkedin.com/in/security-miguel-hernandez
     https://twitter.com/miguelangelher
     http://plusplussecurity.blogspot.ie/
     IT Engineer, Master in Advanced Technologies, Master in Business Administration, CEH, CISA, CISM, SPSE, IRCA LA 27001, ISTQBf, ITIL-f and FCE. Currently working for IBM in the Watson Health division as Senior Security Engineer. Miguel Hernández has been working in the security field for the past 10 years. He has helped some of the most important companies in different sectors to improve their security through process improvement and web application security testing.
  32. Running the demo
     • Download and install Docker for your operating system
     • Download the BodgeIt store image: docker pull psiinon/bodgeit
     • Run Docker
     • Run BodgeIt in Docker: docker run --rm -p 8080:8080 -i -t psiinon/bodgeit
     • Open BodgeIt in the browser: http://localhost:8080/bodgeit
     • If you want to intercept the communication and perform the “hack”:
       – Download and install ZAP for your platform
       – Change the port of ZAP’s local proxy from 8080 to 8085 (so it does not clash with BodgeIt on 8080)
       – Configure Firefox’s network settings to use the proxy localhost:8085
