
Oh No They Didn't! 7 Web App Security Stories (v1.0)


This is the first iteration of a talk that goes through some of the more “interesting” failures in web app security seen over the 2009-2010 assessment calendar.

Published in: Technology

  1. Oh No They Didn’t!
     Rafal M. Los
     HP Security Evangelist
     15 October 2010
  2. Web Application Security is Hard…
  3. Story #1 – “Loyalty-free”
     The Story…
     - Using a restaurant delivery service; website-driven interaction
     - During the transaction the credit card was entered incorrectly; the transaction was rejected, but “loyalty points” still accrued
     - Result: a logic flaw exposing the website to scripted attack via CSRF
     Lesson(s) Learned…
     - The purchase process should be protected against CSRF (many options)
     - Test, test, test and test again
     - Manual security testing is required; you can’t just “scan”!
     - Logic flaws can be discovered … advanced EFD-based tools needed
  4. Story #2 – Web coupons
     The Story…
     - Large national pizza chain wants a 2-part marketing campaign
     - 2 coupons: 1 for a $5 pizza, one for a FREE pizza
     - Marketing agency creates a Flash! app and codes the logic into the client (both coupon codes)
     - Accidental discovery leads to 11,000 free pizzas …oops
     Lesson(s) Learned…
     - Never perform critical business logic on the client
     - Marketing teams don’t know about security … don’t understand
     - Flash! can/will be decompiled and inspected…be aware
  5. Client-Side Data Validation: FAIL
     Decompiled ActionScript excerpt as shown on the slide; the “passwords” and customer name are redacted.

     ```actionscript
     …
     button 9 {
       on (release, keyPress '<Enter>') {
         // every secret code is compared inside the client; the matching prize page is the only "protection"
         if (password eq ' PASSWORD ') {
           getURL('http://www.SomeCompany.tld/client_pages/CUSTOMER_REMOVED/778.html', '');
         } else {
           if (password eq ' PASSWORD ') {
             getURL('http://www.SomeCompany.tld/client_pages/CUSTOMER_REMOVED/781.html', '');
           } else {
             if (password eq ' PASSWORD ') {
               getURL('http://www.SomeCompany.tld/client_pages/CUSTOMER_REMOVED/783.html', '');
             } else {
               if (password eq ' PASSWORD ') {
                 getURL('http://www.SomeCompany.tld/client_pages/CUSTOMER_REMOVED/771.html', '');
               } else {
                 if (password eq ' PASSWORD ') {
                   getURL('http://www.SomeCompany.tld/client_pages/CUSTOMER_REMOVED/799.html', '');
                 } else {
     …
     ```
  6. Story #3 – Hold this encryption key
     The Story…
     - Flash application sending “encrypted” data across the wire; context: play a game, win a prize
     - The “encryption” scheme (including the key) is embedded in the Flash application
     - Download, decompile, repurpose and win every time?
     Lesson(s) Learned…
     - It’s not encryption if you also give me the scheme + key
     - Flash! can/will be decompiled and inspected…be aware
     - Security testing would reveal the weakness … other ideas for solving this?
  7. Client-Side Encryption: FAIL
     Decompiled ActionScript 3 excerpt as shown on the slide (the `strURI` assignment is truncated in the excerpt).

     ```actionscript
     try {
       strURI = "getLittleServer";   // assignment truncated in the decompiled excerpt
       …
       n1 = parseInt(strN1);
       n2 = parseInt(strN2);
       // the "key" is derived only from values the client already holds
       nAlgo = n1 * n2 * nScore + nScore;
       strToPass = nGameId + "," + nScore + "," + nTime + "," + nAlgo;
       encrypted_data = MD5.hash(strToPass);   // a hash of known inputs, not encryption
       submission_data = "score=" + nScore + "|gameId=" + nGameId + "|timestamp=" + nTime + "|key=" + encrypted_data;
       variables = new URLVariables();
       variables.attr1 = submission_data;
       request = new URLRequest(strURI);
       request.data = variables;
       navigateToURL(request, "_self");
       return submission_data;
       …
     ```
  8. Story #4 – Pwn3d (ouch)
     The Story…
     - Commercial, templated online restaurant menu & ordering system
     - Developer believed there was no need to test: “why would anyone want to hack this?”
     - SQL Injection hole found … the app had already been compromised
     - The app was distributing the Zeus bot (and other malware) to customers!
     Lesson(s) Learned…
     - Arrogance is more deadly than lack of knowledge
     - SQL Injection is not a highly complex attack ('or 1=1 to detect)
     - Not only vulnerable, now a liability and an investigation
  9. Story #5 – Predictable
     The Story…
     - Online retail shopping cart sends an email pointing to a “customer ID”-based order retrieval system (no passwords!)
     - Customers can save shipping details, payment information…
     - Predictable customerID parameter in the URL (CustID=aaaabbbcccdddd)
     - Alpha-numeric, non-case-sensitive …but predictable
     Lesson(s) Learned…
     - It can be a hassle, but require users to fully “register” (userID + pwd)
     - Randomize at least a 32-bit alpha-numeric string for CustID
     - Predictable IDs exposed customer data, critical payment info!
  10. Story #6 – Name your own price
      The Story…
      - Critical application for customers to purchase extremely high-value replaceable parts for power-generation systems
      - Parameter “NetCost” present in the URL and POST body
      - Server accepts the NetCost price from the POST body on the final page of checkout
      Lesson(s) Learned…
      - Never, ever, ever, ever trust anything you send to the client
      - The server should always hold the “record of truth”
      - Validate against server-known data prior to processing checkout
      - Test, test, test … this is a business logic flaw!
  11. Story #7 – But wait, there’s MORE
      The Story…
      - Demonstrating a web app security testing tool against a customer application
      - SQL Injection hole found, exploited at the MS SQL Server
      - Server was clustered, on the internal network, with extended stored procedures enabled
      - Mission-critical web-application database on the internal, AD-based network
      Lesson(s) Learned…
      - So many layers of fail … layered upon SQL Injection (testable!)
      - Separate your databases by criticality
      - Remove non-necessary stored procedures, secure privileges
  12. Contribute …
      Do you have a story that’s too funny not to be true?
      SHARE IT!
  13. Done.
      Rafal M. Los
      Security Evangelist
      @Wh1t3Rabbit
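Stories #1 and #6 share one fix: the server keeps the record of truth and checks that a state-changing POST really came from its own page. The checkout handler below is an added example written for this page, not code from the talk or from any of the applications it describes; the catalogue, the `Session` class and the `charge_card` payment hook are constructed assumptions.

```python
import hmac
import secrets
from dataclasses import dataclass, field

# Constructed catalogue: the server-side "record of truth" for part prices, in cents.
CATALOG = {"TURBINE-BLADE-7": 125_000_000, "SEAL-RING-3": 4_800_000}


@dataclass
class Session:
    """Per-user server-side state; the CSRF token is minted here, never derived on the client."""
    csrf_token: str = field(default_factory=lambda: secrets.token_urlsafe(32))
    loyalty_points: int = 0


def process_checkout(session: Session, form: dict, charge_card) -> dict:
    """Handle the final checkout POST.

    form: the POST fields, e.g. {"csrf": ..., "sku": ..., "qty": ..., "NetCost": ...}
    charge_card(cents) -> bool: hypothetical payment hook, True when the card authorizes.
    Returns {"ok": bool, "reason": str, "total": int}.
    """
    # Story #1: a state-changing POST must carry the token bound to this session.
    sent = form.get("csrf", "").encode()
    if not hmac.compare_digest(sent, session.csrf_token.encode()):
        return {"ok": False, "reason": "CSRF token missing or invalid", "total": 0}
    sku = form.get("sku")
    if sku not in CATALOG:
        return {"ok": False, "reason": "unknown SKU", "total": 0}
    try:
        qty = int(form.get("qty", "0"))
    except ValueError:
        qty = 0
    if qty <= 0:
        return {"ok": False, "reason": "bad quantity", "total": 0}
    # Story #6: the client's "NetCost" field is never read; the price comes from the catalogue.
    total = CATALOG[sku] * qty
    if not charge_card(total):
        # Story #1: a declined card must not accrue loyalty points.
        return {"ok": False, "reason": "payment declined", "total": total}
    session.loyalty_points += total // 100   # one point per dollar, only after authorization
    return {"ok": True, "reason": "order placed", "total": total}
```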
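For Story #3 the slide's `MD5.hash(gameId,score,time,nAlgo)` "key" can be recomputed by anyone who decompiles the client, so it proves nothing. One answer to the slide's "other ideas for solving this?" is below, as an added example that is not from the talk or the game vendor: the server mints an HMAC-signed token when the game starts, keeps the key to itself, and on submission checks the signature, single use, and whether the score is plausible for the elapsed time. `SERVER_KEY`, the token layout and `MAX_POINTS_PER_SECOND` are constructed assumptions.

```python
import hashlib
import hmac
import secrets

# Held only on the server; it never ships inside the Flash/JS client (constructed for this example).
SERVER_KEY = secrets.token_bytes(32)
MAX_POINTS_PER_SECOND = 50   # constructed plausibility bound for this game


def issue_game_token(game_id: int, now: float, key: bytes = SERVER_KEY) -> str:
    """Mint a token at game start: game_id|start_time|nonce|HMAC-SHA256 tag."""
    nonce = secrets.token_hex(8)
    payload = f"{game_id}|{int(now)}|{nonce}"
    tag = hmac.new(key, payload.encode(), hashlib.sha256).hexdigest()
    return f"{payload}|{tag}"


def verify_score(token: str, game_id: int, score: int, now: float, seen: set,
                 key: bytes = SERVER_KEY) -> tuple:
    """Accept a score only if the token is authentic, for this game, unused, and plausible.

    `seen` is the server's store of redeemed nonces (a set here; a database in practice).
    Returns (accepted: bool, reason: str).
    """
    try:
        t_game, t_start, nonce, tag = token.split("|")
    except ValueError:
        return False, "malformed token"
    payload = f"{t_game}|{t_start}|{nonce}"
    expected = hmac.new(key, payload.encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(tag, expected):
        return False, "bad signature"          # token was forged or tampered with
    if int(t_game) != game_id:
        return False, "token is for another game"
    if nonce in seen:
        return False, "token already redeemed"  # replaying a real token does not work twice
    elapsed = now - int(t_start)
    if elapsed < 0 or score > elapsed * MAX_POINTS_PER_SECOND:
        return False, "score not plausible for elapsed time"
    seen.add(nonce)
    return True, "accepted"
```

The client still sends the score in the clear, exactly as before; the difference is that the server decides whether to believe it using data the client never had.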
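Stories #4 and #7 both start with SQL Injection, and slide 8 notes that `'or 1=1` is enough to detect it. The added example below (mine, not code from the talk or from the compromised menu application) puts the concatenated query beside its parameterized form against a constructed in-memory SQLite table, so the same probe string can be seen returning every row from one and nothing from the other; the table and rows are constructed sample data.

```python
import sqlite3

# The detection probe quoted on the slide.
PROBE = "' or 1=1 --"


def make_db() -> sqlite3.Connection:
    """Constructed sample: a restaurant-ordering app's customer table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE customers (id INTEGER, email TEXT, card_last4 TEXT)")
    conn.executemany(
        "INSERT INTO customers VALUES (?, ?, ?)",
        [(1, "ann@example.com", "4242"), (2, "bob@example.com", "1111")],
    )
    return conn


def lookup_vulnerable(conn: sqlite3.Connection, email: str) -> list:
    """The 'before': user input pasted into the SQL text, so quotes and comments are parsed as SQL."""
    sql = f"SELECT id, email FROM customers WHERE email = '{email}'"
    return conn.execute(sql).fetchall()


def lookup_safe(conn: sqlite3.Connection, email: str) -> list:
    """Parameterized query: the driver binds the value; it is data, never SQL."""
    return conn.execute(
        "SELECT id, email FROM customers WHERE email = ?", (email,)
    ).fetchall()


def looks_like_injection_probe(value: str) -> bool:
    """Cheap request-log check a defender can run: a quote followed by OR ... = ... or a comment."""
    v = value.lower()
    return "'" in v and (" or " in v or "--" in v or "/*" in v)
```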