How to steal and modify data using Business Logic flaws - Insecure Direct Object References

Regardless of how sophisticated your framework is, or how many layers of firewalls and mitigation techniques are in place, there's a common weakness that often gets overlooked: the insecure direct object reference. The flaw exists everywhere: in WordPress, with its username enumeration issue; at Twitter, where remote attackers could delete credit cards from the ad service; and at OculusVR, with a horizontal privilege escalation vulnerability that was disclosed recently.

Published in: Software

  1. detectify: SECURITY FOR DEVELOPERS
  2. Remember the AT&T hack? #freeweev
  3. …or how about the Apple Developer site incident? #down4maint
  4. What do they have in common?
  5. What do they have in common? IDOR #wth?
  6. Frans Rosén @fransrosen #hacktheplanet
  7. Co-founder #daytime
  8. Hacked a few #nighttime 0x09 in Google Hall of Fame! www.google.com/about/appsecurity/hall-of-fame/
  9. …a few more #uhere?
  10. aaand a few more #sorry
  11. What does it mean? #owasp4 "A direct object reference occurs when a developer exposes a reference to an internal implementation object, such as a file, directory, or database key. Without an access control check or other protection, attackers can manipulate these references to access unauthorized data."
  12. IDOR: Insecure Direct Object Reference. Without proper access control, exposing unauthorized data such as a file, directory, or database key.
  13. Eye-ball the URL #waitisover
  14. Eye-ball the URL #waitisover Ouch.
  15. Update a user #totallylegit
  16. Update a user #totallylegit Ouch.
  17. Business Impact #obvious: Keys, Passwords; Credit Card Data; User Information / Email; Invoices / Billing Data
  18. Business Impact #notsoobvious: Numeric IDs for Order Receipts. "Not found" vs "No access". Poll every day, you get analytics!! $$$!
  19. Business Impact #notsoobvious: Numeric IDs for email invites = spam. Found by d4d1a179c0f3 https://hackerone.com/reports/1533
  20. Business Impact #evenworse: Change Delivery Address of an order. Deleting another user's information. Reclaiming other users' data. Gift Certificates anyone?
  21. Are you fully protected?
  22. Why so few? #ohnoez 1. No secure access model. "User X should only have access to A", "User X that has access to A should only have access to B", and so on…
  23. Why so few? #ohnoez 2. Numeric IDs. Enumerable/Sequential. Decrease value with 1 and try. Easy to test. Easy to attack.
  24. Why so few? #ohnoez 3. Error messages show and tell. "User X cannot view object owned by User Y", "No access to this object", "Object does not exist"
  25. Why so few? #ohnoez 4. Inconsistent ID sources. /receipt/view/434 vs /receipt/?view=434 vs POST /receipt/view/ HTTP/1.1 with body receipt=434
  26. Why so few? #ohnoez 5. Lack of proper code review. How to automate this?
  27. Examples! #bringpopcorn
  28. Example – Twitter: Credit Card deletion from other users. Sequential IDs when deleting cards. Bounty $2,800. Found by secgeek (Ahmed Aboul-Ela) https://hackerone.com/reports/27404
  29. Example – Oculus: RCE through IDOR. Sequential IDs when updating users. Bounty in total $25,000. Found by Bitquark (Jon) https://bitquark.co.uk/blog/2014/08/31/popping_a_shell_on_the_oculus_developer_portal
  30. Example – Square: Update other users / Get user info. IDs as hashes, but visible using Google. No check if user was in another company. Bounty $3,000 https://hackerone.com/reports/23126
  31. Example – Zapier: Get log-history from other users' Zaps. Contained sensitive information such as OAuth tokens / credentials. No access control for log entries. Bounty $3,000 https://zapier.com/engineering/bug-bounty-program/
  32. Example – getClouder: Remove Cloud Scaling for other users. No check if user owned the Cloud Scaling setting. Bounty $200
  33. Example – WordPress: Get all users on a WordPress site. .com/?author=1 WONTFIX by WordPress http://hackertarget.com/wordpress-user-enumeration/
  34. Doing it right. #anyoneoutthere?
  35. Doing it right. #hellyeh 1. User ID in Session or Token. /user/view/me, /user/transactions
  36. Doing it right. #hellyeh 2. Make a generic access model and stick to it. function get($type, $id) { // check access for all objects } then $user->get('transaction', $id); // if not owned by user, then error!
  37. Doing it right. #hellyeh 3. Access model in routes or controllers. Stick to it! Easy to miss.
  38. Doing it right. #hellyeh 4. Code review. Don't miss this.
  39. Quick repetition #eatsleepraverepeat 1. IDORs are bad. Easy to exploit. Easy to find. 2. Being actively exploited as we speak. Worth €€€ 3. Generic access model. 4. Numeric IDs vs Hashes 5. Review your code.
  40. THAT'S ALL FOLKS!! Questions? by Frans Rosén (@fransrosen) www.detectify.com
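A generic access model of the kind slides 35 and 36 call for, written here in Python as an added example (not the talk's own code): identity comes from the session rather than the URL, every object type goes through one ownership check, and "missing" and "not owned" produce the identical error so IDs cannot be enumerated by reading error messages (slides 18 and 24). The store, ids and owners are constructed sample data.

```python
from dataclasses import dataclass
from typing import Any


class NotFound(Exception):
    """One error for both 'does not exist' and 'not owned by the caller', so
    the response is not an oracle for which IDs exist (slides 18 and 24)."""


@dataclass(frozen=True)
class Session:
    user_id: int  # identity comes from the session, never from the URL


# Constructed sample store (not real data): type -> id -> record with owner.
STORE: dict[str, dict[int, dict[str, Any]]] = {
    "receipt": {434: {"owner": 7, "total": "19.90"},
                435: {"owner": 8, "total": "240.00"}},
    "card": {1001: {"owner": 7, "last4": "4242"}},
}


def get_insecure(obj_type: str, obj_id: int) -> dict[str, Any]:
    """The IDOR pattern: return whatever id the client sent, no ownership check."""
    return STORE[obj_type][obj_id]


def get(session: Session, obj_type: str, obj_id: int) -> dict[str, Any]:
    """Generic access check used for every object type: the record must exist
    AND belong to the session user; both failures raise the same NotFound."""
    record = STORE.get(obj_type, {}).get(obj_id)
    if record is None or record["owner"] != session.user_id:
        raise NotFound(f"{obj_type} not found")
    return record


def delete(session: Session, obj_type: str, obj_id: int) -> None:
    """Mutations reuse the same check: deleting another user's card fails
    exactly like reading it would."""
    get(session, obj_type, obj_id)  # raises NotFound unless owned
    del STORE[obj_type][obj_id]


def list_owned(session: Session, obj_type: str) -> list[int]:
    """The /user/transactions pattern: results are filtered by the session
    user, so the client never has to supply an id it was not shown."""
    return sorted(i for i, r in STORE.get(obj_type, {}).items()
                  if r["owner"] == session.user_id)
```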
