Successfully reported this slideshow.
We use your LinkedIn profile and activity data to personalize ads and to show you more relevant ads. You can change your ad preferences anytime.

Security Exploit of Business Logic Flaws, Business Logic Attacks

Business Logic Attacks: vulnerability analysis and risk management presentation at ISSA Security Conference in Louisville, KY, October 7, 2010

  • Login to see the comments

Security Exploit of Business Logic Flaws, Business Logic Attacks

  1. 1. Analysis and Risk Mitigation of Business Logic Attacks Marco Morana OWASP ISSA Info Security Conference Louisville, KY October 7 h 2010
  2. 2. Agenda For Today’s Presentation <ul><li>General Background on Business Logic Attacks (BLA) </li></ul><ul><ul><li>Problem statement </li></ul></ul><ul><ul><li>Business logic exploits, exploits </li></ul></ul><ul><ul><li>Categorization of BLAs </li></ul></ul><ul><li>Vulnerability Analysis of Business Logic Flaws </li></ul><ul><ul><li>Threat, vulnerabilities, and attacks </li></ul></ul><ul><ul><li>Root causes of vulnerabilities </li></ul></ul><ul><ul><li>OWASP T10, SANS-25, WASC </li></ul></ul><ul><li>Risk Analysis and Mitigation of BLA </li></ul><ul><ul><li>Security requirements </li></ul></ul><ul><ul><li>Threat analysis </li></ul></ul><ul><ul><li>Risk management </li></ul></ul><ul><li>Q & A </li></ul>
  3. 3. Business Logic Attacks
  4. 4. Business Logic Attacks: The Problem Statement <ul><li>Target the business logic of the site by attacking the data and the transactions: </li></ul><ul><ul><li>Attacking check out credit cards in shopping cart transactions </li></ul></ul><ul><ul><li>Attacking wire transfers in on-line banking transactions </li></ul></ul><ul><li>Pose the same level of risk of attacks exploiting critical vulnerabilities : </li></ul><ul><ul><li>Abuse web sites business logic for: </li></ul></ul><ul><ul><ul><li>fraud, </li></ul></ul></ul><ul><ul><ul><li>theft of user’s credentials and sensitive information, </li></ul></ul></ul><ul><ul><ul><li>reputational damage </li></ul></ul></ul><ul><li>Business Logic flaws are overlooked by security tests and tools: </li></ul><ul><ul><li>Undetected by vulnerability scanning tools </li></ul></ul><ul><ul><li>Require specific business logic abuse tests not usually included as part of the security testing process </li></ul></ul>
  5. 5. Business Logic Attacks Examples
  6. 6. Categorization of Business Logic Exploits <ul><li>Exploit flaws in the design, implementation and configuration of the application business logic rules and data , examples include: </li></ul><ul><ul><li>Weak enforcement of workflows and steps required by transactions, </li></ul></ul><ul><ul><li>Implicit trust and weak process validations in transactions, </li></ul></ul><ul><ul><li>Committing to transactions without all checks required are first validated </li></ul></ul><ul><li>Exploit weaknesses in the implementation of security controls whose function is protect the application business logic , examples include: </li></ul><ul><ul><li>Gaps in enforcement of role base access controls policy rules, </li></ul></ul><ul><ul><li>Insufficient parameters validation (e.g. priceID, roleIDs, userIDs), </li></ul></ul><ul><ul><li>Password reset flaws, username recovery flaws, </li></ul></ul><ul><ul><li>Security controls failing insecurely, </li></ul></ul><ul><ul><li>Insufficient anti-automation defenses to detect the attacks </li></ul></ul>
  7. 7. Vulnerability Analysis of Business Logic Flaws
  8. 8. Threat, Attacks, Vulnerabilities in the context of BLA <ul><li>Threats </li></ul><ul><ul><li>Some agent or adverse condition that target the application business logic to cause a negative impact to the business </li></ul></ul><ul><li>Attacks </li></ul><ul><ul><li>Realizing the threat to cause the negative impact , includes different ways for an attacker to conduct business logic attacks by exploiting one or more vulnerabilities and logic flaws </li></ul></ul><ul><li>Vulnerabilities </li></ul><ul><ul><li>Weaknesses in the business logic that can be exploited by a threat and cause a negative impact to the application. </li></ul></ul>
  9. 9. General Categorization Of Vulnerabilities By Root Causes <ul><li>Security Design Flaws </li></ul><ul><ul><li>Caused by lack of security requirements, knowledge, design reviews </li></ul></ul><ul><ul><li>Cannot be identified by security tools alone since are logical vulnerabilities and require manual threat analysis/ threat modeling </li></ul></ul><ul><li>Security Coding Errors </li></ul><ul><ul><li>Coding bugs that result in vulnerabilities </li></ul></ul><ul><ul><li>Can be identified with source code analysis tools and manual code reviews </li></ul></ul><ul><li>Security Mis-configurations </li></ul><ul><ul><li>Mis-configuration for application security policies </li></ul></ul><ul><ul><li>Can be identified through change control processes </li></ul></ul><ul><li>Business Logic Attack, Mostly Exploit Security Flaws in Design and Security Mis-Configurations </li></ul>
  10. 10. OWASP T10, WASC And SANS T25 Vulnerabilities Potentially Exploited For Attacking Business Logic
  11. 11. Attacks Exploiting Authorization Vulnerabilities & Root Causes <ul><li>BUSINESS LOGIC ATTACKS: </li></ul><ul><ul><li>Attackers are allowed to access web resources not restricted by role, simply changes the workflow/URL to a privileged page using forceful browsing </li></ul></ul><ul><ul><li>Attacker change the transaction data by modifying parameters to change data used in a transaction such as the price of goods purchased </li></ul></ul><ul><li>VULNERABILITIES: </li></ul><ul><ul><li>INSUFFICIENT AUTHORIZATION (WASC-02), FAILURE TO RESTRICT URL ACCESS (OWASP A7), IMPROPER ACCESS CONTROL ( SANS-CWE-285) </li></ul></ul><ul><li>ROOT CAUSES: </li></ul><ul><ul><li>Lack of granular enforcement of authorization rules through policy such as Role Base Access Controls (RBAC) </li></ul></ul><ul><ul><li>Business rules enforced using client side parameters instead of server side logic </li></ul></ul>
  12. 12. Attacks Exploiting Authentication Vulnerabilities & Root Causes <ul><li>BUSINESS LOGIC ATTACKS : </li></ul><ul><ul><li>Attacker guesses questions in challenge/questions (e.g. account creation, change password, recover password, this includes KBA , Knowledge Based Authentication) </li></ul></ul><ul><ul><li>Attacker replay the session such as a valid sessionID to logon in the application after previous logout </li></ul></ul><ul><li>VULNERABILITIES: </li></ul><ul><ul><li>INSUFFICIENT AUTHENTICATION (WASC-01), BROKEN AUTHENTICATION AND SESSION MANAGEMENT (OWASP A3), INSECURE DIRECT OBJ REFERENCES (OWASP A4) MISSING AUTHENTICATION FOR CRITICAL FUNCTION (CWE 306) </li></ul></ul><ul><li>ROOT CAUSES: </li></ul><ul><ul><li>Design flaws for password reset transactions </li></ul></ul><ul><ul><li>Easily guessable Challenge/Questions </li></ul></ul><ul><ul><li>Session management issues such as lack of single logout across applications-tiers </li></ul></ul>
  13. 13. Attacks Exploiting Mis-Configurations Vulnerabilities & Root Causes <ul><li>BUSINESS LOGIC ATTACKS: </li></ul><ul><ul><li>Attacker exploit mis-configuration of access control policy to exploit fail open-insecure conditions, unauthorized access to resources, bypass of authentication and RBAC, information disclosure through errors </li></ul></ul><ul><ul><li>Transaction and security events are not logged so the attack cannot be audited/investigated </li></ul></ul><ul><li>VULNERABILITIES: </li></ul><ul><ul><li>SERVER MISCONFIGURATION (WASC-14), SECURITY MISCONFIGURATION (OWASP A6) </li></ul></ul><ul><li>ROOT CAUSES: </li></ul><ul><ul><li>Configuration management process lacks validation/testing of enforcement of roles and permissions in the configuration policy used by application’s development frameworks (e.g., Struts, Spring, ASP.NET) </li></ul></ul><ul><ul><li>Logging and auditing does not cover BLA events </li></ul></ul>
  14. 14. Attacks Exploiting Insufficient Anti-Automation Vulnerabilities & Root Causes <ul><li>BUSINESS LOGIC ATTACKS: </li></ul><ul><ul><li>Automatic injection of web pages (e.g. forms/Frames) in application workflows to collect PII (e.g. Zeus Trojans) and do fraud </li></ul></ul><ul><ul><li>Automated trying of credit card values to validate them through conventional validation flaws (e.g. enumeration) </li></ul></ul><ul><ul><li>Spam of pre-authenticated transactions to flood back-office processes </li></ul></ul><ul><ul><li>Denial of service by locking usernames through automation locking and by flooding of call center for unlocking requests </li></ul></ul><ul><li>VUNERABILITIES: </li></ul><ul><ul><li>INSUFFICIENT ANTI-AUTOMATION (WASC-21) </li></ul></ul><ul><li>ROOT CAUSES: </li></ul><ul><ul><li>Lack of detective control for automation (e.g. CAPTCHA, automated intrusion detection) to protect transactions </li></ul></ul>
  15. 15. Attacks of Insufficient Process Control Vulnerabilities & Root Causes <ul><li>BUSINESS LOGIC ATTACKS: </li></ul><ul><ul><li>Fraudster can bypass validations checks for performing transactions such as shipping for goods not being purchased </li></ul></ul><ul><ul><li>External or internal attacker can spoof the data traffic between front end and back-end business logic processing </li></ul></ul><ul><ul><li>Fraudster can have secrets required to perform a transaction sent to him by spoofing authorized user emails, phone numbers etc </li></ul></ul><ul><li>VULNERABILITY </li></ul><ul><ul><li>INSUFFICIENT PROCESS CONTROLS (UNCLASSIFIED) </li></ul></ul><ul><li>ROOT CAUSES: </li></ul><ul><ul><li>Insufficient enforcement of transaction validations performed at different stages of the business transaction before committing to it </li></ul></ul><ul><ul><li>Gaps in enforcing authentication at different tiers of the application architecture (e.g. application and messaging) </li></ul></ul><ul><ul><li>Lack of out of band validations and call backs to validate the transaction </li></ul></ul>
  16. 16. Risk Analysis and Mitigation of BLA
  17. 17. Security Requirements for Mitigation of BLA <ul><li>Require every application to document business logic with data flows for transactions and the access control matrix used </li></ul><ul><li>Use application threat modeling to identify threats to application data flows and use and abuses cases that can be exploited for business logic attacks </li></ul><ul><li>Security test (manually) for business logic attacks that could exploit common vulnerabilities such as OWASP 3,4,8, WASC 1,2,14,21 and SANS-25-CWE 285,306 </li></ul><ul><li>Develop and execute business logic tests for insufficient process controls by deriving them from the use-abuse cases and transaction/data flow analysis performed during threat modeling </li></ul><ul><li>Rank the risk severity of business logic flaws/vulnerabilities can be exploited for business logic attacks </li></ul><ul><li>Manage the risk by devising preventive and detective controls to mitigate the likelihood and impact of business logic attacks </li></ul>
  18. 18. The Logic Tier In Web Architectures Not All Business Logic Resides on the Application Server ! Beware of Web 2.0 Apps that include business logic client side (e.g. AJAX, Widgets, Mashups Beware of Flaws in Integration of Business Logic with Server Components
  19. 19. Threat Analysis Of End to End Data Traffic Spoofing And Tampering XML/HTTP Parameters Forceful browsing Threats to Application Business Logic Spoofing And Tampering Web Service Calls Spoofing And Tampering Message Calls Spoofing And Tampering SQL Queries Elevation Of Privileges/ RBAC Misconfigurations
  20. 20. Threat Analysis with Use And Abuse Cases
  21. 21. Threat Analysis Using Business Logic Transaction Flows
  22. 22. Business Logic Attack To Shopping Cart (Real) Catalogue Price: $ 27.99 Charged Price: $.99
  23. 23. Enforcement of Roles and Permissions With Design of Role Base Access Controls
  24. 24. Security Testing Of Business Logic Attacks <ul><li>Main objective is to test that the application business rules cannot be altered by business logic attacks </li></ul><ul><li>Require testers to write NEGATIVE test cases and scripts to identify potential exploits of business logic flaws during Q/A test validation cycles. Examples include : </li></ul><ul><ul><li>Trying to bypass of user validations and prerequisite checks for a transaction, </li></ul></ul><ul><ul><li>Trying to bypass multi factor authentication in a transaction, </li></ul></ul><ul><ul><li>Trying to force a transaction and access high privileged resources logging as low privilege user, </li></ul></ul><ul><ul><li>Tampering with business logic parameters during a request to try to access resources, </li></ul></ul><ul><ul><li>Replaying session tokens after logouts to try to log back to the application, </li></ul></ul><ul><ul><li>Trying to force the application to fail in unsecure conditions such as fail open or as un-handled exceptions </li></ul></ul><ul><ul><li>Trying to alter price of items and validate if they can be added, </li></ul></ul><ul><ul><li>Trying to abuse registration, account openings/applications with automation scripts </li></ul></ul>
  25. 25. Assigning Risks to Business Logic Flaws Using OWASP Risk Methodology
  26. 26. Possible Countermeasures Against BLAs <ul><li>Deterrent controls </li></ul><ul><ul><li>Anti-automation (e.g. CAPTCHA, logic puzzles) </li></ul></ul><ul><li>Preventive controls </li></ul><ul><ul><li>Authentication and authorization of transactions (e.g. ESAPI) </li></ul></ul><ul><ul><li>Secure pre-auth password reset and userID reminder processes </li></ul></ul><ul><ul><li>Strong business process validation/checks for transactions (e.g. Out Of Band) </li></ul></ul><ul><ul><li>Data validation/filtering of transaction parameters (e.g. ESAPI) </li></ul></ul><ul><ul><li>Secure session management such as the SessionIDs used in business transactions </li></ul></ul><ul><li>Detective controls </li></ul><ul><ul><li>Application layer detection rules for BLA patterns (e.g. ESAPI IDS) </li></ul></ul><ul><ul><li>Web Application Firewall (WAF) rules (e.g. ESAPI WAF) </li></ul></ul><ul><ul><li>Fraud monitoring and detection rules (e.g. Fraud Detection Systems) </li></ul></ul><ul><ul><li>Logging and alerts of business transaction events as well as related security events </li></ul></ul>
  27. 27. Q & Q U E S T I O N S A N S W E R S
  28. 28. Thanks for listening, further references <ul><li>Designing a Framework Method for Secure Business Application Logic Integrity in e-Commerce Systems </li></ul><ul><ul><li> </li></ul></ul><ul><li>Seven Business Logic Flaws That Put Your Website At Risk </li></ul><ul><ul><li> </li></ul></ul><ul><li>Testing for business logic (OWASP-BL-001) </li></ul><ul><ul><li> </li></ul></ul><ul><li>Get rich or die trying, “Making money on the web, the black hat way” </li></ul><ul><ul><li> </li></ul></ul>
  29. 29. Further references con’t <ul><li>OWASP Top Ten Project </li></ul><ul><ul><li> </li></ul></ul><ul><li>The WASC Threat Classification v2.0 </li></ul><ul><ul><li> </li></ul></ul><ul><li>CWE/SANS TOP 25 Most Dangerous Coding Errors </li></ul><ul><ul><li> </li></ul></ul><ul><li>OWASP Application Threat Modeling </li></ul><ul><ul><li> </li></ul></ul><ul><li>OWASP EASPI </li></ul><ul><ul><li> </li></ul></ul><ul><li>OWASP Testing Project </li></ul><ul><ul><li> </li></ul></ul>