Application frameworks’ vulnerabilities
Don’t be the next Equifax
Wojtek Dworakowski
login> Wojtek Dworakowski
OWASP Poland Chapter Leader (since 2012)
SecuRing (since 2003)
Equifax breach
• Credit monitoring company
• 143 million user data records
• About 209,000 credit card numbers
(video: CNN Money, http://money.cnn.com/2017/09/11/pf/equifaxmyths/index.html; © 2017 Cable News Network. A Time Warner Company.)
How come?
• Initial attack vector: the web server, running Apache Struts 2
• CVE-2017-5638 (S2-045): the Struts flaw Equifax confirmed was exploited
• CVE-2017-9805 (S2-052): disclosed the week the breach was announced and initially suspected
Is it easy to exploit?
Google for: ”CVE-2017-5638 exploit”
(screenshot: Exploit Database, https://www.exploit-db.com/exploits/41570/)
(image: https://www.flickr.com/photos/alijava/27634909445)
(but finding such a bug in the first place is not trivial; once it is public, exploitation is)
What was next?
• ? (what happened right after the initial compromise is not public)
• Multiple backdoors
• Lateral movement
• Huge data transfers
  – 143 million user records
  – 209,000 credit card numbers
Timeline:
  Struts patched: 7 Mar 2017
  Vulnerability disclosed: 10 Mar 2017
  "Equifax was able to determine a series of breaches had occurred from May 13 through July 30"
Nobody noticed?
(source: CNN Tech, http://money.cnn.com/2017/09/16/technology/equifax-breach-security-hole/index.html)
Case #2
(image source: flickr / Nick Bastian, licence CC BY-ND 2.0)
Server vulnerability exploitation
• In late 2015 one of the Polish banks was pwned (outdated components)
• The intruder was able to modify transactions
• Screenshots of the modified transfers (source: www.zaufanatrzeciastrona.pl): ~40,000 EUR and ~92,000 EUR
Application components’ vulnerabilities
(chart, source: www.cvedetails.com)
Why are frameworks vulnerable?
• Internals are complicated
• The execution path is not obvious
• Years of development and a feature arms race
(image: Łukasz Lenart, "How secure your web framework is? Based on Apache Struts2", https://www.slideshare.net/kravietz/struts2-howsecure/)
No man’s land
(image: "No-man's-land-flanders-field" by King, W. L. (William Lester), http://www.loc.gov/pictures/item/2007663169/, public domain)
What to do?
Am I vulnerable too?
1. What kind of framework/libraries are we running?
   – Check the URLs: e.g. .do or .action extensions → Struts (probably)
   – Ask the developers ;)
   – Check WEB-INF/lib:
     …
     ognl-3.1.12.jar
     struts2-config-browser-plugin-2.5.10.jar
     struts2-convention-plugin-2.5.10.jar
     struts2-core-2.5.10.jar
     struts2-rest-plugin-2.5.10.jar
     …
Am I vulnerable too?
2. Are those versions vulnerable?
   – vendor’s docs (e.g. the Struts security bulletins)
   – vendor’s Jira/Bugzilla/…
   – NVD / CVE
Am I vulnerable too?
3. Are we using the vulnerable functionality?
   S2-052 (CVE-2017-9805) – the non-default REST plugin has to be enabled
   S2-053 (CVE-2017-12611) – non-standard (considered wrong) construction of Freemarker tags, i.e. request data fed into a tag attribute
   S2-045 (CVE-2017-5638) – the exploited functionality (the default Jakarta multipart parser) is widely used, so most installations are affected
More: Struts security app-ocalypse – IT security managers’ survival guide
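The three steps above as one script, added here as an example (it is not code from the presentation or from the Struts project): it inventories jar names from a WEB-INF/lib listing, compares the versions against the affected ranges published in the three Struts advisories the slide names, and then applies each advisory's reachability condition (S2-052 needs the REST plugin deployed; S2-053 can only be settled by a code review). The listing is constructed from the slide's jar names plus an assumed freemarker jar; the advisory table is hand-written for this example and must be kept in sync with the vendor's bulletins.

```python
import re
from typing import Dict, Optional, Tuple

# Constructed directory listing of WEB-INF/lib, modelled on the jars shown on
# the slide; the freemarker jar is an assumed extra entry, not from the page.
SAMPLE_LIB_LISTING = """
ognl-3.1.12.jar
struts2-config-browser-plugin-2.5.10.jar
struts2-convention-plugin-2.5.10.jar
struts2-core-2.5.10.jar
struts2-rest-plugin-2.5.10.jar
freemarker-2.3.22.jar
"""

# Affected-version ranges from the Apache Struts advisories named on the slide.
# "requires" names a jar that must also be deployed for the bug to be reachable.
ADVISORIES = [
    {"id": "S2-045 (CVE-2017-5638)", "artifact": "struts2-core",
     "ranges": [("2.3.5", "2.3.31"), ("2.5", "2.5.10")], "requires": None,
     "note": "Jakarta multipart parser, enabled by default"},
    {"id": "S2-052 (CVE-2017-9805)", "artifact": "struts2-core",
     "ranges": [("2.1.2", "2.3.33"), ("2.5", "2.5.12")], "requires": "struts2-rest-plugin",
     "note": "only reachable through the REST plugin's XStream handler"},
    {"id": "S2-053 (CVE-2017-12611)", "artifact": "struts2-core",
     "ranges": [("2.0.1", "2.3.33"), ("2.5", "2.5.10.1")], "requires": None,
     "note": "needs a code review: only templates feeding request data into Freemarker tags"},
]

# artifact-version[-qualifier].jar, e.g. struts2-core-2.5.10.jar, foo-1.2-SNAPSHOT.jar
JAR_RE = re.compile(
    r"^(?P<artifact>[A-Za-z][A-Za-z0-9_-]*?)-(?P<version>\d+(?:\.\d+)*)"
    r"(?:[-.][A-Za-z0-9.]+)?\.jar$"
)


def parse_jar_name(name: str) -> Tuple[Optional[str], Optional[str]]:
    """Split 'struts2-core-2.5.10.jar' into ('struts2-core', '2.5.10')."""
    m = JAR_RE.match(name.strip())
    if not m:
        return None, None
    return m.group("artifact"), m.group("version")


def version_tuple(version: str) -> Tuple[int, ...]:
    """'2.5.10.1' -> (2, 5, 10, 1); plain tuple comparison then orders releases."""
    return tuple(int(part) for part in version.split("."))


def in_range(version: str, low: str, high: str) -> bool:
    return version_tuple(low) <= version_tuple(version) <= version_tuple(high)


def inventory(listing: str) -> Dict[str, str]:
    """Step 1: which artifacts (and versions) are actually deployed."""
    jars = {}
    for line in listing.splitlines():
        artifact, version = parse_jar_name(line)
        if artifact:
            jars[artifact] = version
    return jars


def assess(listing: str) -> Dict[str, str]:
    """Steps 2 and 3: match deployed versions against the advisory ranges,
    then apply each advisory's reachability condition."""
    jars = inventory(listing)
    findings = {}
    for adv in ADVISORIES:
        version = jars.get(adv["artifact"])
        if version is None:
            findings[adv["id"]] = "not applicable: %s not deployed" % adv["artifact"]
        elif not any(in_range(version, lo, hi) for lo, hi in adv["ranges"]):
            findings[adv["id"]] = "not affected: %s %s is outside the affected ranges" % (
                adv["artifact"], version)
        elif adv["requires"] and adv["requires"] not in jars:
            findings[adv["id"]] = "version affected, but %s is not deployed" % adv["requires"]
        else:
            findings[adv["id"]] = "AFFECTED: %s %s (%s)" % (adv["artifact"], version, adv["note"])
    return findings


if __name__ == "__main__":
    for advisory, status in assess(SAMPLE_LIB_LISTING).items():
        print(advisory, "->", status)
```

Two caveats when running something like this against a real deployment: a jar's file name can lie (repackaged, shaded or renamed jars, or a copy dropped outside WEB-INF/lib), so confirm the version from the pom.properties or MANIFEST.MF inside the archive; and for an advisory like S2-053 a version match only says "possibly", the templates still have to be reviewed.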
but…
Tools
Free
• OWASP Dependency Check
• Retire.js
Commercial
• Black Duck
• Sonatype Nexus Firewall
• …
OWASP Dependency Check
• Performs Software Composition Analysis
– Reports known vulnerabilities
• Works as:
Maven Plugin
Gradle Plugin
Jenkins Plugin
SBT Plugin
Ant Task
Command Line
SonarQube
Language support
• Stable: Java & .NET
• Experimental: Ruby, Node.js, Python, PHP, others
DEMO
It’s not 100% accurate
(but much better than nothing)
• It’s not trivial to determine which libraries are actually in use (matching jars to CPE names)
• Forks, proprietary modifications, renamed or repackaged jars, etc.
• Only as up to date as the vulnerability data feed (NVD)
Recommendations:
Software vendor / development team
Verify the framework and libraries before each release (or build)
Integrate security verification into your software development process
  e.g. OWASP Dependency Check, https://www.owasp.org/index.php/OWASP_Dependency_Check
Take care of the security awareness of your development team,
especially in the field of components’ security.
Recommendations:
Software owner / IT security
During routine security testing remember about application components
(white-box testing, with access to the deployed libraries!)
Know your software stack: build and maintain a list of recommended
frameworks and libraries
Use a WAF as a first line of defence (it buys time for patching; it is not a fix)
Enforce constant components’ updates on your vendors / developers
Monitor public information about the security of your software stack. Verify
your production systems (e.g. with OWASP Dependency Check)
Don’t forget about detection!
• Build detection mechanisms INTO your software, e.g.
  – Suspicious activity is easiest to detect at the higher layers
    (check out OWASP AppSensor)
  – Honeytokens
• Be prepared
  – Incident response process
  – Build your skills / external professional support
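The two detection layers from the recommendations above (a WAF-style check on the transport layer, and application-layer detection points with a honeytoken, in the spirit of OWASP AppSensor) shown side by side in one added example; this is illustration code written for this page, not AppSensor's or any WAF's implementation. The traffic is constructed: the suspicious Content-Type value is a shortened fragment modelled on the public S2-045 payload shape (OGNL expression syntax in a header) and executes nothing, and the honeytoken ID and client addresses are assumed values.

```python
import re
from collections import Counter
from dataclasses import dataclass, field
from typing import Dict, List, Tuple


@dataclass
class Request:
    client: str
    path: str
    headers: Dict[str, str]
    params: Dict[str, str] = field(default_factory=dict)


# Header values carrying an OGNL expression: "%{" / "${" open an expression,
# the other two fragments appear in the public S2-045 payloads.
OGNL_MARKERS = re.compile(r"%\{|\$\{|#_memberAccess|@ognl\.OgnlContext@")

# Honeytoken: a record that exists in the database, belongs to no real customer
# and is never linked from the UI; only an attacker enumerating IDs reads it.
HONEYTOKEN_IDS = {"ACC-0000999"}  # assumed value for the example

# Constructed traffic: one legitimate user (10.0.0.5) and one client probing
# the application (198.51.100.7).
SAMPLE_TRAFFIC = [
    Request("10.0.0.5", "/account/list.action", {"Content-Type": "text/html"}),
    Request("198.51.100.7", "/upload.action",
            {"Content-Type": "%{(#_='multipart/form-data')."
                             "(#_memberAccess=@ognl.OgnlContext@DEFAULT_MEMBER_ACCESS)}"}),
    Request("198.51.100.7", "/account/view.action", {"Content-Type": "text/html"},
            {"id": "ACC-0000999"}),
    Request("10.0.0.5", "/account/view.action", {"Content-Type": "text/html"},
            {"id": "ACC-0001234"}),
]


def check_request(req: Request) -> List[str]:
    """Return the names of the detection rules the request trips."""
    hits = []
    # Rule 1 (transport layer, what a WAF sees): expression syntax in any header.
    if any(OGNL_MARKERS.search(value) for value in req.headers.values()):
        hits.append("ognl-expression-in-header")
    # Rule 2 (application layer): a planted record ID is being read.
    if req.params.get("id") in HONEYTOKEN_IDS:
        hits.append("honeytoken-access")
    return hits


def detect(traffic: List[Request]) -> List[Tuple[str, str, str]]:
    """(client, rule, path) for every rule hit in the traffic, in order."""
    alerts = []
    for req in traffic:
        for rule in check_request(req):
            alerts.append((req.client, rule, req.path))
    return alerts


def clients_to_block(alerts: List[Tuple[str, str, str]], threshold: int = 2) -> List[str]:
    """AppSensor-style response: a client that trips `threshold` or more
    detection points is blocked (the decision is shown, not the enforcement)."""
    counts = Counter(client for client, _, _ in alerts)
    return sorted(c for c, n in counts.items() if n >= threshold)


if __name__ == "__main__":
    found = detect(SAMPLE_TRAFFIC)
    for alert in found:
        print(alert)
    print("block:", clients_to_block(found))
```

The point of the two layers: the header rule catches a known exploit shape and can be bypassed by an attacker who encodes differently, while the honeytoken fires on what the intruder does after getting in, which no payload obfuscation hides. In the Equifax timeline above, the second kind of signal is what was missing for two and a half months.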
Equifax and Struts are just an example !
Black Duck Report - The State of Open Source Security in Commercial Applications
https://info.blackducksoftware.com/rs/872-OLS-526/images/OSSAReportFINAL.pdf
Q & A
Links
• OWASP dependency-check
  – http://jeremylong.github.io/DependencyCheck/general/dependency-check.pdf
  – http://jeremylong.github.io/DependencyCheck/
• Struts security app-ocalypse. IT security manager’s survival guide
  https://www.securing.biz/en/struts-security-app-ocalypse-it-security-managers-survival-guide/index.html
• How secure your web framework is? Based on Apache Struts2
  https://www.slideshare.net/kravietz/struts2-howsecure/

Presented at: OWASP Poland Day