attack patterns for black box security testing of multi
play

Attack Patterns for Black-Box Security Testing of Multi-Party Web - PowerPoint PPT Presentation

Apr 02, 2024 •224 likes •508 views

Attack Patterns for Black-Box Security Testing of Multi-Party Web Applications Avinash Sudhodanan (sudhodanan@fbk.eu) Alessandro Armando (armando@fbk.eu) Roberto Carbone (carbone@fbk.eu) Luca Compagna (luca.compagna@sap.com) NDSS, San Diego,

  1. Attack Patterns for Black-Box Security Testing of Multi-Party Web Applications Avinash Sudhodanan (sudhodanan@fbk.eu) Alessandro Armando (armando@fbk.eu) Roberto Carbone (carbone@fbk.eu) Luca Compagna (luca.compagna@sap.com) NDSS, San Diego, 22/02/2016 1

  2. Multi-Party Web Applications (MPWAs) A Service Provider web app. relying on Trusted Third-Parties to deliver its services to Users through web-based security protocols Examples Online Shop Alice o Single Sign-On (SSO) Service Provider (SP) User (U) o Cashier-as-a-Service (CaaS) Shopping SAML SSO, OAuth, PayPal Express.. online Popularity/Relevance Trusted Third-Party (TTP) o 27% of top 1000 US websites supports Payment Service Identity Provider Facebook SSO [1] Provider (e.g. Google) (e.g. PayPal) o 179+ million PayPal users worldwide 2

  3. Multi-Party Web Applications (MPWAs) A Service Provider web app. relying on Trusted Third-Parties to deliver its services to Users through web-based security protocols Examples Alice Online Shop o Single Sign-On (SSO) U TTP SP o Cashier-as-a-Service (CaaS) 1. Login Request 2. Auth. Request Popularity/Relevance 3. Login & Consent o 27% of top 1000 US websites supports 4. AuthAssert (Alice,SP) Facebook SSO [1] 5. “Welcome Alice” o 179+ million PayPal users worldwide The implementation of the protocols underlying MPWAs is notoriously error-prone 3

  4. Several Vulnerabilities Reported Many vulnerabilities discovered through a variety of techniques applied to specific scenarios Tech. [Ref.] Vulnerable MPWA Attack Attacker’s Goal FV [2] SPs implementing Google’s Replay U V ’s AuthAssert for SP M in SP T Authenticate as U V at SP T SAML SSO GB + FV [3] developer.mozilla.com (SP) Make U V browser send request to SP T Authenticate as U M at SP T implementing BrowserID with U M ’s AuthAssert BB [4] PayPal Express Checkout in Replay Token of transaction T 1 at SP T Complete T 2 at SP T OpenCart 1.5.3.1 during transaction T 2 at SP T FV [5] SPs implementing Facebook Replay U V ’s AccessToken for SP M in Authenticate as U V at SP T SSO SP T BB [6] PayPal Payments Standard Replay PayeeId of SP M during Complete T at SP T in osCommerce v2.3.1 transaction T at SP T WB [7] Authorize.net credit card sim Replay OrderId of transaction T 1 at Complete T 2 at SP T in baby products store SP T during transaction T 2 at SP T FV [8] CitySearch.com (SP) using Make U V browser send request to SP T Authenticate as U M at SP T Facebook SSO with U M ’s AuthCode Legend- FV : Formal Verification, GB : Grey-Box Analysis, BB : Black-Box Analysis, WB : White-Box Analysis 4

  5. SAML SSO: Example of vulnerable implementation A man-in-the-middle attack against the SAML based SSO for Google Apps reported in [2] Alice Online Shop Google U TTP SP 1. Login Request 2. Auth. Request 3. Login & Consent 4. AuthAssert(Alice,SP) 5. “Welcome Alice” 5

  6. SAML SSO: Example of vulnerable implementation Bob Online Store Alice Kitty pics Google Malicious SP Target SP Victim User Malicious User TTP (SP M ) SP T (U V ) (U M ) 1. Login Request 2. Auth. Request 3. Login & Consent Session (U V , SP M ) 4. AuthAssert(Alice) 5. “Welcome Alice” 1’. Login Request : Session (U M , SP T ) : Attack strategy: Replay U V ’s AuthAssert for SP M in SP T 5’. “Welcome Alice ” 6

  7. Our Observation- I: attack strategies The strategy behind many attacks reported in the literature is the same Tech. [Ref.] Vulnerable MPWA Attack Strategy Attacker’s Goal FV [2] SPs implementing Google’s Replay U V ’s AuthAssert for SP M in SP T Authenticate as U V at SP T SAML SSO GB + FV [3] developer.mozilla.com (SP) Make U V browser send request to SP T Authenticate as U M at SP T implementing BrowserID with U M ’s AuthAssert BB [4] PayPal Express Checkout in Replay Token of transaction T 1 at SP T Complete T 2 at SP T OpenCart 1.5.3.1 during transaction T 2 at SP T FV [5] SPs implementing Facebook Replay U V ’s AccessToken for SP M in Authenticate as U V at SP T SSO SP T BB [4] PayPal Payments Standard Replay PayeeId of SP M during Complete T at SP T in osCommerce v2.3.1 transaction T at SP T WB [6] Authorize.net credit card sim Replay OrderId of transaction T 1 at Complete T 2 at SP T in baby products store SP T during transaction T 2 at SP T FV [7] CitySearch.com (SP) using Make U V browser send request to SP T Authenticate as U M at SP T Facebook SSO with U M ’s AuthCode Can we exploit the similarity in attack strategies to discover new attacks in an automatic way? 7

  8. Our Observation- II: preconditions Online shop Alice Alice Google Some properties of the HTTP elements of protocols can be U SP TTP used as preconditions to apply the attack strategy: 1. Login Request • Syntactic/Semantic properties of HTTP elements [8] 2. Auth. Request Property Label User Unique UU 3. Login & Consent Session Unique SU 4. Auth. Assert : • Data flow properties 5. “Welcome Alice” Property Flow The HTTP element flows from SP to TTP, through the browser SP-TTP The HTTP element flows from TTP to SP, through the browser TTP-SP Can we understand from the HTTP traffic of the underlying protocol which attack strategy to be applied? 8

  9. Our Observation-III: threat model Four nominal sessions are sufficient to execute all the attacks we considered: The thread model: Attacker can play the role of a User and/or a Service Provider Is this threat model general enough for our purpose? Any added value by considering browser history attacker? 9

  10. From Attacks to Attack Patterns 10

  11. From Attacks to Attack Patterns: one example Ref. Vulnerable MPWA Attack Strategy Attacker’s Goal FV [2] SPs implementing Replay U V ’s AuthAssert for SP M in SP T Authenticate as U V at SP T Google’s SAML SSO FV [5] SPs implementing Replay U V ’s AccessToken for SP M in SP T Authenticate as U V at SP T Facebook SSO (Formalized) (Formalized) e.g. “Welcome Alice” 11

  12. Attack Patterns 12

  13. Approach Knowledge of the security expert is encapsulated in attack patterns • Provide • Execute user actions • Check preconditions implementation , • Identify syntactic/ • Execute actions e.g. replay recording of user semantic, data flow an element from one actions of the properties of underling protocol run in another nominal sessions HTTP elements (e.g. • Check postconditions SU, TTP-SP etc.) 13

  14. Implementation 14

  15. Results (excerpt) Novelty SP TTP (& Protocol) Attack (& Elements) ACKs New attack Alexa e-comm < 10 Linkedin JS API SSO RA5 ( Uid, Email ) developer.linkedin.com RA5 ( Mem. Id, Access. Token ) Attacks previously All SPs Stripe Checkout RA4 ( DataKey, Token ) reported in SSO found other scenarios e.g. CaaS open.sap.com Gmail (reg. via email) LCSRF (Act. Link) Same attack in another INstant Linkedin JS API SSO RA1 (Access_Token) protocol of same scenario Alexa US top < 1000 Log in with Instagram LCSRF ( Auth. Code ) pinterest.com Facebook SSO RedURI (red_uri, Auth. Code) All SPs Log in with PayPal RedURI (red_uri, Auth. Code) Same attack another app OpenCart v2.1.0.1 2Checkout RA3 (Order_num, Key) 15

  16. Conclusions • Identified 7 attack patterns • Introduced a black-box security testing framework leveraging our attack patterns to discover vulnerabilities in the implementations of MPWAs • Implementation based on OWASP ZAP (a widely-used open source penetration testing tool) • Using our tool we discovered 21 previously-unknown vulnerabilities in SSO, CaaS and beyond 16

  17. Limitations and future directions Coverage • general issue for black-box techniques • attack patterns can state precisely what they are testing • still our approach is not complete • can we reach practical full-coverage for replay attacks? Observability • our approach can observe client side communication • server-to-server (S2S) communication is not considered • what would we gain by adding S2S observability? 17

  18. References [1] Zhou, Y. and Evans, D. SSOScan: automated testing of web applications for single sign-on vulnerabilities. USENIX 2014 [2] Armando, A., Carbone, R., Compagna, L., Cuellar, J., and Tobarra, L. Formal Analysis of SAML 2.0 Web Browser Single Sign-On: Breaking the SAML-based Single Sign-On for Google Apps. FMSE 2008 [3] Bai, G., Lei, J., Meng, G., Venkatraman, S. S., Saxena, P., Sun, J., Liu, Y., and Dong, J. S. Authscan: Automatic extraction of web authentication protocols from implementations. NDSS 2013 [4] Pellegrino, G., and Balzarotti, D. Toward black-box detection of logic flaws in web applications. NDSS 2014 [5] Wang, R., Zhou, Y., Chen, S., Qadeer, S., Evans, D., and Gurevich, Y. Explicating SDKs: Uncovering assumptions underlying secure authentication and authorization. USENIX 2013 [6] Sun, F., Xu, L., and Su, Z. Detecting logic vulnerabilities in e-commerce applications. NDSS 2014 [7] Bansal, C. and Bhargavan, K. and Maffeis, S. Discovering Concrete Attacks on Website Authorization by Formal Analysis. CSF, 2012 [8] Wang, R., Chen, S., and Wang, X. Signing me onto your accounts through facebook and google: A traffic-guided security study of commercially deployed single-sign-on web services. S&P 2012 18

  19. Thank You sudhodanan@fbk.eu 19

  20. Backup slides 20

  21. Example Attack Pattern: RA1 21

  22. Custom Strategies Threat Model: Browser History of victim user (U V ) is available to Attacker 22

  23. Complex Attack Patterns 23

  24. LCSRF Attack Pattern 24

Recommend

A Network Black Box with Splunk for Forensic Analysis of Attack Patterns Clive Blackwell Oxford

A Network Black Box with Splunk for Forensic Analysis of Attack Patterns Clive Blackwell Oxford

A Network Black Box with Splunk for Forensic Analysis of Attack Patterns Clive Blackwell Oxford Brookes University Oxford, United Kingdom CBlackwell@brookes.ac.uk Roadmap Three layer architectural security model Influenced by OSI

782 views • 37 slides
Security vulnerabilities, exploits and attack patterns: 15 years of art, pseudo-science, fun &amp;

Security vulnerabilities, exploits and attack patterns: 15 years of art, pseudo-science, fun &amp;

15th USENIX Security Symposium | July 31st August 4th 2006 | Vancouver, B.C. - Canada Security vulnerabilities, exploits and attack patterns: 15 years of art, pseudo-science, fun &amp; profit Ivn Arce Core Security Technologies Humboldt

767 views • 41 slides
Broadcasting your attack: Security testing DAB radio in cars Andy Davis, Research Director

Broadcasting your attack: Security testing DAB radio in cars Andy Davis, Research Director

Broadcasting your attack: Security testing DAB radio in cars Andy Davis, Research Director Image: computerworld.com.au Agenda Who am I and why am I interested in security testing DAB? Overview of DAB How do we broadcast DAB?

790 views • 33 slides
Black Box Testing (A&amp;O Ch. 4) (2 nd Ed. Ch. 6) Course Software Testing &amp; Verification

Black Box Testing (A&amp;O Ch. 4) (2 nd Ed. Ch. 6) Course Software Testing &amp; Verification

Black Box Testing (A&amp;O Ch. 4) (2 nd Ed. Ch. 6) Course Software Testing &amp; Verification 2019/20 Wishnu Prasetya &amp; Gabriele Keller Plan Partitioning based testing (A&amp;O Ch 4/2 nd Ed Ch. 6). Model based testing Note: black

772 views • 39 slides
SECURITY TESTING Towards a safer web world AGENDA 1. 3 WS OF SECURITY TESTING 2. SECURITY

SECURITY TESTING Towards a safer web world AGENDA 1. 3 WS OF SECURITY TESTING 2. SECURITY

SECURITY TESTING Towards a safer web world AGENDA 1. 3 WS OF SECURITY TESTING 2. SECURITY TESTING CONCEPTS 3. SECURITY TESTING TYPES 4. TOP 10 SECURITY RISKS Few Security Breaches Date: 2013-14 September 2016, while in negotiations to

404 views • 18 slides
ATTACK: Learning the Distributions of Adversarial Examples for an Improved Black-Box Attack on

ATTACK: Learning the Distributions of Adversarial Examples for an Improved Black-Box Attack on

ATTACK: Learning the Distributions of Adversarial Examples for an Improved Black-Box Attack on Deep Neural Networks Yandong Li* 1 Lijun Li* 1 Liqiang Wang 1 Tong Zhang 2 Boqing Gong 3 *Equal Contribution 1 University of Central Florida 2 Hong

440 views • 11 slides
Revolutionizing the Field of Grey-box Attack Surface Testing with Evolutionary Fuzzing Jared

Revolutionizing the Field of Grey-box Attack Surface Testing with Evolutionary Fuzzing Jared

Revolutionizing the Field of Grey-box Attack Surface Testing with Evolutionary Fuzzing Jared DeMott Dr. Richard Enbody @msu.edu Dr. William Punch Black Hat 2007 www.vdalabs.com VDA Labs, LLC Agenda Goals and previous works (1)

683 views • 54 slides
Attack Patterns Recognition Framework Noor-ul-hassan Shirazi, Alberto Schaeffer-Filho and David

Attack Patterns Recognition Framework Noor-ul-hassan Shirazi, Alberto Schaeffer-Filho and David

Attack Patterns Recognition Framework Noor-ul-hassan Shirazi, Alberto Schaeffer-Filho and David Hutchison Lancaster University MSN2012:The Multi Service Networks Workshop Coseners House, Abingdon, Oxfordshire, UK 12-13 July 2012 1

348 views • 17 slides
Security Overview Security Goals The Attack Space Security Mechanisms

Security Overview Security Goals The Attack Space Security Mechanisms

CSCE Intro to Computer Systems Security Security Overview Security Goals The Attack Space Security Mechanisms Introduction to Cryptography Authentication Authorization Confidentiality Case Studies Security

472 views • 20 slides
Security &amp; Compliance Thursday, September 4 2014 What is a security breach/attack? A

Security &amp; Compliance Thursday, September 4 2014 What is a security breach/attack? A

Security &amp; Compliance Thursday, September 4 2014 What is a security breach/attack? A security breach/attack is defined as an event in which a corporations network is compromised or an individuals name plus Social Security Name (SSN),

890 views • 12 slides
Security Overview Security Goals The Attack Space Security Mechanisms

Security Overview Security Goals The Attack Space Security Mechanisms

CPSC 410/611 Operating Systems Security Security Overview Security Goals The Attack Space Security Mechanisms Introduction to Cryptography Authentication Authorization Confidentiality Case Studies

419 views • 19 slides
Security Testing - Where Automation Fails Today How does security testing of web

Security Testing - Where Automation Fails Today How does security testing of web

Security Testing - Where Automation Fails Today How does security testing of web applications work What does the tooling landscape look like How does automated security testing fail What can we do Image courtesy of

583 views • 56 slides
CSE 504: Project Proposal Jennifer Niederlnder 01/13/2016 Improving Security Testing

CSE 504: Project Proposal Jennifer Niederlnder 01/13/2016 Improving Security Testing

CSE 504: Project Proposal Jennifer Niederlnder 01/13/2016 Improving Security Testing Improving Security Testing or Collect security errors Derive Patterns Improving Performance Improving Performance 1. Take the code 2. Point out

423 views • 9 slides
Better Concrete Security for Half-Gates Garbling (in the Multi-Instance Setting) Chun Guo,

Better Concrete Security for Half-Gates Garbling (in the Multi-Instance Setting) Chun Guo,

Better Concrete Security for Half-Gates Garbling (in the Multi-Instance Setting) Chun Guo, Jonathan Katz, Xiao Wang, Chenkai Weng, Yu Yu All widely used GCs have a birthday-bound security Explicit attack GC based on fix-key block cipher

313 views • 7 slides
ss 8 Class Cl CSC 495/583 Topics of Software Security PLT, GOT &amp; Return-to-plt Attack

ss 8 Class Cl CSC 495/583 Topics of Software Security PLT, GOT &amp; Return-to-plt Attack

ss 8 Class Cl CSC 495/583 Topics of Software Security PLT, GOT &amp; Return-to-plt Attack &amp; GOT Overwrite Attack Dr. Si Chen (schen@wcupa.edu) Review Page 2 ret2libc Attack Page 3 libc C standard library Provides

662 views • 36 slides
Yet another side-channel attack: Multi-linear Power Analysis attack (MLPA) Thomas Roche , C

Yet another side-channel attack: Multi-linear Power Analysis attack (MLPA) Thomas Roche , C

List decoding of RM(1,m) and Multi-linear cryptanalysis Application to Power Analysis attacks : MLPA Conclusion and Open persp Yet another side-channel attack: Multi-linear Power Analysis attack (MLPA) Thomas Roche , C edric Tavernier

625 views • 29 slides
Scaling up baseband attacks: More (unexpected) attack surface Black Hat USA 2012 2012-07-25

Scaling up baseband attacks: More (unexpected) attack surface Black Hat USA 2012 2012-07-25

Scaling up baseband attacks: More (unexpected) attack surface Black Hat USA 2012 2012-07-25 36.117038, -115.174562 Ralf-Philipp Weinmann SnT, University of Luxembourg &lt;ralf-philipp.weinmann@uni.lu&gt; Security issues with SUPL

769 views • 38 slides
Wireless Security Why This Works Integrity Attacks Availability Black Holes Battery Exhaustion

Wireless Security Why This Works Integrity Attacks Availability Black Holes Battery Exhaustion

Wireless Security Wireless Security Confidentiality Integrity Wireless Architecture Access Points Which AP? The Evil Twin Attack Wireless Security Why This Works Integrity Attacks Availability Black Holes Battery Exhaustion Battery

785 views • 41 slides
OmegaLog: High-Fidelity Attack Investigation via Transparent Multi-layer Log Analysis Wajih Ul

OmegaLog: High-Fidelity Attack Investigation via Transparent Multi-layer Log Analysis Wajih Ul

OmegaLog: High-Fidelity Attack Investigation via Transparent Multi-layer Log Analysis Wajih Ul Hassan , Mohammad A. Noureddine, Pubali Datta, Adam Bates Network and Distributed System Security Symposium (NDSS) 2020 26 February 2020 . 1 State

767 views • 40 slides
Shuntaint: Emulation-based Security Testing for Formal Verification Bruno Luiz

Shuntaint: Emulation-based Security Testing for Formal Verification Bruno Luiz

Shuntaint: Emulation-based Security Testing for Formal Verification Bruno Luiz ramosblc@gmail.com Black Hat Europe 2009 Overview Give a brief overview of the emulation- based security testing Introduction to VEX Formalism

376 views • 26 slides
Black Hills Power CIS Testing Importance to your TIMP Programs And Black Hills Powers

Black Hills Power CIS Testing Importance to your TIMP Programs And Black Hills Powers

Black Hills Power CIS Testing Importance to your TIMP Programs And Black Hills Powers Lessons Learned WHO WE ARE Black Hills Corporation is a diversified energy service company operating in several western states. o Corporate Offices

626 views • 39 slides
Security Patterns M. Schumacher, E. Fernandez-Buglioni, D. Hybertson, F. Bushmann, and P.

Security Patterns M. Schumacher, E. Fernandez-Buglioni, D. Hybertson, F. Bushmann, and P.

Security Patterns M. Schumacher, E. Fernandez-Buglioni, D. Hybertson, F. Bushmann, and P. Sommerlad, Security Patterns: Integrating Security and Systems Engineering, John Wiley and Sons Ltd., 2006 Lecture outline What is pattern? What is

1.04k views • 83 slides
Attack Graphs Systems and Internet Infrastructure Security (SIIS) Laboratory Page 1 Outline Attack

Attack Graphs Systems and Internet Infrastructure Security (SIIS) Laboratory Page 1 Outline Attack

Systems and Internet Infrastructure Security Network and Security Research Center Department of Computer Science and Engineering Pennsylvania State University, University Park PA Attack Graphs Systems and Internet Infrastructure Security (SIIS)

1.06k views • 60 slides
Black Hat Europe 2009 Hijacking Mobile Data Connections 1 Mobile Security Lab Provisioning

Black Hat Europe 2009 Hijacking Mobile Data Connections 1 Mobile Security Lab Provisioning

Black Hat Europe 2009 Hijacking Mobile Data Connections 1 Mobile Security Lab Provisioning &amp; WAP primer Forging Messages Demo: Remote provisioning Provisioning: Process and Issues Attack scenario and exploiting Final

713 views • 59 slides

More recommend