the art of exploiting logical flaws in web apps
play

The Art of Exploiting Logical Flaws in Web Apps Sumit sid Siddharth - PowerPoint PPT Presentation

Aug 11, 2023 •372 likes •1.17k views

The Art of Exploiting Logical Flaws in Web Apps Sumit sid Siddharth Richard deanx Dean A GREAT COLLABORATION! 2 competitors working together! Thanks to: 7Safe, Part of PA Consulting Group Portcullis Computer Security Limited

  1. The Art of Exploiting Logical Flaws in Web Apps Sumit “sid” Siddharth Richard “deanx” Dean

  2. A GREAT COLLABORATION! 2 competitors working together! Thanks to: 7Safe, Part of PA Consulting Group Portcullis Computer Security Limited

  3. About Me... i. Global Head of Penetration testing ii. 7Safe- Part of PA Consulting Group iii. 7 + years in IT Security iv. Specialist in Application and Database security v. Speaker at Black Hat, DEF CON, OWASP Appsec etc vi. Co-author of book: SQL Injection: Attacks and Defence 2 nd Edition

  4. and About Me... i. No snazzy job title ii. Portcullis CLS iii. 6 years in IT Security iv. Enjoys building things up or breaking them down in to first principles v. Was a Semi-conducting Polymer researcher in a previous life vi. Co-author of a Cover article from Advanced Materials

  5. Overview What & Why Logic Flaws? Some Examples Where to Look? What To Look For? Some More Examples The Take homes

  6. Other Researchers Work Trustwave’s Presentation at Appsec 2012: Anatomy of a Logical Flaw https://www.owasp.org/images/b/b6/ASDC12-Anatomy_of_a_Logic_Flaw.pdf MDSEC’s presentation: Beyond OWASP Top 10 http://blog.mdsec.co.uk/2012/04/beyond-owasp-top-10.html

  7. What Is A Logic Flaw? • A problem where the application does not behave as expected from a given state • When an expected workflow can be avoided / circumvented • When a developer has not considered external influences to the current execution path

  8. Why Logic Flaws? • Very little awareness/mention of them • Beyond the scope of automated tools • Requires understanding of the application • Requires out-of-box thinking • They are a lot more interesting than most other web application flaws* * May not be a view held by all of this talks presenters

  9. Key Axiom “You cannot comprehensively test for logic flaws unless you know what the application is supposed to be doing”

  10. Example Classic parameter manipulation attacks, the server trusts a client supplied value: a. Change the price of an item in a shopping basket b. Change a hidden form value such as “UID” c. Transfer Negative Funds

  11. Root Causes • Poor Design • No thorough documentation of logical flows • Lack of understanding of technologies used • Laxed SDLC • Lack of rigorous testing both security and functional

  12. The First Attack 2 Step Authenticated banking application

  13. Authentication schema

  14. Pin Verification

  15. Pin Verification • What happens authentication when fails Same indices asked again?

  16. Pin Verification Same indices asked again? Account lockout after certain YES N O attempts Only 3-5 attempts to 1000 attempts to brute guess the write PIN force Unless you can do Game Over! something clever....

  17. What about the indices? • If the application does not validate the indices and accepts the user submitted value then.... – What will be the value for non-existing indices – Such as index 7, 8, 9 for a 6 digit PIN – Null equals Null... – Tip: Often pentesters/scanners focus on parameter value but not parameter!

  18. Null Equals Null Note: The index value changed from 1, 3 and 4 to 7, 8 and 9

  19. And Bang!

  20. Solution • It’s a server side piece of knowledge, keep it server side • Definitely Don’t trust user supplied data • Remind you of CVE-2004-0627 – Mysql Auth Bypass

  21. “Attacks on uninitialized local variables” - Halvar Flake – Black Hat Federal 2006 #include <stdio.h> #include <stdlib.h> int main(int argc, char **argv) { int b; printf(“%lx”, b); }

  22. An Analogy Local Variable = Session Variable = Function Calls = HTTP Requests #include <stdio.h> #include <stdlib.h> int main(int argc, char **argv) { int b; printf(“%lx”, b); }

  23. An Analogy Local Variable = Session Variable = Function Calls = HTTP Requests Do we control “Local Variables”? Do we control “Function Calls”? What can be done?

  24. Simple Messaging App • After a bit of recognisance the following is found: – Normal users can send each other messages – Normal users can edit their own profile – Admin users can edit other users profiles

  25. User Messaging First a user is selected from the list

  26. User Messaging

  27. User Messaging Then the message is composed

  28. Nothing to Play With?

  29. Session Data • Application did not require the id of user whom the message was sent to in final POST • This info must be saved session side • So we can control at least 1 session variable

  30. Session Variable Use if ( !isset ($_SESSION['target_id'])){ // check if session variable exists $target = $_SESSION['target_id']; $message = $_POST[‘message’]; send_messge($target, $message); // do something }else { error(“User Not Selected”); // do something else }

  31. Look Similar?

  32. Even More Interesting Message User Select Edit User Select

  33. Exploit • Visit “User Edit Page” • Open second window to “User Messaging” • Select User in Messaging Dialogue + Next • Blank out one of the required fields on “User Edit Page” • Hit “Update” • Page returns with other users info • Use password recovery to get access to any accounts.

  34. Variable Reuse if ( !isset($_SESSION['target_id'])){ // checks if session variable exists update_profile($_SESSION['target_id']); // do something }else { update_profile($_SESSION[‘uid']); // do something else } Developer has assumed that as the `target_id’ is a session variable it cannot be controlled by the user, forgetting that the variable *can* be controlled during the messaging phase.

  35. Where to Look? • Cracks in the application – Places where di fg erent dev teams have been used – Places where extra functionality has been bolted on – Boundaries between frameworks and bespoke code

  36. What to Look For? • Obviously di fg erent coding styles – May indicate coding guidelines not followed • Missing framework elements – May indicate framework security is missing • Complex user journeys – More complex more scope for mistakes • New functionality that is added • Similarities between di fg erent function

  37. Discount Voucher Fun • Typically common in e-commerce website • Problem: – lack of co-ordination between functional testing and security testing • General Crack - new functionality added for specific purpose

  38. Discount Voucher Fun

  39. Hot DEAL!

  40. Free Gift==Discount?

  41. Free Gift==Discount?

  42. Facebook Abuse Another bolt-on functionality problem

  43. Facebook Abuse • “Locate the person who you want to view photos of”

  45. Facebook Abuse • “Locate the person who you want to view photos of” • “Click on Report/Block. From the popup menu, select Inappropriate Profile photo and press continue.”

  47. Facebook Abuse • “Locate the person who you want to view photos of” • “Click on Report/Block. From the popup menu, select Inappropriate Profile photo and press continue.” • “Select Nudity or pornography and press continue.”

  49. Facebook Abuse • “Locate the person who you want to view photos of” • “Click on Report/Block. From the popup menu, select Inappropriate Profile photo and press continue.” • “Select Nudity or pornography and press continue.” • “Only check Report to Facebook and press continue.”

  51. Facebook Abuse • “Locate the person who you want to view photos of” • “Click on Report/Block. From the popup menu, select ‘Inappropriate Profile photo’ and press continue.” • “Select ‘Nudity or pornography’ and press continue.” • “Only check ‘Report to Facebook’ and press continue.” • “Only select ‘Help us take action by selecting additional photos to include with your report’ and press Okay.”

  53. Understand Your Tech

  54. Authentication Hashes • Typically, the clear text password and username are submitted to server • Server creates a hash (often salted hash) and then compare the hash stored in back-end • If hash is correct, authentication is successful.

  55. Authentication Hashes • CVE 2010-2861 • Reference: – http://www.gnucitizen.org/blog/coldfusion-directory-traversal-faq- cve-2010-2861/

  56. Pwning Coldfusion

  57. Directory Traversal • Bad – http://server/CFIDE/administrator/enter.cfm?locale=../../../../../boot.ini%00en • Worse – http://server/CFIDE/administrator/enter.cfm?locale=../../../../../ColdFusion8/lib/ password.properties%00en

  58. password.properties file

  59. Unsalted SHA1 Hash • Good security practice? – Not too bad, could have been better with salt? • Only if you understand the salting

  60. Authentication Request

  61. CF Authentication • The javascript running on webpage will automatically converts password into SHA1 hash and then use a salt to create a HMAC • The HMAC and salt are sent to server • Server computes HMAC based on password hash stored at back-end and salt value received • If the 2 HMAC are same, authentication is successful • Grrrrr! #FAIL

Recommend

WiFuzz: Detecting and Exploiting Logical Flaws in the Wi-Fi Cryptographic Handshake Mathy

WiFuzz: Detecting and Exploiting Logical Flaws in the Wi-Fi Cryptographic Handshake Mathy

WiFuzz: Detecting and Exploiting Logical Flaws in the Wi-Fi Cryptographic Handshake Mathy Vanhoef - @vanhoefm Black Hat, 27 July 2017 In collaboration with Domien Schepers and Frank Piessens Introduction More and more Wi-Fi network use

414 views • 26 slides
Securely Implementing Network Protocols: Detecting and Preventing Logical Flaws Mathy Vanhoef

Securely Implementing Network Protocols: Detecting and Preventing Logical Flaws Mathy Vanhoef

Securely Implementing Network Protocols: Detecting and Preventing Logical Flaws Mathy Vanhoef (KU Leuven) Black Hat Webcast, 24 August 2017 @vanhoefm Introduction Many protocols have been affected by logical bugs Design flaws Implementation

692 views • 31 slides
Exploiting Microarchitectural Flaws in the Heart of the Memory Subsystem Daniel Moghimi,

Exploiting Microarchitectural Flaws in the Heart of the Memory Subsystem Daniel Moghimi,

Exploiting Microarchitectural Flaws in the Heart of the Memory Subsystem Daniel Moghimi, Worcester Polytechnic University Feb 20, 2020 Columbia University Spoiler!! 2 CPU Memory Subsystem Allocation Queue Front End CPU Memory Subsystem

1.59k views • 127 slides
Comparison and Analysis Point of view If multiple processes involved in exploiting the

Comparison and Analysis Point of view If multiple processes involved in exploiting the

Comparison and Analysis Point of view If multiple processes involved in exploiting the flaw, how does that affect classification? xterm , fingerd flaws depend on interaction of two processes ( xterm and process to switch file objects;

999 views • 50 slides
Small Business Apps WHAT ARE MOBI LE APPS ? W h a t are mob i le apps ? A little bit of

Small Business Apps WHAT ARE MOBI LE APPS ? W h a t are mob i le apps ? A little bit of

WELCOME Small Business Apps WHAT ARE MOBI LE APPS ? W h a t are mob i le apps ? A little bit of information An App is a piece of so ware (a program) that needs to be installed on Mobile Apps are device specific, meaning that an App that runs

268 views • 12 slides
PHP and active pages Logical models for

PHP and active pages Logical models for

Telecom SudParis Introduction sessions management and transactions PHP and active pages Logical models for DB-web apps. Evolutions Bruno DEFUDE

531 views • 15 slides
Flaws and Frauds Flaws and Frauds in IDPS evaluation in IDPS evaluation Dr. Stefano Zanero, PhD

Flaws and Frauds Flaws and Frauds in IDPS evaluation in IDPS evaluation Dr. Stefano Zanero, PhD

Flaws and Frauds Flaws and Frauds in IDPS evaluation in IDPS evaluation Dr. Stefano Zanero, PhD Post-Doc Researcher, Politecnico di Milano CTO, Secure Network Outline Establishing a need for testing methodologies Testing for

1.13k views • 43 slides
Boxing them in Buggy apps can crash other apps The Kernel App 1 App 2 App 3 Buggy apps can

Boxing them in Buggy apps can crash other apps The Kernel App 1 App 2 App 3 Buggy apps can

Boxing them in Buggy apps can crash other apps The Kernel App 1 App 2 App 3 Buggy apps can crash OS wants to be your friend Buggy apps can hog all resources Operating System Malicious apps can violate Reading and writing memory, privacy

548 views • 17 slides
F ROM WEBSITES TO APPS , AND NOW FROM APPS TO CHATBOTS ? A NTNIO B RANCO FROM APPS TO CHATBOTS

F ROM WEBSITES TO APPS , AND NOW FROM APPS TO CHATBOTS ? A NTNIO B RANCO FROM APPS TO CHATBOTS

F ROM WEBSITES TO APPS , AND NOW FROM APPS TO CHATBOTS ? A NTNIO B RANCO FROM APPS TO CHATBOTS CEO of large social network in annual development conference 2 months ago Shared vision for next 2 decades: past : with advent of PCs, companies

498 views • 14 slides
The Kernel wants to be your friend Boxing them in Buggy apps can crash other apps App 1 App 2

The Kernel wants to be your friend Boxing them in Buggy apps can crash other apps App 1 App 2

The Kernel wants to be your friend Boxing them in Buggy apps can crash other apps App 1 App 2 App 3 Buggy apps can crash OS Buggy apps can hog all resources Operating System Malicious apps can violate Reading and writing memory, privacy

1.15k views • 67 slides
By: Taylor Thomas &amp; Ashley Fischer There are apps for just about EVERYTHING! There are

By: Taylor Thomas &amp; Ashley Fischer There are apps for just about EVERYTHING! There are

By: Taylor Thomas &amp; Ashley Fischer There are apps for just about EVERYTHING! There are new apps being developed and posted everyday. Some of the best apps you will ever find are FREE! There are two ways to download apps for

606 views • 38 slides
Di ff erentially-Private Batch Query Answering Exploiting the Workload vs. Exploiting the Data

Di ff erentially-Private Batch Query Answering Exploiting the Workload vs. Exploiting the Data

Di ff erentially-Private Batch Query Answering Exploiting the Workload vs. Exploiting the Data Gerome Miklau University of Massachusetts, Amherst DIMACS Workshop on Recent Work on Di ff erential Privacy across Computer Science October 2012

1.39k views • 136 slides
CONDITIONAL EXECUTION: PART 2 yes no x &gt; y? max = y; max = x; logical AND logical OR

CONDITIONAL EXECUTION: PART 2 yes no x &gt; y? max = y; max = x; logical AND logical OR

CONDITIONAL EXECUTION: PART 2 yes no x &gt; y? max = y; max = x; logical AND logical OR logical NOT &amp;&amp; || ! Fundamentals of Computer Science I Outline Review: The if-else statement The switch statement A look at

536 views • 25 slides
Basic Computation logical AND logical OR logical NOT &amp;&amp; || ! public static void

Basic Computation logical AND logical OR logical NOT &amp;&amp; || ! public static void

Basic Computation logical AND logical OR logical NOT &amp;&amp; || ! public static void main(String [] args) Fundamentals of Computer Science Outline Data Types Variables Primitive Data Types The String Class Type

922 views • 55 slides
Google Study: Google Study: Could those memory failures be caused by design flaws? Could those

Google Study: Google Study: Could those memory failures be caused by design flaws? Could those

Google Study: Google Study: Could those memory failures be caused by design flaws? Could those memory failures be caused by design flaws? Barbara P. Aichinger Vice President New Business Development FuturePlus Systems Corporation

886 views • 21 slides
Adaptive Progressive Web Apps PWA Progressive Web Apps are just great websites that can behave

Adaptive Progressive Web Apps PWA Progressive Web Apps are just great websites that can behave

Adaptive Progressive Web Apps PWA Progressive Web Apps are just great websites that can behave like native apps Progressive Web Apps are just great apps, powered by Web technologies and delivered with Web infrastructure.

454 views • 32 slides
Detecting and Resolving Type Flaws in Security Protocols Michael Banks Department of Computer

Detecting and Resolving Type Flaws in Security Protocols Michael Banks Department of Computer

Detecting and Resolving Type Flaws in Security Protocols Michael Banks Department of Computer Science, University of York 26th February 2009 Outline 1 Security Protocols 2 Type Flaws: Attacks and Defences 3 Detecting and Resolving Potential

391 views • 25 slides
A Linear Logical A Linear Logical A Linear Logical Framework Framework Framework Iliano

A Linear Logical A Linear Logical A Linear Logical Framework Framework Framework Iliano

A Linear Logical A Linear Logical A Linear Logical Framework Framework Framework Iliano Cervesato - Frank Pfenning Department of Computer Science Carnegie Mellon University 11 th IEEE Symposium on Logic in Computer Science New

587 views • 30 slides
2015-16 Results: Thank You! Goal = 415,000 apps Actual = 427,695 apps $30,000 in

2015-16 Results: Thank You! Goal = 415,000 apps Actual = 427,695 apps $30,000 in

More Than a Meal Campaign 2016-17 Two applications, one deadline, many student resources 2015-16 Results: Thank You! Goal = 415,000 apps Actual = 427,695 apps $30,000 in recognition awards $60M/3 yrs in new revenue to the

345 views • 10 slides
All About Apps Well cover... Whats an app? What are app permissions? What do

All About Apps Well cover... Whats an app? What are app permissions? What do

All About Apps Well cover... Whats an app? What are app permissions? What do companies gain by getting your permission? Typical permissions requested by apps How to check up on apps already on your phone App safety

134 views • 11 slides
in Android apps Shin Hwei Zhen Xiang Abhik Tan Dong Gao Roychoudhury 2 Prevalence of

in Android apps Shin Hwei Zhen Xiang Abhik Tan Dong Gao Roychoudhury 2 Prevalence of

Repairing crashes in Android apps Shin Hwei Zhen Xiang Abhik Tan Dong Gao Roychoudhury 2 Prevalence of Mobile Apps App Store Google Play Launched with 500 apps. 3.5 millions apps By July 17, 10 millions available for download apps

518 views • 22 slides
What is the Logical Framework Approach? 1 LFA - DEFINITION The logical framework approach is an

What is the Logical Framework Approach? 1 LFA - DEFINITION The logical framework approach is an

Correspondence on The Logical Framework Approach Developed for SNV PARTNERS 14-18 July 2008 Supported by SNV Zimbabwe Compiled by: What is the Logical Framework Approach? 1 LFA - DEFINITION The logical framework approach is an

653 views • 34 slides
On the Road: Websites and Apps for Travel Loading the Right Apps Lets you get the most out

On the Road: Websites and Apps for Travel Loading the Right Apps Lets you get the most out

On the Road: Websites and Apps for Travel Loading the Right Apps Lets you get the most out of your vacation Helps you avoid missing important sites Eliminates confusion while travelling Keeps you connected to home Tips for

971 views • 39 slides
Mobile Apps INFM 603 Week 10 Agenda Questions Mobile Apps HCI Project

Mobile Apps INFM 603 Week 10 Agenda Questions Mobile Apps HCI Project

Mobile Apps INFM 603 Week 10 Agenda Questions Mobile Apps HCI Project discussions Native Apps Live on device Access to all device features GPS, accelerometer, compass, list of contacts Written for specific

654 views • 38 slides

More recommend