The Logic Behind Application Logic Defects

appropriate logic controls to identify that the player has already used their turn, can be manipulated, and in fact, has been in the past.

Picking on Parallel Processes

Turning a developer's time-optimization technique against the application is also a great way to exploit application logic defects. Developers are often trying to speed up their applications and optimize workflow to accomplish multiple tasks concurrently. An attacker can exploit this type of optimization by looking for what appear to be parallel processes that should logically run in serial.

A good example is a business with an online shopping cart that has also implemented a customer loyalty system. Once a customer logs in and places their order, their purchases are converted to points which can be redeemed for goods or services at a later date. A hacker can attempt to manipulate this system by placing a small order, then entering an incorrect payment method to ensure that the transaction fails. Often, the loyalty points transaction and payment transaction are conducted in parallel for speed. However, even though the payment transaction fails, the loyalty points are still added to the customer's account. This type of attack can be repeated, or even scripted, to obtain a large volume of loyalty points while not spending any money with the vendor.
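The following is an added example, not code from the article or from any vendor it mentions. It models the loyalty-points scenario above in a toy Python order pipeline: one checkout awards points concurrently with the charge (the defect), the other awards them only after the charge is confirmed (the fix), and a reconciliation function shows how a defender can spot the discrepancy after the fact. The gateway stub, the "one point per currency unit" rule, and all names are constructed assumptions.

```python
from concurrent.futures import ThreadPoolExecutor
from dataclasses import dataclass


@dataclass
class Account:
    points: int = 0        # loyalty balance
    paid_cents: int = 0    # money actually captured for this account
    orders_failed: int = 0


class PaymentDeclined(Exception):
    """Raised by the simulated gateway when a charge is refused."""


def charge(account: Account, payment_method: str, amount_cents: int) -> str:
    # Constructed gateway stub: only the literal method 'valid-card' is accepted.
    if payment_method != "valid-card":
        raise PaymentDeclined(payment_method)
    account.paid_cents += amount_cents
    return "txn-ok"


def award_points(account: Account, amount_cents: int) -> int:
    # Constructed earning rule: one point per whole currency unit of the order.
    earned = amount_cents // 100
    account.points += earned
    return earned


def checkout_parallel(account: Account, amount_cents: int, payment_method: str) -> bool:
    """Defective design: the charge and the points award are dispatched
    concurrently, so the award never learns whether the charge succeeded."""
    with ThreadPoolExecutor(max_workers=2) as pool:
        pay = pool.submit(charge, account, payment_method, amount_cents)
        pts = pool.submit(award_points, account, amount_cents)
        pts.result()                      # points land regardless of payment
        try:
            pay.result()
        except PaymentDeclined:
            account.orders_failed += 1
            return False
    return True


def checkout_serial(account: Account, amount_cents: int, payment_method: str) -> bool:
    """Corrected design: the points award depends on a confirmed charge."""
    try:
        charge(account, payment_method, amount_cents)
    except PaymentDeclined:
        account.orders_failed += 1
        return False
    award_points(account, amount_cents)
    return True


def reconcile(account: Account) -> int:
    """Detection control: points that cannot be explained by captured payments.
    A non-zero result is a ledger discrepancy worth alerting on."""
    return account.points - account.paid_cents // 100


def simulate(checkout, attempts: int = 5, amount_cents: int = 1000,
             payment_method: str = "bad-card") -> Account:
    """Replay the repeated failed-payment scenario described in the text."""
    account = Account()
    for _ in range(attempts):
        checkout(account, amount_cents, payment_method)
    return account


if __name__ == "__main__":
    for name, fn in (("parallel", checkout_parallel), ("serial", checkout_serial)):
        acct = simulate(fn)
        print(f"{name}: points={acct.points} paid={acct.paid_cents} "
              f"failed={acct.orders_failed} unexplained={reconcile(acct)}")
```

Running the script shows the parallel pipeline crediting points for five declined orders while the serial pipeline credits none. The `reconcile` check is the kind of periodic ledger comparison that catches this class of defect even when every individual request looked legitimate to a WAF.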
Exploiting Numerical Handling Vulnerabilities

It's important to validate that an application handles various numeric inputs correctly. Once again, turning to a shopping cart feature, if a hacker can input a negative number into an order system, various issues can arise, including something called phantom inventory. If the application allows a negative number to be used, a hacker can simply add inventory that doesn't exist during the purchase or acquisition process.

For example, a recently discovered and patched issue in a popular Internet application allowed client-side validation of input, but if the hacker stripped out the field validation, which was written in JavaScript, or intercepted and manipulated the request, a negative number could be inserted. Inside the application logic there were immediately two issues. First, someone could check out with a negative number, prompting a debit to their account or credit card. This in effect was stealing money from the vendor. The second issue was with the back-end inventory management system, which now reflected a discrepancy in available stock.
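As an added example (not the article's code and not the patched application it refers to), the Python below contrasts an order handler that trusts the quantity and price from the request body with one that validates every line on the server and prices it from the catalog. The catalog, stock levels, SKUs and limits are constructed values; the point is that the server-side checks hold even when the client-side JavaScript validation has been removed.

```python
from decimal import Decimal

# Constructed catalog and stock levels; a real system reads these from its database.
CATALOG = {"SKU-BOOK": Decimal("19.99"), "SKU-PEN": Decimal("2.50")}
INVENTORY = {"SKU-BOOK": 10, "SKU-PEN": 40}
MAX_QTY_PER_LINE = 100


class InvalidOrder(ValueError):
    """Rejection reason for a request that fails server-side validation."""


def vulnerable_total(items) -> Decimal:
    """Defective: trusts quantity and price straight from the request.
    A negative quantity yields a negative total (money owed to the buyer)."""
    return sum(Decimal(str(i["price"])) * i["qty"] for i in items)


def vulnerable_apply_stock(items, inventory=INVENTORY) -> dict:
    """Defective: subtracting a negative quantity creates phantom inventory."""
    stock = dict(inventory)
    for i in items:
        stock[i["sku"]] -= i["qty"]
    return stock


def validate_line(item, inventory) -> tuple:
    """Server-side checks that do not depend on any client-side validation."""
    sku = item.get("sku")
    if sku not in CATALOG:
        raise InvalidOrder(f"unknown sku {sku!r}")
    qty = item.get("qty")
    # bool is a subclass of int, so exclude it explicitly; reject floats and strings.
    if isinstance(qty, bool) or not isinstance(qty, int):
        raise InvalidOrder(f"quantity must be an integer, got {qty!r}")
    if qty <= 0 or qty > MAX_QTY_PER_LINE:
        raise InvalidOrder(f"quantity {qty} outside 1..{MAX_QTY_PER_LINE}")
    if qty > inventory.get(sku, 0):
        raise InvalidOrder(f"insufficient stock for {sku}")
    return sku, qty


def hardened_total(items, inventory=INVENTORY) -> Decimal:
    """Price comes from the catalog, never from the request; total cannot go negative."""
    total = Decimal("0")
    for item in items:
        sku, qty = validate_line(item, inventory)
        total += CATALOG[sku] * qty
    if total < 0:  # invariant; unreachable after validation but cheap to keep
        raise InvalidOrder("negative total")
    return total


def hardened_apply_stock(items, inventory=INVENTORY) -> dict:
    """Decrement stock only after every line has passed validation, and
    re-check the combined effect so repeated SKUs cannot overdraw stock."""
    lines = [validate_line(i, inventory) for i in items]
    stock = dict(inventory)
    for sku, qty in lines:
        stock[sku] -= qty
        if stock[sku] < 0:
            raise InvalidOrder(f"combined quantity exceeds stock for {sku}")
    return stock


def is_rejected(items, inventory=INVENTORY) -> bool:
    """Helper for callers/tests: True if the hardened path refuses the order."""
    try:
        hardened_total(items, inventory)
        hardened_apply_stock(items, inventory)
    except InvalidOrder:
        return True
    return False


if __name__ == "__main__":
    tampered = [{"sku": "SKU-BOOK", "price": 19.99, "qty": -3}]
    print("vulnerable total:", vulnerable_total(tampered))          # -59.97
    print("vulnerable stock:", vulnerable_apply_stock(tampered))    # SKU-BOOK grows to 13
    print("hardened rejects tampered order:", is_rejected(tampered))
```

Two details matter beyond the sign check: the price is looked up server-side rather than echoed back from the form, and the type test rejects strings, floats and booleans that a manipulated request can smuggle in where an integer was expected. Both are cheap to add to an existing QA functional test suite.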
The Devil is in the Details

Logic defects in an application can cause serious business challenges. Discovering these types of issues takes time, and isn't a simple matter of coding up a scanner tool. Each issue has a unique method of discovery, is different from one application to another, and is often different from one developer to another.

The one thing all logic defects have in common is that they are virtually invisible to modern web attack mitigation platforms. Whether there is a web application firewall, an intrusion prevention system, or any combination thereof, it's nearly certain that attacking web application logic will be invisible to the victim, whether it be an enterprise, a small business, or a governmental entity. This is primarily due to the lack of identifiable patterns such as tell-tale SQL Injection markers. Requests and responses are often legitimate, and don't trigger an alarm or raise suspicion even if the hack is successful. Remaining undetected makes this type of attack very attractive to hackers, fraudsters, and others.

Additionally, these types of security defects in applications often slip past testing teams, as scanning tools and formal logic testing methodologies are still maturing. The best weapon against these types of security defects is the Quality Assurance testing organization at each business. QA testers are well-versed in application logic for the purposes of functional testing. Rather than developing logic testing methodology from scratch, security testing teams should collaborate with their QA organizations to add logic testing into their already well-adopted methodologies.
It Takes a Village

Logic defects are difficult to avoid in code, difficult to effectively test for, and nearly impossible to detect. As hackers exhaust obvious and scriptable defects on the Internet, web-based applications will likely be their next attack vector. Rather than waiting for the deluge of attacks, and for the appearance of scathing headlines, now is the time for development organizations, application security teams, and businesses to work together to fortify their web-based applications against these attacks. Focus on discussing this with your QA organization, develop an internal testing methodology that suits the applications you build, and test your existing applications. You can then apply these lessons learned to new applications you design before they are deployed throughout the organization.

RAFAL LOS

Rafal Los, Enterprise and Cloud Security Strategist for Hewlett-Packard Software, combines over a decade of deep technical expertise in information security and risk management with a critical business perspective. From technical research to building and implementing enterprise application security programs, Rafal has a proven track record with organizations of diverse sizes and verticals.

Prior to joining HP, Los defined the framework for a software security program and served as a security lead at a Global Fortune 100. Los also contributed to the global organization's security and risk-management strategy internally and with their customers.

www.hakin9.org/en 21