ttern - Free Web Hosting with PHP, MySQL and cPanel

More documents

Recommendations

Info

20 ATTACK PATTERN The Logic Behind Application Logic Defects It’s no secret that web applications are at the center of the ongoing conflict between malicious hackers, and those defending the applications. As more and more critical business functions migrate to an Internet presence, web applications play an extremely vital role in business. Hackers know this well, and have been exploiting weaknesses in web applications at an alarmingly high rate. While age-old issues like SQL Injection and authentication weaknesses continue to plague developers there is another class of security defects that has been flying under the radar. Web application logic defects are not new – in fact, the topic has been covered at great length by various academic and research organizations; rather, this class of issues has not received enough attention due to the prevalence of much simpler attack vectors. While hackers may not be exploiting this class of defects in high volume, they are nevertheless extremely effective and stealthy. Mapping and Hacking To attack application logic, a hacker must first understand the function of the application itself. Although a small detail, it makes this type of hacking different. While it is an advantage to know the application when looking for SQL Injection and like defects, application flow knowledge is absolutely critical when discovering and exploiting logic defects. Application flow presents a complex and often difficult attack surface, but to a hacker looking to remain undetected, it is the perfect choice. A hacker who wants to exploit application logic must first take the time to map out the application flow and determine vulnerabilities. An experienced hacker would use a visual graphing tool to draw the application page-flow and workflow to fully understand the application. As the application is being mapped, the hacker keeps track of page-state, page parameters and available actions. Finding logic defects in applications is painstaking, requiring a hacker to look for subtle hints inside these tracked components. For example, hidden variables that only exist on certain pages within an application, such as the login page or during privilege elevation, may point to an exploitable issue in the authentication or authorization service. Finding such parameters can be tricky, but once they are identified they can be studied for patterns, or simply fed to a targeted fuzzer to discover lapses in logic. There are a number of application logic defects that are obvious to someone looking for them. For example, an application that implements a login lockout mechanism to prevent hackers from guessing passwords, but stores that information in a cookie, is easy to manipulate. The hacker simply deletes the cookie (or never accepts it) and can keep grinding away at the password mechanism. This is yet another reason to perform all critical functions away from the client – in other words, at the back-end server where the logic and environment is more likely to be under the control of the developer. Allowing logic to be stored and executed on the client is like a bank building miniature cash dispensing machines that customers can take home with them. It sounds great in theory because it allows customers to not have to visit a banking center – but since the bank no longer has direct control over the physical component given to the customer to take home – this will ultimately lead to fraud. Online gaming systems are a particular target for logic tampering and hacking. An application, such as an online poker room, which allows re-submission of an action, in the form of a bet or hand, is vulnerable to being manipulated. For example, if a player feels he has a winning hand and places a large bet, then discovers a sign that their opponent also feels they have a good hand, they would be able to re-submit a previous request (typically in the form of an AJAX request) and make a lower bet. An application that does not have 02/2011
The Logic Behind Application Logic Defects appropriate logic controls to identify that the player has already used their turn, can be manipulated, and in fact, has been in the past. Picking on Parallel Processes Turning a developer’s time-optimization technique against the application is also a great way to exploit application logic defects. Developers are often trying to speed their applications and optimize workflow to accomplish multiple tasks concurrently. An attacker can exploit this type of optimization by looking for what appear to be parallel processes that should logically run in serial. A good example is a business with an online shopping cart that has also implemented a customer loyalty system. Once a customer logs in and places their order, their purchases are converted to points which can be redeemed for goods or services at a later date. A hacker can attempt to manipulate this system by placing a small order, then entering an incorrect payment method to ensure that the transaction fails. Often, the loyalty points transaction and payment transaction are conducted in parallel for speed. However, even though the payment transaction fails, the loyalty points are still added to the customer’s account. This type of attack can be repeated, or even scripted, to obtain a large volume of loyalty points while not spending any money with the vendor. Exploiting Numerical Handling Vulnerabilities It’s important to validate that an application handles various numeric inputs correctly. Once again, turning to a shopping cart feature, if a hacker can input a negative number into an order system various issues can arise, including something called phantom inventory. If the application allows a negative number to be used, a hacker can simply add inventory that doesn’t exist during the purchase or acquisition process. For example, a recently discovered and patched issue in a popular Internet application allowed clientside validation of input, but if the hacker stripped out the field validation, which was written in JavaScript, or intercepted and manipulated the request, a negative number could be inserted. Inside the application logic there were immediately two issues. First, someone could checkout with a negative number prompting a debit to their account or credit card. This in effect was stealing money from the vendor. The second issue was with the back-end inventory management system which now reflected a discrepancy in available stock. The Devil is in the Details Logic defects in an application can cause serious business challenges. Discovering these types of issues takes time, and isn’t a simple matter of coding up a scanner tool. Each issue has a unique method of discovery, is different from one application to another, and is often different from one developer to another. The one thing all logic defects have in common is they are virtually invisible to modern web attack mitigation platforms. Whether there is a web application firewall, an intrusion prevention system, or any combination thereof – it’s nearly certain that attacking web application logic will be invisible to the victim –whether that it be an enterprise, a small business, or a governmental entity. This is primarily due to the lack of identifiable patterns such as tell-tale SQL Injection markers. Requests and responses are often legitimate, and don’t trigger an alarm or raise suspicion even if the hack is successful. Remaining undetected makes this type of attack very attractive to hackers, fraudsters, and others. Additionally, these types of security defects in applications often slip past testing teams as scanning tools and formal logic testing methodologies are still maturing. The best weapon against these types of security defects is the Quality Assurance testing organization at each business. QA testers are well-versed in application logic for the purposes of functional testing. Rather than developing logic testing methodology from scratch, security testing teams should collaborate with their QA organizations to add logic testing into their already well-adopted methodologies. It Takes a Village Logic defects are difficult to avoid in code, difficult to effectively test for, and nearly impossible to detect. As hackers exhaust obvious and scriptable defects on the Internet, web-based applications will likely be their next attack vector. Rather than waiting for the deluge of attacks, and for the appearance of scathing headlines, now is the time for development organizations, application security teams, and businesses to work together to fortify their web-based applications against these attacks. Focus on discussing this with your QA organization, develop an internal testing methodology that suits the applications you build, and test your existing applications. You can then apply these lessons learned to new applications you design before they are deployed throughout the organization. RAFAL LOS Rafal Los Enterprise and Cloud Security Strategist for Hewlett- Packard Software, combines over a decade of deep technical expertise in information security and risk management with a critical business perspective. From technical research to building and implementing enterprise application security programs, Rafal has a proven track record with organizations of diverse sizes and verticals. Prior to joining HP, Los de�ned the framework for a software security program and served as a security lead at a Global Fortune 100. Los also contributed to the global organization’s security and risk-management strategy internally and with their customers. www.hakin9.org/en 21
Page 4: Editor in Chief: Grzegorz Tabaka gr
Page 7 and 8: CONTENTS REVERSE ENGINEERING 28 A Q
Page 9 and 10: Malware Analysis for Widows Systems
Page 11 and 12: Malware Analysis for Widows Systems
Page 13 and 14: WHAT IS A GOOD FUZZING TOOL? Fuzz t
Page 15 and 16: Direct Object Reference or, How a T
Page 17 and 18: Direct Object Reference or, How a T
Page 19: and associates with that specific f
Page 23 and 24: Password, What Password? Computers
Page 25 and 26: Password, What Password? files. For
Page 28 and 29: 28 REVERSE ENGINEERING A Quick „H
Page 30 and 31: 30 Listing 4. Getting the AddressOf
Page 32 and 33: 32 is stored in the PE headers). Us
Page 34: 34 Table 1. Checking if the �les
Page 37 and 38: Interview with Jan van Bon Exploiti

ttern - Free Web Hosting with PHP, MySQL and cPanel

Create successful ePaper yourself

Delete template?

Save as template?