Why AppSec Matters? - OWASP
Aldo Salas

Agenda
• Intro.
• Current status of AppSec in the industry.
• Case study.
• Why OWASP matters.

About me
• 10+ years of experience in AppSec.
• Currently working for a Fortune 500 company.
• Independent researcher in free time (bug bounty).
• Chapter Leader for Aguascalientes.
• Favorite vulnerability: SQL Injection.
• Proud U.A.A. alumnus.

I’m not here to scare you…
• Or maybe I am

Another week, another hack
And the list goes on: http://www.itgovernance.co.uk/blog/list-of-data-breaches-and-cyber-attacks-in-march-2016/

We are not doing a great job

Real-life case study
Background
• Third party used to collect festivals and new-hires information.
• The following email was sent to artists/managers/assistants:
• First thought on “public_key”: maybe it’s an authentication token; not ideal, but it still provides some level of authentication.

Phase 1: Discovery
Public key parameter:
• Removing public_key = Unauthenticated Access To Data
Analyzing URL:
• Changing ID in URL = Insecure Direct Object Reference (still unauthenticated)
Analyzing page:
• Files are stored in AWS S3
• File is always renamed to original.ext
• Unauthenticated access to uploaded files as well.
• Brute forcing of files is possible but not really needed.

Summary so far:
• Unauthenticated access to artist profile.
• Access to ANY profile is possible using Insecure Direct Object References.
• Unrestricted File Upload is possible.
• Unauthenticated Access to uploaded files is possible.
Reminder: this is a single page.

Phase 2: Automation
Automating data retrieval to demonstrate risk
• Initial Results:
  • More than 80 thousand records found.
• Notes:
  • More than 170 thousand requests were sent.
  • More than 6 GBs were downloaded.
  • I was never stopped nor even detected.
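The 170 thousand requests went unnoticed because nothing was looking for them. As an added example (not part of the talk, and not the third party's code), the following detector is run over constructed access-log lines and flags the pattern the case study describes: one client fetching many distinct profiles, quickly, in ID order. The Common Log Format layout and the `/artist/profile/<id>` path are assumptions made for the example.

```python
"""Added example, not part of the talk: a detector for the enumeration pattern
the case study describes (one client walking sequential profile IDs at high
rate), run over constructed access-log lines. The log format (Common Log
Format) and the /artist/profile/<id> path are assumptions for the example."""
import re
from collections import defaultdict
from datetime import datetime

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) (?P<bytes>\d+)$'
)
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"
PROFILE_RE = re.compile(r"^/artist/profile/(\d+)")  # hypothetical endpoint


def parse_profile_hit(line):
    """Return (ip, timestamp, profile_id, status) for a profile request, else None."""
    m = LOG_RE.match(line)
    if not m:
        return None
    pid = PROFILE_RE.match(m["path"])
    if not pid:
        return None
    return m["ip"], datetime.strptime(m["ts"], TS_FMT), int(pid.group(1)), int(m["status"])


def detect_enumeration(lines, min_distinct=8, min_per_minute=30, min_sequential=0.8):
    """Flag clients that fetched many distinct profiles, quickly, in ID order.

    Three signals together separate an enumeration from a busy legitimate user:
    number of distinct IDs, successful requests per minute, and the fraction of
    consecutive IDs (step of exactly 1) in the sorted set.
    """
    per_ip = defaultdict(list)
    for line in lines:
        hit = parse_profile_hit(line)
        if hit and hit[3] == 200:          # only successful reads leak data
            ip, ts, pid, _ = hit
            per_ip[ip].append((ts, pid))

    findings = {}
    for ip, hits in per_ip.items():
        ids = sorted({pid for _, pid in hits})
        if len(ids) < min_distinct:
            continue
        times = sorted(ts for ts, _ in hits)
        span = max((times[-1] - times[0]).total_seconds(), 1.0)
        per_minute = len(hits) / span * 60
        steps = [b - a for a, b in zip(ids, ids[1:])]
        sequential = steps.count(1) / len(steps)
        if per_minute >= min_per_minute and sequential >= min_sequential:
            findings[ip] = {
                "requests": len(hits),
                "distinct_ids": len(ids),
                "per_minute": round(per_minute, 1),
                "sequential": round(sequential, 2),
            }
    return findings


def _log_line(ip, second, pid, status=200):
    """Build one constructed CLF line; timestamps all fall within one minute."""
    return (f'{ip} - - [02/Apr/2016:10:15:{second:02d} +0000] '
            f'"GET /artist/profile/{pid} HTTP/1.1" {status} 4096')


# Constructed sample log: one scraper, one normal user, and one client with
# unrelated IDs (e.g. following links from search) that must not be flagged.
SAMPLE_LOG = (
    [_log_line("10.0.0.5", s, 1000 + s) for s in range(20)]
    + [_log_line("192.0.2.7", 5, 1203), _log_line("192.0.2.7", 40, 1203)]
    + [_log_line("198.51.100.9", s, pid)
       for s, pid in enumerate([77, 9, 402, 15, 301, 88, 4001, 12])]
)

if __name__ == "__main__":
    for ip, f in detect_enumeration(SAMPLE_LOG).items():
        print(f"enumeration suspected from {ip}: {f}")
```

The thresholds are tuned to the constructed data; in production they would be applied over a sliding time window, and the same record could carry whether a session cookie was present, since every request in the case study was unauthenticated.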
Phase 3: Parsing data
Parsing data:
• Number of direct URLs to download files obtained:
• Artists’ PII including emails and phones
• And much, much more:

Possible outcomes if exploited by attackers:
• Headlines in the news:
  • “HUNDREDS OF THOUSANDS OF ARTISTS’ DETAILS LEAKED BY COMPANY”
  • “WANT TAYLOR SWIFT’S NUMBER? WE’VE GOT IT”
• Attackers selling or leaking artists’ information (stalkers, curious people, etc.)
• Fraud and potential legal consequences (SSNs involved).
• Phishing campaigns against retrieved emails.
• Etc., etc., etc.

What could’ve been done better:
• Prevent unauthenticated access to the page.
• Once authentication has been implemented, perform authorization checks.
• Validate the uploaded files at server-side.
• Also add authentication checks to the files.
• Logging and IPS/IDS configuration to detect unusual activity.
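As an added example (not code from the talk or from the third party involved), the access-control and upload mistakes from the case study are modelled below as plain Python functions, each beside a hardened version that applies the remediations just listed: authenticate, then authorize per object, apply the same check to file downloads, and validate uploads on the server and store them under a random name. The profile store, the `public_key` value and the session model are all constructed for the example.

```python
"""Added example, not code from the talk or the third party involved: the
access-control and upload-handling mistakes from the case study modelled as
plain Python functions, each beside a hardened version. All names and data
here are constructed."""
import secrets
from dataclasses import dataclass
from pathlib import PurePosixPath
from typing import Optional

PUBLIC_KEY = "constructed-demo-key"      # stands in for the token emailed to artists

# Constructed profile store: profile id -> owner, a PII field and a stored file name.
PROFILES = {
    101: {"owner": "alice@example.invalid", "ssn": "***-**-0001", "file": "k7Qw.pdf"},
    102: {"owner": "bob@example.invalid", "ssn": "***-**-0002", "file": "p3Zr.pdf"},
}


@dataclass
class Session:
    user: Optional[str]   # None means the request carries no authenticated identity


class AccessDenied(Exception):
    pass


def get_profile_vulnerable(profile_id: int, params: dict) -> dict:
    """Mirrors the case study: the key is only checked when the parameter is
    present (so dropping it bypasses the check), and nothing ties the
    requested id to the caller (Insecure Direct Object Reference)."""
    if "public_key" in params and params["public_key"] != PUBLIC_KEY:
        raise AccessDenied("bad key")
    return PROFILES[profile_id]


def get_profile_hardened(profile_id: int, session: Session) -> dict:
    """Authenticate first (who is calling?), then authorize (may they read this
    object?) on every request, independent of which parameters were sent."""
    if session.user is None:
        raise AccessDenied("authentication required")
    profile = PROFILES.get(profile_id)
    if profile is None or profile["owner"] != session.user:
        # One answer for "missing" and "not yours", so ids cannot be enumerated
        raise AccessDenied("not found")
    return profile


def authorize_download(stored_name: str, session: Session) -> str:
    """Files get the same check as profiles: only the owner may fetch the
    object, and the app hands out the S3 key (or a short-lived presigned URL)
    only after that check, never a public bucket path."""
    for profile_id, profile in PROFILES.items():
        if profile["file"] == stored_name:
            get_profile_hardened(profile_id, session)   # raises if not allowed
            return f"uploads/{profile_id}/{stored_name}"
    raise AccessDenied("not found")


ALLOWED = {".pdf": b"%PDF-", ".png": b"\x89PNG\r\n\x1a\n", ".jpg": b"\xff\xd8\xff"}
MAX_BYTES = 5 * 1024 * 1024


def validate_upload(filename: str, content: bytes) -> str:
    """Server-side checks: size, allow-listed extension, and content that
    matches the extension's magic bytes. Returns a random storage name, so the
    stored object is neither the original name nor guessable."""
    if len(content) > MAX_BYTES:
        raise ValueError("file too large")
    ext = PurePosixPath(filename).suffix.lower()
    magic = ALLOWED.get(ext)
    if magic is None:
        raise ValueError(f"extension {ext!r} not allowed")
    if not content.startswith(magic):
        raise ValueError("content does not match extension")
    return f"{secrets.token_urlsafe(16)}{ext}"


def denied(fn, *args) -> bool:
    """True if the call raises AccessDenied or ValueError (used by the demo)."""
    try:
        fn(*args)
    except (AccessDenied, ValueError):
        return True
    return False


if __name__ == "__main__":
    alice = Session("alice@example.invalid")
    print("vulnerable, no key, other user's profile:", get_profile_vulnerable(102, {}))
    print("hardened, other user's profile denied:", denied(get_profile_hardened, 102, alice))
    print("hardened, own file key:", authorize_download("k7Qw.pdf", alice))
    print("php upload rejected:", denied(validate_upload, "x.php", b"<?php"))
```

The ownership check is deliberately a single comparison against the authenticated identity rather than anything taken from the request, which is the whole difference between the vulnerable and hardened handlers; the magic-byte check is what stops a renamed script from passing as a PDF.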
Tools used for discovery and exploit:
• Python programming language to code a small download script.
• Standard Unix tools to parse data (find, cat, cut, grep, sort, sed, ls, wget).

Questions?

Why OWASP Matters?
• All the vulnerabilities shown in this presentation could’ve been avoided by following OWASP recommendations.
OWASP TOP 10 misses:
• A1 – Injection
• A2 – Broken Authentication and Session Management
• A4 – Insecure Direct Object References
https://www.owasp.org/index.php/Category:OWASP_Top_Ten_Project

Questions?