SESSION ID: DSO-R02
Case Files from 20 Years of Business Logic Flaws
Chetan Conikee, CTO
#RSAC

Security Issues

Two broad categories:
○ Vulnerabilities, which have common characteristics across different applications
○ Design flaws, which are specific to the application or business domain

Vulnerabilities

Implementation problems in code.
[Diagram: attack → Source (read input) → auth → validation → Sink (security-sensitive function)]
● Improper API usage patterns, e.g. malloc without free
● Lack of input validation, leading to injections, buffer overflows, etc.
● Lack of access controls, which may lead to confidential information being leaked, altered or denied access to

Flaws

Misuse of the application by circumventing business rules.
[Diagram: attack → Source → auth bypass → Sink]
● Abuse functionality
● Manipulate parameter(s)
● Bypass or side-step a workflow step

Source of Flaws
● High-velocity development
● Poor documentation and testing
● Security not a part of the early design process
● Lack of automated checks in the CI pipeline
● Lack of architectural risk analysis to identify attack resistance, ambiguity and weakness in software design

OWASP Categorization (WIP)
● Business Consistency Security
● Aging Bypass Testing
● Verification Code Breakthrough
● Identity Authentication Security
● Business Authorization Security
● Retrieving Password Vulnerabilities
● Business Process Out of Order
● Business Data Tampering
● Business Interface Invocation
● Users Enter Legality

FLAWS (Example: Paying less for more items)

[Sequence diagram, Attacker ↔ Store]
Session 1: Login → Add Item(s), then Checkout → Create unique Token → Authorize Payment (token) → [Token, PaymentId] → Ship Items
Session 2 (concurrent session): Login (new session) → Add Item(s), then Checkout → Reuse [Token, PaymentId] → Ship Items

Payment:
● Initiate a low-cost transaction using the normal workflow.
● Intercept the request and capture [TOKEN, PAYMENTID].
● Log in using another browser (new session) and initiate a new transaction; side-step the authorization phase and reuse [TOKEN, PAYMENTID].

Questions to ask of the design:
● Is metadata (cost, quantity, user, session) mapped to the payment transaction token?
● Is an authorization/capture unique to a userId?
● Is an authorization/capture unique to a session scope belonging to the same userId?

EXPLOITING FLAWS

Adversarial Mindset
Choose a target business → Discover functionality by spidering the domain → Analyze traffic by proxy interception → Identify points of interest → Manipulate parameters and repeat.
Points of interest:
● REST APIs
● Web forms (+ fields)
● Registration forms
● Tokens, hashes and parameters exchanged between requests
● Password recovery
● Out-of-band channels

An Attacker's Toolchain (Burp)
Interceptor -> Choose target and intercept via proxy
Repeater -> Automate parameter manipulation and observe response(s)

Weaponizing Flaws
Observe   -> Abuse functionality | Information leakage | Predictable resource location
Enumerate -> Weak password recovery | Insufficient authorization | Workflow bypass
Exploit   -> Critical parameter manipulation
Pivot: each finding feeds the next step (Observe → Enumerate → Exploit, and back to Observe).

Weaponizing Flaws - Case 1 (Bidding)
● Observe / Abuse functionality: Participate by bidding on an item in an online auction portal.
● Observe / Information leakage: During the bidding process, the system exposes the username and email of fellow bidders on screen.
● Enumerate / Weak password recovery: Minutes before the bid ends, the attacker initiates a brute-force password recovery attack on all fellow bidders.
● Exploit: Wins the bid by locking fellow bidders out, and so wins at the lowest price.

Weaponizing Flaws - Case 2 (Finance)
● Observe / Abuse functionality: Initiate a transaction and receive an email after the transaction is fulfilled.
● Observe / Predictable resource location: The email contains a site link to view the transaction details, and the transactionId is a predictable sequence.
● Enumerate / Insufficient authorization: Attacker increments/decrements sequen
● Exploit: Data exfiltration
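The "paying less for more items" flow from the payment example, as an added Python model; this is not code from the slide deck. The catalogue, prices, user and session names are constructed. The `strict` flag switches between the flawed store, whose ship step accepts any [token, paymentId] it ever issued, and a store that answers the three questions on that slide by binding the authorization to user, session, amount and cart contents and making it single-use.

```python
import hashlib
import hmac
import secrets
from dataclasses import dataclass

# Constructed catalogue: one cheap item and one expensive one.
PRICES = {"pen": 2, "laptop": 1500}


def cart_total(items):
    return sum(PRICES[i] for i in items)


def cart_hash(items):
    """Stable digest of the cart contents, so an authorization can be tied to them."""
    return hashlib.sha256(",".join(sorted(items)).encode()).hexdigest()


@dataclass
class Authorization:
    token: str
    payment_id: str
    user_id: str
    session_id: str
    amount: int
    cart: str
    captured: bool = False


class Store:
    """Checkout/ship flow (constructed model).

    strict=False reproduces the flaw: ship() accepts any [token, paymentId]
    the store issued, whoever presents it and whatever is in the cart now.
    strict=True binds the authorization to user, session and cart metadata
    and allows it to be captured exactly once.
    """

    def __init__(self, strict):
        self.strict = strict
        self.auths = {}      # payment_id -> Authorization
        self.shipments = []  # (user_id, items)

    def authorize_payment(self, user_id, session_id, items):
        """Checkout step: create a unique token and authorize the cart total."""
        payment_id = secrets.token_hex(8)
        token = secrets.token_urlsafe(16)
        self.auths[payment_id] = Authorization(
            token, payment_id, user_id, session_id, cart_total(items), cart_hash(items))
        return token, payment_id

    def ship(self, user_id, session_id, items, token, payment_id):
        """Ship step: returns (ok, reason)."""
        auth = self.auths.get(payment_id)
        if auth is None or not hmac.compare_digest(auth.token, token):
            return False, "unknown authorization"
        if self.strict:
            if auth.captured:
                return False, "authorization already captured"
            if auth.user_id != user_id or auth.session_id != session_id:
                return False, "authorization belongs to another user or session"
            if auth.amount != cart_total(items) or auth.cart != cart_hash(items):
                return False, "cart does not match the authorized amount"
            auth.captured = True
        self.shipments.append((user_id, tuple(sorted(items))))
        return True, "shipped"


def replay_attack(strict):
    """The two-session flow from the slide.

    Session 1 buys a pen and the attacker captures [token, paymentId] from
    the request.  Session 2 (same user, new login) adds a laptop, skips the
    authorize step and replays the captured pair at the ship step.
    Returns both ship() outcomes and the value of goods shipped against a
    2-unit authorization.
    """
    store = Store(strict=strict)
    token, payment_id = store.authorize_payment("mallory", "sess-1", ["pen"])
    ok1, _ = store.ship("mallory", "sess-1", ["pen"], token, payment_id)
    ok2, _ = store.ship("mallory", "sess-2", ["laptop"], token, payment_id)
    shipped_value = sum(cart_total(items) for _, items in store.shipments)
    return ok1, ok2, shipped_value
```

With `strict=False` the replay ships 1502 units of goods against a 2-unit authorization; with `strict=True` the second ship call fails because the authorization has already been captured, and the session, user and cart checks reject the other variants of the replay independently.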
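Case 1 (bidding) as an added Python model, not code from the slide deck. The slide only says the attacker locks fellow bidders out through brute-force password recovery; the lockout threshold, the per-requester throttle and the bidder names below are assumptions. The `hardened` variant is a mitigation suggested here, not one the slide describes: wrong recovery answers throttle the requester instead of locking the target account.

```python
from collections import defaultdict

LOCK_THRESHOLD = 5   # assumed: wrong recovery answers before the account locks
SOURCE_LIMIT = 5     # assumed: recovery attempts one requester may make per window
WINDOW_SECONDS = 60


class RecoveryService:
    """Password recovery for an auction site (constructed model).

    hardened=False: each wrong recovery answer counts against the *target*
    account and the account locks at LOCK_THRESHOLD.  Anyone who knows a
    username (leaked on the bidding screen) can lock its owner out.

    hardened=True: wrong answers count against the *requester* and only
    throttle further recovery requests from that requester; the target's
    ability to log in is never affected.
    """

    def __init__(self, hardened, answers_by_account):
        self.hardened = hardened
        self.answers = answers_by_account      # account -> recovery answer
        self.failures = defaultdict(int)       # vulnerable: per target account
        self.locked = set()
        self.attempts = defaultdict(list)      # hardened: requester -> timestamps

    def attempt_recovery(self, account, answer, source, now):
        """Returns 'reset', 'wrong', 'locked' or 'throttled'."""
        if account in self.locked:
            return "locked"
        if self.hardened:
            recent = [t for t in self.attempts[source] if now - t < WINDOW_SECONDS]
            self.attempts[source] = recent
            if len(recent) >= SOURCE_LIMIT:
                return "throttled"
            recent.append(now)
        if self.answers.get(account) == answer:
            return "reset"
        if not self.hardened:
            self.failures[account] += 1
            if self.failures[account] >= LOCK_THRESHOLD:
                self.locked.add(account)
        return "wrong"

    def can_login(self, account):
        return account not in self.locked


def lock_out_rivals(service, rivals, now=0):
    """Attacker's loop: hammer recovery for every rival bidder minutes before
    the auction closes.  Returns the rivals who can no longer log in."""
    for rival in rivals:
        for i in range(LOCK_THRESHOLD):
            service.attempt_recovery(rival, f"guess-{i}", source="attacker", now=now)
    return sorted(r for r in rivals if not service.can_login(r))
```

Against the flawed service the attacker locks every rival with five wrong guesses each; against the hardened one the attacker is throttled after the first five requests and every rival can still log in and bid.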
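Case 2 (finance) as an added Python model, not code from the slide deck. The slide describes a transaction-details link whose transactionId is a predictable sequence and an enumeration that walks that sequence; the starting counter value, the customer names and the record contents below are constructed. The `hardened` variant adds the ownership check that the slide's "insufficient authorization" implies is missing, and uses random references so the sequence cannot be walked at all.

```python
import secrets
from dataclasses import dataclass


@dataclass
class Transaction:
    owner: str
    details: str


class TransactionPortal:
    """'View transaction details' endpoint behind the confirmation-email link.

    hardened=False: transactionIds come from a sequential counter and view()
    performs no ownership check, so any authenticated user who increments or
    decrements the id in their own link reads other customers' records.

    hardened=True: view() checks that the record belongs to the requester
    (the actual fix) and references are random, so the sequence cannot be
    walked even if an ownership check is ever missed elsewhere.
    """

    def __init__(self, hardened):
        self.hardened = hardened
        self.next_id = 100045   # assumed starting point of the sequence
        self.txns = {}          # reference -> Transaction

    def create(self, owner, details):
        """Fulfil a transaction and return the reference placed in the email link."""
        if self.hardened:
            ref = secrets.token_urlsafe(16)
        else:
            ref = str(self.next_id)
            self.next_id += 1
        self.txns[ref] = Transaction(owner, details)
        return ref

    def view(self, requester, ref):
        """Returns the details or None.  Missing and forbidden both map to None
        so the response does not confirm that a neighbouring id exists."""
        txn = self.txns.get(ref)
        if txn is None:
            return None
        if self.hardened and txn.owner != requester:
            return None
        return txn.details


def walk_sequence(portal, attacker, own_ref, radius):
    """Attacker: take the reference from their own email and step the counter
    in both directions.  Returns {reference: details} for every record the
    portal handed back."""
    if not own_ref.isdigit():
        return {}   # unguessable reference: there is no sequence to walk
    base = int(own_ref)
    leaked = {}
    for delta in range(-radius, radius + 1):
        if delta == 0:
            continue
        details = portal.view(attacker, str(base + delta))
        if details is not None:
            leaked[str(base + delta)] = details
    return leaked
```

On the flawed portal a single transaction of the attacker's own is enough to read the neighbouring customers' records; on the hardened portal the walk finds nothing and a directly supplied foreign reference is also refused.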

PDF document: 2020_USA20_DSO-R02_01_Case Files from 20 Years of Business Logic Flaws (39 pages)
This document was uploaded by 张玉竹 on 2022-04-08 09:31:55.