Abuse Cases: From scratch to the hack
Miguel Hernandez Ruiz
Do the testers know about the business flows supported by the application?
As starter…
The Menu
• As starter
• A hacking story
• What we are looking for
• A methodological approach
• Abuse cases from use cases
• Abuse cases from scratch
• Take away
A hacking story
Disclaimer: I have found both images online with no copyrights; if you find out they actually are copyrighted, please let me know as soon as possible.
Name: Paul. Age: 27. Job: Developer
Paul works as an IT engineer for an IT company which provides a shopping cart solution to several clients. He has never been concerned about security, and neither has his boss…
Name: Mike. Age: 22. Job: none
Mike is a university student with too much free time. He is passionate about security and loves finding application vulnerabilities. He is really aware of application (in)security…
Name: Josh. Age: 40. Job: Boss
Josh is a successful businessman who owns three different companies operating in different sectors. He has heard about security concerns in applications, but "this won't happen to him"…
A hacking story
MY APP =
Yabadabadoooooooooooooooooooooooooo!
Break another app. Break another app. Break another app. Break another app.
A hacking story
Ouch! My boss recently told me that our customers complained about some security bugs reported by a hacker in our application…
Actually I think they were there since the first version, but I am happy they didn't realise it before…
Anyway, I am ready to fix them in the new release… I will close the issues all in a row…
A hacking story
The bugs reported, and fixed one by one in the new release:
• SQLi
• XSS
• HTMLi
• CSRF
• Session Hijacking
• Session Fixation
• Buffer Overflow
• Insecure Direct Object Reference
• Non-validated Redirects
• Server Side Includes (SSI) injection
• XXE
• LFI/RFI
A hacking story
OK. I am going to take a look at the page I reported the bugs on last month…
It seems that they have fixed them… interesting…
I am happy to see that they have been able to solve the issues but… let me see…
Let's play the joker up the sleeve… What if I change this number here…
…YEAH!!!!
A hacking story
Syringe image from http://shinta-girl.deviantart.com/
What we are looking for
• What the application is intended to do, and it actually does
• What the application is intended to do, and it does not
• What the application is not intended to do, and it actually does
Functional testing covers the first two. The third one, behaviour nobody specified, is where the business logic bugs live: the application business logic must be checked from a security perspective.
ABUSE CASES
What we are looking for
Use cases
• A use case is a list of steps, typically defining interactions between a role (actor) and a system, to achieve a goal
• They are essentially structured stories or scenarios detailing the normal behaviour and usage of the software
• A use case is not only a diagram, it is text as well: a full description including the main actor, goal in context, scope, preconditions, etc.
Abuse cases
• An abuse case is a type of complete interaction between a system and one or more actors, where the results of the interaction are harmful to the system, one of the actors, or one of the stakeholders in the system
• An abuse case diagram is created together with a corresponding use case diagram (if available), but not in the same diagram
• No new terminology or special symbols are introduced for abuse case diagrams
A methodological approach
• Look for the key business requirements
• Use the available use cases to design the abuse cases
• Gain a wide understanding of the business logic implemented
• Detect implementation flaws and…
• ¡¡¡¡Exploit them!!!!
The stairway to the bug: Requirement → Design → Implementation → Integration
A methodological approach (flow diagram)
• Key requirement specification
• Use cases designed?
– Yes → Application use cases → Design abuse cases derived from use cases → Abuse cases
– No → Locate functional documentation and knowledge (functional documentation, app repository) → Gain a deep understanding of the business logic → Workflows designed?
– Workflows designed? Yes → Application workflows; No → Perform the application workflows
– Then: Determine the critical flows → Detect key points → Detect potentially worst scenarios → Design abuse cases derived from key points → Abuse cases
Abuse Cases from Use Cases
Goal: Check that there is no possibility to add items for free to the basket
Preconditions
• All application modules have been correctly deployed in test
• A previously registered user account must be provided
• There must be at least one item and one item category available
Description
• Access to the application URL: the user accesses the URL http://www...
• Log in: he/she performs the login using a provided user account
• ...
Flow: Access to the application URL → Login → Add an item to the basket → Add an item for free → Check the total cost
Actors
• User: agent which is intended to perform a normal use of the application
• Security Tester: person who is intended to cause abnormal behaviour in the application
Abuse Cases from scratch
Steps in the application flow (each marked compulsory or optional in the diagram): Access to application → Register a new account → Log in to the application → Access to an item section → Select an item → Increase/decrease number of items to order → Add to basket → Increase/decrease number of items → Update basket
Other pages: About us, Contact us, Search items, Your basket
Abuse Cases from scratch
The same flow, with the key points marked on it:
• Privilege increase
• Access to content
• Alters the price
Abuse Cases from scratch
The same flow, with the questions a security tester asks at each step:
• Could I access a non-published or private item section?
• What if I insert a very long number as a section selector?
• Could I modify the item's price?
• …or the number of items without altering the total price, perhaps?
• Definitely I must try to add a negative number of items to the basket
• Would it be possible to order non-existent items?
• Could I decrease the number of items below zero?
• What will be the maximum number of items to order?
• Could it be possible to include a negative number of items when updating the basket?
• Would it be possible to change the price during the basket update process?
• What if I perform an update over a non-existent item in the basket?
Abuse Cases from scratch
Flow: Access to the application URL → Register a user → Access with the new user → Select 4 items of a certain category and 3 items of another category → Add them to the basket → Update the number of items in the basket → Include a negative number of items
Actors on the flow: User, Security Tester
Goal: Gain a higher confidence in how the application is going to behave when the number of items is modified below zero
Preconditions
• All application modules have been correctly deployed in test
• At least two item categories have been included in the application
• There must be at least 4 items for each of the two item categories
Actors
• User: agent which is intended to perform a normal use of the application
• Security Tester: person who is intended to cause abnormal behaviour in the application
Description
• Access to the application URL: the user accesses the URL http://www...
• Register a new user: he/she clicks on the…
• …
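The two abuse cases above (adding an item for free, and pushing the number of items below zero on the basket update), written as executable checks. This is an added example in Python, not code from the deck nor from the BodgeIt store: the catalogue, the prices, the 100-items-per-line limit and the class names are assumptions. TrustingBasket mirrors the app in the story, which believes whatever the request carries; HardenedBasket looks the price up server-side and range-checks the quantity; run_abuse_cases applies the deck's questions to either one and reports what the total became or why the request was rejected.

```python
from decimal import Decimal

# Constructed catalogue (assumption, not BodgeIt data): item id -> unit price.
# 1001/1002 stand for one item category, 2001/2002 for another.
CATALOGUE = {
    "1001": Decimal("9.99"),
    "1002": Decimal("12.50"),
    "2001": Decimal("3.25"),
    "2002": Decimal("7.00"),
}
MAX_QTY_PER_LINE = 100  # assumed business rule: nobody orders more than 100 of one line


class BasketError(ValueError):
    """Raised by the hardened basket when a request violates the business rules."""


class TrustingBasket:
    """The basket from the story: every field in the request is believed."""

    def __init__(self):
        self.lines = {}  # item_id -> (quantity, unit_price)

    def update(self, item_id, qty, unit_price):
        # Quantity and price come straight from the client, sign and all.
        self.lines[item_id] = (int(qty), Decimal(unit_price))

    def total(self):
        return sum((q * p for q, p in self.lines.values()), Decimal("0"))


class HardenedBasket:
    """Same interface; the price is looked up server-side, the quantity is range-checked."""

    def __init__(self):
        self.lines = {}

    def update(self, item_id, qty, unit_price=None):
        # A client-supplied price is still accepted on the wire (same form as before)
        # and deliberately never used: the catalogue is the only source of prices.
        if item_id not in CATALOGUE:
            raise BasketError("unknown item %r" % item_id)
        try:
            qty = int(qty)
        except (TypeError, ValueError):
            raise BasketError("quantity is not an integer") from None
        if qty < 0 or qty > MAX_QTY_PER_LINE:
            raise BasketError("quantity %d outside 0..%d" % (qty, MAX_QTY_PER_LINE))
        if qty == 0:
            self.lines.pop(item_id, None)  # legitimate "remove from basket"
        else:
            self.lines[item_id] = (qty, CATALOGUE[item_id])

    def total(self):
        return sum((q * p for q, p in self.lines.values()), Decimal("0"))


def normal_flow(basket_cls):
    """The use case: 4 items of one category and 3 of another, as in the deck."""
    basket = basket_cls()
    basket.update("1001", "4", "9.99")
    basket.update("2001", "3", "3.25")
    return basket


# The deck's questions as (name, item, quantity, price) request values a
# security tester would send on the "update basket" step. Values are strings,
# the way they arrive from an HTML form.
ABUSE_CASES = [
    ("negative quantity", "1001", "-3", "9.99"),
    ("price altered on update", "1001", "4", "0.01"),
    ("item for free", "2001", "3", "0"),
    ("non-existent item", "9999", "1", "9.99"),
    ("quantity above any sane maximum", "2001", "1000000000", "3.25"),
    ("quantity to zero (legitimate removal)", "1001", "0", "9.99"),
]


def run_abuse_cases(basket_cls):
    """Apply each abuse case to a fresh basket; return name -> 'rejected: ...' or the total."""
    outcomes = {}
    for name, item, qty, price in ABUSE_CASES:
        basket = normal_flow(basket_cls)
        try:
            basket.update(item, qty, price)
            outcomes[name] = str(basket.total())
        except BasketError as exc:
            outcomes[name] = "rejected: %s" % exc
    return outcomes


if __name__ == "__main__":
    for cls in (TrustingBasket, HardenedBasket):
        print(cls.__name__)
        for name, outcome in run_abuse_cases(cls).items():
            print("  %-40s %s" % (name, outcome))
```

Each abuse case runs against a fresh basket after the normal flow (total 49.71), so the outcomes are independent. The trusting basket ends with a negative total (-20.22) for the negative-quantity case, 9.79 when the price is altered, and 39.96 when an item is made free; the hardened one rejects out-of-range quantities and unknown items and keeps the total at 49.71 whatever price the client sends, while still letting a quantity of zero remove the line.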
Demo
Hey hey hey! Don't touch my app!!
Let's rock, baby!!
Mmmm, I am not sure if I want to see this…
Take away
• Mind the business logic of your application; in the meantime, it is really cheap
• Look for a way to add negative thinking to the development process. Enforce abuse case development.
• Do not fool yourself: "This COULD happen to you"
• Raise the problem if you think there is a bug in the application; the sooner, the better.
• Do not trust the components of the application you are developing: "Develop defensively and watch the abuse cases"
Take away
• You have a great future ahead as a security tester… go for it!
• Use all your knowledge: "Try bypassing the business logic as specified in the abuse cases".
No technological device will protect you against business logic attacks; use the talent in your organization. Your brain is the most powerful tool: think negatively… Develop abuse cases.
References
• Testing for Business Logic. OWASP Foundation, 2014. https://www.owasp.org/index.php/Testing_for_business_logic
• OWASP Business Logic Security Cheat Sheet. OWASP Foundation, 2014. https://www.owasp.org/index.php/Business_Logic_Security_Cheat_Sheet
• Common Weakness Enumeration, CWE-840: Business Logic Errors. 2014. http://cwe.mitre.org/data/definitions/840.html
• Ten Business Logic Attack Vectors: Business Logic Bypass & More. NTObjectives, 2012. http://www.ntobjectives.com/research/web-application-security-white-papers/business-logic-attack-vectors-white-paper/
• How to Prevent Business Flaws Vulnerabilities in Web Applications. Marco Morana, 2011. http://es.slideshare.net/marco_morana/issa-louisville-2010morana
Thank you!!
The dessert… ?
On the Speaker - Bio
[email protected] /[email protected]
https://www.linkedin.com/in/security-miguel-hernandez
https://twitter.com/miguelangelher
http://plusplussecurity.blogspot.ie/
IT Engineer, Master in Advanced Technologies, Master in Business Administration, CEH, CISA, CISM, SPSE, IRCA LA 27001, ISTQBf, ITIL-f and FCE. Currently working for IBM in the Watson Health division as Senior Security Engineer. Miguel Hernández has been working in the security field for the past 10 years. He has helped some of the most important companies in different sectors to improve their security through process improvement and web application security testing.
Running the demo
• Download and install Docker for your operating system
• Download the BodgeIt Store image from Docker Hub
– docker pull psiinon/bodgeit
• Run Docker
• Run BodgeIt in Docker
– docker run --rm -p 8080:8080 -i -t psiinon/bodgeit
• Open BodgeIt in the browser
– http://localhost:8080/bodgeit
• If you want to intercept the communication and perform the "hack":
– Download and install ZAP for your platform.
– Change the port of ZAP's local proxy from 8080 to 8085 (BodgeIt is already listening on 8080, so the two cannot share it).
– Configure Firefox's network settings to use the proxy localhost:8085