How To Prevent Business Flaws Vulnerabilities In Web Applications - OWASP

Transcription

How to Prevent Business Flaws Vulnerabilities In Web Applications
Marco Morana
OWASP Cincinnati Chapter, January 2011 Meeting
Copyright 2010 - The OWASP Foundation
Permission is granted to copy, distribute and/or modify this document under the terms of the GNU Free Documentation License.
The OWASP Foundation
http://www.owasp.org

What is OWASP?

Agenda For Today's Presentation
1. General Background on Business Logic Attacks (BLA)
   1. Problem statement
   2. Business logic exploits
   3. Categorization of business logic flaws
2. Vulnerability Analysis of Business Logic Flaws
   1. Threats, vulnerabilities, and attacks
   2. Root causes of vulnerabilities leading to BLA
   3. Categorization of business logic flaws using OWASP T10, SANS-25, WASC
3. Identification and Mitigation of Business Logic Flaws
   1. Application Threat Modeling
   2. Testing for Business Logic Flaws
   3. Countermeasures
4. Q & A

Business Logic Attacks

Business Logic Attacks: The Problem Statement
- Target specifically the business rules of the application by abusing them for monetary gain and fraud; some examples:
  - Attacking shopping cart transactions to alter the price of an item before checkout
  - Attacking the shopping cart after checkout to bypass credit card purchase validation before the item is shipped
  - Attacking money transfers in on-line banking transactions by exploiting weaknesses in account validations
- Take advantage of overlooked flaws in enforcing strict control of business logic at the application layers, for example:
  - Security design reviews do not focus on designing controls for preventing abuses of business logic
  - Automated vulnerability assessments and code scans do not find business logic flaws

Business Logic Attacks Examples

Bypassing Security Controls?

Business Logic Flaws Categorized in 2 Groups
Group 1: Exploit flaws in the enforcement of business logic for transactions and their data; examples include:
- Weak enforcement of business logic such as workflows and the steps required by transactions (e.g. A, B, C, not A to C directly)
- Insufficient parameter validation (e.g. priceID, roleIDs, userIDs)
- Committing to transactions without doing all the required checks first
Group 2: Exploit weaknesses in the security controls whose function is to protect the business rules; examples include:
- Mis-configurations of Role Based Access Control (RBAC) policy rules
- Password reset flaws, username recovery flaws
- Security controls failing insecurely
- Insufficient anti-automation defenses

Vulnerability Analysis of Business Logic Flaws

BLA From Risk Analysis Perspective
- Threats: some threat agent (human, non-human) and/or adverse condition that targets the application logic to cause a negative impact to the business and the customers
- Attacks: realize the threat to business logic and cause a negative impact; this includes the different ways for an attacker to conduct business logic attacks by exploiting one or more vulnerabilities and logic flaws
- Application vulnerabilities: weaknesses in the application that can be exploited by a threat and cause a negative impact to the application

Root Causes Of Business Logic Flaws
- Security Design Flaws
  - Caused by lack of security requirements, poor knowledge, lack of security architecture design reviews
  - Cannot be identified by security tools alone since they are logical vulnerabilities and require manual threat analysis / threat modeling
- Security Coding Errors
  - Coding bugs that result in vulnerabilities
  - Can be identified with source code analysis tools and manual code reviews
- Security Mis-configurations
  - Mis-configuration of application security policies and business rules
  - Can be identified through change control processes
Business Logic Attacks Mostly Exploit Security Flaws in Design and Security Mis-Configurations

Vulnerabilities Potentially Exploited By BLAs

1: BLAs Exploiting Authorization Flaws
BUSINESS LOGIC ATTACKS:
- Attackers access web resources not restricted by role, simply changing the workflow/URL to a privileged page using forceful browsing
- Attackers change the parameters of a business transaction, such as the price of goods purchased, to be charged a cheaper price
FLAWS:
- INSUFFICIENT AUTHORIZATION (WASC-02)
- FAILURE TO RESTRICT URL ACCESS (OWASP A7)
- IMPROPER ACCESS CONTROL (SANS-CWE-285)
ROOT CAUSES:
- Lack of granular enforcement of authorization rules through policy such as Role Based Access Control (RBAC)
- Business rules enforced using client side parameters instead of server side logic

2: BLAs Exploiting Authentication Flaws
BUSINESS LOGIC ATTACKS:
- Attackers guess the questions in challenge/question authentication (e.g. account creation, change password, recover password; this includes KBA, Knowledge Based Authentication)
- Attackers replay the session, such as a valid sessionID, to log on to the application after a previous logout
FLAWS:
- INSUFFICIENT AUTHENTICATION (WASC-01)
- BROKEN AUTHENTICATION AND SESSION MANAGEMENT (OWASP A3)
- MISSING AUTHENTICATION FOR CRITICAL FUNCTION (CWE-306)
ROOT CAUSES:
- Design flaws in password reset transactions
- Easily guessable questions
- Session management issues such as lack of single logout across application tiers

3: BLAs Exploiting Mis-Configurations
BUSINESS LOGIC ATTACKS:
- Attackers exploit mis-configuration of the access control policy to take advantage of fail-open (insecure) conditions, gain unauthorized access to resources, bypass authentication and RBAC, and obtain information disclosure through errors
- Attackers bypass detection since transaction and security events are not logged, so the attack cannot be audited/investigated
FLAWS:
- SERVER MISCONFIGURATION (WASC-14)
- SECURITY MISCONFIGURATION (OWASP A6)
ROOT CAUSES:
- Configuration management changes not tested for enforcement of roles and permissions
- Logging does not cover validations x transaction x user

4: BLAs Exploiting Insufficient Anti-Automation
BUSINESS LOGIC ATTACKS:
- Automatic injection of web pages (e.g. forms/frames) into application workflows to collect PII (e.g. Zeus Trojans) to commit fraud
- Automated validation of credit card data through the application, exploiting error and exception handling flaws
- Spam of account registrations to flood back-office processes
- Denial of service to customers by locking accounts through automated failed logins and by flooding the call center with unlocking requests
FLAWS:
- INSUFFICIENT ANTI-AUTOMATION (WASC-21)
ROOT CAUSES:
- Lack of detective controls for automation (e.g. CAPTCHA, automated intrusion detection) to protect transactions

5: BLAs Exploiting Insufficient Process Controls
BUSINESS LOGIC ATTACKS:
- Fraudster bypasses validation checks for performing transactions, such as by altering the flow (e.g. shipping of goods that were not purchased)
- Attacker learns to exploit business logic from client code (e.g. Web 2.0 applications)
- Attacker learns how to game the system from the way the system responds to input data
VULNERABILITY:
- INSUFFICIENT PROCESS CONTROLS (UNCLASSIFIED)
ROOT CAUSES:
- Insufficient enforcement of the transaction validations performed at different stages of the business transaction before committing to it
- Lack of data validations at different tiers of the application architecture (e.g. application and messaging)
- Lack of Out of Band (OOB) validations and call backs
- Business logic exposed to clients

Identification and Mitigation of Business Logic Flaws

Business Logic In Web Application Architectures
Presentation Tier
- Represents the top-most level of the application. The purpose of this tier is to translate commands from the user interface into data for processing by the other tiers, and to present back the processed data
- Beware of Web 2.0 apps that include business logic client side (e.g. AJAX, widgets, mashups)
- Not all business logic resides on the application server!
Logic Tier
- This layer processes commands and makes decisions based upon the application business logic. It also moves and processes data between the presentation and the data tier
- Beware of flaws in the integration of business logic with server components
Data Tier
- Is the layer responsible for data storage and retrieval from a database or file system. Query commands or messages are processed by the DB server, retrieved from the data source and passed back to the logic tier for processing before being presented to the user
Diagram: browser (showing "Account#: ***8765, Balance: 45,780, Last Transaction: 5/25/09" and the request "Get My Account Info And Account Activity"), application servers, and database storage.

Security Process for Preventing Business Logic Flaws in Applications
1. Require every application to document its business logic, with data flows for transactions and the access control matrix used
2. Design the application to be business logic abuse resistant, including process validations and controls, assuming that the application business logic can be abused
3. Use application threat modeling to identify design flaws in business logic. Analyze abuse of business logic and security controls with use/misuse cases and transaction analysis
4. Security test (manually) for business logic flaws/vulnerabilities such as OWASP 3, 4, 8, WASC 1, 2, 14, 21 and SANS-25-CWE 285, 306
5. Create specific security tests for abuse of business logic by deriving them from the use/abuse cases and the transaction/data flow analysis performed during threat modeling
6. Analyze risks and apply countermeasures to mitigate the likelihood and impact of business logic attacks

Identification Of Security Flaws: Application Threat Modeling Process

Data Flow Diagramming
Diagram: data flow diagram of threats to application business logic, drawn across the DMZ boundary and the middleware boundary. Components and flows: User's Browser; HTTPS requests/responses to the application; web service calls (SOAP/XML) and SOAP responses; Enterprise Service Bus; message queue call and call response; JDBC SQL query call; Data. Threats annotated on the flows: Spoofing and tampering of XML/HTTP parameters; Forceful browsing; Spoofing and tampering of web service calls; Elevation of privileges / RBAC misconfigurations; Spoofing and tampering of SQL queries; Spoofing and tampering of message calls.

Security Flaws Identification With Use And Abuse Cases: Password Reset
Diagram: use and abuse cases for the password reset transaction.
- Use cases (User): Select Password Reset; Enter User ID And Submit; Receive Temporary Password in Email (includes: User Email Verified); Enter User ID And One Time Password; Answer Any of 2 Secret Questions (includes: Register Challenge Questions); Create New Password
- Abuse cases (Hacker/Malicious User), each marked as threatening a step: Compromised User's Email; Guess OTP; Guess Answers; Enumerate Valid Answers
- Mitigations drawn against the abuse cases: User Email Verified; Random OTP, 6 characters and numbers, lasting 15 minutes; Use Shared Secrets, High Entropy Questions; Lockout After N Attempts to Answer
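The mitigations in the password-reset diagram above, implemented server side as an added example (not code from the slides): a random 6-character OTP valid for 15 minutes and usable once, constant-time comparisons, and a lockout after N failed OTP or secret-question attempts. The account structure, N=3 and the log-in/e-mail plumbing are assumptions for this example.

```python
import hmac, secrets, string
from dataclasses import dataclass
from typing import Dict, Optional

OTP_ALPHABET = string.ascii_uppercase + string.digits  # "6 char & numbers"
OTP_TTL_SECONDS = 15 * 60                              # OTP "lasts 15 minutes"
MAX_ATTEMPTS = 3                                       # "lockout after N attempts", N assumed = 3

@dataclass
class ResetAccount:
    email_verified: bool               # constructed sample account state
    answers: Dict[str, str]            # registered challenge question -> answer
    otp: Optional[str] = None
    otp_issued_at: float = 0.0
    failures: int = 0                  # wrong OTPs and wrong answers both count
    locked: bool = False

def _fail(acct: ResetAccount) -> bool:
    acct.failures += 1
    if acct.failures >= MAX_ATTEMPTS:
        acct.locked = True             # stops 'Guess OTP' and 'Enumerate valid answers'
    return False

def issue_otp(acct: ResetAccount, now: float) -> str:
    """'Receive temporary password in email': random OTP, only for a verified mailbox."""
    if acct.locked or not acct.email_verified:
        raise PermissionError("password reset not allowed for this account")
    acct.otp = "".join(secrets.choice(OTP_ALPHABET) for _ in range(6))
    acct.otp_issued_at = now
    return acct.otp                    # sent by e-mail in a real system, never to the browser

def verify_otp(acct: ResetAccount, presented: str, now: float) -> bool:
    """'Enter user ID and one time password': 15-minute TTL, constant-time compare, single use."""
    if acct.locked or acct.otp is None or now - acct.otp_issued_at > OTP_TTL_SECONDS:
        return False
    if not hmac.compare_digest(acct.otp.encode(), presented.encode()):
        return _fail(acct)
    acct.otp = None                    # a verified OTP cannot be replayed
    return True

def answer_question(acct: ResetAccount, question: str, answer: str) -> bool:
    """'Answer any of 2 secret questions': unknown questions and wrong answers look identical."""
    if acct.locked:
        return False
    expected = acct.answers.get(question, "")
    if not expected or not hmac.compare_digest(expected.lower().encode(), answer.strip().lower().encode()):
        return _fail(acct)
    acct.failures = 0
    return True
```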

Identification of Business Logic Flaws Using Transaction Analysis: Shopping Cart
Diagram: shopping cart transaction flow. Start -> Shopping / Browse For Items in the Catalogue -> Add Item to Shopping Cart -> View Cart -> Calculate Total -> Proceed to Check Out? -> (YES) Check Out Item -> Is user logged in? -> (NO) Login or Sign up -> Select Type Of Shipping -> Enter Shipping Address -> Credit Card Charge Passed? -> (YES) Order Thank You / (NO) back. "Business Logic Attack" markers are placed at the add-item / calculate-total step before checkout and at the shipping / credit-card-charge step.

Shopping Cart BLA Example
Catalogue Price: 27.99
Charged Price: .99
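Server-side enforcement of the shopping-cart transaction above, as an added example rather than code from the slides: the workflow is a state machine that refuses to skip steps (the "A, B, C, not A to C" rule from the Group 1 flaws), the cart is frozen once checkout starts, and the charged amount is always recomputed from the catalogue so a client-supplied price (27.99 catalogue, .99 presented) is ignored. The catalogue, SKUs and step names are constructed for this example.

```python
from dataclasses import dataclass, field
from typing import Dict, Optional
# Constructed catalogue: the server-side price is the only source of truth.
CATALOGUE = {"SKU-1001": 27.99, "SKU-1002": 9.50}
# Each step may only advance to the next one (A -> B -> C, never A straight to C).
NEXT_STEP = {"shopping": "login", "login": "shipping", "shipping": "charge"}

class BusinessLogicViolation(Exception):
    """Raised when a request skips a workflow step or tampers with a parameter."""
@dataclass
class Cart:
    state: str = "shopping"
    user_id: Optional[str] = None
    shipping_address: Optional[str] = None
    items: Dict[str, int] = field(default_factory=dict)  # sku -> quantity

    def _advance(self, step: str) -> None:
        """Enforce the workflow: refuse any transition that is not the next step."""
        if NEXT_STEP.get(self.state) != step:
            raise BusinessLogicViolation(f"cannot go from {self.state!r} to {step!r}")
        self.state = step

    def add_item(self, sku: str, qty: int, client_price: Optional[float] = None) -> None:
        """client_price is deliberately ignored: the charged price comes from the catalogue."""
        if self.state != "shopping":
            raise BusinessLogicViolation("cart is no longer editable once checkout started")
        if sku not in CATALOGUE or qty <= 0:
            raise BusinessLogicViolation("unknown SKU or invalid quantity")
        self.items[sku] = self.items.get(sku, 0) + qty

    def login(self, user_id: str) -> None:
        self._advance("login")
        self.user_id = user_id

    def set_shipping(self, address: str) -> None:
        self._advance("shipping")
        self.shipping_address = address

    def total(self) -> float:
        """Recomputed from the catalogue on every call, never taken from the client."""
        return round(sum(CATALOGUE[s] * q for s, q in self.items.items()), 2)

    def charge(self) -> float:
        """Commit only after every prerequisite (items, login, shipping) has been checked."""
        if not (self.items and self.user_id and self.shipping_address):
            raise BusinessLogicViolation("prerequisites for charging are missing")
        self._advance("charge")
        amount = self.total()
        self.state = "done"
        return amount
```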

Testing For Occurrence of Business Logic Flaws
- The main objective is to test that the application business rules cannot be altered by business logic attacks
- Require testers to write NEGATIVE test cases and scripts to identify potential exploits of business logic flaws during Q/A test validation cycles. Examples include:
  1. Trying to bypass user validations and prerequisite checks for a transaction
  2. Trying to bypass multi-factor authentication in a transaction
  3. Trying to force a transaction and access high privileged resources while logged in as a low privilege user
  4. Tampering with business logic parameters during a request to try to access resources
  5. Replaying session tokens after logout to try to log back in to the application
  6. Trying to force the application to fail in insecure conditions such as fail open or un-handled exceptions
  7. Trying to alter the price of items and validating whether they can be added
  8. Trying to abuse registration and account openings/applications with automation scripts

Checking Configuration of Security And Business Rules

Possible Countermeasures Against BLAs
- Deterrent controls
  - Anti-automation (e.g. CAPTCHA, logic puzzles)
- Preventive controls
  - Strong authentication and authorization of transactions (e.g. ESAPI)
  - Secure password reset and userID reminder processes
  - Strong business process validation/checks for transactions (e.g. use Out Of Band)
  - Data validation/filtering of transaction parameters (e.g. ESAPI)
  - Secure session management, such as for the SessionIDs used in business transactions
- Detective controls
  - Application layer detection rules for BLA patterns (e.g. ESAPI IDS)
  - Web Application Firewall (WAF) rules (e.g. ESAPI WAF)
  - Fraud monitoring and detection rules (e.g. Fraud Detection)
  - Logging and alerts of business transaction events as well as related security events
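Two application-layer detection rules of the kind the "Detective controls" bullet calls for, written as an added example (not ESAPI IDS or any code from the slides) and run over constructed log lines: a charge whose amount differs from the server-side catalogue total (the price-tampering attack on the shopping cart) and a burst of the same event from one source within a short window (the automated failed-login lockout attack from the anti-automation slide). The log format, thresholds and sample events are assumptions for this example.

```python
from collections import defaultdict, deque
from datetime import datetime
from typing import Dict, List

# Constructed sample of business-transaction and security events (format assumed here).
SAMPLE_LOG = """\
2011-01-20T10:00:01 evt=login_failed user=bob src=10.0.0.5
2011-01-20T10:00:02 evt=login_failed user=bob src=10.0.0.5
2011-01-20T10:00:03 evt=login_failed user=carol src=10.0.0.5
2011-01-20T10:00:04 evt=login_failed user=dave src=10.0.0.5
2011-01-20T10:00:05 evt=charge user=alice src=10.0.0.9 order=1 catalogue_total=27.99 charged=0.99
2011-01-20T10:00:06 evt=charge user=erin src=10.0.0.10 order=2 catalogue_total=9.50 charged=9.50
2011-01-20T10:09:00 evt=login_failed user=bob src=10.0.0.5
"""

BURST_THRESHOLD = 4        # the same event from one source this many times ...
BURST_WINDOW_SECONDS = 60  # ... within this window is treated as automation

def parse_line(line: str) -> Dict[str, str]:
    """Split '<timestamp> k=v k=v ...' into a record."""
    ts, *pairs = line.split()
    rec = dict(pair.split("=", 1) for pair in pairs)
    rec["ts"] = ts
    return rec

def detect(log_text: str) -> List[str]:
    """Return one alert string per rule hit, in log order."""
    alerts: List[str] = []
    windows: Dict[tuple, deque] = defaultdict(deque)  # (evt, src) -> timestamps in window
    for line in log_text.splitlines():
        if not line.strip():
            continue
        rec = parse_line(line)
        t = datetime.fromisoformat(rec["ts"]).timestamp()
        # Rule 1: the amount charged must equal the server-side catalogue total.
        if rec["evt"] == "charge" and abs(float(rec["charged"]) - float(rec["catalogue_total"])) > 0.005:
            alerts.append(f"price_mismatch order={rec['order']} user={rec['user']}")
        # Rule 2: sliding window per (event, source); alert once when the threshold is crossed.
        q = windows[(rec["evt"], rec["src"])]
        q.append(t)
        while t - q[0] > BURST_WINDOW_SECONDS:
            q.popleft()
        if len(q) == BURST_THRESHOLD:
            alerts.append(f"automation evt={rec['evt']} src={rec['src']} count={len(q)}")
    return alerts
```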

QUESTIONS / ANSWERS

Thanks for listening, further references
- Designing a Framework Method for Secure Business Application Logic Integrity in e-Commerce Systems: -2011-v12-n1-p2941.pdf
- Seven Business Logic Flaws That Put Your Website At Risk: http://www.whitehatsec.com/home/assets/WP_bizlogic092407.pdf
- Testing for business logic (OWASP-BL-001): http://www.owasp.org/index.php/Testing_for_business_logic_(OWASP-BL-001)
- Get rich or die trying, "Making money on the web, the black hat way": ns/PPT BlackHat080708.pdf

Further references cont'd
- OWASP Top Ten Project: http://www.owasp.org/index.php/Category:OWASP_Top_Ten_Project
- The WASC Threat Classification v2.0: n
- CWE/SANS TOP 25 Most Dangerous Coding Errors: http://www.sans.org/top25-software-errors/
- OWASP Application Threat Modeling: http://www.owasp.org/index.php/Application_Threat_Modeling
- OWASP ESAPI: http://www.owasp.org/index.php/ESAPI_Access_Control
- OWASP Testing Project: http://www.owasp.org/index.php/Category:OWASP_Testing_Project
