This is a short discussion based on the demo given at Barcamp 2014. The writeup covers problems encountered in the implementation of a majority of cloud-based systems, especially those offered as SaaS. Some of the issues highlighted here are:
- Session Management Failures
- Poor Coding Practices (Non Secure SDLC)
- Failed Business Continuity Procedures
- Non-adherence to security models (in this video, particularly the Chinese Wall security model)
The attack targets a try-before-you-buy system and uses simple, often-ignored flaws to gain access not only to the trial system but also to a production system holding actual data.
Session Management Failures
Sessions identify a user's role and validity while using an application. The main problems developers run into when implementing them, as seen in the demo that follows, are:
- Session tokens and Cookies are predictable
- Sessions are handled fully on client side
- Sessions are generic and don't bind unique attributes such as the client IP
In this case study, poor session management enabled a user to log in to the system as super administrator with the cookie:
mid=1
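As an added illustration (not code from the Barcamp demo), the cookie-as-identity pattern above beside a hardened server-side session: the user table, secret key and client IPs are constructed for the example.

```python
import hmac
import hashlib
import secrets

# Constructed demo user table; not from the original writeup.
USERS = {1: {"name": "superadmin", "role": "admin"},
         2: {"name": "alice", "role": "user"}}


def weak_resolve(cookie_header):
    """Vulnerable pattern from the case study: the cookie *is* the identity.
    Whoever sends mid=1 is trusted as user 1 with no server-side check."""
    cookies = dict(p.strip().split("=", 1)
                   for p in cookie_header.split(";") if "=" in p)
    mid = cookies.get("mid")
    return USERS.get(int(mid)) if mid and mid.isdigit() else None


class SessionStore:
    """Hardened pattern: unpredictable opaque token, server-side mapping
    from token to user, HMAC tamper check, and binding to the client IP."""

    def __init__(self, secret):
        self._secret = secret
        self._sessions = {}  # token -> (user_id, client_ip)

    def login(self, user_id, client_ip):
        token = secrets.token_urlsafe(32)  # 256 random bits, not guessable
        self._sessions[token] = (user_id, client_ip)
        sig = hmac.new(self._secret, token.encode(), hashlib.sha256).hexdigest()
        return f"{token}.{sig}"  # value to set in the session cookie

    def resolve(self, cookie_value, client_ip):
        try:
            token, sig = cookie_value.rsplit(".", 1)
        except ValueError:
            return None  # malformed cookie, e.g. a bare "1"
        expected = hmac.new(self._secret, token.encode(), hashlib.sha256).hexdigest()
        if not hmac.compare_digest(sig, expected):
            return None  # forged or tampered cookie, rejected before lookup
        entry = self._sessions.get(token)
        if entry is None or entry[1] != client_ip:
            return None  # unknown token, or replayed from another IP
        return USERS.get(entry[0])
```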
Poor Coding Practices
When handling user data, developers fail to filter inputs, which leaves an open attack surface. There is also too much trust that users will follow the application's main routing, or rather its logic, which is not always the case. Common attacks that result from this are:
- SQL Injection
- XSS
- LFI and RFI
- Arbitrary File Uploads
- Insecure Cryptographic Storage Problems
The main issue that arises from trusting a user to follow an application's designated workflow is leaving pages that are not directly linked without authentication. This allows a user to manipulate the application without logging in.
In this particular case study, what stood out most strongly was:
- Arbitrary File Uploads
- Unauthenticated Pages
- Insecure Cryptographic Storage of data (plaintext passwords stored beside hashed ones)
This led to not only application compromise but full system compromise.
Business Continuity Procedures Failure
Most of these systems back up the database and the application so that, in the event of a disaster, the business can be restored from the regular backups. A big problem, however, is that most backups are stored in web-accessible locations, leaving them open to attackers; they also reveal a lot of information that may be used to compromise other systems. A good example of this was recently documented here.
In this particular case, the database username and password were available on the client side and could be used to connect to the main database on the system, which held live data and not only that of the demo.
Non Adherence to Security Models
When offering SaaS, the Chinese Wall security model is the most directly applicable. Most clients will fall within the same conflict-of-interest class, and the problems above make it evident that the wall can be breached when one user can access or affect the information of other cloud users.
Who’s Your Data’s Daddy? I am