
This is a short discussion based on the demo given at Barcamp 2014. The writeup covers problems found in the implementation of a majority of cloud-based systems, especially those offered as SaaS. The issues highlighted here are:

  • Session Management Failures
  • Poor Coding Practices (no secure SDLC)
  • Failed Business Continuity Procedures
  • Non-adherence to security models (in this demo, particularly the Chinese Wall security model)

The attack targets a try-before-you-buy (trial) deployment and chains simple, frequently ignored flaws to gain access first to the trial system and then to a production system holding real customer data.

Session Management Failures

A session is the server's record of who a user is and what role they hold while they use the application; the identifier handed to the client must therefore be something only the server can mint and interpret. The main problems developers run into when implementing this, as seen in the demo that follows, are:

  • Session tokens and cookies are predictable
  • Session state is handled entirely on the client side
  • Sessions are generic and don't bind any attribute of the client (such as the source IP; a supplementary control at best, since addresses change behind NAT and on mobile networks, but it does raise the cost of replaying a stolen token)

In this case study the poor session management allowed a user to log in to the system as super administrator simply by presenting the cookie:

mid=1 
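The following is an added example, not code from the original demo or from the application that was tested, contrasting the scheme above with two server-verified alternatives: a server-side session store keyed by a random token, and an HMAC-authenticated cookie for the case where state must ride on the client. The USERS table, the SESSIONS dict and SECRET_KEY are constructed placeholders for the real user table, session store and deployment secret.

```python
import hashlib
import hmac
import secrets
from typing import Dict, Optional

# Constructed sample user table; id 1 is the super administrator, as in the demo.
USERS: Dict[int, str] = {1: "superadmin", 2: "alice", 3: "bob"}


def vulnerable_whoami(cookie: str) -> Optional[str]:
    """The broken scheme: the cookie is the bare user id and the server trusts it.
    Any client can send 'mid=1' and become user 1 without ever authenticating."""
    if not cookie.startswith("mid="):
        return None
    try:
        return USERS.get(int(cookie[len("mid="):]))
    except ValueError:
        return None


# Fix 1: server-side sessions. The cookie carries only an unguessable token and
# the token -> user mapping lives on the server (a dict here, standing in for
# Redis or a sessions table). Guessing a 256-bit random token is not feasible.
SESSIONS: Dict[str, int] = {}


def issue_session(user_id: int) -> str:
    token = secrets.token_urlsafe(32)  # 32 random bytes from the OS CSPRNG
    SESSIONS[token] = user_id
    return token


def lookup_session(token: str) -> Optional[str]:
    user_id = SESSIONS.get(token)
    return USERS.get(user_id) if user_id is not None else None


def revoke_session(token: str) -> None:
    # Logout actually invalidates the session, which a client-only cookie cannot do.
    SESSIONS.pop(token, None)


# Fix 2: if state must ride in the cookie, authenticate it with an HMAC keyed by
# a server secret, so a client who edits the id also has to forge the tag.
# SECRET_KEY is generated here for the example only; a real deployment loads it
# from configuration, rotates it, and never commits it to the repository.
SECRET_KEY = secrets.token_bytes(32)


def sign_cookie(user_id: int) -> str:
    body = str(user_id).encode()
    tag = hmac.new(SECRET_KEY, body, hashlib.sha256).hexdigest()
    return f"{user_id}.{tag}"


def verify_cookie(cookie: str) -> Optional[str]:
    body, _, tag = cookie.partition(".")
    expected = hmac.new(SECRET_KEY, body.encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected.encode(), tag.encode()):  # constant time
        return None
    return USERS.get(int(body))
```

With the vulnerable function, `mid=1` returns the super administrator; with either fix, changing the id in the cookie returns nothing, because the client neither knows a valid token nor holds the key needed to produce a matching tag.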

Session Management Failure

Poor Coding Practices

When taking in user data, developers frequently fail to validate or filter the input, which leaves an open attack surface. There is also too much trust that users will follow the application's intended routing, or rather its logic, which is not always the case. Common attacks that arise from this are:

  • SQL Injection
  • XSS
  • LFI and RFI
  • Arbitrary File Uploads
  • Insecure Cryptographic Storage

The main issue that arises from trusting a user to follow the application's designated workflow is that pages which are not normally reached directly are left without an authentication check. Anyone who knows or guesses the URL can then use that part of the application without logging in.

In this particular case study the findings that stood out most were:

  • Arbitrary File Uploads
  • Unauthenticated Pages
  • Insecure cryptographic storage of data (plaintext passwords stored beside the hashed ones)

These led not only to application compromise but to full system compromise: the unrestricted upload allowed a webshell to be placed on the server.
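As an added example (not the tested application's code), here is the deny-by-default route check and the upload validation that would have closed the first two findings above. The PUBLIC_ROUTES set, the magic-byte table and the temporary upload directory are constructed for the example.

```python
import os
import secrets
import tempfile
from typing import Dict, Optional

# Deny by default: only routes listed here may be served without a session.
# The demo's application did the reverse, guarding the entry page and assuming
# nobody would type the inner URLs directly. (Constructed route list.)
PUBLIC_ROUTES = {"/login", "/trial/signup", "/static/logo.png"}


def is_authorized(path: str, session_user: Optional[str]) -> bool:
    """Called by the dispatcher for every request before any handler runs."""
    if path in PUBLIC_ROUTES:
        return True
    return session_user is not None


# Upload validation: allowlisted extension, content sniffed against the magic
# bytes the declared type must start with, a server-chosen filename, and a
# directory outside the document root that the web server never executes.
MAGIC: Dict[str, bytes] = {
    "png": b"\x89PNG\r\n\x1a\n",
    "jpg": b"\xff\xd8\xff",
    "pdf": b"%PDF-",
}


def validate_upload(filename: str, data: bytes) -> str:
    """Returns the extension to store under, or raises ValueError."""
    ext = filename.rsplit(".", 1)[-1].lower() if "." in filename else ""
    if ext not in MAGIC:
        raise ValueError(f"extension not allowed: {ext!r}")
    if not data.startswith(MAGIC[ext]):
        raise ValueError(f"content does not match declared type {ext!r}")
    return ext


def store_upload(filename: str, data: bytes, upload_dir: str) -> str:
    """Writes the file under a random name. The user-supplied name never touches
    disk, so 'shell.php', 'shell.php.jpg' and '../' tricks cannot place a script
    where the web server would execute it."""
    ext = validate_upload(filename, data)
    name = f"{secrets.token_hex(16)}.{ext}"
    os.makedirs(upload_dir, exist_ok=True)
    path = os.path.join(upload_dir, name)
    with open(path, "wb") as fh:
        fh.write(data)
    return path


def demo_store() -> bool:
    """Stores a constructed JPEG with a hostile filename in a temp dir and checks
    that the on-disk name is server-generated and inside the chosen directory."""
    upload_dir = tempfile.mkdtemp(prefix="uploads-")  # stands in for /var/app/uploads
    data = b"\xff\xd8\xff\xe0" + b"\x00" * 16  # constructed JPEG header
    path = store_upload("../../var/www/shell.php.jpg", data, upload_dir)
    return (
        os.path.dirname(path) == upload_dir
        and os.path.basename(path).endswith(".jpg")
        and "shell" not in os.path.basename(path)
    )
```

Note that validation alone does not make an upload directory safe: the directory must also sit outside the document root, or be served with script execution disabled, so that even a file that passes the checks is only ever returned as static content.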

Insecure Storage of Passwords
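An added example, not code from the application in the demo, of the storage the case study lacked: a salted, iterated password hash with its verifier, followed by a small audit over constructed rows shaped like the dump in the screenshot above (a plaintext column still populated beside a hashed one). The column names, the sample rows and the iteration count are assumptions.

```python
import hashlib
import hmac
import os
from typing import Dict, List, Tuple

ITERATIONS = 200_000  # PBKDF2-HMAC-SHA256 iteration count; raise as hardware allows


def hash_password(password: str) -> str:
    """Returns 'pbkdf2_sha256$iterations$salt_hex$digest_hex'. The random per-user
    salt means two users with the same password get different hashes, so a
    leaked table cannot be attacked with one precomputed lookup."""
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return f"pbkdf2_sha256${ITERATIONS}${salt.hex()}${digest.hex()}"


def verify_password(password: str, stored: str) -> bool:
    """Recomputes the hash with the stored salt and parameters; rejects anything
    that is not in the expected format, including a bare unsalted digest."""
    try:
        alg, iters, salt_hex, digest_hex = stored.split("$")
        if alg != "pbkdf2_sha256":
            return False
        digest = hashlib.pbkdf2_hmac(
            "sha256", password.encode(), bytes.fromhex(salt_hex), int(iters)
        )
        return hmac.compare_digest(digest, bytes.fromhex(digest_hex))
    except ValueError:
        return False


# Constructed rows shaped like the demo's dump: a 'password' column still
# populated next to 'password_hash', and one legacy unsalted MD5. (Assumed
# column names; the plaintext values are made up.)
SAMPLE_ROWS: List[Dict[str, str]] = [
    {"username": "admin", "password": "Passw0rd!", "password_hash": hash_password("Passw0rd!")},
    {"username": "alice", "password": "", "password_hash": hash_password("correct horse")},
    {"username": "bob", "password": "", "password_hash": "5f4dcc3b5aa765d61d8327deb882cf99"},
]


def audit_rows(rows: List[Dict[str, str]]) -> List[Tuple[str, str]]:
    """Flags rows that still carry a plaintext secret or a hash that is not a
    salted, iterated one. Run this before dropping the legacy column."""
    findings: List[Tuple[str, str]] = []
    for row in rows:
        if row.get("password"):
            findings.append((row["username"], "plaintext password column populated"))
        if not row.get("password_hash", "").startswith("pbkdf2_sha256$"):
            findings.append((row["username"], "hash is not a salted iterated hash"))
    return findings
```

The format string stores the algorithm and cost alongside the digest so that the iteration count can be raised later and old rows re-hashed on next login without a separate migration table.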

Server with webshell, system-level compromise

Unauthenticated Pages

Business Continuity Procedures Failure

Most of these systems back up the database and the application regularly so that, in the event of a disaster, the business can be restored quickly from the backups. The big problem is that the backups are frequently stored in web-accessible locations, leaving them open to attackers, and they reveal a lot of information (schemas, credentials, internal hostnames) that can be used to compromise other systems. A good example of this was recently documented here

In this particular case the database user and password were available on the client side and could be used to connect to the main database on the system, which held live production data and not only the demo data.
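As an added example (not from the original post), a small self-audit that walks a document root for backup archives and for configuration leftovers containing credential-like values, the two ways the demo's database user and password ended up reachable from the client. The file-name patterns, the regular expressions and the sample tree are constructed for the example.

```python
import os
import re
import tempfile
from typing import List, Tuple

# Extensions that should never sit under a document root. (Constructed list.)
BACKUP_RE = re.compile(r"\.(sql|sql\.gz|bak|old|orig|swp|zip|tar|tar\.gz|tgz|7z)$", re.I)
# Text files a web server returns verbatim; worth grepping for secrets.
TEXT_RE = re.compile(r"(^\.env$|\.(txt|ini|inc|env|yml|yaml|json|log|conf)$)", re.I)
# Assignment-style credential lines as found in PHP/INI/YAML config files.
CRED_RE = re.compile(
    r"(db_pass|db_password|password|passwd|pwd)\s*[=:]\s*['\"]?([^'\"\s;]+)", re.I
)
MAX_SCAN_BYTES = 1 << 20


def scan_webroot(webroot: str) -> List[Tuple[str, str]]:
    """Returns (path relative to webroot, reason) for every exposed artefact."""
    findings: List[Tuple[str, str]] = []
    for dirpath, _, files in os.walk(webroot):
        for name in files:
            path = os.path.join(dirpath, name)
            rel = os.path.relpath(path, webroot)
            is_backup = bool(BACKUP_RE.search(name))
            if is_backup:
                findings.append((rel, "backup/temp file under document root"))
            # Only grep files the server would hand out as plain text; a live
            # config.php is executed, a config.php.bak is served verbatim.
            if not (is_backup or TEXT_RE.search(name)):
                continue
            if os.path.getsize(path) > MAX_SCAN_BYTES:
                continue
            with open(path, "rb") as fh:
                text = fh.read().decode("utf-8", errors="ignore")
            m = CRED_RE.search(text)
            if m:
                findings.append((rel, f"credential-like value for '{m.group(1)}'"))
    return findings


def build_sample_webroot() -> str:
    """Constructed tree mimicking the demo: a dump under backups/, a config.php
    backup the server would serve as text, and a clean index page."""
    root = tempfile.mkdtemp(prefix="webroot-")
    os.makedirs(os.path.join(root, "backups"))
    with open(os.path.join(root, "backups", "db_2014-05-01.sql"), "w") as fh:
        fh.write("-- MySQL dump\nINSERT INTO users VALUES ('admin','Passw0rd!');\n")
    with open(os.path.join(root, "config.php.bak"), "w") as fh:
        fh.write("<?php\n$db_user = 'app';\n$db_pass = 'S3cret!';\n")
    with open(os.path.join(root, "index.php"), "w") as fh:
        fh.write("<?php echo 'hello'; ?>\n")
    return root
```

Running the scanner over the constructed tree reports the SQL dump as an exposed backup and the `config.php.bak` both as a backup and as a file carrying a database password; the live `index.php` is not flagged. The remedy is the same in every case: keep backups and configuration outside the document root, and have the web server deny the listed extensions as a second line of defence.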

Revealing of sensitive information, business continuity plan failure

Non-Adherence to Security Models

When offering SaaS, the Chinese Wall security model (Brewer and Nash) is the one that applies most directly: tenants competing in the same market are members of one conflict-of-interest class, and a subject who has touched one tenant's data must be prevented from reaching a competitor's data in the same class. The problems above make it evident that this separation is breached as soon as one user can access or affect the information of other cloud users.
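To make the model concrete, an added example (not from the original post) implementing the Brewer-Nash read and write rules over constructed tenants: each tenant is a company dataset, tenants in the same market form one conflict-of-interest class, and a subject's access history decides what it may still touch. The tenant names and classes are assumptions.

```python
from dataclasses import dataclass, field
from typing import Set


@dataclass(frozen=True)
class Obj:
    """A piece of tenant data. 'company' is the company dataset (the tenant),
    'coi_class' the conflict-of-interest class it belongs to."""
    name: str
    company: str
    coi_class: str
    sanitized: bool = False  # public or anonymised data sits outside the wall


@dataclass
class Subject:
    name: str
    accessed: Set[Obj] = field(default_factory=set)


def may_read(s: Subject, o: Obj) -> bool:
    """Brewer-Nash simple security rule: allowed if o is sanitized, or if every
    unsanitized object s has touched is either in o's own company dataset or in
    a different conflict-of-interest class."""
    if o.sanitized:
        return True
    for prev in s.accessed:
        if prev.sanitized:
            continue
        if prev.coi_class == o.coi_class and prev.company != o.company:
            return False
    return True


def may_write(s: Subject, o: Obj) -> bool:
    """Brewer-Nash *-property: writing is allowed only if reading is, and every
    unsanitized object s has read belongs to o's company. Otherwise s could copy
    competitor data into o and launder it past the read rule."""
    if not may_read(s, o):
        return False
    return all(prev.sanitized or prev.company == o.company for prev in s.accessed)


def read(s: Subject, o: Obj) -> bool:
    """Performs the read if permitted and records it in the subject's history;
    the history is what makes later decisions depend on earlier ones."""
    if not may_read(s, o):
        return False
    s.accessed.add(o)
    return True


# Constructed tenants: two banks share a conflict-of-interest class; a telco
# does not conflict with either.
BANK_A = Obj("BankA ledger", "BankA", "banking")
BANK_B = Obj("BankB ledger", "BankB", "banking")
BANK_B_PUBLIC = Obj("BankB price list", "BankB", "banking", sanitized=True)
TELCO = Obj("TelcoX call records", "TelcoX", "telecom")
```

A support engineer who has read BankA's ledger may still read TelcoX's records and BankB's public price list, but not BankB's ledger; once they have read data from two different companies they may no longer write to either, because anything they write could carry the other company's information. In the demo, the trial user effectively became a subject with every tenant's data in their history, which the model forbids from the first cross-tenant read onwards.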

Who’s Your Data’s Daddy? I am
