Slide 1

Surfacing Cloud Application Vulnerabilities
Sam Stepanyan
OWASP London Chapter Leader
Twitter: @securestep9

Slide 2

• We are a global not-for-profit charitable organisation
• Focused on improving the security of software
• We collaboratively develop and provide free tools, guidance, standards
• All meetings are free to attend (*free beer included)

Slide 3

Community of VOLUNTEERS (45,000 worldwide)

Slide 4

200+ OWASP Chapters Around The World

Slide 5

• Belfast
• Birmingham
• Bristol
• Cambridge
• Leeds
• London
• Manchester
• Newcastle
• Royal Holloway (inactive)
• Scotland
• Sheffield
• Suffolk

Slide 6

Vendor Neutral

Slide 7

OWASP TOP 10 VULNERABILITIES
• Most Critical Risks
• Referenced by PCI DSS
• Used By The Industry

WARNING: There are more than 10 vulnerabilities! DO NOT BASE Your Entire Application Security Programme Solely On OWASP Top 10!

Slide 9

• Timesheets & Expenses?
• Meeting Room Booking?

Slide 15

OWASP Top 10 Vulnerabilities A1 - A5

Slide 16

OWASP Top 10 Vulnerabilities A6 - A10

Slide 17

TalkTalk Breach - SQL Injection

Slide 18

£400,000 fine by ICO - biggest to date in “pre-GDPR world”
“The attacker used a common technique known as SQL injection to access the data”
“SQL injection is well understood, defences exist and TalkTalk ought to have known that it posed a risk to its data, the ICO investigation found”
“157,000-record customer database stolen: names, addresses, dates of birth, phone numbers and email addresses.”
“In almost 16,000 cases, the attackers also had access to TalkTalk customers’ bank account details and sort codes”

Slide 19

“LinkedIn was breached via SQL Injection – one of the lowest-hanging fruits on the vulnerability tree” - Sophos

Slide 20

“Attacks aimed at the application layer are growing at 25% annually. SQL Injection vulnerability was used in over 51% of application attacks seen in Q2 2017” — Akamai

Slide 21

US Department of Defense - SQL Injection!
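The ICO quote on slide 18 says the defences for SQL injection exist and are well understood. As an added illustration, which is not part of the deck and is not TalkTalk's, LinkedIn's or anyone's real code, the block below shows the defect beside the defence using Python's sqlite3 module: one lookup builds the query by string formatting, the other binds the value as a parameter, and a regression check confirms that a quote-bearing input can no longer change the query. The table, its rows and the names in it are constructed.

```python
import sqlite3

# Constructed sample data standing in for a customer table of the kind
# stolen in the TalkTalk breach; every value here is made up.
SAMPLE_CUSTOMERS = [
    ("alice", "alice@example.invalid", "01632 960001"),
    ("bob", "bob@example.invalid", "01632 960002"),
]


def make_db():
    """Build an in-memory SQLite database holding the constructed sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE customers (username TEXT, email TEXT, phone TEXT)")
    conn.executemany("INSERT INTO customers VALUES (?, ?, ?)", SAMPLE_CUSTOMERS)
    return conn


def lookup_vulnerable(conn, username):
    """Splices untrusted input into the SQL text, so the input can rewrite the query."""
    sql = f"SELECT username, email, phone FROM customers WHERE username = '{username}'"
    return conn.execute(sql).fetchall()


def lookup_parameterized(conn, username):
    """Keeps the SQL text fixed and hands the value to the driver as a bound parameter,
    so whatever the caller supplies is only ever compared as a string."""
    sql = "SELECT username, email, phone FROM customers WHERE username = ?"
    return conn.execute(sql, (username,)).fetchall()


def regression_check(conn):
    """True when the parameterized lookup treats a quote-bearing input as plain data.

    The tautology string is the textbook illustration of why string-building fails:
    spliced into the query text it turns the WHERE clause into one that is true
    for every row, whereas bound as a parameter it simply matches no username."""
    tautology = "x' OR '1'='1"
    leaked = lookup_vulnerable(conn, tautology)      # every row comes back
    safe = lookup_parameterized(conn, tautology)     # no such username: no rows
    return len(leaked) == len(SAMPLE_CUSTOMERS) and safe == []


if __name__ == "__main__":
    db = make_db()
    print("parameterized lookup holds:", regression_check(db))
```

The same check works as a unit test against any data-access layer: feed it the tautology and assert that zero rows come back. A query that still leaks rows is being assembled from strings somewhere, whatever the ORM in front of it claims.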

Slide 22

Mirai Botnet - OS Command Injection!
The Day The Internet Died: 21 October 2016!
Attack launched from millions of IoT devices (e.g. CCTV cameras) hacked due to OS Command Injection vulnerability

Slide 23

Sensitive Data Exposure - TCS

Slide 24

TCS Developer GitHub Leak - May 2017

Developers at Indian outsourcing giant Tata Consultancy Services (TCS) “inadvertently” uploaded to a public cloud-based GitHub repository raw source code, internal documentation on web banking applications and mobile apps of:
• 6 big Canadian banks
• 2 well-known American financial organisations
• a multinational Japanese bank
• a multibillion dollar financial software company

Slide 25

Unvalidated Redirect - Election “Rigging”

Phishing e-mail looks exactly like a real e-mail from Google. Change Password button URL leads to https://mail.google.com/

Slide 26

Login page is very convincing, but it is fake. Credentials are “harvested” and cybercriminals log in with the stolen credentials to steal all the e-mails and then leak them.

Slide 27

Despite the pressure from the security community, Google refuses to fix several Open Redirect vulnerabilities in its systems and excludes them from its Bug Bounty Programme.
There are over 30 known Google URLs - all on https:// - vulnerable to Open Redirect (A10 in OWASP Top 10 2013).

Slide 28

Google “Fixed” This One
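Slides 25 to 28 describe an open redirect being used to make a phishing link start at a genuine https:// Google URL. The defence on the application side is to validate the redirect target against an allow-list of first-party hosts instead of forwarding whatever the parameter carries. The Python below is an added example written for this page, not Google's code; ALLOWED_HOSTS and the example hostnames are constructed. It covers the inputs that usually slip past a naive "does it start with /" check: scheme-relative //host and /\host forms, user@host credentials in the authority, look-alike subdomains, and non-http schemes.

```python
from urllib.parse import urlparse

# Constructed allow-list: the hosts this hypothetical application may send users to
# after login. An application would substitute its own first-party hosts here.
ALLOWED_HOSTS = frozenset({"mail.example.invalid", "accounts.example.invalid"})


def is_safe_redirect(target, allowed_hosts=ALLOWED_HOSTS):
    """True only if `target` is a same-site rooted path or an http(s) URL on an allowed host."""
    if not target or any(c in target for c in "\r\n\t"):
        return False                       # CR/LF/TAB have no place in a Location value
    # Browsers treat a leading '//' or '/\' as scheme-relative (i.e. a different host);
    # urlparse only recognises '//', so reject both explicitly before parsing.
    if target.startswith("//") or target.startswith("/\\"):
        return False
    parsed = urlparse(target)
    if parsed.scheme and parsed.scheme.lower() not in ("http", "https"):
        return False                       # javascript:, data:, file: and friends
    if parsed.netloc:
        # .hostname drops any 'user:pass@' prefix and port and lower-cases the host, so
        # 'https://mail.example.invalid@evil.invalid/' is judged by 'evil.invalid'.
        # Membership (not endswith) also defeats 'mail.example.invalid.evil.invalid'.
        return parsed.hostname in allowed_hosts
    # No authority component: only accept a path rooted on this site.
    return target.startswith("/")


def choose_redirect(requested, default="/"):
    """Return the target to redirect to, falling back to `default` when it is unsafe."""
    return requested if is_safe_redirect(requested) else default


if __name__ == "__main__":
    for candidate in ("/inbox", "https://mail.example.invalid/inbox",
                      "//evil.invalid/", "https://mail.example.invalid@evil.invalid/"):
        print(f"{candidate!r:50} -> {choose_redirect(candidate)!r}")
```

Keeping the allow-list as exact hostnames rather than a suffix match is the design decision that matters: a suffix check on "example.invalid" is what look-alike registrations exploit. Where a redirect to arbitrary third-party sites is a product requirement, the usual alternative is an interstitial page that shows the destination rather than a silent 302.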

Slide 29

Components With Known Vulnerabilities

Slide 32

Cross-Site Scripting (XSS)

Slide 33

Cross-Site Scripting (XSS)

Slide 35

Cross-Site Scripting (XSS)

This vulnerability could allow the attacker to use the victim's identity to take action on behalf of the victim, such as:
• CHANGE permissions
• DELETE content
• READ content
• STEAL sensitive information
• INJECT malicious scripts in the browser of the victim
• CAPTURE keystrokes of the victim including passwords
• FULLY CONTROL THE BROWSER OF THE VICTIM

Slide 36

Broken Authentication

Slide 37

Missing Access Control

“Any person with a mailbox in a company using Office 365 could exploit this vulnerability to obtain full Administrative permissions over their entire company’s Office 365 environment and read any employee’s email …”

Slide 38

Direct Object References
Security Misconfigurations

Slide 39

“There is an expectation among most Cloud adopters who think that if their data is in Amazon’s AWS Cloud then it will magically be secure” — Overheard at BSIDES Conference

Slide 40

“If we store our confidential PDF files in the Cloud, but give them really long and random URLs, nobody will ever find them, right?”
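The question on this slide has a concrete answer in how object storage decides access: the URL is a name, not a secret, and what makes an object reachable is the ACL or bucket policy attached to it, which is also what search-engine crawlers and bucket-enumeration tools end up testing. The Python below is an added example, not from the talk, that audits the two documents AWS S3 returns for this, the ACL from GetObjectAcl/GetBucketAcl and the bucket policy, and lists every grant or statement that opens reads to the public. The sample ACL, policy, bucket name, account id and role name are constructed; an account- or bucket-level S3 Block Public Access setting, which this check does not model, can override both documents.

```python
import json

# The two S3 "global" grantee groups. A grant to either makes an object or bucket
# reachable without any relationship to the owning account.
PUBLIC_GROUP_URIS = {
    "http://acs.amazonaws.com/groups/global/AllUsers": "anyone on the internet",
    "http://acs.amazonaws.com/groups/global/AuthenticatedUsers": "anyone with an AWS account",
}


def public_acl_grants(acl):
    """Return (audience, permission) pairs for every grant in an S3 ACL document
    (the shape returned by GetObjectAcl / GetBucketAcl) made to a public group."""
    findings = []
    for grant in acl.get("Grants", []):
        grantee = grant.get("Grantee", {})
        uri = grantee.get("URI")
        if grantee.get("Type") == "Group" and uri in PUBLIC_GROUP_URIS:
            findings.append((PUBLIC_GROUP_URIS[uri], grant.get("Permission")))
    return findings


def public_policy_sids(policy):
    """Return the Sid of each bucket-policy statement that allows object reads to the
    wildcard principal with no Condition block narrowing who the wildcard applies to."""
    def as_list(value):
        return value if isinstance(value, list) else [value]

    sids = []
    for stmt in policy.get("Statement", []):
        principal = stmt.get("Principal")
        wildcard = principal == "*" or (
            isinstance(principal, dict) and "*" in as_list(principal.get("AWS", []))
        )
        actions = {a.lower() for a in as_list(stmt.get("Action", []))}
        grants_read = actions & {"*", "s3:*", "s3:getobject"}
        if stmt.get("Effect") == "Allow" and wildcard and grants_read and "Condition" not in stmt:
            sids.append(stmt.get("Sid", "<unnamed>"))
    return sids


# Constructed sample documents: an object whose ACL grants READ to AllUsers, and a
# bucket policy with one public statement and one statement scoped to a single role.
SAMPLE_OBJECT_ACL = json.loads("""{
  "Owner": {"ID": "EXAMPLE-OWNER-ID"},
  "Grants": [
    {"Grantee": {"Type": "CanonicalUser", "ID": "EXAMPLE-OWNER-ID"}, "Permission": "FULL_CONTROL"},
    {"Grantee": {"Type": "Group", "URI": "http://acs.amazonaws.com/groups/global/AllUsers"},
     "Permission": "READ"}
  ]
}""")

SAMPLE_BUCKET_POLICY = json.loads("""{
  "Version": "2012-10-17",
  "Statement": [
    {"Sid": "PublicReadForConfidentialPdfs", "Effect": "Allow", "Principal": "*",
     "Action": "s3:GetObject", "Resource": "arn:aws:s3:::example-confidential-pdfs/*"},
    {"Sid": "AuditorRead", "Effect": "Allow",
     "Principal": {"AWS": "arn:aws:iam::123456789012:role/example-auditor"},
     "Action": ["s3:GetObject"], "Resource": "arn:aws:s3:::example-confidential-pdfs/*"}
  ]
}""")


def exposure_report(acl, policy):
    """Summarise why a 'long random URL' object is nevertheless public."""
    return {"acl": public_acl_grants(acl), "policy": public_policy_sids(policy)}


if __name__ == "__main__":
    print(json.dumps(exposure_report(SAMPLE_OBJECT_ACL, SAMPLE_BUCKET_POLICY), indent=2))
```

Nothing in the report depends on the object key, which is the point: a 60-character random filename with an AllUsers READ grant is exactly as public as one called report.pdf, and once any page links to it or it is uploaded to a crawler-indexed service it will be found. The durable fixes are private ACLs plus short-lived pre-signed URLs for the people who need access.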

Slide 43

Help! The Cloud Is Leaking!

Slide 47

• names
• addresses
• dates of birth
• bank account numbers
• e-mail addresses
• phone numbers
• NHS patient referrals

Slide 49

• Employment Contracts
• Salaries & Payroll data
• Confidential Agreements and Documents (e.g. NDAs)
• Encryption Keys
• Database Backups (AA, PageGroup)
• Passwords To Corporate Firewalls!

Slide 51

• 1.7 million PDF files
• 60,000 of them gov.uk
• 30,000 of them NHS-related

Slide 53

14,298-Page PDF!

Slide 54

Penetration Testing and Scanning Report PDFs
• $70 Bln turnover insurance company
• PDF of a vulnerability scan report easily searchable on Google
• 100s of High and Medium flaws

Slide 55

237 SQL Injection Vulnerabilities with precise locations! Ouch!

Slide 59

Application Security is often an AFTERTHOUGHT

Slide 61

Start a Bug Bounty Programme

Slide 62

$8,000 $7,500 $5,000 $5,500 $5,000 $3,000 $2,500 $500

Slide 69

Learning about secure application development in a fun way!
OWASP Cornucopia
OWASP Snakes & Ladders

Slide 72

Hackathons & CTF Tournaments

Slide 73

Cloud Joke: Q: What do you call software that has moved into the Cloud?

Slide 74

VAPOURWARE

Slide 75

Thank You!
Questions? sam.stepanyan @ owasp . org
@securestep9
@owasplondon

Cloud Comics Courtesy of CloudTweaks