Automa(c  Detec(on  of  Inadequate   Authoriza(on  Checks  in  Web  Applica(ons    

About  Me   Name   Alvaro  Muñoz   Organiza(on   HP  SoCware  Security  Research   Currently   Researching  the  security  impact  of  new   technologies.  Especially  interested  in  Web,  any   language,  any  framework.   In  previous  episodes   Applica(on  Security  Consultant   Pentester   Other  Stuff   CTF  player,  OSCP,  GWAPT,  CISSP  …   Loca(on   Madrid,  Spain   Contact   alvaro.munoz@hp.com   @pwntester  

About  Me   Name   Dyvia  Muthukumaran   Organiza(on   Imperial  College     Currently   Postdoctoral  researcher  at  Imperial  College   Working  on  security  issues  in  Cloud  Compu(ng   In  previous  episodes   Ph.D  at  Penn  State.   Thesis  work  entailed  automated  authoriza(on   hook  placement.     Loca(on   London,  UK   Contact   dmuthuku@imperial.ac.uk    

Agenda   •  Agenda   – Design  Flaws  vs  Code  Level  Bugs   – Why  should  we  care?   – Current  detec(on  techniques   – Proposed  solu(on  

Applica(on  Security     Duality   Code   Bugs   Design   Flaws  

No content

Admin view User view

Is there anything wrong here? Any user can delete an account!!! Even if its not shown in the UI …

Any user can delete an account!!! Even if its not shown in the UI …

Detec(on   Code   Bugs   Design   Flaws  

Detec(on   Code   Bugs   Design   Flaws  

OpenSAMM   Source:  hWp://www.opensamm.org/  

Code  Review   Source:  hWp://www.opensamm.org/  

Design  Review   Source:  hWp://www.opensamm.org/  

OWASP  Top  Ten   Source:  hWp://h30499.www3.hp.com/t5/HP-­‐Security-­‐Research-­‐Blog/OWASP-­‐Top-­‐Ten-­‐2013/ba-­‐p/6046369  

OWASP  Top-­‐10  2013   A4-­‐Insecure  Direct  Object  References   A  direct  object  reference  occurs  when  a  developer   exposes  a  reference  to  an  internal  implementa(on   object,  such  as  a  file,  directory,  or  database  key.  Without   an  access  control  check  or  other  protec(on,  aWackers   can  manipulate  these  references  to  access  unauthorized   data.  Many  web  applica(ons  check  URL  access  rights   before  rendering  protected  links  and  buWons.  However,   applica(ons  need  to  perform  similar  access  control   checks  each  (me  these  pages  are  accessed,  or  aWackers   will  be  able  to  forge  URLs  to  access  these  hidden  pages   anyway.     Source:  hWps://www.owasp.org/index.php/Top_10_2013-­‐Top_10  

Is  this  the  real  life?  Is  this  just   fantasy?     Source:  hWp://irwebreport.com/20101118/bloomberg-­‐grabs-­‐netapps-­‐earnings-­‐early-­‐second-­‐case-­‐in-­‐a-­‐week/    

OWASP  Top-­‐10  2013   A7-­‐Missing  FuncBon  Level  Access  Control   Most  web  applica(ons  verify  func(on  level  access   rights  before  making  that  func(onality  visible  in  the   UI.  However,  applica(ons  need  to  perform  the  same   access  control  checks  on  the  server  when  each   func(on  is  accessed.  If  requests  are  not  verified,   aWackers  will  be  able  to  forge  requests  in  order  to   access  func(onality  without  proper  authoriza(on.     Source:  hWps://www.owasp.org/index.php/Top_10_2013-­‐Top_10  

Is  this  the  real  life?  Is  this  just   fantasy?     Source:  hWp://www.theregister.co.uk/2011/06/14/ci(group_website_hack_simple/  

Current  Approaches   •  Dynamic  approach   – Scan  applica(on  with  two  or  more  roles   – Compare  results   – Limita(ons:   •  Dynamic   –  Set  up   •  Can  only  detect  missing  checks  

A  beWer  solu(on   •  Requirements   – Works  on  Web  Applica(ons   – Sta(c   – Finds  both  missing  and  inconsistent  checks   – Does  not  require  any  training  or  preparaBon  

Iden(fying  inadequate  access   checks   3.  Suggest  RemediaBon     What  checks  should  be  added  or  modified?   2.  IdenBfy  Anomalies   What  similar  opera6ons  are  not  been  checked  or  checked  differently?   1.  Create  SpecificaBon   What  is  currently  being  access  checked?    

1.  Create  Specifica(on  

Create  Specifica(on   IdenBfy  access  checked  methods   – Configura(on  Files:   •  URLs   •  PointCuts   – Source  Code:   •  Annota(ons   •  if-­‐else  checks   – Consider  super  classes  and  call  traces  

Intercep(ng  URLs                              

Pointcut-­‐based                    

Pointcut-­‐based                                              org.demo.AccountService.createAccount=ROLE_USER        org.demo.AccountService.delete*=ROLE_ADMIN                                                                  

Annota(ons          public  interface  BankService  {                  @RequiresRole(“teller”)                  public  Account  post(Account  account,  double  amount);                  @RequiresPermission(“account:create”)                  public  Account[]  findAccounts();            }            public  interface  BankService  {                  @Secured("IS_AUTHENTICATED_ANONYMOUSLY")                  public  Account  readAccount(Long  id);                    @PreAuthorize(isAuthen(cated()  and  hasRole(“ROLE_USER”))                  @PreFilter(hasPermission(filterObject,’read’))                  public  Account[]  findAccounts();            }    

Hiding/Disabling  func(onality  

Hi  Guest   !                "/>              This  will  be  shown  if  the  user  has  either  of  the  permissions          represented  by  the  values  "1"  or  "2"  on  the  given  object.      

Programma(c   //  get  the  current  subject   Subject  currentUser  =  SecurityU(ls.getSubject();     If  (currentUser.hasRole(“administrator”))  {          do_something();   }  else  {          do_something_different();   }    

Gather  all  protected   opera(ons   Gather  all  protected  operaBons   – What  objects,  classes,  methods  are  accessed   within  access  checked  methods?     – For  each  opera(on:   •  Func(on   •  Variable  (instance  object,  argument)   – Discard:   •  U(lity/Helper  func(on  calls   •  Common  Func(on  calls  (Heuris(cally  detected)  

Example   public  class  CocktailServiceImpl  implements  CocktailService{                      List  cocktails=new  ArrayList();            @PreAuthorize(hasRole(‘ADMIN’))            public  Cocktail  getCocktail(int  id)  {                    return  cocktails.get(int  );                }              public  Cocktail  deleteCocktail(int  id)  {                    Cocktail  cocktail  =  cocktails.get(int  );                    cocktails.remove(int);                    return  cocktail;                }   }      

Example   CocktailServiceImpl.java   @RequestMapping(“/admin/getDrink)   public  getCocktail(int  id)  {        return  lookupCocktail(id);       }     CocktailServiceImpl.java   private  lookupCocktail()    {            Cocktail  c  =  cocktails.get();            return  c;     }     CocktailService.java   public  interface  CocktailService      {   {        @PreAuthorize(hasRole(‘ADMIN’))          Cocktail  getCocktail(int  );                ….       }     @PreAuthorize(hasRole(‘ADMIN’))   @PreAuthorize(hasRole(‘ADMIN’))  &&  isAuthenBcated()   URL  -­‐>  Access  Check   Security-­‐config.xml       Method  -­‐>  URL   •  AnnotaBon   @RequestMapping     •  ConfiguraBon                  PointCuts,  …   isAuthenBcated()   Method  -­‐>  URL  -­‐>  Access  Check   X  

2.  Iden(fy  Anomalies  

Iden(fy  Anomalies   •  Given  a  class  c  where  some  of  methods  have  access   checks,  are  there  methods  that  do  not?   •  If  so,  are  they  performing  any  of  the  same  types  of   accesses  as  the  ones  that  do?    

Iden(fy  Anomalies   •  For  each  non-­‐access  controlled  method   examine  all  opera(ons  performed  within   func(on  scope:     •  Iden(fy  Func(on   •  Iden(fy  Variable   –  Instance  object,  argument   •  Fine  Tune  opera(ons:   – Map  opera(ons  with  CRUD  ac(ons  

Iden(fy  Anomalies   Same  variable  and  same  method   [SAMEVAR+SAMEMETHOD]     Same  variable  and  different  method   [SAMEVAR+DIFFMETHOD]     Same  variable  type  and  same  method   [SAMETYPE+SAMEMETHOD]     Same  variable  type  and  different  method     [SAMETYPE+DIFFMETHOD]     •  deleteCocktail()   • Opera(ons:     •   this.cocktails  +  get()     •  getCocktail()   • Opera(ons:     • this.cocktails  +  get()     • Access  Checks:       • PreAuthorize(hasRole(‘Admin’)).    

Iden(fy  Anomalies:   Inconsistency     private  lookupCocktail()    {            Cocktail  =  cocktails.get();     }       public  getCocktail(int  id)  {        return  lookupCocktail(id);       }       Public  deleteCocktail(int  id)  {        return  lookupCocktail(id);       }     @PreAuthorize(hasRole(‘ADMIN’))   isAuthen(cated()  

3.  Suggest  Remedia(on  

Suggest  Remedia(on   •  Present  the  developer  with  precise  details  of   the  anomalies  found  and  the  evidences   suppor(ng  the  finding   •  If  several  evidences  are  found,  present  the   most  similar  in  terms  of  opera(ons  performed   •  Provide  developers  with  a  set  of  access   control  checks  based  on  evidences  

Summary   Create   Specifica(on     •  getCocktail()   • Opera(ons:     • CocktailServiceImpl  +  this.cocktails  +  get()     • Access  Checks:       • PreAuthorize(hasRole(‘Admin’)).     Iden(fy   Anomalies   •  deleteCocktail()   • Opera(ons:  CocktailServiceImpl  +  this.cocktails  +  get()     Remedia(on   •  deleteCocktail()   • Add  Check:     • PreAuthorize(hasRole(‘Admin’))   • Evidence:  getCocktail()  

No content

In  the  wild   •  Mifos:   – Very  large  open  source  microfinance  applica(on.   – 323,007  Java  LOC   – 122224  XML  LOC   – It  uses  spring  annota(ons  in  addi(on  to  custom   checks   – 77  anomalies  were  found  

In  the  wild:  mifos     Anomaly   LocaBon:     ClientServiceFacadeWebTier:859   FuncBon  Signature:     public  String  transferClientToBranch(String,  Short)   Suspicious   operaBons   [SAMEVAR+SAMEMETHOD]     this.customerService  +  transferClientTo  @  842   Evidence   FuncBon  Signature:     public  String  transferClientToGroup(Integer,  String,  Integer)   Protected  OperaBons:     this.customerService+  transferClientTo  @  733     Recommended   AnnotaBon  Set   @PreAuthorize("isFullyAuthen(cated()  and   hasRole('ROLE_CAN_UPDATE_GROUP_MEMBERSHIP_OF_CLIENT ')")  

Source:  hWps://github.com/mifos/head/blob/0d9cdffeb07bcbeb75ffa4f9107272c6694a00a2/appdomain/src/main/java/org/mifos/applica(on/servicefacade/ClientServiceFacadeWebTier.java  

Source:  hWps://github.com/mifos/head/blob/0d9cdffeb07bcbeb75ffa4f9107272c6694a00a2/serviceInterfaces/src/main/java/org/mifos/applica(on/servicefacade/ClientServiceFacade.java  

In  the  wild:  mifos     Anomaly   LocaBon:     Ques(onnaireServiceFacadeImpl:94   FuncBon  Signature:     public  Ques(onGroupDetail  createQues(onGroup   (Ques(onGroupDetail)   Suspicious   operaBons   [SAMEVAR+SAMEMETHOD]     this.ques(onnaireService  +  defineQues(onGroup  @  94   Evidence   FuncBon  Signature:     public  Ques(onGroupDetail   createAc(veQues(onGroup(Ques(onGroupDetail)   Protected  OperaBons:     this.ques(onnaireService  +  defineQues(onGroup  @  100   Recommended   AnnotaBon  Set   @PreAuthorize("isFullyAuthen(cated()  and   hasRole('ROLE_CAN_ACTIVATE_QUESTION_GROUPS')")  

Source:  hWps://github.com/mifos/head/blob/aa1d2ac985b‚e7ea4e07a0eb7a22cef7ba92bc1/appdomain/src/main/java/org/mifos/plaƒorm/ques(onnaire/service/ Ques(onnaireServiceFacadeImpl.java    

Source:  hWps://github.com/mifos/head/blob/6fe9141e4491194181c7ec85ef0adc3773208dcd/serviceInterfaces/src/main/java/org/mifos/plaƒorm/ques(onnaire/service/ Ques(onnaireServiceFacade.java    

In  the  wild:  mifos     Anomaly   LocaBon:     SystemInforma(onServiceFacadeWebTier:90   FuncBon  Signature:     public  String  getServerInforma(on(ServletContext,  Locale)   Suspicious   operaBons   [SAMETYPE+SAMEMETHOD]     org.mifos.applica(on.admin.SystemInfo  +  SystemInfo  @  90   Evidence   FuncBon  Signature:     public  SystemInfor  getSystemInforma(on(ServletContext,  Locale)   Protected  OperaBons:     org.mifos.applica(on.admin.SystemInfo  +  SystemInfo  @  46     Recommended   AnnotaBon  Set   PreAuthorize(isFullyAuthen(cated()  and   hasRole(‘ROLE_VIEW_SYSTEM_INFO’)      

Source:  hWps://github.com/mifos/head/blob/e271189b8ec71e5724ffcf189f0aef7249896e13/applica(on/src/main/java/org/mifos/applica(on/admin/servicefacade/ SystemInforma(onServiceFacadeWebTier.java    

Source:  hWps://github.com/mifos/head/blob/0d9cdffeb07bcbeb75ffa4f9107272c6694a00a2/serviceInterfaces/src/main/java/org/mifos/applica(on/admin/servicefacade/ SystemInforma(onServiceFacade.java  

In  the  wild   •  pgGallery   – Small  photo  sharing  applica(on   •  1897  Java  LOC   •  419  XML  LOC   – 8  anomalies  iden(fied  

In  the  wild:  pgGallery   Anomaly   LocaBon:     AlbumService.java:42   FuncBon  Signature:     public  List  getBreadcrumbById  (BigDecimal)   Suspicious   operaBons   [SAMEVAR+DIFFMETHOD]     this.albumMapper  +  getBreadcrumbById  @  42   Evidence  1   FuncBon  Signature:     public  List  getByParent  (BigDecimal)   Protected  OperaBons:     this.albumMapper  +  getByParent  @  30   Evidence  2   FuncBon  Signature:     public  List  getRoot()   Protected  OperaBons:     this.albumMapper  +  getRoot  @  25   Recommended   AnnotaBon  Set   PostFilter  (  hasAnyRole('ROLE_USER','ROLE_ADMIN'))   PostFilter  (filterObject.isPublic()  ==  true)  

Source:  hWps://github.com/chotchki/pgGallery/blob/master/src/main/java/pgGallery/db/service/AlbumService.java  

Next  steps   •  Handle  custom  authoriza(on  checks.     •  Reduce  false  posi(ves:     – Increase  granularity  of  opera(ons.       – Map  opera(ons  to  CRUD  ac(ons.   •  Extending  to  other  frameworks/languages  

Thanks       alvaro.munoz@hp.com   @pwntester