Slide 1

Automatic Detection of Inadequate Authorization Checks in Web Applications

Slide 2

About Me
Name: Alvaro Muñoz
Organization: HP Software Security Research
Currently: Researching the security impact of new technologies. Especially interested in Web, any language, any framework.
In previous episodes: Application Security Consultant, Pentester, Other Stuff: CTF player, OSCP, GWAPT, CISSP …
Location: Madrid, Spain
Contact: [email protected] @pwntester

Slide 3

About Me
Name: Divya Muthukumaran
Organization: Imperial College
Currently: Postdoctoral researcher at Imperial College. Working on security issues in Cloud Computing.
In previous episodes: Ph.D. at Penn State. Thesis work entailed automated authorization hook placement.
Location: London, UK
Contact: [email protected]

Slide 4

Agenda
• Agenda
  – Design Flaws vs Code Level Bugs
  – Why should we care?
  – Current detection techniques
  – Proposed solution

Slide 5

Application Security Duality: Code Bugs | Design Flaws

Slide 6

No content

Slide 7

Admin view | User view

Slide 8

Is there anything wrong here? Any user can delete an account!!! Even if it's not shown in the UI …

Slide 9

Any user can delete an account!!! Even if it's not shown in the UI …

Slide 10

Detection: Code Bugs | Design Flaws

Slide 11

Detection: Code Bugs | Design Flaws

Slide 12

OpenSAMM
Source: http://www.opensamm.org/

Slide 13

Code Review
Source: http://www.opensamm.org/

Slide 14

Design Review
Source: http://www.opensamm.org/

Slide 15

OWASP Top Ten
Source: http://h30499.www3.hp.com/t5/HP-Security-Research-Blog/OWASP-Top-Ten-2013/ba-p/6046369

Slide 16

OWASP Top-10 2013
A4-Insecure Direct Object References
A direct object reference occurs when a developer exposes a reference to an internal implementation object, such as a file, directory, or database key. Without an access control check or other protection, attackers can manipulate these references to access unauthorized data. Many web applications check URL access rights before rendering protected links and buttons. However, applications need to perform similar access control checks each time these pages are accessed, or attackers will be able to forge URLs to access these hidden pages anyway.
Source: https://www.owasp.org/index.php/Top_10_2013-Top_10

Slide 17

Is this the real life? Is this just fantasy?
Source: http://irwebreport.com/20101118/bloomberg-grabs-netapps-earnings-early-second-case-in-a-week/

Slide 18

OWASP Top-10 2013
A7-Missing Function Level Access Control
Most web applications verify function level access rights before making that functionality visible in the UI. However, applications need to perform the same access control checks on the server when each function is accessed. If requests are not verified, attackers will be able to forge requests in order to access functionality without proper authorization.
Source: https://www.owasp.org/index.php/Top_10_2013-Top_10

Slide 19

Is this the real life? Is this just fantasy?
Source: http://www.theregister.co.uk/2011/06/14/citigroup_website_hack_simple/

Slide 20

Current Approaches
• Dynamic approach
  – Scan application with two or more roles
  – Compare results
  – Limitations:
    • Dynamic
      – Set up
    • Can only detect missing checks

Slide 21

A better solution
• Requirements
  – Works on Web Applications
  – Static
  – Finds both missing and inconsistent checks
  – Does not require any training or preparation

Slide 22

Identifying inadequate access checks
1. Create Specification: What is currently being access checked?
2. Identify Anomalies: What similar operations are not being checked, or are checked differently?
3. Suggest Remediation: What checks should be added or modified?

Slide 23

1. Create Specification

Slide 24

Create Specification
Identify access checked methods
  – Configuration Files:
    • URLs
    • PointCuts
  – Source Code:
    • Annotations
    • if-else checks
  – Consider super classes and call traces

Slide 25

Intercepting URLs

Slide 26

Pointcut-based

Slide 27

Pointcut-based

    org.demo.AccountService.createAccount=ROLE_USER
    org.demo.AccountService.delete*=ROLE_ADMIN
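Slides 24 to 27 describe how the specification is built: a method counts as access checked if a pointcut entry or an annotation protects it, and annotations or pointcuts declared on an interface or super class must be credited to the implementation as well. The script below is an added example of that first step and is not the authors' tool. The pointcut entries are the two shown on the slide; the `org.demo.AccountService` / `AccountServiceImpl` class model and the method names in it are constructed for the example.

```python
"""Step 1, create the specification: decide which methods are protected
by pointcut-style configuration or by annotations, crediting checks on
interfaces/super classes to the implementation (added example)."""
from fnmatch import fnmatchcase

# Pointcut-style configuration in the shape shown on the slide:
# <fully qualified method pattern>=<required role>
POINTCUT_CONFIG = """
org.demo.AccountService.createAccount=ROLE_USER
org.demo.AccountService.delete*=ROLE_ADMIN
"""

# Constructed class model: each class lists its super types and its methods
# with any access-check annotations declared directly on them.
CLASSES = {
    "org.demo.AccountService": {
        "supers": [],
        "methods": {
            "createAccount": [],
            "deleteAccount": [],
            "deleteAllAccounts": [],
            "readAccount": ["@Secured('IS_AUTHENTICATED_ANONYMOUSLY')"],
            "findAccounts": [],
        },
    },
    "org.demo.AccountServiceImpl": {
        "supers": ["org.demo.AccountService"],
        "methods": {
            "createAccount": [],
            "deleteAccount": [],
            "deleteAllAccounts": [],
            "readAccount": [],
            "findAccounts": [],
            "helper": [],
        },
    },
}


def parse_pointcuts(text):
    """Turn 'pattern=ROLE' lines into (pattern, role) pairs."""
    rules = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        pattern, _, role = line.partition("=")
        if not role:
            raise ValueError(f"malformed pointcut entry: {line!r}")
        rules.append((pattern.strip(), role.strip()))
    return rules


def linearize(cls, classes):
    """The class itself followed by all of its super types."""
    seen, order, queue = set(), [], [cls]
    while queue:
        c = queue.pop(0)
        if c in seen:
            continue
        seen.add(c)
        order.append(c)
        queue.extend(classes.get(c, {}).get("supers", []))
    return order


def build_specification(classes, pointcut_text):
    """Map every 'Class.method' to the set of checks protecting it."""
    rules = parse_pointcuts(pointcut_text)
    spec = {}
    for cls, info in classes.items():
        for method in info["methods"]:
            checks = set()
            # A check on the same-named method of any super type (annotation
            # or matching pointcut) protects this implementation too.
            for owner in linearize(cls, classes):
                owner_methods = classes[owner]["methods"]
                if method not in owner_methods:
                    continue
                checks.update(owner_methods[method])
                fqn = f"{owner}.{method}"
                for pattern, role in rules:
                    if fnmatchcase(fqn, pattern):
                        checks.add(f"pointcut:{role}")
            spec[f"{cls}.{method}"] = checks
    return spec


def unchecked_methods(spec):
    """Methods with no check at all: the candidates for step 2."""
    return sorted(m for m, checks in spec.items() if not checks)


if __name__ == "__main__":
    for name, checks in sorted(build_specification(CLASSES, POINTCUT_CONFIG).items()):
        print(f"{name}: {sorted(checks) or 'UNCHECKED'}")
```

Wildcards are matched with shell-style globbing, so `delete*` covers `deleteAccount` and `deleteAllAccounts`; the implementation class only inherits those roles because its super type is walked, which is the "consider super classes" point of slide 24.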

Slide 28

Annotations

    // Apache Shiro
    public interface BankService {
        @RequiresRoles("teller")
        public Account post(Account account, double amount);

        @RequiresPermissions("account:create")
        public Account[] findAccounts();
    }

    // Spring Security
    public interface BankService {
        @Secured("IS_AUTHENTICATED_ANONYMOUSLY")
        public Account readAccount(Long id);

        @PreAuthorize("isAuthenticated() and hasRole('ROLE_USER')")
        @PostFilter("hasPermission(filterObject, 'read')")
        public Account[] findAccounts();
    }

Slide 29

Hiding/Disabling functionality

    Hi Guest!

    This will be shown if the user has either of the permissions
    represented by the values "1" or "2" on the given object.

Slide 30

Programmatic

    // get the current subject
    Subject currentUser = SecurityUtils.getSubject();

    if (currentUser.hasRole("administrator")) {
        do_something();
    } else {
        do_something_different();
    }

Slide 31

Gather all protected operations
  – What objects, classes, methods are accessed within access checked methods?
  – For each operation:
    • Function
    • Variable (instance object, argument)
  – Discard:
    • Utility/Helper function calls
    • Common function calls (heuristically detected)

Slide 32

Example

    public class CocktailServiceImpl implements CocktailService {

        List<Cocktail> cocktails = new ArrayList<>();

        @PreAuthorize("hasRole('ADMIN')")
        public Cocktail getCocktail(int id) {
            return cocktails.get(id);
        }

        // no access check, yet the same operation on the same list as getCocktail()
        public Cocktail deleteCocktail(int id) {
            Cocktail cocktail = cocktails.get(id);
            cocktails.remove(id);
            return cocktail;
        }
    }

Slide 33

Example

    CocktailServiceImpl.java

        @RequestMapping("/admin/getDrink")
        public Cocktail getCocktail(int id) {
            return lookupCocktail(id);
        }

    CocktailServiceImpl.java

        private Cocktail lookupCocktail(int id) {
            Cocktail c = cocktails.get(id);
            return c;
        }

    CocktailService.java

        public interface CocktailService {
            @PreAuthorize("hasRole('ADMIN')")
            Cocktail getCocktail(int id);
            ....
        }

Method -> URL -> Access Check
• Method -> URL
  – Annotation: @RequestMapping
  – Configuration: PointCuts, …
• URL -> Access Check: Security-config.xml (isAuthenticated())
• Effective check on getCocktail(): @PreAuthorize(hasRole('ADMIN')) from the interface, combined with the URL check: @PreAuthorize(hasRole('ADMIN')) && isAuthenticated()

Slide 34

2. Identify Anomalies

Slide 35

Identify Anomalies
• Given a class c where some of the methods have access checks, are there methods that do not?
• If so, are they performing any of the same types of accesses as the ones that do?

Slide 36

Identify Anomalies
• For each non-access-controlled method, examine all operations performed within function scope:
  • Identify Function
  • Identify Variable
    – Instance object, argument
• Fine tune operations:
  – Map operations to CRUD actions

Slide 37

Identify Anomalies

Anomaly categories:
• Same variable and same method [SAMEVAR+SAMEMETHOD]
• Same variable and different method [SAMEVAR+DIFFMETHOD]
• Same variable type and same method [SAMETYPE+SAMEMETHOD]
• Same variable type and different method [SAMETYPE+DIFFMETHOD]

Example:
• deleteCocktail()
  – Operations: this.cocktails + get()
• getCocktail()
  – Operations: this.cocktails + get()
  – Access Checks: PreAuthorize(hasRole('Admin'))

Slide 38

Identify Anomalies: Inconsistency

    private Cocktail lookupCocktail(int id) {
        Cocktail c = cocktails.get(id);
        return c;
    }

    // access check: @PreAuthorize(hasRole('ADMIN'))
    public Cocktail getCocktail(int id) {
        return lookupCocktail(id);
    }

    // access check: isAuthenticated()
    public Cocktail deleteCocktail(int id) {
        return lookupCocktail(id);
    }

Slide 39

3. Suggest Remediation

Slide 40

Suggest Remediation
• Present the developer with precise details of the anomalies found and the evidence supporting the finding
• If several pieces of evidence are found, present the most similar in terms of operations performed
• Provide developers with a set of access control checks based on the evidence

Slide 41

Summary

Create Specification
• getCocktail()
  – Operations: CocktailServiceImpl + this.cocktails + get()
  – Access Checks: PreAuthorize(hasRole('Admin'))

Identify Anomalies
• deleteCocktail()
  – Operations: CocktailServiceImpl + this.cocktails + get()

Remediation
• deleteCocktail()
  – Add Check: PreAuthorize(hasRole('Admin'))
  – Evidence: getCocktail()
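Slides 35 to 41 describe steps 2 and 3: compare every method of a class against the access-checked methods of the same class, grade each shared operation with the four categories of slide 37, and turn the closest match into a remediation proposal. The script below is an added example of that comparison and is not the authors' tool. Its `CocktailServiceImpl` model is built from the `getCocktail()` / `deleteCocktail()` operations on the slides; the extra `listCocktails()` and `log()` methods, and the `isAuthenticated()` check on `listCocktails()`, are constructed to show an inconsistent check and a helper that is correctly ignored.

```python
"""Steps 2 and 3: find unchecked or differently checked methods that perform
the same operations as checked methods in the same class, classify the
match, and recommend the evidence method's checks (added example)."""
from collections import namedtuple

# An operation performed inside a method: the variable acted on, its declared
# type, and the method called on it (slide 31).
Op = namedtuple("Op", "var var_type method")

# Constructed specification (output of step 1) for the slides' class.
SPEC = {
    "CocktailServiceImpl": {
        "getCocktail": {
            "ops": [Op("this.cocktails", "List", "get")],
            "checks": ["PreAuthorize(hasRole('ADMIN'))"],
        },
        "deleteCocktail": {                        # missing check (slide 32)
            "ops": [Op("this.cocktails", "List", "get"),
                    Op("this.cocktails", "List", "remove")],
            "checks": [],
        },
        "listCocktails": {                         # constructed: weaker check
            "ops": [Op("this.cocktails", "List", "size")],
            "checks": ["PreAuthorize(isAuthenticated())"],
        },
        "log": {                                   # constructed helper
            "ops": [Op("this.logger", "Logger", "info")],
            "checks": [],
        },
    }
}

# Match kinds from slide 37, strongest first; the index is the rank.
KINDS = ["SAMEVAR+SAMEMETHOD", "SAMEVAR+DIFFMETHOD",
         "SAMETYPE+SAMEMETHOD", "SAMETYPE+DIFFMETHOD"]


def classify(a, b):
    """Category of the (suspicious, protected) operation pair, or None."""
    if a.var == b.var:
        return KINDS[0] if a.method == b.method else KINDS[1]
    if a.var_type == b.var_type:
        return KINDS[2] if a.method == b.method else KINDS[3]
    return None


def find_anomalies(spec):
    """Every (method, evidence) pair whose checks differ but operations overlap."""
    anomalies = []
    for cls, methods in spec.items():
        checked = {m: d for m, d in methods.items() if d["checks"]}
        for name, data in methods.items():
            for ev_name, ev in checked.items():
                if ev_name == name or set(ev["checks"]) == set(data["checks"]):
                    continue  # same method, or already protected the same way
                matches = [(KINDS.index(k), k, op, ev_op)
                           for op in data["ops"] for ev_op in ev["ops"]
                           for k in [classify(op, ev_op)] if k]
                if not matches:
                    continue  # e.g. a logging helper touching unrelated state
                rank, kind, op, ev_op = min(matches)   # strongest shared operation
                anomalies.append({
                    "class": cls, "method": name,
                    "problem": "missing check" if not data["checks"] else "inconsistent check",
                    "kind": kind, "rank": rank,
                    "suspicious_op": op, "evidence": ev_name, "protected_op": ev_op,
                    "recommended": list(ev["checks"]),
                })
    return anomalies


def remediation(spec):
    """Slide 40: per anomalous method, keep the evidence with the closest operations."""
    best = {}
    for a in find_anomalies(spec):
        key = (a["class"], a["method"])
        if key not in best or a["rank"] < best[key]["rank"]:
            best[key] = a
    return best


if __name__ == "__main__":
    for (cls, method), a in remediation(SPEC).items():
        print(f"{cls}.{method}: {a['problem']} [{a['kind']}] "
              f"evidence {a['evidence']} -> add {a['recommended']}")
```

`deleteCocktail()` is reported against `getCocktail()` with the strongest category because both call `get()` on `this.cocktails`, and the recommendation is the evidence method's own check, exactly the summary on slide 41. The constructed `listCocktails()` and `getCocktail()` report each other as inconsistent, which is the expected behaviour: the analysis can tell that two methods over the same state are protected differently, but only the developer can say which check is right.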

Slide 42

No content

Slide 43

In the wild
• Mifos:
  – Very large open source microfinance application.
  – 323,007 Java LOC
  – 122,224 XML LOC
  – It uses Spring annotations in addition to custom checks
  – 77 anomalies were found

Slide 44

In the wild: mifos

Anomaly
  Location: ClientServiceFacadeWebTier:859
  Function Signature: public String transferClientToBranch(String, Short)
Suspicious operations
  [SAMEVAR+SAMEMETHOD] this.customerService + transferClientTo @ 842
Evidence
  Function Signature: public String transferClientToGroup(Integer, String, Integer)
  Protected Operations: this.customerService + transferClientTo @ 733
Recommended Annotation Set
  @PreAuthorize("isFullyAuthenticated() and hasRole('ROLE_CAN_UPDATE_GROUP_MEMBERSHIP_OF_CLIENT')")

Slide 45

Source: https://github.com/mifos/head/blob/0d9cdffeb07bcbeb75ffa4f9107272c6694a00a2/appdomain/src/main/java/org/mifos/application/servicefacade/ClientServiceFacadeWebTier.java

Slide 46

Source: https://github.com/mifos/head/blob/0d9cdffeb07bcbeb75ffa4f9107272c6694a00a2/serviceInterfaces/src/main/java/org/mifos/application/servicefacade/ClientServiceFacade.java

Slide 47

In the wild: mifos

Anomaly
  Location: QuestionnaireServiceFacadeImpl:94
  Function Signature: public QuestionGroupDetail createQuestionGroup(QuestionGroupDetail)
Suspicious operations
  [SAMEVAR+SAMEMETHOD] this.questionnaireService + defineQuestionGroup @ 94
Evidence
  Function Signature: public QuestionGroupDetail createActiveQuestionGroup(QuestionGroupDetail)
  Protected Operations: this.questionnaireService + defineQuestionGroup @ 100
Recommended Annotation Set
  @PreAuthorize("isFullyAuthenticated() and hasRole('ROLE_CAN_ACTIVATE_QUESTION_GROUPS')")

Slide 48

Source: https://github.com/mifos/head/blob/aa1d2ac985bffe7ea4e07a0eb7a22cef7ba92bc1/appdomain/src/main/java/org/mifos/platform/questionnaire/service/QuestionnaireServiceFacadeImpl.java

Slide 49

Source: https://github.com/mifos/head/blob/6fe9141e4491194181c7ec85ef0adc3773208dcd/serviceInterfaces/src/main/java/org/mifos/platform/questionnaire/service/QuestionnaireServiceFacade.java

Slide 50

In the wild: mifos

Anomaly
  Location: SystemInformationServiceFacadeWebTier:90
  Function Signature: public String getServerInformation(ServletContext, Locale)
Suspicious operations
  [SAMETYPE+SAMEMETHOD] org.mifos.application.admin.SystemInfo + SystemInfo @ 90
Evidence
  Function Signature: public SystemInfo getSystemInformation(ServletContext, Locale)
  Protected Operations: org.mifos.application.admin.SystemInfo + SystemInfo @ 46
Recommended Annotation Set
  @PreAuthorize("isFullyAuthenticated() and hasRole('ROLE_VIEW_SYSTEM_INFO')")

Slide 51

Source: https://github.com/mifos/head/blob/e271189b8ec71e5724ffcf189f0aef7249896e13/application/src/main/java/org/mifos/application/admin/servicefacade/SystemInformationServiceFacadeWebTier.java

Slide 52

Source: https://github.com/mifos/head/blob/0d9cdffeb07bcbeb75ffa4f9107272c6694a00a2/serviceInterfaces/src/main/java/org/mifos/application/admin/servicefacade/SystemInformationServiceFacade.java

Slide 53

In the wild
• pgGallery
  – Small photo sharing application
    • 1,897 Java LOC
    • 419 XML LOC
  – 8 anomalies identified

Slide 54

In the wild: pgGallery

Anomaly
  Location: AlbumService.java:42
  Function Signature: public List getBreadcrumbById(BigDecimal)
Suspicious operations
  [SAMEVAR+DIFFMETHOD] this.albumMapper + getBreadcrumbById @ 42
Evidence 1
  Function Signature: public List getByParent(BigDecimal)
  Protected Operations: this.albumMapper + getByParent @ 30
Evidence 2
  Function Signature: public List getRoot()
  Protected Operations: this.albumMapper + getRoot @ 25
Recommended Annotation Set
  @PostFilter("hasAnyRole('ROLE_USER','ROLE_ADMIN')")
  @PostFilter("filterObject.isPublic() == true")

Slide 55

Source: https://github.com/chotchki/pgGallery/blob/master/src/main/java/pgGallery/db/service/AlbumService.java

Slide 56

Next steps
• Handle custom authorization checks.
• Reduce false positives:
  – Increase granularity of operations.
  – Map operations to CRUD actions.
• Extend to other frameworks/languages

Slide 57

Thanks

[email protected]
@pwntester