Prevent business logic attacks using dynamic instrumentation

Presented by Jean-Baptiste Aviat at SysadminDays #8 (https://sysadmindays.fr)

Renaud Chaput

October 19, 2018
Transcript

  2. Who am I? Jean-Baptiste Aviat, CTO & co-founder of sqreen.io, ex Apple Red Team. Email: jb@sqreen.io, Twitter: @JbAviat
  8. WAF

  13.

    ```javascript
    // Each business-logic function reports the action it performs.
    function generate_user_token(user_id) {
      // ... token generation ...
      track('user_token')
    }

    function reset_password(email) {
      // ... password reset ...
      track('reset_password')
    }

    function login(email, password) {
      // ... authentication ...
      track('login')
    }
    ```
  17.

    ```
    if (rate(user_token_gen) is unusual) {
      respond: lock_user_account
      alert: send_webhook
    }

    if (count(user_impersonation) is above 10 over last 1 minute) {
      respond: raise_exception, block_ip in reverse proxy
      alert: call_pager
    }
    ```
  23. In Ruby

    ```ruby
    # Swap an instance method for `hook`; the original stays reachable as
    # "<meth>_saved" so the hook can still call it.
    def override_instance_method(klass_name, meth, hook)
      # accept either the class itself or its name as a string
      klass = klass_name.is_a?(Module) ? klass_name : Object.const_get(klass_name)
      saved_meth_name = "#{meth}_saved".to_sym
      new_method = "#{meth}_modified".to_sym
      klass.class_eval do
        alias_method saved_meth_name, meth # keep the original implementation
        define_method(new_method, hook)    # the hook becomes a real method
        alias_method meth, new_method      # callers of `meth` now reach the hook
      end
    end
    ```
  25. Retrieve all the context you need
    • Authenticated user
    • Custom business information
    • Custom code / framework information
    • Any HTTP value
    • Previous service called
    • Spanning information
  27. How could this work? (instrumentation.json)

    ```json
    [
      {
        "class": "User",
        "method": "token_generation",
        "event_name": "user_token_generation",
        "custom_properties": {
          "impersonated": "@impersonated"
        }
      },
      {
        "class": "User",
        "method": "impersonation",
        "event_name": "user_impersonation"
      }
    ]
    ```
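The configuration-driven wrapping described on slides 23 and 27, as an added Ruby example that is not part of the talk or of Sqreen's agent: it parses a constructed config in the shape of instrumentation.json, wraps each listed method with alias_method/define_method the way the slide does, and emits an event carrying the requested instance-variable values. The User class, record_event, EVENTS and the token format are assumptions made for this example.

```ruby
require 'json'
require 'securerandom'

# Constructed config in the same shape as the slide's instrumentation.json.
INSTRUMENTATION_JSON = <<~JSON
  [
    { "class": "User", "method": "token_generation",
      "event_name": "user_token_generation",
      "custom_properties": { "impersonated": "@impersonated" } },
    { "class": "User", "method": "impersonation",
      "event_name": "user_impersonation" }
  ]
JSON

# Hypothetical application class standing in for the code being instrumented.
class User
  attr_reader :id

  def initialize(id)
    @id = id
    @impersonated = false
  end

  def token_generation
    "tok-#{@id}-#{SecureRandom.hex(4)}" # placeholder for the real token minting
  end

  def impersonation(target_id)
    @impersonated = true
    target_id
  end
end

EVENTS = [] # in-memory stand-in for the agent's event stream

def record_event(event_name, user_id, props)
  EVENTS << { event_name: event_name, user_id: user_id, at: Time.now.to_f }.merge(props)
end

# Wrap every method named in the config: the original stays reachable as
# "<method>_saved", the wrapper calls it and then emits the event. Applying the
# config twice is a no-op, so the wrapper can never be aliased over itself.
def apply_instrumentation(json)
  JSON.parse(json).each do |entry|
    klass      = Object.const_get(entry['class'])
    meth       = entry['method'].to_sym
    saved      = :"#{meth}_saved"
    event_name = entry['event_name']
    props_spec = entry.fetch('custom_properties', {})
    next if klass.method_defined?(saved) # already instrumented

    klass.class_eval do
      alias_method saved, meth
      define_method(meth) do |*args, &blk|
        result = send(saved, *args, &blk)
        # "@ivar" values are read from the receiver at call time; anything else is literal
        props = props_spec.each_with_object({}) do |(k, v), h|
          h[k.to_sym] = v.start_with?('@') ? instance_variable_get(v) : v
        end
        record_event(event_name, id, props)
        result
      end
    end
  end
end

if __FILE__ == $PROGRAM_NAME
  apply_instrumentation(INSTRUMENTATION_JSON)
  u = User.new(42)
  u.token_generation
  u.impersonation(7)
  u.token_generation
  EVENTS.each { |e| puts e.inspect }
end
```

Resolving `"@impersonated"` at call time (rather than when the config is loaded) is what lets the second token_generation event show `impersonated: true` after the impersonation call; the guard on `method_defined?(saved)` is the check to keep if the config can be reloaded while the process runs.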
  28. Analyze
    • The volume of calls
    • The successive actions performed by a given user (or IP)
    • Detect unusual activity
    • Anomalies in volume, proportions
    • Check logic flows
  29. Respond
    • Deny access to sensitive functions
    • Deny access to a whole service
    • Set account "read only"
    • Lock a user account
    • Log a user out
    • Trigger a pager
    • Fire a webhook
    • Create a ticket
    • …
  32. How to solve it
    • Record business logic actions (down to the code)
    • Define rules to detect a vulnerability exploitation
    • Trigger security responses to be applied

    Example: (a) Impersonate a user, (b) Generate a token. Rule: user is calling (impersonation) too much OR user is calling (generate_token) too much. Response: lock the user AND tag the user for review.
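The detection and response rules of slides 17, 28, 29 and 32, as an added Ruby example that is not the talk's or Sqreen's code: it replays a constructed event stream (the hashes an instrumented application would emit), evaluates the "count above 10 over the last minute" rule and a rate rule per user, and records which responses would fire. What counts as an "unusual" rate is an assumption made here (more than five times the user's per-minute average over the preceding hour), as are the user ids, timings and response names.

```ruby
T0 = 1_700_000_000.0 # constructed epoch anchor, in seconds

# Constructed event stream: one hash per instrumented call, oldest first.
def constructed_events
  ev = []
  # user 1: 12 impersonations within 33 seconds, should trip the count rule
  12.times { |i| ev << { event_name: 'user_impersonation', user_id: 1, at: T0 + i * 3 } }
  # user 2: 3 impersonations spread over 400 seconds, normal usage
  3.times  { |i| ev << { event_name: 'user_impersonation', user_id: 2, at: T0 + i * 200 } }
  # user 3: one token per minute for an hour, then 30 tokens in one minute
  60.times { |i| ev << { event_name: 'user_token_generation', user_id: 3, at: T0 + i * 60 } }
  30.times { |i| ev << { event_name: 'user_token_generation', user_id: 3, at: T0 + 3600 + i * 2 } }
  ev.sort_by { |e| e[:at] }
end

# A rule names the event it watches, the window it judges, how the window is
# judged (recent events vs. the user's earlier history) and what to do.
Rule = Struct.new(:event_name, :window, :check, :responses, keyword_init: true)

RULES = [
  # "count(user_impersonation) is above 10 over last 1 minute"
  Rule.new(event_name: 'user_impersonation', window: 60,
           check: ->(recent, _history) { recent.size > 10 },
           responses: %i[raise_exception block_ip call_pager]),
  # "rate(user_token_gen) is unusual": assumption for this example, the last-minute
  # count exceeds 5x the user's per-minute average over the preceding hour
  # (baseline floored at 1 so a brand-new user is not flagged on a second call)
  Rule.new(event_name: 'user_token_generation', window: 60,
           check: ->(recent, history) {
             baseline = [history.size / 60.0, 1.0].max
             recent.size > 5 * baseline
           },
           responses: %i[lock_user_account send_webhook tag_for_review])
]

# Replay the stream in order and return the responses triggered, keyed by user.
# Each rule fires at most once per user so a response is not repeated on every
# subsequent event once the user is already locked.
def evaluate(events, rules = RULES)
  per_user = Hash.new { |h, k| h[k] = [] } # user_id -> events seen so far
  fired    = Hash.new { |h, k| h[k] = [] } # user_id -> responses taken
  already  = {}                             # [user_id, event_name] guard
  events.each do |e|
    per_user[e[:user_id]] << e
    rules.each do |r|
      next unless r.event_name == e[:event_name]
      key = [e[:user_id], r.event_name]
      next if already[key]

      same    = per_user[e[:user_id]].select { |x| x[:event_name] == r.event_name }
      recent  = same.select { |x| x[:at] > e[:at] - r.window }
      history = same.select { |x| x[:at] <= e[:at] - r.window && x[:at] > e[:at] - r.window - 3600 }
      next unless r.check.call(recent, history)

      already[key] = true
      fired[e[:user_id]].concat(r.responses)
    end
  end
  fired
end

if __FILE__ == $PROGRAM_NAME
  evaluate(constructed_events).each { |user, actions| puts "user #{user}: #{actions.join(', ')}" }
end
```

The responses are recorded as symbols; in a deployment each maps to one of the actions on slide 29 (lock the account, fire the webhook, page someone). Comparing the last minute against the user's own earlier history is what keeps user 3's steady one-per-minute usage from being flagged while still catching the burst.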
  35. [Architecture diagram: instrumentation.json, Event Stream, Processing & analysis, Respond: Lock User; application components shown: Video uploader, User Token Management, "View as"]