Upgrade to Pro — share decks privately, control downloads, hide ads and more …

Prevent business logic attacks using dynamic instrumentation

Renaud Chaput
October 19, 2018
Programming
1
250

Prevent business logic attacks using dynamic instrumentation

Presented by Jean-Baptiste Aviat at SysadminDays #8 (https://sysadmindays.fr)

Renaud Chaput

October 19, 2018
Tweet

More Decks by Renaud Chaput

See All by Renaud Chaput
L'Infrastructure as Code au complet (par Benoit Petit)
renchap
1
490
Autour des requêtes des TSDB
renchap
2
290
Operate HBase clusters at Scale
renchap
1
230
Versions (par Olivier Delhomme)
renchap
1
220
Atelier Paris Web : Introduction à Docker
renchap
0
50
Introduction à Kubernetes
renchap
2
190
Alkemics CI & CD with Jenkins and Docker
renchap
1
190
Les containers : décryptage
renchap
2
200
Kubernetes en production : un an après
renchap
1
240

Other Decks in Programming

See All in Programming
Unexplored Region - parse.y -
yui_knk
2
1.3k
Information Schemaから自動生成する型付きORM spannent
khmer495
0
140
多様なプロトコルと 駆動モデルをサポートするIoTゲートウェイの開発と運用の知見
takesinoda
0
460
2023年5月ミートアップRubyKaigi2023スペシャル
umizaru
0
5.1k
Kotlin Multiplatform Library 배포하기
fornewid
0
210
LlamaIndex で Text-to-SQL 100 本ノック!
os1ma
2
800
Goのジェネリクスを活用する
syumai
2
1.3k
次なるルーターパッケージ選定のしざまと決め手について
yuzuy
2
300
OpenSearchを使って ごちクルの検索画面を爆速にする
konpay
0
150
Architecting For Scale
squer
0
210
ランニングコストやっべぇぞ!ECS/FargateでECRへのアクセスについて
honma12345
0
860
Reactive Microservices with Spring Boot and JHipster - Omaha JUG 2023
mraible
PRO
0
260

Featured

See All Featured
A designer walks into a library…
pauljervisheath
199
17k
The Mythical Team-Month
searls
211
41k
The World Runs on Bad Software
bkeepers
PRO
59
5.9k
How to train your dragon (web standard)
notwaldorf
69
4.4k
Web Components: a chance to create the future
zenorocha
304
41k
Fantastic passwords and where to find them - at NoRuKo
philnash
33
2k
From Idea to $5000 a Month in 5 Months
shpigford
374
45k
[RailsConf 2023 Opening Keynote] The Magic of Rails
eileencodes
5
6.5k
jQuery: Nuts, Bolts and Bling
dougneiner
57
6.7k
Designing the Hi-DPI Web
ddemaree
273
33k
How GitHub (no longer) Works
holman
299
140k
Imperfection Machines: The Place of Print at Facebook
scottboms
255
12k

Transcript

  1. using dynamic instrumentation
    2018/10/18
    Prevent business logic attacks

    View Slide

  2. Who am I?
    Jean-Baptiste Aviat
    CTO & CO-FOUNDER OF SQREEN.IO
    EX APPLE RED TEAM
    Email [email protected]
    Twitter @JbAviat

    View Slide

  3. 2000’s
    Code
    Frame-
    works

    View Slide

  4. Frameworks
    Code
    2010’s

    View Slide

  5. 5
    2020’s

    View Slide

  6. What is an attack
    against business logic?

    View Slide

  7. View Slide

  8. WAF

    View Slide

  9. View Slide

  10. View Slide

  11. How to do it in practice?

    View Slide

  12. def track(event_name)
    Let’s define a function

    View Slide

  13. function generate_user_token(user_id) {
    ...
    track(‘user_token’)
    }
    function reset_password(email) {
    ...
    track(‘reset_password’)
    }
    1
    2
    3
    4
    1
    2
    3
    4
    function login(email, password) {
    ...
    track(‘login’)
    }
    1
    2
    3
    4

    View Slide

  14. Event Stream

    View Slide

  15. Event Stream
    Processing
    & analysis

    View Slide

  16. Event Stream
    Processing
    & analysis
    Response

    View Slide

  17. if (rate(user_token_gen) is unusual) {
    respond: lock_user_account
    alert: send_webhook
    }
    1
    2
    3
    4
    if (count(user_impersonation) is above 10 over last 1 minute) {
    respond: raise_exception, block_ip in reverse proxy
    alert: call_pager
    }
    1
    2
    3
    4

    View Slide

  18. Application Performance Monitoring

    View Slide

  19. How to do this
    at scale?

    View Slide

  20. 1
    2
    4
    AUTHENTICATE
    5 6

    View Slide

  21. 1
    2
    HOOK 4
    5 6
    AUTHENTICATE

    View Slide

  22. 1
    2
    HOOK 4
    5 6
    AUTHENTICATE
    Dynamic?

    View Slide

  23. 23
    def override_instance_method(klass_name, meth, hook)
    saved_meth_name = "#{meth}_saved"
    new_method = "#{meth}_modified".to_sym
    klass_name.class_eval do
    alias_method saved_meth_name, meth
    define_method(new_method, hook)
    end
    alias_method meth, new_method
    end
    1
    2
    3
    4
    5
    6
    7
    8
    9
    10
    11
    12
    In Ruby

    View Slide

  24. 24
    Class> dynamicType = new ByteBuddy()
    .subclass(Object.class)
    .method(ElementMatchers.named("toString"))
    .intercept(FixedValue.value("Hello World!"))
    .make()
    .load(getClass().getClassLoader())
    .getLoaded();
    1
    2
    3
    4
    5
    6
    7
    In Java

    View Slide

  25. Retrieve all the
    context you need
    • Authenticated user
    • Custom business information
    • Custom code / framework information
    • Any HTTP value
    • Previous service called
    • Spanning information

    View Slide

  26. 26
    Architecting for
    performance

    View Slide

  27. [
    {
    "class": "User",
    "method": "token_generation",
    "event_name": "user_token_generation",
    "custom_properties": {
    "impersonated": "@impersonated"
    }
    },
    {
    "class": "User",
    "method": "impersonation",
    "event_name": "user_impersonation"
    }
    ]
    instrumentation.json
    1
    2
    3
    4
    5
    6
    7
    8
    9
    10
    11
    12
    13
    14
    15
    How could
    this work?

    View Slide

  28. Analyze
    • The volume of calls
    • The successive actions performed by a
    given user (or IP)
    • Detect unusual activity
    • Anomalies in volume, proportions
    • Check logic flows

    View Slide

  29. • Deny access to sensitive
    functions
    • Deny access to a whole
    service
    • Set account “read only”
    • Lock a user account
    • Log a user out
    • Trigger a pager
    • Fire a webhook
    • Create a ticket
    • …
    Respond

    View Slide

  30. 30
    Case Study
    Facebook Hack

    View Slide

  31. View as
    Video uploader
    User Token Management

    View Slide

  32. How to solve it
    Record business logic
    actions (down to the code)
    Define rules to detect a
    vulnerability exploitation
    Trigger security responses
    to be applied
    (a)Impersonate a user
    (b) Generate a token
    User is calling (impersonation) too much OR

    user is calling (generate_token) too much
    Lock the user AND
    Tag the user for review

    View Slide

  33. 33

    View Slide

  34. View Slide

  35. Event Stream
    Processing
    & analysis
    Respond:
    Lock User
    View as
    Video uploader
    User Token Management
    instru-
    mentation
    .json

    View Slide

  36. https://github.com/sqreen/BusinessLogicAttacksPOC
    Example Open Source Project

    View Slide

  37. Questions?

    View Slide