
Surfacing Cloud Application Vulnerabilities

Sam Stepanyan
September 04, 2017


Cloud applications are all around us and continue to proliferate at an impressive rate. We use them at home and at work, via a web browser, mobile app or a 'smart' device. How secure are they? The Cloud Security efforts have been traditionally focused on network infrastructure, identity & access management and data encryption. This talk will discuss the frequently overlooked Application Security Vulnerabilities and will demonstrate several examples of such vulnerabilities in the real world cloud applications.


Transcript

1. • We are a Global not-for-profit charitable organisation • Focused on improving the security of software • We collaboratively develop and provide free tools, guidance, standards • All meetings are free to attend (*free beer included)
2. • Belfast • Birmingham • Bristol • Cambridge • Leeds • London • Manchester • Newcastle • Royal Holloway (inactive) • Scotland • Sheffield • Suffolk
3. OWASP TOP 10 VULNERABILITIES • Most Critical Risks • Referenced by PCI DSS • Used By The Industry. WARNING: There are more than 10 vulnerabilities! DO NOT BASE Your Entire Application Security Programme Solely On OWASP Top 10!
4. £400,000 fine by ICO - biggest to date in the “pre-GDPR world”. “The attacker used a common technique known as SQL injection to access the data.” “SQL injection is well understood, defences exist and TalkTalk ought to have known that it posed a risk to its data, the ICO investigation found.” “157,000-record customer database stolen: names, addresses, dates of birth, phone numbers and email addresses.” “In almost 16,000 cases, the attackers also had access to TalkTalk customers’ bank account details and sort codes.”
5. “LinkedIn was breached via SQL Injection – one of the lowest-hanging fruits on the vulnerability tree” - Sophos
6. “Attacks aimed at the application layer are growing at 25% annually. SQL Injection vulnerability was used in over 51% of application attacks seen in Q2 2017” — Akamai
7. Mirai Botnet - OS Command Injection! The Day The Internet Died: 21 October 2016! Attack launched from millions of IoT devices (e.g. CCTV cameras) hacked due to an OS Command Injection vulnerability.
8. TCS Developer GitHub Leak - May 2017. Developers at Indian outsourcing giant Tata Consultancy Services (TCS) “inadvertently” uploaded to a public cloud-based GitHub repository raw source code and internal documentation on web banking applications and mobile apps of: • 6 big Canadian banks • 2 well-known American financial organisations • a multinational Japanese bank • a multibillion dollar financial software company
9. Unvalidated Redirect - Election “Rigging”. Phishing e-mail looks exactly like a real e-mail from Google. Change Password button URL leads to https://mail.google.com/<some_URL>
10. Login Page is very convincing, but it is fake. Credentials are “harvested” and cybercriminals log in with stolen credentials to steal all the e-mails and then leak them.
11. Despite the pressure from the security community, Google refuses to fix several Open Redirect vulnerabilities in its systems and excludes them from their Bug Bounty Programme. There are over 30 known Google URLs - all on https:// - vulnerable to Open Redirect (A10 in OWASP Top 10 2013).
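The Open Redirect problem behind slides 9 to 11 comes down to how a `next`/`continue` parameter is validated before the user is sent on. The following Python is an added example, not code from the deck or from Google: it contrasts the weak "it mentions our domain" check with a validator that resolves the target against the site's own origin and allows only allow-listed hosts; the hosts and origin are hypothetical.

```python
from urllib.parse import urlparse, urljoin

# Hypothetical site origin and the hosts a post-login redirect may land on.
SITE_ORIGIN = "https://accounts.example.com"
ALLOWED_HOSTS = {"accounts.example.com", "mail.example.com"}


def naive_is_safe(target: str) -> bool:
    """The weak check: 'our domain appears in the URL, so it must be ours'.
    It is satisfied by lookalike hosts such as mail.example.com.evil.example."""
    return "example.com" in target


def is_safe_redirect(target: str) -> bool:
    """Hardened check: resolve the target against SITE_ORIGIN and accept
    only http(s) destinations whose host is on the allowlist."""
    if not target or any(c in target for c in "\r\n\x00"):
        return False
    # Browsers treat '\' like '/' in URLs; normalise first so that
    # '/\evil.example' is parsed as the scheme-relative URL it really is.
    normalised = target.replace("\\", "/")
    resolved = urlparse(urljoin(SITE_ORIGIN, normalised))
    if resolved.scheme not in ("http", "https"):
        return False  # rejects javascript:, data: and similar schemes
    if resolved.username or resolved.password:
        return False  # rejects https://accounts.example.com@evil.example
    return (resolved.hostname or "").lower() in ALLOWED_HOSTS


def redirect_target(requested: str, fallback: str = "/") -> str:
    """What the handler should do: fall back to a known-good path instead
    of sending the user wherever the query string says."""
    return requested if is_safe_redirect(requested) else fallback
```

A relative path such as `/inbox` still works because `urljoin` resolves it onto the site's own origin, so legitimate in-app redirects are unaffected.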
12. Cross-Site Scripting (XSS). This vulnerability could allow the attacker to use the victim's identity to take action on behalf of the victim, such as: • CHANGE permissions • DELETE content • READ content • STEAL sensitive information • INJECT malicious scripts in the browser of the victim • CAPTURE keystrokes of the victim including Passwords • FULLY CONTROL THE BROWSER OF THE VICTIM
13. Missing Access Control. “Any person with a mailbox in a company using Office 365 could exploit this vulnerability to obtain full Administrative permissions over their entire company’s Office 365 environment and read any employee’s email …”
14. “There is an expectation among most Cloud adopters who think that if their data is in Amazon’s AWS Cloud then it will magically be secure” — Overheard at BSIDES Conference
15. “If we store our confidential PDF files in the Cloud, but give them really long and random URLs, nobody will ever find them, right?”
16. • names • addresses • dates of birth • bank account numbers • e-mail addresses • phone numbers • NHS patient referrals
17. • Employment Contracts • Salaries & Payroll data • Confidential Agreements and Documents (e.g. NDAs) • Encryption Keys • Database Backups (AA, PageGroup) • Passwords To Corporate Firewalls!
18. Penetration Testing and Scanning Report PDFs • $70 Bln turnover insurance company • PDF of a vulnerability scan report easily searchable on Google • 100s of High and Medium flaws
19. Learning about secure application development in a fun way! OWASP Cornucopia, OWASP Snakes & Ladders
20. Thank You! Questions? sam.stepanyan @ owasp . org @securestep9 @owasplondon. Cloud Comics Courtesy of CloudTweaks