Surfacing Cloud Application Vulnerabilities

Transcript

1. Surfacing Cloud Application Vulnerabilities Sam Stepanyan
 OWASP London Chapter Leader


   
 Twitter: @securestep9

2. • We are a Global not-for-profit charitable organisation • Focused

   on improving the security of software • We collaboratively develop and provide free tools, guidance, standards • All meetings are free to attend (*free beer included)

3. Community of VOLUNTEERS 
 (45,000 worldwide)

4. 200+ OWASP Chapters Around The World

5. • Belfast • Birmingham • Bristol • Cambridge • Leeds

   • London • Manchester • Newcastle • Royal Holloway (inactive) • Scotland • Sheffield • Suffolk

6. Vendor Neutral

7. • Most Critical Risks • Referenced by PCI DSS •

   Used By The Industry OWASP TOP 10 VULNERABILITIES WARNING: There are more than 10 vulnerabilities! DO NOT BASE Your Entire Application Security Programme Solely On OWASP Top 10 !
8. None

9. • Timesheets & Expenses? • Meeting Room Booking?

10. None
11. None
12. None
13. None
14. None

15. OWASP Top 10 Vulnerabilities A1 - A5

16. OWASP Top 10 Vulnerabilities A6 - A10

17. TalkTalk Breach - SQL Injection

18. £400,000 fine by ICO - biggest to date in “pre-GDPR

    world” “The attacker used a common technique known as SQL injection to access the data” 
 “SQL injection is well understood, defences exist and TalkTalk ought to have known that it posed a risk to its data, the ICO investigation found” “157,000-record customer database stolen: names, addresses, dates of birth, phone numbers and email addresses.” “In almost 16,000 cases, the attackers also had access to TalkTalk customers’ bank account details and sort codes”

19. “LinkedIN was breached via SQL Injection – one of the

    lowest-hanging fruits on the vulnerability tree” - Sophos

20. “Attacks aimed at the application layer are growing at 25%

    annually. SQL Injection vulnerability was used in over 51% of application attacks seen in Q2 2017“ — Akamai

21. US Department of Defence- SQL Injection!

22. Mirai Botnet - OS Command Injection ! The Day The

    Internet Died: 21 October 2016 ! Attack launched from millions of IoT devices (e.g. CCTV cameras)
 hacked due to OS Command Injection vulnerability

23. Sensitive Data Exposure - TCS

24. Developers at Indian outsourcing giant Tata Consultancy Services (TCS) “inadvertently”

    uploaded to a public cloud-based GitHub repository raw source code, internal documentation on web banking applications and mobile apps of: TCS Developer GitHub Leak - May 2017 6 big Canadian banks 2 well-known American financial organisations a multinational Japanese bank a multibillion dollar financial software company

25. Unvalidated Redirect - Election “Rigging” Phishing E-mail looks exactly like

    a real e-mail from Google. Change Password button URL leads to https:// mail.google.com/ <some_URL>

26. Login Page is very convincing, but it is fake. Credentials

    are “harvested” and cybercriminals log in with stolen credentials to steal all the e-mails and then leak them

27. Despite the pressure from the security community Google refuses to

    fix several Open Redirect vulnerabilities in its systems and excludes them from their Bug Bounty Programme There are over 30 known Google URLs - all on https:// - vulnerable to Open Redirect
 (A10 in OWASP Top 10 2013)

28. Google “Fixed” This One

29. Components With Known Vulnerabilities

30. None
31. None

32. Cross-Site Scripting(XSS)

33. Cross-Site Scripting(XSS)

34. None

35. Cross-Site Scripting(XSS) This vulnerability could allow the attacker to: use

    the victim's identity to take action on behalf of the victim, such as: • CHANGE permissions • DELETE content • READ content • STEAL sensitive information • INJECT malicious scripts in the browser of the victim • CAPTURE keystrokes of the victim including Passwords • FULLY CONTROL THE BROWSER OF THE VICTIM

36. Broken Authentication

37. Missing Access Control “ Any person with a mailbox in

    a company using Office 365 could exploit this vulnerability to obtain full Administrative permissions over their entire company’s Office 365 environment and read any employee’s email … ”

38. Direct Object References Security Misconfigurations

39. “
 There is a expectation among most Cloud adopters who

    think that if their data is in Amazon’s AWS Cloud then it will magically be secure ” — Overheard at BSIDES Conference

40. “
 If we store our confidential PDF files in the

    Cloud, but give them a really long and random URLs nobody will ever find them, right? ”
41. None
42. None

43. Help! The Cloud Is Leaking!

44. None
45. None
46. None

47. • names • addresses • dates of birth • bank

    account numbers • e-mail addresses • phone numbers • NHS patient referrals
48. None

49. • Employment Contracts • Salaries & Payroll data • Confidential

    Agreements and Documents (e.g. NDAs) • Encryption Keys • Database Backups (AA, PageGroup) • Passwords To Corporate Firewalls!

50. https://

51. •1.7 million PDF files •60,000 of them gov.uk •30,000 of

    them NHS-related
52. None

53. 14,298-Page PDF !

54. Penetration Testing and Scanning Report PDFs •$70 Bln turnover insurance

    company •PDF of a vulnerability scan report easily searchable on Google •100s of High and Medium flaws

55. 237 SQL Injection Vulnerabilities with precise locations! Ouch!

56. None
57. None
58. None

59. Application Security 
 is often an AFTERTHOUGHT

60. None

61. Start a Bug Bounty Programme

62. $8,000 $7,500 $5,000 $5,500 $5,000 $3,000 $2,500 $500

63. None
64. None
65. None
66. None
67. None
68. None

69. Learning about secure application development 
 in a fun way!

    OWASP Cornucopia OWASP Snakes & Ladders
70. None
71. None

72. Hackathons & CTF Tournaments

73. Cloud Joke: Q: What do you call software that has

    moved into the Cloud?

74. VAPOURWARE

75. Thank You! 
 Questions? sam.stepanyan @ owasp . org
 


    @securestep9
 @owasplondon Cloud Comics Courtesy of CloudTweaks