Upgrade to Pro — share decks privately, control downloads, hide ads and more …

Surfacing Cloud Application Vulnerabilities

760a8fd7484350a225b43b405ce84eff?s=47 Sam Stepanyan
September 04, 2017

Surfacing Cloud Application Vulnerabilities

Cloud applications are all around us and continue to proliferate at an impressive rate. We use them at home and at work, via a web browser, mobile app or a 'smart' device. How secure are they? The Cloud Security efforts have been traditionally focused on network infrastructure, identity & access management and data encryption. This talk will discuss the frequently overlooked Application Security Vulnerabilities and will demonstrate several examples of such vulnerabilities in the real world cloud applications.


Sam Stepanyan

September 04, 2017


  1. Surfacing Cloud Application Vulnerabilities Sam Stepanyan
 OWASP London Chapter Leader

 Twitter: @securestep9
  2. • We are a Global not-for-profit charitable organisation • Focused

    on improving the security of software • We collaboratively develop and provide free tools, guidance, standards • All meetings are free to attend (*free beer included)
  3. Community of VOLUNTEERS 
 (45,000 worldwide)

  4. 200+ OWASP Chapters Around The World

  5. • Belfast • Birmingham • Bristol • Cambridge • Leeds

    • London • Manchester • Newcastle • Royal Holloway (inactive) • Scotland • Sheffield • Suffolk
  6. Vendor Neutral

  7. • Most Critical Risks • Referenced by PCI DSS •

    Used By The Industry OWASP TOP 10 VULNERABILITIES WARNING: There are more than 10 vulnerabilities! DO NOT BASE Your Entire Application Security Programme Solely On OWASP Top 10 !
  8. None
  9. • Timesheets & Expenses? • Meeting Room Booking?

  10. None
  11. None
  12. None
  13. None
  14. None
  15. OWASP Top 10 Vulnerabilities A1 - A5

  16. OWASP Top 10 Vulnerabilities A6 - A10

  17. TalkTalk Breach - SQL Injection

  18. £400,000 fine by ICO - biggest to date in “pre-GDPR

    world” “The attacker used a common technique known as SQL injection to access the data” 
 “SQL injection is well understood, defences exist and TalkTalk ought to have known that it posed a risk to its data, the ICO investigation found” “157,000-record customer database stolen: names, addresses, dates of birth, phone numbers and email addresses.” “In almost 16,000 cases, the attackers also had access to TalkTalk customers’ bank account details and sort codes”
  19. “LinkedIN was breached via SQL Injection – one of the

    lowest-hanging fruits on the vulnerability tree” - Sophos
  20. “Attacks aimed at the application layer are growing at 25%

    annually. SQL Injection vulnerability was used in over 51% of application attacks seen in Q2 2017“ — Akamai
  21. US Department of Defence- SQL Injection!

  22. Mirai Botnet - OS Command Injection ! The Day The

    Internet Died: 21 October 2016 ! Attack launched from millions of IoT devices (e.g. CCTV cameras)
 hacked due to OS Command Injection vulnerability
  23. Sensitive Data Exposure - TCS

  24. Developers at Indian outsourcing giant Tata Consultancy Services (TCS) “inadvertently”

    uploaded to a public cloud-based GitHub repository raw source code, internal documentation on web banking applications and mobile apps of: TCS Developer GitHub Leak - May 2017 6 big Canadian banks 2 well-known American financial organisations a multinational Japanese bank a multibillion dollar financial software company
  25. Unvalidated Redirect - Election “Rigging” Phishing E-mail looks exactly like

    a real e-mail from Google. Change Password button URL leads to https:// mail.google.com/ <some_URL>
  26. Login Page is very convincing, but it is fake. Credentials

    are “harvested” and cybercriminals log in with stolen credentials to steal all the e-mails and then leak them
  27. Despite the pressure from the security community Google refuses to

    fix several Open Redirect vulnerabilities in its systems and excludes them from their Bug Bounty Programme There are over 30 known Google URLs - all on https:// - vulnerable to Open Redirect
 (A10 in OWASP Top 10 2013)
  28. Google “Fixed” This One

  29. Components With Known Vulnerabilities

  30. None
  31. None
  32. Cross-Site Scripting(XSS)

  33. Cross-Site Scripting(XSS)

  34. None
  35. Cross-Site Scripting(XSS) This vulnerability could allow the attacker to: use

    the victim's identity to take action on behalf of the victim, such as: • CHANGE permissions • DELETE content • READ content • STEAL sensitive information • INJECT malicious scripts in the browser of the victim • CAPTURE keystrokes of the victim including Passwords • FULLY CONTROL THE BROWSER OF THE VICTIM
  36. Broken Authentication

  37. Missing Access Control “ Any person with a mailbox in

    a company using Office 365 could exploit this vulnerability to obtain full Administrative permissions over their entire company’s Office 365 environment and read any employee’s email … ”
  38. Direct Object References Security Misconfigurations

  39. “
 There is a expectation among most Cloud adopters who

    think that if their data is in Amazon’s AWS Cloud then it will magically be secure ” — Overheard at BSIDES Conference
  40. “
 If we store our confidential PDF files in the

    Cloud, but give them a really long and random URLs nobody will ever find them, right? ”
  41. None
  42. None
  43. Help! The Cloud Is Leaking!

  44. None
  45. None
  46. None
  47. • names • addresses • dates of birth • bank

    account numbers • e-mail addresses • phone numbers • NHS patient referrals
  48. None
  49. • Employment Contracts • Salaries & Payroll data • Confidential

    Agreements and Documents (e.g. NDAs) • Encryption Keys • Database Backups (AA, PageGroup) • Passwords To Corporate Firewalls!
  50. https://

  51. •1.7 million PDF files •60,000 of them gov.uk •30,000 of

    them NHS-related
  52. None
  53. 14,298-Page PDF !

  54. Penetration Testing and Scanning Report PDFs •$70 Bln turnover insurance

    company •PDF of a vulnerability scan report easily searchable on Google •100s of High and Medium flaws
  55. 237 SQL Injection Vulnerabilities with precise locations! Ouch!

  56. None
  57. None
  58. None
  59. Application Security 
 is often an AFTERTHOUGHT

  60. None
  61. Start a Bug Bounty Programme

  62. $8,000 $7,500 $5,000 $5,500 $5,000 $3,000 $2,500 $500

  63. None
  64. None
  65. None
  66. None
  67. None
  68. None
  69. Learning about secure application development 
 in a fun way!

    OWASP Cornucopia OWASP Snakes & Ladders
  70. None
  71. None
  72. Hackathons & CTF Tournaments

  73. Cloud Joke: Q: What do you call software that has

    moved into the Cloud?

  75. Thank You! 
 Questions? sam.stepanyan @ owasp . org

 @owasplondon Cloud Comics Courtesy of CloudTweaks