Web Application & Cloud Computing What are the new threats?

Similar documents
Integrity attacks (from data to code): Cross-site Scripting - XSS

P2_L12 Web Security Page 1

Copyright

BUG BOUNTY AUTOMATION. Sergey

Understanding Perimeter Security

Web Application Penetration Testing

Security and Privacy. SWE 432, Fall 2016 Design and Implementation of Software for the Web

CSCE 813 Internet Security Case Study II: XSS

Web Application Security

Web Security. Jace Baker, Nick Ramos, Hugo Espiritu, Andrew Le

CIS 4360 Secure Computer Systems XSS

The security of Mozilla Firefox s Extensions. Kristjan Krips

Web Application Security. Philippe Bogaerts

Attacks Against Websites. Tom Chothia Computer Security, Lecture 11

OWASP Top 10 Risks. Many thanks to Dave Wichers & OWASP

Common Websites Security Issues. Ziv Perry

Hunting Bugs in Web App. By Suleman Malik

We b Ap p A t ac ks. U ser / Iden tity. P hysi ca l 11% Other (VPN, PoS,infra.)

Overtaking Google Desktop Leveraging XSS to Raise Havoc. 6 th OWASP AppSec Conference. The OWASP Foundation

Provide you with a quick introduction to web application security Increase you awareness and knowledge of security in general Show you that any

RKN 2015 Application Layer Short Summary

HTTP Security Headers Explained

CLOUD STRIFE. Mitigating the Security Risks of Domain-Validated Certificates

Title: Planning AWS Platform Security Assessment?

Web Application Vulnerabilities: OWASP Top 10 Revisited

Robust Defenses for Cross-Site Request Forgery Review

(System) Integrity attacks System Abuse, Malicious File upload, SQL Injection

Your Turn to Hack the OWASP Top 10!

Web Application with AJAX. Kateb, Faris; Ahmed, Mohammed; Alzahrani, Omar. University of Colorado, Colorado Springs

Application Security through a Hacker s Eyes James Walden Northern Kentucky University

Web Vulnerabilities. And The People Who Love Them

Domino Web Server Security

Chrome Extension Security Architecture

Computer Forensics: Investigating Network Intrusions and Cyber Crime, 2nd Edition. Chapter 3 Investigating Web Attacks

Integrity attacks (from data to code): Malicious File upload, code execution, SQL Injection

One Phish, Two Phish, Three! Building an Active Threat Management Framework for Malicious

OWASP Top 10. Copyright 2017 Ergon Informatik AG 2/13

Exploiting and Defending: Common Web Application Vulnerabilities

CSE361 Web Security. Attacks against the client-side of web applications. Nick Nikiforakis

CSC 482/582: Computer Security. Cross-Site Security

Evaluating the Security Risks of Static vs. Dynamic Websites

OWASP Top David Caissy OWASP Los Angeles Chapter July 2017

Abusing Windows Opener to Bypass CSRF Protection (Never Relay On Client Side)

Finding Vulnerabilities in Web Applications

NET 311 INFORMATION SECURITY

Magento Commerce Architecture and Security Model Last updated: Aug 2017

Threat Modeling. Bart De Win Secure Application Development Course, Credits to

OWASP TOP Release. Andy Willingham June 12, 2018 OWASP Cincinnati

Hacking Intranet Websites from the Outside

WEB SECURITY: XSS & CSRF

Human vs Artificial intelligence Battle of Trust

Disclaimer This presentation may contain product features that are currently under development. This overview of new technology represents no commitme

Russ McRee Bryan Casper

OWASP TOP 10. By: Ilia

Best Practices in Securing a Multicloud World

Chat with a hacker. Increase attack surface for Pentest. A talk by Egor Karbutov and Alexey Pertsev

Beyond Blind Defense: Gaining Insights from Proactive App Sec

John Coggeshall Copyright 2006, Zend Technologies Inc.

Cookie Security. Myths and Misconceptions. David Johansson OWASP London 30 Nov. 2017

Web 2.0 and AJAX Security. OWASP Montgomery. August 21 st, 2007

Client Side Security And Testing Tools

OWASP Top 10 The Ten Most Critical Web Application Security Risks

HUAWEI TECHNOLOGIES CO., LTD. Huawei FireHunter6000 series

W e b A p p l i c a t i o n S e c u r i t y : T h e D e v i l i s i n t h e D e t a i l s

Penetration Testing following OWASP. Boyan Yanchev Chief Technology Ofcer Peter Dimkov IS Consultant

Cybersecurity Survey Results

Web Security. Thierry Sans

Scan Report Executive Summary

Attacks Against Websites 3 The OWASP Top 10. Tom Chothia Computer Security, Lecture 14

How NOT To Get Hacked

Web basics: HTTP cookies

How to Configure Route 53 for F-Series Firewalls in AWS

Client Side Injection on Web Applications

EasyCrypt passes an independent security audit

WEB SECURITY WORKSHOP TEXSAW Presented by Solomon Boyd and Jiayang Wang

Application security : going quicker

How is state managed in HTTP sessions. Web basics: HTTP cookies. Hidden fields (2) The principle. Disadvantage of this approach

Computer Security 3e. Dieter Gollmann. Chapter 18: 1

Hosting Roadmap Upgrades, Improvements and Changes

VULNERABILITIES IN 2017 CODE ANALYSIS WEB APPLICATION AUTOMATED

AppSpider Enterprise. Getting Started Guide

TIBCO Cloud Integration Security Overview

THREAT MODELING IN SOCIAL NETWORKS. Molulaqhooa Maoyi Rotondwa Ratshidaho Sanele Macanda

Information Security CS 526 Topic 8

Secure Agile How to make secure applications using Agile Methods Thomas Stiehm, CTO

The PKI Lie. The OWASP Foundation Attacking Certificate Based Authentication. OWASP & WASC AppSec 2007 Conference

MTAT Research Seminar in Cryptography The Security of Mozilla Firefox s Extensions

C1: Define Security Requirements

Hacker Attacks on the Horizon: Web 2.0 Attack Vectors

Information Security. Gabriel Lawrence Director, IT Security UCSD

Storing Your Application s Data in the Google Cloud

Make Cloud the Most Secure Environment for Business. Seth Hammerman, Systems Engineer Mvision Cloud (formerly Skyhigh Networks)

Advanced Techniques for DDoS Mitigation and Web Application Defense

Ethical Hacking and Countermeasures: Web Applications, Second Edition. Chapter 3 Web Application Vulnerabilities

Automated Discovery of Parameter Pollution Vulnerabilities in Web Applications

10 FOCUS AREAS FOR BREACH PREVENTION

Can HTTP Strict Transport Security Meaningfully Help Secure the Web? nicolle neulist June 2, 2012 Security B-Sides Detroit

Cloud Catastrophes. and how to avoid them

Featuring. and. Göteborg. Ulf Larson Thursday, October 24, 13

Training for the cyber professionals of tomorrow

Transcription:

Web Application & Cloud Computing What are the new threats? David Calligaris OWASP Italy Day Cagliari, 19th October 2018

$: whoami Geek & Nerd Director Security Testing Automation Huawei Munich (DE) Former CTO Emaze S.p.A.

Disclaimer All the content of these slides represent my personal view not that of my employer.

What is this presentation about? How Cloud Computing changes Companies How Cloud Computing changes Web Applications Web Applications & External Resources (Buckets) Buckets Security

What are Clouds? Virtual Machines Storage Application Providers Others...

Companies before Cloud era:

Companies in Cloud era:

Web Applications before Cloud era:

Web Applications in Cloud era:

Loading External Files Web application could load images, javascripts, css from external sources

Loading External Files In general this puts your application at risk because the security of your web application depends on the security of these external sources

Loading External Files We have several examples and write-ups of security issues of Web Applications loading contents from expired domains

Loading External Files The consequences could have a high impact: Load in-browser JavaScript cryptominer Steal cookies Inject Malicious code (e.g. malware, exploit)

Loading External Files Buckets Sometimes we can see a web application loading content from buckets

Loading External Files Buckets What are the differences if an application is loading content from a bucket? What are buckets?

What are Buckets? Services served by different cloud providers (e.g. Amazon S3, Google Storage, DigitalOcean Spaces, etc) that offer storage resources.

Bucket Security? In recent years buckets misconfiguration issues were on the news for several security incidents

Identify buckets Buckets have a particular name format and are easy to identify: bucket-name.s3.amazonaws.com s3.amazonaws.com/bucket-name bucket-name.s3-us-west-2.amazonaws.com s3-us-west-2.amazonaws.com/bucket-name bucket-name.storage.googleapis.com storage.googleapis.com/bucket-name

Identify buckets Sometimes buckets are behind a CNAME or CDN: d1l27wvezozmw4.cloudfront.net images.owaspdaycagliari2018.it

Identify buckets There are several techniques to identify buckets: CNAME Server Header Default Page Error Message

How to identify buckets? DNS CNAME

How to identify buckets? Server Headers (1/2)

How to identify buckets? Server Headers (2/2)

How to identify buckets? Index default page

How to identify buckets? Via Error Messages

How to identify buckets? Via 404 NoSuchBucket Error Message NOTE: This can enable a SubDomain Takeover Vulnerability

Special Note: Subdomain TakeOver The first article regarding this vulnerability is from Franz Rosen from 2014 https://labs.detectify.com/tag/hostile-subdomain-takeover/

Special Note: Subdomain TakeOver Companies decide to use a bucket for storing website images: images-owasp.s3.amazonaws.com

Special Note: Subdomain TakeOver The company decides to associate this name with a company DNS entry: CNAME images-owasp.example.com images-owasp.s3.amazonaws.com

Special Note: Subdomain TakeOver After some time the company decides to use a different cloud provider for hosting the images and deletes the bucket...

Special Note: Subdomain TakeOver but they don t delete the DNS CNAME entry CNAME images-owasp.example.com images-owasp.s3.amazonaws.com

Special Note: Subdomain TakeOver Anyone now can create a bucket with the original name and take control of it CNAME images-owasp.example.com images-owasp.s3.amazonaws.com

Special Note: Subdomain TakeOver What are the consequences of the SubDomain TakeOver? Phishing Attacks In some conditions Steal Cookies with scope *.example.com In some conditions bypass CORS/CSP Policy

Special Note: Subdomain TakeOver Additional Resources: https://github.com/edoverflow/can-i-take-over-xyz https://0xpatrik.com/subdomain-takeover-basics/

Special Note: Subdomain TakeOver Who is to blame? SysAdmins? Cloud Service Providers?

Special Note: Subdomain TakeOver https://blog.cloudsecurityalliance.org/2018/08/13/cve-cloud -services-part-1/

Testing Buckets Security Buckets can be misconfigured in different ways: READ Access WRITE Access Readable ACL Writable ACL...

Testing Buckets Security Buckets can have different types of access: Anonymous Authenticated User (*) Owner

Testing Buckets Security Checking for READ Access: Amazon $ aws s3 ls s3://bucket-name Google $ gsutil ls gs://bucket-name

Testing Buckets Security READ Access: Backups (.tar.gz,.zip) SQL Databases (.sql) Source Code (.php,.aspx,.rb)

Testing Buckets Security Checking for WRITE Access: Amazon $ aws cp TestUpload.txt s3://bucket-name Google $ gsutil cp TestUpload.txt gs://bucket-name NOTE: remember to delete the file!!!

Testing Buckets Security WRITE Access: Overwrite files (.js, css, jpg, html) Create phishing pages (.html) Overwrite executables (.exe,.sh) Malware drop zone Warez Hosting

Testing Buckets Security Checking ACL READ ACCESS Amazon $ aws s3api get-bucket-acl --bucket bucket-name

Testing Buckets Security

Testing Buckets Security Checking ACL WRITE ACCESS Amazon $ aws s3api put-bucket-acl --bucket bucket-name NEW_ACL

Testing Buckets Security

Testing Buckets Security The topic is not over; in this presentation we did not cover some aspects like: Bucket Name Identification Bucket Policies Pre-Signed URLs

Bucket Security

Bucket Security

Conclusions Nothing New, just a new contest: Writable FTP Server, Writable NFS Share, Writable Buckets Need of Security Automation: Traditional security scanners focus on old / classic perimeter We need new security scanners to check cloud deployment

Thanks! Feedback: david.calligaris@gmail.com

2024 © technodocbox.com Privacy Policy | Terms of Service | Feedback