Business Logic Attacks BATs and BLBs

Similar documents
Cyber Vigilantes. Rob Rachwald Director of Security Strategy. Porto Alegre, October 5, 2011

RSA Web Threat Detection

Provide you with a quick introduction to web application security Increase you awareness and knowledge of security in general Show you that any

BIG-IP Application Security Manager : Attack and Bot Signatures. Version 13.0

The Bots Are Coming The Bots Are Coming Scott Taylor Director, Solutions Engineering

Threat Modeling. Bart De Win Secure Application Development Course, Credits to

C1: Define Security Requirements

RSA Web Threat Detection

Copyright

Imperva Incapsula Website Security

BIG-IP Application Security Manager : Implementations. Version 13.0

CompTIA Security+ Malware. Threats and Vulnerabilities Vulnerability Management

Beyond Blind Defense: Gaining Insights from Proactive App Sec

EasyCrypt passes an independent security audit

CISNTWK-440. Chapter 4 Network Vulnerabilities and Attacks

OWASP Top 10 The Ten Most Critical Web Application Security Risks

Fighting Phishing I: Get phish or die tryin.

Lecture 10. Denial of Service Attacks (cont d) Thursday 24/12/2015

Intelligent and Secure Network

Web Application Security. Philippe Bogaerts

Unique Phishing Attacks (2008 vs in thousands)

R (2) Implementation of following spoofing assignments using C++ multi-core Programming a) IP Spoofing b) Web spoofing.

WHAT IS MALICIOUS AUTOMATION? Definition and detection of a new pervasive online attack

haltdos - Web Application Firewall

WEB SECURITY WORKSHOP TEXSAW Presented by Solomon Boyd and Jiayang Wang

Automation is changing the modern world. DevOps, Infrastructure Automation, Process Automation

Solutions Business Manager Web Application Security Assessment

WEB SECURITY: XSS & CSRF

SOLUTION BRIEF. Enabling and Securing Digital Business in API Economy. Protect APIs Serving Business Critical Applications

Authentication Security

CSE Computer Security (Fall 2006)

OAuth securing the insecure

Rate-Limiting at Scale. SANS AppSec Las Vegas 2012 Nick

TOP TEN DNS ATTACKS PROTECTING YOUR ORGANIZATION AGAINST TODAY S FAST-GROWING THREATS

INF3700 Informasjonsteknologi og samfunn. Application Security. Audun Jøsang University of Oslo Spring 2015

Securing ArcGIS for Server. David Cordes, Raj Padmanabhan

A Model to Restrict Online Password Guessing Attacks

ERT Threat Alert New Risks Revealed by Mirai Botnet November 2, 2016

SECURITY TESTING. Towards a safer web world

Intrusion Attempt Who's Knocking Your Door

Protecting Against Application DDoS A acks with BIG-IP ASM: A Three- Step Solution

Basic Concepts in Intrusion Detection

10 KEY WAYS THE FINANCIAL SERVICES INDUSTRY CAN COMBAT CYBER THREATS

THE BUSINESS CASE FOR OUTSIDE-IN DATA CENTER SECURITY

86% of websites has at least 1 vulnerability and an average of 56 per website WhiteHat Security Statistics Report 2013

Aguascalientes Local Chapter. Kickoff

Robust Defenses for Cross-Site Request Forgery Review

Web Application & Web Server Vulnerabilities Assessment Pankaj Sharma

Cloudy with a chance of hack. OWASP November, The OWASP Foundation Lars Ewe CTO / VP of Eng. Cenzic

CIS 4360 Secure Computer Systems XSS

Security Awareness. Chapter 2 Personal Security

Security and Privacy. SWE 432, Fall 2016 Design and Implementation of Software for the Web

GUI based and very easy to use, no security expertise required. Reporting in both HTML and RTF formats - Click here to view the sample report.

OWASP TOP Release. Andy Willingham June 12, 2018 OWASP Cincinnati

NETWORK SECURITY. Ch. 3: Network Attacks

N different strategies to automate OWASP ZAP

COSC 301 Network Management. Lecture 14: Electronic Mail

Abusing Windows Opener to Bypass CSRF Protection (Never Relay On Client Side)

Attacks Against Websites 3 The OWASP Top 10. Tom Chothia Computer Security, Lecture 14

Top 10 Database Security Threats and How to Stop Them. Rob Rachwald Director of Security Strategy

Managing User Account Passwords

FORTIFICATION AGAINST PASSWORD GUESSING ATTACKS IN ONLINE SYSTEM

MEASURING AND FINGERPRINTING CLICK-SPAM IN AD NETWORKS

CS 142 Winter Session Management. Dan Boneh

EBOOK. Stopping Fraud. How Proofpoint Helps Protect Your Organisation from Impostors, Phishers and Other Non-Malware Threats.

CSE Computer Security

Chair for Network Architectures and Services Department of Informatics TU München Prof. Carle. Network Security. Chapter 8

Perslink Security. Perslink Security. Eleonora Petridou Pascal Cuylaerts. System And Network Engineering University of Amsterdam.

The 3 Pillars of SharePoint Security

Accounting Information Systems

EBOOK. Stopping Fraud. How Proofpoint Helps Protect Your Organization from Impostors, Phishers and Other Non-Malware Threats.

Intruders. significant issue for networked systems is hostile or unwanted access either via network or local can identify classes of intruders:

Data Communication. Chapter # 5: Networking Threats. By: William Stalling

Remote Desktop Security for the SMB

CSC 482/582: Computer Security. Cross-Site Security

Robust Defenses for Cross-Site Request Forgery

SAP Security. BIZEC APP/11 Version 2.0 BIZEC TEC/11 Version 2.0

Account Takeover: Why Payment Fraud Protection is Not Enough

Attacking CAPTCHAs for Fun and Profit

5/15/2009. Introduction

Instructions 1. Elevation of Privilege Instructions. Draw a diagram of the system you want to threat model before you deal the cards.

Web basics: HTTP cookies

Screw You and the Script You Rode in On

CSE 484 / CSE M 584: Computer Security and Privacy. Web Security. Autumn Tadayoshi (Yoshi) Kohno

How is state managed in HTTP sessions. Web basics: HTTP cookies. Hidden fields (2) The principle. Disadvantage of this approach

Attacking the Application OWASP. The OWASP Foundation. Dave Ferguson, CISSP Security Consultant FishNet Security.

11 Most Common. WordPress Mistakes. And how to fix them

Andrew Muller, Canberra Managing Director, Ionize, Canberra The challenges of Security Testing. Security Testing. Taming the Wild West

Web Security II. Slides from M. Hicks, University of Maryland

Approaches for application request throttling. Maarten

1 About Web Security. What is application security? So what can happen? see [?]

Password Guessing Resistant Protocol

White Paper. The Industrialization of Hacking SUMMARY

ASPPlayground.net Version 3.x User FAQ s v1.0

Information Technology Enhancing Productivity and Securing Against Cyber Attacks

Vulnerability Analysis, Secure Development and Risk Management of Web 2.0 Applications OWASP. The OWASP Foundation

DO NOT OPEN UNTIL INSTRUCTED

Web Security, Summer Term 2012

BIG-IP Application Security Manager : Getting Started. Version 12.1

How to perform the DDoS Testing of Web Applications

Transcription:

Business Logic Attacks BATs and BLBs Noa Bar-Yosef Security Research Engineer Imperva 12/02/2009 noa@imperva.com Copyright The Foundation Permission is granted to copy, distribute and/or modify this document under the terms of the License. The Foundation http://www.owasp.org

Agenda The challenge of business logic bots Business logic attacks Business process automation: The friendly side of web automation Business logic bots: Solutions Malicious web automation Detection Mitigation 2

Business Logic Attacks (BATs) Compared to syntactic attacks: Technical Attacks Malformed requests Invalid input values Change functionality Attack the application and only indirectly the business Usually a single request Business Logic Attacks Normal requests Legitimate input values Abuse functionality Attack directly the business Often multiple requests 3

Web Automation 4

Web Automation The fact is that web automation is in wide use Online form automation Tracking competition Personal and institutional stock trading Indexing services Comparative shopping Web Services and other web APIs Bottom line is that business level automation may or may not be defined as an attack based on the context of things Who is the source Which part of the business logic is being invoked 5

Born to be bad: BUSINESS LOGIC BOTS (BLBS) 6

What BLBs Are Used For Brute force Cracking login credentials Guessing session identifiers, file and directory names Denial of Service Locking resources Abusing resource-sensitive functions Web Spam Abusive SEO Comment Spam Click Fraud Referrer click fraud. CSRF click fraud 7

Hardcore Robotics Queue Jumping Ticketmaster confessed to fighting like the dickens queue jumping. Travel agents known to automate air line ticketing systems. Auctions Sniping Watching a timed online auction and placing a winning bid at the last possible moment giving the other bidders no time to outbid the sniper. Poll Skewing 8

Gaming Bots MUD, Virtual Worlds & Second Life bots: Gain Wealth, and turn it into money in Second Life. Scripted Clients GUI Bots Poker Bots: Share information between several bots at one table. Monitor tables to choose the weak ones. Play well. 9

Information Harvesting Harvests: E-mail and personal information Competitive information Record oriented information such as CVs Entire Web sites for creating a mirror Executed from: Local computer Distributed, potentially using bot net Trojans, exploiting the victims credentials at the site 10

ENOUGH WITH THE FUD! 11

Solutions The solution is comprised of two separate problems Detection Mitigation Detection Detect automation (absolute) Flag unauthorized use of automation (subjective) Mitigation Effective Does not break application 12

Detection Basic Tools Black listing: IP Addresses (IP Reputation) Anonymous Proxies, TOR exit nodes, highly active bots User Agents Ad-hoc attack vector patterns Ad-hoc comment spam patterns Request structure Missing / mismatch Host header Irregular header combinations Naïve, but eliminates the masses 13

Detection Proactive Techniques Introduce extra content into the response The extra content is interpreted in a different manner by a human driven browser and by an automated tool Must not affect visuals Must not break application Positive detection Extra content affects a robot but not human Negative Detection Extra content affects a browser but not a robot 14

Detection Frequency Measurement Count the frequency of events within some scope in a given time frame Challenges What s an event? What s the best scope? What s the right threshold? Allow detection of script related attacks and brute force attacks 15

Detection Flow Some attacks, either inherently or for performance reasons bypass normal application flow Traversing a product catalog Skipping transaction validation Not easy to implement Referer header can be forged Flows are hard to define and track in modern applications that use frames and AJAX Require guided configuration and learning algorithms Can detect some types of forceful browsing and man in the browser attacks 16

Detection Click Rate Humans take time to respond (even the fast ones) Some observations: Clickable events, within a session, need to be at some minimal distance from one another Within a session, over time, clickable events should be relatively slow Can detect general script attacks as well as man in the browser attacks 17

Detection - Summary Will a single method do the trick? I don t think so. Will there be false positives? Yes! Do I care? No! Let me tell you why 18

Mitigation Attacks are automated I can t prevent the attack from going on I can however try to defuse its effects Examples: Slow down a brute force attack Reduce the rate of a DDoS attack Make the victim aware of a man-in-the-browser attack Enforce flow on transactions Disinformation Preventative measures may increase the cost of automation to the level that makes it much less attractive for anything but high end targets 19

Mitigation - Blocking Dropping requests can only occur in very specific cases IP blacklists User-agent blacklists Strongly enforced flow (e.g. through nonce in a form) Dropping requests that fail to answer the challenges described in the following slides 20

Mitigation That Which Makes Us Human Provide a Turing test that only a human can solve. Usually called CAPTCHA. Traditionally character recognition Other methods exists Choose the correct description of an image Solve a simple riddle John had one thousand apples and five oranges. He ate as many of his apples as there is letters in word "apple". Also he ate two bananas :-). How many apples does John have? 21

Mitigation That Which Makes Us Human There are automated tools and algorithms today that solve CAPTCHA s of various types I don t care If a brute force login program solves one CAPTCHA per second then it is ineffective If a client solves a CAPTCHA faster than a human being (no less than one second) then it can easily be identified as a robot and further challenged (see next slide) 22

Mitigation Throttling Slowing down an attack is most often the best way to make it ineffective. A second of delay can make the difference for an automated attack but will not be noticed by most humans Server side throttling may have sever impact on server (quickly consume connection resources) Client side computational challenges Client is required to solve a computational challenge that can be easily verified by server Code for solving the challenge is introduced into the response in the form of a script 23

Mitigation Adaptive Authentication When automation is detected in the context of a user (man in the browser) Ask for additional authentication Repeat password Previously recorded questions Makes the attack apparent to a victim 24

Mitigation - Disinformation Feed the client with bogus information A client follows a hidden link Respond to the request with a page that includes a large number of server distinguishable random links Whenever one of the random links is requested generate yet another random page A client that follows a hidden link that was generated by a script Respond with a page that includes a script that runs for a long time before generating a new random link 25

Mitigation - Summary Mitigation methods should take into consideration the possibility of false positives Most often the system s reaction to a suspected automation attempt should not be blocking but rather challenging the client Legitimate clients are not materially affected Automated clients become ineffective 26

Summary Automated business layer attacks are proliferating today and expected to grow in number and sophistication in the near term Detecting and mitigating these attacks require a set of sophisticated tools that are different than the standard web application security tools Some of the issues have nothing to do with the way the application code is written It s bound to be a cat and mouse game as robots become more sophisticated As a consequence of the above, solutions should be external to the application code 27

Noa Bar-Yosef, noa@imperva.com 28

2024 © technodocbox.com Privacy Policy | Terms of Service | Feedback