Session Puzzles - Indirect Application Attack Vectors

Report
Session Puzzles
Indirect Application Attack Vectors
Shay Chen
Senior Manager, HASC CTO
Hacktics ASC, Ernst & Young
May 17, 2011
Agenda
►
►
►
►
►
►
►
►
►
Session Puzzles – Introduction (What? Why? How?)
Background: Attack Vectors and Session Implementations
Sample Session Puzzling Sequences and Live Demo
Session Puzzling – A New Application-Level Attack?
Session Puzzling Testing Approach
Black Box and White Box Testing Methods
Real Life Examples
Puzzlemall Training App, Presentation & Paper
Credits
Page 2
Session Puzzles
Introduction to Session Puzzles
Session Puzzles – What’s That?
►
Session Puzzles are a new (or rather, underemphasized)
type of application-level vulnerabilities that could enable
attackers to perform a variety of malicious actions:
►
►
►
►
►
►
►
►
Page 4
Bypass authentication and authorization enforcement mechanisms
Elevate privileges
Impersonate legitimate users
Avoid flow enforcement restrictions
Execute “traditional attacks” (such as injections) in locations that
were previously considered safe
Affect content delivery destination
Cause unexpected application behaviors
Etc.
Session Puzzles
Indirect Attacks on the Session – Why Now?
►
Since the concept of indirect attacks suggests that the
target is not attacked directly, the model itself has several
benefits:
►
►
►
►
Most attack sequences can easily bypass common WAF
deployments.
Since the attack is indirect, there is a low probability for code level
mitigations.
Avoid detection by following a “valid” behavior pattern.
Furthermore, since the exposure enables unique attack
vectors, the attacker can exploit new exposures:
►
►
Page 5
Gain control over a valid account or even an application without
sending even a single malicious input.
Perform new types of logical attacks.
Session Puzzles
Session Puzzling – Simple Example (1 of 3)
►
Page 6
Starting a password recovery process with a valid user
Session Puzzles
Session Puzzling – Simple Example (2 of 3)
►
Page 7
The process populates the session memory with the
username…
Session Puzzles
Session Puzzling – Simple Example (3 of 3)
►
Page 8
Afterwards, the attacker directly access an internal page that
relies on the session-stored username variable
Session Puzzles
Session Puzzling – How Does It Work?
►
A Session Puzzle exposure may exist due to one or more
of the following conditions:
►
►
►
►
►
►
►
Page 9
Premature “population” of session objects in publically accessible
entry points.
Unnecessary storage of values in the session memory.
Identical session variables used by multiple processes.
Consistent usage of session flags in legitimate features.
Lack of validation to “trusted” session originating values which are
used by the application.
Inefficient or Incomplete authentication & authorization
enforcement mechanisms.
Etc.
Session Puzzles
Session Puzzling – How Does It Work?
►
Session Puzzling – The process of detecting and
exploiting session puzzles:
►
►
Page 10
Access one or more entry points that might populate the session
memory with identity values, flags and other objects, while using
the same session identifier.
After populating the session with enough objects, access other
entry points that require, rely on or use the session objects.
Session Puzzles
Background:
Attack Vectors and Session
Implementations
“Traditional” Application Attack Vectors
►
►
►
►
►
►
►
►
Malicious Input (Injections,
Reflections, Logical, Memory
Attacks, etc.)
Forceful Access
Consuming Resources (DoS)
Enumeration
Redirection (CSRF,
Clickjacking, External, etc.)
Information Gathering
Abusing Legitimate Features
Etc.
Page 12
Session Puzzles
Attack Vector Traits
►
Most of the listed attack vectors share a few traits in
common:
►
►
►
Page 13
Directly attack the target through payloads, redirection or direct
access to resources.
Straightforward detection and exploitation methods.
“Noisy” – might be detected by various mechanisms, due to
abnormal and sometime intrusive behavior.
Session Puzzles
Session Puzzling Traits Comparison
►
In comparison to “traditional” attacks, session puzzling
attack vectors share the following methods and traits:
►
►
►
►
►
►
Page 14
Access a sequence of entry points in a pre-planned order,
random order or timely manner.
Attack a target indirectly by “composing” a back-end hosted
“payload” that is delivered to it indirectly through a relatively
trusted source – the session.
“Silent” – ideal for stealth attacks.
“Sneaky” – ideal for avoiding security mechanisms that validate
input.
“Unknown” – exploiting scenarios that are currently rarely
mitigated.
“Obscure” – inconsistent detection and exploitation methods.
Session Puzzles
Session Implementations
►
►
Sessions are interactive information exchange processes
that represent a “dialog” between two or more entities.
In general, sessions are used to track the state of an
interaction between a consumer and an application, and
are usually implemented through the use of several
components:
►
►
►
Session Identifier – a unique temporary identifier given to the entity
upon its initial access or after an authentication process.
Session Memory Allocation / Association – the server-side
memory associated with the session identifier.
Session is the name given to the entire communication
interchange, but it is also effectively used as a synonym
for the server side session memory allocation.
Page 15
Session Puzzles
Session Implementations
►
The process of session identifier generation and association
Web Server
Initial Access to the Domain
Set-cookie: SID=abcd123
Session ID Memory Allocation
Abcd123
0xAA…
Cbcr321
0xBB…
Cookie: SID=abcd123
Session Memory
Domain Cookie
SID=Abcd123
Initial
Browser
Access
Page 16
Session
Identifier
Generation
Session
Memory
Association
Session Puzzles
Session
Identifier
Storage
Session
Identifier
Reuse
Process Description in Web Applications
►
►
►
►
When the application server is initially accessed by a
browser, a new, unique session identifier is generated and
associated to a server side memory allocation.
The session identifier is returned to the browser, usually
in a “set-cookie” response header.
The browser stores the identifier in a domain-specific
cookie, and since the content of domain-specific cookies
is sent to the domain in every request, so does the
session identifier.
The server uses the session identifier to “associate” the
browser instance with the memory allocation, which can
store flags, identities, and browser instance specific data.
Page 17
Session Puzzles
Session Stored Values
►
Since sessions enable applications to “track” the state of
browsers, they are used to store a variety of browserinstance related values:
►
►
►
►
►
►
Page 18
User Identities (user identifiers, usernames, email addresses,
social ID numbers, etc.)
Permissions (roles, resource lists, etc.)
Flags (Flow flags, State flags, etc.)
Input (Especially input from multiphase processes)
Results of Operations, Queries, and Calculations
Etc.
Session Puzzles
Session Puzzling
In-Depth Discussion
and
Live Demo
Session Puzzling Attack Sequences
►
As mentioned earlier, session puzzles can be exploited in
a variety of ways. Although this presentation does not aim
to cover them all, the following scenarios are by far the
most common instances:
►
►
►
►
►
►
Page 20
Authentication Bypass via Session Puzzling
Impersonation via Session Puzzling
Flow Bypass via Session Puzzling
Privilege Escalation via Session Puzzling
Content Theft via Session Puzzling
Indirect “Traditional” Attacks
Session Puzzles
Authentication Bypass via Session Puzzling
►
Authentication mechanisms that enforce authentication by
validating the existence of identity-related session
variables can be bypassed by accessing public entry
points that might populate the session with identical
values (registration modules, password recovery modules,
contact-us forms, question challenges, etc.).
Session Memory
Username Session Variable
Uncontrolled Session Object
Population
Session Object Verification
Registration, Recovery, Etc
Page 21
Internal (Authenticated)
Content
Session Puzzles
Impersonate Users via Session Puzzling
►
Applications that rely on the session for storing user
identities can be misled by malicious users that “overrun”
their own identifying values with those of other users,
through the use of modules that temporarily populate the
session with client-originating identity values.
Session Memory
IdenititySession Variable
Uncontrolled Session Object
Population
Session Object Verification
Registration, Recovery, Etc
Page 22
Private User Content
Session Puzzles
Flow Bypass via Session Puzzling
►
Flow enforcement mechanisms (in processes such as
password recovery, registration and transactions) that rely
on identical session flags, can be bypassed by activating
the processes simultaneously (for example, performing
the registration process in parallel to the password
recovery or transaction, to enable “skipping” phases).
Session Memory
Flow & State Session Variables
Uncontrolled Session Object
Population
Session Object Verification
Simple Flow Enforced Process
Page 23
Sensitive Flow-Enforced
Process
Session Puzzles
Privilege Escalation via Session Puzzling
►
Attackers might be able to elevate their privileges in the
application by accessing entry points that populate their
session memory with additional values, permissions and
flags, which might be required by other modules that were
previously inaccessible.
Session Memory
Username Session Variable
Uncontrolled Session Object
Population
Session Object Verification
Registration, Recovery, Etc
Page 24
Internal (Authenticated)
Content
Session Puzzles
Content Theft via Session Puzzling
►
Applications use a variety of content delivery methods to
keep in touch with their consumers (SMS, email, etc.).
Attackers can use session puzzles to initiate content
delivery processes and affect their destination (for
example, affect the destination of an SMS password
recovery by simultaneously registering with a new
number).
Session Memory
Delivery Destination Variable
Uncontrolled Session Object
Population
Session Object Usage
Entry Points that can affect
delivery variables
Page 25
Content Delivery Modules
Session Puzzles
Indirect “Traditional” Attacks
►
The same “indirect” method used in the previous
instances can also be used to execute injections,
reflections, manipulations and other “traditional” attacks
in locations that were previously considered safe, simply
by affecting session values which are used in entry points
that treat their origin as trusted (and thus avoid validation).
Session Memory
Session Variables
Temporarily invalidated
Session Object Population
Session Object Usage
Entry Points that store input in
the session
Page 26
Potentially Vulnerable Modules
that “trust” session values
Session Puzzles
Potential Entry Points
►
►
►
►
►
►
►
►
Login modules with premature session value population.
Registration, password recovery and recovery challenge
modules.
Multiphase processes.
Contact forms.
Test pages and obsolete content.
Security mechanisms.
Any module that stores values in the session.
Etc.
Page 27
Session Puzzles
Session Puzzles FAQ
►
Should session puzzles be considered as something
new?
►
►
Yes and no. Some of the patterns used in session puzzling are
similar to other attack vectors (the scenarios that require input are
similar to session poisoning, and the final phase of the attack,
which is a form of forceful access), but the testing perspective, the
combination of methods and certain unique attack patterns
differentiate the attack from other exposure classifications. It is
however important to remember that certain indirect attacks are
sometimes classified under the “root” attack (for example –
Session Persistent XSS).
So who might be vulnerable?
►
Page 28
Any application or system that tracks consumer “state”, not just
web applications.
Session Puzzles
Session Puzzling
Testing Approach
and
Methodology
Attack Basics
►
In addition to the access sequences used in session
puzzling, the attack is also using the following techniques:
►
►
►
Page 30
Forceful Browsing
Session Poisoning – a vulnerability that is similar to some inputdependant scenarios of session puzzling, and that for some
reason, did not receive the acknowledgement it deserved.
“Traditional” malicious inputs
ASC Discussion
Session Puzzling – A Different Approach
►
Since session puzzling attacks attempt to affect a
resource that can’t be inspected or directly affected, the
task calls for a different testing approach. Here are a few
guidelines:
►
►
►
►
►
►
Page 31
Always use the same session identifier (unless it was deleted or
expired).
Avoid accessing entry points that might invalidate the session or
initialize session variables (including logout and login entry points,
HTTP to HTTPS transitions, etc.).
Prevent redirections, especially if the target is the same page.
Try different sequences to achieve the same goal.
Use automated crawling to attempt and populate the session by
accessing multiple entry points.
Submit forms in entry points.
ASC Discussion
Session Puzzling – Blackbox Insights
►
Questions to ask yourself while testing an entry point
►
►
►
►
►
►
Page 32
Does the entry point need to populate the session with values? For
what purposes?
Which values might be stored in the session by the entry point?
Which entry point uses the session-stored values and when?
Which additional entry points might store, rely on or use the same
session-stored values?
Can one or more values be replaced? What is the effect?
Do these session values provide access to additional entry points
that store additional values in the session?
ASC Discussion
Session Puzzling – Blackbox Testing
►
Good starting points
►
Common authentication bypass and impersonation sequences:
►
►
►
►
►
Common flow bypass sequences:
►
Page 33
Register with a username (existing and new), while trying to access
internal entry points during the process.
Start a password recovery process with valid and invalid usernames,
while trying to access internal entry points during the process.
Access password recovery challenge links, and try to access internal
entry points before answering the recovery question.
Activate login entry points with valid usernames, avoid any redirection
instructions, and try to access internal entry points afterwards.
Attempt to perform multiphase processes simultaneously, while trying
to skip phases in some, after advancing others (registration, password
recovery and transactions are all good choices).
ASC Discussion
Session Puzzling – Blackbox Testing, Cont.
►
Good starting points, Cont.
►
Common privilege escalation sequences:
►
►
►
Common content hijack sequences:
►
Page 34
Authenticate, access obsolete content and test pages, and eventually
access entry points that were previously restricted.
Authenticate, access every entry point that does not initialize the
session (login, logout, etc.), and then attempt to access entry points
that were previously restricted.
Attempt to affect the target of content delivery and credential recovery
processes during the initiation of the processes by attempting to
activate features such as registration and profile update (which might
overrun the session variable that contains the original delivery target –
e.g., SMS, email, home address, etc).
ASC Discussion
Session Puzzling – Blackbox Methods
►
Additional Insights
►
Blind Session Puzzling:
►
►
Unverified Ideas
►
Page 35
Assuming that the tester can implement a script that compares
responses, anomalies in the behavior of different entry points can be
detected and measured after different access sequences, which are
initiated by an automated tool that attempts all the possible
combinations. The anomalies can then be analyzed to determine if a
specific sequence could be abused.
Session puzzling can potentially be used to trigger additional
events, including race conditions (VERY difficult), DoS, data
corruption and unexpected errors.
ASC Discussion
Session Puzzling – Code Review Guidelines
►
While reviewing the code, try and keep track of the
following subjects, for each and every entry point:
►
►
►
►
►
►
►
►
►
Page 36
Which session values are created by the entry point?
Which input values have affected the session stored values?
Which session values are being relied on?
Which session values are used by the entry point? Are those
values used in a way that could have enabled an attack if these
values originated from the client side?
Does the entry point require authentication?
Is the access to the entry point restricted to a specific role?
Is the entry point implementing a part of a multiphase process?
Is the entry point responsible for delivering content via SMS, email,
or similar methods?
Does the entry point enable access to private user content?
ASC Discussion
Real Life Examples
Insurance Company Site Corruption
►
►
►
Page 38
2008: An attacker gains remote control over the
administrative interface of a European insurance
company, and starts corrupting the web site content.
An investigation performed by Hacktics reveals that the
attacker gained control by crawling the entire application
tree twice, using paros proxy, prior to accessing the
administrative login page (which resided in a trivial URL
address).
The act of crawling automatically submitted contact-us
forms, which populated the attacker’s session with values
that were used by the administrative application for
authentication enforcement.
ASC Discussion
European Bank Back-Door Sequence
►
►
Page 39
2007: A session puzzle exposure was detected in a
security assessment performed by Hacktics to a
European banking application (which consisted of an
application penetration test and code review).
The vulnerability enabled the attacker to gain complete
control over the system (by activating a dormant feature),
and the attack vector required the attacker to populate his
session with multiple objects by accessing a sequence of
seven different pages.
ASC Discussion
Additional Instances
►
Oracle E-Business Suite Unauthenticated Remote
Takeover Vulnerability
►
►
Page 40
Published by Hacktics in 2009, this vulnerability is in fact an
instance of the exposure “authentication bypass via session
puzzle”. Demonstration movie available at:
http://www.hacktics.com/content/advisories/AdvORA20091214.ht
ml
Many additional instances over the years, in telecom,
financial and other industries.
ASC Discussion
Puzzlemall Training Application,
Presentation and Paper
Puzzlemall - Session Puzzle Training
►
Puzzlemall is a vulnerable web application designed for
training purposes.
►
►
►
►
►
►
Page 42
Released to help pen-testers understand the exposure better.
Prone to various session puzzle exposures, which can be
exploited using different session puzzling attack vectors.
Released under GPL 3.0, and available in a source code
distribution, and a ready-to-use WAR file distribution.
Implemented in Java, includes an install script and requires no
configurations or modifications.
Available at: http://code.google.com/p/puzzlemall/
The web site includes the presentation, the application, and a
detailed white paper that explains the session puzzling attack in
detail.
ASC Discussion
Puzzlemall - Vulnerable Web Application
Page 43
ASC Discussion
Puzzlemall - Vulnerable Web Application
Page 44
ASC Discussion
Credits
Credits
►
Time to thank the ones that helped me in the research… including:
►
Ernst & Young, for investing the resources necessary to
publish the research.
Huston ASC (and especially James Philippe), for
providing support, templates and guidance.
Apache Software Foundation, http://www.sxc.hu and
whatever remains of Sun – for existing.
Additional Contribution
►
►
►
►
►
Page 46
Oren Hafif – Insights, revelations and spectacular movie editing
skills.
Oren Ofer – Additional instances, demonstration movies and
attack vectors.
ASC Discussion
Ernst & Young Advanced Security Center
►
Americas
►
►
►
►
►
EMEIA
►
►
►
Dublin
Barcelona
Asia Pacific
►
►
Page 47
Hacktics Israel
Houston
New York
Buenos Aires
Singapore
Melbourne
ASC Discussion
Ernst & Young
Assurance | Tax | Transactions | Advisory
About Ernst & Young
Ernst & Young is a global leader in assurance, tax, transaction and advisory services.
Worldwide, our 130,000 people are united by our shared values and an unwavering
commitment to quality. We make a difference by helping our people, our clients and
our wider communities achieve potential.
About Ernst & Young’s Technology Risk and Security Services
Information technology is one of the key enablers for modern organizations to
compete. It gives the opportunity to get closer, more focused and faster in responding
to customers, and can redefine both the effectiveness and efficiency of operations.
But as opportunity grows, so does risk. Effective information technology risk
management helps you to improve the competitive advantage of your information
technology operations, to make these operations more cost efficient and to manage
down the risks related to running your systems. Our 6,000 information technology risk
professionals draw on extensive personal experience to give you fresh perspectives
and open, objective advice – wherever you are in the world. We work with you to
develop an integrated, holistic approach to your information technology risk or to deal
with a specific risk and security issue. And because we understand that, to achieve
your potential, you need a tailored service as much as consistent methodologies, we
work to give you the benefit of our broad sector experience, our deep subject matter
knowledge and the latest insights from our work worldwide. It’s how Ernst & Young
makes a difference.
For more information, please visit www.ey.com.
© 2008 EYGM Limited. All Rights Reserved.
Proprietary and confidential. Do not distribute without written permission.
Ernst & Young refers to the global organization of member firms of Ernst & Young Global Limited, each of
which is a separate legal entity. Ernst & Young Global Limited, a UK company limited by guarantee, does not
provide services to clients.
Page 48
Session Puzzles
Questions
Shay Chen
Senior Manager, HASC CTO
Hacktics ASC, Ernst & Young
http://il.linkedin.com/pub/shaychen/0/91b/217
Page 49
Session Puzzles

similar documents