application logic flaws
play

Application Logic Flaws Professor Larry Heimann Web Application - PowerPoint PPT Presentation

Apr 16, 2023 •666 likes •847 views

Application Logic Flaws Professor Larry Heimann Web Application Security Information Systems Discussion of Lab 6 Due end of the week on October 17th (11:59am) Complete findings record, attach screenshots and/or code files to confirm

  1. Application Logic Flaws Professor Larry Heimann Web Application Security Information Systems

  2. Discussion of Lab 6 • Due end of the week on October 17th (11:59am) • Complete findings record, attach screenshots and/or code files to confirm • Don’t look at Ruby code • Don’t collaborate with others • Grades will be curved if necessary

  3. “You cannot defend against threats you cannot see.” � -- Mr. H, chess coach “You cannot defend against threats you cannot see.” � -- Prof. H, 67-327

  4. “ Zwischenzug ”

  5. White is expecting Black to capture the bishop on b8, after which he will win a piece with 10. Qa4+ and then 11. Qxb4

  6. Black surprised White by playing 9. ... Nd5! first, which protects the bishop on b4 and threats a knight fork on e3. Zwischenzug.

  7. Logic flaws (“Zwischenzug”) • Logic is everywhere in applications. • Presents an intricate attack surface that is often overlooked. • Flaws like XSS and SQL injection receive more attention because they have a standard “signature”. • Flaws in application logic are harder to characterize, and may appear to be one-o ff s. • Not usually identified by vulnerability scanners. • Therefore ... logic flaws are of great interest to attackers.

  8. Nature of logic flaws • All involve some defect in the application’s logic. • Developer reasons: “If A happens, then B must be the case.” • They don’t ask: “But what if X occurs?” where X violates some assumption in their reasoning. • Best way to learn about logic flaws is by example.

  9. Case 1: Password change function • Password change functions usually ask for your existing password. • When functions are used by administrators to reset users’ passwords, they don’t ask for the existing password. • Defective assumption: if the existing password parameter is not submitted, the request is being made by an administrator: � � � � • Any user can change another user’s password by removing the “old_password” parameter altogether (both name and value).

  10. Case 2: Avoiding payment • A typical multi-stage purchase process: • Add items to shopping cart • View cart and select “checkout” • Enter payment information • Enter delivery information • Defective assumption: if a user reaches stage #4, they must have passed through stage #3. • Any user can purchase items for free by forcing their browser to skip stage #3.

  11. Forced browsing • A key technique for finding and exploiting logic flaws. • Circumvents any controls on navigation imposed by the browser. • Involves accessing functionality out of the expected sequence. • Directly applicable to multi-stage processes – need to consider every GET and POST request made, including redirects. • Can be used to reach privileged functions if access control is only imposed by the interface. • Also involves submitting request parameters to unexpected locations or in unexpected sequences. • Can be used to uncover subtle but devastating flaws.

  12. Case 3: Banking registration • Existing banking customers can register for online banking. • Users supply some basic personal details, and are sent login info by mail. • Defective assumption: no way for users to self-register and gain direct access to sensitive information. But ... • The developers used an existing application component to track the user’s identity during self-registration. • When personal information has been processed, an object representing the user’s identity is instantiated and stored in their session. • The same object is used by the main application functionality to control access. • Hence, an attacker could access any customer’s account by submitting the relevant data in registration, and then proceed to the protected function.

  13. Discovering logic flaws • Use forced browsing to access multi-stage functions out of sequence. • Transmit parameters to di ff erent functions where they are not expected. • Remove individual request parameters altogether (name and value). • Work systematically, targeting each parameter and function in turn. • Include every request in your testing, including auto-generated redirects. • In situations where users transition between di ff erent trust levels, determine whether you can accumulate appropriate state to make the transition in an unauthorized way (as in banking registration). • Where numeric limits and checks are enforced, try unusual input (like negative numbers) to defeat the logic being applied. • When probing input validation logic, always check if the escape character is being handled safely.

  14. Avoiding logic flaws • No silver bullet – need to apply good practice and think laterally. • Document every detail of the application’s design in su ffi cient detail for an outsider to understand. • Explicitly document every assumption being made within the design – this step alone will cause many unsafe assumptions to be identified. • Mandate that all source code is clearly commented to include the following: • The purpose and intended uses of each code component. • The assumptions made by each component about anything that is outside of its direct control. • References to all client code which makes use of the component.

  15. Avoiding logic flaws • Perform security-focused design reviews: • Identify and evaluate every assumption being made. • Try to identify circumstances in which they might be violated. • Perform security-focused code reviews, and in particular consider: • The ways in which unexpected user behavior and input will be handled by the application. • The potential side-e ff ects of any dependencies and interoperation between di ff erent code components and application functions. • Beware of “GOD” objects and how they are being used (or can be abused)

  16. Summary • Logic flaws are very widespread. • Often appear to be one-o ff s, but many common themes exist. • They are not going to go away, and cannot be detected by vulnerability scanners. • Many can be detected using the standard testing steps described. • Others require a degree of lateral thinking. • Try to think like a developer ... • Imagine you were working to a tight deadline, focusing on functionality not security, modifying an existing code base, and using someone else’s APIs. • What would you get wrong?

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

Logic Bug Hunting in Chrome on Android Infiltrate 17 April, 2017 Agenda Fuzzing and memory

Logic Bug Hunting in Chrome on Android Infiltrate 17 April, 2017 Agenda Fuzzing and memory

Logic Bug Hunting in Chrome on Android Infiltrate 17 April, 2017 Agenda Fuzzing and memory corruptions Introduction to logic flaws General approach to hunting logic bugs Application in Mobile Pwn2Own 2016 Exploit improvement

1.07k views • 52 slides
Logic Bug Hunting in Chrome on Android CanSecWest 17 March, 2017 Agenda Fuzzing and memory

Logic Bug Hunting in Chrome on Android CanSecWest 17 March, 2017 Agenda Fuzzing and memory

Logic Bug Hunting in Chrome on Android CanSecWest 17 March, 2017 Agenda Fuzzing and memory corruptions Introduction to logic flaws General approach to hunting logic bugs Application in Mobile Pwn2Own 2016 Exploit improvement

963 views • 73 slides
Flaws and Frauds Flaws and Frauds in IDPS evaluation in IDPS evaluation Dr. Stefano Zanero, PhD

Flaws and Frauds Flaws and Frauds in IDPS evaluation in IDPS evaluation Dr. Stefano Zanero, PhD

Flaws and Frauds Flaws and Frauds in IDPS evaluation in IDPS evaluation Dr. Stefano Zanero, PhD Post-Doc Researcher, Politecnico di Milano CTO, Secure Network Outline Establishing a need for testing methodologies Testing for

1.13k views • 43 slides
Machine Checking Proof Theory: an application of logic to logic (Jeremy E Dawson and) Rajeev

Machine Checking Proof Theory: an application of logic to logic (Jeremy E Dawson and) Rajeev

Machine Checking Proof Theory: an application of logic to logic (Jeremy E Dawson and) Rajeev Gor e Logic and Computation Group College of Engineering and Computer Science The Australian National University rajeev.gore@anu.edu.au ICLA 2009:

288 views • 25 slides
Visualizing Geometric Morphisms An application of the Logic for Children project to

Visualizing Geometric Morphisms An application of the Logic for Children project to

1 Visualizing Geometric Morphisms An application of the Logic for Children project to Category Theory (talk @ Logic and Categories workshop, UniLog 2018) By: Eduardo Ochs (UFF, Brazil) Selana Ochs 2018vichy-vgms-slides June

710 views • 24 slides
Splitting an operator An algebraic modularity result and its application to logic programming

Splitting an operator An algebraic modularity result and its application to logic programming

Splitting an operator An algebraic modularity result and its application to logic programming Joost Vennekens Logic David Gilis Programming Marc Denecker KU Leuven, Belgium Abstraction Theory Slides by Peter Baumgartner MPII

509 views • 32 slides
Securely Implementing Network Protocols: Detecting and Preventing Logical Flaws Mathy Vanhoef

Securely Implementing Network Protocols: Detecting and Preventing Logical Flaws Mathy Vanhoef

Securely Implementing Network Protocols: Detecting and Preventing Logical Flaws Mathy Vanhoef (KU Leuven) Black Hat Webcast, 24 August 2017 @vanhoefm Introduction Many protocols have been affected by logical bugs Design flaws Implementation

692 views • 31 slides
Validity of bilateral classical logic and Verificationist semantics its application Bilateral

Validity of bilateral classical logic and Verificationist semantics its application Bilateral

Validity of bilateral classical logic and its application Yoriyuki Yamagata Validity of bilateral classical logic and Verificationist semantics its application Bilateral classical logic Proof theoretical semantics of BCL Evidences and

585 views • 42 slides
Application of Logic and Decision Application of Logic and Decision Models in Models in

Application of Logic and Decision Application of Logic and Decision Models in Models in

Application of Logic and Decision Application of Logic and Decision Models in Models in Sustainable Ecosystem Sustainable Ecosystem Management Management Mark Jensen, USDA Forest Service, Northern Region Mark Jensen, USDA Forest Service,

705 views • 45 slides
A Tree Logic... ... and an Application for the Analysis of Cascading Style Sheets Pierre Genevs

A Tree Logic... ... and an Application for the Analysis of Cascading Style Sheets Pierre Genevs

A Tree Logic... ... and an Application for the Analysis of Cascading Style Sheets Pierre Genevs CNRS Tyrex team pierre.geneves@inria.fr Toccata seminar, LRI Feb. 22 nd , 2013 1 / 27 Outline 1 Insights on the L Tree Logic 2

892 views • 39 slides
Google Study: Google Study: Could those memory failures be caused by design flaws? Could those

Google Study: Google Study: Could those memory failures be caused by design flaws? Could those

Google Study: Google Study: Could those memory failures be caused by design flaws? Could those memory failures be caused by design flaws? Barbara P. Aichinger Vice President New Business Development FuturePlus Systems Corporation

886 views • 21 slides
Minimal solutions in Fuzzy Relation Equations. Application to Fuzzy Logic Programming Jes us

Minimal solutions in Fuzzy Relation Equations. Application to Fuzzy Logic Programming Jes us

Introduction Adjoint triples Multi-adjoint logic programming Computing the weights Solving abduction problem Conclusions Minimal solutions in Fuzzy Relation Equations. Application to Fuzzy Logic Programming Jes us Medina Moreno

653 views • 38 slides
Detecting and Resolving Type Flaws in Security Protocols Michael Banks Department of Computer

Detecting and Resolving Type Flaws in Security Protocols Michael Banks Department of Computer

Detecting and Resolving Type Flaws in Security Protocols Michael Banks Department of Computer Science, University of York 26th February 2009 Outline 1 Security Protocols 2 Type Flaws: Attacks and Defences 3 Detecting and Resolving Potential

391 views • 25 slides
A Lightweight Epistemic Logic and its Application to Planning Elise Perrotin Joint work with

A Lightweight Epistemic Logic and its Application to Planning Elise Perrotin Joint work with

Introduction EL-O: Epistemic Logic of Observation Epistemic planning with conditional effects Conclusion A Lightweight Epistemic Logic and its Application to Planning Elise Perrotin Joint work with Martin Cooper, Andreas Herzig, Faustine

549 views • 24 slides
TouIST: a friendly language for propositional logic and more Application to planning with SAT or

TouIST: a friendly language for propositional logic and more Application to planning with SAT or

TouIST: a friendly language for propositional logic and more Application to planning with SAT or QBF solvers Frdric Maris Joint work with Olivier Gasquet, Dominique Longin and Mal Valais December 18 th , 2019 IRIT University of

542 views • 42 slides
Web Application Security Assessment Policy John Hally John.hally@comcast.net Why This Policy?

Web Application Security Assessment Policy John Hally John.hally@comcast.net Why This Policy?

Web Application Security Assessment Policy John Hally John.hally@comcast.net Why This Policy? Limit attack surface of our web applications Web application flaws/vulnerabilities are a major attack vector Protect Company

195 views • 6 slides
Kinetic Monte Carlo Simulations of Nanofilm Formation South Orange, August 5, 2014 Jan Willem

Kinetic Monte Carlo Simulations of Nanofilm Formation South Orange, August 5, 2014 Jan Willem

Kinetic Monte Carlo Simulations of Nanofilm Formation South Orange, August 5, 2014 Jan Willem Abraham CAU Kiel J.W. Abraham, CAU Kiel (Metal-Polymer) Nanocomposites Optics (surface plasmon resonances) Electronics Food packaging

951 views • 60 slides
CS184c: Computer Architecture [Parallel and Multithreaded] Day 16: May 31, 2001 Defect and

CS184c: Computer Architecture [Parallel and Multithreaded] Day 16: May 31, 2001 Defect and

CS184c: Computer Architecture [Parallel and Multithreaded] Day 16: May 31, 2001 Defect and Fault Tolerance CALTECH cs184c Spring2001 -- DeHon Today EAS Questionnaire (10 min) Project Report Defect and Fault Tolerance

663 views • 31 slides
Non-uniform cracks in the concrete: the power of free precomputation Daniel J. Bernstein

Non-uniform cracks in the concrete: the power of free precomputation Daniel J. Bernstein

Non-uniform cracks in the concrete: the power of free precomputation Daniel J. Bernstein University of Illinois at Chicago & Technische Universiteit Eindhoven Tanja Lange Technische Universiteit Eindhoven eprint.iacr.org/2012/318 ,

1.02k views • 62 slides
The middle program $ middle 3 3 5 middle: 3 $ middle 2 1 3 middle: 1 10 10 int main(int

The middle program $ middle 3 3 5 middle: 3 $ middle 2 1 3 middle: 1 10 10 int main(int

Detecting Anomalies Andreas Zeller 1 Tracing Infections For every infection, we must find the earlier infection that causes it. Which origin should we focus upon? 2 2 Tracing Infections 3 3 Focusing on Anomalies

522 views • 27 slides
Exotic Brane Junctions Exotic Brane Junctions from F-theory from F-theory JHEP 05 (2016) 060

Exotic Brane Junctions Exotic Brane Junctions from F-theory from F-theory JHEP 05 (2016) 060

Strings and Fields 2016 @ Yukawa Institute, Kyoto University August 09, 2016 Exotic Brane Junctions Exotic Brane Junctions from F-theory from F-theory JHEP 05 (2016) 060 JHEP 05 (2016) 060 arXiv:1602.08606 arXiv:1602.08606 Tetsuji KIMURA

843 views • 47 slides
Multicore Semantics and Programming Tim Harris Peter Sewell Amazon University of Cambridge

Multicore Semantics and Programming Tim Harris Peter Sewell Amazon University of Cambridge

Multicore Semantics and Programming Tim Harris Peter Sewell Amazon University of Cambridge October November, 2019 These Lectures Part 1: Multicore Programming: Concurrent algorithms (Tim Harris, Amazon) Concurrent programming: simple

4.69k views • 166 slides
How to Fix Them October 29, 2015 The webinar will start at 11:00 a.m. CT Heather Smith, QKA

How to Fix Them October 29, 2015 The webinar will start at 11:00 a.m. CT Heather Smith, QKA

Why Retirement Plans Fail And How to Fix Them October 29, 2015 The webinar will start at 11:00 a.m. CT Heather Smith, QKA Eric Namee, JD, CPA Operations Manager Co-Managing Member Employee Benefit Services Hinkle Law Firm LLC

1.02k views • 73 slides
CS422 Computer Architecture Spring 2004 Lecture 04, 06 Jan 2004 Bhaskaran Raman Department of

CS422 Computer Architecture Spring 2004 Lecture 04, 06 Jan 2004 Bhaskaran Raman Department of

CS422 Computer Architecture Spring 2004 Lecture 04, 06 Jan 2004 Bhaskaran Raman Department of CSE IIT Kanpur http://web.cse.iitk.ac.in/~cs422/index.html Announcements Course web-page is up http://web.cse.iitk.ac.in/~cs422/index.html

307 views • 27 slides

More recommend