

  1. Attack Patterns for Black-Box Security Testing of Multi-Party Web Applications
     Avinash Sudhodanan (sudhodanan@fbk.eu), Alessandro Armando (armando@fbk.eu), Roberto Carbone (carbone@fbk.eu), Luca Compagna (luca.compagna@sap.com)
     NDSS, San Diego, 22/02/2016

  2. Multi-Party Web Applications (MPWAs)
     A Service Provider web app. relying on Trusted Third-Parties to deliver its services to Users through web-based security protocols.
     Examples:
       o Single Sign-On (SSO)
       o Cashier-as-a-Service (CaaS)
       (SAML SSO, OAuth, PayPal Express, ...)
     Popularity/Relevance:
       o 27% of top 1000 US websites support Facebook SSO [1]
       o 179+ million PayPal users worldwide
     [Figure: a User (U), e.g. Alice, shopping online at a Service Provider (SP), e.g. an Online Shop, which relies on a Trusted Third-Party (TTP): an Identity Provider (e.g. Google) or a Payment Service Provider (e.g. PayPal)]

  3. Multi-Party Web Applications (MPWAs)
     A Service Provider web app. relying on Trusted Third-Parties to deliver its services to Users through web-based security protocols.
     Examples:
       o Single Sign-On (SSO)
       o Cashier-as-a-Service (CaaS)
     Popularity/Relevance:
       o 27% of top 1000 US websites support Facebook SSO [1]
       o 179+ million PayPal users worldwide
     [Figure: SSO protocol run between U (Alice), SP (Online Shop) and TTP: 1. Login Request; 2. Auth. Request; 3. Login & Consent; 4. AuthAssert(Alice,SP); 5. "Welcome Alice"]
     The implementation of the protocols underlying MPWAs is notoriously error-prone.

  4. Several Vulnerabilities Reported
     Many vulnerabilities discovered through a variety of techniques applied to specific scenarios.

     Tech. [Ref.] | Vulnerable MPWA | Attack | Attacker's Goal
     FV [2] | SPs implementing Google's SAML SSO | Replay U_V's AuthAssert for SP_M in SP_T | Authenticate as U_V at SP_T
     GB + FV [3] | developer.mozilla.com (SP) implementing BrowserID | Make U_V's browser send request to SP_T with U_M's AuthAssert | Authenticate as U_M at SP_T
     BB [4] | PayPal Express Checkout in OpenCart 1.5.3.1 | Replay Token of transaction T1 at SP_T during transaction T2 at SP_T | Complete T2 at SP_T
     FV [5] | SPs implementing Facebook SSO | Replay U_V's AccessToken for SP_M in SP_T | Authenticate as U_V at SP_T
     BB [6] | PayPal Payments Standard in osCommerce v2.3.1 | Replay PayeeId of SP_M during transaction T at SP_T | Complete T at SP_T
     WB [7] | Authorize.net credit card sim in baby products store | Replay OrderId of transaction T1 at SP_T during transaction T2 at SP_T | Complete T2 at SP_T
     FV [8] | CitySearch.com (SP) using Facebook SSO | Make U_V's browser send request to SP_T with U_M's AuthCode | Authenticate as U_M at SP_T

     Legend: FV: Formal Verification, GB: Grey-Box Analysis, BB: Black-Box Analysis, WB: White-Box Analysis

  5. SAML SSO: Example of vulnerable implementation
     A man-in-the-middle attack against the SAML-based SSO for Google Apps reported in [2].
     [Figure: nominal run between U (Alice), SP (Online Shop) and TTP (Google): 1. Login Request; 2. Auth. Request; 3. Login & Consent; 4. AuthAssert(Alice,SP); 5. "Welcome Alice"]

  6. SAML SSO: Example of vulnerable implementation
     Parties: Bob, the Malicious User (U_M); Online Store, the Malicious SP (SP_M); Alice, the Victim User (U_V); Kitty pics, the Target SP (SP_T); Google, the TTP.
     [Figure: Session (U_V, SP_M): 1. Login Request; 2. Auth. Request; 3. Login & Consent; 4. AuthAssert(Alice); 5. "Welcome Alice". Session (U_M, SP_T): 1'. Login Request; ...; 5'. "Welcome Alice"]
     Attack strategy: Replay U_V's AuthAssert for SP_M in SP_T.

  7. Our Observation I: attack strategies
     The strategy behind many attacks reported in the literature is the same.

     Tech. [Ref.] | Vulnerable MPWA | Attack Strategy | Attacker's Goal
     FV [2] | SPs implementing Google's SAML SSO | Replay U_V's AuthAssert for SP_M in SP_T | Authenticate as U_V at SP_T
     GB + FV [3] | developer.mozilla.com (SP) implementing BrowserID | Make U_V's browser send request to SP_T with U_M's AuthAssert | Authenticate as U_M at SP_T
     BB [4] | PayPal Express Checkout in OpenCart 1.5.3.1 | Replay Token of transaction T1 at SP_T during transaction T2 at SP_T | Complete T2 at SP_T
     FV [5] | SPs implementing Facebook SSO | Replay U_V's AccessToken for SP_M in SP_T | Authenticate as U_V at SP_T
     BB [4] | PayPal Payments Standard in osCommerce v2.3.1 | Replay PayeeId of SP_M during transaction T at SP_T | Complete T at SP_T
     WB [6] | Authorize.net credit card sim in baby products store | Replay OrderId of transaction T1 at SP_T during transaction T2 at SP_T | Complete T2 at SP_T
     FV [7] | CitySearch.com (SP) using Facebook SSO | Make U_V's browser send request to SP_T with U_M's AuthCode | Authenticate as U_M at SP_T

     Can we exploit the similarity in attack strategies to discover new attacks in an automatic way?

  8. Our Observation II: preconditions
     Some properties of the HTTP elements of protocols can be used as preconditions to apply the attack strategy:
     • Syntactic/Semantic properties of HTTP elements [8]
       Property | Label
       User Unique | UU
       Session Unique | SU
     • Data flow properties
       Property | Flow
       The HTTP element flows from SP to TTP, through the browser | SP-TTP
       The HTTP element flows from TTP to SP, through the browser | TTP-SP
     [Figure: SSO run between U (Alice), SP (Online shop) and TTP (Google): 1. Login Request; 2. Auth. Request; 3. Login & Consent; 4. Auth. Assert; 5. "Welcome Alice"]
     Can we understand from the HTTP traffic of the underlying protocol which attack strategy to apply?

  9. Our Observation III: threat model
     Four nominal sessions are sufficient to execute all the attacks we considered.
     The threat model: the attacker can play the role of a User and/or a Service Provider.
     Is this threat model general enough for our purpose? Is there any added value in considering a browser-history attacker?
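As an added example (not the authors' tool), the precondition step of slides 8 and 9: over four recorded nominal sessions, every HTTP element is labelled User Unique (UU), Session Unique (SU) and with its flow direction (SP-TTP or TTP-SP). The trace format, the `Message`/`Session` types, the parameter names and all values are constructed assumptions for illustration.

```python
from collections import defaultdict
from dataclasses import dataclass
@dataclass
class Message:
    src: str       # party that emitted the element, "SP" or "TTP" (the browser relays it)
    dst: str
    params: dict   # HTTP elements carried by the message (constructed)
@dataclass
class Session:
    user: str      # "U_V" or "U_M"
    sp: str        # "SP_T" or "SP_M"
    messages: list

def first_value(elem, session):
    """Value of elem in the first message carrying it, or None if absent."""
    return next((m.params[elem] for m in session.messages if elem in m.params), None)

def is_session_unique(elem, sessions):
    """SU: the element takes a different value in every nominal session."""
    vals = [first_value(elem, s) for s in sessions]
    return None not in vals and len(set(vals)) == len(vals)

def is_user_unique(elem, sessions):
    """UU: constant across one user's sessions, distinct between users."""
    per_user = defaultdict(set)
    for s in sessions:
        per_user[s.user].add(first_value(elem, s))
    return (all(None not in vs and len(vs) == 1 for vs in per_user.values())
            and len(set().union(*per_user.values())) == len(per_user))

def flow_of(elem, sessions):
    """Direction of the message that first carries elem: 'SP-TTP' or 'TTP-SP'."""
    return next((f"{m.src}-{m.dst}" for s in sessions for m in s.messages
                 if elem in m.params), None)

def classify(sessions):
    """Map every observed HTTP element to its {UU, SU, flow} preconditions."""
    elems = {e for s in sessions for m in s.messages for e in m.params}
    return {e: {"UU": is_user_unique(e, sessions), "SU": is_session_unique(e, sessions),
                "flow": flow_of(e, sessions)} for e in sorted(elems)}

def sso_session(user, sp, state, token, email):
    """Constructed SSO trace: Auth. Request (SP->TTP), then AuthAssert (TTP->SP)."""
    return Session(user, sp, [Message("SP", "TTP", {"client_id": f"id-{sp}", "state": state}),
                              Message("TTP", "SP", {"token": token, "email": email})])

# The four nominal sessions of the talk's threat model (U_V/U_M at SP_T/SP_M); values constructed.
SESSIONS = [sso_session(u, sp, f"s{i}", f"tok-{i}", f"{u.lower()}@example.org")
            for i, (u, sp) in enumerate([("U_V", "SP_T"), ("U_V", "SP_M"),
                                         ("U_M", "SP_T"), ("U_M", "SP_M")], 1)]
```

Running `classify(SESSIONS)` labels `token` and `state` as SU (per-session values, flowing TTP-SP and SP-TTP respectively), `email` as UU, and `client_id` as neither; a tester uses these labels to decide which attack pattern's preconditions an element satisfies.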

  10. From Attacks to Attack Patterns

  11. From Attacks to Attack Patterns: one example
     Ref. | Vulnerable MPWA | Attack Strategy | Attacker's Goal
     FV [2] | SPs implementing Google's SAML SSO | Replay U_V's AuthAssert for SP_M in SP_T | Authenticate as U_V at SP_T
     FV [5] | SPs implementing Facebook SSO | Replay U_V's AccessToken for SP_M in SP_T | Authenticate as U_V at SP_T
     [Figure: the shared Attack Strategy and the Attacker's Goal are each formalized; the goal is observed e.g. as "Welcome Alice"]

  12. Attack Patterns

  13. Approach
     Knowledge of the security expert is encapsulated in attack patterns.
     • Provide the implementation and a recording of the user actions of the nominal sessions
     • Identify syntactic/semantic and data flow properties of the HTTP elements of the underlying protocol (e.g. SU, TTP-SP etc.)
     • Execute user actions:
       • Check preconditions
       • Execute actions, e.g. replay an element from one protocol run in another
       • Check postconditions

  14. Implementation

  15. Results (excerpt)
     Novelty | SP | TTP (& Protocol) | Attack (& Elements)
     New attack | Alexa e-comm < 10 | Linkedin JS API SSO | RA5 (Uid, Email)
     New attack | developer.linkedin.com | Linkedin JS API SSO | RA5 (Mem. Id, Access. Token)
     Attacks previously reported in SSO found in other scenarios, e.g. CaaS | All SPs | Stripe Checkout | RA4 (DataKey, Token)
     Attacks previously reported in SSO found in other scenarios, e.g. CaaS | open.sap.com | Gmail (reg. via email) | LCSRF (Act. Link)
     Same attack in another protocol of the same scenario | INstant | Linkedin JS API SSO | RA1 (Access_Token)
     Same attack in another protocol of the same scenario | Alexa US top < 1000 | Log in with Instagram | LCSRF (Auth. Code)
     Same attack in another protocol of the same scenario | pinterest.com | Facebook SSO | RedURI (red_uri, Auth. Code)
     Same attack in another protocol of the same scenario | All SPs | Log in with PayPal | RedURI (red_uri, Auth. Code)
     Same attack in another app | OpenCart v2.1.0.1 | 2Checkout | RA3 (Order_num, Key)

  16. Conclusions
     • Identified 7 attack patterns
     • Introduced a black-box security testing framework leveraging our attack patterns to discover vulnerabilities in the implementations of MPWAs
     • Implementation based on OWASP ZAP (a widely-used open source penetration testing tool)
     • Using our tool we discovered 21 previously-unknown vulnerabilities in SSO, CaaS and beyond

  17. Limitations and future directions
     Coverage
     • general issue for black-box techniques
     • attack patterns can state precisely what they are testing
     • still, our approach is not complete
     • can we reach practical full coverage for replay attacks?
     Observability
     • our approach can observe client-side communication
     • server-to-server (S2S) communication is not considered
     • what would we gain by adding S2S observability?

  18. References
     [1] Zhou, Y. and Evans, D. SSOScan: Automated testing of web applications for single sign-on vulnerabilities. USENIX 2014
     [2] Armando, A., Carbone, R., Compagna, L., Cuellar, J., and Tobarra, L. Formal Analysis of SAML 2.0 Web Browser Single Sign-On: Breaking the SAML-based Single Sign-On for Google Apps. FMSE 2008
     [3] Bai, G., Lei, J., Meng, G., Venkatraman, S. S., Saxena, P., Sun, J., Liu, Y., and Dong, J. S. AuthScan: Automatic extraction of web authentication protocols from implementations. NDSS 2013
     [4] Pellegrino, G., and Balzarotti, D. Toward black-box detection of logic flaws in web applications. NDSS 2014
     [5] Wang, R., Zhou, Y., Chen, S., Qadeer, S., Evans, D., and Gurevich, Y. Explicating SDKs: Uncovering assumptions underlying secure authentication and authorization. USENIX 2013
     [6] Sun, F., Xu, L., and Su, Z. Detecting logic vulnerabilities in e-commerce applications. NDSS 2014
     [7] Bansal, C., Bhargavan, K., and Maffeis, S. Discovering Concrete Attacks on Website Authorization by Formal Analysis. CSF 2012
     [8] Wang, R., Chen, S., and Wang, X. Signing me onto your accounts through Facebook and Google: A traffic-guided security study of commercially deployed single-sign-on web services. S&P 2012

  19. Thank You
     sudhodanan@fbk.eu

  20. Backup slides

  21. Example Attack Pattern: RA1

  22. Custom Strategies
     Threat Model: the browser history of the victim user (U_V) is available to the attacker.

  23. Complex Attack Patterns

  24. LCSRF Attack Pattern
