security analysis of mattermost

Security Analysis of Mattermost By Changze Cui & Weihao Dong 1 - PowerPoint PPT Presentation

Security Analysis of Mattermost By Changze Cui & Weihao Dong 1 What is Mattermost 2 What is Mattermost 3 What is Mattermost 4 Key Difference between Mattermost and Slack Support Self-Hosting yes no Open Source yes no Mattermost


  1. Security Analysis of Mattermost By Changze Cui & Weihao Dong 1

  2. What is Mattermost 2

  3. What is Mattermost 3

  4. What is Mattermost 4

  5. Key Difference between Mattermost and Slack Support Self-Hosting yes no Open Source yes no Mattermost envisions itself as an open source Slack alternative 5

  6. Motivations 8

  7. Project Timeline Read Documentation Acquired and deployed a trial of Extracted features Enterprise Edition of Mattermost Phase2 Phase4 Phase1 Phase3 Came up with Conducted behavior analysis and Threat Model source code analysis Network Capture, Static Analysis, Manual Analysis, POC generation 9

  8. Architecture of Mattermost Mattermost Server Notification Service Database Internet Proxy (MySQL, Postgres) Email Service HTTPS Secure Web Sockets File Store PC Web Experience (Amazon S3) Mobile APP Experience Mobile Web Experience Email Client 10 https://docs.mattermost.com/deployment/deployment.html

  9. Features of Mattermost Mattermost Server Notification Service Database Internet Proxy (MySQL, Postgres) Email Password Hashing Service Encryption-at-rest HTTPS Secure Web Sockets Scalability Support File Store Data Management PC Web Experience (Amazon S3) RESTful API Mobile APP Experience OAuth2.0 Mobile Web Experience Email Client 11 https://docs.mattermost.com/deployment/deployment.html

  10. Project Timeline Read Documentation Acquired and deployed a trial of Extract features Enterprise Edition of Mattermost Phase2 Phase4 Phase1 Phase3 Came up with Conducted behavior analysis and Threat Model source code analysis Network Capture, Static Analysis, Manual Analysis, POC generation 12

  11. How We Come Up With Our Threat Model Mattermost Server Notification Service Database Internet Proxy (MySQL, Postgres) Email Password Hashing Service Encryption-at-rest HTTPS Secure Web Sockets Scalability Support File Store Data Management PC Web Experience (Amazon S3) RESTful API Mobile APP Experience OAuth2.0 Mobile Web Experience Email Client 13 https://docs.mattermost.com/deployment/deployment.html

  12. Attackers in Server & Database Mattermost Server Notification Service Database Internet Proxy (MySQL, Postgres) Email Password Hashing Service Encryption-at-rest HTTPS Secure Web Sockets Scalability Support File Store Data Management PC Web Experience (Amazon S3) RESTful API Mobile APP Experience OAuth2.0 Mobile Web Experience Email Client 14 https://docs.mattermost.com/deployment/deployment.html

  13. Attackers as Non-Admin Mattermost Users Mattermost Server Notification Service Database Internet Proxy (MySQL, Postgres) Email Password Hashing Service Encryption-at-rest HTTPS Secure Web Sockets Scalability Support File Store Data Management PC Web Experience (Amazon S3) RESTful API Mobile APP Experience OAuth2.0 Mobile Web Experience Email Client 15 https://docs.mattermost.com/deployment/deployment.html

  14. Attackers as Non-Users Mattermost Server Notification Service Database Internet Proxy (MySQL, Postgres) Email Password Hashing Service Encryption-at-rest HTTPS Secure Web Sockets Scalability Support File Store Data Management PC Web Experience (Amazon S3) RESTful API Mobile APP Experience OAuth2.0 Mobile Web Experience Email Client 16 https://docs.mattermost.com/deployment/deployment.html

  15. Project Timeline Read Documentation Acquired and deployed a trial of Extract features Enterprise Edition of Mattermost Phase2 Phase4 Phase1 Phase3 Came up with Conducted behavior analysis and Threat Model source code analysis Network Capture, Static Analysis, Manual Analysis, POC generation 17

  16. Attackers in Server & Database Mattermost Server Notification Service Database Internet Proxy (MySQL, Postgres) Email Password Hashing Service Encryption-at-rest HTTPS Secure Web Sockets Scalability Support File Store Data Management PC Web Experience (Amazon S3) RESTful API Mobile APP Experience OAuth2.0 Mobile Web Experience Email Client 18 https://docs.mattermost.com/deployment/deployment.html

  17. Attackers in Server & Database Everything is readable. But is it the end of the nightmare? 1. Credential breach 2. Session token stealing 3. Integrated applications can be compromised 19

  18. Attackers in Server & DB - Credential Breach Password Plain text passwords can be used for credential stuffing ● Mattermost only stores bcrypt hashed passwords into database ● bcrypt is probably not the best choice with the evolution of parallel hardware 1 ● scrypt and argon2 2 provide better defense against offline parallel cracking ● [1] Malvoni, Katja, and Josip Knezovic. “Are your passwords safe: Energy -efficient bcrypt cracking with low-cost parallel hardware.” 8th USENIXWorkshop on Offensive Technologies (WOOT 14). 2014. [2] Biryukov, Alex, Daniel Dinu, and Dmitry Khovratovich. "Argon2: new generation of memory-hard functions for password hashing and other applications." 2016 IEEE European Symposium on Security and Privacy (EuroS&P) . IEEE, 2016. 20

  19. Attackers in Server & DB - Credential Breach Password Plain text passwords can be used for credential stuffing ● Mattermost only stores bcrypt hashed passwords into database ● bcrypt is probably not the best choice with the evolution of parallel hardware 1 ● scrypt and argon2 2 provide better defense against offline parallel cracking ● [1] Malvoni, Katja, and Josip Knezovic. “Are your passwords safe: Energy -efficient bcrypt cracking with low-cost parallel hardware.” 8th USENIXWorkshop on Offensive Technologies (WOOT 14). 2014. [2] Biryukov, Alex, Daniel Dinu, and Dmitry Khovratovich. "Argon2: new generation of memory-hard functions for password hashing and other applications." 2016 IEEE European Symposium on Security and Privacy (EuroS&P) . IEEE, 2016. 21

  20. Attackers in Server & DB - Session Stealing Session token generated by Google UUID (based on RFC 4122 and DCE 1.1: ● Authentication and Security Services) Valid for 180 days ● Stored in database as plain text ● Can be stolen and used to impersonate any user ● 22

  21. Attackers in Server & DB - Integrated Applications 23

  22. Attackers in Server & DB - Integrated Applications Realtime notification Show TODO list 24

  23. Attackers in Server & DB - Integrated Applications 25

  24. Attackers in Server & DB - Integrated Applications 26

  25. Attackers in Server & DB - Integrated Applications GitHub token is AES-256 encrypted and stored in database ● Encryption key is randomly generated and stored in a json file ● Still safe when the database is dumped, but not safe when fully compromised ● 27

  26. Attackers in Server & DB - Integrated Applications 28

  27. Attackers as Non-Admin Mattermost Users Mattermost Server Notification Service Database Internet Proxy (MySQL, Postgres) Email Password Hashing Service Encryption-at-rest HTTPS Secure Web Sockets Scalability Support File Store Data Management PC Web Experience (Amazon S3) RESTful API Mobile APP Experience OAuth2.0 Mobile Web Experience Email Client 30 https://docs.mattermost.com/deployment/deployment.html

  28. Attackers as Non-Admin Mattermost Users A solid step. But what’s next? Target Intellectual property and trade secret (Posts), as the threat model suggests ● Approach Become Mattermost’s system admin ( XSS attack , password cracking, SQL injection ● etc.) Trick other users (Phishing) ● Dump the database (SQL injection) ● 31

  29. Attackers as Non-Admin Users - XSS attack Session token is stored in cookies Steal token by XSS attack - document.cookie; Token is set to be httponly RESTful API of role management Send <script>XMLHttpRequest.open()</script> to the admin <> will be escaped to &gt; &lt; URL will be checked before rendered Send [click me](JavAsCripT:alert();) to the admin 32

  30. Attackers as Non-Admin Users - XSS attack Session token is stored in cookies Steal token by XSS attack - document.cookie; Token is set to be httponly RESTful API of role management Send <script>XMLHttpRequest.open()</script> to the admin <> will be escaped to &gt; &lt; URL will be checked before rendered Send [click me](JavAsCripT:alert();) to the admin 33

  31. Attackers as Non-Admin Users - XSS attack Session token is stored in cookies [click me](javascript:alert();) Steal token by XSS attack - document.cookie; Token is set to be httponly <a href=javascript:alert();>click me</a> RESTful API of role management Send <script>XMLHttpRequest.open()</script> to the admin <> will be escaped to &gt; &lt; URL will be checked before rendered Send [click me](JavAsCripT:alert();) to the admin 34

  32. Attackers as Non-Admin Users - XSS attack Backend sends unescaped text file to user for file preview Upload a malicious HTML file and trick the admin to preview it Frontend escapes it File preview won’t be triggered for a link to the file Content-Disposition in the Bypass the frontend escape by posting a link to the HTML file header is set to attachment 35

Recommend


More recommend