security analysis of mattermost

Security Analysis of Mattermost By Changze Cui & Weihao Dong 1 - PowerPoint PPT Presentation

Oct 03, 2023 •356 likes •1.02k views

Security Analysis of Mattermost By Changze Cui & Weihao Dong 1 What is Mattermost 2 What is Mattermost 3 What is Mattermost 4 Key Difference between Mattermost and Slack Support Self-Hosting yes no Open Source yes no Mattermost

  1. Security Analysis of Mattermost By Changze Cui & Weihao Dong 1

  2. What is Mattermost 2

  3. What is Mattermost 3

  4. What is Mattermost 4

  5. Key Difference between Mattermost and Slack Support Self-Hosting yes no Open Source yes no Mattermost envisions itself as an open source Slack alternative 5

  6. Motivations 8

  7. Project Timeline Read Documentation Acquired and deployed a trial of Extracted features Enterprise Edition of Mattermost Phase2 Phase4 Phase1 Phase3 Came up with Conducted behavior analysis and Threat Model source code analysis Network Capture, Static Analysis, Manual Analysis, POC generation 9

  8. Architecture of Mattermost Mattermost Server Notification Service Database Internet Proxy (MySQL, Postgres) Email Service HTTPS Secure Web Sockets File Store PC Web Experience (Amazon S3) Mobile APP Experience Mobile Web Experience Email Client 10 https://docs.mattermost.com/deployment/deployment.html

  9. Features of Mattermost Mattermost Server Notification Service Database Internet Proxy (MySQL, Postgres) Email Password Hashing Service Encryption-at-rest HTTPS Secure Web Sockets Scalability Support File Store Data Management PC Web Experience (Amazon S3) RESTful API Mobile APP Experience OAuth2.0 Mobile Web Experience Email Client 11 https://docs.mattermost.com/deployment/deployment.html

  10. Project Timeline Read Documentation Acquired and deployed a trial of Extract features Enterprise Edition of Mattermost Phase2 Phase4 Phase1 Phase3 Came up with Conducted behavior analysis and Threat Model source code analysis Network Capture, Static Analysis, Manual Analysis, POC generation 12

  11. How We Come Up With Our Threat Model Mattermost Server Notification Service Database Internet Proxy (MySQL, Postgres) Email Password Hashing Service Encryption-at-rest HTTPS Secure Web Sockets Scalability Support File Store Data Management PC Web Experience (Amazon S3) RESTful API Mobile APP Experience OAuth2.0 Mobile Web Experience Email Client 13 https://docs.mattermost.com/deployment/deployment.html

  12. Attackers in Server & Database Mattermost Server Notification Service Database Internet Proxy (MySQL, Postgres) Email Password Hashing Service Encryption-at-rest HTTPS Secure Web Sockets Scalability Support File Store Data Management PC Web Experience (Amazon S3) RESTful API Mobile APP Experience OAuth2.0 Mobile Web Experience Email Client 14 https://docs.mattermost.com/deployment/deployment.html

  13. Attackers as Non-Admin Mattermost Users Mattermost Server Notification Service Database Internet Proxy (MySQL, Postgres) Email Password Hashing Service Encryption-at-rest HTTPS Secure Web Sockets Scalability Support File Store Data Management PC Web Experience (Amazon S3) RESTful API Mobile APP Experience OAuth2.0 Mobile Web Experience Email Client 15 https://docs.mattermost.com/deployment/deployment.html

  14. Attackers as Non-Users Mattermost Server Notification Service Database Internet Proxy (MySQL, Postgres) Email Password Hashing Service Encryption-at-rest HTTPS Secure Web Sockets Scalability Support File Store Data Management PC Web Experience (Amazon S3) RESTful API Mobile APP Experience OAuth2.0 Mobile Web Experience Email Client 16 https://docs.mattermost.com/deployment/deployment.html

  15. Project Timeline Read Documentation Acquired and deployed a trial of Extract features Enterprise Edition of Mattermost Phase2 Phase4 Phase1 Phase3 Came up with Conducted behavior analysis and Threat Model source code analysis Network Capture, Static Analysis, Manual Analysis, POC generation 17

  16. Attackers in Server & Database Mattermost Server Notification Service Database Internet Proxy (MySQL, Postgres) Email Password Hashing Service Encryption-at-rest HTTPS Secure Web Sockets Scalability Support File Store Data Management PC Web Experience (Amazon S3) RESTful API Mobile APP Experience OAuth2.0 Mobile Web Experience Email Client 18 https://docs.mattermost.com/deployment/deployment.html

  17. Attackers in Server & Database Everything is readable. But is it the end of the nightmare? 1. Credential breach 2. Session token stealing 3. Integrated applications can be compromised 19

  18. Attackers in Server & DB - Credential Breach Password Plain text passwords can be used for credential stuffing ● Mattermost only stores bcrypt hashed passwords into database ● bcrypt is probably not the best choice with the evolution of parallel hardware 1 ● scrypt and argon2 2 provide better defense against offline parallel cracking ● [1] Malvoni, Katja, and Josip Knezovic. “Are your passwords safe: Energy -efficient bcrypt cracking with low-cost parallel hardware.” 8th USENIXWorkshop on Offensive Technologies (WOOT 14). 2014. [2] Biryukov, Alex, Daniel Dinu, and Dmitry Khovratovich. "Argon2: new generation of memory-hard functions for password hashing and other applications." 2016 IEEE European Symposium on Security and Privacy (EuroS&P) . IEEE, 2016. 20

  19. Attackers in Server & DB - Credential Breach Password Plain text passwords can be used for credential stuffing ● Mattermost only stores bcrypt hashed passwords into database ● bcrypt is probably not the best choice with the evolution of parallel hardware 1 ● scrypt and argon2 2 provide better defense against offline parallel cracking ● [1] Malvoni, Katja, and Josip Knezovic. “Are your passwords safe: Energy -efficient bcrypt cracking with low-cost parallel hardware.” 8th USENIXWorkshop on Offensive Technologies (WOOT 14). 2014. [2] Biryukov, Alex, Daniel Dinu, and Dmitry Khovratovich. "Argon2: new generation of memory-hard functions for password hashing and other applications." 2016 IEEE European Symposium on Security and Privacy (EuroS&P) . IEEE, 2016. 21

  20. Attackers in Server & DB - Session Stealing Session token generated by Google UUID (based on RFC 4122 and DCE 1.1: ● Authentication and Security Services) Valid for 180 days ● Stored in database as plain text ● Can be stolen and used to impersonate any user ● 22

  21. Attackers in Server & DB - Integrated Applications 23

  22. Attackers in Server & DB - Integrated Applications Realtime notification Show TODO list 24

  23. Attackers in Server & DB - Integrated Applications 25

  24. Attackers in Server & DB - Integrated Applications 26

  25. Attackers in Server & DB - Integrated Applications GitHub token is AES-256 encrypted and stored in database ● Encryption key is randomly generated and stored in a json file ● Still safe when the database is dumped, but not safe when fully compromised ● 27

  26. Attackers in Server & DB - Integrated Applications 28

  27. Attackers as Non-Admin Mattermost Users Mattermost Server Notification Service Database Internet Proxy (MySQL, Postgres) Email Password Hashing Service Encryption-at-rest HTTPS Secure Web Sockets Scalability Support File Store Data Management PC Web Experience (Amazon S3) RESTful API Mobile APP Experience OAuth2.0 Mobile Web Experience Email Client 30 https://docs.mattermost.com/deployment/deployment.html

  28. Attackers as Non-Admin Mattermost Users A solid step. But what’s next? Target Intellectual property and trade secret (Posts), as the threat model suggests ● Approach Become Mattermost’s system admin ( XSS attack , password cracking, SQL injection ● etc.) Trick other users (Phishing) ● Dump the database (SQL injection) ● 31

  29. Attackers as Non-Admin Users - XSS attack Session token is stored in cookies Steal token by XSS attack - document.cookie; Token is set to be httponly RESTful API of role management Send <script>XMLHttpRequest.open()</script> to the admin <> will be escaped to &gt; &lt; URL will be checked before rendered Send [click me](JavAsCripT:alert();) to the admin 32

  30. Attackers as Non-Admin Users - XSS attack Session token is stored in cookies Steal token by XSS attack - document.cookie; Token is set to be httponly RESTful API of role management Send <script>XMLHttpRequest.open()</script> to the admin <> will be escaped to &gt; &lt; URL will be checked before rendered Send [click me](JavAsCripT:alert();) to the admin 33

  31. Attackers as Non-Admin Users - XSS attack Session token is stored in cookies [click me](javascript:alert();) Steal token by XSS attack - document.cookie; Token is set to be httponly <a href=javascript:alert();>click me</a> RESTful API of role management Send <script>XMLHttpRequest.open()</script> to the admin <> will be escaped to &gt; &lt; URL will be checked before rendered Send [click me](JavAsCripT:alert();) to the admin 34

  32. Attackers as Non-Admin Users - XSS attack Backend sends unescaped text file to user for file preview Upload a malicious HTML file and trick the admin to preview it Frontend escapes it File preview won’t be triggered for a link to the file Content-Disposition in the Bypass the frontend escape by posting a link to the HTML file header is set to attachment 35

Recommend

DNS and Security DNS and Security DNS and Security DNS and Security DNS and Security DNS and

DNS and Security DNS and Security DNS and Security DNS and Security DNS and Security DNS and

DNS and Security DNS and Security DNS and Security DNS and Security DNS and Security DNS and Security DNS and Security DNS and Security DNS and Security DNS and Security DNS and Security DNS and Security DNS and Security DNS and

860 views • 71 slides
Lessons learned building software with a fully remote team March, 2020 Corey Hulen / Co-founder

Lessons learned building software with a fully remote team March, 2020 Corey Hulen / Co-founder

Lessons learned building software with a fully remote team March, 2020 Corey Hulen / Co-founder and CTO, Mattermost, Inc. Why did we build a fully remote development team? Why Why Cont. https://community.mattermost.com

276 views • 27 slides
Towards Minimising Timestamp Usage in Application Software A Case Study of the Mattermost

Towards Minimising Timestamp Usage in Application Software A Case Study of the Mattermost

Christian Burkert , Hannes Federrath Towards Minimising Timestamp Usage in Application Software A Case Study of the Mattermost Application 26.09.2019 Project: Employee Privacy in Development and Operations 26.09.2019 | Christian Burkert,

731 views • 39 slides
Analysis of Security Protocols Gavin Lowe Analysis of Security Protocols 02 Overview Brief

Analysis of Security Protocols Gavin Lowe Analysis of Security Protocols 02 Overview Brief

Analysis of Security Protocols 01 Analysis of Security Protocols Gavin Lowe Analysis of Security Protocols 02 Overview Brief introduction to security protocols; Model checking of security protocols, particularly using the process

1.28k views • 110 slides
Network Security Network Security Srinidhi Varadarajan Network security Network security

Network Security Network Security Srinidhi Varadarajan Network security Network security

Network Security Network Security Srinidhi Varadarajan Network security Network security Foundations: what is security? cryptography authentication message integrity key distribution and certification Security in practice:

644 views • 36 slides
Security, Security, Security Presentation to NSAI Consultation Meeting Chinese National Body

Security, Security, Security Presentation to NSAI Consultation Meeting Chinese National Body

Chinese NB presentation: Security, Security, Security Dublin, Ireland, Feb. 22, 2006 Security, Security, Security Presentation to NSAI Consultation Meeting Chinese National Body Feb. 22, 2006 Thank you Mr. Chairman, Chinese National

240 views • 7 slides
UCP GROUP Maritime Security Services UCP GROUP ONE SOLUTION ONE PLATFORM ONE SECURITY SERVICE

UCP GROUP Maritime Security Services UCP GROUP ONE SOLUTION ONE PLATFORM ONE SECURITY SERVICE

UCP GROUP Maritime Security Services UCP GROUP ONE SOLUTION ONE PLATFORM ONE SECURITY SERVICE Maritime Security - Commercial Shipping Security - Cruise Liner Security - Super-Yacht Security Maritime Security Services UCP GROUP is a market

247 views • 22 slides
Xpanda security gates Security solutions Retail security gate solutions Industrial

Xpanda security gates Security solutions Retail security gate solutions Industrial

STOREFRONT PROTECTION Xpanda security gates Security solutions Retail security gate solutions Industrial security gate solutions Institutional security gate solutions Access control security gate solutions Office building

406 views • 13 slides
A (re)introduction to Spring Security Agenda Before Spring Security: Acegi security

A (re)introduction to Spring Security Agenda Before Spring Security: Acegi security

A (re)introduction to Spring Security Agenda Before Spring Security: Acegi security Introducing Spring Security View layer security Whats coming in Spring Security 3 E-mail: craig@habuma.com Blog: http://www.springloaded.info

452 views • 19 slides
OS Security Thierry Sans Security is a wide topic CSCD27 Computer and Network Security covers

OS Security Thierry Sans Security is a wide topic CSCD27 Computer and Network Security covers

OS Security Thierry Sans Security is a wide topic CSCD27 Computer and Network Security covers Cryptography Network security System security Web security (recap) Protection File systems implement a protection system Who

800 views • 30 slides
CPSC410/611: Security Security Security Attacks Security Threats Crypto

CPSC410/611: Security Security Security Attacks Security Threats Crypto

CPSC 410 / 611 : Operating Systems CPSC410/611: Security Security Security Attacks Security Threats Crypto Authentication Examples SSL Security Threats Breach of confidentiality unauthorized access to

459 views • 18 slides
SECURITY TESTING Towards a safer web world AGENDA 1. 3 WS OF SECURITY TESTING 2. SECURITY

SECURITY TESTING Towards a safer web world AGENDA 1. 3 WS OF SECURITY TESTING 2. SECURITY

SECURITY TESTING Towards a safer web world AGENDA 1. 3 WS OF SECURITY TESTING 2. SECURITY TESTING CONCEPTS 3. SECURITY TESTING TYPES 4. TOP 10 SECURITY RISKS Few Security Breaches Date: 2013-14 September 2016, while in negotiations to

404 views • 18 slides
NetFlow Analysis Jonzy Data Security Analysis, Sr. Information Security Office NetFlow Analysis

NetFlow Analysis Jonzy Data Security Analysis, Sr. Information Security Office NetFlow Analysis

NetFlow Analysis Jonzy Data Security Analysis, Sr. Information Security Office NetFlow Analysis Intrusion Detection, Protection, and Usage Reporting NetFlow is a cornucopia of information that allows for: Intrusion Detection, Bandwidth usage,

665 views • 17 slides
SWOT Analysis W T S O SWOT Analysis Learning Objectives What is SWOT Analysis? What is SWOT

SWOT Analysis W T S O SWOT Analysis Learning Objectives What is SWOT Analysis? What is SWOT

SWOT Analysis W T S O SWOT Analysis Learning Objectives What is SWOT Analysis? What is SWOT Analysis? Aim of SWOT Analysis Who needs SWOT Analysis? How to conduct SWOT Analysis? Benefits &amp; Pitfalls of SWOT Analysis Brainstorming

445 views • 31 slides
Analysis and Optimizations Analysis and Optimizations Program Analysis Program Analysis

Analysis and Optimizations Analysis and Optimizations Program Analysis Program Analysis

Analysis and Optimizations Analysis and Optimizations Program Analysis Program Analysis Discovers properties of a program Optimizations Using Program Analysis Use analysis results to transform program Use analysis results

744 views • 17 slides
Lessons learned implementing ChatOps (DevOps + messaging) Corey Hulen / Co-founder and CTO,

Lessons learned implementing ChatOps (DevOps + messaging) Corey Hulen / Co-founder and CTO,

Lessons learned implementing ChatOps (DevOps + messaging) Corey Hulen / Co-founder and CTO, Mattermost, Inc. March 2020 What is ChatOps? ChatOps is a collaborative, conversation- centric way of working that brings people, discussions, bots,

390 views • 27 slides
Encoding Carrier signal is somehow modulated to have two discrete signals Need to encode

Encoding Carrier signal is somehow modulated to have two discrete signals Need to encode

Encoding Carrier signal is somehow modulated to have two discrete signals Need to encode bits onto these two signals. Easiest way is to assign one level to 0 and one level to 1 This is NRZ encoding (Non-Return to Zero)

485 views • 10 slides
Voting in the Age of COVID-19 Barbara Simons Indiana A crazy quilt of polling place voting

Voting in the Age of COVID-19 Barbara Simons Indiana A crazy quilt of polling place voting

Voting in the Age of COVID-19 Barbara Simons Indiana A crazy quilt of polling place voting technologies More than of state uses paperless systems Insecure and old technology ~ uses hand marked paper ballots (ideal)

494 views • 34 slides
1 Wavelength Division Analog Carrier Systems Multiplexing AT&amp;T (USA) Multiple

1 Wavelength Division Analog Carrier Systems Multiplexing AT&amp;T (USA) Multiple

William Stallings Multiplexing Data and Computer Communications 7 th Edition Chapter 8 Multiplexing Frequency Division Multiplexing Frequency Division Multiplexing Diagram FDM Useful bandwidth of medium exceeds required bandwidth

603 views • 7 slides
Point-to-Point Links Outline Encoding (bits) Framing (frames) Error Detection Sliding Window

Point-to-Point Links Outline Encoding (bits) Framing (frames) Error Detection Sliding Window

Point-to-Point Links Outline Encoding (bits) Framing (frames) Error Detection Sliding Window Algorithm 1 Encoding Signals propagate over a physical medium modulate electromagnetic waves e.g., vary voltage Encode binary

152 views • 11 slides
PLESIOCHROUNOUS DIGITAL HIERARCHY ETI 2506 TELECOMMUNICATION SYSTEMS Monday, 14 November

PLESIOCHROUNOUS DIGITAL HIERARCHY ETI 2506 TELECOMMUNICATION SYSTEMS Monday, 14 November

PLESIOCHROUNOUS DIGITAL HIERARCHY ETI 2506 TELECOMMUNICATION SYSTEMS Monday, 14 November 2016 LINKING DIGITAL TELEPHONE EXCHANGES Clock THIKA Generator 30 Channel PCM E1 30 Channel PCM E1 30 Channel PCM-E1 NAKURU NAIROBI

358 views • 13 slides
Overloading and Subtyping Liam OConnor CSE, UNSW (and data61) Term 3 2019 1 Overloading

Overloading and Subtyping Liam OConnor CSE, UNSW (and data61) Term 3 2019 1 Overloading

Overloading Subtyping Overloading and Subtyping Liam OConnor CSE, UNSW (and data61) Term 3 2019 1 Overloading Subtyping Motivation Suppose we added Float to MinHS. Ideally, the same functions should be able to work on both Int and Float

517 views • 26 slides
Comparative Review of Classification Trees by Leonardo Auslender, leoldv12 at gmail

Comparative Review of Classification Trees by Leonardo Auslender, leoldv12 at gmail

Comparative Review of Classification Trees by Leonardo Auslender, leoldv12 at gmail dot com Independent Statistical Research Consultant 2013 Contents 1) Trees/CART: varieties, algorithm 2) Model Deployment: scoring 3) Examples. 4)

817 views • 52 slides
COMMUNITY TRANSLATION IN AFRICA DENIS GIKUNDA, LOCALIZATION PRG MANAGER w3c: The Multilingual

COMMUNITY TRANSLATION IN AFRICA DENIS GIKUNDA, LOCALIZATION PRG MANAGER w3c: The Multilingual

COMMUNITY TRANSLATION IN AFRICA DENIS GIKUNDA, LOCALIZATION PRG MANAGER w3c: The Multilingual Web: Where are we? Google in Africa Local language content Tools Methodology (x 3) Friday, October 29, 2010 GOOGLE IN AFRICA Google confidential

675 views • 15 slides

More recommend