th the e bo boom omeran erang g
play

Th The e Bo Boom omeran erang g EF EFFEC FECT Using Session - PowerPoint PPT Presentation

Nov 09, 2023 •44 likes •714 views

Th The e Bo Boom omeran erang g EF EFFEC FECT Using Session Puzzling to Attack Apps from the Backend Shay Chen, CTO @sectooladdict Hacktics ASC, Ernst & Young November 22 nd , 2013 About Formerly a boutique company that

  1. Th The e Bo Boom omeran erang g EF EFFEC FECT Using Session Puzzling to Attack Apps from the Backend Shay Chen, CTO @sectooladdict Hacktics ASC, Ernst & Young November 22 nd , 2013

  2. About ► Formerly a boutique company that provided information security services since 2004. ► As of 01/01/2011, Ernst & Young acquired Hacktics professional services practice, and the group joined EY as one of the firm’s advanced security centers (ASC). Page 2

  3. Introduction to Session Puzzles Page 3

  4. Session Puzzles – What’s That? ► Session Puzzles are application-level vulnerabilities that can be exploited by overriding session attributes ► The “Session Puzzling” exploitation process is referred as “Session Variable Overloading” by OWASP. ► Potential exploitation examples: ► Bypass authentication and authorization enforcement ► Elevate privileges ► Impersonate legitimate users ► Avoid flow enforcement restrictions ► Execute “traditional attacks” in “safe” locations ► Affect content delivery destination ► Cause unexpected application behaviors Page 4

  5. Indirect Session Attacks – Why Bother? ► Since the concept of indirect attacks suggests that the target is not attacked directly , the model itself has several benefits: ► Low probability for code level mitigations. ► Avoid detection by following a “valid” behavior pattern. ► Furthermore, since the exposure enables unique attack vectors, the attacker can exploit new exposures: ► Gain control over a valid account or even an application without sending a single malicious input. ► Perform new types of logical attacks. Page 5

  6. Session Puzzling - Example (1 of 3) ► Starting a password recovery process with a valid user Page 6

  7. Session Puzzling - Example (2 of 3) ► The process populates the session memory with the username value… Page 7

  8. Session Puzzling - Example (3 of 3) ► Tthe attacker directly access an internal page that relies on the session-stored username variable Page 8

  9. Traditional Attack Vectors Page 9

  10. “Traditional” Application Attack Vectors ► Malicious Inputs ► Forceful Access ► Consuming Resources (DoS) ► Enumeration ► Redirection ► Abusing Features ► Etc Page 10

  11. … And more Page 11

  12. Common Attack Vector Traits ► Directly attack the target through payloads, redirection or direct access to resources. ► Straightforward detection and exploitation methods. ► Potentially “ Noisy ”: might be detected by various mechanisms, due to abnormal and sometime intrusive behavior. Page 12

  13. Session Puzzling Traits Comparison ► Access a sequence of entry points in a pre-planned order, random order or timely manner. ► “ Indirect ” - Attack a target indirectly by “composing” a back- end hosted “payload” that is delivered to it indirectly through a relatively trusted source – the session. ► “ Silent ” – ideal for stealth attacks and avoiding security mechanisms that validate input. ► “ Unknown ” – exploiting scenarios that are currently rarely mitigated. ► “ Obscure ” – inconsistent detection and exploitation methods. Page 13

  14. Session Puzzle Variants In the Wild Page 14

  15. A Couple of Prominent Examples ► Oracle E-Business Suite ► Authentication Bypass ► Privilege Escalation and Admin Takeover ► Sony Network Account Service System ► Reset passwords of Sony Playstation users ► Undisclosed Vulnerabilities in Banks ► Skip verification phases in multiphase transactions Page 15

  16. Insurance Company Site Corruption ► 2008 : An attacker gains remote control over the administrative interface of a European insurance company, and starts corrupting the web site content. ► An investigation performed revealed that the attacker gained control by crawling the entire application tree twice , using paros proxy, prior to accessing the administrative login page (which resided in a trivial URL address). ► The act of crawling automatically submitted contact-us forms, which populated the attacker’s session with values that were used by the administrative application for authentication enforcement. Page 16

  17. European Bank Back-Door Sequence ► 2007 : A session puzzle exposure was detected in a security assessment of a European banking application. ► The vulnerability enabled the attacker to gain complete control over the system (by activating a dormant feature), by accessing a sequence of seven different pages. Page 17

  18. The Session Mechanism Page 18

  19. The Session Mechanism ► The process of session identifier generation and association Web Server Initial Access to the Domain Session ID Memory Allocation 0 xAA… Abcd123 0 xBB… Cbcr321 Set-cookie: SID=abcd123 Cookie: SID=abcd123 Session Memory Domain Cookie SID=Abcd123 Initial Session Session Session Session Browser Identifier Memory Identifier Identifier Generation Association Storage Reuse Access Page 19

  20. The Session Lifespan in Web-Apps ► Initial browser access to server -> generation of a new session identifier. ► The session identifier is returned to the browser, usually in a “set - cookie” response header. Page 20

  21. The Session Lifespan in Web-Apps ► The browser stores the identifier in a domain cookie , ► Domain-specific cookies are sent to the domain in every request (including the session identifier). ► The server uses the session identifier to “ associate ” the browser instance with the memory allocation ► Associated memory can store flags , identities , and browser instance specific data. Page 21

  22. Session Stored Values ► Since sessions enable applications to “track” the state of browsers, they are used to store a variety of browser-instance related values: ► User Identities (user identifiers, usernames, email addresses, social ID numbers, etc.) ► Permissions (roles, resource lists, etc.) ► Flags (Flow flags, State flags, etc.) ► Input (Especially input from multiphase processes) ► Results of Operations, Queries, and Calculations ► Etc. Page 22

  23. Session Puzzling Sequences Page 23

  24. Session Puzzling Attack Sequences ► As mentioned earlier, session puzzles can be exploited in a variety of ways. Common instances include (but not limited to): ► Authentication Bypass via Session Puzzling ► Impersonation via Session Puzzling ► Flow Bypass via Session Puzzling ► Privilege Escalation via Session Puzzling ► Content Theft via Session Puzzling ► Indirect “Traditional” Attacks Page 24

  25. Authentication Bypass via Session Puzzling ► Authentication mechanisms that enforce authentication by validating the existence of identity-related session variables can be bypassed by accessing public entry points that might populate the session with identical values (registration modules, password recovery modules, contact-us forms, question challenges, etc.). Session Memory Username Session Variable Page 25

  26. Impersonate Users via Session Puzzling ► Applications that rely on the session for storing user identities can be misled by malicious users that “overrun” their own identifying values with those of other users, through the use of modules that temporarily populate the session with client-originating identity values. Session Memory Identity Session Variable Page 26

  27. Flow Bypass via Session Puzzling ► Flow enforcement mechanisms (in processes such as password recovery, registration and transactions) that rely on identical session flags, can be bypassed by activating the processes simultaneously (for example, performing the registration process in parallel to the password recovery or transaction, to enable “skipping” phases). Session Memory Flow & State Session Variables Page 27

  28. Privilege Escalation via Session Puzzling ► Attackers might be able to elevate their privileges in the application by accessing entry points that populate their session memory with additional values, permissions and flags, which might be required by other modules that were previously inaccessible. Session Memory Username Session Variable Page 28

  29. Content Theft via Session Puzzling ► Applications use a variety of content delivery methods to keep in touch with their consumers (SMS, email, etc.). Attackers can use session puzzles to initiate content delivery processes and affect their destination (for example, affect the destination of an SMS password recovery by simultaneously registering with a new number). Session Memory Delivery Destination Variable Page 29

  30. Indirect “Traditional” Attacks ► The same “indirect” method used in the previous instances can also be used to execute injections , reflections , manipulations and other “traditional” attacks in locations that were previously considered safe, simply by affecting session values which are used in entry points that treat their origin as trusted (and thus avoid validation). Session Memory Session Variables Page 30

  31. Potential Entry Points ► Login modules with premature session value population. ► Registration, password recovery and recovery challenge modules. ► Multiphase processes. ► Contact forms. ► Test pages and obsolete content. ► Security mechanisms. ► Any module that stores values in the session. ► Etc. Page 31

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

BOOM! BOOM! BOOM! BOOM! Linking Technology to RTI & PBS PBS RTI Connection 3-

BOOM! BOOM! BOOM! BOOM! Linking Technology to RTI & PBS PBS RTI Connection 3-

BOOM! BOOM! BOOM! BOOM! Linking Technology to RTI & PBS PBS RTI Connection 3- Intensive Individual Intervention 2 Targeted Small Group Instruction 1 Core Classroom Instruction PBS Implementation - 2006 Building-wide

785 views • 16 slides
DANCES: Schottische Boom Boom Music: Boom Boom Pow by Black Eyed Peas Schottische up and

DANCES: Schottische Boom Boom Music: Boom Boom Pow by Black Eyed Peas Schottische up and

CCEPE CCEPE Rh Rhyt ythms ms favor favorite dances ite dances and and ma makin ing u g up routi routine nes Presenter: Cheryl Wardell February 23, 2013 Cheryl_wardell@beaverton.k12.or.us DANCES: Schottische Boom Boom Music:

522 views • 5 slides
Welcome everyone to SPECIAL EVENTS: MAKING YOUR EVENT GO FROM HUM-DRUM TO BOOM-BOOM-POW 1

Welcome everyone to SPECIAL EVENTS: MAKING YOUR EVENT GO FROM HUM-DRUM TO BOOM-BOOM-POW 1

Welcome everyone to SPECIAL EVENTS: MAKING YOUR EVENT GO FROM HUM-DRUM TO BOOM-BOOM-POW 1 Youre probably wondering what makes me qualified to tell any of you about event planning. 2 3 Ask for a handful of people to explain what their

299 views • 13 slides
http://www2.stat.duke.edu/courses/Summer17/ sta104.001-1/ 2 3 Learning units and course outline

http://www2.stat.duke.edu/courses/Summer17/ sta104.001-1/ 2 3 Learning units and course outline

Teaching team Data Analysis and Statistical Inference Introduction STA 104 - Summer 2017 Professor: Willem van den Boom - willem.van.den.boom@duke.edu Duke University, Department of Statistical Science Prof. van den Boom Slides posted at

156 views • 4 slides
BOOM Analytics: Exploring Data-Centric,Declarative Programming for the Cloud Jadwiga Kaska 21

BOOM Analytics: Exploring Data-Centric,Declarative Programming for the Cloud Jadwiga Kaska 21

Introduction Overlog BOOM-FS The Availability The scalability BOOM-MR Performance Validation Experience and Lessons BOOM Analytics: Exploring Data-Centric,Declarative Programming for the Cloud Jadwiga Kaska 21 grudnia 2011 Jadwiga

505 views • 39 slides
BLOCK&4 BOOM&OR&BUST EXPANDING&AND&RESTRUCTURING&YOUR& BUSINESS

BLOCK&4 BOOM&OR&BUST EXPANDING&AND&RESTRUCTURING&YOUR& BUSINESS

Coordinator:* Prof.*Teresa*Rodrguez*de*las*Heras*Ballell BLOCK&4 Collaborators:* BOOM&OR&BUST Prof.*Jorge*Feliu Rey* Prof.*Juan*Pablo*Rodrguez*Delgado* BLOCK&4 BOOM&OR&BUST

323 views • 14 slides
Boom, Bust, KABOOM? Prospects for Physician Resources in Canada Town Hall Meeting Faculty of

Boom, Bust, KABOOM? Prospects for Physician Resources in Canada Town Hall Meeting Faculty of

Boom, Bust, KABOOM? Prospects for Physician Resources in Canada Town Hall Meeting Faculty of Medicine Dalhousie University Halifax, NS December 15, 2012 Owen Adams Vice-President, Policy & Research Boom, Bust, Kaboom.ppt Boom 1964

439 views • 22 slides
BOOM Analy*cs: Exploring Data-Centric, Declara*ve Programming for

BOOM Analy*cs: Exploring Data-Centric, Declara*ve Programming for

BOOM Analy*cs: Exploring Data-Centric, Declara*ve Programming for the Cloud Neil Conway* hEp://boom.cs.berkeley.edu Joint work with Peter Alvaro*, Tyson Condie*,

444 views • 43 slides
MOU- USCG and DBRC Allows DBRC to use USCG owned Boom Vane Remains a USCG Property Item

MOU- USCG and DBRC Allows DBRC to use USCG owned Boom Vane Remains a USCG Property Item

MOU- USCG and DBRC Allows DBRC to use USCG owned Boom Vane Remains a USCG Property Item DBRC stores and maintains the Boom Vane SDB approves training and operational deployments DBRC approved contractors can deploy the Boom

415 views • 9 slides
Is the Boom a Bubble? Presented by: Adam W. Perdue, PhD Pillars of the Houston Economy Oil

Is the Boom a Bubble? Presented by: Adam W. Perdue, PhD Pillars of the Houston Economy Oil

Is the Boom a Bubble? Presented by: Adam W. Perdue, PhD Pillars of the Houston Economy Oil & Gas & Derivatives Manufacturing Port (Transportation, Logistics) Texas Medical Center Nasa Drivers of the Boom Oil &

577 views • 38 slides
Fixing the Sound Barrier Three Generations of U.S. Research into Sonic Boom Reduction

Fixing the Sound Barrier Three Generations of U.S. Research into Sonic Boom Reduction

Fixing the Sound Barrier Three Generations of U.S. Research into Sonic Boom Reduction and what it means to the future Presented at the FAA Public Meeting on Sonic Boom July 14, 2011 Outline Perspective

540 views • 25 slides
Introduction Farmland was susceptible to two boom-bust cycles in the last century 1920s

Introduction Farmland was susceptible to two boom-bust cycles in the last century 1920s

Who Leveraged the Farm? Allen M. Featherstone Kansas State University Introduction Farmland was susceptible to two boom-bust cycles in the last century 1920s and 1930s 1973 through 1986 Drivers of Boom-Bust Cycles Economic

569 views • 12 slides
The Political Economy of Chinas Housing Boom Xu Lu & Adam (Jiwei) Zhang Stanford May 27,

The Political Economy of Chinas Housing Boom Xu Lu & Adam (Jiwei) Zhang Stanford May 27,

The Political Economy of Chinas Housing Boom Xu Lu & Adam (Jiwei) Zhang Stanford May 27, 2020 The Political Economy of Chinas Housing Boom Lu & Zhang 1 / 15 Introduction Motivation The Chinese Housing Boom Table: Real

407 views • 27 slides
A Dependable Source For Rubber, Plastic and Metal Welcome to Boom RPM! We are an IS0 9001,14001

A Dependable Source For Rubber, Plastic and Metal Welcome to Boom RPM! We are an IS0 9001,14001

A Dependable Source For Rubber, Plastic and Metal Welcome to Boom RPM! We are an IS0 9001,14001 as well as TS 16949 certified manufacturing company. Boom RPM, where the RPM stands for the three products of specialization, is your go-to source

596 views • 24 slides
CONSTRUCTION COORDINATION BOOM CONSTRUCTION The City of Toronto is undergoing an unprecedented

CONSTRUCTION COORDINATION BOOM CONSTRUCTION The City of Toronto is undergoing an unprecedented

CONSTRUCTION COORDINATION BOOM CONSTRUCTION The City of Toronto is undergoing an unprecedented construction boom Toronto is recognized as a great place to live, work, and do business . The city has rapidly grown to become North Americas

507 views • 11 slides
CALM P ROGRAMMING THE C LOUD Joe Hellerstein Peter Alvaro A GENDA A GENDA Brief research

CALM P ROGRAMMING THE C LOUD Joe Hellerstein Peter Alvaro A GENDA A GENDA Brief research

B LOOM CALM P ROGRAMMING THE C LOUD Joe Hellerstein Peter Alvaro A GENDA A GENDA Brief research background from the BOOM project B i f h b k d f th BOOM j t http://boom.cs.berkeley.edu A taste of CS194 17 Programming the

580 views • 26 slides
thin clients: thin clients: back to the future back to the future <Jason Nieh>

thin clients: thin clients: back to the future back to the future <Jason Nieh>

thin clients: thin clients: back to the future back to the future <Jason Nieh> nieh@cs.columbia.edu <Jason Nieh> nieh@cs.columbia.edu Computers in the future may weigh no more than 1.5 tons. a Popular Mechanics editorial

837 views • 82 slides
Statistical Zaps and New Oblivious Transfer Protocols Vipul Goyal Abhishek Jain Zhengzhong Jin

Statistical Zaps and New Oblivious Transfer Protocols Vipul Goyal Abhishek Jain Zhengzhong Jin

1 Statistical Zaps and New Oblivious Transfer Protocols Vipul Goyal Abhishek Jain Zhengzhong Jin Giulio Malavolta Carnegie Mellon University Carnegie Mellon Johns Hopkins Johns Hopkins University of California, University University

1.66k views • 128 slides
Web Application Pentesting mit OpenSource-Werkzeugen Christian Schneider | @cschneider4711

Web Application Pentesting mit OpenSource-Werkzeugen Christian Schneider | @cschneider4711

Frankfurter Entwicklertag 2017 Web Application Pentesting mit OpenSource-Werkzeugen Christian Schneider | @cschneider4711 CHRISTIAN SCHNEIDER Christian Schneider @cschneider4711 Developer, Whitehat Hacker & Trainer Focus on Java

1.17k views • 94 slides
Sequencing of Targeted Therapies Susan OBrien, MD UC Irvine Health Outcomes of CLL Patients

Sequencing of Targeted Therapies Susan OBrien, MD UC Irvine Health Outcomes of CLL Patients

Sequencing of Targeted Therapies Susan OBrien, MD UC Irvine Health Outcomes of CLL Patients Treated With Sequential Kinase Inhibitor Therapy: A Real World Experience Mato AR, Nabhan C, Barr PM, Ujjani CS, Hill BT, Lamanna N, Skarbnik AP,

795 views • 31 slides
Overview Access control lists Capability lists Locks and keys Rings-based

Overview Access control lists Capability lists Locks and keys Rings-based

Overview Access control lists Capability lists Locks and keys Rings-based access control Propagated access control lists May 31, 2005 ECS 235, Computer and Information Slide #1 Security Access Control Lists Columns

1.24k views • 80 slides
The Rapid Charging Fund and the future of MSAs: A discussion on how industry can support the

The Rapid Charging Fund and the future of MSAs: A discussion on how industry can support the

The Rapid Charging Fund and the future of MSAs: A discussion on how industry can support the Governments vision for 6,000 rapid charge points at MSAs by 2035, and debate on how the 500m Rapid Charging Fund should be utilised 16 th June

506 views • 31 slides
What is Rugged all about? Matt Konda He would want me to tell you Software is eating

What is Rugged all about? Matt Konda He would want me to tell you Software is eating

What is Rugged all about? Matt Konda He would want me to tell you Software is eating the world. DevOps and Security is a rare opportunity. Makes security positive, cultural+ Show the Rugged Manifesto Honey Badger =

1.74k views • 124 slides
BurpSentinel Burp Extension Dobin Rutishauser Compass Security Schweiz AG bsidesvienna 2014

BurpSentinel Burp Extension Dobin Rutishauser Compass Security Schweiz AG bsidesvienna 2014

BurpSentinel Burp Extension Dobin Rutishauser Compass Security Schweiz AG bsidesvienna 2014 Version 0.4, 2014 Intro Uhm, welcome to bsides i guess? Glad you could make it this early! I hope everyone had his/her coffee Or wine

1.47k views • 128 slides

More recommend