This is the first iteration of a talk that goes through some of the more ..."interesting" failures in web app security over the 2009-2010 assessment calendar.

1. 1 15 October 2010 Oh No They Didn’t! Rafal M. Los HP Security Evangelist

2. Web Application Security is Hard… 2 15 October 2010

3. Story #1 – “Loyalty-free” The Story… Utilizing a restaurant delivery service; website driven interaction During transaction, credit card input incorrectly, transaction rejected but “loyalty points” accrue Result: Logic flaw exposing the website to scripted attack via CSRF Lesson(s) Learned… Purchase process should be protected against CSRF (many options) Test, test, test and test again Manual security testing is required; you can’t just “scan”! Logic flaws can be discovered … advanced EFD-based tools needed 3 15 October 2010

4. Story #2 – Web coupons The Story… Large national pizza chain wants 2-part marketing campaign 2 coupons: 1 for $5 pizza, one for FREE pizza Marketing agency creates Flash! app, codes logic into client (both coupon codes) Accidental discovery leads to 11,000 free pizzas …oops Lesson(s) Learned… Never perform critical business logic on the client Marketing teams don’t know about security … don’t understand Flash! can/will be decompiled and inspected…be aware 4 15 October 2010

5. Client-Side Data Validation: FAIL … button 9 { on (release, keyPress '<Enter>') { if (password eq ‘ PASSWORD ') { getURL('http://www.SomeCompany.tld/client_pages/CUSTOMER_REMOVED/778.html', ''); } else { if (password eq ' PASSWORD ') { getURL('http://www.SomeCompany.tld/client_pages/CUSTOMER_REMOVED/781.html', ''); } else { if (password eq ' PASSWORD ') { getURL('http://www.SomeCompany.tld/client_pages/CUSTOMER_REMOVED/783.html', ''); } else { if (password eq ‘ PASSWORD ') { getURL('http://www.SomeCompany.tld/client_pages/CUSTOMER_REMOVED/771.html', ''); } else { if (password eq ‘ PASSWORD ') { getURL('http://www.SomeCompany.tld/client_pages/CUSTOMER_REMOVED/799.html', ''); } else { … 5

6. Story #3 – Hold this encryption key The Story… Flash application sending “encrypted” data across the wire; context: play a game, win a prize “Encryption” scheme (including key) embedded in Flash application Download, decompile, repurpose and win every time? Lesson(s) Learned… It’s not encryption if you also give me the scheme + key Flash! can/will be decompiled and inspected…be aware Security testing would reveal weakness … other ideas for solving this? 6 15 October 2010

7. Client-Side Encryption: FAIL try { strURI = ExternalInterface.call("getLittleServer"); … n1 = parseInt(strN1); n2 = parseInt(strN2); nAlgo = n1 * n2 * nScore + nScore; strToPass = nGameId + "," + nScore + "," + nTime + "," + nAlgo; encrypted_data = MD5.hash(strToPass); submission_data = "score=" + nScore + "|gameId=" + nGameId + "|timestamp=" + nTime + "|key=" + encrypted_data; variables = new URLVariables(); variables.attr1 = submission_data; request = new URLRequest(strURI); request.data = variables; navigateToURL(request, "_self"); return submission_data; … 7

8. Story #4 – Pwn3d (ouch) The Story… Commercial, templated online restaurant menu & ordering system Developer believed there was no need to test “why would anyone want to hack this?” SQL Injection hole found … app had already been compromised App was distributing Zeus bot (and other malware) to customers! Lesson(s) Learned… Arrogance is more deadly than lack of knowledge SQL Injection is not a highly complex attack (‘or 1=1 to detect) Not only vulnerable, now a liability and an investigation 8 15 October 2010

9. Story #5 - Predictable The Story… Online retail shopping cart, sends email with “customer ID” –based order retrieval system (no passwords!) Customer can save shipping details, payment information… Predictable customerID parameter in URL (CustID=aaaabbbcccdddd) Alpha-numeric, non-case-sensitive …but predictable Lesson(s) Learned… It can be a hassle, but require users to fully “register” (userID + pwd) Randomize at least a 32-bit alpha-numeric string for CustID Predictable IDs exposed customer data, critical payment info! 9 15 October 2010

10. Story #6 – Name your own price The Story… Critical application for customers to purchase extremely high-value replaceable parts for power-generation systems Parameter “NetCost” present in URL and POST body Server acceptsNetCost price from POST body, final page of checkout Lesson(s) Learned… Never, ever, ever, ever trust anything you send to the client The server should always hold the “record of truth” Validate against server-known data, prior to processing checkout Test, test, test … this is a business logic flaw! 10 15 October 2010

11. Story #7 – But wait, there’s MORE The Story… Demonstrating web app security testing tool vs customer application SQL Injection hole found, exploited at the MS SQL Server Server was clustered, on internal network, extended stored procedures Mission-critical web-application database on internal, AD-based network Lesson(s) Learned… So many layers of fail … layered upon SQL Injection (testable!) Separate your databases by criticality Remove non-necessary stored procedures, secure priviliges 11 15 October 2010

12. Contribute … Do you have a story that’s too funny not to be true? SHARE IT! 12 15 October 2010

13. 13 15 October 2010 Done. Rafal M. Los Security Evangelist @Wh1t3Rabbit Rafal@HP.com Hp.com/go/white-rabbit