1) The document discusses securing web applications by focusing on business logic security rather than just the OWASP top 10. It presents an approach to monitor business logic functions and define rules to detect attacks. 2) The approach involves instrumenting business logic functions to generate event data, processing that event stream to analyze metrics like call volumes and user flows, and defining responses like locking accounts if unusual activity is detected. 3) A case study is presented on how this approach could have detected and responded to the recent Facebook hack by monitoring functions related to user impersonation and token generation and locking affected user accounts.

1. Securing a web app: business
security VS the OWASP top 10
By Jean-Baptiste Aviat
LONDON 18-19 OCT 2018

2. Who am I?
Jean-Baptiste Aviat
CTO & CO-FOUNDER OF SQREEN.IO
EX APPLE RED TEAM
Email jb@sqreen.io
Twitter @JbAviat

3. 2000’s
Code
Frame-
works

4. Frameworks
Code
2010’s

5. 5
2020’s

6. What is an attack
against business logic?

8. WAF

11. How to do it in practice?

12. def track(event_name)
Let’s define a function

13. function generate_user_token(user_id) {
...
track(‘user_token’)
}
function reset_password(email) {
...
track(‘reset_password’)
}
1
2
3
4
1
2
3
4
function login(email, password) {
...
track(‘login’)
}
1
2
3
4

14. Event Stream

15. Event Stream
Processing
& analysis

16. Event Stream
Processing
& analysis
Response

17. if (rate(user_token_gen) is unusual) {
respond: lock_user_account
alert: send_webhook
}
1
2
3
4
if (count(user_impersonation) is above 10 over last 1 minute) {
respond: raise_exception, block_ip in reverse proxy
alert: call_pager
}
1
2
3
4

18. Application Performance Monitoring

19. How to do this
at scale?

20. 1
2
4AUTHENTICATE
5 6

21. 1
2
HOOK 4
5 6
AUTHENTICATE

22. 1
2
HOOK 4
5 6
AUTHENTICATE
Dynamic?

23. 23
def override_instance_method(klass_name, meth, hook)
saved_meth_name = "#{meth}_saved"
new_method = "#{meth}_modified".to_sym
klass_name.class_eval do
alias_method saved_meth_name, meth
define_method(new_method, hook)
end
alias_method meth, new_method
end
1
2
3
4
5
6
7
8
9
10
11
12
In Ruby

24. 24
Class<?> dynamicType = new ByteBuddy()
.subclass(Object.class)
.method(ElementMatchers.named("toString"))
.intercept(FixedValue.value("Hello World!"))
.make()
.load(getClass().getClassLoader())
.getLoaded();
1
2
3
4
5
6
7
In Java

25. Retrieve all the
context you need
• Authenticated user
• Custom business information
• Custom code / framework information
• Any HTTP value
• Previous service called
• Spanning information

26. 26
Architecting for
performance

27. [
{
"class": "User",
"method": "token_generation",
"event_name": "user_token_generation",
"custom_properties": {
"impersonated": "@impersonated"
}
},
{
"class": "User",
"method": "impersonation",
"event_name": "user_impersonation"
}
]
instrumentation.json
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
How could
this work?

28. Analyze
• The volume of calls
• The successive actions performed by a
given user (or IP)
• Detect unusual activity
• Anomalies in volume, proportions
• Check logic flows

29. • Deny access to sensitive
functions
• Deny access to a whole
service
• Set account “read only”
• Lock a user account
• Log a user out
• Trigger a pager
• Fire a webhook
• Create a ticket
• …
Respond

30. 30
Case Study
Facebook Hack

31. View as
Video uploader
User Token Management

32. How to solve it
Record business logic
actions (down to the code)
Define rules to detect a
vulnerability exploitation
Trigger security responses
to be applied
(a)Impersonate a user
(b) Generate a token
User is calling (impersonation) too much OR
user is calling (generate_token) too much
Lock the user AND
Tag the user for review

33. 33

35. Event Stream
Processing
& analysis
Respond:
Lock UserView as
Video uploader
User Token Management
instru-
mentation
.json

36. https://github.com/sqreen/BusinessLogicAttacksPOC
Example Open Source Project

37. Questions?

38. Thank You!
LONDON 18-19 OCT 2018