SecCom Labs

Security Compass at RSA

rohit — Thu, 14 Jan 2010 14:10:37 +0000

This year we’ll be returning to RSA to deliver a couple of 1 day training classes: application security hands on and database security hands on. Both are introductory courses that aim to get students ramped up quickly on these important topics. Know anyone who’s interested?

Secure Web Application Framework Manifesto - Draft

rohit — Mon, 11 Jan 2010 19:54:57 +0000

It’s clear that your choice of web application framework makes a significant impact on the security of individual applications. Today we’re releasing a draft version of the Secure Web Application Framework Manifesto - a document that provides a set of security requirements to web application frameworks themselves. Once we’ve collected feedback from the community, we’d like to turn this into a living OWASP project that is updated annually.

We’re eagerly looking forward to any feedback you have. Please email us at labs [ a t ] securitycompass.com

Download it here

XSLT Command Execution Exploit

Subu Ramanathan — Fri, 18 Sep 2009 15:25:14 +0000

This article is based on the Command Injection in XML Signatures and Encryption whitepaper authored by Bradley W. Hill from Information Security Partners.

XSLT is a simple language designed to facilitate cross platform content generation by selecting and merging datasets presented in an XML document. The vulnerability described in the whitepaper still exists in today’s XSLT processing engines, which are widely used in web service implementations. In this article, we will look into reproducing this attack on two of the common XSLT processing engines: Microsft’s MSXML and Xalan (Java’s XML processing library). In addition to an overview of reproducing the attack, this article also features video demonstrations of the exploit that we feature in our Training courses. In both these scenarios we are using the latest versions of the frameworks’ XSLT processing engine as of September 16, 2009.

MSXML implemented in a .NET Application:
MSXML, Microsoft’s XSLT processor, provides a scripting engine to allow for dynamic content generation. The tag, amongst other things, allows developers to define custom functions that can then be called from XSLT code. The engine also provides functions within blocks complete access to .NET classes and methods as long as they fully qualified (e.g. System.Console.WriteLine). This extensibility raises the possibility of remote command execution from the code within the blocks. For instance, in our demonstration video we add a call to System.Diagnostics.Process.Start() method, which enables the attacker to spawn a command prompt.

Xalan implemented in a Java Application:
Xalan, on the other hand provides versions of standard Java classes such as Java.lang.Runtime and Java.lang.Object that can be included with the XSLT signature. These classes can then be used in tags to invoke member methods. In our demonstration video we will be using Java.lang.Runtime.exec() method to spawn a new process that launches Windows Notepad.

OWASP DC

rohit — Mon, 24 Aug 2009 10:21:05 +0000

Come check us out at OWASP DC. We’ll be speaking on the Security Analysis of Core J2EE Patterns and teaching classes on Threat Model Express and Java Source Code Review

J2EE Patterns Analysis Now an OWASP Project!

rohit — Fri, 24 Jul 2009 14:31:08 +0000

We’re happy to announce that our Security Analysis of the J2EE Core Patterns is now officially an OWASP project! I’ll be the project leader and look forward to getting your input on constantly improving this doc. Thanks to everyone who has supported us in this effort thus far!

The True Danger of XSS and CSRF

rohit — Fri, 15 May 2009 10:46:17 +0000

In our one-day training classes and conference talks we make judicious use of videos to demonstrate concepts. One of the most popular videos illustrates the true danger of Cross-Site Scripting (XSS) combined with Cross-Site Request Forgery (CSRF). We constructed a fake bank site and demonstrated that a single XSS vulnerability and money transfer functionality in the bank site could result in a user losing money just by visiting another site. In the example, the bank site isn’t over SSL but SSL would not prevent this attack in any way.

The malicious site in our example is completely attacker-controlled, but in reality the malicious site could actually be a Flash ad in a trusted site, Facebook / Myspace / LinkedIn applications or other mashups running untrusted code, or even malicious code running in another trusted site like a bulletin board.

In our example, the user visits the bank site and the attacker site in two browser tabs at the same time. In reality, the victim is exposed for the entire duration of his/her session on the server. That means if a user simply closes their browser window and doesn’t actually logout of the banking application, they are still vulnerable for a period of time – usually 15-30 minutes.

At first the attack may seem far-fetched because of all the factors at play:

A victim needs to visit a specific vulnerable site
The victim then must visit another malicious site that knows to attack the site from Step 1, all while the victim still has a valid session.

So how is this attack becoming less far-fetched today?

A survey by the Web Application Security Consortium (WASC) reveals that
nearly 60% of websites are vulnerable to XSS. The ability to discover XSS has never been easier, and public disclosure sites like xssed.com make discovering specific vulnerabilities trivial.
We’ve seen real attacks delivered through social networking sites and flash ads. These attack vectors allow malicious users to target thousands of victims concurrently – given enough potential victims, the chances that at least a handful of them also have a valid session on a specific vulnerable site becomes higher. Even though our demo shows an attack on one specific bank, an attacker can try to attack multiple sites from the same malicious JavaScript. In other words, an XSS fraudster can conceivably attempt to deliver malicious payloads for several different vulnerable sites to thousands of victims within a very short period of time.

What makes this attack particularly devastating is the fact that the victim likely won’t be able to repudiate the money transfer. In the bank’s logs, it looks like the user intentionally meant to transfer funds. All of the transactions originate from the victim’s IP address and were sent with the victim’s cookies. Only behavioural analysis, such as looking at the abnormal speed of the series of requests or noticing that multiple people transferred money to the same payee at within a short period of time, might reveal fraud.

Attack Technical Details

User visits http://localhost:3000 (False Secure Bank)
While having a valid session in False Secure Bank, user then visits http://127.0.0.1/CSRF _Example (Attacker site)
Within the Attacker Site, we added a 0 length by 0 width iFrame, rendering the content of the iFrame invisible to the end user.
Within the iFrame, we inserted some HTML including a form with pre-populated values, and some script that automatically submits the form on behalf of the user:

Note that the pay[payee] field value is the actual Cross Site Scripting payload. This corresponds to the XSS vulnerability we discovered earlier within the False Secure Bank site. In this case, the actual script points to source located at http://127.0.0.1/CSRF_Example/bankattack.js. The document.input.submit() method automatically submits the request behalf on the user – in other words, we’re delivering a Cross Site Scripting (XSS) payload via a Cross Site Request Forgery (CSRF) attack.

The user’s browser automatically submits the request to http://localhost:3000/send_payment with the user’s cookies. The user has no idea this has happened.
False Secure Bank sends a response to the 0 x 0 IFrame, where the request originated from. In the response, the developers include an unfiltered, unencoded version of the pay[payee] parameter from the send_payment request. Since this parameter renders within the clients browser, the tag automatically executes.
The browser automatically downloads the bankattack.js file. Since the request for JavaScript file appears to come from False Secure Bank, the browser does not believe this is a violation of the same origin policy.
Within the JavaScript file we’ve included a whole series of Ajax request and responses. They look something like this:

xmlhttp.open("GET", "/payment", false); //AJAX request to get the payment screen

xmlhttp.setRequestHeader('Content-Type','application/x-www-form-urlencoded');

>xmlhttp.send("");

The actual JavaSript Object type of XMLHTTP varies by browser. Note that we can set the request headers however we want, and we can emulate any user generated content – including modifying the user-agent tag or any cookies used to track user navigation. We can also save the response we get back from the “send” command and parse out interesting values. For instance, suppose we need to know the victim’s account number in order to transfer funds. We can send an XML HTTP request to the home page and parse out the account number from the response HTML. Similarly, we can parse out any anti-CSRF tokens once we have our malicious JavaScript running.

Note that False Secure Bank does not support nor feature any Ajax. We don’t care. We only need the user’s browser to support Ajax, which most modern browsers do.

The JavaScript from the previous step makes several different requests:

Go to payments screen
Parse out the account number of the attacker
Add the attacker as a payee
Initiate payment
Confirm payment

While this scenario outlines a bank transfer, we could automate practically any series of requests in any web application with this kind of attack.

Countermeasures (Developers)

The easiest countermeasure is to prevent Cross Site Scripting. Make judicious use of strong encoding libraries like those given in the OWASP ESAPI project . Follow the details outlined in the Cross Site Scripting Prevention Cheat Sheet.
Use frame busting code. Note, people have (and continue to) come up with ways around frame-busting . Also note that the attacker doesn’t need a frame – s/he can execute the entire attack visible to the user – although that increases the possibility that the user will shut down the browser and stop the attack midway.
The most effective method of preventing this and almost all attacks against sensitive transactions is to use transactional authentication. The developers could have required Phone Factor authentication, for instance, for all money transfers over $100. Of course, any additional authentication may come at the expense of usability. A less effective and, arguably, less user-friendly approach is to use some anti-automation
technology like CAPTCHA.
The original XSS vector was delivered through a CSRF attack on the send_payment transaction. If the entire authenticated portion of False Secure Bank was protected against CSRF, we couldn’t have delivered the reflective XSS payload in the first place. Stored XSS does not suffer from the same limitation.

Countermeasures
(End Users)

Always log out. This doesn’t prevent the attack completely but significantly limits your exposure to attack
Do not browse to other sites while on a sensitive application such as online banking
Use NoScript. Yes, NoScript prevents this attack, even if you trust the script in the malicious site because NoScript accurately identifies the CSRF request as a potential Cross Site Scripting attack
Hope that the developers who create your applications care about security, and that they don’t categorically think Cross Site Scripting is low or medium risk

Case Study: The Falling Stock of Appsec

rohit — Wed, 06 May 2009 03:25:06 +0000

Jamie Rockhill^* is the director of information security at DG&S, a medium-sized Manhattan-based financial services company. In the past twelve months some of the firm’s largest clients have either been acquired or have filed for bankruptcy protection. Although not as hard hit as some of their Wall Street peers, DG&S is anticipating a 20% loss against previous year’s earnings. The firm is facing a major restructuring and there is an across-the-board freeze on any training expenditures or major IT projects. Indeed, any expense over $1,000 requires Executive VP sign off.

Traditionally, DG&S did not pay much heed to information security apart from standard practices such as patch management and installation of anti-virus on corporate machines. All that changed when 2,000 high-profile customer records were stolen from their competitors at Finicor Investment Services in late 2007. Worried that they too would suffer a breach, DG&S hired Jamie to augment their IT security practices. Of course, that was before a tide of bad news hit the American financial industry in late 2008. Now Jamie’s been left with a mandate to protect the organization’s data (a priority which still stands, as the CEO recently reminded Jamie) with no appropriate increase in spending.

Although DG&S maintains a relatively low public profile, it is well known in the financial industry and may be an ideal target for online thieves. Jamie is especially concerned that firm’s three extranet applications developed in ASP.Net are vulnerable to web application security attacks since they haven’t undergone any security testing or hardening procedures.

Jamie’s concerns were only heightened after a conversation with the company’s lead software engineer:
“Steve, have you or anyone on your team thought about security during the development of these apps?”, Jamie inquired.

“Security? These apps are made for our business partners - not the general public. We have more pressing concerns” came the curt reply.

“That may be, but they’re exposed on the Internet. It’s just a matter of time before somebody uses them to break into our systems!”, Jamie responded, visibly agitated.

“Good luck securing them. This is Wall Street buddy, we need to get our apps out ASAP before the guys across the street do, otherwise our firm stands to lose big-time, meaning both you and I will be out of jobs. I don’t have any spare time to waste on adding features or doing analysis outside of the core functional requirements”.

As angry as he was, Jamie knew that Steve had a point: time-to-market is of the essence to DG&S developers and it’s even more important as the company has to fight harder for client dollars.

Still, leaving the apps at status quo is asking for disaster. So far, Jamie has been able to keep the company away from danger thanks to complex filtering rules in the Intrusion Prevention System. He had also heard that ASP.net applications are more secure out of the box than PHP or Java web apps. He’s also toyed around with the idea of deploying a web application firewall although he’s heard that they are generally better as a short-term stop-gap measure.

If you were in Jamie’s position, what would you do?

^*: All names are fictional and are generated from http://www.kleimo.com/random/name.cfm

Jason Lam’s Response

Information security is about effectively managing risk in the organization and
the role of a security professional is to advise and assist the management of
risk. In Jamie’s shoes, I would first estimate the cost of one single
incident based on previous incidents in similar organizations and the
likelihood of an incident happening. Armed with this information, I would then
approach the senior executives in the company to explain the risks and the need
to lock down the applications. Security has to come from the top of the
organization. Starting from the highest level is the prudent route to take.

The argument from management is often, “It’s not going to happen to us.”
This is an easy one to tackle given the recent security related incidents in
the financial sector. Hard dollar value is usually very persuasive, the stock
prices affected by security incidents and also some of the public announcement
of incidents can quickly reveal the real cost. In the financial sector, PCI DSS
requirements now include application security requirements, so it is hard to
deny that it is an essential part of security. Prudent executives want to
control costs that will affect current and future business. The pressing needs
to secure applications clearly affect the company’s future, especially when
the reputation of the firm is at stake. Once the need to lock down the
application is established with executives, the funding should come with ease.

As far as the approach to locking down the application goes, there are various
options and approaches to take. If the internal security capability is strong
then a quick security assessment of the application with strong focus on
critical vulnerabilities such as OWASP Top 10 can help identify the weak point
of the application and get the developers started on the right path to fixing
the application. If skillset is lacking in the organization, then external firm
help may be necessary. Jamie should be frank with the firm on the budget
concern and the goal of locking down three business partner facing application.

A competent firm should be able to work out an effective plan for Jamie.
If fixing the application is absolutely not an option, then maybe a Web
Application Firewall (WAF) is a good choice. Most WAF devices are very
affordable and relatively easy to deploy. WAFs can do a decent job at stopping
about 50%-60% of the vulnerability, effectively reducing the vulnerability
surface. Jamie should keep in mind that there are still risks even after a WAF
device is in use and it is never a long term replacement to a full code fix.

Jason is a senior security analyst at a major financial institute in Canada. He is also an author and instructor for SANS Institute, mostly focusing on web application security and malware threats.

Nish Bhalla’s Response

Letting the applications go out on the Internet without any testing would be
like burying your head in the sand. Due to business requirements and lack of
time or knowledge, this is the unfortunate reality that many organizations face
today. Once, however, organizations realize the impact of the potential issues
(like DG & S), they end up hiring someone like Jamie to help reduce their risk.

There are two major security concerns with any application going live on the
Internet: 1) The security risk associated with exposing the data held by the
application. For example credit card data or other Personal Identifiable
Information (PII). 2) Other vulnerabilities within the application that could expose other components of an organization’s infrastructure.

Assuming that DG & S has neither application nor data classification ratings,
Jim should try to understand the type of data this application holds and the
security controls that are implemented in the applications. This process will
help him to understand and ultimately justify the costs he should spend on
securing the applications.

To understand the risk classification of the applications (i.e. high, medium,
or low), Jim should attempt to perform a high-level risk analysis on the
application. He can perform this analysis by not only spending some time
understanding the application by browsing it, but also interviewing the
business analysts, the architect and a senior developer. Some of key controls
he should try to understand are:

If the data held by each application is considered highly confidential,
confidential or public.
How the basic security
controls such as Authentication, Authorization, Log management and Encryption
(in rest/in transit) are being managed by the application.

Based on this information, Jim can understand which of the applications
would be considered a high risk, medium risk and low risk for his environment.
After understanding this, he should then decide to either perform an
authenticated Health Check or an Unauthenticated Health Check. If he has the
time and skill-set required he should perform the assessment himself, otherwise
he should consider bringing in external help. One of these approaches would
give him the best value for his money.

Nish Bhalla, the Founder of Security Compass, is a specialist in product, code, web application, host and network reviews.

Security Analysis of Core J2EE Design Patterns

rohit — Tue, 21 Apr 2009 02:18:39 +0000

Today Krish Raja, Sahba Kazerooni, and I are releasing a Security Analysis of the Core J2EE Patterns. In our view, this sort of analysis is long overdue: software vendors, enterprise developers, and the open source community all use patterns judiciously. While developers have access to patterns about security, they rarely have access to a security analysis of non-security-specific patterns.

This beta release outlines our security analysis: we’d love to hear your feedback to improve the quality of our analysis. In future releases, we intend to include source code examples to help elucidate the concepts we describe.

Welcome To Seccom Labs

nish — Tue, 21 Apr 2009 01:44:10 +0000

Welcome to Seccom Labs, our site dedicated specifically to helping developers, architects, testers, and everyone else involved in the SDLC with security. This page will include tools, blog entries, articles, videos, whitepapers, and security scenarios.

Some of you may be wondering why we’re releasing Seccom Labs when other great open resources like OWASP exist. To start, we wholeheartedly support the OWASP mission and in fact I personally head the OWASP Toronto chapter. The reasons we’re launching Seccom Labs are simple:

Increase community interaction – We’ve created popular tools like Exploit-Me; we want to continue to create tools and libraries and want to increase community involvement. All of our tools will now feature a publicly accessible bug tracker.
Developer focused – We want a site dedicated specifically to the software development community. Although our materials will be relevant to the information security community, our resources will be primarily directed to people whose day-to-day responsibilities revolve around software development.
Consistency – All of our resources come from Security Compass employees and we’ll ensure a consistency in quality, language, and general principles.

Seccom Labs represents a culmination of our shared experience in securing software. We hope you find it useful and we appreciate any feedback you have for us!

Security Scenarios

tom — Tue, 21 Apr 2009 01:34:02 +0000

So you’ve learned the basics of application security. What happens next? Ongoing education isn’t as clear cut as taking a single course. Nothing beats real world experience, but not everyone has the luxury of time to ramp up on application security experiences.

Security scenarios are modeled after the Harvard Business Review Case Studies - they’re real world scenarios based on actual challenges faced by practitioners on the ground. Each scenario describes a fictional predicament faced by somebody involved in application security. The scenario ends with a challenge: what would you do in this situation? We supplement the scenario with expert opinions from within Security Compass and real world practitioners in industry.

Our first scenario involves Jamie Rockhill – a fictional Manhattan information security information practitioner who faces a growing set of application security threats while battling a severe financial downturn. Our founder Nish Bhalla and SANS instructor Jason lam weigh in with their opinions.