detectify SECURITY FOR DEVELOPERS detectify
How to steal and modify data using Business Logic flaws - Insecure Direct Object References
Aug 20, 2015
Welcome message from author
This document is posted to help you gain knowledge. Please leave a comment to let me know what you think about it! Share it to your friends and learn new things together.
Transcript
detectifySECURITY FOR DEVELOPERS
detectify
detectify
Remember the AT&T Hack? #freeweev
detectify
…or how about the Apple Developer site!incident? #down4maint
detectify
What do they have in common?
detectify
What do they have in common?IDOR #wth?
detectify
Frans Rosén!@fransrosen!
#hacktheplanet
detectify
Co-founder #daytime
detectify
Hacked a few #nightime
0x09 in Google Hall of Fame!www.google.com/about/appsecurity/hall-of-fame/
detectify
…a few more #uhere?
detectify
aaand a few more #sorry
detectify
What does it mean? #owasp4“A direct object reference occurs when a developer exposes a reference to an internal implementation object, such as a file, directory, or database key. !!Without an access control check or other protection, attackers can manipulate these references to access unauthorized data.”
detectify
I! Insecure D! DirectO! Object R! Reference
Without proper access control exposing unauthorized data, such as a file, directory, or database key.
detectify
Eye-ball the URL #waitisover
detectify
Eye-ball the URL #waitisover
Ouch.
detectify
Update a user #totallylegit
detectify
Update a user #totallylegit
Ouch.
detectify
Business Impact #obvious
• Keys, Passwords!• Credit Card Data!• User Information / Email!• Invoices / Billing Data!
detectify
Business Impact #notsoobviousNumeric IDs for Order Receipts!!“Not found” vs “No access”!!Poll every day, you get analytics!!$$$!
detectify
Business Impact #notsoobviousNumeric IDs for email invites = spam.!!!
Found by d4d1a179c0f3 https://hackerone.com/reports/1533
detectify
Business Impact #evenworse
Change Delivery Address of an order.!!Deleting another user’s information.!!Reclaiming other user’s data. Gift Certificates anyone?
detectify
Are you fully protected?
detectify
Why so few? #ohnoez1. No secure access model.!!“User X should only have access to A”
“User X that has access to A should only have access to B”!!and so on…
detectify
Why so few? #ohnoez2. Numeric IDs.!!Enumerable/Sequential. Decrease value with 1 and try. !!Easy to test. Easy to attack.
detectify
Why so few? #ohnoez3. Error messages show and tell.!!“User X cannot view object owned by User Y”!!“No access to this object” !!“Object does not exist”
detectify
Why so few? #ohnoez4. Inconsequent ID sources.!!/receipt/view/434!!/receipt/?view=434!!POST /receipt/view/ HTTP/1.1!receipt=434
detectify
Why so few? #ohnoez5. Lack of proper code review.!!How to automate this?
detectify
Examples! #bringpopcorn
detectify
Example – Twitter
Found by secgeek (Ahmed Aboul-‐Ela) https://hackerone.com/reports/27404
Credit Card deletion from other users.!!Sequential IDs when deleting cards.!!Bounty $2,800
detectify
Example – OculusRCE through IDOR!!Sequential IDs when updating users.!!Bounty in total $25,000
Found by Bitquark (Jon) https://bitquark.co.uk/blog/2014/08/31/popping_a_shell_on_the_oculus_developer_portal
detectify
Example – SquareUpdate other users / Get user info!!ID as hashes, but visible using Google.!!No check if user was in another company.!!Bounty $3,000
!https://hackerone.com/reports/23126
detectify
Example – ZapierGet log-history from other user’s Zaps.!!Contained sensitive information such as OAuth tokens / Credentials,!!No access control for log entries.!!Bounty $3,000
!https://zapier.com/engineering/bug-‐bounty-‐program/
detectify
Example – getClouderRemove Cloud Scaling for other users.!!No check if user owned the Cloud Scaling setting.!!Bounty $200
detectify
Example – WordPressGet all users on a WordPress site.!!.com/?author=1!!WONTFIX by Wordpress
!http://hackertarget.com/wordpress-‐user-‐enumeration/
detectify
Doing it right. #anyoneoutthere?
detectify
Doing it right. #hellyeh1. User ID in Session or Token!!/user/view/me!/user/transactions
detectify
Doing it right. #hellyeh2. Make generic access model and stick to it.!!function get($type, $id) { //check access for all objects }!!$user->get(‘transaction’, $id);! // if not owned by user!! ! ! ! ! ! ! ! // then error!!
detectify
Doing it right. #hellyeh3. Access model in routes or controllers.!!Stick to it! Easy to miss.!!
detectify
Doing it right. #hellyeh4. Code review. Don’t miss this.!!
detectify
Quick repetition #eatsleepraverepeat1. IDORs are bad. Easy to exploit. East to find.!!2. Being actively exploited as we speak. Worth €€€!!3. Generic access model.!!4. Numeric IDs vs Hashes!!5. Review your code.
detectify
THAT’S ALL FOLKS!!Questions?!
!by Frans Rosén (@fransrosen)
www.detectify.com
Related Documents
