Eurostar 16: Abuse Cases - from scratch to the hack

Miguel Hernandez Ruiz

Upload: miguel-angel-hernandez-ruiz

Posted on 22-Jan-2018

Page 1

Abuse Cases: From scratch to the hack

Miguel Hernandez Ruiz

Page 2

Do the testers know about the business flows supported by the application?

Page 3

As starter…

Page 4

The Menu

• As starter
• A hacking story
• What we are looking for
• A methodological approach
• Abuse cases from use cases
• Abuse cases from scratch
• Take away

Page 5

A hacking story

Disclaimer: I have found both images online with no copyrights; if you find out they actually are copyrighted, please let me know as soon as possible.

Name: Paul. Age: 27. Job: Developer

Paul works as an IT engineer for an IT company which provides a shopping cart solution to several clients. He has never been concerned about security, and neither has his boss…

Name: Mike. Age: 22. Job: none

Mike is a university student with too much free time and a security-passionate person who loves finding out application vulnerabilities. He is really aware of application in-security…

Name: Josh. Age: 40. Job: Boss

Josh is a successful business man who owns three different companies operating in different sectors. He has heard about security concerns in applications but “this won’t happen to him”…

Page 6

A hacking story

MY APP = …

Yabadabadoooooooooooooooooooooooooo!

Break another app. Break another app. Break another app. Break another app.

Page 7

A hacking story

Ouch! My boss recently told me that our customers complained about some security bugs reported by a hacker in our application…

Actually I think they were there since the first version, but I am happy they didn’t realise it before…

Anyway, I am ready to fix them in the new release… I will close the issues all in a row…

Page 8

A hacking story

• SQLi
• XSS
• HTMLi
• CSRF
• Session Hijacking
• Session Fixation
• Buffer Overflow
• Insecure Direct Object Reference
• Non-validated Redirects
• Server Side Inclusion
• XXE
• LFI/RFI

Page 9

A hacking story

OK. I am going to take a look at the page where I reported the bugs last month…

It seems that they have fixed them… interesting…

I am happy to see that they have been able to solve the issues but… let me see…

Let’s play the joker up the sleeve… What if I change this number here…

…YEAH!!!!

Page 10

A hacking story

Syringe image from http://shinta-girl.deviantart.com/

Page 11

The Menu

Page 12

What we are looking for

• What the application is intended to do and it actually does
• What the application is intended to do and it does not
• What the application is not intended to do and it actually does

The application business logic must be checked from a security perspective: ABUSE CASES

Page 13

What we are looking for

Use Cases

• A use case is a list of steps, typically defining interactions between a role (actor) and a system, to achieve a goal
• They are essentially structured stories or scenarios detailing the normal behaviour and usage of the software
• A use case is not only a diagram; it is text as well, a full description including the main actor, goal in context, scope, preconditions, etc.

Abuse Cases

• An abuse case is a type of complete interaction between a system and one or more actors, where the results of the interaction are harmful to the system, one of the actors, or one of the stakeholders in the system
• An abuse case diagram is created together with a corresponding use case diagram (if available), but not in the same diagram
• There is no new terminology or special symbols introduced for abuse case diagrams

Page 14

The Menu

Page 15

A methodological approach

• Look for the business key requirements
• Use the available use cases to design the abuse cases
• Gain a wide understanding of the business logic implemented
• Detect implementation flaws and … ¡¡¡¡Exploit them!!!!

The stairway to the bug: REQUIREMENT → DESIGN → IMPLEMENTATION → INTEGRATION

Page 16

A methodological approach (flowchart; node labels as recovered from the slide)

• Start: Key requirement specification
• Use cases designed?
– Yes: Application use cases → Detect potentially worst scenarios → Design abuse cases derived from use cases → Abuse cases
– No: Locate functional documentation and knowledge → Functional documentation → Gain a deep understanding on the business logic
• Workflows designed?
– Yes: Application workflows
– No: App repository → Perform application workflows
• Determine the critical flows → Detect key points → Design abuse cases derived from key points → Abuse cases

Page 17

The Menu

Page 18

Abuse Cases from Use Cases

Goal: Check that there is no possibility to add items for free to the basket

Preconditions
• All application modules have been correctly deployed in test
• A previously registered user account must be provided
• There must be at least 1 item and one item category available

Description
• Access to the Application URL: the user accesses the URL http://www...
• Log in: he/she performs the login using a provided user account
• ...

Flow (diagram): Access to the Application URL → Login → Add an Item to the Basket → Add an Item for free → Check the total cost

Actors
• User: agent who is intended to perform a normal use of the application
• Security Tester: person who is intended to cause abnormal behaviour in the application

Page 19

The Menu

Page 20

Abuse Cases from scratch (application workflow)

Access to application → Register a new account → Log in to the application → Access to an item section → Select an item → Increase/Decrease number of items to order → Add to basket → Increase/Decrease number of items → Update basket

Other navigation: About us, Contact us, Search items, Your Basket

Legend: Compulsory / Optional

Page 21

Abuse Cases from scratch (workflow with key points)

Access to application → Register a new account → Log in to the application → Access to an item section → Select an item → Increase/Decrease number of items to order → Add to basket → Increase/Decrease number of items → Update basket

Key points marked on the workflow:
• Privilege increase
• Access to content
• Alters the price

Legend: Compulsory / Optional

Page 22

Abuse Cases from scratch (questions attached to the workflow)

Access to application → Register a new account → Log in to the application → Access to an item section → Select an item → Increase/Decrease number of items to order → Add to basket → Increase/Decrease number of items → Update basket

• Could I access a non-published or private item section? What if I insert a very long number as a section selector?
• Could I be able to modify the item’s price? …The number of items without altering the total price, perhaps?
• Definitely I must try to add to the basket a negative number of items
• Would it be possible to order non-existent items?
• Could I decrease the number of items below zero? What will be the maximum number of items to order?
• Could it be possible to include a negative number of items when updating the basket?
• Would it be possible to change the price during the basket update process?
• What if I perform an update over a non-existent item in the basket?

Legend: Compulsory / Optional

Page 23

Abuse Cases from scratch

Flow (diagram): Access to the Application URL → Register a User → Access with the New User → Select 4 Items of a certain category / Select 3 Items of another category → Add them to the basket → Update the number of items in the basket → Include a negative number of items

Actors on the diagram: User, Security Tester

Goal: Gain a higher confidence in how the application is going to behave when the number of items is modified below zero

Preconditions
• All application modules have been correctly deployed in test
• At least two item categories have been included in the application
• There must be at least 4 items for two item categories

Actors
• User: agent who is intended to perform a normal use of the application
• Security Tester: person who is intended to cause abnormal behaviour in the application

Description
• Access to the Application URL: the user accesses the URL http://www...
• Register a new user: he/she clicks on the…
• …
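The abuse cases on pages 18, 22 and 23 can be turned into executable checks against a basket's business logic. The following is an added example, not code from the talk or from the BodgeIt store: a constructed basket service whose rules live server-side (item ids, prices, the 99-per-line limit and the set of published sections are all made up for the example), with the deck's questions expressed as abuse cases that report whether the application rejected each one. A `False` in the result is exactly the kind of business-logic bug the talk is looking for.

```python
"""Added example (not from the original slides or from BodgeIt): a basket
with server-side business-logic checks, and the deck's abuse cases
(pages 18, 22, 23) run against it. All ids, prices and limits are constructed."""
from dataclasses import dataclass, field

# Constructed catalogue: item_id -> (name, unit price). Prices are only ever
# read here; a client never supplies a price.
CATALOGUE = {
    "A1": ("Book", 12.50),
    "A2": ("Pen", 1.20),
    "B1": ("Mug", 7.00),
    "Z1": ("Draft item", 5.00),   # exists, but its section is not published
}
PUBLISHED_SECTIONS = {"A", "B"}   # assumed: first character of the id is the section
MAX_QTY_PER_LINE = 99             # assumed business limit per basket line


class AbuseRejected(Exception):
    """Raised when a request violates the basket's business rules."""


@dataclass
class Basket:
    lines: dict = field(default_factory=dict)   # item_id -> quantity

    def add(self, item_id, qty):
        self._check_item(item_id)
        self._check_qty(qty, allow_zero=False)
        new_qty = self.lines.get(item_id, 0) + qty
        if new_qty > MAX_QTY_PER_LINE:          # limit applies to the line total
            raise AbuseRejected(f"quantity {new_qty} exceeds limit")
        self.lines[item_id] = new_qty

    def update(self, item_id, qty):
        if item_id not in self.lines:           # update of a non-existent line
            raise AbuseRejected(f"{item_id} is not in the basket")
        self._check_qty(qty, allow_zero=True)   # zero removes the line
        if qty == 0:
            del self.lines[item_id]
        else:
            self.lines[item_id] = qty

    def total(self):
        # Always recomputed from the catalogue, never taken from the client.
        return round(sum(CATALOGUE[i][1] * q for i, q in self.lines.items()), 2)

    def checkout(self, client_claimed_total):
        # A total supplied by the client is compared, never trusted.
        real = self.total()
        if abs(real - float(client_claimed_total)) > 0.005:
            raise AbuseRejected(f"client total {client_claimed_total} != {real}")
        return real

    @staticmethod
    def _check_item(item_id):
        if item_id not in CATALOGUE:
            raise AbuseRejected(f"unknown item {item_id!r}")
        if item_id[0] not in PUBLISHED_SECTIONS:
            raise AbuseRejected(f"item {item_id!r} is not published")

    @staticmethod
    def _check_qty(qty, allow_zero):
        if type(qty) is not int:                # rejects floats, strings, bools
            raise AbuseRejected(f"quantity must be an integer, got {qty!r}")
        if qty < 0 or (qty == 0 and not allow_zero):
            raise AbuseRejected(f"quantity {qty} out of range")
        if qty > MAX_QTY_PER_LINE:
            raise AbuseRejected(f"quantity {qty} exceeds limit")


def normal_flow_total():
    """Page 23 happy path: 4 items of one category, 3 of another."""
    b = Basket()
    b.add("A1", 4)
    b.add("B1", 3)
    return b.total()          # 4 * 12.50 + 3 * 7.00 = 71.0


def run_abuse_cases():
    """Each abuse case from the slides; returns name -> True when rejected."""
    def negative_add():           Basket().add("A1", -3)
    def below_zero_update():      b = Basket(); b.add("A1", 4); b.update("A1", -1)
    def nonexistent_item():       Basket().add("X9", 1)
    def unpublished_section():    Basket().add("Z1", 1)
    def very_long_number():       Basket().add("A1", 10 ** 30)
    def update_missing_line():    Basket().update("B1", 2)
    def non_integer_quantity():   Basket().add("A1", 1.5)
    def altered_price():          b = Basket(); b.add("A1", 1); b.checkout(0.01)

    cases = {
        "add a negative number of items": negative_add,
        "decrease items below zero on update": below_zero_update,
        "order a non-existent item": nonexistent_item,
        "access an unpublished section": unpublished_section,
        "very long number as quantity": very_long_number,
        "update a non-existent basket line": update_missing_line,
        "non-integer quantity": non_integer_quantity,
        "change the price at checkout": altered_price,
    }
    results = {}
    for name, attempt in cases.items():
        try:
            attempt()
            results[name] = False     # abuse went through: a business-logic bug
        except AbuseRejected:
            results[name] = True
    return results


if __name__ == "__main__":
    print("normal flow total:", normal_flow_total())
    for name, rejected in run_abuse_cases().items():
        print(f"{'REJECTED' if rejected else 'ACCEPTED'}: {name}")
```

The structure mirrors the deck's method: the happy-path flow is the use case, and every question from page 22 becomes one callable that tries to leave the intended flow. Running the same list against a real shopping cart (through its HTTP API instead of a local object) gives a regression suite for the business logic, which is what the "Enforce Abuse Cases development" take-away asks for.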

Page 24

Demo

Hey Hey Hey!, don’t touch my App!!

Let’s rock baby!!

Mmmm, I am not sure if I want to see this…

Page 25

The Menu

Page 26

Take away

• Mind the business logic of your application; in the meantime, it is really cheap
• Look for a way to add negative thinking to the development process. Enforce abuse cases development.
• Do not trick yourself: “This really COULD happen to you”
• Raise the problem if you think there is a bug in the application; the sooner the better.
• Do not trust the component of the application you are developing: “Develop defensively and watch the abuse cases”

Page 27

Take away

• You have a great future ahead as a security tester… go for it!
• Use all your knowledge: “Try bypassing the business logic as specified in the abuse cases”.

No technological device will protect you against business logic attacks. Use the talent in your organization; your brain is the most powerful tool. Think in negative… Develop abuse cases.

Page 28

References

• Testing for Business Logic Attacks; OWASP Foundation; 2014 – https://www.owasp.org/index.php/Testing_for_business_logic
• OWASP Business Logic Cheat Sheet; OWASP Foundation; 2014 – https://www.owasp.org/index.php/Business_Logic_Security_Cheat_Sheet
• Common Weakness Enumeration: Business Logic Errors; MITRE; 2014 – http://cwe.mitre.org/data/definitions/840.html
• Ten Business Logic Attack Vectors: Business Logic Bypass & More; NTObjectives; 2012 – http://www.ntobjectives.com/research/web-application-security-white-papers/business-logic-attack-vectors-white-paper/
• How to Prevent Business Flaws Vulnerabilities in Web Applications; Marco Morana; 2011 – http://es.slideshare.net/marco_morana/issa-louisville-2010morana

Page 29

Thank You!!

Thank you all!

Page 30

The dessert…

?

Page 31

On the Speaker - Bio

[email protected] / [email protected]

https://www.linkedin.com/in/security-miguel-hernandez

https://twitter.com/miguelangelher

http://plusplussecurity.blogspot.ie/

IT Engineer, Master in Advanced Technologies, Master in Business Administration, CEH, CISA, CISM, SPSE, IRCA LA 27001, ISTQBf, ITIL-f and FCE. Currently working for IBM in the Watson Health division as Senior Security Engineer. Miguel Hernández has been working in the security field during the past 10 years. He has helped some of the most important companies in different sectors to improve their security by process improvement and web application security testing.

Page 32

Running the demo

• Download and install docker for your operating system
• Download bodgeit store from docker
– docker pull psiinon/bodgeit
• Run docker
• Run bodgeit in docker
– docker run --rm -p 8080:8080 -i -t psiinon/bodgeit
• Open bodgeit in the browser
– http://localhost:8080/bodgeit
• If you want to intercept the communication and perform the “hack”:
– download and install ZAP for your platform.
– Change the port of ZAP for the local proxy from 8080 to 8085
– Configure firefox network settings to use the proxy localhost:8085