Desmond File


Reconsidering Security: Targeting Business Logic

Raf Los, Web application security evangelist at HP Software, gave a presentation at the Black Hat Conference in Barcelona, Spain, this week, about what he says is an emerging front in the area of application security. He says that as organizations harden their infrastructure against common attacks like SQL injection and cross-site scripting, the threat is moving up the stack.

"As an attacker there are three things that drive me. The payout, which is a big thing; the opportunity, how many of these things are out there; and what is the cost?"

Programs like Microsoft's Security Development Lifecycle (SDL) and improved tooling and best practices have narrowed the window for attack against the application infrastructure. At the same time, the economics of hacking a credit card database are changing.

"Payouts are getting smaller because the black market is flooded with credit numbers," says Los. "All those things are shrinking. So how do I find something that costs less, has bigger vulnerabilities and still has a big payout?"

Los says attackers are increasingly manipulating the actual design behind the application. He offers an anecdote of a flaw that a friend of his discovered in a Web-based customer loyalty program. His friend was able to set up a purchase on the Web site, then have the site award points to his account against that setup purchase, without ever actually completing the transaction. As a result of flawed code on the site, it was possible for customers to rack up limitless awards points, without ever spending a dime.

"Now it's not called hacking, it's called fraud," concludes Los, who adds that dev shops currently have no effective way to automatically detect these flaws. "How do you spin up a piece of code that looks for another piece of code's logic defects?"

It's a good question, and one that Los says no one is really prepared to answer.

'Talking about mitigation'
"I'm not going to be coy about it. This is not an easy problem to solve," Los says. "I don't think we understand enough about the problem yet, to fully tell anybody how to stay away from it. I'm seeking to raise awareness and more importantly, start to be able to identify these issues. And then, once we have that, we can start talking about mitigation."

Los says developers need to look out for two types of threats against their processes: transaction control manipulation and privilege manipulation. He urges developers to fully understand the application flows and business processes they are supporting. Can attackers alter an expected input or cause actions to be processed out of order?

Ultimately, Los says, developers need to ensure that the code supporting business processes cannot be manipulated or undermined.

"We've said this before and security sort of shouts this all the time: Never trust data or information or anything that leaves your direct control. Whatever you send out, assume that what comes back is bad--make that assumption," Los says.
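The loyalty-program flaw described above and the question of actions processed out of order, as an added example that is not from the article or from Los's talk: the first class awards points on whatever the client submits, the second enforces a server-side created-paid-rewarded sequence and takes the amount only from its own order record. Customer names, order ids and the one-point-per-dollar rule are constructed for the example.

```python
"""Loyalty-points flow: award-on-setup (the flaw in the anecdote) beside a
state-machine version that rewards only server-recorded, paid orders.
Constructed example; names, order ids and the 1-point-per-dollar rule are
hypothetical."""
POINTS_PER_DOLLAR = 1  # hypothetical reward rule


class VulnerableLoyalty:
    """Awards points on a client request that carries its own amount. Nothing
    ties the award to a completed payment, so a customer can set up a purchase,
    claim the points and never pay, as often as they like."""
    def __init__(self):
        self.points = {}

    def award(self, customer, claimed_amount_cents):
        earned = claimed_amount_cents // 100 * POINTS_PER_DOLLAR
        self.points[customer] = self.points.get(customer, 0) + earned
        return self.points[customer]


class HardenedLoyalty:
    """Points come from the server's own order record, only after payment has
    been recorded, and each order is rewarded at most once (created -> paid ->
    rewarded; any other ordering is rejected)."""
    def __init__(self):
        self.orders = {}  # order_id -> {"customer", "amount_cents", "state"}
        self.points = {}

    def create_order(self, customer, order_id, amount_cents):
        self.orders[order_id] = {"customer": customer,
                                 "amount_cents": amount_cents, "state": "created"}

    def record_payment(self, order_id):
        order = self.orders[order_id]
        if order["state"] != "created":
            raise ValueError("payment recorded out of order")
        order["state"] = "paid"

    def award(self, customer, order_id, **client_supplied):
        # Whatever the client claims about the amount is ignored outright.
        order = self.orders[order_id]
        if order["customer"] != customer:
            raise PermissionError("order belongs to another customer")
        if order["state"] != "paid":
            raise ValueError(f"order is {order['state']}, not paid")
        order["state"] = "rewarded"
        earned = order["amount_cents"] // 100 * POINTS_PER_DOLLAR
        self.points[customer] = self.points.get(customer, 0) + earned
        return self.points[customer]
```

The hardened version is also the one that leaves an audit trail: every award maps to exactly one order that went through the paid state, so a points balance with no matching payments is detectable in reconciliation.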

These flaws won't show up in testing and QA. And if you are the victim of a savvy attacker, they may not even show up while they are being fully exploited. Los offers the example of a man who had discovered how to hack a video poker machine so that he could change his bet after all the cards had been shown.

"You know how he got caught? He got greedy -- he won the maximum amount every time," Los says. "Unless you're stupid or greedy, you can make out like a crazy fox."

Posted by Michael Desmond on 03/18/2011
