
Web Application Exploit 101: Breaking Access Control and Business Logic

BSides Philly · 2017 · 41:38 · 538 views · Published 2017-08
Speaker: Tomohisa Ishikawa
Category: Technical
Team: Red
Style: Talk
About this talk
Explores how to identify and exploit access control and business logic vulnerabilities in web applications through manual penetration testing techniques. Covers why automated scanners fail to detect these issues, introduces the HTTP diffing methodology for parameter analysis, and presents real-world case studies alongside remediation strategies.
Original YouTube description
One of the critical attack vectors against web applications is exploiting access control and business logic. These are severe problems, but discovering these issues is difficult, because web application scanners cannot find these vulnerabilities and the ways of exploiting them depend on the web application design. In my talk, I would like to share the techniques penetration testers usually use, several case studies, and remediation methods. Tomohisa Ishikawa is a Japanese IT security consultant with seven years of experience. He specializes in penetration testing, incident response, vulnerability management, secure development, and security education. He has extensive experience leading domestic and international IT security consulting projects, and many opportunities to teach security essentials, secure programming, and secure design. He holds a Bachelor of Arts in Computer Science and several certifications such as CISSP, CISA, CISM, CFE, QSA and GIAC (GPEN, GWAPT, GXPN, GWEB, GSNA, GREM, and GCIH). He is also in a doctoral program where he will obtain his Ph.D. degree. Tomohisa Ishikawa
Transcript [en]

Thank you for coming to the last session. My presentation is about web applications. Throughout this conference there have been a lot of penetration testing presentations, with very awesome, comprehensive content, and today we also talk about web application penetration testing, especially focusing on breaking access control and, at the same time, on business logic abuse. This is kind of a traditional vulnerability class, but it is very important, so we focus on it today.

First of all, let me introduce myself. My name is Tomo. I'm a Japanese security consultant with eight years of experience now, and my specialty is kind of red-team style work such as web application penetration testing, network penetration testing, as well as incident response, vulnerability consultation, vulnerability management, and security awareness training. At the same time I am a PhD student now. I have been a speaker at a bunch of conferences in the United States, for example [inaudible]. I also have a bunch of certifications such as CISSP or [inaudible]. So this is my profile.

Today's talk overview. First of all, the goal. What is the goal? The goal is to share my experience of web application penetration testing, especially focusing on access control abuse and business logic abuse. Second, why I focus on these vulnerabilities: because these vulnerabilities can be discovered only by manual testing. What does that mean? There are a bunch of security scanners such as [inaudible], WebInspect, or AppScan, but still, in terms of finding access control vulnerabilities, they only help in some particular parts, only small parts. That is why I try to share how to find these vulnerabilities by manual testing. This is the goal of my presentation. Here is the agenda: first of all I very quickly look at a web application security overview, then I will discuss access control abuse and business logic abuse, and then wrap up. So let's go one by one, but before that,

there is a disclaimer. First of all, these are my thoughts and not my employer's. Second, all information provided in my talk is for educational purposes only; don't abuse it on external sites. Also, do not try to exploit these techniques in an external environment without the necessary permission. When we do penetration testing we get permission, which is called a get-out-of-jail-free card, but without the permission you will have some legal problems, so do not try without permission. This is the first step. Also, I welcome any questions, but please speak slowly and clearly because I

am a non-native speaker actually. So this is the disclaimer. Let's look at the issues one by one. First we look at the web application security overview. If you consider web application vulnerabilities, there are a bunch of vulnerabilities such as SQL injection or cross-site scripting; there are a lot of vulnerabilities there. One good resource to understand what the vulnerabilities are is the OWASP Top 10; it's a very great resource to understand what kinds of vulnerabilities there are. As I said, we focus on the vulnerabilities of access control and business logic; this is classified as [inaudible], and we focus on this part.

Also, the testing methodology: if you try to start some penetration testing in your company, I definitely recommend having a testing methodology. Having a testing methodology is very important; you have to keep consistency and also a process. There are a bunch of good resources about testing methodology, such as the Penetration Testing Execution Standard and the OWASP Testing Guide; great resources. At the same time, if you want to start a career in penetration testing, I definitely recommend having some testing environments. There are a bunch of test environments here; for example, Web Security Dojo by Maven Security is a great resource. Also OWASP BWA (Broken Web Applications) is not an active project, but it's still a very great resource. At the same time, BadStore is also a great resource; it's actually [inaudible]. Also SamuraiWTF is still a good environment for practicing penetration testing; at DerbyCon in 2016 one guy said they tried to rebuild the whole of SamuraiWTF, but this is still not available now, although it will be coming soon. Also, if you are curious about this field, I definitely recommend reading [inaudible]; it's a great resource about web application testing.

In the category of web application testing, when we do penetration testing there are two types of test here. The first one is the automated scan and the other one is manual testing. What is the automated scan? Basically you have a configuration and just run it; this is automated scan testing. There are pros and cons. The positive side of the automated scan is that it is a very powerful methodology to find parameter manipulation vulnerabilities such as SQL injection or cross-site scripting. Also it's very easy to use, so even though the maturity level of penetration testing in your company is not so sophisticated, these tools can still guarantee a certain level of penetration test. That is why this is very powerful on the positive side. But at the same time there are negative sides: there are false positives, and also there are a lot of limitations. Some vulnerabilities, such as access control, cannot be found; it cannot find these vulnerabilities. Also, sometimes when we do the scan with the scanner it impacts the system. So there are a couple of negative sides. On the contrary, on the manual testing side, basically what we have to do is use the knowledge of penetration testing first, and at the same time we utilize a local proxy such as Burp Suite, Fiddler, or ZAP. The positive side: you can find any vulnerability if you have the skill. But at the same time, on the negative side, it is a very time-consuming technique and also depends on the skill of the penetration tester. There are pros and cons, but in usual penetration testing we combine these techniques, and at the same time we seek efficiency.

I want to focus a little bit on the negative side of automated scanning. Actually there are a couple of limitations in automated scanning, and there is some research. One piece of research came from the DHS, the Department of Homeland Security. They have a report that said 67% of high-impact vulnerabilities require manual testing. What they mean is that automated scanning is still very powerful, but there is still a limitation. Also, another company's research, from [inaudible], a Japanese security company, revealed that 24 percent of access control vulnerabilities are classified as critical, and that discovering access control vulnerabilities means understanding the web application design, and it is extremely difficult to detect access control issues with scanning. So there are a bunch of limitations. Now we have discussed some sort of limitation of

these tools. Now we discuss the actual vulnerabilities. First of all we'd like to see access control abuse. Before starting the discussion, what is access control? Access control is sometimes called authorization. Basically, access control allows access to a resource only to those who are permitted. In other words, an access control violation or access control abuse means someone who is not permitted can access some resource. This is the meaning of the vulnerability. Let me explain access control with some sort of picture. Technically there are two classifications, which are horizontal access control abuse and vertical access control abuse. In order to explain this concept I have some sort of picture of an insurance company's internal system. Here, this vertical line means the privilege level: there is the unauthenticated area and the authenticated area, and there is a privilege level. Of course, administrator is a high privilege. On the contrary, the horizontal line here means the coverage of available data. For example, an agency in the insurance company can only see the customer data of that agency, so that is very low coverage. On the contrary, for example, regional underwriter Y can see the data of agency A and agency B, and some sort of accounting data of region Y. Imagine that kind of system.

I'd rather explain what horizontal access control abuse means and what vertical access control abuse means. First of all, horizontal access control abuse. Basically, horizontal access control abuse is the horizontal one: for example, agency A can see the data of agency B, or underwriter X can see the data of underwriter Y. This kind of horizontal access is classified as horizontal access control abuse. There are a bunch of synonyms here; for example, some people say impersonation, some people call it spoofing, some people say data-layer access control abuse. There are a lot of varieties of words, but this is the basic concept of horizontal access control. Another example: let's imagine a shopping site, and user A can see some purchase history here, like on Amazon. If you click the link you just send an HTTP request and it shows the details immediately. In order to identify the details it sends an ID, such as a history ID here, but if you change the number of the ID from 12345 to 12346, maybe we can see the data of another person. This is a kind of horizontal access control abuse. Does it make sense?

Let's go to the other one, which is vertical access control abuse. It's about access control; it's the vertical stuff. For example, one of the abuses is that an agency can see the underwriter's data or use the underwriter's function, or corporate planning can abuse a function of the administrator. This is vertical access control abuse; in other words, some people call it privilege escalation. Another variety here is an unauthenticated user abusing the function of an authenticated user. For example, an unauthenticated user accesses some specific URL and can see the agency data; sometimes we say this is forceful browsing. It's another type of access control abuse. Another name: some people call this business-layer access control abuse. There are a bunch of words, but this is the basic concept of vertical access control abuse. Here is another example: in the case of the shopping site, if you access as user A, this is ordinary access by an ordinary user, but if you access the administrator URL, maybe you can see the data of the administrator, and if you abuse the administrator's functions, this is vertical access control abuse. This is the second type of access control vulnerability.

Basically, there are a lot of complexities depending on the application, depending on the complexity of the system, but the basic concept of access control is this. In this presentation I explained the mechanism of how access control is abused. At the same time, I think you understand that it is difficult for an automated scanner to find this problem, because access control is defined by human beings, defined by design, defined by business requirements. That is why it is hard to teach this to an automated scanner. If it is defined by humans, of course in the future maybe we can teach it, but in the current situation it is very hard to teach. So the scanner cannot judge whether or not the phenomenon is intended access control or an access control violation; sorry, the scanner cannot judge this. So that is why we need manual testing; we have to do some manual testing. Now we understand that, the question is how can we find these vulnerabilities. The answer, at a high level: the most important principle to find these vulnerabilities is understanding the web application design,

application behavior, and the meaning of each parameter as much as possible. Of course, if you understand the web application very well and understand the application design, you can find these vulnerabilities. But of course this is the most basic principle in penetration testing; we have a couple more techniques to find these vulnerabilities. Today I introduce three kinds of technique, which are called targeting, diffing, and fuzzing. Let's look at them one by one.

The first one is targeting; it's a very easy concept. Basically, one of the techniques is to focus on some suspicious parameter names or suspicious data points, for example suspicious parameter names such as customer ID, history ID, page ID, role ID, or [inaudible]. They're the kind of parameters which look like they control access. We try to find these parameters and try to focus on and manipulate them. This is one of the policies. The other point we can look at is cookies. Sometimes some applications issue cookies such as mode=1; if you change the mode value from 1 to 2, maybe the behavior will change, for example. Or some application issues user=John; if you change it to Bob, maybe the behavior will be different. So we focus on this kind of stuff. The other point is the URL. If you look here, contents/12345; if you change it to 12346, maybe different content is available.

Let's look at some sort of example. [inaudible] is a very famous deliberately vulnerable application. Usually when freshmen join my company I ask them to do penetration testing on this system, so there is a lot of learning there. For example, here there is a registration page; you put in the name, email, and password, and then a secret question here: what's your favorite color? It's not much of a secret question, but anyway, try to input this information and send the request. In this request here there is a parameter role=u; maybe u means the user. So that is why, as a penetration tester, what we have to do is change it to a, for example; if we change it to a, maybe a means administrator, or if you change it to s, maybe this means supplier. We try this kind of stuff at this stage. Targeting is very simple but a very powerful technique. But there is a caveat here: some applications have self-explanatory naming, but some applications do not provide any hints. So this is another example; the other application has one like this. This is a kind of image of an HTTP request I saw previously. If you look here, there is no clue what each parameter means; I don't understand the meaning of each parameter here because there are no names. Since I don't have any information from the developer, how is it possible to create this kind of HTTP request? I'm not sure; rarely we see this kind of request, but there is no evidence and no clue to find the meaning of these parameters. In this case the targeting technique doesn't work at all.

In these cases we use a different technique called diffing. Diffing is originally an exploit analysis technique. If you're familiar with exploit analysis techniques, diffing is very famous. Basically, in the context of exploit analysis, diffing is: get the binary before the patch, then apply the patch and get the patched version, then compare the binary before the patch and after the patch and find the vulnerability. This is diffing in the exploit analysis context. But in the web application testing context, HTTP diffing means HTTP request difference analysis.

Before explaining the concept, let me share the assumption of this technique. As you know, HTTP is a stateless protocol, so all behavior of the web application is decided by HTTP requests. Do you understand what I mean? Basically all behavior is decided by HTTP requests; in other words, the difference in HTTP requests reflects the difference in behavior. This is the basic assumption for discussing diffing. So what is diffing? Diffing is basically comparing almost similar HTTP requests and finding the unique attribute that makes the application behavior different. I usually compare HTTP requests of different users with the same role on the same page, for example, or different users with different roles on the same page, or different users with different roles on similar pages. By comparison we can see which attribute changes the behavior.

Let's discuss an example. For example, this HTTP request is showing the order history detail; when you click here the application sends this request. We try to find some parameter like the history ID from here, but there is no clue here. So what we try to do in the penetration test is create two HTTP requests: first of all, log in as user A, access the order history detail and capture the HTTP request here; then log in again as user B, access the order history, and create the HTTP request for the order history detail. Then we get the two HTTP requests and perform a kind of diffing here. This is the kind of tool, a GUI version of the diff command. Basically we compare the requests; the red part is a kind of marker showing the difference between the two requests. One of the differences is a cookie, our HTTP session ID value; of course it is different because you have different users. Also this parameter is different, and this parameter is different. Because of the comparison, we can focus on these three parameters. Of course the session ID is the usual thing, so I ignore it, but we focus on the two parameters to find out whether or not there is a vulnerability. For example, try to log in as user A again, create the HTTP request, and then change the value from 3910 to the value from the other user. In this case I can see the data of user B; maybe we can abuse this as horizontal access control abuse. If it doesn't work, I try the other one and see whether or not there is a vulnerability. This kind of technique tells you which parameter has a potential vulnerability. Does it make sense for you guys? Cool.

I show another example, of vertical access control abuse. Here is David. It's WebGoat, also a vulnerable application. David is a manager, and a manager can see several employees, several team members. Bruce is under David, and since David is a manager he can see the profile of Bruce. If we click the link, the HTTP request is like this. On the contrary, if you log in as John, John is the administrator, and he has functions such as see all employees, which includes Bruce. Also, since this guy is an administrator, he can delete the data of an employee; if we create the delete profile request, it's like this. So in this case this is the situation. The question is: is it possible to abuse the access control with David's privilege? Basically a manager doesn't have the right to delete a profile, so the question is, is it possible to delete the data with a manager's privilege? To find this vulnerability, it's a very simple case; in theory you don't need to do diffing, but I actually explain the diffing concept with this example. In this case, try to compare the HTTP requests of the different roles and similar functions. If you compare these two requests, there are several differences; maybe one, two, three, four. Of course, in this case, action=ViewProfile and action=DeleteProfile are the most doubtful parameters. So in this case what we try to do is access as David again, click Bruce and View Profile, then change the value from ViewProfile to DeleteProfile and send the request. Then we can confirm that the data is deleted. So diffing is a kind of technique that is very useful to find which parameter is most suspicious. Maybe you think that I only showed examples in vulnerable applications; does it work in reality? Yes, I

showed some sort of example from real cases. The situation is that there is medical practice management software. This software manages the patient medical history or operation management, and the testing situation is like this: there are two accounts here. One of them is called front office, which is kind of a receptionist privilege; they can make reservations for patients or do the accounting, the cashier accounting, for patients. This privilege has a My Account function; basically they can change the user information, kind of the name, phone number, or [inaudible]. On the contrary, the other privilege is administrator; they have the user management function. The administrator can change any user information, including the user privilege. That's the situation.

Here there is the My Account page of the receptionist privilege. If we access this page you can change the user name or a bunch of information such as tax ID or maybe [inaudible] ID. If you click Save here, the application issues an HTTP request: action=user, method=updateUser. On the contrary, if we access with the administrator privilege, go to the User Management page, and since in the User Management page you can manage any user, go to the front office user. It's the same as the previous example, and then on this page, since he is the administrator, he can change the access control level. If you click here, it issues a request like action=user, method=updateUser. The question is: these two requests look similar. If we compare them, like this, these look similar, so I use some sort of tool here to compare the two requests. This is the HTTP request of the My Account function with the front office privilege, and this is the HTTP request of User Management for the front office user as administrator. Basically the difference is the added parameters in this case. So basically, in the User Management page, what this application does is add some parameters and then give some sort of more privilege. If you analyze the difference, here is the role ID. So if you find some sort of difference, there might be a hypothesis: if you add the role ID here, maybe we can change the access control. This is a reasonable hypothesis. So through the comparison analysis, there is a hypothesis: if I add the role ID here, maybe we can change the access control, even though I am the receptionist. This is my hypothesis. Again, I added role ID = 1; the receptionist has role ID 5, but through the analysis I understand role ID 1 means the administrator privilege. So if we add this parameter to the original request, maybe we can abuse this problem. Let's try it. What we have to do is log in again with the receptionist privilege, go to My Account, click Save, capture the HTTP request with an interceptor, add this parameter role ID = 1, and then resend. If you look here, previously there were only a few small menus, only a few, but after that we can see a bunch of information, a bunch of menus here. So what does that mean? That we can perform privilege escalation by adding some parameters.

So this is a very powerful technique to understand which parameter is potentially vulnerable in terms of access control, as I showed you in a couple of examples. Actually this technique is very powerful. In the worst application I have penetration tested, each page, each HTTP request had one thousand parameters every time. It's crazy; I wanted to kill myself, but since they had a contract, and also in the service level they agreed that we do manual testing in order to find access control vulnerabilities, I had to test 1000 parameters. But I don't want to waste time, so that is why, by using some sort of diffing, I tried to find potentially vulnerable parameters and focus on them. This sort of thing was very useful in the real world.

If diffing is not workable in the web application (usually it works, but if it doesn't work), the final method is fuzzing: basically, try to change the parameter value randomly. But it's very tough and very time-consuming, so that is our final strategy.

In terms of remediation of access control, basically the access control problem should be part of the web application design

process. Usually the reason why this problem gets implemented is that access control is bolted on afterwards. That is why this kind of design should be implemented before the implementation; it should be done in the design process. Also, in the development process you should define who changes what. I think an access control matrix like this, which is actor versus function, is very helpful. Usually, when I do penetration testing for a client, I ask: do you have any access control matrix? If they say yes, we have it, usually they don't have a vulnerability. On the contrary, if they don't have it, usually there is a vulnerability. So that is why having this kind of matrix in the design process is very critical.

Let's look at business logic abuse here. Before discussing business logic abuse, what is business logic? In terms of the penetration testing definition, simply, one of the definitions is: business logic in the application models real-life business objectives; the business rules and workflow drive the application. So basically, business logic in the web application means trying to model the real-world operation. Based on this definition, what is business logic abuse? Business logic abuse is abusing inappropriate modeling. In terms of finding this vulnerability, there is a lot of variety of abuse; there is no systematic approach to find these vulnerabilities. Basically, there are a lot of examples; I wrote down some examples here. For example, buying some product on a shopping site with a [inaudible] price; there are problems there. Or there is some vulnerability like [inaudible] in financial system transactions. For example, here is a vulnerable example actually discovered in a Japanese bank's internet banking application; it was covered in a Bloomberg article. I'll explain some sort of how to abuse this kind of business logic. The assumption of the example: in the banking internal system

there is one system in the banking institution. This system has an emergency mode to change the foreign exchange rate. It is originally for a foreign exchange market crash. Of course the foreign exchange rate is decided by the market usually, but if there is some crisis, like a default or some financial emergency, this system doesn't work, so that is why there is an emergency mode. So how to abuse this application? I give an example here. First of all, what we have to do is create a bank account in Japan and at the same time a bank account in the United States. First, deposit 1 million Japanese yen into the Japanese account. Using emergency mode, change the currency with a modified rate; usually 100 Japanese yen equals 1 dollar, but by using emergency mode the US banker can change to any rate, so they can change it to 10 Japanese yen per dollar instead of the usual 100. Then the 1 million yen goes to 100k dollars in the United States. Then exchange back with the usual rate, 100 Japanese yen per dollar, which means they got 10 million dollars. This happened in 2016; there was a bank [inaudible]. This is a kind of abuse, and a wonderful example of business logic abuse.

Basically what we have to do is understand the web application very well; it's very important. Without understanding it, it's very difficult to find this vulnerability. But there are some general guidelines to find this kind of vulnerability. First of all, understand the business process as much as possible; that's basic ground rule 1. Basic ground rule number 2 is to compare the actual business process with the business logic on the web application. We basically check some data validation, or process, or conditions to execute some process, or check some privileges. Based on these four perspectives, we try to analyze and compare the actual business process and the business logic on the web application and try to find some sort of vulnerability. As a penetration tester this understanding is very important, but at the same time, knowing various examples is also helpful. As [inaudible] said, if you know over 1,000 cases, then solving one case will be easy, because you know a lot of cases. So based on this, I definitely recommend, if you want a penetration testing career in this field, if you want to find business logic vulnerabilities, I definitely recommend you understand as many examples as possible. There are a bunch of vulnerabilities there. Actually, when I do penetration testing in my job, I can earn 1 million dollars in 10 seconds; I earned a lot of money in the foreign exchange trading system. I considered escaping from Japan, skipping Japan; I tried to go to the market, you know, but I'm still there; I still report to the client, so that is why I am here and still working now. But there are a bunch of examples; maybe you have heard about some, maybe you see some jackpot there. But you have to know a lot of examples in order to find these vulnerabilities.

So here's the wrap-up. What I tried to do: I shared my experiences, especially focusing on how to find these vulnerabilities with manual testing. Also, what I tried to say is that access control and business logic vulnerabilities will be discovered only by manual testing. Yes, the scanner is very powerful and very helpful, but in order to find these vulnerabilities you should do manual testing. At the same time, using these techniques saves time in the penetration test. That's my content. Thank you for coming. That's all.

If you have any questions... No questions? Okay, thank you.
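The HTTP diffing procedure the talk describes (capture the same function as two users, diff the requests, ignore the session cookie, then replay the low-privilege request with the privileged values), written out as an added Python example. This is not the speaker's code or a tool shown in the talk; the two captured requests, the cookie names and the parameter names are constructed for the example, modelled on the order-history and role ID cases.

```python
"""HTTP request diffing for access-control testing.

Added example; not the speaker's code. Two raw HTTP requests for the same
function, captured as different users or at different privilege levels, are
parsed into query, cookie and form-body parameters. Parameters that differ
only because each session carries its own token are dropped, the rest are
ranked, and a replay request applies the privileged values to the
low-privilege session. The captures, names and cookie list are constructed.
"""
from urllib.parse import parse_qsl, urlencode, urlsplit, urlunsplit

# Cookies that hold the session always differ between two users and are not
# an access-control clue (assumption: extend for the target application).
SESSION_COOKIES = {"jsessionid", "phpsessid", "asp.net_sessionid", "sessionid", "sid"}

# Name fragments that make a parameter worth targeting first (assumption).
SUSPICIOUS_HINTS = ("id", "role", "user", "account", "customer", "admin", "priv", "level")


def parse_request(raw):
    """Split a raw HTTP/1.1 request into request line, headers, and a
    {(location, name): value} map covering query, cookie and body params."""
    head, _, body = raw.replace("\r\n", "\n").partition("\n\n")
    request_line, *header_lines = head.split("\n")
    method, target, version = request_line.split(" ", 2)
    headers = []
    for line in header_lines:
        if not line.strip():
            continue
        name, _, value = line.partition(":")
        headers.append((name.strip(), value.strip()))
    lookup = {name.lower(): value for name, value in headers}
    url = urlsplit(target)
    params = {}
    for k, v in parse_qsl(url.query, keep_blank_values=True):
        params[("query", k)] = v
    for piece in lookup.get("cookie", "").split(";"):
        if "=" in piece:
            k, v = piece.strip().split("=", 1)
            params[("cookie", k)] = v
    if "application/x-www-form-urlencoded" in lookup.get("content-type", ""):
        for k, v in parse_qsl(body.strip(), keep_blank_values=True):
            params[("body", k)] = v
    return {"method": method, "url": url, "version": version,
            "headers": headers, "params": params}


def diff_requests(raw_low, raw_high):
    """Return {(location, name): (low_value, high_value)} for every parameter
    whose value differs; None marks a parameter missing on one side."""
    low, high = parse_request(raw_low), parse_request(raw_high)
    diffs = {}
    for key in sorted(set(low["params"]) | set(high["params"])):
        lo, hi = low["params"].get(key), high["params"].get(key)
        if lo == hi:
            continue
        if key[0] == "cookie" and key[1].lower() in SESSION_COOKIES:
            continue  # different session, not different access: ignore
        diffs[key] = (lo, hi)
    return diffs


def rank_candidates(diffs):
    """Order the differing parameters: suspicious names first, then those
    present only in the privileged request, then alphabetically."""
    def sort_key(item):
        (_loc, name), (lo, _hi) = item
        hinted = any(h in name.lower() for h in SUSPICIOUS_HINTS)
        return (not hinted, lo is not None, name)
    return [key for key, _ in sorted(diffs.items(), key=sort_key)]


def build_replay(raw_low, diffs):
    """Rebuild the low-privilege request with the privileged value of every
    differing query/body parameter (added if absent, removed if the
    privileged request lacks it), keeping the low-privilege cookies."""
    req = parse_request(raw_low)
    params = dict(req["params"])
    for (loc, name), (_lo, hi) in diffs.items():
        if loc == "cookie":
            continue
        if hi is None:
            params.pop((loc, name), None)
        else:
            params[(loc, name)] = hi
    query = urlencode([(n, v) for (loc, n), v in params.items() if loc == "query"])
    body = urlencode([(n, v) for (loc, n), v in params.items() if loc == "body"])
    target = urlunsplit(req["url"]._replace(query=query))
    lines = ["%s %s %s" % (req["method"], target, req["version"])]
    for name, value in req["headers"]:
        if name.lower() == "content-length":
            value = str(len(body))
        lines.append("%s: %s" % (name, value))
    return "\r\n".join(lines) + "\r\n\r\n" + body


# Constructed captures modelled on the medical-practice case in the talk: the
# same updateUser function reached from My Account as the receptionist and
# from User Management as the administrator editing that receptionist.
MY_ACCOUNT_REQ = (
    "POST /app HTTP/1.1\r\n"
    "Host: practice.example\r\n"
    "Cookie: JSESSIONID=A1B2C3; lang=en\r\n"
    "Content-Type: application/x-www-form-urlencoded\r\n"
    "Content-Length: 71\r\n"
    "\r\n"
    "action=user&method=updateUser&user_id=5&name=Front+Office&phone=5551234"
)
USER_MGMT_REQ = (
    "POST /app HTTP/1.1\r\n"
    "Host: practice.example\r\n"
    "Cookie: JSESSIONID=Z9Y8X7; lang=en\r\n"
    "Content-Type: application/x-www-form-urlencoded\r\n"
    "Content-Length: 81\r\n"
    "\r\n"
    "action=user&method=updateUser&user_id=5&name=Front+Office&phone=5551234&role_id=1"
)

if __name__ == "__main__":
    found = diff_requests(MY_ACCOUNT_REQ, USER_MGMT_REQ)
    for key in rank_candidates(found):
        print(key, found[key])
    print(build_replay(MY_ACCOUNT_REQ, found))
```

Run stand-alone, the ranked list comes out with role_id first, and the replay keeps the receptionist's JSESSIONID while carrying role_id=1, which is the request the talk resends through the interceptor. The same functions handle the horizontal case (two users, same page, history_id differs) without changes. The diff only says which parameter to try; confirming the vulnerability is still a matter of sending the replay and comparing the response against what the low-privilege user is supposed to see.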
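The remediation the talk recommends, an access control matrix defined at design time and enforced on every request, as an added Python example; this is not code from the talk or from any product the talk mentions. The vulnerable handler mirrors the bolted-on pattern from the medical-practice case (whatever fields the browser posts get written, role_id included); the hardened one derives the function from the session and the target rather than from the page the user reached, and rejects any field the matrix does not list for that role and function. Roles, function names and the user table are constructed.

```python
"""An access-control matrix enforced on the server.

Added example; not code from the talk. The matrix produced at design time
(which role may call which function, and which fields that function may
change) is the single source of truth, and the update handler consults it
before touching data. update_user_vulnerable mirrors the bolted-on pattern
from the talk's medical-practice case, where every posted field, role_id
included, was written. Roles, names and the user table are constructed.
"""


class Forbidden(Exception):
    """Raised when the matrix denies the call or one of its fields."""


ADMIN_ROLE_ID = 1
ROLE_NAMES = {1: "admin", 2: "receptionist"}

# Design-time matrix: (role, function) -> fields the call may change.
# No entry means the call is denied outright.
MATRIX = {
    ("receptionist", "update_own_profile"): frozenset({"name", "phone"}),
    ("admin", "update_own_profile"): frozenset({"name", "phone"}),
    ("admin", "update_any_user"): frozenset({"name", "phone", "role_id"}),
}


def fresh_users():
    """Constructed user table: user_id -> record."""
    return {
        5: {"name": "Front Office", "phone": "5551234", "role_id": 2},
        9: {"name": "Admin", "phone": "5550000", "role_id": ADMIN_ROLE_ID},
    }


def role_of(users, user_id):
    return ROLE_NAMES[users[user_id]["role_id"]]


def _coerce(name, value):
    return int(value) if name == "role_id" else value


def update_user_vulnerable(users, session_user_id, params):
    """Bolted-on access control: reaching the page was the only check, and
    every posted field is written, so a smuggled role_id=1 escalates."""
    target = users[int(params["user_id"])]
    for name, value in params.items():
        if name != "user_id":
            target[name] = _coerce(name, value)
    return target


def update_user(users, session_user_id, params):
    """Hardened: the function is derived from the session and the target
    (not from the page), the matrix must allow it, and only matrix-listed
    fields are accepted; anything else is rejected, not silently dropped."""
    caller_role = role_of(users, session_user_id)
    target_id = int(params["user_id"])
    function = "update_own_profile" if target_id == session_user_id else "update_any_user"
    allowed = MATRIX.get((caller_role, function))
    if allowed is None:
        raise Forbidden("%s may not call %s" % (caller_role, function))
    requested = set(params) - {"user_id"}
    extra = requested - allowed
    if extra:
        raise Forbidden("%s may not set %s via %s"
                        % (caller_role, sorted(extra), function))
    target = users[target_id]
    for name in requested:
        target[name] = _coerce(name, params[name])
    return target


def denied(handler, users, session_user_id, params):
    """True when the handler rejects the call and leaves the table untouched."""
    before = {uid: dict(rec) for uid, rec in users.items()}
    try:
        handler(users, session_user_id, params)
    except Forbidden:
        return users == before
    return False
```

The hardened handler raises on a disallowed field rather than dropping it silently: a role_id arriving in a My Account update is something no legitimate client sends, so the rejection is worth logging as well. The same (role, function) lookup also covers the horizontal case, since a receptionist posting another user's user_id is routed to update_any_user, which the matrix never grants to that role.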