
Welcome everyone. Good morning first of all, or it's about to be good afternoon in the region I am in right now; for me it is good night, because it's 11 p.m. So we'll be starting our session. First of all, the topic of the day is: what are we really missing in web applications nowadays?

A short and quick introduction about myself, who I am and what I do. My name is Mirza Burhan Baig and I'm currently working as a threat analyst and red teamer at a bank in Riyadh, Saudi Arabia. The bank is Riyad Bank itself, so it's a government, semi-government bank. My career started in 2013 as a bug bounty hunter; as you can see, I've been acknowledged by Google, Microsoft, Facebook, etc., the top-notch companies, and today I still do some work on web hacking for the bucks nonetheless. I'm OSCP certified, and eWPTX is another certification; my credentials include mobile and network as well. I've been working mostly for the financial, health, business and government sectors, and some other sectors too. So this is my quick introduction: bug bounty hunter turned threat analyst.

So the question is: what are the current and critical web application flaws nowadays, and what are the major changes in the OWASP Top 10? I'm sure most of you have heard about the OWASP Top 10. This is a baseline, we can say, for testers of web applications; they can test their web applications according to the checklist provided by OWASP. If we go from 2017 to 2021, we can see there have been major changes in the latest update. Why? Because injections were the first, very critical thing in 2017 and still are, unless we have a new baseline and framework that we use for testing. I'm not going to dive into all the changes, but the main part I'll be talking about in this presentation is the bug that moved from A5 to A1: broken access control, which includes your session management, your IDORs, your privilege escalations and whatnot. A major change has been made in 2021, and we have to see why we need a change. Why is there a need for a change? Maybe that's a very normal question for everyone: everything evolves, right? Life, humans, technology, security; everything needs to be updated. Nothing is perfectly defined, so that's why we need a change.

Then the most important thing, the topic I'll be discussing further, is something that your static scanners cannot detect. How and why, we'll discuss. By static and dynamic scanners I mean that you have heard about Netsparker, Acunetix and the ton of other scanners that are used for web scanning. The vulnerability I'll be discussing today, those scanners cannot detect; why, we'll discuss. I'll take one example: injections are protected. That includes your XML external entity injections as well, your SQL injection, your server-side template injection and some other injections. We'll just discuss SQL injection for this specific slide. How are they protected? My main question is that there is something that is not protected, while the thing that has been most critical from 2017 till now, injection, is protected. How? Because of the frameworks, libraries and plugins created by developers for developers. We have tons of libraries for .NET, Python, Java and whatnot, so we can use those libraries for input validation as well, right? If you're a programmer and you're listening to this, you can google and use a secure library for input validation for .NET and for any other language. These are already protected by the community, for the community. So the main thing is we can use multiple approaches to secure that. Frameworks nowadays, and mostly browsers, are very intelligent: if you try to do an XSS, cross-site scripting attack, the browser will not pass your query, or there are certain plugins that will not pass your query, so you have to do input validation from the front end and the back end as well. If we talk about other vulnerabilities, there are thousands that can be discovered and talked about, and how a framework protects against them, but what we are talking about right now is business logic flaws. You heard me right: business logic flaws. Broken access control is... broken.

So what is a business logic flaw, what are business logic vulnerabilities? We'll discuss a very small example for business logic: a sequence that a business user, or us, uses to access or deliver certain things. (Oh, my internet connection is unstable. It's perfectly fine now, I guess.) So what is a business logic flaw? Following a sequence for a user or a business, we call it a business logic flaw. For the sake of the example we take the login of Facebook, Twitter or Instagram, anything. First step: go to the website. Second step: put in your credentials, your username and password. Third step: log in, and you will be redirected to the dashboard; then you can move to friend requests or messages or something else. The sequence is A, B, C: you go to the website, you put in the credentials and you enter the dashboard. What if I can break the sequence from A to C, skipping the B part, which is providing your credentials? That's right, you are thinking in the right direction, because I'm talking about a cross-site scripting attack in this situation: if we steal the cookies of the insecure website, or we... That's right, that is business logic as well, but that is a systematic way of bypassing the business logic. What if the sequence itself breaks? We'll discuss that, because I have a lot of examples that I have encountered in my professional capacity while doing... and I have the rights to discuss them.

So how do these vulnerabilities, the business logic flaws, arise? It's total negligence of the developers, because while coding thousands of lines they are confident enough that they are programming it perfectly. And yeah, they are programming it perfectly, but let me give you an example for the .NET programmers, if someone is listening in the .NET capacity. .NET programmers, we have the controllers, right? We have the views, we have the models. What if I have checked every controller of my website, but I have left one controller unchecked for privilege escalation, for IDOR, insecure direct object references, or bindings? The most important and critical thing is session binding. When we are talking about it, anyone can access that specific controller without any session, with all the data in it. For example, if I search for something while I'm logged in, I capture the request in Burp, pass it to Repeater and click the repeat button. But what if I click logout and then try the search again with Repeater? In reality it should not bring me the results; it should say you are logged out, please log in again. But what if the results come up and I can see all the results of my search? That is my business logic flaw. Why does that happen? Because of the negligence of the developers.

But what is the impact of business logic flaws? Very, very, very disastrous, basically. If I tell you something: go to any bug bounty hunting program and you'll observe that the most highly paid bugs are business logic flaws, where a user tries to break the sequence and bypasses the system, so they are highly paid. There was a guy, I'm not sure about his name, but he bypassed the OTP of Instagram a few months ago, or I'm not sure, a year or two years ago. He chained proxies, changed IP addresses simultaneously and applied some tricks; I'm not sure about the process, but he bypassed the OTP of Instagram. Instagram paid him 20 grand, 20,000 US dollars, as a bug bounty, and after they fixed it, some time later that person bypassed the OTP of Instagram once again. So best of luck and good luck to them: they paid him 15,000 more into his bucket, so in total, if you talk about it, 35,000 US dollars for a single vulnerability. Why? Because the team was unable to patch it properly again. So this is the power of the business logic flaw: if you are able to capture all the data that resides in a website somehow, and it bypasses the sequence, you have the critical data in your hands.

Now if you talk about the common vulnerabilities in business logic flaws (I'm using the short form BLF), what are the few vulnerabilities and the misconceptions? Misconception number one I'll be talking about over here: a trusted user won't always remain trustworthy. The second: users won't always supply mandatory input. The main example for this: someone asks me for my name and I insert digits or a special character. In reality it should block my request from the front end to the back end, but the problem is, if there is a bypass from the front end, that's perfectly fine; you can capture the request in Burp, alter it and supply whatever you want. That's perfectly fine from the front end, but if you talk about the back end, the server should be processing and checking the data that is coming from the front end. So now, the user won't always supply mandatory input. I recall, if someone is asking for my name and I put curly brackets or square brackets and I put two multiplied by two, actually attempting server-side template injection, it should not pass; it should directly say please do not use special characters or digits in this field. But we think that users will always do whatever we ask them. Number three: the user won't always follow the intended sequence. I always say that if you follow the sequence and you try to break the sequence, that is the main part of business logic flaws.

Moving forward, the main thing I want to discuss over here is that I have identified a very critical vulnerability in a financial fraud management system that is used across the globe in the banking industry, I must say the financial industry, because they have to check fraud management and all the other things. Coming to the point, what happened here: I published that report to Oracle and they published the CVE for it. That's the number; if you want to check it out, you can go to this specific number. The main thing is, if you notice on the left-hand side of the screen, there is a user, Analyst EP, that is my analyst EP, and there is Analyst MY. There are two analysts: one is highly privileged and the second one is a low-privileged user that can only see the reports, but the high-privileged user can also see all the data, all the logs, all the transactions in the system. What I did: I captured the data from the front end that is going to the back end, from Burp, and I intercepted the server response as well. I copied all the requests. If you want to do bug bounty, or if you want to check a business logic flaw, just follow my one instruction, or guideline, you could say: capture each and every request that the server and system generate and put them in a Notepad file, one, two, three, no matter how many files you generate; just copy and paste all the responses and all the requests, because you don't know which one will be bypassed. So what I actually did: I captured the request from the high-privileged user and put it back into Burp Suite (that's the second screen), and on the left-hand side, if you can see, the server is responding to me with all the critical logs, all the critical data, and I can search my new alerts, the date on which I have done that, and request anything. That was a critical vulnerability in an application just because of tampering with the parameters, just by bypassing the session and the session handling; with the session binding issues we can see all the data that a high-privileged user can see.

After this, as I said, I'm involved in the financial industry and the banking industry overall. The second vulnerability I want to discuss over here: there was a financial institution with a mobile application. From the left, we start with the first mobile screen: username and password. I put in the username and password; on the second screen they send an OTP to my mobile phone. I received the OTP, and what I did, I just put in an invalid OTP; the result is "invalid", right? But what actually happened: the first thing I did was log into my application and capture all the requests, then I moved that request as a privileged user. How did I do that? I captured all the positive responses from the server, 200, all the positive responses that come when I put in the correct OTP. I captured the request that the server is sending. That is the second vulnerability in the same application: if you put in the username and password and you put in an invalid passcode, let's say 1 2 3, it says invalid passcode, then it redirects you to the login... password and the login button, and it automatically logs you into the account. On the right-hand side screen, if you can see, that's my account. On the invalid password, what happened in the application: the application was checking just one failure of the OTP, and on the next step it bypassed the system. So that's the second thing I did in my practical experience.

Number three: this is also banking, this is internet banking, the same OTP bypass; I love to bypass OTPs, by the way. On the left-hand side, if you can see, I put in the username and password and the OTP as well. On the right-hand side, the upper image, highlighted, you can see otp_text and the digits; that's a legit OTP that I put in. Below you can see the response to the request I received. I captured this because that is my legit and perfect response that I want from the server. Now I am saving that in a Notepad file, because when I put in the correct OTP the server will respond like this; but how does it respond when I put in the wrong username and password and replace this exact field and the exact data with Burp Suite? Now, if you can see on the left-hand side, I put in the correct username and password; my OTP is wrong. In the center image you can see "provided OTP is incorrect", so the server is saying that your OTP is incorrect, but I have a request that will already bypass the system, and that is already a legit request from a user to the server, with the server responding in a positive way. So what I did: I just copied that, and when the server says the OTP is invalid, I remove that, paste my POST request or GET request, and bypass it. On the right-hand side you can see that the account is logged in. So that's how I bypassed three more different financial applications, and different aspects of them.

So the problem is, we are reaching our end, but we have to just cover security design flaws. This image has been taken from PortSwigger, the Burp Suite developers, and it explains this very, very quickly. An example is very easy: what I bypassed in the previous example, the mobile application, whenever I put the username and password in wrong, it bypassed the OTP. So here we go: first attempt for the username and password, first attempt username and password incorrect; the second attempt the same; the third attempt, it bypasses the system. It bypasses the system. So what can we do to secure that? We have to bind the session, and we have to bind all the security keys and all the controllers to a specific session, so whenever my web application tries to get data from the database or the controller, it will check my session binding. I bypassed the mobile application OTP with the help of this example, by the way.

Okay. In the first step, in the first slide, I said no dynamic or static analysis tool can detect business logic flaws, so where do we go, what can we do on the automation part? There is a plugin in Burp Suite, AuthMatrix, that's very easily available: you can repeat the workflows with different users, different user groups, and you can break the sequence of the web application you are using as well. So do check out AuthMatrix; there are tons of videos available on how to tune and how to configure your AuthMatrix, but this is something you need to use immediately for business logic, because you give it two usernames and two passwords, one high-privileged and one low-privileged; the high-privileged data will be saved and it will be attacked by the low-privileged one, to see if you have a vulnerability.

So if you are a developer and you are still listening to me, for source code you have to mitigate it. Why, how? You have to identify where the controls are carried out and where they are not. If they are carried out somewhere, you have to bind the session; but if there are no controls, and it does not bind the session or something else, the control you want is dividing and modelling. First of all, understand the application: understand the workflow, the connections, the data inputs and outputs; in short, prepare a threat model. If you don't know about threat modelling, just google it and there are tons of tools that will do a threat model for you. Then analysis of the controls: you have to analyse them; do the analysis of the parameters coming from the server or going to the server. So these are the few things you have to look into in the source code to mitigate the attack.

The last thing: what do you have to ask? These are the few things you have to ask when you are working on critical applications: when, how often, for how long. This question reminds me of a bug, concurrent sessions as well. People in the community know the concurrent session bug. What is that? Two users can log in simultaneously to the same account; that's not a good practice. Second thing: when, how often, or for how long. You just close your browser; for how long will your session stay established? For example, if you talk about a financial application, your business data, your banking data, your application should log itself out after two or three minutes of idle time, right? So these are the few questions you have to ask before implementation, before developing, and you have to carry these things out.

One final tip from my side: if you are talking about business logic flaws and you want to test it, go to the account manager or the business owner and ask them for two accounts, one high-privilege and one low-privilege. Try to manipulate the request and see the response, and if the responses change and the responses are divided into multiple parameters, try to change the parameters one by one. So that's it from my side, Salt Lake City. I hope you enjoyed it and learned something new about business logic flaws, and if you're a bug bounty hunter, do check out new bugs: the system sequence, that's a pro tip for tonight or today. Thank you very much everyone, I hope you had a good time. I'll see you soon. Thank you very much, everyone.
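The two-account test the speaker recommends, and the AuthMatrix-style replay of high-privilege requests with a low-privilege session, as an added Python example that is not part of the talk and not the AuthMatrix extension's own code. It simulates a small application in which one controller (`/admin/export`) forgot its authorization check, then replays every captured path as each role and as an unauthenticated client and reports where the observed access differs from what the business owner said it should be. The application, users, paths and session tokens are all constructed for the example.

```python
"""Authorization matrix check over captured requests (constructed example).

The tester's EXPECTED table says which roles should reach each path. The toy
application's ACCESS_POLICY is the developer's actual implementation, where
one controller has no check at all. The matrix replays every path as every
role, plus with no session, and reports each mismatch.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional, Set

# --- constructed toy application ------------------------------------------
USERS = {"analyst_high": {"role": "analyst_high"},
         "analyst_low": {"role": "analyst_low"}}
SESSIONS = {"sess-high": "analyst_high", "sess-low": "analyst_low"}  # token -> user

# What the developer actually enforces. None models a controller that
# serves data without looking at the session at all (the forgotten check).
ACCESS_POLICY: Dict[str, Optional[Set[str]]] = {
    "/reports/summary": {"analyst_high", "analyst_low"},
    "/alerts/search": {"analyst_high"},
    "/transactions/logs": {"analyst_high"},
    "/admin/export": None,  # constructed: missing authorization check
}

@dataclass(frozen=True)
class Response:
    status: int
    body: str

def handle(path: str, session: Optional[str]) -> Response:
    """Toy controller dispatch; enforces ACCESS_POLICY except where it is None."""
    if path not in ACCESS_POLICY:
        return Response(404, "not found")
    allowed = ACCESS_POLICY[path]
    if allowed is None:
        return Response(200, f"DATA for {path}")  # served to anyone
    user = SESSIONS.get(session)
    if user is None:
        return Response(401, "you are logged out, please log in again")
    if USERS[user]["role"] not in allowed:
        return Response(403, "forbidden")
    return Response(200, f"DATA for {path}")

# --- the tester's side -----------------------------------------------------
# Agreed with the business owner: who should be able to reach each path.
EXPECTED: Dict[str, Set[str]] = {
    "/reports/summary": {"analyst_high", "analyst_low"},
    "/alerts/search": {"analyst_high"},
    "/transactions/logs": {"analyst_high"},
    "/admin/export": {"analyst_high"},
}

def auth_matrix(expected: Dict[str, Set[str]],
                sessions: Dict[str, str]) -> Dict[str, List[str]]:
    """Replay each path as each role (and anonymously); return {path: findings}.

    sessions maps role name -> session token for that role.
    """
    findings: Dict[str, List[str]] = {}
    for path, allowed_roles in expected.items():
        for role, token in sessions.items():
            granted = handle(path, token).status == 200
            should = role in allowed_roles
            if granted and not should:
                findings.setdefault(path, []).append(f"{role}: unexpected access")
            elif should and not granted:
                findings.setdefault(path, []).append(f"{role}: expected access denied")
        # The logout/replay case from the talk: no session at all must never succeed.
        if handle(path, None).status == 200:
            findings.setdefault(path, []).append("anonymous: unexpected access")
    return findings

if __name__ == "__main__":
    for path, issues in auth_matrix(EXPECTED, {"analyst_high": "sess-high",
                                               "analyst_low": "sess-low"}).items():
        print(path)
        for issue in issues:
            print("   ", issue)
```

The check is only as good as the EXPECTED table, which is why the talk's advice to get the two accounts and the intended access rules from the account manager or business owner matters: a scanner has no way to know that `/admin/export` was meant to be high-privilege only, so it cannot tell a deliberate public endpoint from a forgotten check.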
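The mitigation the speaker describes, binding every step of the login sequence to a server-side session so that A cannot jump to C, a failed OTP does not fall through to success, a replayed request after logout is rejected, and an idle session expires after a few minutes, as an added Python example that is not part of the talk. The authentication state lives only in the server's session table and is never read from the client's request, which is what defeats the replay of a captured "positive" response. Users, passwords, the OTP value and the idle timeout are constructed for the example.

```python
"""Session-bound login sequence: credentials -> OTP -> dashboard (constructed).

Every transition is recorded against the session token on the server, so the
client cannot skip the OTP step, cannot fall through after a wrong OTP, and
cannot reuse a token after logout or after the idle timeout.
"""
import hmac
import secrets
import time
from dataclasses import dataclass
from typing import Callable, Dict, Optional

USERS = {"alice": {"password": "correct horse", "otp": "482913"}}  # constructed
MAX_OTP_FAILURES = 3
IDLE_TIMEOUT_SECONDS = 180  # two or three minutes, as the talk suggests for banking

@dataclass
class Session:
    user: str
    last_seen: float
    state: str = "NEEDS_OTP"      # NEEDS_OTP -> AUTHENTICATED
    otp_failures: int = 0

class AuthServer:
    def __init__(self, clock: Callable[[], float] = time.monotonic):
        self.clock = clock                  # injectable so tests can advance time
        self.sessions: Dict[str, Session] = {}

    def _session(self, token: Optional[str]) -> Optional[Session]:
        """Fetch a live session; drop it if idle too long, touch it otherwise."""
        s = self.sessions.get(token)
        if s is None:
            return None
        now = self.clock()
        if now - s.last_seen > IDLE_TIMEOUT_SECONDS:
            del self.sessions[token]
            return None
        s.last_seen = now
        return s

    def login(self, username: str, password: str) -> dict:
        """Step A: credentials. Creates a session that still needs the OTP."""
        user = USERS.get(username)
        if user is None or not hmac.compare_digest(user["password"], password):
            return {"ok": False, "error": "invalid credentials"}
        token = secrets.token_hex(16)
        self.sessions[token] = Session(user=username, last_seen=self.clock())
        return {"ok": True, "token": token, "next": "otp"}

    def verify_otp(self, token: str, otp: str) -> dict:
        """Step B: only advances state on a correct code; wrong codes never fall through."""
        s = self._session(token)
        if s is None or s.state != "NEEDS_OTP":
            return {"ok": False, "error": "no pending OTP for this session"}
        if not hmac.compare_digest(USERS[s.user]["otp"], otp):
            s.otp_failures += 1
            if s.otp_failures >= MAX_OTP_FAILURES:
                del self.sessions[token]
                return {"ok": False, "error": "too many failures, session closed"}
            return {"ok": False, "error": "provided OTP is incorrect"}
        s.state = "AUTHENTICATED"
        return {"ok": True, "next": "dashboard"}

    def dashboard(self, token: str) -> dict:
        """Step C: served only to a session the server itself marked AUTHENTICATED."""
        s = self._session(token)
        if s is None or s.state != "AUTHENTICATED":
            return {"ok": False, "error": "you are logged out, please log in again"}
        return {"ok": True, "data": f"account data for {s.user}"}

    def logout(self, token: str) -> dict:
        self.sessions.pop(token, None)
        return {"ok": True}

def walkthrough() -> Dict[str, bool]:
    """Run the sequence breaks from the talk against the server; return outcomes."""
    srv = AuthServer()
    token = srv.login("alice", "correct horse")["token"]
    skip = srv.dashboard(token)                 # A -> C, skipping the OTP
    bad = srv.verify_otp(token, "123")          # wrong OTP, like the "1 2 3" passcode
    still = srv.dashboard(token)                # one failure must not unlock anything
    good = srv.verify_otp(token, "482913")
    ok = srv.dashboard(token)
    srv.logout(token)
    replay = srv.dashboard(token)               # captured request replayed after logout
    return {"skip": skip["ok"], "bad": bad["ok"], "still": still["ok"],
            "good": good["ok"], "ok": ok["ok"], "replay": replay["ok"]}

if __name__ == "__main__":
    print(walkthrough())
```

Note what is absent: the server never looks for a "verified" flag, a redirect target or a copied success body in the request. Whatever the client pastes from an earlier positive response, the only thing that moves the session from NEEDS_OTP to AUTHENTICATED is a correct code checked on the server, and the only thing that reaches the dashboard is a session in that state.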