Abuse Cases
From scratch to the hack
Miguel Hernandez Ruiz
Do the testers know about the
business flows supported by the
application?
As starter…
The Menu
• As starter
• A hacking story
• What we are looking for
• A methodological Approach
• Abuse cases from use cases
• Abuse cases from scratch
• Take away
A hacking story
Disclaimer: I have found both images online with no copyrights; if you find out they actually are copyrighted, please let me know as soon as possible.
Name: Paul
Age: 27
Job:
Developer
Name: Mike
Age: 22
Job: none
Paul works as an IT engineer for an IT company that provides a shopping cart solution to several clients. He has never been concerned about security, and neither has his boss…
Mike is a university student with too much free time. He is passionate about security and loves finding application vulnerabilities. He is very aware of application insecurity…
Name: Josh
Age: 40
Job: Boss
Josh is a successful businessman who owns three companies operating in different sectors. He has heard about security concerns in applications, but "this won't happen to him"…
MY APP = Yabadabadoooooooooo!
Break another app… Break another app… Break another app…
Ouch! My boss recently told me that our customers complained about some security bugs reported by a hacker in our application…
Actually I think they were there since the first version, but I am happy they didn't realise it before…
Anyway, I am ready to fix them in the new release… I will close the issues all in a row…
• SQLi
• XSS
• HTMLi
• CSRF
• Session Hijacking
• Session Fixation
• Buffer Overflow
• Insecure Direct Object Reference
• Unvalidated Redirects
• Server-Side Inclusion
• XXE
• LFI / RFI
OK. I am going to take a look at the page where I reported the bugs last month…
It seems that they have fixed them… interesting…
I am happy to see that they have been able to solve the issues, but… let me see…
Let's play the joker up the sleeve… What if I change this number here…
…YEAH!!!!
Syringe image from http://shinta-girl.deviantart.com/
What we are looking for
• What the application is intended to do and actually does
• What the application is intended to do and does not
• What the application is not intended to do and actually does
The application business logic must be checked from a security perspective
ABUSE CASES
Use Cases
• A use case is a list of steps, typically defining interactions between a role (actor) and a system, to achieve a goal
• They are essentially structured stories or scenarios detailing the normal behaviour and usage of the software
• A use case is not only a diagram; it is text as well: a full description including the main actor, goal in context, scope, preconditions, etc.
Abuse Cases
• An abuse case is a type of complete interaction between a system and one or more actors, where the results of the interaction are harmful to the system, one of the actors, or one of the stakeholders in the system
• An abuse case diagram is created together with the corresponding use case diagram (if available), but not in the same diagram
• No new terminology or special symbols are introduced for abuse case diagrams
A methodological approach
THE STAIRWAY TO THE BUG
• REQUIREMENT: look for the key business requirements
• DESIGN: use the available use cases to design the abuse cases
• IMPLEMENTATION: gain a wide understanding of the business logic implementation
• INTEGRATION: detect implementation flaws and… ¡¡¡¡exploit them!!!!
Flowchart:
• Start from the key requirement specification.
• Use cases designed?
  – Yes: take the application use cases, detect the potentially worst scenarios and design abuse cases derived from the use cases.
  – No: locate functional documentation and knowledge, and gain a deep understanding of the business logic from it. Then: workflows designed?
    – Yes: take the application workflows.
    – No: perform the application workflows yourself.
    Determine the critical flows, detect the key points and design abuse cases derived from those key points.
• Both paths feed the abuse cases application repository.
Abuse Cases from Use Cases
Goal
Check that there is no possibility to add items to the basket for free
Preconditions
• All application modules have been correctly deployed in test
• A previously registered user account must be provided
• There must be at least one item and one item category available
Description
• Access the Application URL: the user accesses the URL http://www...
• Log in: he/she logs in using the provided user account
• ...
Diagram: Access the Application URL → Log in → Add an Item to the Basket → Add an Item for free → Check the total cost
Actors
• User: agent who performs a normal use of the application
• Security Tester: person whose aim is to cause abnormal behaviour in the application
Abuse Cases from scratch
Application workflow, in order (the slide marks each step as compulsory or optional):
• Access the application
• Register a new account
• Log in to the application
• Access an item section
• Select an item
• Increase / decrease the number of items to order
• Add to basket
• Increase / decrease the number of items
• Update basket
Other navigation: About us, Contact us, Search items, Your Basket
Key points detected on the workflow: privilege increase, access to content, altering the price
Questions the security tester asks along the workflow:
• Could I access a non-published or private item section?
• What if I insert a very long number as a section selector?
• Could I modify the item's price?
• …or the number of items without altering the total price, perhaps?
• I definitely must try to add a negative number of items to the basket
• Would it be possible to order non-existent items?
• Could I decrease the number of items below zero?
• What will be the maximum number of items to order?
• Could it be possible to include a negative number of items when updating the basket?
• Would it be possible to change the price during the basket update process?
• What if I perform an update over a non-existent item in the basket?
Diagram: Access the Application URL → Register a User → Access with the New User → Select 4 Items of a certain category / Select 3 Items of another category → Add them to the basket → Update the number of items in the basket → Include a negative number of items (the Security Tester's step)
Goal
Gain a higher confidence in how the application is going to behave when the number of items is modified below zero
Preconditions
• All application modules have been correctly deployed in test
• At least two item categories have been included in the application
• There must be at least 4 items for two item categories
Actors
• User: agent who performs a normal use of the application
• Security Tester: person whose aim is to cause abnormal behaviour in the application
Description
• Access the Application URL: the user accesses the URL http://www...
• Register a new user: he/she clicks on the…
• …
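The two abuse cases above (adding an item for free, and pushing the number of items below zero) can be written as executable checks. The block below is an added example and is not code from the talk or from the BodgeIt Store: it models a minimal in-memory basket in Python, first as the trusting implementation the hacking story describes and then hardened, and drives each abuse case from the brainstorm (tampered price, negative quantity, non-existent item, quantity above the maximum, negative update, update of an item not in the basket) against both. The catalogue, prices, item ids, the MAX_QTY limit and the method names are assumptions for illustration.

```python
from decimal import Decimal

# Constructed catalogue, item id -> (name, unit price): on the server this
# price list is the only legitimate source of prices.
CATALOGUE = {
    101: ("Tea", Decimal("2.50")),
    201: ("Mug", Decimal("5.00")),
}
MAX_QTY = 99  # assumed business rule: at most 99 units of one item per order

class BasketError(ValueError):
    """Raised when a request breaks a business rule."""

class NaiveBasket:
    """The flawed implementation: every request field is trusted."""

    def __init__(self):
        self.lines = {}  # item id -> [quantity, unit price]

    def _price(self, item, price):
        # A client-supplied price wins; an unknown item silently costs nothing.
        if price is not None:
            return Decimal(price)
        return CATALOGUE[item][1] if item in CATALOGUE else Decimal("0")

    def add(self, item, qty, price=None):
        current = self.lines.get(item, [0, None])[0]
        self.lines[item] = [current + qty, self._price(item, price)]
        return self.total()

    def update(self, item, qty, price=None):
        self.lines[item] = [qty, self._price(item, price)]
        return self.total()

    def total(self):
        return sum(q * p for q, p in self.lines.values())

class HardenedBasket:
    """Server-side enforcement of the rules the abuse cases probe."""

    def __init__(self):
        self.lines = {}  # item id -> quantity; prices are never stored

    @staticmethod
    def _check_qty(qty):
        # bool is a subclass of int, so it has to be ruled out explicitly.
        if isinstance(qty, bool) or not isinstance(qty, int) or not 1 <= qty <= MAX_QTY:
            raise BasketError(f"quantity must be an integer between 1 and {MAX_QTY}")

    def add(self, item, qty, price=None):
        # 'price' keeps NaiveBasket's call shape but is ignored: the price
        # always comes from the catalogue, whatever the request carries.
        if item not in CATALOGUE:
            raise BasketError("unknown item")
        self._check_qty(qty)
        self._check_qty(self.lines.get(item, 0) + qty)  # cap the line total too
        self.lines[item] = self.lines.get(item, 0) + qty
        return self.total()

    def update(self, item, qty, price=None):
        if item not in self.lines:
            raise BasketError("item is not in the basket")
        self._check_qty(qty)  # removing a line is a separate operation, not modelled
        self.lines[item] = qty
        return self.total()

    def total(self):
        return sum(CATALOGUE[i][1] * q for i, q in self.lines.items())

# One callable per abuse case from the brainstorm; each one gets a fresh basket.
ABUSE_CASES = {
    "add an item with a tampered price": lambda b: b.add(101, 1, price="0.01"),
    "add a negative number of items": lambda b: b.add(101, -3),
    "add a non-existent item": lambda b: b.add(999, 1),
    "add more than the maximum quantity": lambda b: b.add(101, 1000),
    "update the basket to a negative quantity": lambda b: (b.add(101, 2), b.update(101, -2)),
    "update an item that is not in the basket": lambda b: b.update(201, 1),
}

def run_abuse_cases(basket_cls):
    """Map each abuse case to 'rejected' if refused, else to the resulting total."""
    outcome = {}
    for name, attack in ABUSE_CASES.items():
        basket = basket_cls()
        try:
            attack(basket)
            outcome[name] = str(basket.total())
        except BasketError:
            outcome[name] = "rejected"
    return outcome

def legitimate_flow(basket_cls):
    """The use case the abuse cases derive from: 4 of one item, 3 of another."""
    basket = basket_cls()
    basket.add(101, 4)
    basket.add(201, 3)
    return str(basket.total())
```

Calling `run_abuse_cases(NaiveBasket)` returns a negative total for the negative-quantity cases, `0.01` for the tampered price and `0` for the non-existent item: exactly the "change this number here" bugs of the story. Against `HardenedBasket` every case is rejected except the tampered price, whose outcome is the catalogue price `2.50`, showing that the request field was simply never read; `legitimate_flow` returns `25.00` for both, so the hardening does not break the use case it was derived from.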
Demo
Hey hey hey! Don't touch my app!!
Let's rock, baby!!
Mmmm, I am not sure if I want to see this…
Take away
• Mind the business logic of your application; doing it now is really cheap
• Look for ways to bring negative thinking into the development process. Enforce the development of abuse cases.
• Do not fool yourself: "This COULD happen to you"
• Raise the problem if you think there is a bug in the application; the sooner the better.
• Do not trust the components of the application you are developing: "Develop defensively and watch the abuse cases"
• You have a great future ahead as a security tester… go for it!
• Use all your knowledge: "Try bypassing the business logic as specified in the abuse cases".
No technological device will protect you against business logic attacks. Use the talent in your organization; your brain is the most powerful tool. Think in negative… Develop abuse cases.
Thank you all!
The dessert… ?
On the Speaker - Bio
mhernand@ie.ibm.com /	hernandezrma@gmail.com
https://www.linkedin.com/in/security-miguel-hernandez
https://twitter.com/miguelangelher
http://plusplussecurity.blogspot.ie/
IT Engineer, Master in Advanced Technologies, Master in Business Administration, CEH, CISA, CISM, SPSE, IRCA LA 27001, ISTQBf, ITIL-f and FCE. Currently working for IBM in the Watson Health division as Senior Security Engineer. Miguel Hernández has been working in the security field for the past 10 years. He has helped some of the most important companies in different sectors to improve their security through process improvement and web application security testing.
Running the demo
• Download and install Docker for your operating system
• Pull the BodgeIt Store image
  – docker pull psiinon/bodgeit
• Start Docker
• Run BodgeIt in Docker
  – docker run --rm -p 8080:8080 -i -t psiinon/bodgeit
• Open BodgeIt in the browser
  – http://localhost:8080/bodgeit
• If you want to intercept the traffic and perform the "hack":
  – Download and install ZAP for your platform
  – Change ZAP's local proxy port from 8080 to 8085 (ZAP listens on 8080 by default, and BodgeIt is already bound to that port)
  – Configure Firefox's network settings to use the proxy localhost:8085
Eurostar 16 abuse cases - from scratch to the hack

  • 1. Abuse Cases From scratch to the hack Miguel Hernandez Ruiz
  • 2. Do the testers know about the business flows supported by the application?
  • 4. The Menu • As starter • A hacking story • What we are looking for • A methodological Approach • Abuse cases from use cases • Abuse cases from scratch • Take away
  • 5. A hacking story Disclaimer: I have found both images online with no copyrights, if you find out they actually are copyrighted please let me know as soon as possible Name: Paul Age: 27 Job: Developer Name: Mike Age: 22 Job: none Paul work as IT Engineer for an IT Company which provides a shopping cart solution to several clients. He has never been concerned about security, neither his boss… Mike is a university student with too much free time and he is a security passionate person who loves finding out application vulnerabilities. He is really aware about application in-security… Name: Josh Age: 40 Job: Boss Josh is a successful business man who owns three different companies operating in different sectors. He has heard about security concerns in applications but “this won’t happen to him”…
  • 6. A hacking story MY APP = Yabadabadooooooooooooooooooooo ooooo! Break another app Break another app Break another app Break another app
  • 7. A hacking story Ouch! My boss recently told me that our customers complained about some security bugs reported by a Hacker in our application… Actually I think they were there since the first version but I am happy they didn’t realise it before… Anyway I am ready to fix them in the new release… I will close the issues all in a raw…
  • 9. A hacking story OK. I am going to take a look at the page I reported the bugs the past month… It seems that they have fixed them… interesting… I am happy to see that they have been able to solve the issues but… let me see… Lets play the joker up the sleeve… What if I change here this number… …YEAH!!!!
  • 12. What we are looking for
    – What the application is intended to do and it actually does
    – What the application is intended to do and it does not
    – What the application is not intended to do and it actually does
    The application business logic must be checked from a security perspective: ABUSE CASES
  • 13. What we are looking for
    Use Cases
      – A use case is a list of steps, typically defining interactions between a role (actor) and a system, to achieve a goal
      – They are essentially structured stories or scenarios detailing the normal behaviour and usage of the software
      – A use case is not only a diagram; it is text as well: a full description including the main actor, goal in context, scope, preconditions, etc.
    Abuse Cases
      – An abuse case is a type of complete interaction between a system and one or more actors, where the results of the interaction are harmful to the system, one of the actors, or one of the stakeholders in the system
      – An abuse case diagram is created together with a corresponding use case diagram (if available), but not in the same diagram
      – There is no new terminology or special symbols introduced for abuse case diagrams
  • 15. A methodological approach: THE STAIRWAY TO THE BUG
    – REQUIREMENT: look for the key business requirements
    – DESIGN: use the available use cases to design the abuse cases
    – IMPLEMENTATION: gain a wide understanding of the business logic implemented
    – INTEGRATION: detect implementation flaws and… ¡¡¡¡exploit them!!!!
  • 18. Abuse Cases from Use Cases
    Goal: check that there is no possibility to add items for free to the basket
    Preconditions
      – All application modules have been correctly deployed in test
      – A previously registered user account must be provided
      – There must be at least 1 item and one item category available
    Description
      – Access to the Application URL: the user accesses the URL http://www...
      – Log in: he/she performs the login using a provided user account
      – ...
    Flow: Access to the Application URL → Log in → Add an Item to the Basket → Add an Item for free → Check the total cost
    Actors
      – User: agent which is intended to perform a normal use of the application
      – Security Tester: person who is intended to cause abnormal behaviour in the application
  • 20. Abuse Cases from scratch: the application flow
    Main flow: Access to application → Register a new account → Log in to the application → Access to an item section → Select an Item → Increase / Decrease number of items to order → Add to basket → Increase / Decrease number of items → Update basket
    Other pages in the diagram: About us, Contact us, Search items, Your Basket
    Legend: Compulsory / Optional
  • 21. Abuse Cases from scratch: threats on the flow
    Main flow: Access to application → Register a new account → Log in to the application → Access to an item section → Select an Item → Increase / Decrease number of items to order → Add to basket → Increase / Decrease number of items → Update basket
    Threats annotated on the flow: Privilege increase, Access to content, Alters the price
    Legend: Compulsory / Optional
  • 22. Abuse Cases from scratch: questioning each step
    Main flow: Access to application → Register a new account → Log in to the application → Access to an item section → Select an Item → Increase / Decrease number of items to order → Add to basket → Increase / Decrease number of items → Update basket
    Questions raised on the flow:
      – Could I access a non-published or private item section?
      – What if I insert a very long number as a section selector?
      – Could I be able to modify the items' price?
      – …the number of items without altering the total price, perhaps?
      – Definitely I must try to add to the basket a negative number of items
      – Would it be possible to order non-existent items?
      – Could I decrease the number of items below zero?
      – What will be the maximum number of items to order?
      – Could it be possible to include a negative number of items when updating the basket?
      – Would it be possible to change the price during the basket update process?
      – What if I perform an update over a non-existent item in the basket?
    Legend: Compulsory / Optional
  • 23. Abuse Cases from scratch: the resulting abuse case
    Goal: gain a higher confidence in how the application is going to behave when the number of items is modified below zero
    Preconditions
      – All application modules have been correctly deployed in test
      – At least two item categories have been included in the application
      – There must be at least 4 items for two item categories
    Actors
      – User: agent which is intended to perform a normal use of the application
      – Security Tester: person who is intended to cause abnormal behaviour in the application
    Description
      – Access to the Application URL: the user accesses the URL http://www...
      – Register a new user: he/she clicks on the…
      – …
    Flow: Access to the Application URL → Register a User → Access with the New User → Select 4 Items of a certain category → Select 3 Items of another category → Add them to the basket → Add them to the basket → Update the number of items in the basket → Include a negative number of items
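The abuse cases on slides 18 and 22–23 (items for free, negative quantities, non-existent items, a price changed during the basket update) translate directly into invariants the server must enforce, and into a small harness that exercises each of them. The Python below is an added example written for this page; it is not code from the talk or from the BodgeIt store. The catalogue, the prices, the 100-items-per-line limit and the `handle_request` form handler are all constructed assumptions standing in for the real application.

```python
"""Abuse-case harness for a shopping basket (added example, not the talk's code).

The Basket class holds the invariants a server must enforce; handle_request
plays the role of the web layer, where every parameter arrives as an untrusted
string. ABUSE_CASES lists the questions from the "from scratch" slides.
"""
from dataclasses import dataclass, field
from decimal import Decimal

# Constructed catalogue (assumption, not BodgeIt data): item id -> (name, unit price).
# The server-side price list is the only source of prices; requests never carry one.
CATALOGUE = {
    1: ("Hoodie", Decimal("30.00")),
    2: ("Widget", Decimal("2.50")),
    3: ("Gizmo", Decimal("10.00")),
}
MAX_QTY_PER_LINE = 100  # assumed business limit ("maximum number of items to order")


class BasketError(ValueError):
    """Raised when a request would break a basket invariant."""


@dataclass
class Basket:
    lines: dict = field(default_factory=dict)  # item id -> quantity

    @staticmethod
    def _check_item(item_id):
        if item_id not in CATALOGUE:  # non-existent or unpublished item ids
            raise BasketError(f"unknown item {item_id!r}")

    @staticmethod
    def _check_qty(qty):
        # Only a plain int in [1, MAX] is acceptable; negatives, zero, floats and
        # absurdly long numbers are all rejected here in one place.
        if type(qty) is not int or qty < 1 or qty > MAX_QTY_PER_LINE:
            raise BasketError(f"invalid quantity {qty!r}")

    def add(self, item_id, qty):
        self._check_item(item_id)
        self._check_qty(qty)
        new_qty = self.lines.get(item_id, 0) + qty
        self._check_qty(new_qty)  # the accumulated line is bounded as well
        self.lines[item_id] = new_qty

    def update(self, item_id, qty):
        """Set a line to qty; 0 removes the line, anything below 0 is refused."""
        self._check_item(item_id)
        if item_id not in self.lines:  # "update over a non-existent item in the basket"
            raise BasketError(f"item {item_id!r} is not in the basket")
        if qty == 0:
            del self.lines[item_id]
            return
        self._check_qty(qty)
        self.lines[item_id] = qty

    def total(self):
        # Recomputed from the catalogue on every call, so the number of items
        # can never be changed "without altering the total price".
        return sum((CATALOGUE[i][1] * q for i, q in self.lines.items()), Decimal("0"))


def handle_request(basket, form):
    """Simulated form handler: converts untrusted strings, then delegates."""
    action = form.get("action")
    try:
        item_id = int(form.get("item", ""))
        qty = int(form.get("qty", ""))
    except ValueError as exc:
        raise BasketError("malformed parameters") from exc
    # Any "price" field sent by the client is simply never read.
    if action == "add":
        basket.add(item_id, qty)
    elif action == "update":
        basket.update(item_id, qty)
    else:
        raise BasketError(f"unknown action {action!r}")
    return basket.total()


# Constructed requests, one per question on slide 22 (plus the free-item case of slide 18).
ABUSE_CASES = [
    ("negative quantity on add", {"action": "add", "item": "2", "qty": "-3"}),
    ("negative quantity on update", {"action": "update", "item": "1", "qty": "-4"}),
    ("non-existent item", {"action": "add", "item": "999", "qty": "1"}),
    ("very long item selector", {"action": "add", "item": "9" * 40, "qty": "1"}),
    ("update of item not in basket", {"action": "update", "item": "3", "qty": "1"}),
    ("quantity above limit", {"action": "add", "item": "1", "qty": "101"}),
    ("fractional quantity", {"action": "add", "item": "1", "qty": "1.5"}),
    ("client-supplied price", {"action": "add", "item": "1", "qty": "1", "price": "0.00"}),
]


def run_abuse_cases():
    """Replays the abuse case of slide 23, then every ABUSE_CASES request.

    Returns (outcomes, final_total): outcome is "rejected" when the invariant
    held and "accepted" when the request went through.
    """
    basket = Basket()
    basket.add(1, 4)  # "Select 4 Items of a certain category"
    basket.add(2, 3)  # "Select 3 Items of another category"
    outcomes = {}
    for name, form in ABUSE_CASES:
        try:
            handle_request(basket, form)
            outcomes[name] = "accepted"
        except BasketError:
            outcomes[name] = "rejected"
    return outcomes, basket.total()


if __name__ == "__main__":
    outcomes, total = run_abuse_cases()
    for name, result in outcomes.items():
        print(f"{result:8} {name}")
    print("final total:", total)
```

Every case except the last is rejected. The "client-supplied price" request is accepted on purpose: the item is added at its catalogue price and the total rises by 30.00, which is exactly the check slide 18 asks for (no item for free). Against a real application the same list of cases stays as it is and only `handle_request` changes to issue HTTP requests through the proxy; the expected outcome of each case is then compared with what the server actually does.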
  • 24. Demo
    "Hey Hey Hey!, don't touch my App!!"
    "Let's rock baby!!"
    "Mmmm, I am not sure if I want to see this…"
  • 26. Take away
    – Mind the business logic of your application; in the meantime, it is really cheap
    – Look for the way to add negative thinking to the development process. Enforce abuse case development.
    – Do not trick yourself: "This could happen to you"
    – Raise the problem if you think there is a bug in the application; the sooner the better.
    – Do not trust the component of the application you are developing: "Develop defensively and watch the abuse cases"
  • 27. Take away
    – You have a great future ahead as a security tester… go for it!
    – Use all your knowledge: "Try bypassing the business logic as specified in the abuse cases". No technological device will protect you against business logic attacks; use the talent in your organization. Your brain is the most powerful tool: think in negative… Develop abuse cases.
  • 31. On the Speaker - Bio
    mhernand@ie.ibm.com / hernandezrma@gmail.com
    https://www.linkedin.com/in/security-miguel-hernandez
    https://twitter.com/miguelangelher
    http://plusplussecurity.blogspot.ie/
    IT Engineer, Master in Advanced Technologies, Master in Business Administration, CEH, CISA, CISM, SPSE, IRCA LA 27001, ISTQBf, ITIL-f and FCE. Currently working for IBM in the Watson Health division as Senior Security Engineer. Miguel Hernández has been working in the security field for the past 10 years. He has helped some of the most important companies in different sectors to improve their security through process improvement and web application security testing.
  • 32. Running the demo
    – Download and install Docker for your operating system
    – Download the BodgeIt store image from Docker Hub:
        docker pull psiinon/bodgeit
    – Run Docker
    – Run BodgeIt in Docker:
        docker run --rm -p 8080:8080 -i -t psiinon/bodgeit
    – Open BodgeIt in the browser:
        http://localhost:8080/bodgeit
    – If you want to intercept the communication and perform the "hack":
        – Download and install ZAP for your platform
        – Change the port of ZAP's local proxy from 8080 to 8085 (BodgeIt is already listening on 8080)
        – Configure Firefox's network settings to use the proxy localhost:8085