4. The Menu
• As starter
• A hacking story
• What we are looking for
• A methodological Approach
• Abuse cases from use cases
• Abuse cases from scratch
• Take away
5. A hacking story
Disclaimer: I found both images online with no copyright notice; if you find out that they actually are copyrighted, please let me know as soon as possible.
Name: Paul. Age: 27. Job: Developer.
Paul works as an IT engineer for an IT company which provides a shopping cart solution to several clients. He has never been concerned about security, and neither has his boss…
Name: Mike. Age: 22. Job: none.
Mike is a university student with too much free time. He is passionate about security and loves finding application vulnerabilities. He is really aware of application in-security…
Name: Josh. Age: 40. Job: Boss.
Josh is a successful businessman who owns three different companies operating in different sectors. He has heard about security concerns in applications, but “this won’t happen to him”…
6. A hacking story
MY APP = Yabadabadooooooooooooooooooooooooooo!
Break another app, break another app, break another app, break another app…
7. A hacking story
Ouch! My boss recently told me that our customers complained about some security bugs reported by a hacker in our application…
Actually, I think they were there since the first version, but I am happy they didn’t realise it before…
Anyway, I am ready to fix them in the new release… I will close the issues all in a row…
9. A hacking story
OK. I am going to take a look at the page where I reported the bugs last month…
It seems that they have fixed them… interesting…
I am happy to see that they have been able to solve the issues but… let me see…
Let’s play the joker up the sleeve… What if I change this number here…
…YEAH!!!!
12. What we are looking for
• What the application is intended to do, and actually does
• What the application is intended to do, and does not
• What the application is not intended to do, and actually does
The application business logic must be checked from a security perspective: ABUSE CASES
13. What we are looking for
— Use Cases
• A use case is a list of steps, typically defining interactions between a role (actor) and a system, to achieve a goal
• They are essentially structured stories or scenarios detailing the normal behaviour and usage of the software
• A use case is not only a diagram, it is text as well: a full description including the main actor, goal in context, scope, preconditions, etc.
— Abuse Cases
• An abuse case is a type of complete interaction between a system and one or more actors, where the results of the interaction are harmful to the system, one of the actors, or one of the stakeholders in the system
• An abuse case diagram is created together with a corresponding use case diagram (if available), but not in the same diagram
• There is no new terminology or special symbols introduced for abuse case diagrams
15. A methodological approach
THE STAIRWAY TO THE BUG
• REQUIREMENT: look for the key business requirements
• DESIGN: use the available use cases to design the abuse cases
• IMPLEMENTATION: gain a wide understanding of the business logic implementation
• INTEGRATION: detect implementation flaws and… ¡¡¡¡Exploit them!!!!
18. Abuse Cases from Use Cases
Goal
• Check that there is no possibility to add items for free to the basket
Preconditions
• All application modules have been correctly deployed in test
• A previously registered user account must be provided
• There must be at least one item and one item category available
Description
• Access to the Application URL: the user accesses the URL http://www...
• Log in: he/she performs the login using the provided user account
• ...
Flow (User steps, with the Security Tester’s abuse step alongside):
• User: Access to the Application URL → Log in → Add an Item to the Basket → Check the total cost
• Security Tester: Add an Item for free
Actors
• User: agent who is intended to perform a normal use of the application
• Security Tester: person who is intended to cause abnormal behaviour in the application
20. Abuse Cases from scratch
Navigation: About us | Contact us | Search items | Your Basket
Use case flow:
• Access to application
• Register a new account
• Log in to the application
• Access to an item section
• Select an Item
• Increase / Decrease number of items to order
• Add to basket
• Increase / Decrease number of items
• Update basket
Legend: Compulsory, Optional
21. Abuse Cases from scratch
Use case flow:
• Access to application
• Register a new account
• Log in to the application
• Access to an item section
• Select an Item
• Increase / Decrease number of items to order
• Add to basket
• Increase / Decrease number of items
• Update basket
Abuse cases overlaid on the flow: Privilege increase, Access to content, Alters the price
Legend: Compulsory, Optional
22. Abuse Cases from scratch
Use case flow:
• Access to application
• Register a new account
• Log in to the application
• Access to an item section
• Select an Item
• Increase / Decrease number of items to order
• Add to basket
• Increase / Decrease number of items
• Update basket
Abuse-case questions attached to each step:
• Could I access a non-published or private item section?
• What if I insert a very long number as a section selector?
• Could I modify the items’ price? …Or the number of items without altering the total price, perhaps?
• Definitely I must try to add a negative number of items to the basket
• Would it be possible to order non-existent items?
• Could I decrease the number of items below zero?
• What will be the maximum number of items to order?
• Could it be possible to include a negative number of items when updating the basket?
• Would it be possible to change the price during the basket update process?
• What if I perform an update over a non-existent item in the basket?
Legend: Compulsory, Optional
23. Abuse Cases from scratch
Flow (User steps, with the Security Tester’s abuse step alongside):
• User: Access to the Application URL → Register a User → Access with the New User → Select 4 Items of a certain category → Add them to the basket → Select 3 Items of another category → Add them to the basket → Update the number of items in the basket
• Security Tester: Include a negative number of items
Goal
• Gain higher confidence in how the application is going to behave when the number of items is modified below zero
Preconditions
• All application modules have been correctly deployed in test
• At least two item categories have been included in the application
• There must be at least 4 items in each of two item categories
Actors
• User: agent who is intended to perform a normal use of the application
• Security Tester: person who is intended to cause abnormal behaviour in the application
Description
• Access to the Application URL: the user accesses the URL http://www...
• Register a new user: he/she clicks on the…
• …
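The abuse cases from the two preceding slides, turned into executable checks. This is an added example, not code from the slides or from the BodgeIt store: a toy basket written once the way Paul wrote it (quantity and price taken from the request) and once with the business rules enforced server-side, each driven through the same list of abuse cases (negative quantity, altered price, non-existent item, oversized quantity, update below zero, update of an item not in the basket). The catalogue, the item ids, the prices and the per-line maximum are constructed for illustration.

```python
"""Toy shopping-cart basket used to exercise the abuse cases above.

Added example, not code from the slides or from the BodgeIt store. The
catalogue, prices, item ids and the per-line limit are constructed.
"""
from dataclasses import dataclass, field
from decimal import Decimal

# Constructed catalogue: the server-side source of truth for prices.
CATALOGUE = {
    "B001": ("Basketball", Decimal("19.99")),
    "T002": ("T-shirt", Decimal("9.50")),
}
MAX_QTY_PER_LINE = 99  # assumed business rule


class AbuseCaseRejected(Exception):
    """Raised by the hardened basket when a request breaks a business rule."""


@dataclass
class TrustingBasket:
    """The flaw from the story: quantity and price are taken from the request."""
    lines: dict = field(default_factory=dict)

    def add(self, item_id, qty, client_price=None):
        if client_price is None:  # unknown items silently get a zero price
            client_price = CATALOGUE.get(item_id, ("?", Decimal("0")))[1]
        self.lines[item_id] = (int(qty), Decimal(str(client_price)))

    def update(self, item_id, qty):
        price = self.lines.get(item_id, (0, Decimal("0")))[1]
        self.lines[item_id] = (int(qty), price)

    def total(self):
        return sum(q * p for q, p in self.lines.values())


@dataclass
class HardenedBasket:
    """Same operations; every business rule is enforced server-side."""
    lines: dict = field(default_factory=dict)

    @staticmethod
    def _check_qty(qty):
        # bool is a subclass of int, so check the exact type, not isinstance.
        if type(qty) is not int:
            raise AbuseCaseRejected("quantity must be an integer")
        if not 1 <= qty <= MAX_QTY_PER_LINE:
            raise AbuseCaseRejected("quantity out of range")

    def add(self, item_id, qty, client_price=None):
        # client_price exists only so both baskets can be driven by the same
        # harness; a real endpoint would not accept it, and it is ignored here.
        if item_id not in CATALOGUE:
            raise AbuseCaseRejected("unknown item")
        self._check_qty(qty)
        self.lines[item_id] = qty  # price is always looked up in CATALOGUE

    def update(self, item_id, qty):
        if item_id not in self.lines:
            raise AbuseCaseRejected("item not in basket")
        self._check_qty(qty)
        self.lines[item_id] = qty

    def total(self):
        return sum(q * CATALOGUE[i][1] for i, q in self.lines.items())


# Abuse cases lifted from the question bubbles of the "from scratch" slides.
ABUSE_CASES = [
    ("negative quantity on add", lambda b: b.add("B001", -3)),
    ("price altered on add", lambda b: b.add("B001", 1, client_price="0.01")),
    ("non-existent item", lambda b: b.add("X999", 1)),
    ("huge quantity on add", lambda b: b.add("B001", 10**6)),
    ("update below zero", lambda b: (b.add("B001", 2), b.update("B001", -2))),
    ("update non-existent basket item", lambda b: b.update("T002", 1)),
]


def run_abuse_cases(basket_cls):
    """Run every abuse case against a fresh basket; report rejection or the total."""
    results = {}
    for name, attempt in ABUSE_CASES:
        basket = basket_cls()
        try:
            attempt(basket)
        except AbuseCaseRejected:
            results[name] = "rejected"
        else:
            results[name] = f"accepted, total={basket.total()}"
    return results


def legitimate_total(basket_cls):
    """The normal use case: two items of one category, one of another."""
    basket = basket_cls()
    basket.add("B001", 2)
    basket.add("T002", 1)
    return str(basket.total())


if __name__ == "__main__":
    for cls in (TrustingBasket, HardenedBasket):
        print(cls.__name__, "legitimate total:", legitimate_total(cls))
        for case, outcome in run_abuse_cases(cls).items():
            print(f"  {case:34} {outcome}")
```

Both baskets give the same total for the legitimate use case, which is exactly why functional testing never finds these bugs. Against the trusting basket, the negative quantity and the below-zero update produce a negative total (a refund), the altered price produces a 0.01 basket, and unknown items are accepted at a zero price. The hardened basket rejects every abuse case except the altered price, which it accepts but ignores: the client-supplied value never reaches the total.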
24. Demo
Hey Hey Hey!, don’t touch my App!!
Let’s rock baby!!
Mmmm, I am not sure if I want to see this…
26. Take away
• Mind the business logic of your application; in the meantime, checking it is really cheap
• Look for a way to add negative thinking to the development process. Enforce abuse case development.
• Do not trick yourself: “This CAN happen to you”
• Raise the problem if you think there is a bug in the application; the sooner, the better.
• Do not trust the components of the application you are developing: “Develop defensively and watch the abuse cases”
27. Take away
• You have a great future ahead as a security tester… go for it!
• Use all your knowledge: “Try bypassing the business logic as specified in the abuse cases”.
No technological device will protect you against business logic attacks. Use the talent in your organization: your brain is the most powerful tool, think negatively…
Develop Abuse Cases
31. On the Speaker - Bio
mhernand@ie.ibm.com / hernandezrma@gmail.com
https://www.linkedin.com/in/security-miguel-hernandez
https://twitter.com/miguelangelher
http://plusplussecurity.blogspot.ie/
IT Engineer, Master in Advanced Technologies, Master in Business Administration, CEH, CISA, CISM, SPSE, IRCA LA 27001, ISTQBf, ITIL-f and FCE. Currently working for IBM in the Watson Health division as Senior Security Engineer. Miguel Hernández has been working in the security field for the past 10 years. He has helped some of the most important companies in different sectors to improve their security through process improvement and web application security testing.
32. Running the demo
• Download and install Docker for your operating system
• Pull the BodgeIt Store image from Docker Hub
– docker pull psiinon/bodgeit
• Start Docker
• Run BodgeIt in Docker
– docker run --rm -p 8080:8080 -i -t psiinon/bodgeit
• Open BodgeIt in the browser
– http://localhost:8080/bodgeit
• If you want to intercept the communication and perform the “hack”:
– Download and install ZAP for your platform.
– Change the port of ZAP’s local proxy from 8080 to 8085 (BodgeIt is already listening on 8080).
– Configure Firefox’s network settings to use the proxy localhost:8085