detectify
SECURITY FOR DEVELOPERS

Remember the AT&T Hack? #freeweev

…or how about the Apple Developer site incident? #down4maint

What do they have in common?
IDOR #wth?

Frans Rosén (@fransrosen) #hacktheplanet
Co-founder #daytime

Hacked a few #nightime
0x09 in Google Hall of Fame: www.google.com/about/appsecurity/hall-of-fame/

…a few more #uhere?

aaand a few more #sorry

What does it mean? #owasp4
“A direct object reference occurs when a developer exposes a reference to an internal implementation object, such as a file, directory, or database key. Without an access control check or other protection, attackers can manipulate these references to access unauthorized data.”

I: Insecure
D: Direct
O: Object
R: Reference
Without proper access control, exposing unauthorized data, such as a file, directory, or database key.

Eye-ball the URL #waitisover
Ouch.

Update a user #totallylegit
Ouch.

Business Impact #obvious
• Keys, Passwords
• Credit Card Data
• User Information / Email
• Invoices / Billing Data

Business Impact #notsoobvious
Numeric IDs for Order Receipts.
“Not found” vs “No access”.
Poll every day and you get analytics! $$$

Business Impact #notsoobvious
Numeric IDs for email invites = spam.
Found by d4d1a179c0f3: https://hackerone.com/reports/1533

Business Impact #evenworse
Change the delivery address of an order.
Delete another user’s information.
Reclaim other users’ data. Gift Certificates anyone?

Are you fully protected?

Why so few? #ohnoez
1. No secure access model.
“User X should only have access to A”
“User X that has access to A should only have access to B”
and so on…

Why so few? #ohnoez
2. Numeric IDs.
Enumerable/Sequential. Decrease the value by 1 and try.
Easy to test. Easy to attack.

Why so few? #ohnoez
3. Error messages show and tell.
“User X cannot view object owned by User Y”
“No access to this object”
“Object does not exist”

Why so few? #ohnoez
4. Inconsistent ID sources.
/receipt/view/434
/receipt/?view=434
POST /receipt/view/ HTTP/1.1
receipt=434

Why so few? #ohnoez
5. Lack of proper code review.
How to automate this?

Examples! #bringpopcorn

Example – Twitter
Credit Card deletion from other users.
Sequential IDs when deleting cards.
Bounty $2,800
Found by secgeek (Ahmed Aboul-Ela): https://hackerone.com/reports/27404

Example – Oculus
RCE through IDOR.
Sequential IDs when updating users.
Bounty in total $25,000
Found by Bitquark (Jon): https://bitquark.co.uk/blog/2014/08/31/popping_a_shell_on_the_oculus_developer_portal

Example – Square
Update other users / Get user info.
IDs as hashes, but visible using Google.
No check if user was in another company.
Bounty $3,000
https://hackerone.com/reports/23126

Example – Zapier
Get log-history from other users’ Zaps.
Contained sensitive information such as OAuth tokens / credentials.
No access control for log entries.
Bounty $3,000
https://zapier.com/engineering/bug-bounty-program/

Example – getClouder
Remove Cloud Scaling for other users.
No check if user owned the Cloud Scaling setting.
Bounty $200

Example – WordPress
Get all users on a WordPress site.
.com/?author=1
WONTFIX by WordPress
http://hackertarget.com/wordpress-user-enumeration/

Doing it right. #anyoneoutthere?

Doing it right. #hellyeh
1. User ID in Session or Token.
/user/view/me
/user/transactions

Doing it right. #hellyeh
2. Make a generic access model and stick to it.

    function get($type, $id) { /* check access for all objects */ }

    $user->get('transaction', $id); // if not owned by user, then error

Doing it right. #hellyeh
3. Access model in routes or controllers.
Stick to it! Easy to miss.

Doing it right. #hellyeh
4. Code review. Don’t miss this.

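As an added example that is not part of the deck, the Python below puts the "Doing it right" steps and the "Why so few?" pitfalls together: the acting user comes from the session, one generic get(type, id) gate checks ownership for every object, all three ID sources from the receipt slide resolve through that gate, IDs are random rather than sequential, and "not found" and "no access" produce the same response. The store, users and receipt data are constructed for the example, and the unchecked lookup at the end is the IDOR pattern shown for contrast.

```python
"""Generic access gate for object lookups (constructed example, not the deck's code)."""
from __future__ import annotations

import secrets
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Obj:
    owner_id: int   # user that owns the object
    data: dict      # the object's payload


class AccessDenied(LookupError):
    """Raised for both 'not found' and 'not yours'; the caller cannot tell which."""


class Store:
    """Constructed in-memory store keyed by (object type, opaque id)."""

    def __init__(self) -> None:
        self._objects: dict[tuple[str, str], Obj] = {}

    def create(self, type_: str, owner_id: int, data: dict) -> str:
        # Random, non-sequential id: "decrease by 1 and try" finds nothing.
        oid = secrets.token_urlsafe(16)
        self._objects[(type_, oid)] = Obj(owner_id, data)
        return oid

    def raw(self, type_: str, oid: str) -> Optional[Obj]:
        """Unchecked lookup; only the Session gate below should call it."""
        return self._objects.get((type_, oid))


class Session:
    """The acting user, taken from the authenticated session, never from the request."""

    def __init__(self, user_id: int, store: Store) -> None:
        self.user_id = user_id
        self._store = store

    def get(self, type_: str, oid: str) -> dict:
        """The one generic access check, identical for every object type."""
        obj = self._store.raw(type_, oid)
        if obj is None or obj.owner_id != self.user_id:
            # Same exception and message whether the object is missing or foreign,
            # so an enumerating client learns nothing about other users' objects.
            raise AccessDenied(f"{type_} not found")
        return obj.data


def view_receipt(session: Session, path_id: Optional[str] = None,
                 query: Optional[dict] = None, form: Optional[dict] = None) -> dict:
    """Route accepting the deck's three id sources (/receipt/view/<id>,
    /receipt/?view=<id>, POST receipt=<id>) but resolving them in one place."""
    oid = path_id or (query or {}).get("view") or (form or {}).get("receipt")
    if oid is None:
        raise AccessDenied("receipt not found")
    return session.get("receipt", oid)


def response_for(session: Session, **request) -> tuple[int, dict]:
    """HTTP-style (status, body); identical for missing and foreign objects."""
    try:
        return 200, view_receipt(session, **request)
    except AccessDenied as err:
        return 404, {"error": str(err)}


def view_receipt_insecure(store: Store, oid: str) -> Optional[dict]:
    """The IDOR the deck describes: lookup by id with no ownership check."""
    obj = store.raw("receipt", oid)
    return obj.data if obj else None


if __name__ == "__main__":
    store = Store()
    alice, bob = Session(1, store), Session(2, store)
    rid = store.create("receipt", alice.user_id, {"total": 42})
    print(response_for(alice, path_id=rid))          # (200, {'total': 42})
    print(response_for(bob, query={"view": rid}))   # (404, {'error': 'receipt not found'})
    print(response_for(bob, path_id="no-such-id"))  # same 404 body: nothing leaks
    print(view_receipt_insecure(store, rid))        # {'total': 42} for anyone
```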
Quick repetition #eatsleepraverepeat
1. IDORs are bad. Easy to exploit. Easy to find.
2. Being actively exploited as we speak. Worth €€€
3. Generic access model.
4. Numeric IDs vs Hashes
5. Review your code.

THAT’S ALL FOLKS!
Questions?
by Frans Rosén (@fransrosen)
www.detectify.com

How to steal and modify data using Business Logic flaws - Insecure Direct Object References
