AppSec Europe 2016 has ended
Thursday, June 30 • 12:25 - 13:30
Attack Patterns for Black-Box Detection of Logical Vulnerabilities in Multi-Party Web Applications


An increasing number of business critical, online applications leverage trusted third parties in conjunction with web-based security protocols to meet their security needs. For instance, many online applications rely on authentication assertions issued by identity providers to authenticate users using a variety of web-based single sign-on (SSO) protocols (e.g., SAML SSO v2.0, OpenID Connect). Similarly, online shopping applications use online payment services and Cashier-as-a-Service (CaaS) protocols to obtain proof-of-payment before delivering the purchased items (e.g., Express Checkout and PayPal Payment Standard). We refer to this broad class of protocols as security-critical Multi-Party Web Applications (MPWAs). Three entities take part in the protocols: the User (through a web browser B), the web application (playing the role of Service Provider, SP), and a trusted third party (TTP). The design and implementation of the protocols used by security-critical MPWAs are prone to logical errors, and several logical vulnerabilities have been reported in the last few years. For example, over 20% of the Alexa top 20,000 US websites have a vulnerable Facebook SSO implementation (Zhou et al. 2014). The problem is exacerbated by the fact that most commercial automatic web vulnerability scanners have almost no support for logical vulnerabilities, and the solutions proposed in security research papers for detecting logical vulnerabilities do not provide experimental evidence of applicability in more than one MPWA scenario (e.g., CaaS or SSO).
In this presentation, we show a new approach towards automatic black-box detection of logical vulnerabilities in MPWAs. Our approach is based on an observation and a conjecture. The observation is that, regardless of their purpose, the security protocols at the core of MPWAs share a number of features: 
1) by interacting with SP (and/or TTP), User authenticates and/or authorizes some actions, 
2) TTP (SP, resp.) generates a security token, 
3) the security token is dispatched to SP (TTP, resp.) through the web browser, and 
4) SP (TTP, resp.) checks the security token and completes the protocol by taking some security-critical decisions. 
The conjecture is that the attacks found in the literature (and possibly many more still to be discovered) are instances of a limited number of attack patterns. For instance, the incorrect handling of the OAuth 2.0 access token by a vulnerable SP can be exploited by an attacker hosting another SP (Wang et al. 2013). If the victim User logs into the attacker's SP, the attacker obtains an access token (issued by TTP) from the victim and can replay it at the vulnerable SP to log in as the victim. A similar attack was previously discovered (Armando et al. 2008) in the SAML-based implementation deployed by Google (here the SAML authentication assertion is replayed instead of the OAuth 2.0 access token). Similar attacks have also been detected in CaaS-enabled scenarios (e.g., Pellegrino et al. 2014, Sun et al. 2014).
We selected 13 prominent attacks reported in real-world MPWAs and analyzed their similarities. This led us to identify 7 application-independent attack patterns (targeting 6 different replay attacks and a login CSRF attack) that concisely describe the actions performed by attackers while carrying out these attacks. These attack patterns are leveraged by a black-box security testing module that automatically collects and analyzes different HTTP traffic samples of the MPWA under test in order to select the applicable attack patterns, which in turn automatically generate attack test cases targeting logical vulnerabilities in the MPWA.
We implemented our ideas on top of OWASP ZAP (the most popular open-source penetration testing tool) and discovered 21 previously unknown vulnerabilities in prominent MPWAs (e.g., developer.linkedin.com, pinterest.com, open.sap.com, Stripe Checkout), including MPWAs that do not belong to the SSO and CaaS families.
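The four-step protocol skeleton and the cross-SP token replay pattern described above, as an added illustration that is not the authors' tool or any OWASP ZAP code: a toy TTP issues a token bound to the SP that requested it, one SP models the logical flaw (it accepts any genuine TTP token regardless of which SP it was issued for) and the other performs the missing audience check, and `replay_test` is the black-box test case the pattern generates. All names (`TrustedThirdParty`, `ServiceProvider`, `replay_test`, the `shop.example` and `other-sp.example` identifiers) are constructed for this example; the HMAC tag simply stands in for whatever signature or introspection mechanism a real TTP uses.

```python
import hashlib
import hmac
import secrets
from dataclasses import dataclass


@dataclass(frozen=True)
class Token:
    """Security token as minted by the TTP (step 2 of the protocol skeleton)."""
    subject: str    # User the TTP authenticated
    audience: str   # client_id of the SP the token was issued for
    tag: str        # TTP's HMAC over subject|audience (stands in for a signature)


class TrustedThirdParty:
    """Toy identity provider: authenticates the User and issues tokens bound to one SP."""

    def __init__(self):
        # Constructed per-run secret; it never leaves the TTP.
        self._key = secrets.token_bytes(32)

    def _tag(self, subject, audience):
        msg = f"{subject}|{audience}".encode()
        return hmac.new(self._key, msg, hashlib.sha256).hexdigest()

    def issue(self, subject, audience):
        """Steps 1-2: the User authenticated for SP `audience`; the TTP mints the token."""
        return Token(subject, audience, self._tag(subject, audience))

    def validate(self, token):
        """Models a token-introspection call. Returns (subject, audience) or None."""
        if not hmac.compare_digest(token.tag, self._tag(token.subject, token.audience)):
            return None
        return token.subject, token.audience


class ServiceProvider:
    """SP performing step 4. `check_audience=False` models the logical flaw."""

    def __init__(self, client_id, ttp, check_audience):
        self.client_id = client_id
        self.ttp = ttp
        self.check_audience = check_audience

    def login_with_token(self, token):
        """Returns the username a session is created for, or None if login is refused."""
        result = self.ttp.validate(token)
        if result is None:
            return None  # forged or tampered token: rejected by both SP variants
        subject, audience = result
        # The logical check: a genuine token must also have been issued for *this* SP.
        if self.check_audience and audience != self.client_id:
            return None
        return subject


def replay_test(target_sp, other_sp_id, ttp, victim="alice"):
    """Black-box test case for the cross-SP replay pattern.

    Steps 1-2 happen at a second SP (`other_sp_id`), so the TTP issues a token for
    that SP; step 3 dispatches that token to the target SP instead. The target is
    vulnerable if step 4 completes with a session for the victim.
    """
    token_for_other_sp = ttp.issue(victim, other_sp_id)
    return target_sp.login_with_token(token_for_other_sp) == victim


if __name__ == "__main__":
    ttp = TrustedThirdParty()
    flawed = ServiceProvider("shop.example", ttp, check_audience=False)
    hardened = ServiceProvider("shop.example", ttp, check_audience=True)
    print("flawed SP vulnerable:", replay_test(flawed, "other-sp.example", ttp))      # True
    print("hardened SP vulnerable:", replay_test(hardened, "other-sp.example", ttp))  # False
```

The point the example isolates is that the token in the replay is perfectly genuine, so checking its authenticity alone (the `validate` step) is not enough; the SP must also verify that the token was issued for it. This is why the pattern can be tested without any knowledge of the SP's internals: the tester only needs two traffic samples to identify the token and a second SP registration at the same TTP.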


Alessandro Armando

Associate Professor & Head of Research Unit, University of Genova & FBK

Roberto Carbone

Researcher, Fondazione Bruno Kessler
Dr. Roberto Carbone is a researcher of the Security & Trust Research Unit of Bruno Kessler Foundation (FBK-ICT) in Trento, since November 2010. He obtained the MSc degree in Computer Engineering at the University of Genova in 2005 and received his Ph.D. from the same University in...

Luca Compagna

Researcher, SAP
Dr. Luca Compagna is part of the Security Research team at SAP, where he is contributing to the research strategy and to the software security analysis area in particular. He received his Ph.D. in Computer Science jointly from the U. of Genova and U. of Edinburgh. His area of interests...

Avinash Sudhodanan

Early Stage Researcher, Fondazione Bruno Kessler
Avinash Sudhodanan is an Early Stage Researcher at the Security & Trust Unit of Fondazione Bruno Kessler and a 3rd year PhD student at the University of Trento. He is focusing his research on Automatic Analysis of Browser-Based Security Protocols (in the context of the EU project SECENTIS...

Thursday June 30, 2016 12:25 - 13:30 CEST
Room A (Michelangelo Ballroom Sect. 3)