Miscellaneous Security

Reading time: 2 – 4 minutes

Photo: malik ml williams

This is the last-part in a ten-part-series describing the OWASP Top 10. (See the entire OWASP Top 10)

What is the problem with Failing to Restrict URL Access

A common problem in web applications, failing to restrict URL access typically happens when a page doesn’t have the correct access control policy in place. Unauthorized users are able to view content that they shouldn’t have the ability to view.

Having these vulnerabilities in your application exposes privileged functionality to unauthorized users. It can also create a problem with your record trails. If users can access records without being authenticated the chain of custody is completely broken, preventing good auditing from taking place.

Failing to restrict URL access can also lead to problems with bypassing session management, another of the OWASP Top 10.

An Example of Failing to Restrict URL Access

Developers attempting to hide functionality from a user by creating “hidden” pages can create a failure to restrict URL access situation.

Hidden pages are defined as pages that don’t have a link pointing to them, preventing web crawlers, such as Google, from indexing them. Some developers believe that these pages will never be found by anyone who doesn’t know the exact URL. However, attackers typically find these pages through forceful browsing and the access controls on these pages tend to not be restrictive.

Another example of a page that can have this type of vulnerability is one where all of the privileges are checked client side but not server side. Attackers using personal proxies can bypass these client-side privileges and access functionality not intended for them to access.

How Do You Restrict URL Access

Most of these problems arise from a change in policy happening on paper, but not being implemented thoroughly across the application.

Restricting URL access correctly takes careful planning by the developer and the supporting organization. Organizations can follow some simple rules that will help them in preventing this vulnerability.

• Developers should never assume users will be unaware of hidden functionality.
• Administrators should block access to all file types that the application doesn’t serve.
• Architects should develop an access control matrix, helping them to prevent unauthorized users from accessing authorized content. This should be done for every URL and business function of the application.

Reading time: 2 – 3 minutes

Photo: Jason Arends

This is the ninth-part in a ten-part-series describing the OWASP Top 10. (See all the OWASP Top 10)

What are Insecure Communications

Insecure communications is when a client and server communicate over a n0n-secure (non-encrypted) channel. By doing this, the developer is ensuring that their communication channel can be viewed by eyes they didn’t intend.

Failing to securely communicate server-to-server and server-to-client helps attackers to intercept sensitive transactions. Attackers do this by using man-in-the-middle attacks, a post for another time. Not communicating securely breaks down confidentiality and integrity.

Developers fall into communicating insecurely when they:

• Don’t secure their client-to-server connections.
• Don’t secure their server-to-database connections.
• Don’t secure other back end connections that pass sensitive data.

An Example of Insecure Communications

Assume a developer has written an application that takes input from a user and stores it in a database that is located on another network segment.

If the developer fails to use SSL between the web server and the user, then he has an insecure communications channel between the user and the web server. (Client-to-server connection)

If the developer fails to forget to encrypt the connection between his web server and the database, then he is failing to secure the server-to-database connection.

How Do You Prevent Insecure Communications from Occurring in your Web Application

To prevent insecure communications from occurring, the first step is to make sure the security architect has formulated secure methods of communication between the clients and servers. The security architect can limit the connections they need to look at by only reviewing which servers and clients pass sensitive data.

Keep in mind, most of these architectures will fail to forget to encrypt data on back-end connections, such as database connections. Just because the data is now behind a firewall doesn’t mean it should be passed in clear-text.

To verify insecure communications won’t happen on your network:

• Make sure all client-to-server connections are encrypted with SSL.
• Verify that server-to-database connections are encrypted.
• Verify that any other areas in the design where sensitive data is passed is done so in a secure way.
• Keep developers in a security mindset. Developers should never assume their application is sending their information securely. Developers should always assume that any communications that are being made are done insecurely.

Reading time: 5 – 8 minutes

Photo: O'Reilly

My first book Hacking: The Next Generation is now available in electronic format. The physical version should be available on Amazon and in book stores in the next few days on October 15th.

I want to thank Mike Loukides of O’Reilly, and my co-authors Billy Rios and Nitesh Dhanjani. A special thanks to Nitesh for providing me this opportunity.

Here is a description and the layout of the book. If you read the book please send me a shout-out on Twitter and let me know what you think, I would love to hear feedback.

Description

With the advent of rich Internet applications, the explosion of social media, and the increased use of powerful cloud computing infrastructures, a new generation of attackers has added cunning new techniques to its arsenal. For anyone involved in defending an application or a network of systems, Hacking: The Next Generation is one of the few books to identify a variety of emerging attack vectors.

You’ll not only find valuable information on new hacks that attempt to exploit technical flaws, you’ll also learn how attackers take advantage of individuals via social networking sites, and abuse vulnerabilities in wireless technologies and cloud infrastructures. Written by seasoned Internet security professionals, this book helps you understand the motives and psychology of hackers behind these attacks, enabling you to better prepare and defend against them.

• Learn how “inside out” techniques can poke holes into protected networks
• Understand the new wave of “blended threats” that take advantage of multiple application vulnerabilities to steal corporate data
• Recognize weaknesses in today’s powerful cloud infrastructures and how they can be exploited
• Prevent attacks against the mobile workforce and their devices containing valuable data
• Be aware of attacks via social networking sites to obtain confidential information from executives and their assistants
• Get case studies that show how several layers of vulnerabilities can be used to compromise multinational corporations.

Chapter 1 – Intelligence Gathering: Peering Through the Windows to Your Organization

To successfully execute an attack against any given organization, the attacker must first perform reconnaissance to gather as much intelligence about the organization as possible. In this chapter, we look at traditional attack methods as well as how the new generation of attackers is able to leverage new technologies for information gathering.

Chapter 2 – Inside-Out Attacks: The Attacker Is the Insider

Not only does the popular perimeter-based approach to security provide little risk reduction today, but it is in fact contributing to an increased attack surface that criminals are using to launch potentially devastating attacks. The impact of the attacks illustrated in this chapter can be extremely devastating to businesses that approach security with a perimeter mindset where the insiders are generally trusted with information that is confidential and critical to the organization.

Chapter 3 – The Way It Works: There Is No Patch

The protocols that support network communication, which are relied upon for the Internet to work, were not specifically designed with security in mind. In this chapter, we study why these protocols are weak and how attackers have and will continue to exploit them.

Chapter 4 – Blended Threats: When Applications Exploit Each Other

The amount of software installed on a modern computer system is staggering. With so many different software packages on a single machine, the complexity of managing the interactions between these software packages becomes increasingly complex. Complexity is the friend of the next-generation hacker. This chapter exposes the techniques used to pit software against software. We present the various blended threats and blended attacks so that you can gain some insight as to how these attacks are executed and the thought process behind blended exploitation.

Chapter 5 – Cloud Insecurity: Sharing the Cloud with Your Enemy

Cloud computing is seen as the next generation of computing. The benefits, cost savings, and business justifications for moving to a cloud-based environment are compelling. This chapter illustrates how next-generation hackers are positioning themselves to take advantage of and abuse cloud platforms, and includes tangible examples of vulnerabilities we have discovered in today’s popular cloud platforms.

Chapter 6 – Abusing Mobile Devices: Targeting Your Mobile Workforce

Today’s workforce is a mobile army, traveling to the customer and making business happen. The explosion of laptops, wireless networks, and powerful cell phones, coupled with the need to “get things done,” creates a perfect storm for the next-generation attacker. This chapter walks through some scenarios showing how the mobile workforce can be a prime target of attacks.

Chapter 7 – Infiltrating the Phishing Underground: Learning from Online Criminals?

Phishers are a unique bunch. They are a nuisance to businesses and legal authorities and can cause a significant amount of damage to a person’s financial reputation. In this chapter, we infiltrate and uncover this ecosystem so that we can shed some light on and advance our quest toward understanding this popular subset of the new generation of criminals.

Chapter 8 – Influencing Your Victims: Do What We Tell You, Please

The new generation of attackers doesn’t want to target only networks, operating systems, and applications. These attackers also want to target the people who have access to the data they want to get a hold of. It is sometimes easier for an attacker to get what she wants by influencing and manipulating a human being than it is to invest a lot of time finding and exploiting a technical vulnerability. In this chapter, we look at the crafty techniques attackers employ to discover information about people to influence them.

Chapter 9 – Hacking Executives: Can Your CEO Spot a Targeted Attack?

When attackers begin to focus their attacks on specific corporate individuals, executives often become the prime target. These are the “C Team” members of the company—for instance, chief executive officers, chief financial officers, and chief operating officers. Not only are these executives in higher income brackets than other potential targets, but also the value of the information on their laptops can rival the value of information in the corporation’s databases. This chapter walks through scenarios an attacker may use to target executives of large corporations.

Chapter 10 – Case Studies: Different Perspectives

This chapter presents two scenarios on how a determined hacker can cross-pollinate vulnerabilities from different processes, systems, and applications to compromise businesses and steal confidential data.