Watch your SaaS: Partial parameter checking or The case of the unfinished homework

“Laws are like sausages. It’s better not to see them being made.”

– Otto von Bismarck

I’m not sure how many of you have kids or how diligent they are with their homework but I’m sure you’ve heard stories of parents observing that their kids have finished their homework in a remarkably short period of time.  However, upon investigation, you quickly discover that your child has only finished half of their homework.

Sadly, this state of affairs can also be true for SaaS providers offering web application scanning services. Only half of the work gets done, resulting in rapid but inaccurate scans and potentially vulnerable websites that are given clean bills of health by the scanning company.

Taking shortcuts

Properly configured web vulnerability scanners should test parameters by locating all of the parameters on a page and then attacking one parameter at a time. So if there are 10 parameters, you attack parameter 1 and put acceptable values into the other 9 parameters so that the form request completes successfully.

Why can’t you just attack all 10 at once? Well, let’s say that parameter 1 is vulnerable and parameters 2-10 have good filters. If you attack parameter 1 with an attack that works (i.e. the application does not recognize it as an attack) and parameter 2 with an attack that trips the application’s filter, the application will quite likely appear not to be vulnerable.

Now the problem is that if you are testing various attacks (SQL Injection, Blind SQL Injection, Cross Site Scripting, etc.) you will have dozens of attacks of each class against each parameter.  Your total attacks per parameter will exceed 100 and if you have 10 parameters on a page (which you will likely have in a signup form, for example), you will have over a thousand attacks for that page. On top of that, some of these attacks, like blind SQL, will have multiple requests per attack.

Performance vs comprehensiveness

Many SaaS vendors want to complete scans fast to make them look more impressive. The problem is that in order to accomplish that, you have to cheat.

To speed up a scan, you might only test the first parameter or the first three or whatever and then skip testing the rest of the parameters.  If the customer doesn’t test the site and doesn’t get hacked, no one is the wiser if those untested parameters are vulnerable.

Does this matter?  Is it possible that one of parameters 4-10 is vulnerable if 1-3 are not?  In a word, yes.  Different parameter types (dates, text fields, numerical values, etc.) will have different filters.  Just because a developer got 1 right doesn’t mean that he got them all correct.  We’ve seen numerous cases where one parameter is 100% clean and others are full of holes.  You have to thoroughly test every parameter.

Letting those POSTs get away with murder

Since dealing with forms on web pages can be difficult and there is a possibility that they could modify data in the database behind the web application, some SaaS solutions don’t even attack them. So this means all the inputs from the forms never get tested.

On many of the sites we have tested over the last decade, the form inputs sent over POST have been some of the most critical attack points with some of the worst vulns and often the most important areas to test on a website. Not testing them is the same as locking your doors, but leaving your windows wide open.

How can you assess your vendor?

Ask your vendor the hard questions, such as:

1. How many parameters do they attack per page? Are there limits they impose?

2. Ask them to demonstrate that only one parameter at a time gets attacked while the other fields contain good data. Heck, ask them to put these answers in the Statement of Work (SOW).

3. Confirm that they attack forms and POST data. Ask them to demonstrate it or test it yourself with a trial.
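One way to check points 1 and 2 yourself during a trial is to audit the requests the scanner actually sends to a test form of your own. The following is an added example, not code from this post or from NTO; the form path, field names and baseline values are hypothetical, and the requests are a constructed stand-in for what you would export from your access log or an intercepting proxy.

```python
"""Audit a trial scan's traffic for per-parameter coverage (added example;
not from the original post). Input is a constructed list of requests as you
would export from your own access log or proxy while the vendor scans a test
form. It reports how many single-field attacks each parameter received, which
parameters were never mutated, and how many requests mutated several fields
at once (which can mask a vulnerable field behind another field's filter)."""
from collections import Counter
from urllib.parse import parse_qsl

# Benign values a normal submission of the (hypothetical) signup form sends.
BASELINE = {"user": "alice", "email": "a@example.com", "dob": "1990-01-01",
            "zip": "90210", "notes": "hi"}

# Constructed sample: (method, path, body). "PAYLOADn" stands in for attack text.
SAMPLE_REQUESTS = [
    ("POST", "/signup", "user=alice&email=a%40example.com&dob=1990-01-01&zip=90210&notes=hi"),
    ("POST", "/signup", "user=PAYLOAD1&email=a%40example.com&dob=1990-01-01&zip=90210&notes=hi"),
    ("POST", "/signup", "user=alice&email=PAYLOAD2&dob=1990-01-01&zip=90210&notes=hi"),
    ("POST", "/signup", "user=alice&email=a%40example.com&dob=PAYLOAD3&zip=90210&notes=hi"),
    # Two fields mutated in one request: a filter on email would hide a bug in user.
    ("POST", "/signup", "user=PAYLOAD4&email=PAYLOAD5&dob=1990-01-01&zip=90210&notes=hi"),
    ("GET", "/search", "q=PAYLOAD6"),  # a different form, ignored by this audit
]


def mutated_fields(body, baseline):
    """Names of parameters whose decoded value differs from the baseline."""
    sent = dict(parse_qsl(body, keep_blank_values=True))
    return {name for name, value in sent.items() if baseline.get(name) != value}


def audit(requests, baseline, method="POST", path="/signup"):
    """Return (attacks_per_param, untested_params, multi_field_requests).
    Only a request that changes exactly one field counts as an attack on it."""
    attacks = Counter()
    multi = 0
    for req_method, req_path, body in requests:
        if (req_method, req_path) != (method, path):
            continue
        changed = mutated_fields(body, baseline)
        if len(changed) == 1:
            attacks.update(changed)
        elif len(changed) > 1:
            multi += 1
    untested = sorted(set(baseline) - set(attacks))
    return dict(attacks), untested, multi


if __name__ == "__main__":
    per_param, untested, multi = audit(SAMPLE_REQUESTS, BASELINE)
    print("attacks per parameter:", per_param)
    print("never attacked individually:", untested)
    print("requests mutating several fields at once:", multi)
```

On the sample, zip and notes are never attacked and one request mutates two fields at once; a real scan of a 10-field form should show every field with a count well into the hundreds.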

RSA 2012: NT Objectives hosts ISE® VIP wine tasting reception & book signing with Kevin Mitnick

We are looking forward to RSA 2012 in San Francisco. We are excited to be hosting a VIP reception and a book signing with Kevin Mitnick with T.E.N and their ISE® Alumni VIP Hosts.

Each guest will receive a complimentary copy of Ghost in the Wires, enjoy tasting some rare wines from Europe’s finest boutique wineries with me and have the opportunity to connect with leading CISOs.

The wines have been selected by NTO’s own wine geek, me, and come from San Francisco’s hottest wine bar, Terroir. These are “natural” wines (WARNING: That links to a video that unnecessarily overuses and abuses the f-bomb, but it is the best explanation of natural wines and it’s entertaining as well.) made with minimal intervention to preserve their unique flavor profiles and, as such, are favored by industry insiders and wine geeks.

As the ISE® VIP Programs have been oversubscribed in previous years due to limited availability and strong interest, we recommend that you register early.

Hope to see you there!

More information on the NTObjective’s ISE VIP Reception and Book Signing

NT OBJECTives Positioned in the “Visionaries” Quadrant of the Magic Quadrant for Dynamic Application Security Testing (DAST)

Recent Gartner research positioned NT OBJECTives in the Visionaries quadrant for Dynamic Application Security Testing (DAST).(i) Gartner’s report was published in December and is now available to all Gartner subscribers.

Analysts Neil MacDonald and Joseph Feiman state in the report that “Dynamic Application Security Testing (DAST) solutions should be considered mandatory to test all Web-enabled enterprise applications, as well as packaged and cloud-based application providers.” They go on to note that “the market is maturing, with a large number of established providers of products and services.”(ii)

We consider our positioning in the “Visionaries” quadrant by Gartner confirmation of our mission and ability to deliver technologies and services that solve today’s toughest application security software challenges. Web application security represents one of the greatest security challenges facing the information technology industry today. We will continue to innovate and deliver the products today’s security teams need. In the months ahead, we are excited to launch a number of products that will further enhance our market position and help our customers.

In the report, MacDonald and Feiman also note that “as organizations have improved the security of their network, desktop and server infrastructures, there has been a shift to application-level attacks as a way to gain access to the sensitive and valuable information they handle, or to use a breach of an application to gain access to the system underneath. In addition, there has been a shift in attacker focus from mass “noisy” attacks to financially motivated, targeted attacks. As a result of these trends, application security has become a top investment area for information security organizations, whether improving the security of applications developed in-house, procured from third parties or consumed as a service from cloud providers.”(iii)
Gartner clients may view a copy of the Magic Quadrant for Dynamic Application Security Testing (DAST) report via Neil MacDonald’s blog, “The Market for Dynamic Application Security Testing is Anything but Static”.

Gartner does not endorse any vendor, product or service depicted in its research publications, and does not advise technology users to select only those vendors with the highest ratings. Gartner research publications consist of the opinions of Gartner’s research organization and should not be construed as statements of fact. Gartner disclaims all warranties, expressed or implied, with respect to this research, including any warranties of merchantability or fitness for a particular purpose.

About NT Objectives
NT OBJECTives, Inc brings together an innovative collection of experts in information security to provide a comprehensive suite of technologies and services to solve today’s toughest application security challenges. NT OBJECTives solutions are well known as the most comprehensive and accurate Web Application security solutions available. NT OBJECTives is privately held with headquarters in Irvine, CA.

(i) Gartner “Magic Quadrant for Dynamic Application Security Testing” by Neil MacDonald and Joseph Feiman, December 27, 2011
(ii) Gartner “Magic Quadrant for Dynamic Application Security Testing” by Neil MacDonald and Joseph Feiman, December 27, 2011
(iii) Gartner “Magic Quadrant for Dynamic Application Security Testing” by Neil MacDonald and Joseph Feiman, December 27, 2011

Surviving the Week – 02/17/2012

The NTO team keeps growing and the demands of running the business and supporting our customers are keeping me busy… and it’s a blast. But now it’s good to be getting back to these weekly postings.

On to the news, so I can help keep you all informed about the important news in web app security.

  • Will a standardized system for verifying Web identity ever catch on? – Maybe the question is “Do we even want a standardized system for verifying Web Identity?” I for one see stuff like this every day, and if the FBI’s site can be hacked, who is going to promise the security of OpenID? It will just become the single place an attacker has to attack to get access to everyone’s confidential/private data.
  • CSRF with upload – XHR-L2, HTML5 and Cookie replay – XHR-Level 2 calls embedded in an HTML5 browser can open a cross-domain socket and deliver an HTTP request. Cross-domain calls will abide by CORS, but browsers end up generating preflight requests to check policy and, based on that, will allow cookie replay. Interestingly, multipart/form-data requests will go through without the preflight check and “withCredentials” allows cookie replay. This is how some new cutting edge attacks are going to be performed.
  • Vote Now! Top Ten Web Hacking Techniques of 2011 – This is an incredibly useful survey that they do each year. So, please vote to help the community get an idea of what is interesting and important to you.
  • Twitter Enables HTTPS By Default – As sites like Google, Facebook and now Twitter start pushing all traffic to HTTPS, I fear that users will mistake this for real security. “Oh, I can put all my information on Facebook/Twitter/etc now because they are ‘secure’. See there is even a little padlock icon in my browser when I go to those sites, just like the bank.” – FAIL

Julian Assange – Hacker of the Year?

On Dan and Jim’s recent podcast, I learned that Julian Assange had been declared Hacker of the Year. Assange is certainly a person that elicits strong opinions out of people, one way or another.

Much ink has been spilt over personal privacy in the modern age – most of it has been over whether we have any expectation of personal privacy in our lives. I emphasize the word personal because it is generally agreed that it would be nice if we had personal privacy. That is, I really do not want my credit card data, my health data and my banking information splattered all over. Without getting too far into this, I can agree that many of us have made the affirmative decision, wittingly or unwittingly, to broadcast a ton of personal information about ourselves on the Internet through Facebook, Foursquare and the like. The argument is generally about whether we have any hope of maintaining the privacy of our personal information in this day and age.

But that is not what interests me about Assange and his potential copycats. The area of privacy that Assange has threatened is more corporate privacy. I should say enterprise because this would include government and nonprofit, but corporate privacy sounds better.

Assange, as we know, has facilitated the dissemination of private enterprise communications for all the world to see. His motivations are very clear; he seeks to expose wrongdoers by providing evidence of evil deeds. For the sake of argument, let us agree that, in the words of Richard Nixon, “mistakes were made” by the enterprises exposed by Mr. Assange. Let us also assume, for the sake of argument, that Mr. Assange’s motives were pure and he does this for the sole purpose of punishing the wicked and discouraging bad behavior in the future. While I have not met Mr. Assange, I actually have no reason to doubt this.

My question is this: do we have any right to or expectation of corporate privacy?

This is a trickier question than one of personal privacy.   Almost all enterprises have policies that explicitly state that our communications over media owned by them (e.g. E-Mail) are owned by the enterprise.  Having said that, there is an implicit expectation of the confidentiality of certain communications between parties in the corporate world.

Some examples come to mind where corporate privacy is beneficial to us as a society.

  • Communications About Personnel
  • Personal Information (e.g. Health Information)
  • Corporate Secrets
  • Sensitive Information

Now I am sure that Mr. Assange would agree with most or all of these points. I have never met Mr. Assange and can’t state with any certainty how he would respond, but a possible response would be that he should be trusted to weigh these risks and decide what should and should not be published based on the benefits of the dissemination and the potential harm.

I would also point out that we are entering a brave new world of whistleblower disclosures. Journalists have long reported on instances of whistleblowing, but they very carefully extract documents as opposed to disseminating vast quantities of microdata as Mr. Assange has. Additionally, journalists (at least in the US) are exposed to potential litigation if they cause harm by their actions. Mr. Assange has intentionally (by his own admission) set up in jurisdictions to minimize his risk of litigation.

My question is, is that really how we as a civilized society (or at least a society striving to be civilized) want a decision that has potentially significant impact on corporate privacy to be made?

For the sake of argument, let’s look at another decision that we make.  Punishment.  There are millions of criminals in this country and others that violate the understood morals of the society in which they live.  Do we allow individuals to decide to punish them?  If I see someone stealing an old woman’s purse, do I grab him and lock him in my basement?  Of course the answer is no.  We have a codified system of laws and a judicial system made up of individuals who effect judgement and punishment of criminals.  We do not leave these decisions to individual people or groups of people.

One can argue that Mr. Assange is basically a whistleblower (or a facilitator of whistleblowers). A whistleblower is someone who reports wrongdoing. There is some degree of legal protection for whistleblowers both in the US and internationally and I am personally certainly on board with the idea of exposing evildoers.

I guess that my question is whether dumping E-Mails on the Internet is the optimal way to do this. The question is, is there a better solution? The irony is that I think that the security community has actually already come up with a better solution. When a security researcher discovers a vulnerability, most will contact the vendor. The vendor is supposed to investigate the claim and create and release a patch before the researcher releases the exploit. Now this system doesn’t always work perfectly, but it at least allows the responsible party to do the right thing before the world knows that their system can be hacked.

Maybe this is a better model for whistleblowers. If a crime is committed, the evidence can be sent to the appropriate government authorities with a reasonable deadline for action. The government should be able to act while using its resources to scrub the communications and minimize the damage to corporate privacy. If the government fails to act and cannot convince the Assanges of the world of its reasoning, then all bets are off. This problem, of course, becomes much trickier if the wrongdoer is the government, but the government does have mechanisms to investigate itself. This idea is admittedly a Devil’s Bargain, but it may be better than the situation we find ourselves in today. If Mr. Assange and his imitators continue to have success, it may be better for governments to try to strike deals with them rather than risk widespread dissemination of confidential information.

An Information Security Place Podcast – Episode 02 for 2012

Thanks go to Jeremiah Grossman for sitting down with Michael for some great discussion. Jeremiah is the CTO at Whitehat Security and a very well known figure in the InfoSec industry. Jeremiah and Michael talk about Hawaii, sharks, security philosophy, RSA, stage fright, Jeremiah’s TED talk (not published as of the posting of this entry), and the age of the InfoSec industry and whether young folks are coming into the fold.

You can find Jeremiah at Whitehat (link above) and his blog, and you can follow him on Twitter as well. Jeremiah will be giving a talk and participating on a panel at RSA as well, so be sure to attend those if you are going to the RSA Conference 2012.