First off, in the spirit of full disclosure, two points: One is that this talk took place at the same time as the Shreeraj Shah talk I attended, but I did indeed effectively attend this talk as Dan presented it to me and one other employee of our company, NT OBJECTives after the conference. And point two is: this is because Dan is the co-CEO of NTO of which I am an employee (lead software architect). So the usual caveats of conflict of interest or “of course he is going to write a positive review” apply but to that I would say that as a borderline autistic nerd of dubious social skills (i.e. guile), I’m not that good of an actor. So I am delighted that I can say sincerely that this talk was very informative and rivaling the others in that regard without having to run to the toilet afterwards.
The fundamental theses of this talk are that the data to be perturbed for purposes of attack has gone deeper into the new protocols being employed to write web applications and also that a lot of these applications are for new technologies like mobile phones and as such the developers of the applications for these devices are making silly mistakes that secure-coding veterans of more conventional client-server platforms know to avoid. Or to state that latter one another way, with every new platform comes an opportunity to make the same old mistakes. On the former, whereas in previous years all one had to worry about were html query parameters, form inputs, and cookies (and the odd custom this that or the other), now there are JSON, AJAX, AMF, SOAP, REST, GWT-RPC, etc. and in several mobile apps there are proprietary binary data transports to worry about.
The business logic layer between the JSON, AJAX, etc. and the database is typically rather lax in security and often vulnerable to SQL injection attacks. AMF is a binary format but a quite well known one (by myself in particular, I wrote the parser for it in the new release of NTOSpider). Burp proxy shows the contents of AMF packets and it is easy to perturb string values with, for example, a SQL injection attack before forwarding the request on to the server. JSON and AJAX are more human readable than AMF and so they also are easy to attack. REST is more of a loosely defined suite of protocols all of which can be attacked in a conceptually similar way.
These new protocols do not necessarily retain the name=value paradigm in the strictest sense but with all of them one can recognize strings into which attack payloads can be inserted. The other half of the talk was an eye opening account of how easy it is to hack mobile apps. Passwords are often weak because people do not want to type elaborate passwords on a mobile phone, particularly where you have to switch between alpha and num several times which you do for a strong password.
Many apps are very stupidly written to use the phone’s MEID (the simcard ID with which the phone id’s you to the provider) as the authentication key. These are easily snooped. Even worse, some apps make the token gesture of asking for a password and then do not bother hashing it with the MEID. Effectively, the developers themselves have trojaned your mobile phone. Further, again to promote usability, session tokens often never expire.
So combined with these other vulnerabilities and the fact that some apps send info unencrypted as well, one can simply stroll around a shopping mall collecting MEIDs and session ids and then do whatever appearing to the server as these various users. There is a particular mobile phone app called bump which makes it easy to share contact information. Lovely idea but they use the GPS coordinates and not much else for authentication so one can fake GPS coordinates, intercept this traffic, and send errors to the phones in question which causes (likely) the users to rebump at which point you are the man in the middle snooping their personal information. A malicious URL can even be injected which allows for obtaining remote shell on the mobile device. The talk concludes by noting that 32% of apps are SQL injection vulnerable and that WAFs have not caught up with JSON, REST, AMF, and so forth.
The conclusions I come away with from this talk are many. Having worked on NTOSpider 6.0 which works with most of these new protocols, I was already keenly aware (and relieved) that attacking them is really just a matter of digging a little deeper for the fruit to attack as opposed to being some hugely intractable AI problem which means also that CSOs can and should still incorporate the use of automatic scanners (that are aware of the protocols) as part of their security strategy.
This is good for us at NTO and good for the industry in general as I don’t think anybody wants to give up the efficiency of automatic scanning and transition into a regime where the only way to ensure security is with hugely expensive manual pen testing and nothing else. Further, when there is a new platform despite it being basically the same as preceding platforms under the glamorous facade (mobile computer in your pocket, ooh aah, but still basically client-server), there is a taking a few steps backward before taking steps forward with such things as weak passwords, unencrypted transmission, bad authentication schemes, unvalidated inputs, etc. Security is in a lot of ways a “the more things change the more they stay the same” game.
There is more detailed information on this topic in our new whitepaper, The Widening Web Application Security Scanner coverage Gap in RIA, Mobile and Web Services.
Recorded presentation from 2012 OWASP AppSec USA “Get Off Your AMF and Don’t REST on JSON” by Dan Kuykendall.
Leave a Reply