But let’s not limit our focus to the InfoSec guys. Life coaches (whatever they are) are abusing the subject with exaggerated comparisons and vague slogans. And the business people, oh, believe me, these are the most creative. Telling you how big of a war is out there and how to deal with it like a boss. I kind of secretly desire for a cooking show to refer to The Art of War and debate how to diminish cucumbers’ morale before chopping and throwing them into the salad. All for a better taste of course, because, you know, cucumbers are the enemies.

I don’t find it particularly amusing to be the one breaking the spell but somebody has to do it.

So, The Art of War is a military treaty from 2500 years ago. One other important aspect you have to consider is that the writing and translation process was complicated to say the least. The origins of the text and author are known only to a certain degree of confidence and the writing went through several translation and reinterpretation cycles. It does outline some generic principles which can be applied in various aspects of life, especially if one has the tendency to generalize. Otherwise it talks about:

• Using gongs, drums, banners and flags to raise morale (funny enough, some InfoSec companies take this ad-literam)
• Analyzing weather and terrain conditions. Showing your troops that you packed enough food for the winter. If your rival’s forces are crossing a body of water, don’t meet them in the middle, where you’ll both be bogged down. Instead, wait until half of them have landed and attack while the entire army is divided.
• How spies must be liberally rewarded and their work highly appreciated.

Again, if one is prone to the confirmation bias and willing to look for far-fetched parallels, he can identify in the above 3 bullets awareness, reconnaissance and intelligence.

For this kind of people I’m willing to make a few recommendations of good readings:

• Little Red Ridding Hood outlining the necessity for risk analysis. Red should of known better when walking the woods alone.
• Snow White, which teaches us the need for security assessments. Our heroine could have used one of the dwarfs for QA testing the apple.
• And finally, my favorite, The Three Little Pigs from which we can learn about the security in depth principle and the need for security architecture.

Next time you go into a meeting and talk about the importance of Information Security, use The Three Little Pigs as your support material (on your own risk).

The Art of War is a good book if read properly and understood in the context in which it was written. China, 2500 years ago. And it’s not the only strategy manual from that region and period, another good read is The Seven Military Classics of Ancient China. The only universal principle coming out of these texts is that you must know yourself, your opponents and the context, and adapt your strategies accordingly.

But my question was always: why 10? Why not 11? Or 9. Or whatever else? I guess 10 sounds more important than 11 or 9. It’s the decimal system, 10 fingers, easy to visualize. What would you trust more, a Top 11 or a Top 10? Then the pressure is on the top creator to add, eliminate or combine elements to end up with 10 for a credible list.

Let’s get back to our InfoSec sheep. I prefer simplification and that’s why I started a quest to see if I can end up with a shorter version of the OWASP Top 10.

"The OWASP Top Ten is a powerful awareness document for web application security [...] represents a broad consensus about what the most critical web application security flaws are. [...] Adopting the OWASP Top Ten is perhaps the most effective first step towards changing the software development culture within your organization into one that produces secure code." [link]

The OWASP Top 10 is a versatile project and can be used in multiple ways. But as you work with it, you realize that it is a little bit bloated.

Let’s start with A1-Injection: "Injection flaws occur when an application sends untrusted data [...]" This to me sounds very similar to the definition of A3-Cross-Site Scripting (XSS): "XSS flaws occur whenever an application takes untrusted data and sends it [...]". But enough with definitions, rationalizing XSS is JavaScript injection. In my opinion, A1 and A3 are separated by the location of the untrusted data parser, server vs client side. But in terms of mitigation, they’re both addressed on the server side (if you’re security conscious), so why keep them separate, A1 + A3 =  NEW1.

And while we’re at it, isn’t CSRF another form of injection? The attacker injects a command to be executed by the victim in a valid session.

OK, one more and I promise we’ll move on. Otherwise we might end up with Top 1 security vulnerabilities. A10-Unvalidated Redirects and Forwards. The attack mechanism is similar to XSS and CSRF, tricking the victim through phishing. What’s the injection here? Malicious URLs.

So…

A1 + A3 + A8 + A10 = NEW1 – Injections of all kinds

Moving on to other categories. Now, talking about A2-Broken Authentication and Session Management, isn’t authentication part of the bigger concept, authentication and authorization? If so, A4-Insecure Direct Object References deals with flawed authorization and would fall under the same umbrella.

But wait a minute, isn’t A7-Missing Function Level Access Control dealing with access control aka authorization? The definition says:

Sometimes, function level protection is managed via configuration, and the system is misconfigured. Sometimes, developers must include the proper code checks, and they forget.

Let’s leave the part that is managed via configuration out of the question for a second (it will be incorporated in the next category). The rest of the problem is at the code level generated by the developer who doesn’t introduce proper checks and thus allows a malicious user to execute functions without authorization.

We have our second category:

A2 + A4 + A7 = NEW2 – Flawed authentication and authorization

What’s left? Ah, yes, the all mighty configuration issues. Let’s start with A5-Security Misconfiguration. If I had a penny for each vulnerability I’ve seen which was classified as A5, I wouldn’t probably write this article. What I’ve noticed is the tendency that most pentesters have to drop vulnerabilities that they think can’t be classified otherwise in this category. Sometimes it’s because issues are complex and there’s no other category for them, other times it’s just easy to drop them somewhere and forget about it, even though the vulnerabilities can easily fit in one of the other 9.

About A6-Sensitive Data Exposure, this is mainly related to infrastructure configuration. The main point here is related to the protection of data in transit and at rest. While developers can introduce vulnerabilities by using weak (if at all) cryptographic functions, this can be enforced by other security controls and with proper management of the development life-cycle. The focus has been lately on using old or poorly configured SSL versions and not encrypting data at rest. To me, A6 is just a different set of configuration issues.

Last but not least, A9-Using Components with Known Vulnerabilities. This is a no brainer, if you configure your systems properly and have a good change management process, you would you introduce or continue using old components, right? Depending on weather this is an infrastructure problem or using old vulnerable libraries in the code, the responsibility can be shared between SecOps and DevOps.

Thus we have our bronze medalist:

A5 + A6 + A9 = NEW3 – Configuration Vulnerabilities

Without further ado, I give you my heavily revised and compressed OWASP Top 3 Web Application Vulnerabilities

• NEW1 – Injections of all kinds
• NEW2 – Flawed authentication and authorization
• NEW3 – Configuration Vulnerabilities

Is it usable? It depends. On a higher and less technical level it makes things easier to explain. It might be useful to map the identified vulnerabilities on this top in order to identify the developers security training needs.

If you managed to read this far, you should know that I use the OWASP Top 10 on a daily basis in more than one way, I find it very practical and I prefer it over other web vulnerability classifications like CWE/SANS Top 25 due to its simplicity. There are certain cases where others are better, it all depends on how you plan to use them and the maturity of the organization where you try to implement.

Their approach was to use https just for the login sequence and plain text communication for everything else. And it was not like they didn’t understand the underplaying problem of sending session cookies over an unencrypted channel, it was just that they thought https is too much for the servers to deal with.

Doing some research back then, I found a paper from the 90s stating that the performance impact was between 10 and 20%. And that only because of the hardware (mainly) CPU available at that time. With the advancement in computational power that should have decreased over time.

And indeed, as of 2010, Gmail switched to using HTTPS for everything by default. Their calculation shows that SSL/TLS accounts for less than 1% of the CPU load, less than 10KB of memory per connection and less than 2% of network overhead. Of course there were some tweaks, but no rocket science involved.

1%, 2%, 10KB. Nothing. I remember somebody saying that 640KB ought to be enough for anyone Maybe he knew something. As you can see in the link, Bill Gates didn’t actually say that.

5 more years have passed since then, hardware is more capable, cheaper, so there’s no excuse not to use https.

I’ve seen poor implementations where all http traffic was passed over a secure channel, but not the .js files. Needless to say, a MitM attack can easily modify the .js on the fly and run code in the victim’s browser.

As a closing note, use https for everything, don’t invoke the performance issues, there’s no reason in the current era not to do so.

###

OWASP (The Open Web Application Security Project) are acum deschisa o organizatie locala si in Romania. Suntem in cautare de noi membri cu care sa alcatuim o echipa puternica de oameni implicati in securitate informatica. Scopul nostru principal este sa formam o comunitate locala in care sa putem gasi si oferi suport pentru proiectele fiecaruia si sa putem invata si progresa in acest domeniu in care activam sau pentru care avem o pasiune speciala.

Ce este OWASP: O comunitate globala care aduce vizibilitate si conduce evolutia catre siguranta si securitatea softwareului.

Ce isi propune organizatia in Romania:

– sa initieze intalniri periodice intre membri

– sa aduca la intalnirile periodice oameni implicati in OWASP la nivel global

– sa contribuie la proiectele OWASP

– sa propuna si sa dezvolte proiecte proprii in cadrul OWASP

– sa organizeze o conferinta de securitate in Romania

Activitatea OWASP nu este una comerciala sau profit. Mediul de afaceri este insa binevenit si incurajat sa sustina proiectele OWASP.

Cum poti deveni un membru activ al acestei comunitati? Intra pe pagina OWASP Romania, acceseaza grupul nostru de pe LinkedIn, aboneaza-te la lista de mail si intra in contact cu ceilalti membri.

As stated by the authors:
“In a nutshell the lack of direct access to the game server and having to deal with clients that are far too complex to be easily emulated force us to rely on injecting fuzzing data into a legitimate connections rather than use the standard replay execution approach. Top that with heavily encrypted and complex network protocols and you start to see why we had to become creative to succeed :)”

The problem of an application security analysts is that most of the communication is encrypted and is using custom protocols that can’t be intercepted using standard proxies like Burp or Charles. One’s thoughts on this could go into using Mallory as transport layer proxy and should be fine with some custom protocols but still doesn’t deal with the encryption problem. So reverse engineering and memory analysis and manipulation must be involved.

Techniques proposed by the presenters:
– Combining network traffic analysis with memory analysis (check what happens in the memory when certain packets are sent over the wire)

Challenges involved:
– Intercepting traffic
– Bypassing Encryption
– Reversing the protocol
– Monitoring the results of fuzzing

Traffic interception:
– DLL injection at the application level – direct access to game state
– Write a driver at the OS level
– Pass the traffic through an intercepting box – this is done at the network level; as a side note this can be done on the same box using WireShark; keep in mind that WireShark does not intercept packets sent on the loopback interface and you can use RawCap for this

DLL injection:
– Most application use Windows Winsock API and the interesting functions to watch for are connect, recv and send
– Ways to do it: Microsoft detour library and IAT (Import Address Table) hooking:
o http://sandsprite.com/CodeStuff/Understanding_imports.html
o http://sandsprite.com/CodeStuff/IAT_Hooking.html
– The problem is that protection mechanisms like anti-cheating engines detect hooking

Writing a driver:
– Windows Filter Platform – could be an excellent replacement for Mallory since we don’t need an external machine (even a virtual one) to capture the packets

The presenters then focus on the analysis of the custom LOL (League of Legends) protocol to give a practical example. Among others, they use packet, statistical, n-gram analysis and search for a feasible way to fuzz the protocol. They don’t go into details like tools, usage and how to perform the analysis but stay on a high perspective level.

For this example we will use bogus@pentest.ro. We first need to check the MX record for pentest.ro. In Linux is as simple as:

> dig MX pentest.ro

; <<>> DiG 9.6-ESV-R4 <<>> MX pentest.ro
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 53492
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 7, AUTHORITY: 3, ADDITIONAL: 0

;; QUESTION SECTION:
;pentest.ro.                    IN      MX

;; ANSWER SECTION:
pentest.ro.             86400   IN      MX      5 ALT2.ASPMX.L.GOOGLE.COM.
pentest.ro.             86400   IN      MX      10 ASPMX2.GOOGLEMAIL.COM.
pentest.ro.             86400   IN      MX      10 ASPMX3.GOOGLEMAIL.COM.
pentest.ro.             86400   IN      MX      10 ASPMX4.GOOGLEMAIL.COM.
pentest.ro.             86400   IN      MX      10 ASPMX5.GOOGLEMAIL.COM.
pentest.ro.             86400   IN      MX      1 ASPMX.L.GOOGLE.COM.
pentest.ro.             86400   IN      MX      5 ALT1.ASPMX.L.GOOGLE.COM.

;; AUTHORITY SECTION:
pentest.ro.             86400   IN      NS      ns1.pentest.ro.
pentest.ro.             86400   IN      NS      ns2.pentest.ro.
pentest.ro.             86400   IN      NS      ns3.pentest.ro.

;; Query time: 0 msec
;; SERVER: 127.0.0.1#53(127.0.0.1)
;; WHEN: Sat Jul  2 21:48:05 2011
;; MSG SIZE  rcvd: 261

On Windows platforms there is no integrated dig utility. You can use this app, or you can use a free online check like this one:

http://www.mxtoolbox.com/

Either way you will end up with the MX server or servers for the domain. Notice there is a number in front of the MX servers in the list, that indicates priority (smaller means higher priority). We will use the highest priority server available and if this one fails we can try the next one.

It’s time to connect to the server (from the command line in Linux or Windows):

> telnet ASPMX.L.GOOGLE.COM 25
Trying 74.125.39.27...
Connected to ASPMX.L.GOOGLE.COM.
Escape character is '^]'.
220 mx.google.com ESMTP y26si6167249fag.156
helo mydomain.com
250 mx.google.com at your service
mail from: <me@mydomain.com>
250 2.1.0 OK y26si6167249fag.156
rcpt to: <bogus@pentest.ro>
550-5.1.1 The email account that you tried to reach does not exist. Please try
550-5.1.1 double-checking the recipient's email address for typos or
550-5.1.1 unnecessary spaces. Learn more at
550 5.1.1 http://mail.google.com/support/bin/answer.py?answer=6596 y26si6167249fag.156
rcpt to: <somevalidaddress@pentest.ro>
250 2.1.5 OK y26si6167249fag.156
quit
221 2.0.0 closing connection y26si6167249fag.156
Connection closed by foreign host.

The bolded lines are the ones you type, the others are responses from the server.

All servers should abide to RFC 821. Most do, a few don’t. I noticed some servers are accepting all addresses as valid. This is not a standard response but you can check if this occures testing an email like vrWvrtVWRmJU5Jrvrw43t524@domain.com.

The response code you are interested in is 250. This means it’s a valid address. 550 means that the user does not exist. There are other codes as well and you can do further reading in the RFC.

Please note that helo command must be run before anything else. mydomain.com and me@mydomain.com can be changed in anything you please.

To close the connection after validation just type quit.

First of all, there are some perquisites. One will need an insider or more in order to carry out the attack, but this should not be a problem based on the fact that a lot of attacks come from the inside. The second matter would be to get access to the central machine taking care of the database. Again, if not well protected, an insider should be able to provide enough data to gain access.

Let’s choose a lottery, 6/49 for instance. You choose 6 numbers, mark them on a ticket and pass it to the lottery guy. The lottery guy place the ticket in a machine that reads the marked numbers, prints them on the side of the ticket and cuts off a part of the ticket. This is the magic part, as the machine keeps a part of the ticket for validation in case you win.

The system is closing hours before the drawing so the machines does not accept any new ticket after a specific hour. The insider would place a bogus ticket with random numbers, it really doesn’t matter what this would be, preferably the last ticket on the machine. This ticket has a unique serial number that will be printed on it and on the part that will remain in the machine and also registered in the central database, so it’s imperative that this ticket is issued via the standard procedure before the deadline.

After the drawing, some official from the lottery must enter the results into the system to check the winners. Using the previously gained access to the database, the attacker will modify the record corresponding to the bogus ticket (based on the unique serial number) with the correct numbers, preferably in real time so when the checking is made, the correct values are already in the database. Lotteries are usually broadcasting live the drawings so this step would be feasible. Otherwise another insider must be in the room when the drawing takes place.

The last step would be for the insider to replace the cut part of the bogus ticket with one that is printed with the same unique serial but with the winning numbers instead of the bogus ones. The other part of the ticket must be printed as well with the correct numbers. This would require some hardware work, but I saw people doing crazy things for pennies.

Conclusion:

I don’t say it’s feasible. It’s more of a “James Bond”-like fantasy. There are a lot of ifs, and here are some good measures that the lottery can implement to prevent this from happening:

• copy the final database before the drawing to a safe off-line location and check the results in this copy (then again it’s important who can access and how can this database be accessed)
• implement hardware protection on the machines who are printing the tickets
• implement strong security policy and do regular checks on the staff, maybe rotating them from one station to another