Cloudy with a chance of 0-day

Similar documents
Where every interaction matters.

Cloud Computing. Technologies and Types

Lecture 10 Fundamentals of GAE Development. Cloud Application Development (SE808, School of Software, Sun Yat-Sen University) Yabo (Arber) Xu

SOA, case Google. Faculty of technology management Information Technology Service Oriented Communications CT30A8901.

Cloud Application Development (SE808, School of Software, Sun Yat-Sen University) Yabo (Arber) Xu

Google Apps Engine. G-Jacking AppEngine-based applications. Presented 30/05/2014. For HITB 2014 By Nicolas Collignon and Samir Megueddem

OWASP and OWASP Top 10 (2007 Update) OWASP. The OWASP Foundation. Dave Wichers. The OWASP Foundation. OWASP Conferences Chair

Security Testing with Selenium

Web application security

ArcGIS Server Security Threats & Best Practices David Cordes Michael Young

Web Application Hacking (Penetration Testing) 5-day Hands-On Course

References. Introduction to Database Systems CSE 444. Motivation. Basic Features. Outline: Database in the Cloud. Outline

Introduction to Database Systems CSE 444

Workday Mobile Security FAQ

Hack Proof Your Webapps

3. Broken Account and Session Management. 4. Cross-Site Scripting (XSS) Flaws. Web browsers execute code sent from websites. Account Management

Creating Stronger, Safer, Web Facing Code. JPL IT Security Mary Rivera June 17, 2011

PaaS - Platform as a Service Google App Engine

Is Drupal secure? A high-level perspective on web vulnerabilities, Drupal s solutions, and how to maintain site security

FINAL DoIT v.4 PAYMENT CARD INDUSTRY DATA SECURITY STANDARDS APPLICATION DEVELOPMENT AND MAINTENANCE PROCEDURES

Cloud Computing. Chapter 3 Platform as a Service (PaaS)

ASP.NET MVC Secure Coding 4-Day hands on Course. Course Syllabus

Enterprise Application Security Workshop Series

1. Introduction. 2. Web Application. 3. Components. 4. Common Vulnerabilities. 5. Improving security in Web applications

(WAPT) Web Application Penetration Testing

Ø Teaching Evaluations. q Open March 3 through 16. Ø Final Exam. q Thursday, March 19, 4-7PM. Ø 2 flavors: q Public Cloud, available to public

Check list for web developers

The Web AppSec How-to: The Defenders Toolbox

appscale: open-source platform-level cloud computing

CSE598i - Web 2.0 Security OWASP Top 10: The Ten Most Critical Web Application Security Vulnerabilities

Web Application Worms & Browser Insecurity

What is Web Security? Motivation

HYBRID CLOUD SUPPORT FOR LARGE SCALE ANALYTICS AND WEB PROCESSING. Navraj Chohan, Anand Gupta, Chris Bunch, Kowshik Prakasam, and Chandra Krintz

MANAGED SECURITY TESTING

Mobile Banking. Secure Banking on the Go. Matt Hillary, Director of Information Security, MX

CS 558 Internet Systems and Technologies

Cloud Computing. Up until now

State of The Art: Automated Black Box Web Application Vulnerability Testing. Jason Bau, Elie Bursztein, Divij Gupta, John Mitchell

Sitefinity Security and Best Practices

EC-Council CAST CENTER FOR ADVANCED SECURITY TRAINING. CAST 619 Advanced SQLi Attacks and Countermeasures. Make The Difference CAST.

Threat Modeling. A workshop on how to create threat models by creating a hands-on example

IJMIE Volume 2, Issue 9 ISSN:

How to Grow and Transform your Security Program into the Cloud

BASELINE SECURITY TEST PLAN FOR EDUCATIONAL WEB AND MOBILE APPLICATIONS

Security features of ZK Framework

The full setup includes the server itself, the server control panel, Firebird Database Server, and three sample applications with source code.

Lecture 6 Cloud Application Development, using Google App Engine as an example

System Administration Training Guide. S100 Installation and Site Management

Product Manual. MDM On Premise Installation Version 8.1. Last Updated: 06/07/15

Revisiting SQL Injection Will we ever get it right? Michael Sutton, Security Evangelist

Web Application Penetration Testing

Top Ten Web Application Vulnerabilities in J2EE. Vincent Partington and Eelco Klaver Xebia

Web Application Security

This session was presented by Jim Stickley of TraceSecurity on Wednesday, October 23 rd at the Cyber Security Summit.

Attack Vector Detail Report Atlassian

Arrow ECS University 2015 Radware Hybrid Cloud WAF Service. 9 Ottobre 2015

Practical Google App Engine Applications in Python

Webapps Vulnerability Report

Web Application Vulnerability Testing with Nessus

WEB SECURITY. Oriana Kondakciu Software Engineering 4C03 Project

WildFire Overview. WildFire Administrator s Guide 1. Copyright Palo Alto Networks

WEB SECURITY CONCERNS THAT WEB VULNERABILITY SCANNING CAN IDENTIFY

Cross Site Scripting in Joomla Acajoom Component

Still Aren't Doing. Frank Kim

CS 155 Final Exam. CS 155: Spring 2013 June 11, 2013

Google App Engine f r o r J av a a v a (G ( AE A / E J / )

APP DEVELOPMENT ON THE CLOUD MADE EASY WITH PAAS

About me. André Boonzaaijer - CTO - Trainer - Software engineer / architect / coach - Excavator operator Sogyo B.V.

Hacking cookies in modern web applications and browsers

Research Paper Available online at: A COMPARATIVE STUDY OF CLOUD COMPUTING SERVICE PROVIDERS

Hack Yourself First. Troy troyhunt.com

REDCap Technical Overview

A Server and Browser-Transparent CSRF Defense for Web 2.0 Applications. Slides by Connor Schnaith

Semantic based Web Application Firewall (SWAF V 1.6) Operations and User Manual. Document Version 1.0

Web Application Security

Secure development and the SDLC. Presented By Jerry

Advancements in Botnet Attacks and Malware Distribution

Web applications. Web security: web basics. HTTP requests. URLs. GET request. Myrto Arapinis School of Informatics University of Edinburgh

Attack and Penetration Testing 101

INCREASINGLY, ORGANIZATIONS ARE ASKING WHAT CAN T GO TO THE CLOUD, RATHER THAN WHAT CAN. Albin Penič Technical Team Leader Eastern Europe

Detecting and Exploiting XSS with Xenotix XSS Exploit Framework

The Cloud to the rescue!

Cloud Security Framework (CSF): Gap Analysis & Roadmap

DIPLOMA IN WEBDEVELOPMENT

The Top Web Application Attacks: Are you vulnerable?

WHITE PAPER. FortiWeb and the OWASP Top 10 Mitigating the most dangerous application security threats

Introduction to IBM Worklight Mobile Platform

Mobile Device Management Version 8. Last updated:

Transcription:

Cloudy with a chance of 0-day November 12, 2009 Jon Rose Trustwave jrose@trustwave.com The Foundation http://www.owasp.org

Jon Rose Trustwave SpiderLabs Phoenix DC AppSec 09!

Tom Leavey Trustwave SpiderLabs NYC

Cloud Fluff Google App Engine Security risks

dynamically scalable and often virtualized resources are provided as a service over the internet. Users need not have knowledge of, expertise in, or control over the technology infrastructure Source: Wikipedia

Marketing Hype 6

Software as a Service 7

Platform as a Service 8

Infrastructure as a Service 9

Why the Cloud? 10

No infrastructure investment

Expand or shrink based on demand

Pay as you go

Scaling and load balancing

It s the Next Big Thing

New Opportunities Nasdaq Market Replay Amazon S3 & AIR frontend New York Times: 1851 1989 TIFF uploaded & PDF d on Amazon S3

Too expensive for traditional development process

Potential Problems

Vendor Lock-In

Multitenant Infrastructures

Evolving IT experiment vs. Enterprise-ready environments

Forensics

Compliance

Third Party Data Processing

Where are you in the Cloud?

Compliance?

Cloud (Mis)use Sensepost Sifto Malicious vms BruteForce forgot password links PGP zip password cracking

Cloud Security Testing Service

NSW Response Time Study 7 month study of Amazon EC2, Google AppEngine and Microsoft Azure Scaled well to meet demand Inconsistent performance results Response times varied by a factor of 20 Effected by time of day No hard data Emailed Anna Liu

Cloud Providers

31

Google App Engine (GAE)

Google App Engine (GAE) Released April 2008 Full application stack for developers Python/Java API into Google's infrastructure Currently free Preview Release SDK provides local development environment

Runtimes webapp Framework Version 2.5.2 No C Extensions Servlets or JSP s Version 6 White List

Sandbox Limited access to OS Only access Internet through API s 30 Seconds Max

Datastore Google DB: Bigtable Data objects AKA Entities Concurrency control Transactions

API s Users API Email URL Fetch Memcache Image Manipulation

Cron and Queues Schedule Tasks Handled by the Cron service Invoke a URL at a given time Task Queues Background task created while handling a request Experimental Feature Web Hook Only for Python Same Limits/Quotas as HTTP request

Quotas

Billing Quotas

Account Signup requires SMS message to activate account

Terms of Service Only access Admin interface through API Cannot link multiple Apps into single App Pre-screen, review, flag, filter, modify, refuse or remove any or all Content from the Service Google has no responsibility or liability for the deletion or failure to store any Content and other communications maintained or transmitted

App Engine Security Details

The team identified and fixed the underlying problem and service has now been restored.

Cloud Risks 48

Client-Server Business Logic Data Validation 30 seconds

SSL only on appspot.com subdomains

Availability & Crashes 51

GAE System Status 52

App Denial of Service The cloud expands based on demand Pricing is based on utilization Is this malicious? How can you tell? GET http://myapp.appspot.com X 10 GET http://myapp.appspot.com X 1000000000000

App Denial of Service == $$$ Leverage application functionality to exceed quotas Repeated URL fetch for large data Forcing application to make multiple URL fetch requests Invoking process intensive functions repeatedly DOS is way cooler when it costs people money

Breaking Quotas

Java App - GaeFlood

JS Malware - GaeDOS.js

Quota Denial of Service

Quota Denial of Service

Task Queues DOS App is still up, Queue functionality can no longer be used

URLFetch Abuse Proxy attacks Delay investigations 10 seconds timeout

App Versions Apps with outdated versions exposed 1.latest.app-id.appspot.com 2.latest.app-id.appspot.com

One Vuln to Own the All A single vulnerability in the Runtime would affect all apps HyperVM exploit (LXLabs) 100,000 websites destroyed Cheaper, non-backed up sites completely gone.. HyperVM boss commits suicide

Code Security

It s just a web app XSS Access Controls Response Splitting GQL injection Information Leakage Input validation Error handling

XSS is still XSS cgi.escape() required

XSS impact on the cloud Code running in appspot.com domain Standard XSS exploits Steal cookies Deface pages Serve exploits to vuln browsers Portscan internal network No GoogValidateRequest?!?

XSS Filters IE 8 XSS Filter Detects JavaScript in URL and HTTP POST requests. Sanitizes the original request

Access Controls - Forceful Browsing Not Mapped Mapped Handler Misses

Access Controls - Internal URL s Task Queues & Scheduled Tasks Use app URL s to invoke action Opens the door for abuse by an attacker

Access Controls - Datastore Data access controls still need to be enforced Id=2 Id=4 Id=283 Query Datastore through remote API (REST) Potential access to privileged info CSRF

GQL Injection Google Example: Greeting.gql("WHERE author = :author ORDER BY date DESC, author=users.get_current_user()) greetings = db.gqlquery("select * FROM Greeting WHERE content = '" + self.request.get('searchstr') + "'")

GQL Injection Does not appear to be possible Further research required

Fingerprinting GAE sites

Summary Cloud Technologies Business s starting to experiment Varied definition, services, and providers Hottest buzzword of 09 Potential Legal and compliance issues GAE Provides infrastructure & platform Currently Preview release 30 second response limit Doesn t seem ready for Enterprise usage

Questions

jrose@trustwave.com

2026 © DocPlayer.net Privacy Policy | Terms of Service | Feedback  | Do Not Sell My Personal Information