Saturday, February 8, 2014

Business Logic, Session and Crypto – Security Controls

Business Logic Handling

Business logic is core of any application; if any loophole in business logic is identified by an attacker then it can lead to sever set of vulnerabilities. Logical handling with input validation can prove a dangerous cocktail. Business logic vulnerabilities are hard to identify and needs good understanding of source code. Logical decision making blocks are usually suspects for this range of vulnerabilities. Some common logical issues in the source are as follows
1.) Data type bypass
2.) ACLs manipulation
3.) Read/Write access
4.) Privilege escalation on application layer
5.) API abuse
6.) Cross Domain Call and API manipulation
7.) Client Side Logic reverse engineering
We have seen as lower hanging fruits (LHF) are getting exhausted on the application, hackers move on to find something else and logical vulnerabilities is one of the crucial domain they would like to hack in. Lot of secure coding measures is required to protect the application with respect to business logic bugs and vulnerabilities.

Session and Identity Handling

Session management and unique identity handling are very important aspect of web applications. Web applications runs on HTTP protocol and one of the fundamental limitations of this protocol is its non-statefulness. HTTP can not maintain state of network and over period several different mechanisms are developed like URL rewriting or cookie based access. If there is a loophole in session management then it can lead to key vulnerability which can be exploited to gain unauthorized access on the system. Here is a list of possible issues
1.) Session hijacking by eavesdropping
2.) Man in the middle attack
3.) Poor session identifier generation
4.) Browser hacks like XSS to gain cookies
5.) Predictable session identifier
6.) Session bypass and access
7.) Cookie scope and time abuse
8.) Abusing URL rewriting
9.) Local session storing access
Session handling is closely linked to both authentication and authorization layer as well. It can be complex in nature as well when comes to deployment. It is becoming increasingly interesting with Web 2.0 applications and lot of session management required for various different streams as well.

Crypto and secret handling

Cryptographic usage is another important aspect of modern day’s applications. Application needs to keep certain data and information very secret. Many times application data get used by internal users as well and it should not be accessible in clear text either. Application’s crypto usage need to be evaluated thoroughly as well and some of the vulnerabilities or weak area are as follows in this particular domain,
1.) Poor key generation
2.) Database fields are not well encrypted (password, social security number etc.)
3.) Poor encryption (customized)
4.) Checksum spoofing
5.) Some secrets in source code itself
6.) Configuration file containing secrets
7.) Secret getting revealed in error message or some other means
Source code assessment can help in identifying any weak area in crypto and managing secret. This domain is another very critical area of application.