Impact of sensitive information sent to Analytics in modern world applications


Background:

Application analytics is becoming a very important aspect from a business standpoint across companies and ventures. It is even more important for consumer-centric sites such as eCommerce sites, portals, mobile apps, etc. Analytics servers are usually owned by a third party; the application owner integrates the vendor's code, which forces the browser session to push some data cross-domain to those servers.

Problem Domain:

Take this example: an application running an eCommerce portal has implemented third-party analytics services, as shown in Figure 1. The server is well guarded by a firewall, and secure coding practices have been applied to the major components across the application. The portal uses an analytics service that is integrated through JavaScript, which needs to be included across various sets of pages.

Figure 1 – Analytics Deployment for Target Application


This type of scenario brings some unique threats if the application's integration with the analytics server is not done securely. Here is the list of issues we have observed during our consulting engagements.

  • Developers may have blindly integrated the code on every page, so the links or visited URLs go to the analytics server for analysis. That includes pages such as forgot password, reset password, SSO, etc., all of which have URLs carrying sensitive tokens. These tokens can end up providing access to the site, and user sessions can be compromised. This is one of the major threats we have observed across many applications.
  • The analytics server runs over a non-SSL channel, which may end up exposing traffic and certain sensitive information.
  • In certain cases the JavaScript implementation code of the third-party component has DOM-based XSS and open redirect types of vulnerabilities, which can be exploited.
  • The analytics server runs with certain open ports and, in very few cases, can be compromised.

Conclusion

It is imperative to evaluate analytics code and its integration from a development standpoint. The code should be analyzed for vulnerabilities, and it should be integrated into selected pages only. There is no point in integrating it on all pages, since that may end up sending sensitive tokens to the analytics server. Also, the deployment of the analytics server, including its open ports, security posture and communication channel, should be carefully evaluated.
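
One way to apply the "selected pages only" advice on the client side, as an added example that is not part of the original article or any vendor's code. The excluded paths, parameter names and collector URL are assumptions made up for illustration.

```javascript
// Added example: paths, parameter names and endpoint are hypothetical.
const EXCLUDED_PATHS = [/^\/forgot-password/, /^\/reset-password/, /^\/sso\//];
const SENSITIVE_PARAMS = /^(token|reset_token|sso_ticket|session|sid|auth|code|key)$/i;
const ANALYTICS_ENDPOINT = "https://analytics.example.com/collect";

// Returns the URL that may be reported, or null when the page must not be tracked.
function sanitizeForAnalytics(pageUrl) {
  const url = new URL(pageUrl);
  if (EXCLUDED_PATHS.some((re) => re.test(url.pathname))) return null;
  for (const name of [...url.searchParams.keys()]) {
    if (SENSITIVE_PARAMS.test(name)) url.searchParams.delete(name);
  }
  url.hash = "";      // fragments can carry tokens as well
  url.username = "";  // drop any credentials embedded in the URL
  url.password = "";
  return url.toString();
}

// Builds the beacon payload and refuses a collector that is not served over HTTPS.
function buildBeacon(pageUrl, referrer, endpoint = ANALYTICS_ENDPOINT) {
  if (new URL(endpoint).protocol !== "https:") {
    throw new Error("analytics endpoint must use HTTPS");
  }
  const page = sanitizeForAnalytics(pageUrl);
  if (page === null) return null; // sensitive page: send nothing at all
  const body = { page };
  // The referrer leaks the previous URL, so it goes through the same filter.
  const ref = referrer ? sanitizeForAnalytics(referrer) : null;
  if (ref !== null) body.referrer = ref;
  return { endpoint, body: JSON.stringify(body) };
}
```

The referrer is filtered too because a user who arrives from a reset or SSO page would otherwise report that page's tokenized URL from the next, tracked page.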


Authentication and Authorization Security Controls – Code Analysis

Authentication

Applications run on the server and usually serve browsers. Application authentication is form based and done over HTTP. There are several layers involved in the authentication process, and each layer should have its own security protections. Several different authentication mechanisms are available to applications, such as NTLM, Basic, Digest, HTML form based, LDAP, certificate based, etc. Authentication has two aspects in a web-based application: one is authenticating the user, and the second is making a tunnel or channel for the authenticated user, since HTTP itself is a stateless protocol. Various authentication controls help in protecting the application, and if any of the controls is missing or poorly written, it opens up a severe vulnerability in the application. Here is a list of possible issues or vulnerabilities:
1.) Authentication disclosing sensitive information
2.) Not having auditing on the authentication
3.) No user lockdown policy in place
4.) Authentication bypass (SQL / LDAP interface)
5.) Password strength is poor
6.) No deployment of CAPTCHA or similar identification product
7.) Credentials are not securely transmitted
8.) Credentials are stored on client side which can be retrieved
9.) Authentication token or cookies are not well crafted
10.) Single Sign On (SSO) can be abused
11.) Deliberate backdoors are created
12.) Hidden fields and information exposure
Authentication controls are part of the application code, and it is imperative to analyze the full mechanism in detail. Reviewing this layer of code can help in identifying possible loopholes. Authentication is very critical for sensitive and transaction-based sites like banking, trading or mailing systems. An attacker who bypasses authentication can take hold of the full session and gets the opportunity to advance the attack from there. Over the years we have seen the following popular attack vectors:
1.) Brute forcing
2.) Cookie theft and replay
3.) Authentication injections with SQL/LDAP
4.) Network eavesdropping and malicious codes
5.) Dictionary attacks
6.) Exploiting backdoors
7.) Hidden data manipulation
8.) Local store and information theft
The above attack vectors can help in exploiting the application, and these attacks are easy to carry out using different frameworks. Source code can be written in the most secure fashion to protect against the above attacks.
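
A sketch of three of the controls listed above (no information disclosure in the response, auditing, and a user lockdown policy) in one login routine. This is an added example, not code from the original article; the thresholds and the `verify` callback that checks credentials are assumptions.

```javascript
// Added example. MAX_FAILURES, LOCK_MS and verify() are assumed for illustration.
const MAX_FAILURES = 5;
const LOCK_MS = 15 * 60 * 1000;

function createAuthenticator(verify, now = () => Date.now()) {
  const failures = new Map(); // username -> { count, lockedUntil }
  const auditLog = [];        // every attempt is recorded, success or not

  function audit(event, user) {
    auditLog.push({ time: now(), event, user });
  }

  function login(user, password) {
    // One message for unknown user, wrong password and locked account,
    // so the response does not reveal which of the three occurred.
    const generic = { ok: false, message: "Invalid username or password" };
    const state = failures.get(user) || { count: 0, lockedUntil: 0 };
    if (state.lockedUntil > now()) {
      audit("login_rejected_locked", user);
      return generic; // credentials are not even checked while locked
    }
    if (verify(user, password)) {
      failures.delete(user);
      audit("login_success", user);
      return { ok: true, message: "Welcome" };
    }
    state.count += 1;
    if (state.count >= MAX_FAILURES) {
      state.lockedUntil = now() + LOCK_MS;
      state.count = 0;
      audit("account_locked", user);
    } else {
      audit("login_failure", user);
    }
    failures.set(user, state);
    return generic;
  }

  return { login, auditLog };
}
```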

Authorization

Once a user is authenticated, the next thing is to maintain authorization throughout the application. Authorization in the application is maintained using proper access control lists (ACLs). The application runs on HTTP, and since it is a stateless protocol, session tokens are required to maintain authorization. There are several issues which can make the entire application weak from an authorization perspective and can lead to an exploitable security vulnerability. Here are the possible weak areas in the application for authorization:
1.) Session tokens are insecure
2.) Weak authorization mechanism
3.) Client side tampering and manipulation possible
4.) Possible data and SQL injections
5.) Access to system level bypass
6.) Single place authorization bypass
7.) URL forcing and manipulation
8.) Guessable resources and access
9.) Role-based bypass exploitation and weakness
The above weaknesses open up several different sets of vulnerabilities. These vulnerabilities can give access to various resources and open up a larger attack surface. An attacker or hacker can launch various attacks and exploits against the target application. Here is a list of popular attack vectors:
1.) Elevation of privilege
2.) Confidential data leakage
3.) Data tampering
4.) Session hijacking
5.) Session token exploitation
6.) Authorization injections
7.) URL bruteforcing
8.) Client-side reverse engineering and exploits
The above attacks are very popular against applications with respect to authorization. One needs to analyze the logic in detail to detect authorization-based vulnerabilities.
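
The kind of logic a reviewer looks for when checking for client-side tampering, URL forcing and role-based bypass: one server-side check, deny by default, with the role taken from the session rather than the request. This is an added example, not code from the original article; the routes, roles and session table are assumptions.

```javascript
// Added example. Routes, roles and the in-memory session table are hypothetical.
const ACL = [
  { prefix: "/admin/", roles: ["admin"] },
  { prefix: "/orders/", roles: ["admin", "customer"] },
  { prefix: "/public/", roles: ["admin", "customer", "anonymous"] },
];
const SESSIONS = new Map([
  ["s-1001", { user: "alice", role: "customer" }],
  ["s-1002", { user: "root", role: "admin" }],
]);

// Decode and resolve "." and ".." before matching, so the ACL sees the same
// path the handler will serve. Returns null for input that cannot be trusted.
function normalizePath(rawPath) {
  let path;
  try { path = decodeURIComponent(rawPath); } catch { return null; }
  if (path.includes("\0") || path.includes("\\")) return null;
  const out = [];
  for (const seg of path.split("/")) {
    if (seg === "" || seg === ".") continue;
    if (seg === "..") { out.pop(); continue; }
    out.push(seg);
  }
  return "/" + out.join("/");
}

// Single decision point: anything without a matching rule is denied.
function authorize(request) {
  const path = normalizePath(request.path);
  if (path === null) return false;
  // The role comes from the server-side session; request.role is never read.
  const session = SESSIONS.get(request.sessionId);
  const role = session ? session.role : "anonymous";
  const rule = ACL.find((r) => (path + "/").startsWith(r.prefix));
  return rule !== undefined && rule.roles.includes(role);
}
```

The check covers route-level access only; whether a given order belongs to the requesting user still has to be verified where the record is loaded.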