DevSecCon London 2018: Securing a web app: business security VS the OWASP top 10
1 like167 views
1) The document discusses securing web applications by focusing on business logic security rather than just the OWASP top 10. It presents an approach to monitor business logic functions and define rules to detect attacks. 2) The approach involves instrumenting business logic functions to generate event data, processing that event stream to analyze metrics like call volumes and user flows, and defining responses like locking accounts if unusual activity is detected. 3) A case study is presented on how this approach could have detected and responded to the recent Facebook hack by monitoring functions related to user impersonation and token generation and locking affected user accounts.
![[
{
"class": "User",
"method": "token_generation",
"event_name": "user_token_generation",
"custom_properties": {
"impersonated": "@impersonated"
}
},
{
"class": "User",
"method": "impersonation",
"event_name": "user_impersonation"
}
]
instrumentation.json
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
How could
this work?](https://image.slidesharecdn.com/jeanbaptisteavitslidesdevseccon-181024113453/85/DevSecCon-London-2018-Securing-a-web-app-business-security-VS-the-OWASP-top-10-27-320.jpg)
DevSecCon London 2018: Securing a web app: business security VS the OWASP top 10
- 1. Securing a web app: business security VS the OWASP top 10 By Jean-Baptiste Aviat LONDON 18-19 OCT 2018
- 2. Who am I? Jean-Baptiste Aviat CTO & CO-FOUNDER OF SQREEN.IO EX APPLE RED TEAM Email jb@sqreen.io Twitter @JbAviat
- 5. 5 2020’s
- 6. What is an attack against business logic?
- 8. WAF
- 11. How to do it in practice?
- 12. def track(event_name) Let’s define a function
- 13. function generate_user_token(user_id) { ... track(‘user_token’) } function reset_password(email) { ... track(‘reset_password’) } 1 2 3 4 1 2 3 4 function login(email, password) { ... track(‘login’) } 1 2 3 4
- 14. Event Stream
- 17. if (rate(user_token_gen) is unusual) { respond: lock_user_account alert: send_webhook } 1 2 3 4 if (count(user_impersonation) is above 10 over last 1 minute) { respond: raise_exception, block_ip in reverse proxy alert: call_pager } 1 2 3 4
- 19. How to do this at scale?
- 23. 23 def override_instance_method(klass_name, meth, hook) saved_meth_name = "#{meth}_saved" new_method = "#{meth}_modified".to_sym klass_name.class_eval do alias_method saved_meth_name, meth define_method(new_method, hook) end alias_method meth, new_method end 1 2 3 4 5 6 7 8 9 10 11 12 In Ruby
- 24. 24 Class<?> dynamicType = new ByteBuddy() .subclass(Object.class) .method(ElementMatchers.named("toString")) .intercept(FixedValue.value("Hello World!")) .make() .load(getClass().getClassLoader()) .getLoaded(); 1 2 3 4 5 6 7 In Java
- 25. Retrieve all the context you need • Authenticated user • Custom business information • Custom code / framework information • Any HTTP value • Previous service called • Spanning information
- 27. [ { "class": "User", "method": "token_generation", "event_name": "user_token_generation", "custom_properties": { "impersonated": "@impersonated" } }, { "class": "User", "method": "impersonation", "event_name": "user_impersonation" } ] instrumentation.json 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 How could this work?
- 28. Analyze • The volume of calls • The successive actions performed by a given user (or IP) • Detect unusual activity • Anomalies in volume, proportions • Check logic flows
- 29. • Deny access to sensitive functions • Deny access to a whole service • Set account “read only” • Lock a user account • Log a user out • Trigger a pager • Fire a webhook • Create a ticket • … Respond
- 31. View as Video uploader User Token Management
- 32. How to solve it Record business logic actions (down to the code) Define rules to detect a vulnerability exploitation Trigger security responses to be applied (a)Impersonate a user (b) Generate a token User is calling (impersonation) too much OR user is calling (generate_token) too much Lock the user AND Tag the user for review
- 33. 33
- 35. Event Stream Processing & analysis Respond: Lock UserView as Video uploader User Token Management instru- mentation .json
- 37. Questions?
- 38. Thank You! LONDON 18-19 OCT 2018