detectify SECURITY FOR DEVELOPERS detectify

How to steal and modify data using Business Logic flaws - Insecure Direct Object References


Remember the AT&T Hack? #freeweev

…or how about the Apple Developer site incident? #down4maint

What do they have in common?

IDOR #wth?

Frans Rosén @fransrosen

#hacktheplanet

Co-founder #daytime

Hacked a few #nighttime

0x09 in Google Hall of Fame
www.google.com/about/appsecurity/hall-of-fame/

…a few more #uhere?

aaand a few more #sorry

What does it mean? #owasp4

“A direct object reference occurs when a developer exposes a reference to an internal implementation object, such as a file, directory, or database key. Without an access control check or other protection, attackers can manipulate these references to access unauthorized data.”

I - Insecure
D - Direct
O - Object
R - Reference

Exposing a reference to an internal object, such as a file, directory, or database key, without a proper access control check, so that data the user is not authorized for can be read or modified.

Eye-ball the URL #waitisover

Ouch.

Update a user #totallylegit

Ouch.

Business Impact #obvious

• Keys, passwords
• Credit card data
• User information / email
• Invoices / billing data

Business Impact #notsoobvious

Numeric IDs for order receipts: the difference between “Not found” and “No access” tells you which receipt IDs exist.

Poll the highest existing ID every day and you get the shop's order volume. Analytics for free. $$$
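The "Not found" vs "No access" oracle from this slide, as an added simulation that is not part of the original deck. The server classes are constructed stand-ins for a shop backend (the sequential receipt counter, the owner rule and the three daily snapshot values are assumptions); the probe only ever distinguishes 404 from anything else, which is all the vulnerable server gives away.

```python
"""Added example (not from the slides): how a 'Not found' vs 'No access' oracle
on sequential receipt IDs turns into daily order analytics.

The server classes below are constructed stand-ins for a shop backend; the
receipt counts and the owner rule are assumptions made for the simulation."""


class VulnerableReceiptServer:
    """Constructed shop backend (assumption): receipt IDs are issued
    sequentially, a missing ID answers 404 and someone else's receipt 403."""

    def __init__(self, receipts_issued):
        self.receipts_issued = receipts_issued  # highest receipt ID so far
        self.requests = 0                       # probes seen, for cost accounting

    def owner_of(self, receipt_id):
        return receipt_id % 1000                # assumed owner rule

    def view(self, user_id, receipt_id):
        self.requests += 1
        if receipt_id < 1 or receipt_id > self.receipts_issued:
            return 404                          # "Object does not exist"
        if self.owner_of(receipt_id) != user_id:
            return 403                          # "No access to this object"
        return 200


class HardenedReceiptServer(VulnerableReceiptServer):
    """Same backend, but 'not yours' is answered exactly like 'does not exist',
    so the probe below learns nothing beyond the attacker's own receipts."""

    def view(self, user_id, receipt_id):
        status = super().view(user_id, receipt_id)
        return 404 if status == 403 else status


def receipt_exists(server, user_id, receipt_id):
    """Anything but 404 confirms the ID is in use, whoever owns it."""
    return server.view(user_id, receipt_id) != 404


def highest_receipt_id(server, user_id):
    """Find the largest receipt ID in use: exponential probing to bracket it,
    then binary search. Costs about 2*log2(N) requests instead of N."""
    lo, hi = 0, 1
    while receipt_exists(server, user_id, hi):
        lo, hi = hi, hi * 2
    # invariant: lo is in use (or 0), hi is not
    while hi - lo > 1:
        mid = (lo + hi) // 2
        if receipt_exists(server, user_id, mid):
            lo = mid
        else:
            hi = mid
    return lo


def orders_per_day(readings):
    """Daily difference of the highest ID = receipts issued that day."""
    return [today - yesterday for yesterday, today in zip(readings, readings[1:])]


def run_simulation(server_class, daily_totals, attacker_id=7):
    """Poll once per 'day'. Returns (highest ID seen each day, orders per day,
    requests spent per day). daily_totals are constructed snapshots of the
    shop's true receipt counter."""
    server = server_class(receipts_issued=0)
    readings, cost = [], []
    for total in daily_totals:
        server.receipts_issued = total
        server.requests = 0
        readings.append(highest_receipt_id(server, attacker_id))
        cost.append(server.requests)
    return readings, orders_per_day(readings), cost


if __name__ == "__main__":
    snapshots = (48213, 48690, 49201)  # constructed: three daily snapshots
    for cls in (VulnerableReceiptServer, HardenedReceiptServer):
        seen, per_day, cost = run_simulation(cls, snapshots)
        print(cls.__name__, seen, per_day, cost)
```

Against the vulnerable server the probe needs about 32 requests per day to recover the exact receipt counter, which is also the detection angle: a single account touching a handful of receipt IDs spread from 1 to 65536, all of them answered 403 or 404, is a pattern worth alerting on. Against the hardened server every foreign ID looks like a missing one and the probe returns 0, though a real fix is the generic access model on the "Doing it right" slides rather than only collapsing the error codes.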

Business Impact #notsoobvious

Numeric IDs for email invites = spam.

Found by d4d1a179c0f3: https://hackerone.com/reports/1533

Business Impact #evenworse

Change the delivery address of an order.

Deleting another user’s information.

Reclaiming other users’ data. Gift certificates anyone?

Are you fully protected?

Why so few? #ohnoez

1. No secure access model.

“User X should only have access to A”

“User X that has access to A should only have access to B”

and so on…

Why so few? #ohnoez

2. Numeric IDs.

Enumerable/sequential. Decrease the value by 1 and try.

Easy to test. Easy to attack.

Why so few? #ohnoez

3. Error messages show and tell.

“User X cannot view object owned by User Y”

“No access to this object”

“Object does not exist”

Why so few? #ohnoez

4. Inconsistent ID sources.

/receipt/view/434

/receipt/?view=434

POST /receipt/view/ HTTP/1.1
receipt=434

Why so few? #ohnoez

5. Lack of proper code review.

How to automate this?

Examples! #bringpopcorn

Example – Twitter

Credit card deletion from other users.

Sequential IDs when deleting cards.

Bounty $2,800

Found by secgeek (Ahmed Aboul-Ela): https://hackerone.com/reports/27404

Example – Oculus

RCE through IDOR.

Sequential IDs when updating users.

Bounty in total $25,000

Found by Bitquark (Jon): https://bitquark.co.uk/blog/2014/08/31/popping_a_shell_on_the_oculus_developer_portal

Example – Square

Update other users / get user info.

IDs as hashes, but visible using Google.

No check whether the user was in another company.

Bounty $3,000

https://hackerone.com/reports/23126

Example – Zapier

Get log history from other users’ Zaps.

Contained sensitive information such as OAuth tokens / credentials.

No access control for log entries.

Bounty $3,000

https://zapier.com/engineering/bug-bounty-program/

Example – getClouder

Remove Cloud Scaling for other users.

No check whether the user owned the Cloud Scaling setting.

Bounty $200

Example – WordPress

Get all users on a WordPress site.

.com/?author=1

WONTFIX by WordPress

http://hackertarget.com/wordpress-user-enumeration/

Doing it right. #anyoneoutthere?

Doing it right. #hellyeh

1. User ID in session or token.

/user/view/me
/user/transactions

Doing it right. #hellyeh

2. Make a generic access model and stick to it.

    function get($type, $id) {
        // check access for all objects
    }

    $user->get('transaction', $id); // if not owned by user, then error

Doing it right. #hellyeh

3. Access model in routes or controllers.

Stick to it! Easy to miss.
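The three "Doing it right" points above (user ID from the session, one generic access check, applied in every route) written out as an added example in Python, not the deck's own PHP sketch. It also closes the "error messages show and tell" and "inconsistent ID sources" gaps from the "Why so few?" slides: denial and non-existence raise the same error, and a receipt ID from the path, the query string or the POST body all reach the same check. STORE, OWNER_FIELD, the object types and the rows in them are constructed stand-ins for a database and are assumptions made for the illustration.

```python
"""Added example (not from the slides): one generic access check that every
object read, update and delete goes through, regardless of where the ID came
from. STORE is a constructed in-memory stand-in for the database; the object
types and rows are assumptions made for the illustration."""


class NotFound(Exception):
    """One error for both 'does not exist' and 'not yours': the response must
    not reveal which it was."""


class Session:
    """Server-side session: the user ID comes from here, never from the request."""

    def __init__(self, user_id):
        self.user_id = user_id


# Constructed data. Every object type names the column that holds its owner.
OWNER_FIELD = {"transaction": "owner_id", "receipt": "owner_id", "card": "owner_id"}
STORE = {
    "transaction": {1: {"id": 1, "owner_id": 10, "amount": 120},
                    2: {"id": 2, "owner_id": 11, "amount": 9999}},
    "receipt": {434: {"id": 434, "owner_id": 11, "total": 42}},
    "card": {5: {"id": 5, "owner_id": 10, "last4": "4242"}},
}


def get_vulnerable(object_type, object_id):
    """The pattern behind every example above: look the row up by ID and
    return it. Nothing asks who is making the request."""
    return STORE[object_type][int(object_id)]


def get(session, object_type, object_id):
    """Generic access model: resolve the row and require ownership, with the
    same NotFound for unknown type, non-numeric ID, missing row and wrong owner."""
    if object_type not in OWNER_FIELD:
        raise NotFound
    try:
        oid = int(object_id)
    except (TypeError, ValueError):
        raise NotFound
    row = STORE.get(object_type, {}).get(oid)
    if row is None or row[OWNER_FIELD[object_type]] != session.user_id:
        raise NotFound
    return row


def delete(session, object_type, object_id):
    """Writes reuse the same check; deleting someone else's card is the
    Twitter case above."""
    row = get(session, object_type, object_id)
    del STORE[object_type][row["id"]]
    return True


def view_receipt(session, path_id=None, query=None, form=None):
    """Route handler accepting the ID from the path, the query string or the
    POST body. All three ways in end at the same get()."""
    candidates = (path_id, (query or {}).get("view"), (form or {}).get("receipt"))
    object_id = next((c for c in candidates if c is not None), None)
    return get(session, "receipt", object_id)


def safe_get(session, object_type, object_id):
    """Helper for the demo: None instead of an exception on denial."""
    try:
        return get(session, object_type, object_id)
    except NotFound:
        return None


if __name__ == "__main__":
    alice, mallory = Session(11), Session(10)
    print(get_vulnerable("transaction", 2)["amount"])        # mallory reads alice's row
    print(safe_get(mallory, "transaction", 2))               # None: denied
    print(safe_get(mallory, "transaction", 999))             # None: looks identical
    print(view_receipt(alice, form={"receipt": "434"})["total"])
```

The point of the `OWNER_FIELD` table is that adding a new object type means adding one line there, not remembering to write a fresh ownership check in every controller that touches it; a code review can then reduce to grepping for direct `STORE[...]` (or raw query) access that bypasses `get()`.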

Doing it right. #hellyeh

4. Code review. Don’t miss this.

Quick repetition #eatsleepraverepeat

1. IDORs are bad. Easy to exploit. Easy to find.

2. Being actively exploited as we speak. Worth €€€

3. Generic access model.

4. Numeric IDs vs hashes.

5. Review your code.

THAT’S ALL FOLKS!

Questions?

by Frans Rosén (@fransrosen)

www.detectify.com