Upgrade to Pro — share decks privately, control downloads, hide ads and more …

Prevent business logic attacks using dynamic in...

Prevent business logic attacks using dynamic instrumentation

Presented by Jean-Baptiste Aviat at SysadminDays #8 (https://sysadmindays.fr)

Renaud Chaput

October 19, 2018
Tweet

More Decks by Renaud Chaput

Other Decks in Programming

Transcript

  1. WAF

  2. function generate_user_token(user_id) { ... track(‘user_token’) } function reset_password(email) { ...

    track(‘reset_password’) } 1 2 3 4 1 2 3 4 function login(email, password) { ... track(‘login’) } 1 2 3 4
  3. if (rate(user_token_gen) is unusual) { respond: lock_user_account alert: send_webhook }

    1 2 3 4 if (count(user_impersonation) is above 10 over last 1 minute) { respond: raise_exception, block_ip in reverse proxy alert: call_pager } 1 2 3 4
  4. 23 def override_instance_method(klass_name, meth, hook) saved_meth_name = "#{meth}_saved" new_method =

    "#{meth}_modified".to_sym klass_name.class_eval do alias_method saved_meth_name, meth define_method(new_method, hook) end alias_method meth, new_method end 1 2 3 4 5 6 7 8 9 10 11 12 In Ruby
  5. Retrieve all the context you need • Authenticated user •

    Custom business information • Custom code / framework information • Any HTTP value • Previous service called • Spanning information
  6. [ { "class": "User", "method": "token_generation", "event_name": "user_token_generation", "custom_properties": {

    "impersonated": "@impersonated" } }, { "class": "User", "method": "impersonation", "event_name": "user_impersonation" } ] instrumentation.json 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 How could this work?
  7. Analyze • The volume of calls • The successive actions

    performed by a given user (or IP) • Detect unusual activity • Anomalies in volume, proportions • Check logic flows
  8. • Deny access to sensitive functions • Deny access to

    a whole service • Set account “read only” • Lock a user account • Log a user out • Trigger a pager • Fire a webhook • Create a ticket • … Respond
  9. How to solve it Record business logic actions (down to

    the code) Define rules to detect a vulnerability exploitation Trigger security responses to be applied (a)Impersonate a user (b) Generate a token User is calling (impersonation) too much OR
 user is calling (generate_token) too much Lock the user AND Tag the user for review
  10. 33

  11. Event Stream Processing & analysis Respond: Lock User View as

    Video uploader User Token Management instru- mentation .json