Stopping Business Logic Attacks: Why a WAF is no Longer Enough – Karl Triebes – ASW #255
Full Audio
View Show IndexSegments
1. Stopping Business Logic Attacks: Why a WAF is no Longer Enough – Karl Triebes – ASW #255
The majority of attacks are now automated, with a growing number of attacks targeting business logic via APIs, which is unique to every organization. This shift makes traditional signature-based defenses insufficient to stop targeted business logic attacks on their own. In this discussion, Karl Triebes shares how flaws in business logic design can leave applications and APIs open to attack and what tools organizations need to effectively mitigate these threats.
This segment is sponsored by Imperva. Visit https://securityweekly.com/imperva to learn more about them!
Announcements
Security Weekly listeners: InfoSec World 2023 is just weeks away! Have you registered to join over 2,500 cybersecurity experts on September 25-27 in Lake Buena Vista, FL? InfoSec World is your gateway to a world of knowledge and growth. Don't miss the chance to enhance your career, connect with industry leaders, and make an impact on the rapidly evolving landscape.
Secure your seat using code ISW23-SECWEEK20 to save 20% off your registration. Register today: securityweekly.com/infosecworld2023
Guest
For over three decades, Karl Triebes has helped conceive and build products, services, and businesses for networking, application software, storage, and cloud. At Imperva, he leads product management for the Application Security business unit, driving product innovation for customers. Prior, he was Executive Vice President of Product Development and CTO at F5. Triebes has also held senior leadership positions with Amazon Web Services, Foundry Networks, and Alcatel.
Hosts
2. Azure’s Eight XSS Vulns, CNCF’s Two Security Audits, CISA’s OSS Roadmap, Repojacking – ASW #255
A slew of XSS in Azure's HDInsights, CNCF releases fuzzing and security audits on Kyverno and Dragonfly2, CISA shares a roadmap for security open source software, race conditions and repojacking in GitHub, and more!
Announcements
Join us at SC Media’s Investing in IAM eSummit September 19th through 20th. This two-day virtual event will provide insights from industry experts with a deep dive into identity and access management. Register now for this free event where you will gain cybersecurity knowledge and receive 6.5 CPE credits just for attending!
Register today: securityweekly.com/IAM
Hosts
- 1. Azure HDInsight Riddled With XSS Vulnerabilities via Apache Services
I always say I find XSS boring and then I end up including the occasional article that references it. In this case, there's a slew of XSS vulns in Azure's collection of open source tools for analytics under its HDInsights feature.
It's a good article, with a clear explanation of the services involved and the vulns discovered. One quibble I have is with the characterization of XSS as an input validation issue. That's a common framing of the problem -- even the OWASP Top 10 list does it. But I always see XSS as an issue with rendering the output safely for its destination context. You can accept whatever input you want, whether its characters used in HTML or not. You just have to escape them properly when they're rendered. Move the security check to where it's most relevant and is best handled.
Bringing the topic back to the article, it's quite surprising and disappointing that XSS would be present in a modern app, especially for as simple a payload as an image error handler.
- 2. 38TB of data accidentally exposed by Microsoft AI researchers
"Microsoft’s AI research team, while publishing a bucket of open-source training data on GitHub, accidentally exposed 38 terabytes of additional private data — including a disk backup of two employees’ workstations."
In other words, this is exactly the sort of data leakage warned about in AI adoption -- and it's about the most spectacular way to do so in terms of amount of data and sensitivity of data. One of those backups included secrets, private keys, and passwords
- 3. Persistent Threat: New Exploit Puts Thousands of GitHub Repositories and Millions of Users at Risk
Mentioning this because it highlights race conditions, which sounds like that'll be the theme of web app security conferences and vuln disclosures for the next year or two -- and I say that with affection! It's nice to see the generic "business logic" flaw be decomposed into more interesting examples and types.
We've also talked previously about the research from James Kettle on race conditions in web apps.
- 4. Dragonfly completes security audit!
I enjoy reading security audits for a few reasons. One, it's interesting to see what types of issues are being identified and if any of the techniques seem new. Two, how results are presented in terms of a focus on implementation errors or underlying design flaws. Three, hints of the testing techniques and scenarios used in the test. It's that last item that can add to appsec education, but it's also the item that mostly commonly missing or superficial. This report doesn't go into much detail, but it has a short list of project goals that can serve as seeds for threat modeling and it references fuzzing quite a bit.
On the specific findings, it seems surprising that the file access isn't in a sandbox at all, which was part of the reason the researchers could execute arbitrary file read and write. I also appreciated that, even though they didn't find an explicit flaw, they pointed out the risks of relying on regexes and string methods to parse URLs -- regexes and parsing and fraught with danger.
- 5. Kyverno Completes Fuzzing Security Audit
Another report from the CNCF, this time coming Kyverno. (We also mention CNCF's Dragonfly2 security audit this episode.)
I like that the intent of this work isn't to fuzz and forget, it's to demonstrate integrating fuzzing within the project and putting it on a path to be able to fuzz on a continuous basis with large coverage. It also shows that saying, "Use a fuzzer" comes with a lot of unmentioned development overhead.
- 6. CISA Open Source Software Security Roadmap
CISA lays out the important of open source software (OSS), including the need to better quantify just how important and prevalent it is.
It's a relatively brief doc with two goals that should resonate with a lot of orgs looking to improve security: visibility and hardening.
I'm curious about objective 2.2. -- "Develop a Framework for OSS Risk Prioritization" -- and how CVSS, exploitability, and other approaches to describing impacts and risks will play into it.
I'm very curious about objective 4.2. -- "Foster Security Education for Open Source Developers -- since security education is a topic we revisit often. I really hope it goes far, far beyond reciting entries from a top 10 list.
There's also objective 4.3 about publishing guidance on best practices. That's another one that I hope turns more towards design principles and away from hardening guides.
- 7. End of servicing plan for third-party printer drivers on Windows
This is a nice reduction in attack surface, but wow does it take a long time to deprecate major features...
- 8. OWASP Top 10 API Security Risks – 2023
The latest top 10 for APIs is here. We talked about lots of top 10 lists back in episode 242.
Not going to rehash much of that episode here. So, here's the list of API security things. Three of them are broken authorization, another is "unrestricted access" -- which sounds like a way to have a fourth broken authorization entry.
- 9. FYI: OWASP 2023 Global Board Elections
The OWASP Global Board elections are coming up. If you're a member, or wish to be a member and influence the org's direction, check out the timeline and candidates.
- 1. Heap buffer overflow in WebP
For the amount of patching and rebooting over the last week, there's not a lot of (public) info out there on this issue: The libwebp project had a heap overflow vulnerabiilty which reportedly was being exploited in the wild. A look at the fix (below) is a good example of sometimes it's not quite as simple as checking bounds...
https://github.com/webmproject/libwebp/commit/902bc9190331343b2017211debcec8d2ab87e17a
- 2. WiFi5 beamforming info allows stealing numerical wifi passwords
This is a cute information disclosure vulnerability: In short, due to how antennas are positioned in many mobile devices, the signal seems to be attenuated as a user types on the device's screen. The information about the quality of this signal is used by WiFi beam forming to determine the best way to communicate between the mobile device and access point - and is transmitted to the WiFi access point in plaintext.
Researchers have figured out how to use the variations in that signal quality to recognize numerical passwords with up to 90% accuracy.
For a "named attack," These guys did a horrible job on the SEO. I keep getting search results for rappers and video games.