Post-mortem: What I learned from getting hacked.
Open Web Application Security Project (OWASP), is a non-profit international organization that helps provide guidelines and educational resources that are both open to the public, and meant to lead developers and companies into producing secure code.
The OWASP top 10 is a list of the most common and important web vulnerabilities found in web apps. After hearing our instructors make the case for the imperative use of safe params in our rails app when building forms, it is no surprise that the infamous SQL injections (A1-injections) top the list! The remainder of the list as featured below was acquired from the OWASP site. This article will focus on issues with two of the 10 vulnerabilities.
A1-Injection: Injection flaws, such as SQL, OS, and LDAP injection occur when untrusted data is sent to an interpreter as part of a command or query. The attacker’s hostile data can trick the interpreter into executing unintended commands or accessing data without proper authorization.
A2-Broken Authentication and Session Management: Application functions related to authentication and session management are often not implemented correctly, allowing attackers to compromise passwords, keys, or session tokens, or to exploit other implementation flaws to assume other users’ identities.
A3-Cross-Site Scripting (XSS): XSS flaws occur whenever an application takes untrusted data and sends it to a web browser without proper validation or escaping. XSS allows attackers to execute scripts in the victim’s browser which can hijack user sessions, deface web sites, or redirect the user to malicious sites.
A4-Insecure Direct Object References: A direct object reference occurs when a developer exposes a reference to an internal implementation object, such as a file, directory, or database key. Without an access control check or other protection, attackers can manipulate these references to access unauthorized data.
A5-Security Misconfiguration: Good security requires having a secure configuration defined and deployed for the application, frameworks, application server, web server, database server, and platform. Secure settings should be defined, implemented, and maintained, as defaults are often insecure. Additionally, software should be kept up to date.
A6-Sensitive Data Exposure: Many web applications do not properly protect sensitive data, such as credit cards, tax IDs, and authentication credentials. Attackers may steal or modify such weakly protected data to conduct credit card fraud, identity theft, or other crimes. Sensitive data deserves extra protection such as encryption at rest or in transit, as well as special precautions when exchanged with the browser.
A7-Missing Function Level Access Control: Most web applications verify function level access rights before making that functionality visible in the UI. However, applications need to perform the same access control checks on the server when each function is accessed. If requests are not verified, attackers will be able to forge requests in order to access functionality without proper authorization.
A8-Cross-Site Request Forgery (CSRF): A CSRF attack forces a logged-on victim’s browser to send a forged HTTP request, including the victim’s session cookie and any other automatically included authentication information, to a vulnerable web application. This allows the attacker to force the victim’s browser to generate requests the vulnerable application thinks are legitimate requests from the victim.
A9-Using Components with Known Vulnerabilities: Components, such as libraries, frameworks, and other software modules, almost always run with full privileges. If a vulnerable component is exploited, such an attack can facilitate serious data loss or server takeover. Applications using components with known vulnerabilities may undermine application defenses and enable a range of possible attacks and impacts.
A10-Unvalidated Redirects and Forwards: Web applications frequently redirect and forward users to other pages and websites, and use untrusted data to determine the destination pages. Without proper validation, attackers can redirect victims to phishing or malware sites, or use forwards to access unauthorized pages.
Speaking beyond SQL injections now, the MTA alerts web app that my teammates and I built was hacked a couple of days ago within 3 minutes by an attacker. Two vulnerabilities were exploited: ”A-2 Broken Authentication and Session Management” and ”A-7 Missing Function Level Access Control.”
First, our A-2 problem was that by simply modifying the recipient id in the url, the unauthenticated attacker was able to view and modify other user’s settings . That’s a tad embarassing alright, but rather than crawling under a rock in shame, let’s pick at the code, and checkout some patches implemented by my teammate, Yonatan Miller.
You will see from the Github code snippets below, that the problem code is highlighted in red, and it’s corresponding patch is in green. For right now we will be actually referring to the actual commit logs on Github, since for some reason, Tumblr is not allowing me to post any more screen shots to this blog. Bear with me and my apologies in advance.
This link shows a modification to the application and pages controller. In the application controller, a before_filter callback is added to require the user to be authenticated. The recipient controller (2nd to last file) has been modified to redirect the user to the home page if current_user is not authorized to view a particular recipient. (We will worry about adding an alert message later letting them know they are not authorized).
https://github.com/Sammykhaleel/mta/commit/316580009c429b80c13d3647499e45365d38c3ce
Here in the link below are the parts of the recipient and alert contollers, which have been modified so access to alerts and recipient info can only be accessed if these are associated with current_user. The method, current_user is built-in to our authentication gem, Devise, and it refers to the user currently in session. The modification helps prevent a brute force attack on the URL.
https://github.com/Sammykhaleel/mta/commit/c2037f8b53882170c27633b65ae1da3c037a3c3b
Our A-7 exploit was that as a logged in user, the attacker was able to modify other user’s alerts in the database by entering an alert id number in the URL That was another big no no, which is now in part resolved by the code previously described. One more thing was added to the patch, and that was to incorporate rescue ActiveRecord::RecordNotFound and redirect_to root_path when an illegal attempt to gain access is encoutered. Here is the code. Focus on the green.
https://github.com/Sammykhaleel/mta/commit/6a7c02d1241c8ed7085fb4a30b4412dab23e7539
Despite the security shortcomings (on what is thankfully a barely used app), this experience has been good in directing efforts to explore general app security. In the process, I got to learn about how use ActiveRecord callbacks, and rescues using ActiveRecord error messages as tools for implementing patches.As a team, we also know to keep the security problems we discussed in mind for future projects. Lastly, it is great to be introduced to the OWASP, since it is a valuable resource to the developer community. I expect to become even more familiarized with the guidelines they provide as I work towards becoming a more cognizant developer. I suggest you all check them out too!