Threats are caused by a combination of defects!

Security testing is always rewarding: it yields many defects, and many examples for the trainer of a course. Sir Wilfred Grenfell once said:

“Real joy comes not from ease or riches or from the praise of men, but from doing something worthwhile.”

He said this while he was helping others with medical care, but the quotation also holds for me when I execute a security test, because the vulnerabilities you find often pose a real danger to the owner of the data: these vulnerabilities (defects) affect, for example, the availability.

In this post I want to describe how the combination of several defects can lead to huge problems for the owner of the application. The defects affect the confidentiality, integrity and availability of the application.

Sometimes finding security defects is very easy. Maybe you can imagine an “SQL Syntax Error message” like this one:

If you’re not aware of security, this error message is no more than a nuisance to you. But once you realize that the message was triggered by nothing more than a single quote (') typed into a search field, you have found an excellent entry point for SQL injection. What happens is that the single quote corrupts the syntax of the statement executed in the background. In other words, this happens when data and logic are joined together: these two must be kept separate, but here they are combined into one statement. Instead of executing the statement with the input as data, the database executes the data as if it were part of the statement.

This single defect is not a threat on its own, but if you combine it with other statements you can, for example, make a copy of the database, or simply enter the command ; DROP database (don’t try this at work).
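To make the data-versus-logic point concrete, here is an added example (my own code, not from the original post) that runs the same search input through two versions of a lookup: one that glues the user's text into the SQL statement, and one that binds it as a parameter. The table and its rows are constructed sample data, and the function names are my own. A lone single quote breaks the first version exactly as the error message in the post shows, while the second version just searches for a quote character.

```python
import sqlite3

# Constructed sample data: a tiny in-memory table standing in for the
# catalogue behind a web search field. One name deliberately contains a quote.
def build_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE products (id INTEGER PRIMARY KEY, name TEXT)")
    conn.executemany("INSERT INTO products (name) VALUES (?)",
                     [("lamp",), ("o'neill heater",), ("cable",)])
    return conn

def search_vulnerable(conn, term):
    # Data and logic are glued into one string: whatever the user typed
    # is parsed by the database engine as part of the statement itself.
    sql = "SELECT name FROM products WHERE name LIKE '%" + term + "%'"
    return [row[0] for row in conn.execute(sql)]

def search_safe(conn, term):
    # The statement is fixed; the user's input travels separately as a
    # bound parameter, so a quote is nothing more than a character to match.
    sql = "SELECT name FROM products WHERE name LIKE ?"
    return [row[0] for row in conn.execute(sql, ("%" + term + "%",))]

def probe(term):
    """Run both versions on the same input and report what each one did."""
    conn = build_db()
    try:
        vulnerable = search_vulnerable(conn, term)
    except sqlite3.OperationalError as exc:
        # This is the "SQL syntax error" a tester sees on the page: the
        # single quote closed the string early and left the rest unparseable.
        vulnerable = "syntax error: " + str(exc)
    safe = search_safe(conn, term)
    return {"vulnerable": vulnerable, "safe": safe}

if __name__ == "__main__":
    for term in ["lamp", "'"]:
        print(repr(term), probe(term))
```

The hardened version is not a filter on the input; it changes where the input goes. That is the separation of data and logic the paragraph above asks for, and it is also the easiest thing to check for in a code review: any query assembled with string concatenation or formatting from request data is a candidate for the same error message.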

Examples
The next four defects show how combining defects leads to a real threat. Imagine, for example, an electricity provider with a web portal for its end users. To log in you need to fill in your region code, username and password. These are the four defects we found:

  1. When you right-click on the login page, the “show source” option gives you the source code of that page. Sometimes you’ll find //comments in the code. These comments are often interesting, but they are even more interesting when they reveal that a default region code is used whenever a user leaves that field empty. Your first defect is: it is possible to obtain one of the three parts of the login, the region code.
  2. The next test you execute is: how many times can I log in with an incorrect combination of username and password? If you can try ten times or more, you can be fairly sure the account will not lock after 100 attempts either. Your second defect is: it is possible to brute-force the combination of username and password.
  3. While browsing through the application you only see a short URL like “www.myelectricityprovider.net”. If you right-click, you can see the settings of the button. Within these settings you’ll find the direct URL. Copy and paste this URL and you now see an ID. Change this ID into the ID of someone else and you can sometimes enter that specific account. The defect you found is a big one, because nobody can trace this ’normal‘ use.
  4. If you go to the account settings page with the account that isn’t yours, you can see the personal settings. If you can see the password in plain text here, like “Welcome01”, you have another defect. For security reasons it is not a good choice to store passwords unhashed in the database.
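The four defects above are all on the server side, so here is an added example (my own code, not the provider's portal or anything from the original post) of the minimal server logic that closes each of them: the region code is required rather than silently defaulted, failed logins are counted and the account is temporarily locked, the account ID taken from the URL is only honoured when it matches the logged-in session, and passwords are stored as salted PBKDF2 hashes so the settings page cannot show them. The accounts, the lockout threshold and the class and function names are all constructed for the example; the post itself gives no values for them.

```python
import hashlib
import hmac
import os
import time

MAX_FAILED_ATTEMPTS = 5      # assumed policy value, not from the post
LOCKOUT_SECONDS = 15 * 60    # assumed: temporary lock, not a permanent one
PBKDF2_ROUNDS = 100_000      # demo value; production should use more

def hash_password(password, salt=None):
    # Defect 4: only a salted hash is ever stored, never the plaintext.
    salt = salt if salt is not None else os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)
    return salt, digest

def verify_password(password, salt, digest):
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)
    return hmac.compare_digest(candidate, digest)   # constant-time compare

class Portal:
    def __init__(self):
        self.accounts = {}      # account_id -> record
        self.failed = {}        # (region, username) -> failed attempt count
        self.locked_until = {}  # (region, username) -> unlock timestamp

    def register(self, account_id, region, username, password):
        salt, digest = hash_password(password)
        self.accounts[account_id] = {
            "region": region, "username": username,
            "salt": salt, "hash": digest,
            "settings": {"email": username + "@example.invalid"},  # constructed
        }

    def login(self, region, username, password, now=None):
        now = time.time() if now is None else now
        # Defect 1: no hidden default region; the caller must supply one.
        if not region:
            raise ValueError("region code is required")
        key = (region, username)
        # Defect 2: honour a temporary lock, and reset the counter once it expires.
        if key in self.locked_until:
            if now < self.locked_until[key]:
                return None
            del self.locked_until[key]
            self.failed.pop(key, None)
        for account_id, rec in self.accounts.items():
            if (rec["region"] == region and rec["username"] == username
                    and verify_password(password, rec["salt"], rec["hash"])):
                self.failed.pop(key, None)
                return {"account_id": account_id}   # stands in for a session token
        self.failed[key] = self.failed.get(key, 0) + 1
        if self.failed[key] >= MAX_FAILED_ATTEMPTS:
            self.locked_until[key] = now + LOCKOUT_SECONDS
        return None

    def account_settings(self, session, requested_id):
        # Defect 3: the ID from the URL is checked against the session, so
        # editing the number in the address bar cannot open another account.
        if session is None or session["account_id"] != requested_id:
            raise PermissionError("not your account")
        rec = self.accounts[requested_id]
        # Defect 4 again: the page has no plaintext to show, only a mask.
        return {"username": rec["username"], "settings": rec["settings"],
                "password": "********"}

if __name__ == "__main__":
    portal = Portal()
    portal.register(1001, "NL-01", "alice", "Welcome01")   # constructed account
    session = portal.login("NL-01", "alice", "Welcome01")
    print(portal.account_settings(session, 1001))
```

The lock is deliberately temporary. A permanent lock after N failures closes defect 2 but hands an attacker the availability problem from the post's own list: anyone who knows a username could lock that account at will. Time-limited locks (or per-source rate limiting) keep brute forcing impractical without turning the login form into a denial-of-service switch, and every lock event is worth logging, since a burst of them across many usernames is the detection signal for the brute-force attempt in defect 2.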

This combination of defects has an impact on confidentiality, integrity and availability.
-      You can lock all accounts by changing their passwords; nobody can enter their account at that moment. The availability of the application is threatened.
-      Hacking someone else’s account also affects confidentiality, because you as the account owner are no longer the only one who can see your personal data.
-      The integrity can be damaged by changing the personal data.

A hacker will gather information step by step and attack deeper and deeper into the application. These defects on their own already create a risk, but their combination gives a lot of possibilities to those who don’t have permission to use YOUR account.

Use your imagination to find these combinations and you’ll see you’re doing something worthwhile.

This entry was posted on Monday, February 8th, 2010 at 18:44 and is filed under Andréas Prins, security testing.
