Insufficient Anti-Automation
Irina Grosu, Ana-Teodora Petrea
What is Insufficient Anti-Automation?
• Insufficient Anti-Automation is classified by the Web Application Security Consortium (WASC) Threat Classification as a weakness with reference ID WASC-21. It occurs when a web application allows an attacker to automate a process that was designed to be performed only manually, at human speed and volume.
• WASC-21 is related to the following Common Weakness Enumerations (CWEs):
• CWE-799: Improper Control of Interaction Frequency - the software does not properly limit the number or frequency of interactions it has with an actor, such as the number of incoming requests.
• CWE-804: Guessable CAPTCHA - the software uses a CAPTCHA challenge, but the challenge can be guessed or automatically recognized by a non-human actor.
Historical references
The WASC Threat Classification cross-reference maps Insufficient Anti-Automation onto entries of the 2004, 2007 and 2010 Open Web Application Security Project (OWASP) Top 10 rankings of Application Security Risks:
• OWASP Top 10 2004 – A2 - Broken Access Control
• Restrictions on what users are allowed to do are not properly enforced. Attackers can exploit these flaws to access other users' accounts, view sensitive files, or use unauthorized functions. Automation lets an attacker harvest confidential information from an affected site quickly and at scale.
• OWASP Top 10 2007 - A10 - Failure to Restrict URL Access
• OWASP Top 10 2010 - A8 - Failure to Restrict URL Access
• The primary attack method behind A8 (2010) and A10 (2007) is "forced browsing": guessing links and brute-forcing URLs to find unprotected pages. This is only practical when the application does nothing to limit the volume of requests a single client can make.
Common places for exploit
• The usual targets for exploiting the Insufficient Anti-Automation weakness are the following:
• Application login forms - brute-force login requests aimed at guessing user credentials;
• Service registration forms - automatically creating a large number of new accounts;
• Forms tied to SQL database queries - flooding the back end with many expensive queries so that it cannot respond to legitimate ones;
• Account information forms - harvesting users' personal information from the application;
• Comment forms / content submission forms - spamming blogs and web forums by automatically submitting content, including links to web-based malware;
• eShopping / eCommerce - buying items in bulk, such as tickets to sporting events, which scalpers then resell at higher prices;
• Online polls - manipulating voting systems in favor of a certain choice.
Examples of types of attacks that exploit the weakness
The main (but not the only) attack types that exploit the Insufficient Anti-Automation weakness are Brute Force and Denial of Service; Abuse of Functionality, covered below, is a third.
Brute Force
Brute-force attacks are easy to mount and can have a large impact on the target if no anti-automation control exists. They can lead to access to confidential information such as user account credentials.
• Guessing the credentials of an account – DEMO
• How to create the attack: write automation that tries to log in with a known user id and a different password on every attempt until access to the account is obtained.
• How to prevent the attack:
• Allow only a limited number of failed attempts per account. The limit can be expressed as a combination of (but not only) the following:
• Time interval.
• IP address.
• Username.
• The choice of limits has to fit the type of application (for example web/desktop, consumer/enterprise). A hard lockout keyed on the username alone can itself be abused to lock legitimate users out (see Denial of Service below), so combine it with a time window and with a per-source limit.
• Use a well-implemented CAPTCHA that is activated after a few unsuccessful login attempts.
• Impact: the privacy of the accounts is compromised; attackers gain access to confidential information.
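The prevention policy described above, as an added illustration that is not part of the original slides or of the demo application: a sliding-window throttle that counts failed logins per username and per client IP, escalating from plain allow, to demanding a CAPTCHA, to a temporary lock. Counting on both keys is what catches a password spray (many usernames, one source) as well as a classic brute force (one username, many passwords). The thresholds (3 failures before a CAPTCHA, 10 before locking, a 10-minute window) and the IP addresses are assumed values, not values from the slides.

```python
import time
from collections import defaultdict, deque


class LoginThrottle:
    """Sliding-window throttle for failed logins.

    Failures are counted per username *and* per client IP, so that both a
    classic brute force (one user, many passwords) and a password spray
    (many users, one source) hit the limits.  Thresholds are assumed values.
    """

    def __init__(self, window_s=600, captcha_after=3, lock_after=10,
                 clock=time.monotonic):
        self.window_s = window_s
        self.captcha_after = captcha_after
        self.lock_after = lock_after
        self.clock = clock                 # injectable so tests can move time
        self._fails = defaultdict(deque)   # key -> timestamps of failures

    def _recent(self, key, now):
        """Drop failures older than the window and return how many remain."""
        q = self._fails[key]
        while q and now - q[0] > self.window_s:
            q.popleft()
        return len(q)

    def check(self, username, ip):
        """Decide what to do with a login attempt before verifying the password.

        Returns "allow", "captcha" (demand a CAPTCHA first) or "locked".
        """
        now = self.clock()
        by_user = self._recent(("user", username.lower()), now)
        by_ip = self._recent(("ip", ip), now)
        n = max(by_user, by_ip)
        if n >= self.lock_after:
            return "locked"
        if n >= self.captcha_after:
            return "captcha"
        return "allow"

    def record(self, username, ip, success):
        """Update the counters after the password check has run."""
        now = self.clock()
        user_key = ("user", username.lower())
        if success:
            # A correct password clears the per-user counter only; the per-IP
            # counter keeps counting so that a spray is not reset by one hit.
            self._fails.pop(user_key, None)
        else:
            self._fails[user_key].append(now)
            self._fails[("ip", ip)].append(now)


def simulate(throttle, attempts):
    """Run (username, ip) attempts, all with wrong passwords; return the decisions."""
    decisions = []
    for username, ip in attempts:
        decision = throttle.check(username, ip)
        decisions.append(decision)
        if decision != "locked":          # a locked attempt never reaches the password check
            throttle.record(username, ip, success=False)
    return decisions


if __name__ == "__main__":
    brute = simulate(LoginThrottle(), [("alice", "203.0.113.9")] * 12)
    spray = simulate(LoginThrottle(), [(f"user{i}", "203.0.113.9") for i in range(12)])
    print("brute force   :", brute)
    print("password spray:", spray)
```

Both runs produce the same sequence of decisions (three allowed, then CAPTCHA, then locked), the spray purely because of the per-IP key. A real deployment would also key on the session or device where the application has one, and would store the counters in a shared store rather than in process memory.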
Demo
• Website: http://guesspassword.azurewebsites.net/
• Brute force password cracker application: http://students.info.uaic.ro/~irina.grosu/ss/PasswordFinder.exe
Denial of Service
A denial-of-service (DoS) attack is an attempt to make a machine or network resource unavailable to its intended users, generally by temporarily or indefinitely interrupting or suspending the services of a host. DoS attacks usually aim to:
• Force the targeted computer(s) to reset, or consume their resources so that they can no longer provide the intended service.
• Obstruct the communication medium between the users and the victim so that they can no longer communicate adequately.
• Lock real accounts by repeatedly failing logins through automation (an attack that a naive per-account lockout rule makes possible).
Denial of Service
• Causing server overload
• How to create the attack: one common method is to saturate the target machine with external requests so that it can no longer respond to legitimate traffic.
• How to prevent the attack:
• Disable any unused or unneeded network services. This limits an intruder's ability to use those services to mount a denial-of-service attack.
• Observe system performance and establish baselines for ordinary activity. Use the baseline to spot unusual levels of disk activity, CPU usage or network traffic.
• Limit the number of requests a single client can make in a given time, and bound the cost of the requests it can make (see General types of prevention).
• Invest in and maintain "hot spares": components that can be placed into service quickly if a similar one is disabled.
• Impact: denial-of-service attacks can effectively disable a computer or a network.
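The baseline-and-compare step above, as an added illustration that is not part of the original slides: a detector that parses access-log lines in Combined Log Format, learns the median requests-per-IP-per-minute from a window known to be ordinary, and flags any source that exceeds a multiple of that baseline in a later window. The log lines, IP addresses, factor of 5 and floor of 20 requests per minute are all constructed assumptions.

```python
import re
import statistics
from collections import Counter
from datetime import datetime

# Combined Log Format prefix: client IP, identity, user, [timestamp] "request" status
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+)[^"]*" (?P<status>\d{3})'
)


def _line(ip, ts, path="/search", status=200):
    """Build one constructed log line (sample data, not real traffic)."""
    return f'{ip} - - [{ts}] "POST {path} HTTP/1.1" {status} 512'


def build_sample(minute, ips_and_counts):
    """Constructed traffic: each IP sends `count` requests within the given minute."""
    lines = []
    for ip, count in ips_and_counts:
        for i in range(count):
            lines.append(_line(ip, f"10/Oct/2010:13:{minute:02d}:{i % 60:02d} +0000"))
    return lines


# A quiet minute used to learn what "ordinary" looks like ...
BASELINE_LOG = build_sample(55, [("192.0.2.10", 3), ("192.0.2.11", 5),
                                 ("192.0.2.12", 4), ("192.0.2.13", 2)])
# ... and a later minute in which one source floods the form.
SUSPECT_LOG = build_sample(56, [("192.0.2.10", 4), ("192.0.2.11", 3),
                                ("198.51.100.7", 45)])


def per_ip_minute_counts(lines):
    """Count requests per (client IP, minute); lines that do not parse are skipped."""
    counts = Counter()
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        ts = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z")
        counts[(m["ip"], ts.strftime("%Y-%m-%dT%H:%M"))] += 1
    return counts


def baseline_rate(lines):
    """Median requests per IP per minute over a window known to be ordinary."""
    return statistics.median(per_ip_minute_counts(lines).values())


def flag_floods(lines, baseline, factor=5, floor=20):
    """Return {ip: requests in its busiest minute} for sources above the threshold.

    The floor keeps a tiny baseline (a quiet site) from turning normal users
    into false positives; the factor scales the threshold with real traffic.
    """
    threshold = max(floor, factor * baseline)
    busiest = Counter()
    for (ip, _minute), n in per_ip_minute_counts(lines).items():
        busiest[ip] = max(busiest[ip], n)
    return {ip: n for ip, n in busiest.items() if n > threshold}


if __name__ == "__main__":
    base = baseline_rate(BASELINE_LOG)
    print(f"baseline: {base} requests per IP per minute")
    print("flagged:", flag_floods(SUSPECT_LOG, base))
```

A per-IP count is the simplest cut; the same loop keyed on the request path would separate a flood of expensive search queries from harmless page views, which matters for the "forms tied to SQL database queries" target listed earlier.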
Abuse of Functionality
• Illicit use of a voting system
• How to create the attack: the attacker, either with automation or by hand, votes multiple times for the same candidate in order to change the result of the vote.
• How to prevent the attack: limit the number of votes per person using restriction methods such as (but not only):
• IP address.
• Email address (weak on its own, since new addresses are easy to create automatically).
• Personal identification number.
• MAC address of the device used to vote (only meaningful when the voting system sits on the same local network; a web server never sees a remote client's MAC address).
• Impact: the validity of the voting session is destroyed. If the attack is not discovered in time, the result of the vote is fraudulent.
Combining different attacks in order to exploit the Insufficient Anti-Automation weakness
• Brute Force + Abuse of Functionality for spamming purposes
A combination of brute force and abuse of functionality can also be used against an application that lacks sufficient anti-automation.
• How to create the attack: consider an online email service with no anti-automation for either login or the number of emails an account can send. After guessing the correct user credentials with an automated brute-force attack, the attacker runs automation that sends emails from that account to the contacts in its address book and to any other addresses the attacker chooses.
• How to prevent the attack: write anti-automation code that limits login attempts after a wrong password (as specified in the Brute Force section), limit the number of emails a user can send per day, use a CAPTCHA mechanism, and so on.
• Impact: the privacy of the accounts is compromised and attackers gain access to confidential information. A spamming system is created.
Insufficient anti-automation + insufficient authentication
This situation can occur in an application that lets users directly access a URL similar to the following (where X denotes an account ID number): http://www.mysite.com/app/accountDetails.aspx?UserID=X
• How to create the attack: if the application issues predictable (or enumerable) account ID numbers, an attacker can automatically submit a large number of HTTP requests, each with a different account ID. Because unauthenticated users can reach those pages, the attacker harvests the account information of every user.
• How to prevent the attack: the root cause is that the page neither authenticates the caller nor checks that the caller owns the requested account, so fix that first and stop issuing enumerable IDs. On top of that, limit the number of requests a single client can make; for example, block the IP address after 3 invalid attempts, or ask the user to contact the service provider. A per-IP block on its own is bypassed by spreading the requests over many source addresses.
• Impact: the privacy of the accounts is compromised; attackers gain access to confidential information.
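The two sides of this case, as an added illustration that is not part of the original slides: a handler that mirrors the accountDetails.aspx?UserID=X pattern (sequential IDs, no authentication, no ownership check) next to the same handler with the missing checks added and opaque handles in place of the integer ID, plus the enumeration loop the automated attacker runs against each. The account store, the owner names and the 16-byte handle size are constructed assumptions; the point is that an enumeration that returns every record from the first endpoint returns nothing from the second, before any rate limit is involved.

```python
import secrets


class AuthError(Exception):
    """Raised when a request is unauthenticated or not authorized for the account."""


# Constructed in-memory account store; the sequential keys mirror the
# enumerable UserID in the slide's URL.
ACCOUNTS = {
    1: {"owner": "alice", "email": "alice@example.com"},
    2: {"owner": "bob", "email": "bob@example.com"},
    3: {"owner": "carol", "email": "carol@example.com"},
}

# Opaque handles (128 bits of randomness each) that the hardened endpoint
# accepts instead of the raw integer ID.  Generated here for the example; a
# real application would store them with the account.
HANDLES = {secrets.token_urlsafe(16): uid for uid in ACCOUNTS}


def handle_of(owner):
    """The handle a given owner would see in links to their own account page."""
    for handle, uid in HANDLES.items():
        if ACCOUNTS[uid]["owner"] == owner:
            return handle
    raise KeyError(owner)


def account_details_vulnerable(user_id, session_user=None):
    """accountDetails.aspx?UserID=X as described: no authentication, no ownership check."""
    return ACCOUNTS.get(user_id)


def account_details_hardened(handle, session_user):
    """Same lookup with the two missing checks added."""
    if session_user is None:
        raise AuthError("authentication required")
    record = ACCOUNTS.get(HANDLES.get(handle))
    # One error for "no such account" and "someone else's account", so the
    # response does not reveal which handles exist.
    if record is None or record["owner"] != session_user:
        raise AuthError("not authorized")
    return record


def access_denied(handle, session_user):
    """True if the hardened endpoint refuses the request."""
    try:
        account_details_hardened(handle, session_user)
    except AuthError:
        return True
    return False


def enumerate_vulnerable(max_id=100):
    """What the automated attacker does against the vulnerable endpoint: walk the ID space."""
    found = {}
    for i in range(1, max_id + 1):
        record = account_details_vulnerable(i)
        if record is not None:
            found[i] = record
    return found


def enumerate_hardened(session_user, max_id=100):
    """The same walk against the hardened endpoint: integer guesses are not
    valid handles, and even a valid handle fails the ownership check."""
    found = {}
    for i in range(1, max_id + 1):
        try:
            found[i] = account_details_hardened(str(i), session_user)
        except AuthError:
            pass
    return found


if __name__ == "__main__":
    print("vulnerable endpoint leaks:", enumerate_vulnerable())
    print("hardened endpoint leaks  :", enumerate_hardened("alice"))
    print("alice's own record       :", account_details_hardened(handle_of("alice"), "alice"))
```

With 128-bit handles the guessing space is far beyond what any request limit needs to defend, and the ownership check means that even a leaked handle is useless to another user; the rate limit from the previous sections then only slows down a scraper that already has a valid session.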
Real Case: Microsoft Exchange IIS license exhaustion denial of service
• Microsoft Exchange 2000 was reported vulnerable to a denial-of-service attack that exploits the Insufficient Anti-Automation weakness.
• Reported date: Aug 05, 2002; no fix known at the time of the report.
• Affected: Microsoft Exchange Server 2000
• How it was exploited: an authenticated remote attacker who sends many rapid requests to a vulnerable Exchange server can consume all available licenses issued by the Microsoft Internet Information Services (IIS) server, causing a denial of service. IIS and Exchange must be restarted to regain normal functionality.
Real Case: Macworld crack offers VIP passes
• A cracker was able to obtain free "Platinum Pass" tickets from the Macworld website.
• Reported date: January 12, 2007
• Affected: http://www.macworld.com/
• How it was exploited: the VIP codes were kept in the page's JavaScript as MD5 hashes. Because the codes were simple (no special characters), the keyspace was small: the attacker automated the generation of candidate codes, hashed each with MD5 and compared the result with the values in the JavaScript. When a hash matched, he had a valid VIP code. MD5 is fast and the hashes were unsalted, so nothing slowed the search down; validating an unguessable code on the server side would have removed the offline attack entirely.
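The offline search described above, as an added illustration that is not part of the original slides or of the reported incident: the attacker's loop that enumerates every code over a restricted alphabet, hashes each candidate with MD5 and matches it against digests embedded in the page. The alphabet (upper-case letters and digits), the 3-character code length and the three target digests are constructed assumptions chosen so the full keyspace (36^3 = 46,656 candidates) runs in well under a second; the keyspace_size function shows how the count grows with length and alphabet, which is the whole difference between this attack and an infeasible one.

```python
import hashlib
import itertools
import string

# Assumed code alphabet: letters and digits only, as in the reported case
# where the codes contained no special characters.
ALPHABET = string.ascii_uppercase + string.digits
# For comparison: the printable ASCII set an unrestricted code could use.
FULL_ALPHABET = string.ascii_letters + string.digits + string.punctuation


def md5_hex(text):
    """Hex MD5 digest of a code, as the page's JavaScript would have embedded it."""
    return hashlib.md5(text.encode("ascii")).hexdigest()


def keyspace_size(length, alphabet=ALPHABET):
    """Number of candidate codes the attacker has to hash in the worst case."""
    return len(alphabet) ** length


def recover_codes(target_hashes, length, alphabet=ALPHABET):
    """Enumerate every code of `length` characters over `alphabet`, hash each with
    MD5 and return {digest: code} for every digest present in `target_hashes`.
    Stops early once all targets have been recovered."""
    remaining = set(target_hashes)
    found = {}
    for chars in itertools.product(alphabet, repeat=length):
        if not remaining:
            break
        code = "".join(chars)
        digest = md5_hex(code)
        if digest in remaining:
            found[digest] = code
            remaining.remove(digest)
    return found


# Constructed stand-in for the digests embedded in the page's JavaScript:
# three 3-character codes, hashed here so the example is self-contained.  In
# the real case only the digests were visible and the codes had to be found.
EMBEDDED_HASHES = [md5_hex(c) for c in ("VIP", "7K2", "Q9Z")]


if __name__ == "__main__":
    print("keyspace, 3 chars, letters+digits :", keyspace_size(3))
    print("keyspace, 8 chars, letters+digits :", keyspace_size(8))
    print("keyspace, 8 chars, full printable :", keyspace_size(8, FULL_ALPHABET))
    print("recovered:", recover_codes(EMBEDDED_HASHES, 3))
```

Note that lengthening the code only raises the attacker's cost linearly in MD5 throughput; the structural fix is to never hand the client anything that lets it test candidates offline, and to apply the request limits from the earlier sections to the server-side check.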
General types of prevention
• CAPTCHA
• CAPTCHAs can be used to stop bots from using services illicitly: collecting sensitive information, spamming, stuffing online polls and so on.
• CAPTCHA mechanisms usually rely on:
• Distorted text inside images that the user has to type in;
• Audio CAPTCHAs for visually impaired users;
• CAPTCHAs that rely on simple techniques may be easy to break: image-based ones can be solved with OCR and audio ones with sound analysis (CWE-804, Guessable CAPTCHA).
• Not using predictable (or enumerable) ID numbers.
• Limiting the number of requests per client, keyed on IP address, account ID and so on (a MAC address is usable only on a local network, since a web server does not see a remote client's MAC address).
Recent Report
• In 2010, SpiderLabs released the "WASC Web Hacking Incident Database (WHID) Semiannual Report for 2010 (July – December)".
• The report analyses 75 web hacking incidents from those months.
• The most exploited weakness was Insufficient Anti-Automation, through denial-of-service and brute-force attacks.
Bibliography
• Insufficient Anti-automation (WASC-21): http://projects.webappsec.org/w/page/13246938/Insufficient%20Anti-automation
• Threat Classification Taxonomy Cross Reference View: http://projects.webappsec.org/w/page/13246975/Threat%20Classification%20Taxonomy%20Cross%20Reference%20View
• OWASP Top 10 2004: https://www.owasp.org/index.php/Top_10_2004
• OWASP Top 10 2007 - Failure to Restrict URL Access: https://www.owasp.org/index.php/Top_10_2007-Failure_to_Restrict_URL_Access
• OWASP Top 10 2010: https://www.owasp.org/index.php/Top_10_2010-Main
• CWE-799: Improper Control of Interaction Frequency: http://cwe.mitre.org/data/definitions/799.html
• CWE-804: Guessable CAPTCHA: http://cwe.mitre.org/data/definitions/804.html
• Macworld crack offers VIP passes, hacker says (CNET): http://news.cnet.com/Macworld-crack-offers-VIP-passes,-hacker-says/2100-1002_3-6149994.html
• Marco Morana, ISSA Louisville 2010: http://www.slideshare.net/marco_morana/issa-louisville-2010morana
• WASC Web Hacking Incident Database 2010 Semi Annual Report: http://projects.webappsec.org/w/page/37719294/Web%20Hacking%20Incident%20Database%202010%20Semi%20Annual%20Report%20-%202
• Microsoft Exchange IIS license exhaustion denial of service (ISS X-Force): http://xforce.iss.net/xforce/xfdb/9791