Download - Web Application Concurrency Vulnerabilities
-
OWASP BOOKS
OWASP Testing Guide ~NZ$18 + pp
OWASP Code Review ~NZ$15 + pp
OWASP Developers Guide ~NZ$15 + pp
-
WEB APPLICATION SECURITY
What about SQL injection?
-
CONCURRENCY VULNERABILITIES
Web servers are multithreaded applications: thread pools, locking, IO requests
Web applications need to be thread aware: there is a danger of multiple threads interacting with the same object at the same time
What happens when threads act simultaneously? It depends on the language and framework, on the situation, and on the server load
-
MULTI ACCESS ISSUES
Race conditions: TOCTOU; object reuse out of context; object modification during a workflow
Deadlocks: a common condition when the same data is updated by two sources that take locks in different orders; record locking, database transactions
-
CONCURRENCY VULNERABILITIES
Thread safety: multithreaded applications
Cross user data vulnerabilities: access through shared objects
Single user data vulnerabilities: access through unshared objects
Asynchronous requests: synchronisation issues
-
THREAD SAFETY
Thread safe objects: automatically handle locking; ensure access by one thread at a time; do not cause a deadlock
Threading errors: not all objects are thread safe; serious and subtle problems; difficult to identify; difficult to reproduce
-
THREAD SAFETY
The app starts with 10 users. Depending on who wins the race and how the threads interleave, numusers could end up as 10 or 11 (it should be 10): an increment or decrement is a read, a modify and a write, and another thread can run between those steps
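Reproducing the numusers race, as an added example that is not part of the original slides: two threads each add and then remove a user 100000 times, once against a plain int field and once against a counter whose every access is synchronized. The net result should be the starting 10 either way; the unsynchronized field usually drifts because ++ and -- are each three steps that the other thread can interleave with. The class name and iteration count are assumptions chosen for illustration.

```java
// Added example (not from the original slides): lost updates on a shared user count.
public class NumUsersRace {
    private static final int ITERATIONS = 100_000;     // assumption: enough cycles to see interleaving

    private int numUsers = 10;                          // plain field: no locking at all
    private int lockedNumUsers = 10;                    // every access guarded by the object monitor

    void addUser()    { numUsers++; }                   // read, add one, write: three steps, not one
    void removeUser() { numUsers--; }

    synchronized void addUserLocked()    { lockedNumUsers++; }
    synchronized void removeUserLocked() { lockedNumUsers--; }

    /** Runs body on two threads at once and waits for both to finish. */
    static void twoThreads(Runnable body) throws InterruptedException {
        Thread t1 = new Thread(body), t2 = new Thread(body);
        t1.start(); t2.start();
        t1.join();  t2.join();
    }

    /** Final count after both threads add and remove a user ITERATIONS times without locking. */
    int raceUnlocked() throws InterruptedException {
        twoThreads(() -> { for (int i = 0; i < ITERATIONS; i++) { addUser(); removeUser(); } });
        return numUsers;
    }

    /** Same workload with the counter protected by synchronized methods. */
    int raceLocked() throws InterruptedException {
        twoThreads(() -> { for (int i = 0; i < ITERATIONS; i++) { addUserLocked(); removeUserLocked(); } });
        return lockedNumUsers;
    }

    public static void main(String[] args) throws InterruptedException {
        int unlocked = new NumUsersRace().raceUnlocked();
        int locked   = new NumUsersRace().raceLocked();
        System.out.println("unsynchronized numUsers: " + unlocked + " (should be 10, usually is not)");
        System.out.println("synchronized   numUsers: " + locked   + " (always 10)");
    }
}
```

Run it several times: the unsynchronized result varies from run to run, which is exactly why these bugs are hard to reproduce in a single-user test.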
-
THREAD SAFETY
ASP.NET: requests for a given session are serialized (the session state module takes a per-session lock), so session variables are thread-safe by default; only requests that use session state are serialized, so handlers that opt out of it, background threads and objects cached outside the session are not covered
Java Servlets: HttpSession, including its attributes, is not thread-safe; two requests carrying the same session cookie are serviced concurrently
-
THREAD SAFETY
Struts 1.x: Actions are singletons and thus prone to issues if request data is kept in Action fields
Struts 2.x: a new Action instance is created for each request, so per-request state in Action fields is thread safe
-
THREAD SAFETY
How does this affect security? Consider an online banking system
-
CONCURRENCY ISSUES
More interesting are the issues affecting users: the ones that make it into the headlines!
-
UNCONFIRMED ISSUES
-
WHAT HAPPENED?
Variables shared between threads: shared between sessions; class globals; static declarations
Shared data: any data not instantiated for the session; data reused in following sessions
How can this affect user accounts? The same session token identifier is returned to two threads, so different browser sessions end up with the same identifier
-
CROSS USER THREAD SAFETY
Depending on where the shared object is used, it can cause a security issue
-
JAVA
Servlets: unless it implements the SingleThreadModel interface, a Servlet is a singleton by default; there is only one instance of the Servlet, and it services many requests concurrently (SingleThreadModel has been deprecated since Servlet 2.4 and does not protect static fields or session attributes, so it is not a fix)
Member fields: storing user data in Servlet member fields introduces a data access race condition between threads
-
JAVA

    import java.io.IOException;
    import java.io.PrintWriter;
    import javax.servlet.http.HttpServlet;
    import javax.servlet.http.HttpServletRequest;
    import javax.servlet.http.HttpServletResponse;

    // Vulnerable by design: one GuestBook instance services every request,
    // so the member field "name" is shared between concurrent threads
    public class GuestBook extends HttpServlet {
        String name;

        protected void doPost(HttpServletRequest req, HttpServletResponse res) throws IOException {
            name = req.getParameter("name");
            ...
            PrintWriter out = res.getWriter();
            out.println(name + ", thanks for visiting!");
        }
    }

Thread 1: assign "Dick" to name
Thread 2: assign "Jane" to name
Thread 1: print "Jane, thanks for visiting!"
Thread 2: print "Jane, thanks for visiting!"
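The interleaving above reproduced deterministically, as an added example that is not part of the original slides: the servlet is modelled as a plain class so no container is needed, and a yieldPoint hook stands in for the moment the container preempts thread 1 between the assignment and the print. The Handler interface, the latches and the class names are assumptions for illustration; the fix shown is the one the slide implies, keeping per-request data in a local variable.

```java
import java.util.concurrent.CountDownLatch;

// Added example (not from the original slides): the GuestBook member-field race, forced step by step.
public class GuestBookRace {

    /** Stand-in for a servlet's doPost: takes the request parameter, returns the response body. */
    interface Handler {
        String handle(String param, Runnable yieldPoint);
    }

    /** Vulnerable: one instance services every request, so "name" is shared between requests. */
    static class SharedField implements Handler {
        private String name;
        public String handle(String param, Runnable yieldPoint) {
            name = param;                        // Thread 1 assigns "Dick" here ...
            yieldPoint.run();                    // ... and is preempted before it prints
            return name + ", thanks for visiting!";
        }
    }

    /** Fixed: per-request data lives on the stack of the thread handling that request. */
    static class LocalVariable implements Handler {
        public String handle(String param, Runnable yieldPoint) {
            String name = param;                 // one copy per invocation
            yieldPoint.run();
            return name + ", thanks for visiting!";
        }
    }

    /** Forces the slide's order: T1 assigns, T2 assigns and prints, then T1 prints. */
    static String[] runSlideInterleaving(Handler servlet) throws InterruptedException {
        CountDownLatch dickAssigned = new CountDownLatch(1);
        CountDownLatch janeDone     = new CountDownLatch(1);
        String[] responses = new String[2];

        Thread t1 = new Thread(() -> responses[0] = servlet.handle("Dick", () -> {
            dickAssigned.countDown();            // tell T2 it may run now
            await(janeDone);                     // stay preempted until T2 has finished
        }));
        Thread t2 = new Thread(() -> {
            await(dickAssigned);
            responses[1] = servlet.handle("Jane", () -> {});
            janeDone.countDown();
        });
        t1.start(); t2.start();
        t1.join();  t2.join();
        return responses;
    }

    private static void await(CountDownLatch latch) {
        try { latch.await(); }
        catch (InterruptedException e) { Thread.currentThread().interrupt(); throw new IllegalStateException(e); }
    }

    public static void main(String[] args) throws InterruptedException {
        String[] shared = runSlideInterleaving(new SharedField());
        String[] local  = runSlideInterleaving(new LocalVariable());
        System.out.println("member field  : T1 -> " + shared[0] + " | T2 -> " + shared[1]);
        System.out.println("local variable: T1 -> " + local[0]  + " | T2 -> " + local[1]);
    }
}
```

With SharedField both responses thank Jane; with LocalVariable Dick gets his own greeting back. The latches are only there to make the bad interleaving happen on demand; under real load the same order occurs by chance.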
-
JAVA
Java beans (Spring): when a bean is a singleton (the default scope), every lookup returns a reference to the same object, shared by every request

    Object bean1 = context.getBean("myBean");
    Object bean2 = context.getBean("myBean");
    Object bean3 = context.getBean("myBean");
    // bean1, bean2 and bean3 are all the same instance of MyClass
-
JAVA
JSP pages: JSP pages are not thread safe by default. Local variables (scriptlet variables inside the service method) are ok; instance variables declared in a <%! %> block are shared by all requests
Can mark the page as not thread safe (isThreadSafe="false", which makes the generated servlet implement SingleThreadModel)
Will cause [N] instances of the servlet to be loaded and initialized, each servicing one request at a time
-
ASP .NET
Thread safe: most, but not all, framework classes and types are safe; the usual documented rule is that public static members are thread safe and instance members are not
Shared data: static variables in a class; a static reference to a helper class that contains member variables; a helper class that contains a static variable
The Application collection: global application-specific information that is visible to the entire application
-
ASP .NET
Static declarations: static classes, methods and variables are shared by every request; the developer must be careful not to have unsafe code

    public static class Global
    {
        /// Global variable storing important stuff: one copy, shared by every request.
        static string _importantData;

        /// Get or set the static important data (no locking: concurrent requests race on it).
        public static string ImportantData
        {
            get { return _importantData; }
            set { _importantData = value; }
        }
    }
-
WHY ARE THEY HARD TO DETECT
Pools: application pools; thread pools; object pools; jobs; etc.
-
WHY ARE THEY HARD TO DETECT
Server load: did you test with 10 simultaneous connections? Did you test with 100 simultaneous connections? Did you even test with just 2 simultaneous connections?
-
SERVER LOAD
1 user thread accessing the shared object over its workflow life
-
SERVER LOAD
2 user threads accessing the shared object over its workflow life: user 2 has overwritten user 1's data
-
SESSION VARIABLES
Session: store and retrieve values for a user, keyed by their session token
Single user: can only be accessed by the associated user; usually thread safe for read/write
Safe? Not always: a value can be changed by a different thread, i.e. another request carrying the same session token
-
SESSION VARIABLES
1 user thread accessing the session object over its workflow life
-
SESSION VARIABLES
2 user threads accessing the session object over its workflow life
-
SESSION VARIABLES
Real world example

    Login()
    {
        ..
        Session["Username"] = Username.Text;      // unverified input stored before the check
        Session["Password"] = Password.Text;
        if (CheckLogin())
            Session["Authed"] = TRUE;
        else
        {
            Session["Username"] = "";
            Session["Password"] = "";             // Session["Authed"] is left as it was
        }
        ..
    }

    LoadUserData()
    {
        ..
        if (!(Session["Authed"] == TRUE))
            return FALSE;
        ..
        GetUserDataFromDB(Session["Username"]);
        // Display user data
        ..
        return TRUE;
    }

The attack
Login with valid creds: sets Session["Authed"] = TRUE
Hit Login() again with a different username: sets Session["Username"] to the victim's name before CheckLogin() has run
Race it with LoadUserData()
Win the race and view the other user's data: LoadUserData() sees Authed = TRUE from the first login and the Username written by the second
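The Login()/LoadUserData() race and a fixed version, as an added example that is not part of the original slides. A ConcurrentHashMap stands in for the Session object, the credential table and the DB call are constructed test data, and the latches force the window the attacker would otherwise have to hit by timing. The fix keeps unverified input out of the session entirely and stores identity and authentication state as one immutable value (a Java 17 record), written only after CheckLogin() succeeds.

```java
import java.util.Map;
import java.util.concurrent.ConcurrentHashMap;
import java.util.concurrent.CountDownLatch;

// Added example (not from the original slides): the Login()/LoadUserData() race, forced deterministically.
public class SessionRace {

    static final Map<String, String> PASSWORDS = Map.of("alice", "alice-pw", "bob", "bob-pw"); // constructed

    static boolean checkLogin(String user, String pass) {          // stand-in for CheckLogin()
        return pass != null && pass.equals(PASSWORDS.get(user));
    }
    static String getUserDataFromDB(String user) {                 // stand-in for the DB call
        return "private data of " + user;
    }

    // ---- Vulnerable flow, as on the slide: unverified input is written to the session first
    static void vulnerableLogin(Map<String, Object> session, String user, String pass, Runnable yieldPoint) {
        session.put("Username", user);
        session.put("Password", pass);
        yieldPoint.run();                                            // request descheduled here
        if (checkLogin(user, pass)) {
            session.put("Authed", Boolean.TRUE);
        } else {
            session.put("Username", "");
            session.put("Password", "");                             // "Authed" is never cleared
        }
    }
    static String vulnerableLoadUserData(Map<String, Object> session) {
        if (!Boolean.TRUE.equals(session.get("Authed"))) return null;
        return getUserDataFromDB((String) session.get("Username")); // trusts a value set before the check
    }

    // ---- Fixed flow: identity and auth state are one immutable value, stored only after the check
    record Principal(String username) {}

    static void fixedLogin(Map<String, Object> session, String user, String pass, Runnable yieldPoint) {
        session.remove("Principal");                                 // a new attempt ends the old login first
        yieldPoint.run();
        if (checkLogin(user, pass)) session.put("Principal", new Principal(user));
    }
    static String fixedLoadUserData(Map<String, Object> session) {
        Principal p = (Principal) session.get("Principal");          // one read of one key
        return p == null ? null : getUserDataFromDB(p.username());
    }

    /** Attacker "bob" logs in, then re-submits Login() as "alice" with a wrong password and races LoadUserData(). */
    static String attack(boolean fixed) throws InterruptedException {
        Map<String, Object> session = new ConcurrentHashMap<>();
        Runnable noPause = () -> {};
        if (fixed) fixedLogin(session, "bob", "bob-pw", noPause);
        else       vulnerableLogin(session, "bob", "bob-pw", noPause);

        CountDownLatch usernameWritten = new CountDownLatch(1);
        CountDownLatch dataLoaded      = new CountDownLatch(1);
        String[] leaked = new String[1];

        Thread login = new Thread(() -> {
            Runnable pause = () -> { usernameWritten.countDown(); await(dataLoaded); };
            if (fixed) fixedLogin(session, "alice", "wrong", pause);
            else       vulnerableLogin(session, "alice", "wrong", pause);
        });
        Thread load = new Thread(() -> {
            await(usernameWritten);                                  // win the race: read while Login() is paused
            leaked[0] = fixed ? fixedLoadUserData(session) : vulnerableLoadUserData(session);
            dataLoaded.countDown();
        });
        login.start(); load.start();
        login.join();  load.join();
        return leaked[0];
    }

    private static void await(CountDownLatch latch) {
        try { latch.await(); }
        catch (InterruptedException e) { Thread.currentThread().interrupt(); throw new IllegalStateException(e); }
    }

    public static void main(String[] args) throws InterruptedException {
        System.out.println("vulnerable: " + attack(false));   // bob reads alice's data
        System.out.println("fixed     : " + attack(true));    // null: nobody is authenticated during the window
    }
}
```

The fixed flow is safe not because of locking but because there is no moment at which the session contains an authenticated flag next to an unverified username: during the window the session holds no principal at all, and the check and the identity are read together in a single get.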
-
RACE CONDITIONS
TOCTOU: time of check, time of use
Change in state: between the time at which a given resource is checked and the time that resource is used, a change occurs in the resource that invalidates the result of the check
Threading issues: all of the previously discussed issues
-
RACE CONDITIONS
Usual shopping process
-
Raced shopping process: add to the cart contents after the payment has been processed, so the amount was checked against a cart that has since changed
-
ASYNCHRONOUS REQUESTS
Can be affected by race conditions: a race exists between the backend functions as to the order in which they are executed
-
BROWSER CONCURRENCY ISSUES
Most major browsers have had issues: complicated window, DOM and object sharing; faulty synchronization between objects
Race!
-
SOLUTIONS
Application design: be aware of which objects are shared; do not use statics/globals for user specific data
Code level: safe locking (synchronisation, mutexes); be aware of thread safe/unsafe types; use intelligent queries, for example

    UPDATE Account ... WHERE ID = ## AND Balance = [LASTKNOWNBALANCE]

and treat zero rows affected as a failed update: re-read the balance and retry rather than assuming the write happened
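The banking race from earlier in the deck and the intelligent-query fix side by side, as an added example that is not part of the original slides. Instead of a database, the account balance is held in memory: the racy path is a plain check-then-act, and the optimistic path uses AtomicLong.compareAndSet as the in-memory twin of UPDATE ... WHERE Balance = [LASTKNOWNBALANCE], retrying when the compare fails just as a caller would retry on zero rows affected. The account figures, request count and class names are constructed for illustration.

```java
import java.util.ArrayList;
import java.util.List;
import java.util.concurrent.CountDownLatch;
import java.util.concurrent.ExecutorService;
import java.util.concurrent.Executors;
import java.util.concurrent.Future;
import java.util.concurrent.atomic.AtomicLong;

// Added example (not from the original slides): the banking race and the "intelligent query" fix.
public class OptimisticUpdate {

    static class Account {
        private long balance;                        // racy path: plain field
        private final AtomicLong balanceCas;         // optimistic path: compare-and-set
        Account(long opening) { balance = opening; balanceCas = new AtomicLong(opening); }

        /** Check-then-act: balance read at time of check, written from the stale copy at time of use. */
        boolean withdrawRacy(long amount) {
            long current = balance;
            if (current < amount) return false;
            Thread.yield();                          // widen the window, as a loaded server would
            balance = current - amount;
            return true;
        }

        /** Optimistic: the in-memory twin of
         *    UPDATE Account SET Balance = Balance - ? WHERE ID = ? AND Balance = [LASTKNOWNBALANCE]
         *  compareAndSet fails exactly when that UPDATE would report 0 rows affected; then re-read and retry. */
        boolean withdrawOptimistic(long amount) {
            while (true) {
                long lastKnownBalance = balanceCas.get();
                if (lastKnownBalance < amount) return false;
                if (balanceCas.compareAndSet(lastKnownBalance, lastKnownBalance - amount)) return true;
            }
        }
    }

    /** Result of firing `requests` simultaneous withdrawals of `amount` at one account. */
    record Outcome(long accepted, long paidOut, long finalBalance) {}

    static Outcome hammer(boolean optimistic, long opening, long amount, int requests) throws Exception {
        Account acct = new Account(opening);
        ExecutorService pool = Executors.newFixedThreadPool(requests);
        CountDownLatch go = new CountDownLatch(1);            // release every request at once
        List<Future<Boolean>> results = new ArrayList<>();
        for (int i = 0; i < requests; i++) {
            results.add(pool.submit(() -> {
                go.await();
                return optimistic ? acct.withdrawOptimistic(amount) : acct.withdrawRacy(amount);
            }));
        }
        go.countDown();
        long accepted = 0;
        for (Future<Boolean> f : results) if (f.get()) accepted++;
        pool.shutdown();
        long finalBalance = optimistic ? acct.balanceCas.get() : acct.balance;
        return new Outcome(accepted, accepted * amount, finalBalance);
    }

    public static void main(String[] args) throws Exception {
        // Constructed scenario: 100 in the account, 50 concurrent requests each trying to take 100
        Outcome racy = hammer(false, 100, 100, 50);
        Outcome safe = hammer(true, 100, 100, 50);
        System.out.println("check-then-act: accepted=" + racy.accepted() + " paidOut=" + racy.paidOut()
                + " finalBalance=" + racy.finalBalance() + "  (usually pays out more than was held)");
        System.out.println("optimistic    : accepted=" + safe.accepted() + " paidOut=" + safe.paidOut()
                + " finalBalance=" + safe.finalBalance() + "  (exactly one withdrawal succeeds)");
    }
}
```

Against a real database the same shape applies: run the conditional UPDATE, check that executeUpdate() returned 1, and on 0 re-read the row and decide again. A version column checked the same way works where the balance itself can legitimately return to an earlier value.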
-
SOLUTIONS
Code reviews: investigate static/global classes; identify all singleton Java objects; check Session[] use pre-authentication
Load testing: identify how to detect issues; use stress testing tools to mimic simultaneous use
Cross user suggestions: the session should be hooked to the database ID; user data should be associated with the session; do not allow concurrent session use
-
WE ARE ACTIVELY HIRING NEW PEOPLE NOW
Code review; penetration testing; infrastructure testing; vulnerability research; technical report writers
www.insomniasec.com