Sunday, November 2, 2008

kissxss

to quote many good teachers: "keep it simple stupid"

while we're on that subject, i am often stupid... ;)

=-=-=-=-=-=-=-=-=-=-=-=-=-

ever hear something like: who is really going to attack it? there isn't anything valuable there

it sounds reasonable and risk management-ish because they're allocating limited infosec resources by examining the likelihood of an event. but is the conversation limited to the perception of value held by the decision makers (who might be middle management for developers, dbas, sysadmins, etc)?

someone can covet something of yours, even if you don't know you have it.

say you have a reasonable security setup. you've got layer 3 segmentation into security zones, good firewall policies segregating traffic between those zones, and you've got a decent waf protecting your web app dmz. and let's ignore any argument that a compromise could be used to leverage an attack on another system in that security zone, since most non-infosec peeps glaze over at that point.

so you're trying to convince people to take you seriously about fixing those medium-rated host configuration vulns and web app flaws, and they're telling the cio "well, we already fixed the stuff rated high, and our people are stacked up and deadlines are tight. you know those security guys, they jump at their own shadows."

so our attacker alice pokes around. there's a portion of a mundane web app that appears to be vulnerable to reflected xss. but there's no login to steal, and no sensitive information on the site or host. the app doesn't do anything with money or sensitive info.

alice determines that using dangerous values in the suspected param results in a different 200ok page, redir, reset, or whatever. alice probes the suspected vuln and determines that a small subset of xss attacks work past the waf. even when they work, the functionality is very limited because the waf is blocking many potentially abused html elements as well as some scripting syntax.

alice can use either scripting or html to influence user navigation, but is reliant on user interaction to do it. there is no significant limitation on normal characters or on the length of her reflected input.
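the flaw alice finds above, as an added example that is not part of the original post: a search page that reflects its `q` parameter into html verbatim, next to the same page with output encoding (the mundane fix this post argues for). the page template, the `q` parameter name, the hostnames and the bait link are all constructed for illustration; the only real library calls are python's `html.escape` and `urllib.parse`.

```python
# Added example (not from the original post): a reflected-XSS sink beside its
# hardened form. Template, parameter name, hostnames and the sample bait link
# are all constructed for illustration.
import html
from urllib.parse import parse_qs, quote, urlsplit

# Constructed page template: the submitted search term is echoed back to the user.
PAGE = (
    "<html><body><h1>widget search</h1>"
    "<p>results for: {query}</p>"
    "</body></html>"
)


def query_from_url(url: str) -> str:
    """Pull the (constructed) 'q' parameter out of a request URL, percent-decoded."""
    qs = parse_qs(urlsplit(url).query)
    return qs.get("q", [""])[0]


def render_vulnerable(url: str) -> str:
    """Reflects the parameter into the page verbatim: the flaw in the post.
    Anything the link carries (tags, attributes) becomes live markup."""
    return PAGE.format(query=query_from_url(url))


def render_hardened(url: str) -> str:
    """Same page, but the reflected value is HTML-entity encoded first.
    html.escape(quote=True) turns & < > " ' into entities, so whatever the
    link carries is shown as visible text instead of being parsed as markup."""
    return PAGE.format(query=html.escape(query_from_url(url), quote=True))


def reflects_markup(rendered: str, submitted: str) -> bool:
    """Cheap self-check for a code review or test suite: does a submitted value
    containing markup characters come back in the response unencoded?"""
    has_markup = any(c in submitted for c in "<>\"'")
    return has_markup and submitted in rendered


# Constructed input: the "limited time sale" bait from the post, carried in the
# 'q' parameter of a link the user is lured into clicking. The hostnames are
# placeholders.
BAIT = '<a href="https://ecommerce-yourdomain.example/sale">limited time sale</a>'
PROBE_URL = "https://shop.example/search?q=" + quote(BAIT)
BENIGN_URL = "https://shop.example/search?q=" + quote("blue widget")


if __name__ == "__main__":
    print("vulnerable:", render_vulnerable(PROBE_URL))
    print("hardened:  ", render_hardened(PROBE_URL))
    print("benign:    ", render_hardened(BENIGN_URL))
```

the point of `reflects_markup` is that the fix is testable with nothing fancier than a unit test: submit a value with markup characters, assert it never comes back unencoded. that is the kind of boring, repeatable check the post is talking about, and it catches the class of bug rather than one payload a waf happens to block.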

so she designs a phishing mail or maybe puts together a fake flash advert for the target company. it's all legit looking w/ reasonable syntax and diction, and uses logos and says something like come check our site we make cool widgets. the link contains the xss that alters the contents of the page. the user still sees your legit site, but it has a little "limited time sale" bait or something like that. it's just a subtle 'click here to buy now', but they're already kinda interested in you and your widget because they followed the link. and the price is reasonable. not a steal, but definitely on sale.

alice registered ecommerce-yourdomain.com with your look and feel, and it says "secure" and "safe" when you click through. it doesn't use ssl when you submit, so some potential customers might dig and notice, but some wouldn't. expect your package within 7 to 10 business days :P

so in the end, there are customers who went to your site and were offered a deal. their money is with alice, and your brand was leveraged to make it happen.

even if your waf picked up the probes, and even if your admins actually investigated, the probing could be done in such a way that the attack vector is not deducible. and alice could wait a while after the probe to perform the attack, and maybe get a couple days before anyone calls your helpdesk with a concern.

there are a lot of highly-effective subtle and simple attacks like this. there are proactive counter-measures that can reduce a lot of risk, but the solutions are often manual and mundane rather than sexy-terminatrix (btw: river tam ftw!) ninja hacker shit.

targeted methodical process and procedure can reduce a lot of risk, and can be implemented and maintained with relatively little manpower cost. think about that the next time you're getting wined and dined by some vendor for some 6 figure plus nifty gadget that is going to keep you safe.

there may be more value in investing in some mundane things (which might also end up improving the org overall ;)
