OWASP Testing Guide~NZ$18 + pp

OWASP Code Review~NZ$15 + pp

OWASP Developers Guide~NZ$15 + pp

OWASP BOOKS

WEB APPLICATION SECURITYWHAT ABOUT SQL INJECTION?

WEB APPLICATION SECURITY

WEB APPLICATION SECURITY

Web servers are multithreaded applicationsThread poolsLockingIO requests

Web applications need to be thread awareDanger of multiple threads interacting with an object at the same time

What happens when threads act simultaneously?Depends on the language and frameworkDepends on the situationDepends on the server loadCONCURRENCY VULNERABILITIES

Race conditionsTOCTOUObject reuse out of contextObject modification during workflow

DeadlocksCommon condition when data updated by two sourcesRecord locking, database transactionsMULTI ACCESS ISSUES

Thread safetyMultithreaded applications

Cross user data vulnerabilitiesAccess through shared objects

Single user data vulnerabilitiesAccess through unshared objects

Asynchronous requestsSynchronisation issues

CONCURRENCY VULNERABILITIES

Thread safe objectsAutomatically handle lockingEnsure access by one thread at a timeNot cause a deadlock

Threading errorsNot all objects are thread safeSerious and subtle problemsDifficult to identifyDifficult to reproduceTHREAD SAFETY

THREAD SAFETYDepending on who wins the race and when the threads intercept, numusers could end up as 10 or 11 (should be 10)The app starts with 10 users

ASP.NetRequests for a given session are serialized, so session variables are thread-safe by default

Java ServletsHttpSession, including associated variables are not thread-safe

THREAD SAFETY

Struts 1.xActions are singletons and thus prone to issues

Struts 2.xNew instances of Actions are spawned for each request and are thread safe

THREAD SAFETY

How does this affect security?Consider an online banking systemTHREAD SAFETY

THREAD SAFETY

More interesting are;Issues affecting usersCONCURRENCY ISSUESThe ones that make it into the headlines!

UNCONFIRMED ISSUES

UNCONFIRMED ISSUES

Variables shared between threadsShared between sessionsClass globalsStatic declarations

Shared dataAny data not instantiated for the sessionData reused in following sessions

How can this affect user accounts?Session token identifier returned to two threadsDifferent browser sessions have the same identifier

WHAT HAPPENED?

CROSS USER THREAD SAFETYDepending on where the object is used, it can cause a security issue

ServletsUnless it implements the SingleThreadModel interface, the Servlet is a singleton by defaultThere is only one instance of the Servlet

Member fieldsStoring user data in Servlet member fields introduces a data access race condition between threadsJAVA

JAVApublic class GuestBook extends HttpServlet {

String name;

protected void doPost (HttpServletRequest req, HttpServletResponse res) { name = req.getParameter("name"); ... out.println(name + ", thanks for visiting!"); }}Thread 1: assign "Dick" to nameThread 2: assign "Jane" to nameThread 1: print "Jane, thanks for visiting!Thread 2: print "Jane, thanks for visiting!"

Java beansWhen a bean is a singleton (which is by default), it simply means that every time you access the bean, you will get a reference to the same object

JAVA

Object bean1 = context.getBean("myBean");Object bean2 = context.getBean("myBean");Object bean3 = context.getBean("myBean");bean1, bean2, and bean3 are all the same instance of MyClass.

JSP pagesJSP pages by default are not thread safeLocal variables are okInstance variables modified within the service section of a JSP will be shared by all requests

Can mark it as unsafe

Will cause [N] instances of the servlet to be loaded and initializedJAVA

Thread safeMost, but not all, classes and types are safe

Shared dataStatic variables in classA static reference to a helper class that contains member variablesA helper class that contains a static variable

The application collectionGlobal application-specific information that is visible to the entire application.

ASP .NET

Static declarationStatic classes, methods and variables are shared by every requestDeveloper must be careful not to have unsafe code

ASP .NETpublic static class Global{ /// Global variable storing important stuff. static string _importantData; /// Get or set the static important data. public static string ImportantData {get{ return _importantData;}set{ _importantData = value;} }

PoolsApplication poolsThread poolsObject poolsJobsEtc....

WHY ARE THEY HARD TO DETECT

Server loadDid you test with 10 simultaneous connections?Did you test with 100 simultaneous connections?

WHY ARE THEY HARD TO DETECTDid you even test with just 2 simultaneous connections?

SERVER LOAD1 User thread accessing the shared object over its workflow life

SERVER LOAD2 User threads accessing the shared object over its workflow life. User2 has overwritten user1 data

SessionStore and retrieve values for a user Assigned to their session token

Single UserCan only be accessed by the associated userUsually thread safe for read/write

Safe?Not alwaysCan be changed by different threadSESSION VARIABLES

SESSION VARIABLES1 User thread accessing the session object over its workflow life

SESSION VARIABLES2 User threads accessing the session object over its workflow life

Real world exampleSESSION VARIABLESLogin(){..Session["Username"] = Username.Text;Session["Password"] = Password.Text;If CheckLogin()Session["Authed"]=TRUE;Else {Session["Username"] = "";Session["Password"] = "";}..}

Real world exampleSESSION VARIABLESLoadUserData(){..If !(Session["Authed"]=TRUE)return FALSE;..GetUserDataFromDB(Session["Username"]);

//Display user data..

Return TRUE;}

Real world exampleSESSION VARIABLESLoadUserData(){..If !(Session["Authed"]=TRUE)return FALSE;..GetUserDataFromDB(Session["Username"]);

//Display user data..

Return TRUE;}Login(){..Session["Username"] = Username.Text;Session["Password"] = Password.Text;If CheckLogin()Session["Authed"]=TRUE;Else {Session["Username"] = "";Session["Password"] = "";}..}Login with valid creds, sets Session[Authed] = TRUEHit Login() function against with different username, sets Session[Username]Race with LoadUserData()Win the race and view other users data

TOCTOUTime of check, time of use

Change in stateBetween the time in which a given resource is checked, and the time that resource is used, a change occurs in the resource to invalidate the results of the check

Threading issuesAll of the previously discussed issuesRACE CONDITIONS

Usual shopping processRACE CONDITIONS

Raced shopping processAdd To Cart Contents After Payment Processed

Can be affected by race conditionsASYNCHRONOUS REQUESTSRace condition exists between the backend functions, to which order they are executed

Most major browsers have had issuesComplicated window, DOM, object sharingFaulty synchronization between objects

BROWSER CONCURRENCY ISSUESRace!

Application designBe aware of which objects are sharedDo not use static/globals for user specific data

Code levelSafe lockingSyncronisation, MutexesBe aware of thread safe/unsafe typesUse intelligent queries

SOLUTIONSUPDATE Account ... where ID=## and Balance=[LASTKNOWNBALANCE]

Code reviewsInvestigate static/global classesIdentify all singleton java objectsCheck session[] use pre authentication

Load testingIdentify how to detect issuesUse stress testing tools to mimic simultaneous use

Cross user suggestionsSession should be hooked to dbase IDUser data should be associated with sessionDo not allow concurrent session useSOLUTIONS

WE ARE ACTIVELY HIRING NEW PEOPLE NOW* Code review* Penetration testing* Infrastructure testing* Vulnerability research* Technical report writers

www.insomniasec.com