SaaS Vulnerabilities Workshop : SaaS as the new attack vector
    Presentation Transcript
    1. SaaS Vulnerabilities Workshop : SaaS as the new attack vector

    2. About us • Cyber security experts from Adallom • AdallomLabs is the leading SaaS threats research center • Adallom monitors SaaS traffic from managed and unmanaged devices and detects attacks against company assets in the cloud

    3. Agenda • Intro to the world of SaaS attacks • Training • Background on SAML • Hands on Workshop!! • Summary

    4. SaaS allows access anywhere • Software-As-A-Service • Software and data hosted in the cloud • Allows “access anywhere” • Key stakeholders • SaaS provider • Company (Business unit and IT) • End Users

    5. SaaS is a new attack vector • The common link: • Attack occurs outside of company network • Bypasses company controls • Very hard to detect

    6. Anatomy of a SaaS attack • Objectives: • Persistent access to the CRM of the Acme organization • Initial research: • Use Salesforce.com for CRM

    7. If this were on premise... • Requires a sophisticated cyber attack campaign

    8. Anatomy of a SaaS attack • Requires a much simpler attack • Choose attack vector – Users. • Company network not relevant. SaaS provider too hard. • Open Source intelligence – Focus on targets. • Social Networks, Social Engineering, Support forums, etc. • Compromise the user – Phishing, social engineering • Or compromise the device – Exploit home PC, mobile • End Of Game – Stealth. Persistent. Simple. One employee. One mistake. The attacker will eventually win.

    9. Breakdown of SaaS attack vectors (diagram; labels: SaaS provider responsibility, Enterprise responsibility)

    10. Exercise

    11. Exercise Introduction • Attacking a SAAS website • WordPress based • Vulnerability is still exploitable in real websites • SSO & SAML in depth • XSW – XML Signature Wrapping attack

    12. SAML Single Sign On (diagram: user Sam)

    13. SAML Single Sign On • SSO – use only one password for all SAAS applications • Pros • Reducing password fatigue from different user name and password combinations • Reducing time spent re-entering passwords for the same identity • Reducing IT costs due to lower number of IT help desk calls about passwords • SAML – Security Assertion Markup Language

    14. SAML Single Sign On (flow diagram; labels: User, Service Provider (SP), Identity Provider (IDP), Sam, Credentials User: sam@gmail.com Password: S4mP@$$, Token user = sam)

    15. SAML Single Sign On (flow diagram; labels: User, Service Provider (SP), Identity Provider (IDP), Sam, Credentials User: sam@gmail.com Password: S4mP@$$, SSL on each of the three legs, Token user = sam)

    16. SAML Single Sign On (flow diagram; labels: User, Service Provider (SP), Identity Provider (IDP), Credentials User: drevil@gmail.com Password: 1337H4X0R, SSL on each of the three legs, Token user = drevil, Token user = sam)

    17. SAML Single Sign On (flow diagram; labels: User, Service Provider (SP), Identity Provider (IDP), Credentials User: drevil@gmail.com Password: 1337H4X0R, SSL on each of the three legs, Token user = drevil, Token user = drevil)

    18. SAML Single Sign On SAML Sample

    19. XSW – XML Signature Wrapping • XML Signature • Used to verify that data wasn’t modified during transportation. • May apply to specific XML elements or the whole XML document. • There is no standard for what elements should be signed.

    20. XSW – XML Signature Wrapping • SOAP – Simple Object Access Protocol • Most web services use SOAP, which is XML based • SOAP basic structure: • <Envelope> - Root element • <Header> (optional) - Contains information that will be processed by SOAP nodes during transmission. • <Body> - Contains call and response information

    21. XSW – XML Signature Wrapping • Sample SOAP message • Receiver side's logic: if isValid(Signature) then return fread(env["Body"]["GetFileContent"]) • Can it be used for malicious purposes?

    22. XSW – XML Signature Wrapping • if isValid(Signature) then return fread(env["Body"]["GetFileContent"]) (side-by-side: Original Message, Malicious Message)

    23. XSW – XML Signature Wrapping • Causes • No common library for XML signature validation • Different logic is used to find the signed element and to read the element's data NOTE: XSW is a generic attack and is NOT specific to SOAP!

    24. Any Questions?

    25. Hands-On Hacking challenge

    26. Exercise • Main Goal • Original WordPress code + OneLogin original plugin • Training Process • Exercise composed of 6 phases • Hints and solutions will be available on wordpressfeed • Tools • Charles or any other web debugging proxy (Burp, Fiddler, mitmproxy, etc.)

    27. Exercise • Phase 0 • Goal: Prepare environment • Resources • http://www.adallombh.com/box • Target Service provider • https://www.adallombh.com • Identity provider • https://app.onelogin.com/login • Password for OneLogin • Password1!

    28. Exercise • Phase 1 • Goal: Extract the SAML token • Hint #1: Use Charles for capturing HTTP traffic • Hint #2: Recall the flow of SAML (in your handout) • Hint #3: SAML is encoded and thus will not look like XML • Solution video is available on adallombh.com

    29. Exercise • Phase 2 • Goal: Decode the SAML token • Hint #1: Response is passed by HTTP and thus must be URL encoded • Hint #2: Response is also encoded in Base64 • Solution video is available on adallombh.com

    30. Exercise • Phase 3 (Optional) • Goal: Build and post custom SAML token • Hint #1: White spaces are not allowed in SAML • Hint #2: Use Charles' "edit" feature for manipulating the original request • Solution video is available on adallombh.com (screenshot: Response is valid, Email is custom@saml.org) Note: This phase intends to verify that you are able to send your own SAML response. If you feel comfortable with that, you may continue to phase 4.

    31. Exercise • Phase 4 • Goal: Manipulate SAML token for gaining admin access • Targeted user name: admin@adallom.com • Hint #1: Source code may come in handy. It may be found at the WordPress plugins site. • Hint #2: Draw diagrams for better understanding of SAML structure • Hint #3: Video is available at adallombh.com • Solution video is available on adallombh.com

    32. Exercise • Phase 5 • Goal: Publish a post telling you’re the best hacker • Hint #1: Breakpoints or Cookie Editing may come in handy • Solution video is available on adallombh.com

    33. Solution & Summary

    34. The exploit php/lib/onelogin/saml/authenticate.php • Authentication process on SP • Validate SAML Signature • Check NameID against wordpress’s user list • Generate authenticated cookie

    35. The exploit php/lib/onelogin/saml/response.php • User name extraction • Find all matches for NameID element • Use the first match as the user name • User name manipulation – DONE!

    36. The exploit (side-by-side: Original SAML, Malicious SAML)

    37. The exploit php/onelogin/saml/xmlsec.php • Steps • Locate signature • Validate reference • Locate key • Verify key Why doesn't this invalidate the signature?

    38. The exploit Locate signature

    39. The exploit Validate Reference

    40. The exploit • There are many other possibilities for getting the same result (side-by-side: Original SAML, Malicious SAML, Id = 1337)
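    The following Python is an added example, not code from the slides or from the OneLogin plugin they analyse. It contrasts the first-match NameID extraction described on slide 35 with extraction bound to the one Assertion that the Signature's Reference covers, which is the mismatch slide 23 names as the root cause. The sample messages, the IDs `_a1`/`_a2` and the example.com addresses are constructed, and the cryptographic check of SignatureValue (the xmlsec step on slide 37) is assumed to have already passed.

```python
import xml.etree.ElementTree as ET
NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion",
      "ds": "http://www.w3.org/2000/09/xmldsig#"}

def _assertion(aid, name, signed):
    """Build a constructed <saml:Assertion>, with an enveloped Signature if requested."""
    sig = ('<ds:Signature><ds:SignedInfo><ds:Reference URI="#%s"/></ds:SignedInfo>'
           '</ds:Signature>' % aid) if signed else ""
    return ('<saml:Assertion ID="%s">%s<saml:Subject><saml:NameID>%s</saml:NameID>'
            '</saml:Subject></saml:Assertion>' % (aid, sig, name))

_HEAD = ('<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" '
         'xmlns:saml="%(saml)s" xmlns:ds="%(ds)s">' % NS)
SIGNED = _assertion("_a1", "sam@example.com", signed=True)
CLEAN_RESPONSE = _HEAD + SIGNED + "</samlp:Response>"
# Wrapped variant (constructed): an unsigned assertion naming another user is placed
# before the signed one, so "first match" and "signed element" no longer agree.
WRAPPED_RESPONSE = (_HEAD + _assertion("_a2", "admin@example.com", signed=False)
                    + SIGNED + "</samlp:Response>")

def vulnerable_username(xml_text):
    """The logic described on the slides: match every NameID, use the first one."""
    return ET.fromstring(xml_text).findall(".//saml:NameID", NS)[0].text

def hardened_username(xml_text):
    """Return the NameID only from the single Assertion the Signature covers.
    Verification of SignatureValue (the xmlsec step) is assumed to have passed already."""
    root = ET.fromstring(xml_text)
    assertions = root.findall(".//saml:Assertion", NS)
    signatures = root.findall(".//ds:Signature", NS)
    if len(assertions) != 1 or len(signatures) != 1:
        raise ValueError("expected exactly one Assertion and one Signature")
    assertion, sig = assertions[0], signatures[0]
    # Reference must name this Assertion's ID and the Signature must be enveloped in it.
    ref = sig.find("ds:SignedInfo/ds:Reference", NS)
    if ref is None or ref.get("URI") != "#" + assertion.get("ID", ""):
        raise ValueError("Signature Reference does not cover the Assertion")
    if assertion.find("ds:Signature", NS) is not sig:
        raise ValueError("Signature is not enveloped in the signed Assertion")
    name_ids = assertion.findall("saml:Subject/saml:NameID", NS)
    if len(name_ids) != 1:
        raise ValueError("signed Assertion must carry exactly one NameID")
    return name_ids[0].text
def rejected(xml_text):
    """True if the hardened check refuses the message."""
    try:
        hardened_username(xml_text)
        return False
    except ValueError:
        return True
```

    If the Response element is signed as well, a second Signature appears and the same binding check (Reference URI equals the signed element's ID, Signature enveloped in it) has to be applied to it rather than counting signatures.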

    41. Summary • Admin's password was: • X7r3MelyH@rdP@$$0rd • This specific XSW exploit was first introduced at USENIX 2012 by Juraj Somorovsky • What caused this vulnerability? • SAML is a complicated protocol • No awareness for SAAS vulnerabilities