Logic flaws and the OWASP Top 10by Steve Ragan - Apr 21 2010, 20:00
This week the Open Web Application Security Project (OWASP) released the newest version of their list that is comprised of the top ten vulnerabilities that business-driven Web Applications face, but one expert reminds developers that there is another threat to consider as well – logic flaws.
Since 2003, the researchers and experts who are part of OWASP have watched and recorded the state of Web application security. Over the years they have explained and defined the types of problems that forward facing applications will need to contend with online to remain secure. For the most part, the OWASP Top 10 has driven secure code in one way or another, but that isn’t to say that Web Applications as a whole are completely secure because of it.
[View the 2010 OWASP Top 10 list here]
Qualys Security Researcher Mike Shema recently spoke to The Tech Herald and covered one WebAppSec flaw that is present to some degree in most of the entries on the OWASP Top 10 list, while at the same time only earns a passive mention.
Shema spoke to us about logic flaws, something that is an afterthought when you consider the attention given to Cross-Site Scripting (OWASP A2 2010), SQL Injection (OWASP A1 2010), or Cross-Site Request Forgery (OWASP A5 2010) attack vectors when discussing secure code.
Shema explained that the OWASP Top 10 is talking about risks and not vulnerabilities.
“If you’re just using the OWASP Top 10 to apply security to your website your doing it a disservice. The thing that’s important about OWASP Top 10 is it's telling people why WebApp Security is a problem and the way that Web Applications are being attacked. That’s a very good thing,” he told us.
OWASP has added and removed risks from their list several times over the years. It represents “a broad consensus about what the most critical web application security flaws are” and as a result needs updating from time to time to address changes to risks associated with new Web Application development standards and attack vectors.
For example, Security Misconfiguration (OWASP A6 2010) appeared in the 2004 version of the top ten, and it was dropped in 2007 before making its comeback. Also, Malicious File Execution (OWASP A3 2007) was dropped because the main culprit - poorly configured PHP applications - can benefit from improvements to the default PHP settings.
However, Shema noted, “It's still important for website owners to keep track of the OWASP Top 10 in order to understand how threats evolve. CRSF didn't appear on the list in 2004, but apps have been vulnerable to it since 2000 and earlier. It's just that CSRF attacks weren't well defined or widely understood before the list could be updated in 2007.”
Yet, when you consider the risks that made it into the OWASP Top 10 for 2010, there is another threat that can catch some websites off guard and leave them exposed to problems that can cost them money or embarrassment. That’s where logic flaws come into play.
“Logic flaws tend to be really hard to find because it’s very difficult to automatically look for them. So you need people, and people don’t scale very well across the hundreds of thousands or millions of websites that are out there. But the impact can still be heavy, and so a logic flaw can fall into some of [the OWASP top ten] categories, but it’s hard to figure out which one,” Shema said.
“So when I’m talking about logic flaws, it could be as simple as doing client-side validation of content.”
Consider Kurt Grutzmacher, a security professional who in 2007 used logic flaws to earn a free Platinum Pass to Macworld. The registration process used the browser to perform data input validation in order to lessen the server load and increase user experience.
In 2009, a series of logic flaws in the code running the TIME 100 Poll allowed fans of 4Chan founder ‘moot’ (a.k.a Christopher Pool) to place him at the top of the list, with 16,794,368 votes. So troubled was the voting script, the people who helped rig the process were able to control results and leave behind the message seen below. At the end of the day, despite claims from TIME that they “did detect and extinguish several attempts to hack the vote” one person using an IPv6 address was able to bypass IP address and timed voting restrictions to send votes for moot at a rate of about 5,000 votes a minute.
“Obviously those examples don’t have direct financial impact on the website. It’s not compromising credit cards or anything like that. However, speaking in general you can still have old concepts of logic flaws in the checkout process,” Shema said.
“A logic flaw could simply be applying a checkout coupon several times, or depending on how a Web Application is tracking your product, the shipping rate for the product, and the shipping delivery time. You could possibly do some client-side tricks so that you’ve ordered a bunch of books and you’re getting overnight shipping, but paying the 3-5 day shipping rate.”
Essentially, Shema explained to us, logic flaws allow an attacker to play around with the assumptions that the website is making on the data that it’s receiving from the end user. Another thing is that a lot of these logic attacks don’t carry obvious markers along with them. In other words, you don’t have to inject single quotes like you would with SQL Injection or script tags like in Cross-Site Scripting in order to bypass or confuse the logic used in a Web Application.
With that said, Shema offered some advice for dealing with logic flaws when developing Web Applications. The best way to avoid them is a constant checks and balances system, which is the opposite of filtering input alone. Developers will need to manage the data that is sent to the Web Application, that is certain, but at the same time they'll need to make sure that the input comes at the right time from the right source.
Shema said that most logic problems come from developers who take shortcuts, and that when writing secure code, there is never any room for them. “If you focus on one security aspect, you can’t ignore others. For example focus on XSS and SQL Injection is great, but you have to account for logic issues that could be related to them.”